
Huawei AR Series IOT Gateway

V200R007

CLI-based Configuration Guide - IP Service

Issue 06
Date 2019-05-24

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 06 (2019-05-24) Copyright © Huawei Technologies Co., Ltd. i



About This Document

Intended Audience
This document describes the concepts and configuration procedures of IP Service features on
the device, and provides configuration examples.

This document provides guidance for configuring IP Service features.

This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.


NOTE Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description

Boldface            The keywords of a command line are in boldface.

Italic              Command arguments are in italics.

[ ]                 Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>              The parameter before the & sign can be repeated 1 to n times.

#                   A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Security Conventions
• Password setting


– When configuring a password, cipher text is recommended. To ensure device security, change the password periodically.
– When you configure a password in plain text that starts and ends with %@%@, @%@%, %#%#, or %^%# (the password can be decrypted by the device), the password is displayed in the configuration file exactly as it was configured. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.
• Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, 3DES, AES, DSA, RSA, DH, ECDH, HMAC, SHA1, SHA2, PBKDF2, scrypt, and MD5. The encryption algorithm depends on the applicable scenario. Use the recommended encryption algorithm; otherwise, security defense requirements may not be met.
– For the symmetric encryption algorithm, use AES with a key of 256 bits or more.
– When you need to use asymmetric cryptography, RSA (2048-bit or longer key) is recommended. In addition, use different key pairs for encryption and signature.
– For the digital signature, RSA (2048-bit or longer key) or DSA (2048-bit or longer key) is recommended.
– For key negotiation, DH (2048-bit or longer key) or ECDH (256-bit or longer key) is recommended.
– For the hash algorithm, use SHA with a key of 256 bits or more.
– For the HMAC algorithm, use HMAC-SHA2.
– DES, 3DES, RSA and AES are reversible encryption algorithms. If protocols are used for interconnection, the locally stored password must be reversible.
– SHA1, SHA2, and MD5 are irreversible encryption algorithms. When configuring a password for a local administrator, it is recommended that you use the SHA2 irreversible encryption algorithm.
– To prevent brute-force cracking of the user password, an iteration algorithm is applied to the password in addition to a salt. The iteration algorithm uses the PBKDF2 or scrypt key derivation algorithm.
– The ECB mode has a poor capability of defending against plaintext playback attacks, so ECB is not recommended for password encryption.
– In SSH2.0, symmetric cryptography using the CBC mode is exposed to plaintext-recovery attacks, which can cause a data leak. Therefore, the CBC mode is not recommended for SSH2.0.
• Personal data
Some personal data may be obtained or used during operation or fault location of your purchased products, services, and features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.


Reference Standards and Protocols


To obtain reference standards and protocols, log in to the Huawei official website, search for
"protocol compliance list", and download the Huawei AR Series Standard and Protocol
Comply Table.

Declaration
• This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may be different from your actual device situations due to the differences in software versions, models, and configuration files. The manual will not list every possible difference. You should configure your devices according to actual situations.
• The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of boards or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
• In this document, public IP addresses may be used in feature introduction and configuration examples and are for reference only unless otherwise specified.
• In this document, AR series IOT gateways include the AR500&AR510&AR530&AR550&AR2500 Series.

Mappings Between Product Software Versions and NMS Versions
The mappings between product software versions and NMS versions are as follows.

AR Product Software Version    eSight         iManager U2000

V200R007C00                    V300R005C00    V200R015C60

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 06 (2019-05-24)


This version has the following updates:

The following information is modified:


• 8.2.2 IPv6 Packet Format


Changes in Issue 05 (2017-12-29)
The following information is added:
• 2.4 Licensing Requirements and Limitations for ARP

Changes in Issue 04 (2017-04-06)
The following information is modified:
• 2.8.2 Example for Configuring Routed Proxy ARP

Changes in Issue 03 (2016-06-15)
The following information is added:
• 7.4.8 Configure Routing Forwarding for Broadcast Packets

Changes in Issue 02 (2016-02-05)
The following information is modified:
• 7.4.11 Checking the Configuration

Changes in Issue 01 (2015-12-01)


Initial commercial release.


Contents

About This Document

1 IP Address Configuration
1.1 IPv4 Overview
1.2 Configuration Notes
1.3 Principles
1.3.1 IPv4 Protocol Suite
1.3.2 IPv4 Address
1.3.3 IPv4 Packet Format
1.3.4 Subnetting
1.3.5 IP Address Resolution
1.4 Configuring IP Addresses for Interfaces
1.4.1 Configuring a Primary IP Address for an Interface
1.4.2 (Optional) Configuring a Secondary IP Address for an Interface
1.4.3 Checking the Configuration
1.5 Configuring an IP Unnumbered Interface
1.5.1 Configuring a Primary IP Address for the IP Numbered Interface
1.5.2 Configuring an IP address Unnumbered Interface
1.5.3 Checking the Configuration
1.6 Configuration Examples
1.6.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
1.6.2 Example for Configuring an IP Unnumbered Interface
1.7 Common Configuration Errors
1.7.1 IP Address Configuration Fails on an Interface

2 ARP Configuration
2.1 ARP Overview
2.2 Principles
2.2.1 ARP Principles
2.2.2 Proxy ARP
2.2.3 Gratuitous ARP
2.2.4 ARP-Ping
2.2.5 Multi-Interface ARP
2.3 Configuration Task Summary


2.4 Licensing Requirements and Limitations for ARP
2.5 Default Configuration
2.6 Configuring ARP
2.6.1 Configuring Static ARP
2.6.2 Optimizing Dynamic ARP
2.6.2.1 Adjusting Aging Parameters of Dynamic ARP Entries
2.6.2.2 Enabling Layer 2 Topology Detection
2.6.2.3 Configuring Unicast ARP Probe
2.6.2.4 Checking the Configuration
2.6.3 Configuring Proxy ARP
2.6.3.1 Configuring Routed Proxy ARP
2.6.3.2 Configuring Intra-VLAN Proxy ARP
2.6.3.3 Configuring Inter-VLAN Proxy ARP
2.6.4 Configuring ARP-Ping
2.6.4.1 Configuring ARP-Ping IP
2.6.4.2 Configuring ARP-Ping MAC
2.6.5 Enabling a Device to Learn Multicast MAC Addresses and Generate ARP Entries
2.6.6 Configuring Multi-Interface ARP
2.6.7 Configuring the Scheduled ARP Refresh Function
2.7 Maintaining ARP
2.7.1 Clearing ARP Entries
2.7.2 Monitoring the ARP Running Status
2.8 Configuration Examples
2.8.1 Example for Configuring Static ARP
2.8.2 Example for Configuring Routed Proxy ARP
2.8.3 Example for Configuring Intra-VLAN Proxy ARP
2.8.4 Example for Configuring Inter-VLAN Proxy ARP
2.8.5 Example for Configuring Layer 2 Topology Detection
2.8.6 Example for Configuring Multi-Interface ARP

3 DHCP Configuration
3.1 DHCP Overview
3.2 Principles
3.2.1 Typical Networking
3.2.2 How a DHCP Server Allocates Network Parameters to New DHCP Clients
3.2.3 How a DHCP Client Reuses an IP Address
3.2.4 How a DHCP Client Renews Its IP Address Lease
3.3 Specifications
3.4 Application
3.4.1 DHCP Server Application
3.4.2 DHCP Relay Agent Application
3.4.3 DHCP Client Application
3.4.4 Master/Backup DHCP Server Application


3.5 Appendix
3.5.1 Introduction to DHCP Messages
3.5.2 DHCP Options
3.6 Default Configuration
3.7 Configuration Task Summary
3.8 Configuration Notes
3.9 Configuring a DHCP Server
3.9.1 Planning Data
3.9.2 Enabling DHCP
3.9.3 Configuring a DHCP Server to Allocate IP Addresses to Clients
3.9.3.1 Creating an Address Pool
3.9.3.2 Enabling the DHCP Server Function
3.9.3.3 (Optional) Configuring the Range of IP Addresses That Cannot Be Automatically Allocated to Clients from an Address Pool
3.9.3.4 (Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to Specified Clients
3.9.3.5 (Optional) Configuring an Address Lease Time
3.9.3.6 (Optional) Configuring the Logging Function During IP Address Allocation
3.9.3.7 (Optional) Configuring IP Address Conflict Detection Before a DHCP Server Allocates IP Addresses
3.9.3.8 (Optional) Configuring a DHCP Server to Automatically Save IP Address Allocation Information
3.9.3.9 (Optional) Associating an IP Address Pool with NQA
3.9.4 (Optional) Configuring a DHCP Server to Allocate Network Parameters Besides IP Addresses
3.9.4.1 Configuring a Gateway Address for Clients
3.9.4.2 Configuring DNS and the NetBIOS Service on the DHCP Clients
3.9.4.3 Configuring a Configuration File for a DHCP Client
3.9.4.4 Configuring User-defined Options for Clients
3.9.5 (Optional) Configuring the DHCP Rate Limit Function
3.9.6 Checking the Configuration
3.10 Configuring a DHCP Relay Agent
3.10.1 Enabling DHCP
3.10.2 Enabling the DHCP Relay Function
3.10.3 Specifying an IP Address for the DHCP Server on a DHCP Relay Agent
3.10.4 (Optional) Configuring Strategies for Processing Option 82 Information on a DHCP Relay Agent
3.10.5 (Optional) Configuring Rate Limit of DHCP Packets
3.10.6 Checking the Configuration
3.11 Configuring a DHCP Client
3.11.1 (Optional) Configuring Attributes for a DHCP Client
3.11.2 (Optional) Configuring an Expected Lease for a DHCP Client
3.11.3 (Optional) Configuring the Gateway Detection Function on a DHCP Client
3.11.4 (Optional) Configuring a DHCP Client to Dynamically Obtain Routing Information
3.11.5 Enabling the DHCP Client Function
3.11.6 Checking the Configuration
3.12 Configuring a BOOTP Client
3.12.1 (Optional) Configuring Attributes for a BOOTP Client


3.12.2 (Optional) Configuring the Gateway Detection Function on a BOOTP Client
3.12.3 (Optional) Configuring a BOOTP Client to Dynamically Obtain Routing Information
3.12.4 Enabling the BOOTP Client Function
3.12.5 Checking the Configuration
3.13 Maintaining DHCP
3.13.1 Viewing Statistics About DHCP Messages
3.13.2 Clearing Statistics About DHCP Messages
3.13.3 Resetting a DHCP Address Pool
3.13.4 Locking a DHCP Address Pool
3.14 Configuration Examples
3.14.1 Example for Configuring the Device as a DHCP Server (Based on the Interface Address Pool)
3.14.2 Example for Configuring the DHCP Server to Allocate Different Network Parameters to Dynamic Clients and Static Clients in the Global Address Pool
3.14.3 Example for Configuring the Device as a DHCP Relay (Relay and Server Are Located on the Same Network)
3.14.4 Example for Configuring a Device as the DHCP Relay Agent (Connected to the DHCP Server Across a BGP/MPLS IP VPN Tunnel)
3.14.5 Example for Configuring a DHCP Client
3.14.6 Example for Configuring a BOOTP Client
3.14.7 Example for Configuring a DHCP Server in a Super-VLAN
3.15 Common Misconfigurations
3.15.1 The IP Address Obtained by a Client Conflicts with the IP Address of Another Client
3.15.2 A Client Fails to Obtain an IP Address from a DHCP Server
3.15.3 It Takes a Long Time for a DHCP Client to Obtain an IP Address from a DHCP Server
3.15.4 A DHCP Client Can Obtain an IP Address Through the DHCP Relay Agent, but Cannot Access the Internet
3.16 FAQ
3.16.1 How Can I Ensure that a DHCP Client Selects the Correct DHCP Server?
3.16.2 How Can I Configure a PC to Release and Update Its IP Address?
3.16.3 When Both the DHCP Server and Relay Functions Are Enabled on an Interface, Which Function Is Processed Preferentially?........................ 181

4 DNS Configuration................................................................................................................... 182


4.1 DNS Overview........................................................................................................................................................... 183
4.2 Principles.................................................................................................................................................................... 183
4.2.1 Working Principle of DNS.......................................................................................................................................183
4.2.2 Working Principle of DNS Proxy or Relay............................................................................................................. 185
4.2.3 Working Principle of DNS Spoofing....................................................................................................................... 186
4.2.4 Working Principle of DDNS....................................................................................................................................187
4.3 Applications................................................................................................................................................................189
4.3.1 DNS Client Application...........................................................................................................................................189
4.3.2 DNS Proxy Application...........................................................................................................................................189
4.4 Configuration Notes................................................................................................................................................... 190
4.5 Configuring the DNS Client....................................................................................................................................... 190
4.5.1 Configuring the Static Domain Name Resolution................................................................................................... 190


4.5.2 Configuring the Dynamic Domain Name Resolution............................................................................................. 191


4.5.3 (Optional) Associating a DNS Server with NQA....................................................................................................192
4.5.4 Checking the Configuration.....................................................................................................................................195
4.6 Configuring DNS Proxy or Relay.............................................................................................................................. 195
4.6.1 Configuring the Destination DNS Server................................................................................................................ 195
4.6.2 (Optional) Configuring DNS Spoofing................................................................................................................... 197
4.6.3 (Optional) Associating a DNS Server with NQA....................................................................................................198
4.6.4 Checking the Configuration.....................................................................................................................................200
4.7 Configuring the DDNS Client.................................................................................................................................... 201
4.7.1 Configuring a DDNS Policy....................................................................................................................................201
4.7.2 Binding a DDNS Policy to an Interface.................................................................................................................. 204
4.7.3 Checking the Configuration.....................................................................................................................................205
4.8 Maintaining DNS........................................................................................................................................................205
4.8.1 Deleting Dynamic DNS Entries.............................................................................................................................. 205
4.8.2 Deleting DNS Entries of the DNS Proxy or Relay..................................................................................................206
4.8.3 Clearing Statistics on Sent and Received DNS Packets.......................................................................................... 206
4.8.4 Manually Updating a DDNS Policy........................................................................................................................ 206
4.8.5 Monitoring the Running Status of DNS.................................................................................................................. 207
4.9 Configuration Examples............................................................................................................................................. 207
4.9.1 Example for Configuring DNS Proxy..................................................................................................................... 207
4.9.2 Example for Configuring the DDNS Client (Using the Update Mode Defined by the RFC2136)......................... 209
4.9.3 Example for Configuring the DDNS Client (Using the Update Mode Implemented Through the DDNS Server)........................ 211
4.9.4 Example for Configuring the Router to Communicate with the Siemens DDNS Server........................................213
4.9.5 Example for Configuring Association Between the DNS Server and NQA........................................................... 216
4.10 Common Configuration Errors................................................................................................................................. 220
4.10.1 Dynamic Domain Name Resolution Cannot Be Implemented on a DNS Client.................................................. 220

5 NAT Configuration................................................................................................................... 222


5.1 Introduction to NAT....................................................................................................................................................223
5.2 Principles.................................................................................................................................................................... 223
5.2.1 Overview................................................................................................................................................................. 223
5.2.2 NAT Implementation............................................................................................................................................... 225
5.2.3 NAT ALG................................................................................................................................................................ 228
5.2.4 DNS Mapping..........................................................................................................................................................229
5.2.5 NAT Associated with VPNs.................................................................................................................................... 230
5.2.6 Twice NAT...............................................................................................................................................................232
5.2.7 NAT Filtering and NAT Mapping............................................................................................................................234
5.3 Applications................................................................................................................................................................236
5.3.1 Private Network Hosts Accessing Public Network................................................................................................. 236
5.3.2 Public Network Hosts Accessing Private Network Servers.................................................................................... 236
5.3.3 Private Network Hosts Accessing Private Network Servers Using the Domain Name.......................................... 237
5.4 Configuration Tasks....................................................................................................................................................238


5.5 Configuration Notes................................................................................................................................................... 239


5.6 Configuring Dynamic NAT........................................................................................................................................ 240
5.6.1 Configuring ACL Rules...........................................................................................................................................240
5.6.2 Configuring Outbound NAT.................................................................................................................................... 240
5.6.3 (Optional) Enabling NAT ALG............................................................................................................................... 241
5.6.4 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device.............................................................. 242
5.6.5 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................... 243
5.6.6 (Optional) Configuring Twice NAT.........................................................................................................................244
5.6.7 (Optional) Configuring NAT Log Output................................................................................................................244
5.6.8 (Optional) Configuring the Aging Time of NAT Mapping Entries......................................................................... 246
5.6.9 Checking the Configuration.....................................................................................................................................246
5.7 Configuring Static NAT..............................................................................................................................................247
5.7.1 Configuring Static Address Mapping...................................................................................................................... 247
5.7.2 (Optional) Enabling NAT ALG............................................................................................................................... 248
5.7.3 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device.............................................................. 249
5.7.4 (Optional) Configuring DNS Mapping....................................................................................................................250
5.7.5 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................... 251
5.7.6 (Optional) Configuring Twice NAT.........................................................................................................................252
5.7.7 (Optional) Configuring NAT Log Output................................................................................................................252
5.7.8 (Optional) Configuring the Aging Time of NAT Mapping Entries......................................................................... 254
5.7.9 Checking the Configuration.....................................................................................................................................254
5.8 Configuring an Internal NAT Server.......................................................................................................................... 255
5.8.1 Configuring Internal NAT Server............................................................................................................................ 255
5.8.2 (Optional) Enabling NAT ALG............................................................................................................................... 256
5.8.3 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device.............................................................. 257
5.8.4 (Optional) Configuring DNS Mapping....................................................................................................................257
5.8.5 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................... 258
5.8.6 (Optional) Configuring Twice NAT.........................................................................................................................259
5.8.7 (Optional) Configuring NAT Log Output................................................................................................................260
5.8.8 (Optional) Configuring the Aging Time of NAT Mapping Entries......................................................................... 261
5.8.9 Checking the Configuration.....................................................................................................................................261
5.9 Maintaining NAT........................................................................................................................................................ 262
5.9.1 Clearing NAT Mapping Entries............................................................................................................................... 262
5.9.2 Monitoring NAT Mapping Entries.......................................................................................................................... 262
5.10 Configuration Examples........................................................................................................................................... 263
5.10.1 Example for Configuring Dynamic NAT.............................................................................................................. 263
5.10.2 Example for Configuring Static One-to-One NAT................................................................................................266
5.10.3 Example for Configuring an Internal NAT Server................................................................................................ 267
5.10.4 Example for Configuring Twice NAT................................................................................................................... 270
5.10.5 Example for Configuring NAT.............................................................................................................................. 272
5.10.6 Example for Configuring PPPoE Dialup Access in Easy IP Mode.......................................................................274
5.10.7 Example for Configuring the SIP Call Bandwidth Limit on a NAT Device......................................................... 277


5.11 Common Configuration Errors................................................................................................................................. 278


5.11.1 Intranet Users Fail to Access Public Networks...................................................................................................... 278
5.11.2 External Hosts Fail to Access Internal Servers......................................................................................................280
5.11.3 Internal Hosts with an Overlapped IP Address Fail to Access External Servers.................................................. 281

6 UDP Helper Configuration......................................................................................................284


6.1 UDP Helper Overview................................................................................................................................................284
6.2 Configuration Notes................................................................................................................................................... 286
6.3 Configuring UDP Helper............................................................................................................................................286
6.4 Maintaining UDP Helper............................................................................................................................................287
6.4.1 Displaying UDP Helper Statistics........................................................................................................................... 287
6.4.2 Clearing UDP Helper Statistics............................................................................................................................... 287
6.5 Configuration Examples............................................................................................................................................. 288
6.5.1 Example for Configuring UDP Helper.................................................................................................................... 288

7 IP Performance Configuration................................................................................................ 292


7.1 IP Performance Overview.......................................................................................................................................... 292
7.2 Configuration Notes................................................................................................................................................... 292
7.3 Default Configuration.................................................................................................................................................293
7.4 Optimizing IP Performance........................................................................................................................................ 293
7.4.1 Configuring Source IP Addresses Verification........................................................................................................294
7.4.2 Configuring an Outbound Interface to Fragment IP Packets...................................................................................294
7.4.3 Configuring Virtual Fragment Reassembly of IP Packets.......................................................................................295
7.4.4 Configuring Unequal Cost Multiple Path................................................................................................................ 295
7.4.5 Configuring the Device to Process IP Packets with Options...................................................................................297
7.4.6 Configuring an Interface to Forward Directed Broadcast Packets.......................................................................... 297
7.4.7 Configuring the Enhanced Forwarding Function for Control Packets Generated by the Device........................... 299
7.4.8 Configure Routing Forwarding for Broadcast Packets............................................................................................300
7.4.9 Configuring ICMP Properties.................................................................................................................................. 301
7.4.10 Configuring TCP Properties.................................................................................................................................. 303
7.4.11 Checking the Configuration...................................................................................................................................305
7.5 Maintaining IP Performance.......................................................................................................................................305
7.5.1 Clearing IP Performance Statistics.......................................................................................................................... 305

8 Basic IPv6 Configuration......................................................................................................... 307


8.1 IPv6 Overview............................................................................................................................................................ 308
8.2 Principles.................................................................................................................................................................... 310
8.2.1 IPv6 Addresses........................................................................................................................................................ 310
8.2.2 IPv6 Packet Format................................................................................................................................................. 316
8.2.3 ICMPv6................................................................................................................................................................... 320
8.2.4 Neighbor Discovery.................................................................................................................................................322
8.2.5 Path MTU................................................................................................................................................................ 328
8.3 Configuration Notes................................................................................................................................................... 329
8.4 Default Configuration.................................................................................................................................................329


8.5 Configuring IPv6 Addresses for Interfaces................................................................................................................ 330


8.5.1 Configuring Global Unicast Addresses for Interfaces.............................................................................................330
8.5.2 Configuring Link-local Addresses for Interfaces.................................................................................................... 331
8.5.3 Configuring Anycast Addresses for Interfaces........................................................................................................332
8.6 Configuring ICMPv6 Packet Control......................................................................................................................... 333
8.7 Configuring IPv6 Neighbor Discovery.......................................................................................................................335
8.7.1 Configuring Static Neighbors.................................................................................................................................. 335
8.7.2 Configuring Neighbor Discovery............................................................................................................................ 336
8.7.3 Checking the Configuration.....................................................................................................................................339
8.8 Configuring PMTU.....................................................................................................................................................339
8.8.1 Configuring Static PMTU....................................................................................................................................... 339
8.8.2 Setting the Aging Time of Dynamic PMTU............................................................................................................340
8.8.3 Checking the Configuration.....................................................................................................................................341
8.9 Configuring TCP6...................................................................................................................................................... 341
8.9.1 Setting TCP6 Timers............................................................................................................................................... 341
8.9.2 Setting the TCP6 Sliding Window Size...................................................................................................................342
8.9.3 Setting the MSS Value for a TCP6 Connection.......................................................................................................342
8.9.4 Checking the Configuration.....................................................................................................................................343
8.10 Configuring the Enhanced Forwarding Function for IPv6 Control Packets Generated by the Device....................343
8.11 Maintaining IPv6...................................................................................................................................................... 345
8.11.1 Clearing IPv6 Statistics..........................................................................................................................................345
8.11.2 Monitoring IPv6 Running Status........................................................................................................................... 346
8.12 Configuration Examples........................................................................................................................................... 346
8.12.1 Example for Configuring Basic IPv6 Functions....................................................................................................346

9 DHCPv6 Configuration............................................................................................................ 350


9.1 DHCPv6 Overview.....................................................................................................................................................351
9.2 Principles.................................................................................................................................................................... 351
9.2.1 DHCPv6 Overview..................................................................................................................................................352
9.2.2 DHCPv6 Packets..................................................................................................................................................... 354
9.2.3 DHCPv6 Working Principles...................................................................................................................................357
9.2.4 Working Principle of DHCPv6 PD..........................................................................................................................359
9.2.5 Working Principle of the DHCPv6 Relay Agent..................................................................................................... 360
9.2.6 IPv6 Address/Prefix Allocation and Lease Updating..............................................................................................361
9.3 Applications................................................................................................................................................................364
9.3.1 Typical Networking of the DHCPv6 Server............................................................................................................364
9.3.2 Typical Networking of the DHCPv6 PD Server......................................................................................................365
9.3.3 Typical Networking of the DHCPv6 Relay Agent.................................................................................................. 365
9.3.4 Typical Networking of the DHCPv6 Client.............................................................................................................366
9.3.5 Typical Networking of the DHCPv6 PD Client...................................................................................................... 366
9.4 Default Configuration.................................................................................................................................................367
9.5 Configuration Notes................................................................................................................................................... 367
9.6 Configuring a DHCPv6 Server...................................................................................................................................367


9.6.1 Configuring the DHCPv6 DUID
9.6.2 Configuring an IPv6 Address Pool
9.6.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool
9.6.4 (Optional) Configuring the Options of an IPv6 Address Pool
9.6.5 (Optional) Configuring the DHCPv6 Data Saving Function
9.6.6 Enabling the DHCPv6 Server Function
9.6.7 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded
9.6.8 Checking the Configuration
9.7 Configuring a DHCPv6 PD Server
9.7.1 Configuring the DHCPv6 DUID
9.7.2 Configuring an IPv6 PD Address Pool
9.7.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool
9.7.4 (Optional) Configuring the Options of an IPv6 Address Pool
9.7.5 (Optional) Configuring the DHCPv6 Data Saving Function
9.7.6 Enabling the DHCPv6 PD Server Function
9.7.7 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded
9.7.8 Checking the Configuration
9.8 Configuring a DHCPv6 Relay Agent
9.8.1 Configuring the DHCPv6 DUID
9.8.2 Configuring the DHCPv6 Relay Function
9.8.3 (Optional) Configuring DHCPv6 Relay Options
9.8.4 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded
9.8.5 Checking the Configuration
9.9 Configuring a DHCPv6 Client
9.9.1 Enabling the DHCPv6 Client Function
9.9.2 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded
9.10 Configuring a DHCPv6 PD Client
9.10.1 Enabling the DHCPv6 PD Client Function
9.10.2 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded
9.11 Maintaining DHCPv6
9.11.1 Monitoring DHCPv6 Operation
9.11.2 Clearing DHCPv6 Packet Statistics
9.11.3 Resetting the Status of the IPv6 Address Pool
9.12 Configuration Examples
9.12.1 Example for Configuring a DHCPv6 Server
9.12.2 Example for Configuring a DHCPv6 PD Server
9.12.3 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in One Network Segment Connected to the Relay


9.12.4 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in Multiple Network Segments Connected to the Relay
9.12.5 Example for Configuring a DHCPv6 PD Client
9.12.6 Example for Configuring a DHCPv6 Client

10 IPv6 DNS configuration

10.1 IPv6 DNS Overview
10.2 Configuration Notes
10.3 Configuring the IPv6 DNS Client
10.3.1 Configuring the IPv6 Static Domain Name Resolution
10.3.2 Configuring the IPv6 Dynamic Domain Name Resolution
10.3.3 Checking the Configuration
10.4 Configuring IPv6 DNS Proxy or Relay
10.4.1 Configuring the DNS Server Address
10.4.2 (Optional) Configuring Static DNSv6 Entries
10.4.3 (Optional) Configuring IPv6 DNS Spoofing
10.4.4 Checking the Configuration
10.5 Maintaining IPv6 DNS
10.5.1 Clearing IPv6 DNS dynamic Entries
10.5.2 Clearing IPv6 DNS Forwarding Entries
10.5.3 Clearing Statistics on Sent and Received IPv6 DNS Packets
10.5.4 Monitoring the Running Status of IPv6 DNS
10.6 Configuration Examples
10.6.1 Example for Configuring IPv6 DNS
10.6.2 Example for Configuring IPv6 DNS Proxy

11 IPv6 over IPv4 Tunnel Configuration

11.1 IPv6 over IPv4 Tunnel Overview
11.2 Principles
11.2.1 Dual Protocol Stack
11.2.2 IPv6 over IPv4 Tunnel
11.3 Configuration Notes
11.4 Configuring the IPv4/IPv6 Dual Stack
11.4.1 Enabling IPv6 Packet Forwarding
11.4.2 Configuring an IPv4 Address and an IPv6 Address for Respective Interfaces
11.4.3 Checking the Configuration
11.5 Configuring an IPv6 over IPv4 Tunnel
11.5.1 Configuring a Manual IPv6 over IPv4 Tunnel
11.5.2 Configuring an Automatic IPv6 over IPv4 Tunnel
11.5.3 Configuring a 6to4 Tunnel
11.5.4 Configuring an ISATAP Tunnel
11.5.5 Checking the Configuration
11.6 Maintaining the IPv6 over IPv4 Tunnel
11.6.1 Monitoring the Running Status of the IPv6 over IPv4 Tunnel


11.7 Configuration Examples
11.7.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
11.7.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
11.7.3 Example for Configuring an Automatic IPv6 over IPv4 Tunnel
11.7.4 Example for Configuring 6to4 Relay
11.7.5 Example for Configuring an ISATAP Tunnel

12 IPv4 over IPv6 Tunnel Configuration

12.1 IPv4 over IPv6 Tunnel Overview
12.2 Configuration Notes
12.3 Configuring an IPv4 over IPv6 Tunnel
12.3.1 Configuring a Tunnel Interface
12.3.2 Configuring a Tunnel Route
12.3.3 Performing Other IPv4 over IPv6 Tunnel Configurations
12.3.4 Checking the Configuration
12.4 Maintaining the IPv4 over IPv6 Tunnel
12.4.1 Monitoring the Running Status of the IPv4 over IPv6 Tunnel
12.5 Configuration Examples
12.5.1 Example for Configuring an IPv4 over IPv6 Tunnel


1 IP Address Configuration

About This Chapter

Network devices can communicate at the network layer only after they are configured with IP
addresses.

1.1 IPv4 Overview


This section describes the definition and purpose of IPv4.
1.2 Configuration Notes
1.3 Principles
This section describes the implementation of IPv4.
1.4 Configuring IP Addresses for Interfaces
To enable network devices to communicate at the network layer, configure interface IP
addresses on the device.
1.5 Configuring an IP Unnumbered Interface
An IP unnumbered interface can borrow the IP address from another interface when the local
interface has no IP address.
1.6 Configuration Examples
This section provides examples to explain how to configure the primary IP address, secondary
IP addresses, and IP unnumbered on an interface.
1.7 Common Configuration Errors
This section describes common errors that may occur in IP address configuration. Learning
this section helps you avoid faults caused by incorrect IP address configuration.

1.1 IPv4 Overview


This section describes the definition and purpose of IPv4.

Definition
Internet Protocol Version 4 (IPv4) is the core protocol in the TCP/IP protocol suite. IPv4
works at the network layer in the TCP/IP model. This layer corresponds to the network layer
in the Open System Interconnection Reference Model (OSI RM). The network layer provides
connectionless data transmission. Each IP datagram is transmitted independently.

Purpose
IPv4 is used on the network layer between the data link layer and the transport layer. IPv4
shields the differences at the link layer and provides a uniform format for the data packets
transmitted at the transport layer.

1.2 Configuration Notes

Involved Network Elements


None

License Support
IP address functions are basic functions of routers and can be obtained without licenses.

Feature Dependencies and Limitations


None

1.3 Principles
This section describes the implementation of IPv4.

1.3.1 IPv4 Protocol Suite


Internet Protocol Version 4 (IPv4) is the core protocol in the TCP/IP protocol suite. The IPv4
protocol suite includes Address Resolution Protocol (ARP), Reverse Address Resolution
Protocol (RARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol
(TCP), and User Datagram Protocol (UDP).

Figure 1-1 IPv4 protocol suite

Transport layer: TCP, UDP
Network layer: ICMP, IP, RARP, ARP
Data link layer: Various network interfaces

As shown in Figure 1-1, ARP and RARP work between the data link layer and the network
layer for address resolution. ICMP works between the network layer and the transport layer to
ensure correct forwarding of IP datagrams.


ARP
ARP maps an IP address to a MAC address. ARP can be implemented in dynamic or static
mode. ARP provides some extended functions, such as proxy ARP, gratuitous ARP, ARP
security, and ARP-Ping.

RARP
RARP maps a MAC address to an IP address.

ICMP
ICMP works at the network layer to ensure correct forwarding of IP datagrams. ICMP allows
hosts and devices to report errors during packet transmission. An ICMP message is
encapsulated in an IP datagram as the data, and a header is added to the ICMP message to
form an IP datagram.

1.3.2 IPv4 Address


To connect a PC to the Internet, you need to apply for an IP address from the Internet Service
Provider (ISP).

An IP address is a numerical label assigned to each device on a computer network. An IPv4
address is a 32-bit binary number. IPv4 addresses are expressed in dotted decimal notation,
which helps you memorize and identify them. In dotted decimal notation, an IPv4 address is
written as four decimal numbers, one for each byte of the address. For example, the binary
IPv4 address 00001010 00000001 00000001 00000010 is written as 10.1.1.2 in dotted
decimal notation.

An IPv4 address consists of two parts:

• Network ID (Net-id): The network ID identifies a network. The IP address and subnet
  mask are converted to binary numbers, and the network ID is obtained by performing a
  bit-by-bit AND operation on the two.
• Host ID (Host-id): The host ID identifies different hosts on a network. Network devices
  with the same network ID are located on the same network, regardless of their physical
  locations. The IP address and subnet mask are converted to binary numbers, and the
  host ID is obtained by performing a bit-by-bit AND operation on the IP address and the
  inverse of the subnet mask.

Characteristics of IPv4 Addresses


IPv4 addresses have the following characteristics:

• IP addresses do not show any geographical information. The network ID represents the
  network to which a host belongs.
• When a host connects to two networks simultaneously, it must have two IP addresses
  with different network IDs. In this case, the host is called a multihomed host.
• Networks allocated with the network ID are in the same class.


IPv4 Address Classification


As shown in Figure 1-2, IP addresses are classified into five classes to facilitate IP address
management and networking.

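Figure 1-2 Five classes of IP addresses

Bit positions: 0, 7, 15, 23, 31
Class A: leading bit 0, followed by Net-id and Host-id
Class B: leading bits 1 0, followed by Net-id and Host-id
Class C: leading bits 1 1 0, followed by Net-id and Host-id
Class D: leading bits 1 1 1 0, followed by the multicast address
Class E: leading bits 1 1 1 1, reserved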

At present, most IP addresses in use belong to Class A, Class B, or Class C. Class D addresses
are multicast addresses and Class E addresses are reserved. The easiest way to determine the
class of an IP address is to check the first bits in its network ID. The class fields of Class A,
Class B, Class C, Class D, and Class E are binary digits 0, 10, 110, 1110, and 1111
respectively.

Certain IP addresses are reserved, and they cannot be allocated to users. Table 1-1 lists the
ranges of IP addresses for the five classes.

Table 1-1 IP address classes and ranges

| Class | Range | Description |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network. |
| B | 128.0.0.0 to 191.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network. |
| C | 192.0.0.0 to 223.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network. |
| D | 224.0.0.0 to 239.255.255.255 | Class D addresses are multicast addresses. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved. The IP address 255.255.255.255 is used as a Local Area Network (LAN) broadcast address. |

Special IPv4 Addresses

Table 1-2 Special IP addresses

| Network ID | Host ID | Used as a Source Address | Used as a Destination Address | Description |
|---|---|---|---|---|
| All 0s | All 0s | Yes | No | Used by local hosts on a local network. |
| All 0s | Host ID | Yes | No | Used by specified hosts on a network. |
| 127 | Any value except all 0s or all 1s | Yes | Yes | Used as loopback addresses. |
| All 1s | All 1s | No | Yes | Limited broadcast address (packets with this IP address will never be forwarded). |
| Net-id | All 1s | No | Yes | Directed broadcast address (packets with this IP address are broadcast on the specified network). |

NOTE

Net-id is not all 0s, all 1s, or 127.

Private IPv4 Addresses


Private IP addresses are used to solve the problem of IP address shortage. Private addresses
are used on internal networks or hosts, and cannot be used on the public network.

Table 1-3 Private IP addresses

| Class | Range |
|---|---|
| A | 10.0.0.0 to 10.255.255.255 |
| B | 172.16.0.0 to 172.31.255.255 |
| C | 192.168.0.0 to 192.168.255.255 |


1.3.3 IPv4 Packet Format


Figure 1-3 shows the IPv4 packet format.

Figure 1-3 IPv4 packet format

Bit positions: 0, 4, 8, 16, 19, 24, 31
Header: Version | Header Length | ToS | Total length
        Identifier | Flags | Fragment offset
        TTL | Protocol | Header checksum
        Source IP address
        Destination IP address
        Options (variable length)
Data

An IPv4 datagram consists of a header and a data field. The first 20 bytes in the header are
mandatory for all IPv4 datagrams. The Options field following the 20 bytes has a variable
length.
Table 1-4 describes the meaning of each field in an IPv4 packet.

Table 1-4 Description of each field in an IPv4 packet

| Field | Length | Description |
|---|---|---|
| Version | 4 bits | Specifies the IP protocol version, IPv4 or IPv6. |
| Header Length | 4 bits | Specifies the length of the IPv4 header. |
| Type of Service (ToS) | 8 bits | Specifies the type of service. This field takes effect only in the differentiated service model. |
| Total Length | 16 bits | Specifies the length of the header and data. |
| Identification | 16 bits | IPv4 software maintains a counter in the storage device to record the number of IP datagrams. The counter value increases by 1 every time a datagram is sent, and is filled in the identification field. |
| Flags | 3 bits | Only the rightmost two bits are valid. The rightmost bit indicates whether the datagram is not the last data fragment. The value 1 indicates the last fragment, and the value 0 indicates non-last fragment. The middle bit is the fragmentation flag. The value 1 indicates that the datagram cannot be fragmented, and the value 0 indicates that the datagram can be fragmented. |
| Fragment Offset | 13 bits | Specifies the location of a fragment in a packet. |
| Time to Live (TTL) | 8 bits | Specifies the life span of a datagram on a network. TTL is measured by the number of hops. |
| Protocol | 8 bits | Specifies the type of the protocol carried in the datagram. |
| Header Checksum | 16 bits | A device calculates the header checksum for each datagram received. If the checksum is 0, the device knows that the header remains unchanged and retains the datagram. This field checks only the header but not the data. |
| Source IP Address | 32 bits | Specifies the IPv4 address of a sender. |
| Destination IP Address | 32 bits | Specifies the IPv4 address of a receiver. |
| Options | 0-40 bytes (variable length) | Allows IPv4 to support various options such as fault handling, measurement, and security. Pad bytes with a value of 0 are added if necessary. |
| Data | Variable | Pads an IP datagram. |
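
The following added example (not part of the original guide) parses the header laid out in Figure 1-3 and Table 1-4 and applies the receive-side checks a device makes: version, header length, total length, and a header checksum that must evaluate to 0. The sample datagram, its addresses and its option bytes are constructed for illustration; the 32-bit-word unit of Header Length and the 8-byte unit of Fragment Offset come from RFC 791.

```python
import struct


def checksum16(data: bytes) -> int:
    """Complemented one's-complement sum of the 16-bit words in data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Validate and decode an IPv4 header; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte mandatory header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version field is {version})")
    header_len = ihl * 4                    # Header Length counts 32-bit words
    if not 20 <= header_len <= len(packet):
        raise ValueError("bad header length")
    if not header_len <= total_len <= len(packet):
        raise ValueError("bad total length")
    # Summing the header with its checksum field included must give 0.
    if checksum16(packet[:header_len]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),    # middle flag bit: do not fragment
        "mf": bool(flags_frag & 0x2000),    # rightmost flag bit: more fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # bytes
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": packet[20:header_len],
        "payload": packet[header_len:total_len],
    }


def build_sample() -> bytes:
    """Constructed datagram: 24-byte header (one option word) plus payload."""
    options = bytes([1, 1, 1, 0])           # NOP, NOP, NOP, End of Option List
    payload = b"constructed"
    header_len = 20 + len(options)
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | (header_len // 4),       # Version 4, Header Length 6 words
        0,                                  # ToS
        header_len + len(payload),          # Total Length
        0x1234,                             # Identification
        0x4000,                             # Flags: DF set, offset 0
        64,                                 # TTL
        17,                                 # Protocol number (17 = UDP)
        0,                                  # checksum placeholder
        bytes([10, 1, 1, 2]),               # source (constructed)
        bytes([10, 1, 2, 2]),               # destination (constructed)
    )
    header = bytearray(fixed + options)
    struct.pack_into("!H", header, 10, checksum16(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    for name, value in parse_ipv4_header(build_sample()).items():
        print(f"{name:16} {value}")
```
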

1.3.4 Subnetting
A network can be divided into multiple subnets to conserve IP address space and support
flexible IP addressing.
When many hosts are distributed on an internal network, the internal host IDs can be divided
into multiple subnet IDs to facilitate management. Then the entire network contains multiple
small networks.
Subnetting is implemented within the internal network. The internal network has only one
network ID for the external network. When packets are transmitted from the external network
to the internal network, the device on the internal network selects a route for the packets based
on the subnet ID and finds the destination host.
Figure 1-4 shows subnetting of a Class B IP address. The subnet mask consists of a string of
continuous 1s and 0s. 1s indicate the network ID and the subnet ID field, and 0s indicate the
host ID.


Figure 1-4 Subnetting of IP addresses

Bit positions: 7, 15, 20, 31
Class B address: Net-id | Host-id
Mask:            11111111 11111111 00000000 00000000
Subnet:          Net-id | Subnet-id | Host-id
Mask:            11111111 11111111 11111000 00000000

As shown in Figure 1-4, the first 5 bits of the host ID are used as the subnet ID. The subnet ID
ranges from 00000 to 11111, allowing a maximum of 32 (2^5) subnets. Each subnet ID has a
subnet mask. For example, the subnet mask of the subnet ID 11111 is 255.255.248.0. After
performing an AND operation on the IP address and the subnet mask, you can obtain the
network address.

Subnetting reduces the available IP addresses. For example, a Class B IP address contains
65534 (2^16 - 2) host IDs. After 5 bits in the host ID are used as the subnet ID, there can be a
maximum of 32 subnets, each having an 11-bit host ID. Each subnet has a maximum of 2046
host IDs (2^11 - 2, excluding the host IDs with all 1s and all 0s). Therefore, the IP address has a
maximum of 65472 (32 x 2046) host IDs, 62 fewer than the maximum number of host IDs
before subnetting.
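
The following added example (not part of the original guide) carries out the bit operations described in 1.3.2 and in this section: class detection from the leading bits, the AND operations that yield the network ID and host ID, and the 5-bit subnetting of a Class B network. The network 172.16.0.0 is taken from Table 1-3 as a sample Class B network; the function names are hypothetical.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def address_class(dotted: str) -> str:
    """Class from the leading bits: 0, 10, 110, 1110, 1111."""
    first = to_int(dotted) >> 24
    if first & 0x80 == 0x00:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def prefix_length(mask: str) -> int:
    """Number of leading 1s; rejects masks that are not continuous 1s then 0s."""
    inverted = ~to_int(mask) & ALL_ONES
    if inverted & (inverted + 1):           # inverted mask must be 2^n - 1
        raise ValueError(f"{mask} is not a string of continuous 1s and 0s")
    return 32 - inverted.bit_length()


def split(dotted: str, mask: str) -> tuple:
    """(network ID, host ID): address AND mask, address AND inverted mask."""
    prefix_length(mask)                     # validate the mask first
    addr, m = to_int(dotted), to_int(mask)
    return to_dotted(addr & m), addr & ~m & ALL_ONES


def subnet_plan(network: str, class_prefix: int, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host ID of a classful network."""
    host_bits = 32 - class_prefix - subnet_bits
    if host_bits < 2:
        raise ValueError("no usable host IDs left")
    class_mask = (ALL_ONES << (32 - class_prefix)) & ALL_ONES
    subnet_mask = (ALL_ONES << host_bits) & ALL_ONES
    base = to_int(network) & class_mask
    subnets = [to_dotted(base | (i << host_bits)) for i in range(2 ** subnet_bits)]
    hosts_each = 2 ** host_bits - 2         # all-0 and all-1 host IDs excluded
    return {
        "mask": to_dotted(subnet_mask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_each,
        "total_hosts": len(subnets) * hosts_each,
        "hosts_before": 2 ** (32 - class_prefix) - 2,
    }


if __name__ == "__main__":
    print(address_class("10.1.1.2"), split("10.1.1.2", "255.255.255.0"))
    plan = subnet_plan("172.16.0.0", class_prefix=16, subnet_bits=5)
    print(plan["mask"], len(plan["subnets"]), plan["hosts_per_subnet"],
          plan["total_hosts"], plan["hosts_before"] - plan["total_hosts"])
```
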

To implement efficient network planning, subnetting and IP addressing should abide by the
following rules.

Hierarchy
To divide a network into multiple layers, you need to consider geographic and service factors.
Use a top-down subnetting mode to facilitate network management and simplify routing
tables. In most cases:

• A network consisting of a backbone network and a MAN is divided into hierarchical
  subnets.
• An administrative network is divided into subnets based on administrative levels.

Consecutiveness
Consecutive addresses facilitate route summarization on a hierarchical network, which greatly
reduces the number of routing entries and improves route search efficiency.

• Allocate consecutive IP addresses to each area.
• Allocate consecutive IP addresses to devices that have the same services and functions.

Scalability
When allocating addresses, reserve certain addresses on each layer to ensure consecutive
address allocation in future network expansion.

A backbone network must have enough consecutive addresses for independent autonomous
systems (ASs) and further network expansion.


Efficiency
When planning subnets, fully utilize address resources to ensure that the subnets are sufficient
for hosts.
• Allocate IP addresses by using variable-length subnet masking (VLSM) to fully use
  address resources.
• Consider the routing mechanisms in IP address planning to improve address utilization
  efficiency in the allocated address spaces.

1.3.5 IP Address Resolution


For users to use IP addresses normally, the following resolutions are required:
• An IP address is a network layer address of a host. To transmit data packets to a
  destination host, the device must obtain the physical address of the host. Therefore, the
  IP address must be resolved to a physical address.
• A host name is easier to remember than an IP address. Therefore, the host name needs to
  be resolved to the IP address.
On Ethernet, the physical address of a host is the MAC address. The DNS server resolves a
host name to an IP address. ARP resolves an IP address to a MAC address. For details, see 4
DNS Configuration and 2 ARP Configuration.

1.4 Configuring IP Addresses for Interfaces


To enable network devices to communicate at the network layer, configure interface IP
addresses on the device.

Pre-configuration Tasks
Before configuring IP addresses for interfaces, complete the following tasks:
- Setting link layer parameters for the interfaces to ensure that the link layer protocol
status of the interfaces is Up

1.4.1 Configuring a Primary IP Address for an Interface

Context
Interfaces on the same industrial switch router can be assigned IP addresses on overlapping
network segments, but the IP addresses cannot be located on the same network segment. For
example, an interface has been assigned 20.1.1.1/16. If you assign 20.1.1.2/24 to another
interface on the same industrial switch router, the system displays a warning message but the
configuration succeeds. If you assign 20.1.1.2/16 to another interface, the system displays an
error message, indicating that the configuration fails because of an IP address conflict.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface.

By default, no IP address is configured for an interface.

Each interface has only one primary IP address. If you configure multiple primary IP
addresses for an interface, the last configured IP address becomes the primary IP address of
the interface.

----End

1.4.2 (Optional) Configuring a Secondary IP Address for an Interface

Context
Generally, an interface needs only a primary IP address. In some special scenarios, you need
to configure secondary IP addresses for an interface. For example, an industrial switch router
connects to a physical network through an interface, and hosts on this network belong to two
network segments. To enable the industrial switch router to communicate with all hosts on the
physical network, configure a primary IP address and a secondary IP address for this
interface. You can configure multiple IP addresses for a Layer 3 interface on an industrial switch
router, one as the primary IP address, and the others as secondary IP addresses. Each Layer 3
interface can have a maximum of 31 secondary IP addresses.

The primary and secondary IP addresses of an interface can be located on overlapping
network segments but not the same network segment. For example, if an interface has been
assigned a primary IP address 20.1.1.1/24 and you assign secondary IP address 20.1.1.2/16
sub to this interface, the system displays a warning message but the configuration succeeds.

The primary IP address of one interface and secondary IP address of another interface on the
same industrial switch router can be located on overlapping network segments but not on the
same network segment. For example, if an interface has been assigned a primary IP address
20.1.1.1/16 and you assign secondary IP address 20.1.1.2/24 sub to another interface on the
industrial switch router, the system displays a warning message but the configuration
succeeds.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length } sub

A secondary IP address is configured for the interface.

----End

1.4.3 Checking the Configuration

Procedure
- Run the display interface [ interface-type [ interface-number ] ] command to check
information about an interface.
- Run the display ip interface [ interface-type interface-number ] command to check the
IP address configuration of an interface.
- Run the display ip interface brief [ interface-type [ interface-number ] ] command to
check brief information about interface IP addresses.
----End
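
The address rule from 1.4.1 and 1.4.2 (overlapping segments produce a warning, the same segment is rejected) can also be checked offline before a configuration is loaded. The Python linter below is an added example, not Huawei code: it assumes "same network segment" means an identical network and prefix length, which matches the examples above, and SAMPLE_CONFIG, parse_mask and lint are hypothetical names with constructed data.

```python
import ipaddress
import re

# Constructed sample in the style of this guide's configuration files.
# GE2/0/0 repeats the 20.1.0.0/16 segment and LoopBack0 has a mistyped mask.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.0.0
 ip address 20.1.1.2 255.255.255.0 sub
#
interface GigabitEthernet2/0/0
 ip address 20.1.9.9 255.255.0.0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.225.0
#
interface Tunnel0/0/15
 ip address unnumbered interface LoopBack0
#
return
"""

# Matches numbered addresses only; "ip address unnumbered ..." does not match.
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( sub)?\s*$")


def parse_mask(mask):
    """Return the prefix length for a dotted mask or mask-length, or None if invalid."""
    if mask.isdecimal():
        return int(mask) if int(mask) <= 32 else None
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return None
    host_bits = bits ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # the ones in the mask are not contiguous
        return None
    return 32 - host_bits.bit_length()


def parse_addresses(config):
    """Yield (interface, address, mask) for every numbered 'ip address' line."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        match = ADDR_RE.match(line)
        if match and current:
            yield current, match.group(1), match.group(2)


def lint(config):
    """Return (severity, kind, detail) findings for one device configuration."""
    findings, valid = [], []
    for ifname, addr, mask in parse_addresses(config):
        plen = parse_mask(mask)
        if plen is None:
            findings.append(("error", "invalid-mask", f"{ifname}: {addr} {mask}"))
            continue
        try:
            valid.append((ifname, ipaddress.ip_interface(f"{addr}/{plen}")))
        except ValueError:
            findings.append(("error", "invalid-address", f"{ifname}: {addr}"))
    # Compare every pair of addresses on the device, primary or secondary.
    for i, (if_a, a) in enumerate(valid):
        for if_b, b in valid[i + 1:]:
            detail = f"{if_a} {a} vs {if_b} {b}"
            if a.network == b.network:
                findings.append(("error", "same-segment", detail))
            elif a.network.overlaps(b.network):
                findings.append(("warning", "overlap", detail))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in lint(SAMPLE_CONFIG):
        print(f"{severity:7} {kind:13} {detail}")
```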

1.5 Configuring an IP Unnumbered Interface


An IP unnumbered interface can borrow the IP address from another interface when the local
interface has no IP address.

Pre-configuration Tasks
Before configuring an IP unnumbered interface, complete the following tasks:
- Setting link layer parameters for the interfaces to ensure that the link layer protocol
status of the interfaces is Up

1.5.1 Configuring a Primary IP Address for the IP Numbered Interface

Context
An IP unnumbered interface cannot run dynamic routing protocols because it does not have
an IP address itself. To enable the interface to communicate with a peer network segment,
configure a static route to the network segment.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


IP unnumbered interfaces can borrow IP addresses from Ethernet, Loopback, Eth-Trunk, and
VLANIF interfaces.

Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface.

Each interface has only one primary IP address. If you configure multiple primary IP
addresses for an interface, the last configured IP address becomes the primary IP address of
the interface.

----End

1.5.2 Configuring an IP address Unnumbered Interface

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

- IP unnumbered can be configured on PPP, HDLC, and Tunnel interfaces.
- Ethernet interfaces can borrow IP addresses from Loopback interfaces.

Step 3 Run:
ip address unnumbered interface interface-type interface-number

The interface is configured to borrow the IP address from a specified interface.

----End

1.5.3 Checking the Configuration

Procedure
- Run the display ip interface [ interface-type interface-number ] command to check the
IP address configuration of an interface.
- Run the display ip interface brief [ interface-type [ interface-number ] ] command to
check brief information about interface IP addresses.

----End

1.6 Configuration Examples


This section provides examples to explain how to configure the primary IP address, secondary
IP addresses, and IP unnumbered on an interface.


1.6.1 Example for Configuring Primary and Secondary IP Addresses for an Interface

Networking Requirements
As shown in Figure 1-5, the Router has only one idle interface GE1/0/0 to connect to a LAN.
The hosts on the LAN are located on two network segments: 10.16.1.0/24 and 10.16.2.0/24.
The interface must be configured with two IP addresses to provide access for hosts on the two
network segments.

Figure 1-5 Network diagram for IP addresses configuration
(Router GE1/0/0: 10.16.1.1/24 and 10.16.2.1/24 sub; LAN hosts: 10.16.1.2/24, 10.16.1.3/24, 10.16.2.2/24, 10.16.2.3/24)

Configuration Roadmap
The configuration roadmap is as follows:
Configure a primary IP address and a secondary IP address for the interface.

NOTE

IP addresses of the same interface must be on different network segments.

Procedure
Step 1 Configure a primary IP address and a secondary IP address for GE1/0/0.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] undo portswitch
[Huawei-GigabitEthernet1/0/0] ip address 10.16.1.1 24
[Huawei-GigabitEthernet1/0/0] ip address 10.16.2.1 24 sub

Step 2 Verify the configuration.


# Ping a host on network segment 10.16.1.0/24 from the Router. The ping operation succeeds.
<Huawei> ping 10.16.1.2
PING 10.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 10.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 10.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 10.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 10.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 10.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms

# Ping a host on network segment 10.16.2.0/24 from the Router. The ping operation succeeds.
<Huawei> ping 10.16.2.2
PING 10.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 10.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 10.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 10.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

# Hosts on the two network segments can ping each other.

----End

Configuration Files
Configuration file of the Router
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.16.1.1 255.255.255.0
 ip address 10.16.2.1 255.255.255.0 sub
#
return

1.6.2 Example for Configuring an IP Unnumbered Interface


Networking Requirements
As shown in Figure 1-6, RouterA and RouterC are interconnected through a tunnel. Tunnel
interfaces (Tunnel0/0/15) of RouterA and RouterC are seldom used, so they have no IP
address configured. IP unnumbered needs to be configured on the tunnel interfaces so that the
two routers can communicate through the tunnel.


Figure 1-6 Network diagram for IP unnumbered interface configuration
(RouterA: GE1/0/0 20.1.1.1/24, Loopback 0 10.1.1.1/24, Tunnel0/0/15; RouterB: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24; RouterC: GE1/0/0 30.1.1.2/24, Loopback 0 10.1.2.1/24, Tunnel0/0/15; PC 1 and PC 2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF to ensure that there are reachable routes between RouterA and RouterC.
2. Create tunnel interfaces on RouterA and RouterC and configure the tunnel interfaces to
borrow IP addresses from loopback interfaces to save IP addresses.

Procedure
Step 1 Configure IP addresses for physical interfaces.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 10.1.1.1 255.255.255.0
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 20.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ip address 30.1.1.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface loopback 0
[RouterC-LoopBack0] ip address 10.1.2.1 255.255.255.0
[RouterC-LoopBack0] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] undo portswitch
[RouterC-GigabitEthernet1/0/0] ip address 30.1.1.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit

Step 2 Configure OSPF.


# Configure RouterA.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure RouterB.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure RouterC.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

# After the preceding configurations, run the display ip routing-table command on RouterA
and RouterC. The command output shows that RouterA and RouterC have learned OSPF
routes to the network segment of the peer.
# The following uses the display on RouterA as an example.
[RouterA] display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 1        Routes : 1

OSPF routing table status : <Active>
         Destinations : 1        Routes : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       30.1.1.0/24  OSPF    10   2           D   20.1.1.2        GigabitEthernet1/0/0

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0


Step 3 Configure tunnel interfaces.


# Configure RouterA.
[RouterA] interface tunnel 0/0/15
[RouterA-Tunnel0/0/15] tunnel-protocol gre
[RouterA-Tunnel0/0/15] ip address unnumbered interface loopback 0
[RouterA-Tunnel0/0/15] source 20.1.1.1
[RouterA-Tunnel0/0/15] destination 30.1.1.2
[RouterA-Tunnel0/0/15] quit

# Configure RouterC.
[RouterC] interface tunnel 0/0/15
[RouterC-Tunnel0/0/15] tunnel-protocol gre
[RouterC-Tunnel0/0/15] ip address unnumbered interface loopback 0
[RouterC-Tunnel0/0/15] source 30.1.1.2
[RouterC-Tunnel0/0/15] destination 20.1.1.1
[RouterC-Tunnel0/0/15] quit

Step 4 Configure static routes.


# Configure RouterA.
[RouterA] ip route-static 10.1.2.0 24 tunnel 0/0/15

# Configure RouterC.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/15

Step 5 Verify the configuration.


# Ping 10.1.2.1 from RouterA.
[RouterA] ping 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 10.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

----End

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 20.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/15
 ip address unnumbered interface LoopBack0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/15
#
return
- Configuration file of RouterB
#
sysname RouterB
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return
- Configuration file of RouterC
#
sysname RouterC
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 30.1.1.2 255.255.255.0
#
interface LoopBack0
 ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/15
 ip address unnumbered interface LoopBack0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
ospf 1
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/15
#
return

1.7 Common Configuration Errors


This section describes common errors that may occur in IP address configuration. Learning
this section helps you avoid faults caused by incorrect IP address configuration.

1.7.1 IP Address Configuration Fails on an Interface


Fault Analysis
An error occurs in IP address configuration, so the configuration fails.

Procedure
- Check the error message and rectify the fault according to Table 1-5.

Table 1-5 Error messages and ways to rectify faults

Error Message: Error: The specified IP address is invalid.
Description: The IP address or subnet mask is incorrect.
Troubleshooting Method: Configure the IP address or subnet mask correctly.
- The IP address must be a Class A, Class B, or Class C IP address.
- The subnet mask must match the IP address.

Error Message: Error: The specified address conflicts with another address.
Description: The specified IP address is on the same network segment as the IP address of another interface on the local device.
Troubleshooting Method: Configure another IP address for the interface.

Error Message: Error: The specified primary address does not exist.
Description: The primary IP address to be deleted does not exist.
NOTE: Each interface has only one primary IP address. If you configure multiple primary IP addresses for an interface, the last configured IP address becomes the primary IP address of the interface.
Troubleshooting Method: You do not need to delete the IP address.

Error Message: Error: Please configure the primary address in the interface view first.
Description: The secondary IP address cannot be configured because the primary IP address has not been configured for the interface.
Troubleshooting Method: Configure a primary IP address for the interface first.

Error Message: Error: The number of addresses of the specified interface reached the upper limit (32).
Description: The number of secondary IP addresses on the interface exceeds the maximum; therefore, no more secondary IP address can be configured.
NOTE: Each interface can have a maximum of 32 IP addresses, including one primary IP address and 31 secondary IP addresses.
Troubleshooting Method: -

Error Message: Error: Please delete the sub address in the interface view first.
Description: The primary IP address cannot be deleted because the interface has secondary IP addresses.
Troubleshooting Method: Delete all the secondary IP addresses from the interface, and then delete the primary IP address.

Error Message: Error: The specified address cannot be deleted because it is not the primary address of this interface.
Description: The command used to delete a primary IP address cannot delete a secondary IP address.
Troubleshooting Method: Run the undo ip address ip-address { mask | mask-length } sub command to delete the secondary IP address.

Error Message: Error: The specified sub address does not exist.
Description: The secondary IP address to be deleted does not exist.
Troubleshooting Method: You do not need to delete the IP address.

Error Message: Error: The address already exists.
Description: The interface has been configured with the same IP address.
Troubleshooting Method: Configure a different IP address for the interface.

----End


2 ARP Configuration

About This Chapter

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that
Ethernet frames can be transmitted on a physical network.
2.1 ARP Overview
This section describes the definition, background, and functions of ARP.
2.2 Principles
This section describes the implementation of ARP.
2.3 Configuration Task Summary
ARP can be a dynamic ARP or a static ARP. ARP provides some extended functions, such as
proxy ARP, ARP-Ping.
2.4 Licensing Requirements and Limitations for ARP
2.5 Default Configuration
This section describes default ARP configurations.
2.6 Configuring ARP
This section describes the procedures for configuring ARP.
2.7 Maintaining ARP
Maintaining ARP includes clearing ARP entries and monitoring ARP running status.
2.8 Configuration Examples
This section provides configuration examples including networking requirements and
configuration roadmap.

2.1 ARP Overview


This section describes the definition, background, and functions of ARP.

Definition
The Address Resolution Protocol (ARP) maps IP addresses into MAC addresses.


Purpose
On a local area network (LAN), a host or a network device must learn the IP address of the
destination host or device before sending data to it. Additionally, the host or network device
must learn the physical address of the destination host or device because IP packets must be
encapsulated into frames for transmission over a physical network. Therefore, the mapping
from an IP address into a physical address is required. ARP is used to map IP addresses into
physical addresses.

2.2 Principles
This section describes the implementation of ARP.

2.2.1 ARP Principles

Format of ARP Packets


Figure 2-1 shows the format of an ARP Request or Reply packet.

Figure 2-1 Format of an ARP Request or Reply packet

Bit positions: 0, 15, 23, 31 (each row below is 32 bits wide)

Ethernet Address of destination (0-31)
Ethernet Address of destination (32-47) | Ethernet Address of sender (0-15)
Ethernet Address of sender (16-47)
Frame Type | Hardware Type
Protocol Type | Hardware Length | Protocol Length
OP | Ethernet Address of sender (0-15)
Ethernet Address of sender (16-47)
IP Address of sender
Ethernet Address of destination (0-31)
Ethernet Address of destination (32-47) | IP Address of destination (0-15)
IP Address of destination (16-31)

Description of the main fields is as follows:

- Hardware Type: indicates the hardware address type. For an Ethernet, the value of this
field is 1.
- Protocol Type: indicates the type of the protocol address to be mapped. For an IP
address, the value of this field is 0x0800.
- Hardware Length: indicates the hardware address length. For an ARP Request or Reply
packet, the value of this field is 6.
- Protocol Length: indicates the protocol address length. For an ARP Request or Reply
packet, the value of this field is 4.
- OP: indicates the operation type. The value 1 indicates ARP requesting, and the value 2
indicates ARP replying.
- Ethernet Address of sender: indicates the MAC address of the sender.
- IP Address of sender: indicates the IP address of the sender.
- Ethernet Address of destination: indicates the MAC address of the receiver.
- IP Address of destination: indicates the IP address of the receiver.
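
The field layout of Figure 2-1 maps directly onto a fixed 42-byte structure, so a frame can be parsed and checked against the field values listed above. The Python parser below is an added example, not Huawei code; the MAC addresses and frames are constructed, the ARP EtherType 0x0806 is not stated on this page, and the comparison of the Ethernet sender with the ARP sender MAC is an extra consistency check a defender would typically add.

```python
import ipaddress
import struct

# Ethernet header (destination, sender, frame type) followed by the ARP fields,
# in the order shown in Figure 2-1. "!" selects network byte order, no padding.
LAYOUT = struct.Struct("!6s6sH" "HHBBH" "6s4s6s4s")
FIELDS = ("eth_dst", "eth_src", "frame_type", "hw_type", "proto_type",
          "hw_len", "proto_len", "op", "sender_mac", "sender_ip",
          "target_mac", "target_ip")
EXPECTED = {"frame_type": 0x0806,  # EtherType for ARP (not stated on this page)
            "hw_type": 1, "proto_type": 0x0800, "hw_len": 6, "proto_len": 4}
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def parse_arp(frame):
    """Split a raw Ethernet frame carrying ARP into named fields."""
    if len(frame) < LAYOUT.size:
        raise ValueError(f"frame too short: {len(frame)} < {LAYOUT.size} bytes")
    fields = dict(zip(FIELDS, LAYOUT.unpack_from(frame)))
    for key in ("sender_ip", "target_ip"):
        fields[key] = str(ipaddress.IPv4Address(fields[key]))
    return fields


def check_arp(f):
    """Return a list of deviations from the field values described for Figure 2-1."""
    problems = [f"{name} is {f[name]:#06x}, expected {want:#06x}"
                for name, want in EXPECTED.items() if f[name] != want]
    if f["op"] not in (1, 2):
        problems.append(f"unknown OP {f['op']}")
    if f["eth_src"] != f["sender_mac"]:
        problems.append("Ethernet sender differs from ARP sender MAC")
    if f["op"] == 1 and f["eth_dst"] == BROADCAST and f["target_mac"] != ZERO_MAC:
        problems.append("broadcast request carries a non-zero destination MAC")
    return problems


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a frame for the constructed samples below."""
    return LAYOUT.pack(eth_dst, eth_src, 0x0806, 1, 0x0800, 6, 4, op,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)


# Constructed samples: HOSTA (10.16.1.2) resolves HOSTB (10.16.1.3).
HOSTA_MAC = bytes.fromhex("02000000000a")
HOSTB_MAC = bytes.fromhex("02000000000b")
OTHER_MAC = bytes.fromhex("02000000000c")
REQUEST = build_arp(BROADCAST, HOSTA_MAC, 1, HOSTA_MAC, "10.16.1.2", ZERO_MAC, "10.16.1.3")
REPLY = build_arp(HOSTA_MAC, HOSTB_MAC, 2, HOSTB_MAC, "10.16.1.3", HOSTA_MAC, "10.16.1.2")
# A reply whose Ethernet sender does not match the MAC claimed in the ARP body.
MISMATCH = build_arp(HOSTA_MAC, OTHER_MAC, 2, HOSTB_MAC, "10.16.1.3", HOSTA_MAC, "10.16.1.2")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY), ("mismatch", MISMATCH)):
        print(name, check_arp(parse_arp(frame)) or "ok")
```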

Address Resolution Process


ARP completes address resolution through two processes: ARP request process and ARP
reply process.

Figure 2-2 ARP request process (HOSTA sends an ARP Request; HOSTB is on the same network segment)

As shown in Figure 2-2, HOSTA and HOSTB are on the same network segment. HOSTA
needs to send IP packets to HOSTB.
HOSTA searches the local ARP table for the ARP entry corresponding to HOSTB. If the
corresponding ARP entry is found, HOSTA encapsulates the IP packets into Ethernet frames
and forwards them to HOSTB based on its MAC address.
If the corresponding ARP entry is not found, HOSTA caches the IP packets and broadcasts an
ARP Request packet. In the ARP Request packet, the IP address and MAC address of the
sender are the IP address and MAC address of HOSTA. The destination IP address is the IP
address of HOSTB, and the destination MAC address contains all 0s. All hosts on the same
network segment can receive the ARP Request packet, but only HOSTB processes the packet.

Figure 2-3 ARP reply process (HOSTB sends an ARP Reply to HOSTA)


HOSTB compares its IP address with the destination IP address in the ARP Request packet. If
HOSTB finds that its IP address is the same as the destination IP address, HOSTB adds the IP
address and MAC address of the sender (HOSTA) to the local ARP table. Then HOSTB
unicasts an ARP Reply packet, which contains its MAC address, to HOSTA, as shown in
Figure 2-3.

After receiving the ARP Reply packet, HOSTA adds HOSTB's MAC address into the local
ARP table. Meanwhile, HOSTA encapsulates the IP packets and forwards them to HOSTB.

ARP Aging Mechanism


- ARP cache (ARP table)
If HOSTA broadcasts an ARP Request packet every time it communicates with HOSTB,
the communication traffic on the network will increase. Furthermore, all hosts on the
network have to receive and process the ARP Request packet, which decreases network
efficiency.
To solve the preceding problems, each host maintains an ARP cache, which is the key to
efficient operation of ARP. This cache contains the recent mapping from IP addresses to
MAC addresses.
Before sending IP packets, a host searches the cache for the MAC address corresponding
to the destination IP address. If the cache contains the MAC address, the host does not
send an ARP Request packet but directly sends the IP packets to the destination MAC
address. If the cache does not contain the MAC address, the host broadcasts an ARP
Request packet on the network.
- Aging time of dynamic ARP entries
After HOSTA receives the ARP Reply packet from HOSTB, HOSTA adds the mapping
between the IP address and the MAC address of HOSTB to the ARP cache. However, if
a fault occurs on HOSTB or the network adapter of HOSTB is replaced but HOSTA is
not notified, HOSTA still sends IP packets to HOSTB. This fault occurs because the
ARP entry of HOSTB in the ARP cache on HOSTA is not updated.
To reduce address resolution errors, a timer is set for each ARP entry in an ARP cache.
When a dynamic ARP entry expires, the device sends ARP aging probe packets to the
corresponding host. If the host does not respond, the ARP entry is deleted; otherwise, the
ARP entry is saved.
Configuring the timer reduces address resolution errors but does not eliminate the
problem because of the time delay. Specifically, if the length of a dynamic ARP entry
timer is N seconds, the sender can detect the fault on the receiver after N seconds.
During the N seconds, the cache on the sender is not updated.
- Number of probes for aging dynamic ARP entries
Besides setting a timer for dynamic ARP entries, you can set the number of probes for
aging dynamic ARP entries to reduce address resolution errors. Before aging a dynamic
ARP entry, a host sends ARP aging probe packets. If the host receives no ARP Reply
packet after the number of probes reaches the maximum number, the ARP entry is
deleted.
- Aging probe modes for dynamic ARP entries
Before a dynamic ARP entry on a device is aged out, the device sends ARP aging probe
packets to other devices on the same network segment. An ARP aging probe packet can
be a unicast or broadcast packet. By default, a device sends the last ARP aging probe
message in broadcast mode, and the remaining ARP aging probe messages in unicast
mode.


If the IP address of the peer device remains the same but the MAC address changes
frequently, it is recommended that you configure ARP aging probe packets to be
broadcast.
If the MAC address of the peer device remains the same, the network bandwidth is
insufficient, and the aging time of ARP entries is short, it is recommended that you
configure ARP aging probe packets to be unicast.
When a non-Huawei device connected to a Huawei device receives an ARP aging probe
packet whose destination MAC address is a broadcast address, the non-Huawei device
checks the ARP table. If the mapping between the IP address and the MAC address of
the Huawei device exists in the ARP table, the non-Huawei device drops the ARP aging
probe packet. The Huawei device cannot receive a response and therefore deletes the
corresponding ARP entry. As a result, traffic from the network cannot be forwarded. In
this scenario, the Huawei device needs to send ARP aging probe packets in unicast mode
and the non-Huawei device needs to respond to the ARP aging probe packets.
- Layer 2 topology detection
The Layer 2 topology detection function enables a device to retransmit ARP probe
packets to update ARP entries when a Layer 2 interface becomes Up and the aging time
of the ARP entries in the corresponding VLAN becomes 0.
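
The aging timer, probe count and probe mode described above interact, and a small model makes the stale window visible. The Python simulation below is an added example, not Huawei code: ArpCache, Segment and replaced_adapter are hypothetical names, the addresses and the values 1200 seconds and 3 probes are constructed, and all probes are sent at the moment of expiry for simplicity.

```python
OLD_MAC = "02:00:00:00:00:0b"   # constructed: HOSTB's original adapter
NEW_MAC = "02:00:00:00:00:1b"   # constructed: HOSTB's replacement adapter
HOSTB_IP = "10.16.1.3"          # constructed


class Segment:
    """Constructed LAN model: which MAC currently owns each IP address."""

    def __init__(self, owners):
        self.owners = dict(owners)

    def probe(self, ip, dst_mac):
        """Deliver an aging probe; dst_mac=None means broadcast. Return the replying MAC."""
        owner = self.owners.get(ip)
        if owner is not None and dst_mac in (None, owner):
            return owner
        return None  # a unicast probe went to a MAC that is no longer on the segment


class ArpCache:
    def __init__(self, aging_time, probes, unicast_only=False):
        self.aging_time = aging_time      # seconds before an entry is probed
        self.probes = probes              # probes sent before the entry is deleted
        self.unicast_only = unicast_only  # False: last probe is broadcast (the default)
        self.entries = {}                 # ip -> (mac, time learned)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else None

    def age(self, now, segment):
        """Probe expired entries; return a log of (ip, probe mode, replying MAC)."""
        log = []
        for ip, (mac, learned) in list(self.entries.items()):
            if now - learned < self.aging_time:
                continue
            for n in range(1, self.probes + 1):
                broadcast = n == self.probes and not self.unicast_only
                reply = segment.probe(ip, None if broadcast else mac)
                log.append((ip, "broadcast" if broadcast else "unicast", reply))
                if reply:
                    self.entries[ip] = (reply, now)  # entry is kept and refreshed
                    break
            else:
                del self.entries[ip]                 # no probe was answered
        return log


def replaced_adapter(unicast_only):
    """HOSTB's adapter is replaced right after HOSTA learned the old MAC."""
    lan = Segment({HOSTB_IP: OLD_MAC})
    cache = ArpCache(aging_time=1200, probes=3, unicast_only=unicast_only)
    cache.learn(HOSTB_IP, OLD_MAC, now=0)
    lan.owners[HOSTB_IP] = NEW_MAC
    # One second before expiry nothing is probed and the stale MAC is still used.
    before_expiry = (cache.age(1199, lan), cache.lookup(HOSTB_IP))
    log = cache.age(1200, lan)
    return before_expiry, log, cache.lookup(HOSTB_IP)


if __name__ == "__main__":
    for mode in (False, True):
        print("unicast_only =", mode, replaced_adapter(mode))
```

With the default mode the final broadcast probe reaches the new adapter and the entry is corrected; with unicast-only probing the entry is deleted and has to be learned again by a fresh ARP Request.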

Dynamic ARP
Dynamic ARP entries are generated and maintained dynamically by using ARP packets. They
can be aged out, updated, or overwritten by static ARP entries. When the aging time expires
or the interface is Down, the corresponding dynamic ARP entries are deleted.

Static ARP
Static ARP entries record fixed mapping between IP addresses and MAC addresses and are
configured manually by network administrators.

2.2.2 Proxy ARP


If an ARP Request packet is sent to a host on a different network, the device that connects the
two networks can reply to this packet. This function is called proxy ARP.
Proxy ARP has the following characteristics:
- Proxy ARP is implemented on the ARP subnet gateway without any modifications on
any hosts.
- Proxy ARP can shield topologies of physical networks so that hosts on different physical
networks can use the same network ID to communicate. Proxy ARP enables hosts that
are on the same network segment but on different physical networks to communicate.
- Proxy ARP affects only the ARP caches on hosts but does not affect the ARP cache or
routing table on the gateway.
- After proxy ARP is enabled, the aging time of ARP entries on hosts should be shortened
so that invalid ARP entries can be deleted as soon as possible. Then IP packet
forwarding failures decrease on the router.

Proxy ARP Type          Resolved Issue
Routed proxy ARP        Allows hosts on the same network segment but on different physical networks to communicate.
Intra-VLAN proxy ARP    Allows isolated hosts in a VLAN to communicate.
Inter-VLAN proxy ARP    Allows hosts in different VLANs or hosts in different sub-VLANs of the same VLAN to communicate at Layer 3.

Routed Proxy ARP


Routed proxy ARP enables network devices on the same network segment but on different
physical networks to communicate.

In practice, if a host connected to a router is not configured with a default gateway address
(that is, the host does not know how to reach the intermediate system of the network), the host
cannot transmit packets.

As shown in Figure 2-4, RouterA is connected to two networks through VLAN10 and
VLAN20. The IP addresses of VLANIF10 and VLANIF20 are on different network
segments. However, the masks make HOSTA and VLANIF10 on the same network segment,
HOSTB and VLANIF20 on the same network segment, and HOSTA and HOSTB on the same
network segment.

Figure 2-4 Application of routed proxy ARP

[Figure: HOSTA and HOSTB attach to RouterA through VLANIF10 and VLANIF20 respectively.
Addresses shown: 172.16.2.10/16, 172.16.1.20/16, 172.16.2.9/24, 172.16.1.9/24.]

The IP addresses of HOSTA and HOSTB are on the same network segment. When HOSTA
needs to communicate with HOSTB, HOSTA broadcasts an ARP Request packet, requesting
the MAC address of HOSTB. However, HOSTA and HOSTB are on different physical
networks (in different broadcast domains). Therefore, HOSTB cannot receive the ARP
Request packet sent from HOSTA and does not respond with an ARP Reply packet.

To solve this problem, enable proxy ARP on RouterA. After receiving an ARP Request
packet, RouterA enabled with proxy ARP searches the routing table for a route to
HOSTB. If a route to HOSTB exists, RouterA responds to the ARP Request
packet with its own MAC address. HOSTA forwards data based on the MAC address of
RouterA. RouterA functions as the proxy of HOSTB.
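
The two decisions in this scenario, HOSTA choosing to ARP for HOSTB directly and RouterA choosing to answer, can be modeled as follows. This Python sketch is an added example, not Huawei code; it assumes that in Figure 2-4 the hosts carry the /16 addresses and the VLANIF interfaces carry the /24 addresses, and the router MAC address is a constructed value.

```python
import ipaddress

ROUTER_MAC = "00e0-fc00-0001"  # constructed value, not taken from the guide


def host_arps_directly(host_if: str, dst_ip: str) -> bool:
    """True if the host treats dst_ip as on-link and broadcasts an ARP Request
    for it; False means the host would need a default gateway instead."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host_if).network


class ProxyArpRouter:
    """Minimal model of a router that may answer ARP Requests on behalf of hosts."""

    def __init__(self, interfaces: dict, proxy_enabled: set):
        # interfaces: name -> "address/prefix"; only connected routes are modeled
        self.ifs = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.proxy_enabled = set(proxy_enabled)

    def route_lookup(self, ip: str):
        """Longest-prefix match over connected networks; None if no route exists."""
        addr = ipaddress.ip_address(ip)
        hits = [(i.network.prefixlen, n) for n, i in self.ifs.items()
                if addr in i.network]
        return max(hits)[1] if hits else None

    def answer_arp_request(self, ingress: str, target_ip: str):
        """Return the MAC carried in the ARP Reply, or None if the router is silent."""
        if ipaddress.ip_address(target_ip) == self.ifs[ingress].ip:
            return ROUTER_MAC              # ordinary ARP for the interface itself
        if ingress not in self.proxy_enabled:
            return None                    # proxy ARP is disabled by default
        egress = self.route_lookup(target_ip)
        if egress is None:
            return None                    # no route to the target: stay silent
        if egress == ingress:
            # Assumption (RFC 1027 behaviour, not stated in this guide): the target
            # sits on the requester's own segment and can answer for itself.
            return None
        return ROUTER_MAC                  # router acts as the proxy of the target


if __name__ == "__main__":
    router = ProxyArpRouter(
        {"VLANIF10": "172.16.2.9/24", "VLANIF20": "172.16.1.9/24"},
        proxy_enabled={"VLANIF10", "VLANIF20"},
    )
    # HOSTA (172.16.2.10/16) believes HOSTB (172.16.1.20) is on-link.
    print(host_arps_directly("172.16.2.10/16", "172.16.1.20"))
    print(router.answer_arp_request("VLANIF10", "172.16.1.20"))
```

With proxy ARP enabled, HOSTA's ARP cache maps every remote address to RouterA's MAC address, so ARP monitoring that alerts on one MAC address claiming many IP addresses needs to account for the gateway.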

Intra-VLAN Proxy ARP


If two hosts belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an
interface associated with the VLAN to allow the hosts to communicate.
As shown in Figure 2-5, HOSTA and HOSTB are connected to RouterA. The two interfaces
connected to HOSTA and HOSTB belong to VLAN10.

Figure 2-5 Application of intra-VLAN proxy ARP

[Figure: HOSTA (172.16.2.20/24) and HOSTB (172.16.2.30/24) connect to RouterA in VLAN10.]

HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN
is configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.

Inter-VLAN Proxy ARP


If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces
associated with the VLANs to implement Layer 3 communication between the two hosts.
As shown in Figure 2-6, HOSTA and HOSTB are connected to RouterA. The interface
connected to HOSTA belongs to VLAN10, and the interface connected to HOSTB belongs to
VLAN20.

Figure 2-6 Application of inter-VLAN proxy ARP

[Figure: HOSTA (172.16.2.20/24) connects to RouterA in VLAN10; HOSTB (172.16.2.30/24)
connects to RouterA in VLAN20.]

The interfaces connected to HOSTA and HOSTB belong to different VLANs. Therefore,
HOSTA and HOSTB cannot communicate at Layer 2.
To solve this problem, enable inter-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.

2.2.3 Gratuitous ARP


Gratuitous ARP enables a host to send an ARP Request packet using its own IP address as the
destination address. Gratuitous ARP provides the following functions:

• Checks for duplicate IP addresses: Normally, a host does not receive an ARP Reply packet
  after sending an ARP Request packet with the destination address being its own IP
  address. If the host receives an ARP Reply packet, another host has the same IP address.
• Advertises a new MAC address: If the MAC address of a host changes because its
  network adapter is replaced, the host sends a gratuitous ARP packet to notify all hosts of
  the change before the ARP entry is aged out.
• Notifies an active/standby switchover in a VRRP backup group: After an active/standby
  switchover, the master router sends a gratuitous ARP packet in the VRRP backup group
  to announce the switchover.

When a device receives a gratuitous ARP packet, it checks whether the source IP address of
the packet is the same as the local IP address:

• If the IP addresses are the same, the device periodically broadcasts a gratuitous ARP
  Reply packet to announce the address conflict until the conflict is removed.
• If the IP addresses are different, the device updates the ARP entry according to the
  received gratuitous ARP packet only when it receives the packet on the VLANIF
  interface and has the dynamic ARP entry mapping the source IP address of the packet. In
  other cases, the device does not update the ARP entry.
NOTE
For the application of gratuitous ARP in the security feature, see Gratuitous ARP Packet Sending in the
Huawei AR Series IOT Gateway Configuration Guide - Security.
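
The receive-side rules above determine which gratuitous ARP packets can change the ARP table. The following Python model is an added example, not Huawei code: it parses a raw ARP payload and applies those rules. All addresses are constructed sample values, and the event log is an assumption about what an operator would want recorded.

```python
import ipaddress
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte ARP payload used for IPv4 over Ethernet."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sha": sha.hex("-", 2),                    # e.g. 00e0-fc00-0005
        "spa": str(ipaddress.IPv4Address(spa)),
        "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def sample_arp(oper: int, sha: str, spa: str, tpa: str) -> bytes:
    """Build a constructed sample payload (input for the model only)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sha.replace("-", "")),
        ipaddress.IPv4Address(spa).packed,
        bytes(6),
        ipaddress.IPv4Address(tpa).packed,
    )


class ArpDevice:
    """Models how a device treats a received gratuitous ARP packet."""

    def __init__(self, local_ip: str, table: dict):
        self.local_ip = local_ip
        self.table = table    # ip -> {"mac": str, "type": "dynamic" | "static"}
        self.events = []      # assumption: records worth sending to a log

    def receive(self, payload: bytes, on_vlanif: bool) -> str:
        pkt = parse_arp(payload)
        if pkt["spa"] != pkt["tpa"]:
            return "not-gratuitous"
        if pkt["spa"] == self.local_ip:
            # Same IP as the local one: the device announces the conflict.
            self.events.append(("ip-conflict", pkt["spa"], pkt["sha"]))
            return "conflict"
        entry = self.table.get(pkt["spa"])
        # Update only on a VLANIF interface and only an existing dynamic entry.
        if on_vlanif and entry is not None and entry["type"] == "dynamic":
            if entry["mac"] != pkt["sha"]:
                self.events.append(
                    ("mac-changed", pkt["spa"], entry["mac"], pkt["sha"]))
                entry["mac"] = pkt["sha"]
            return "updated"
        # Static entries, unknown IP addresses, and other interfaces: no change.
        return "ignored"


if __name__ == "__main__":
    dev = ArpDevice("10.1.1.1", {
        "10.1.1.5": {"mac": "00e0-fc00-0005", "type": "dynamic"},
        "10.1.1.9": {"mac": "00e0-fc00-0009", "type": "static"},
    })
    for ip in ("10.1.1.1", "10.1.1.5", "10.1.1.9", "10.1.1.77"):
        print(ip, dev.receive(sample_arp(1, "00e0-fc00-00aa", ip, ip), True))
    print(dev.events)
```

The "mac-changed" event is the one to watch: a legitimate adapter replacement and a forged gratuitous ARP packet look identical at this layer, which is why the guide recommends static entries for important devices.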

2.2.4 ARP-Ping
ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. ARP-Ping sends ARP Request packets
or ICMP Echo Request packets to check whether a specified IP address or MAC address is
used.

ARP-Ping IP
ARP-Ping IP checks whether an IP address is used by another device on the LAN by sending
ARP packets.

Before configuring an IP address for a device, configure ARP-Ping IP on the device to check
whether this IP address has been used by sending ARP Request packets.

You can also run the ping command to check whether this IP address is used by another
device on the network. However, if the router or host that uses the IP address is enabled with
the firewall function and the firewall is configured not to respond to ping packets, you may be
misled into thinking that this IP address is not used. To solve the problem, use ARP-Ping IP.
ARP is a Layer 2 protocol. Therefore, ARP packets can pass through the firewall that is
configured not to respond to ping packets.

ARP-Ping IP sends ARP Request packets. ARP-Ping IP is implemented as follows:


1. After an IP address is specified for a host using the arp-ping ip command, the host sends
   an ARP Request packet and starts a timer to wait for an ARP Reply packet.
2. After receiving the ARP Request packet, the router or host that uses this IP address in the
   LAN returns an ARP Reply packet.
3. The sender performs one of the following two operations based on whether it receives the
   ARP Reply packet:
   – If the sender receives an ARP Reply packet, the sender compares the source IP
     address carried in the ARP Reply packet with the IP address specified using the
     arp-ping ip command. If the two IP addresses are the same, the MAC address
     corresponding to the specified IP address is displayed and the timer is disabled.
   – If the sender does not receive an ARP Reply packet before the timer expires, the
     sender displays a message indicating that the IP address is not used by another
     router or host.

ARP-Ping MAC
The ARP-Ping MAC process is similar to the ping process. The difference is that ARP-Ping
MAC applies only to directly connected Ethernet LANs or Layer 2 VPN Ethernet networks.
ARP-Ping MAC sends ICMP Echo Request packets. ARP-Ping MAC is implemented as
follows:
1. After a MAC address is specified for a host using the arp-ping mac command, the host
   sends an ICMP Echo Request packet and starts a timer to wait for an ICMP Echo
   Reply packet.
2. After receiving the ICMP Echo Request packet, the router or host that uses this
   MAC address in the LAN returns an ICMP Echo Reply packet.
3. The sender performs one of the following two operations based on whether it receives the
   ICMP Echo Reply packet:
   – If the sender receives an ICMP Echo Reply packet, the sender compares the source
     MAC address carried in the ICMP Echo Reply packet with the MAC address
     specified using the arp-ping mac command. If the two MAC addresses are the
     same, the sender displays the source IP address of the ICMP Echo Reply packet and
     displays a message indicating that the MAC address is used by another router
     or host. The timer is disabled.
   – If the sender does not receive an ICMP Echo Reply packet before the timer expires,
     the sender displays a message indicating that the MAC address is not used by
     another router or host.

2.2.5 Multi-Interface ARP


Network Load Balance (NLB) is a Microsoft implementation of clustering and load balancing
on Windows servers. Servers in an NLB group support load balancing and redundancy. When
a server in the group fails, data can be quickly switched to other servers. To implement quick
data switching, devices on the network must be able to forward service traffic to each server
in the NLB group. Each server in the NLB group uses the same NLB algorithm to determine
whether to process the service traffic.
NLB servers can work in unicast, multicast, and IGMP multicast mode. Currently, the device
can only be connected to NLB servers working in unicast or multicast mode.

• When NLB servers work in unicast mode, the virtual MAC address starts with 02BF.
• When NLB servers work in multicast mode, the virtual MAC address starts with 03BF.

As shown in Figure 2-7, each server in the NLB group has its own IP address and MAC
address. In addition, the servers share a virtual IP address and a virtual MAC address. Router
functions as the access gateway and directly connects to the NLB group. Router needs to
forward packets destined for the virtual IP address to all servers in the NLB group.

After servers in the NLB group receive ARP Request packets for the virtual MAC address
from Router, all the servers return ARP Reply packets. In the ARP Reply packets, the
protocol source IP address is the virtual IP address and the protocol source MAC address is
the virtual MAC address.

• When NLB servers work in unicast mode, Router learns only one outbound interface
  (interface connecting Router to an NLB server) from the ARP entry matching the NLB
  group virtual IP address in the ARP table. Therefore, Router can forward packets
  destined for the virtual IP address to only one server in the NLB group.
• When NLB servers work in multicast mode, Router does not learn ARP entries after
  receiving ARP Reply packets from NLB servers because the protocol source MAC
  address is a multicast MAC address. If you configure a static ARP entry by binding the
  virtual IP address to the virtual MAC address, only one outbound interface is specified.
  Therefore, Router can forward packets destined for the virtual IP address to only one
  server in the NLB group.

To resolve the preceding problems, you can deploy multi-interface ARP to allow Router to
forward packets destined for the virtual IP address to all servers in the NLB group.

Figure 2-7 Typical networking diagram for multi-interface ARP

[Figure: a Client reaches Router across an IP network. Router connects through IF1, IF2, and
IF3 to the NLB server group:
  Server_1  192.168.1.1  0025-9e01-0201
  Server_2  192.168.1.2  0025-9e01-0202
  Server_3  192.168.1.3  0025-9e01-0203
Virtual IP address: 10.128.246.252/24
Virtual MAC address: 03bf-0a80-f6fc]

In multi-interface ARP, a static ARP entry is configured by binding the virtual IP address to
the virtual MAC address, and MAC address entries are configured by binding the virtual
MAC address to multiple outbound interfaces. When Router forwards packets destined for the
virtual IP address, Router first searches for the ARP entry matching the virtual IP address to
determine the virtual MAC address and the VLAN to which the NLB servers belong. Router
then searches the MAC address table for multiple outbound interfaces based on the virtual
MAC address and VLAN. Router forwards packets to each connected NLB server through the
outbound interfaces.
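
The difference between ordinary ARP learning and the two-stage multi-interface lookup can be shown with a small model. This Python sketch is an added example, not Huawei code; it uses the virtual addresses from Figure 2-7, while the VLAN ID and the unicast-mode MAC address are constructed values.

```python
def is_multicast_mac(mac: str) -> bool:
    """The least-significant bit of the first octet marks a multicast address."""
    return bool(int(mac.replace("-", "")[:2], 16) & 1)


def nlb_mode(mac: str):
    """Classify an NLB virtual MAC address by the prefixes given in this section."""
    prefix = mac.replace("-", "").lower()[:4]
    return {"02bf": "unicast", "03bf": "multicast"}.get(prefix)


class GatewayModel:
    """ARP table plus MAC address table, as used for forwarding to an NLB group."""

    def __init__(self):
        self.arp = {}         # ip -> (mac, vlan)
        self.mac_table = {}   # (mac, vlan) -> set of outbound interfaces

    def learn_arp_reply(self, spa: str, sha: str, vlan: int, iface: str) -> bool:
        """Dynamic learning from an ARP Reply received on iface."""
        if is_multicast_mac(sha):
            # Default configuration: entries with multicast MACs are not learned.
            return False
        self.arp[spa] = (sha, vlan)
        # A learned entry points at a single outbound interface (latest reply wins
        # in this model).
        self.mac_table[(sha, vlan)] = {iface}
        return True

    def configure_multi_interface_arp(self, vip, vmac, vlan, ifaces):
        """Static ARP entry for the virtual IP plus a multi-port MAC entry."""
        self.arp[vip] = (vmac, vlan)
        self.mac_table[(vmac, vlan)] = set(ifaces)

    def outbound_interfaces(self, dst_ip: str) -> list:
        """Stage 1: ARP lookup gives MAC and VLAN. Stage 2: MAC table gives ports."""
        if dst_ip not in self.arp:
            return []
        return sorted(self.mac_table.get(self.arp[dst_ip], set()))


VIP = "10.128.246.252"           # from Figure 2-7
VMAC_MULTICAST = "03bf-0a80-f6fc"  # from Figure 2-7
VMAC_UNICAST = "02bf-0a80-f6fc"    # constructed unicast-mode counterpart
VLAN = 10                        # constructed; the figure does not give a VLAN ID


def replies_from_all_servers(gw: GatewayModel, vmac: str) -> list:
    """Feed the model one ARP Reply per server interface and return the results."""
    return [gw.learn_arp_reply(VIP, vmac, VLAN, i) for i in ("IF1", "IF2", "IF3")]


if __name__ == "__main__":
    gw = GatewayModel()
    print(replies_from_all_servers(gw, VMAC_MULTICAST), gw.outbound_interfaces(VIP))
    gw.configure_multi_interface_arp(VIP, VMAC_MULTICAST, VLAN, ["IF1", "IF2", "IF3"])
    print(gw.outbound_interfaces(VIP))
```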

2.3 Configuration Task Summary


ARP can be dynamic or static. ARP also provides extended functions, such as
proxy ARP and ARP-Ping.
Table 2-1 describes the ARP configuration tasks.

Table 2-1 ARP configuration task summary


Scenario: Configuring Static ARP
Description: Static ARP entries improve communication security. However, a large number of
ARP entries increase configuration and maintenance costs. Static ARP entries can be
configured on important network devices such as servers to specify member devices that
they can communicate with. In this way, mappings between IP addresses and MAC addresses
of these member devices cannot be modified by forged ARP packets and illegal ARP replies
can be prevented. This protects servers against network attacks.
Task: 2.6.1 Configuring Static ARP

Scenario: Optimizing Dynamic ARP
Description: Dynamic ARP entries are generated and maintained automatically using the ARP
protocol.
• They can be aged, updated, or overridden by static ARP entries.
• By default, ARP entries are dynamically learned and maintained.
Task: 2.6.2 Optimizing Dynamic ARP

Scenario: Configuring Proxy ARP
Description: Proxy ARP is classified into the following three types:
• Routed Proxy ARP: Routed Proxy ARP enables network devices on the same network
  segment but on different physical networks to communicate.
• Intra-VLAN Proxy ARP: Intra-VLAN Proxy ARP enables isolated network devices in a
  VLAN to communicate.
• Inter-VLAN Proxy ARP: Inter-VLAN Proxy ARP enables network devices in different
  VLANs or network devices in different sub-VLANs but on the same network segment to
  communicate.
Task: 2.6.3 Configuring Proxy ARP

Scenario: Configuring ARP-Ping
Description:
• The ARP-Ping IP function checks whether an IP address is used by another device on
  the network.
• The ARP-Ping MAC function checks whether a MAC address is used or queries the IP
  address mapping the MAC address.
Task: 2.6.4 Configuring ARP-Ping

2.4 Licensing Requirements and Limitations for ARP

Involved Network Elements


None

Licensing Requirements
ARP functions are basic functions of routers and can be obtained without licenses.

Feature Limitations
None

2.5 Default Configuration


This section describes default ARP configurations.

Table 2-2 describes the default configuration of ARP.

Table 2-2 Default ARP configuration

Parameter | Default Configuration
Aging time of dynamic ARP entries | 1200 seconds
Maximum number of probes for aging dynamic ARP entries | 3 times
Aging detection mode of dynamic ARP entries | An interface sends the last ARP Aging probe packet in broadcast mode, and the rest ARP Aging probe packets are sent in unicast mode.
Layer 2 topology detection | Layer 2 topology detection is disabled.
ARP proxy | ARP proxy is disabled.
Dynamic Learning of ARP Entries with Multicast MAC Addresses | Dynamic Learning of ARP Entries with Multicast MAC Addresses is disabled.

2.6 Configuring ARP


This section describes the procedures for configuring ARP.

2.6.1 Configuring Static ARP


Static ARP entries improve communication security.

Context
Static ARP entries are manually configured and maintained. They cannot be aged out or
overridden by dynamic ARP entries. Therefore, static ARP entries improve communication
security. A static ARP entry ensures that the local device communicates with a specified
device using a specified MAC address, so attackers cannot modify the mapping between
the IP address and the MAC address in the entry.

NOTE

Static ARP entries cannot be modified. However, the configuration workload is heavy. Static ARP
entries are not suitable for a network where IP addresses of hosts may change or for a small-sized network.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
or
arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number

A static ARP entry is configured.

• For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static
  ip-address mac-address command to configure static ARP entries.
• For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static
  ip-address mac-address vid vlan-id interface interface-type interface-number command to
  configure static ARP entries.
• For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid
  vlan-id cevid ce-vid interface interface-type interface-number command to configure
  static ARP mapping entries with double tags. vid specified in this command must be the
  same as pe-vid in the qinq termination pe-vid ce-vid command, and ce-vid must be
  within the value range of ce-vid in the qinq termination pe-vid ce-vid command.
• For interfaces bound to a VPN instance:
  – For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static
    ip-address mac-address vpn-instance vpn-instance-name command to configure
    static ARP entries.
  – For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static
    ip-address mac-address vid vlan-id interface interface-type interface-number
    command to configure static ARP entries.
  – For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid
    vlan-id cevid ce-vid interface interface-type interface-number command to
    configure static ARP mapping entries with double tags. vid specified in this
    command must be the same as pe-vid in the qinq termination pe-vid ce-vid
    command, and ce-vid must be within the value range of ce-vid in the qinq
    termination pe-vid ce-vid command.

----End

Checking the Configuration


After the static ARP entries are configured, run the following commands to check
the configuration.

• Run the display arp [ all | brief ] command to check all ARP mapping entries.
• Run the display arp network net-number net-mask [ dynamic | static ] command to
  check ARP mapping entries of a specified network segment.
• Run the display arp static command to check static ARP mapping entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
  cevlan-id ] ] command to check ARP mapping entries of a specified interface.
• Run the display arp vpn-instance vpn-instance-name static command to check static
  ARP mapping entries of a specified VPN instance.

2.6.2 Optimizing Dynamic ARP


By default, hosts and industrial switch routers dynamically learn ARP entries. You can adjust
parameters of dynamic ARP entries based on network requirements.

Pre-configuration Tasks
Before optimizing dynamic ARP, complete the following tasks:

• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status of the interfaces is Up

2.6.2.1 Adjusting Aging Parameters of Dynamic ARP Entries

Context
Aging parameters of ARP entries include the aging time, the number of probes, detection
intervals, and detection modes. Proper adjustment of aging parameters improves network
reliability.

You can adjust the following parameters of dynamic ARP entries:

• Aging time of dynamic ARP entries: After the aging time of a dynamic ARP entry is
  reached, the device sends an ARP Request packet to the corresponding outbound
  interface and starts ARP aging detection. If the aging time is set too short
  (for example, 1 minute), the system consumes most resources on updating dynamic ARP
  entries and cannot process other services. If the aging time is too long (for example, 15
  hours), the device may not update dynamic ARP entries in a timely manner. The default
  aging time (20 minutes) is recommended.
• Number of probes to dynamic ARP entries: Before aging a dynamic ARP entry, the
  system first performs probes. If no answer is received after the number of probes reaches
  the upper limit, the ARP entry is deleted.
• Aging detection modes of dynamic ARP entries: Before an ARP entry is aged, an
  interface sends an ARP aging probe packet.
  NOTE

  • If the IP address of the peer device remains the same but the MAC address changes frequently,
    it is recommended that you configure ARP aging probe packets to be broadcast.
  • If the MAC address of the peer device remains the same, and the network bandwidth is
    insufficient, it is recommended that you configure ARP aging probe packets to be unicast.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
arp expire-time expire-time

The aging time of dynamic ARP entries is set.

By default, the aging time of dynamic ARP entries is 1200 seconds, that is, 20 minutes.

Step 4 Run:
arp detect-times detect-times

The number of probes to dynamic ARP entries is set.

By default, the number of ARP probes is 3.

Step 5 Run:
arp detect-mode unicast

An interface is configured to send ARP aging probe packets in unicast mode.

By default, an interface sends the last ARP Aging Detection packet in broadcast mode, and
the remaining ARP Aging Detection packets are sent in unicast mode.

----End

2.6.2.2 Enabling Layer 2 Topology Detection

Context
Layer 2 topology detection enables the system to update all the ARP entries in the VLAN that
a Layer 2 interface belongs to when the Layer 2 interface status changes from Down to Up.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
l2-topology detect enable

Layer 2 topology detection is enabled.

By default, Layer 2 topology detection is disabled.

----End

2.6.2.3 Configuring Unicast ARP Probe

Background Information
To improve network security, some devices do not support broadcast packets.
• Before an ARP entry ages out, the local device broadcasts an ARP request packet in an
  attempt to update the ARP entry based on the reply from a peer device. If the peer device
  does not support broadcast packets, it does not respond to the broadcast ARP request
  packet, so the local device considers the peer device offline and deletes the ARP entry.
  As a result, services will be interrupted between the two devices.
• If the local device is new, it will broadcast an ARP request packet to learn the MAC
  addresses of other devices. If a peer device does not support broadcast packets, it will
  discard the ARP request packet, so the local device will not learn the peer device's MAC
  address. As a result, new services will not be started between the two devices.
To resolve these problems, enable the unicast ARP probe function. This function enables a
local interface to send a unicast ARP request packet that carries the specified IP and MAC
addresses. The unicast ARP probe function improves network security, without compromising
service stability. The ARP entries learned or updated by the local device will be deleted after
their aging time expires and can be updated again after the local device receives ARP request
packets from the peer device.

Procedure
• Run:
arp send-packet ip-address mac-address interface interface-type interface-number [ vid vid [ cevid cevid ] ]

The unicast ARP probe function is configured.

----End

2.6.2.4 Checking the Configuration

Procedure
• Run the display arp [ all | brief ] command to check all ARP mapping entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
  cevlan-id ] ] command to check ARP mapping entries of a specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to
  check ARP mapping entries of a specified network segment.
• Run the display arp dynamic command to check dynamic ARP mapping entries.
• Run the display arp vpn-instance vpn-instance-name static command to check static
  ARP mapping entries of a specified VPN instance.

2.6.3 Configuring Proxy ARP


The industrial switch router can function as a proxy of the destination host and reply to an
ARP Request packet on its behalf.

Pre-configuration Tasks
Before configuring proxy ARP, complete the following task:
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status of the interfaces is Up

2.6.3.1 Configuring Routed Proxy ARP

Context
Proxy ARP enables PCs or industrial switch routers on the same network segment but on
different physical networks to communicate. In actual applications, if a host connected to
the industrial switch router is not configured with a default gateway address (that is, the host
does not know how to reach the intermediate system of the network), the host cannot forward
data packets. Routed proxy ARP solves this problem.
Figure 2-8 shows the routed proxy ARP networking. RouterA uses GE1/0/0 and GE2/0/0 to
connect two networks. IP addresses of the two GE interfaces are on different network
segments. However, the masks make Host A and VLANIF10 on the same network segment,
Host B and VLANIF20 on the same network segment, and Host A and Host B on the same
network segment.

Figure 2-8 Networking diagram for configuring routed proxy ARP


[Figure: HOSTA and HOSTB attach to RouterA through GE1/0/0 and GE2/0/0 respectively.
Addresses shown: 172.16.2.10/16, 172.16.1.20/16, 172.16.2.9/24, 172.16.1.9/24.]

HOSTA sends an ARP Request packet, requesting the MAC address of HOSTB. After
receiving the packet, RouterA uses its MAC address to reply to the Request packet. HOSTA
then forwards data using the MAC address of RouterA.

IP addresses of the hosts on a subnet have the same network ID. Therefore, the default
gateway address does not need to be configured on the hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

The interfaces connect routing devices to the physical networks and are enabled with routed
proxy ARP.

Step 3 Run:
ip address ip-address { mask | mask-length }

IP addresses are configured for interfaces.

The IP address configured for the interface enabled with routed proxy ARP must be on the
same network segment as the IP address of the connected host or server on a LAN.

Step 4 Run:
arp-proxy enable

Routed proxy ARP is enabled on the interface.

By default, routed proxy ARP is disabled on an interface.

After proxy ARP is enabled, the aging time of ARP entries on hosts should be shortened so
that invalid ARP entries can be deleted as soon as possible. This reduces the number of
packets that the device receives but cannot forward. To set the ARP aging time, run the arp
expire-time expire-time command.

----End

Checking the Configuration


After routed proxy ARP is configured, run the following commands to check the
configuration.

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
  cevlan-id ] ] command to check ARP mapping entries of a specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check ARP mapping entries of a specified VPN instance.

2.6.3.2 Configuring Intra-VLAN Proxy ARP

Context
If two hosts belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an
interface associated with the VLAN to allow the hosts to communicate.
As shown in Figure 2-9, HOSTA and HOSTB connect to RouterA. The two interfaces that
connect HOSTA and HOSTB to RouterA belong to VLAN10.

Figure 2-9 Intra-VLAN proxy ARP application

[Figure: HOSTA (172.16.2.20/24) and HOSTB (172.16.2.30/24) connect to RouterA in VLAN10.]

HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN
is configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After an
interface of RouterA receives an ARP Request packet whose destination address is not its
own address, RouterA does not discard the packet but searches for the ARP entry. If the ARP
entry matching HOSTB exists, RouterA sends its MAC address to HOSTA and forwards
packets sent from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable

Intra-VLAN proxy ARP is enabled.


By default, intra-VLAN proxy ARP is disabled.

----End

Checking the Configuration


After intra-VLAN proxy ARP is configured, run the following commands to check
the configuration.

• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
  cevlan-id ] ] command to check ARP mapping entries of a specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check ARP mapping entries of a specified VPN instance.

2.6.3.3 Configuring Inter-VLAN Proxy ARP

Context
If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces
associated with the VLANs to implement Layer 3 communication between the two hosts.

As shown in Figure 2-10, HOSTA and HOSTB connect to RouterA. Interfaces that connect
HOSTA and HOSTB to RouterA belong to VLAN10 and VLAN20 respectively.

Figure 2-10 Inter-VLAN proxy ARP application

[Figure: HOSTA (172.16.2.20/24) connects to RouterA in VLAN10; HOSTB (172.16.2.30/24)
connects to RouterA in VLAN20.]

Interfaces connecting HOSTA and HOSTB to RouterA belong to different VLANs.
Therefore, HOSTA and HOSTB cannot communicate at Layer 2.

To solve this problem, inter-VLAN proxy ARP needs to be enabled on interfaces of RouterA.
After an interface of RouterA receives an ARP Request packet whose destination address is
not its own address, RouterA does not discard the packet but searches for the ARP entry. If
the ARP entry matching HOSTB exists, RouterA sends its MAC address to HOSTA and
forwards packets sent from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.

Inter-VLAN proxy ARP implements the following functions:

• Allows users in different VLANs to communicate at Layer 3.
• Allows users in different sub-VLANs to communicate. You need to enable inter-VLAN
  proxy ARP on the VLANIF interface of the super-VLAN.

Procedure
Step 1 Run:
system-view

Enter the system view.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable

Inter-VLAN proxy ARP is enabled.

By default, inter-VLAN proxy ARP or proxy ARP on termination sub-interfaces is disabled.

----End

Checking the Configuration


After inter-VLAN proxy ARP is configured, run the following commands to check
the configuration.

- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command to check ARP mapping entries of a specified interface.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP mapping entries of a specified VPN instance.

2.6.4 Configuring ARP-Ping


ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. ARP-Ping sends ARP Request packets
or ICMP Echo Request packets to check whether a specified IP address or MAC address is
used.

Pre-configuration Tasks
Before configuring ARP-Ping, complete the following task:

- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
the link layer protocol status of the interfaces is Up.

2.6.4.1 Configuring ARP-Ping IP

Context
Before configuring an IP address for a device on a LAN, run the arp-ping ip command to
check whether the IP address is used by other network devices.

The ping command can also check whether an IP address is in use. However, if the
destination host, or an industrial switch router with the firewall function enabled, is
configured not to reply to ping packets, the ping receives no response and the IP address is
wrongly considered unused. ARP is a Layer 2 protocol, and in most cases ARP packets can
pass through a firewall that is configured not to reply to ping packets, so ARP-Ping avoids
this problem.

Procedure
- Run:
arp-ping ip ip-address [ timeout timeout-value ] [ interface interface-type
interface-number [ vlan-id vlan-id ] ]

Check whether the IP address is used.

– If the following information is displayed, the IP address is not used.


<Huawei> arp-ping ip 10.1.1.2


ARP-Pinging 10.1.1.2:
Request timed out
Request timed out
Request timed out
The IP address is not used by anyone!

– If the following information is displayed, the IP address is used.


<Huawei> arp-ping ip 10.1.1.1
ARP-Pinging 10.1.1.1:
10.1.1.1 is used by 00e0-517d-f202

----End

2.6.4.2 Configuring ARP-Ping MAC

Context
When you know a specific MAC address but not the corresponding IP address on a network
segment, run the arp-ping mac command to send ICMP packets and obtain the IP address that
maps to the MAC address.

Procedure
- Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }

Check whether the MAC address is used. If the MAC address is in use, query the IP
address mapping the MAC address.
– If the following information is displayed, the MAC address is not used.
<Huawei> arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press
CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used

– If the following information is displayed, it means that the MAC address is used.
<Huawei> arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press
CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS MAC ADDRESS
10.1.1.1 00-E0-51-7D-F2-02

----End

2.6.5 Enabling a Device to Learn Multicast MAC Addresses and Generate ARP Entries
When a device is enabled to learn multicast MAC addresses, the device can generate ARP
entries after receiving ARP packets carrying multicast MAC addresses as source MAC
addresses.


Background Information
IP addresses may be mapped to multicast MAC addresses in some service scenarios. As
shown in Figure 2-11, the device is connected to the network load balance (NLB) group
through a Layer 2 LAN switch (LSW). The NLB group works in multicast mode; that is, the
MAC address of the NLB group is a multicast MAC address. In this case, a network
administrator can enable the device to dynamically learn multicast MAC addresses and
generate ARP entries. This reduces the network administrator's workload of configuring static
ARP entries and reduces network operation and maintenance costs.

Figure 2-11 Device connected to the NLB group through a Layer 2 LSW
[Figure: Client, IP Network, Router (Eth2/0/0), LSW, and the NLB server group (Server_1, Server_2, Server_3).]

Procedure
- Globally enable a device to learn multicast MAC addresses.
a. Run:
system-view

The system view is displayed.


b. Run:
arp learning multicast enable

The device is globally enabled to learn multicast MAC addresses and generate
dynamic ARP entries.

By default, a device is globally disabled from learning multicast MAC addresses.


NOTE

If a device is globally enabled to learn multicast MAC addresses, the interfaces of this
device are enabled to learn multicast MAC addresses.

----End

2.6.6 Configuring Multi-Interface ARP


After you configure multi-interface ARP, a device forwards packets destined for an NLB
group to all servers in the group through interfaces connected to the servers.

Pre-configuration Tasks
Before configuring multi-interface ARP, complete the following task:
- Creating VLANs and adding interfaces to these VLANs

NOTE

The VLAN cannot be a super-VLAN, sub-VLAN, or control VLAN of an SEP segment.

Context
All servers in an NLB group share a virtual IP address and a virtual MAC address. When the
NLB group works in unicast mode, the virtual MAC address is a unicast MAC address. When
the NLB group works in multicast mode, the virtual MAC address is a multicast MAC
address. In both modes, when a device directly connects to the NLB group and functions as
the access gateway, the device needs to forward packets destined for the virtual IP address to
all servers in the NLB group, and each server determines how to process the packets. You can
configure multi-interface ARP on the device to allow it to forward packets destined for the
virtual IP address to all servers in the NLB group.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Use the following methods to configure a multi-interface MAC address entry.

Configure a multi-interface MAC address entry in the system view for the first time. When a
multi-interface MAC address entry has been created and you need to add or delete an
interface, add or delete the interface in its interface view.

- Configure a multi-interface MAC address entry in the system view.


Run:
mac-address multiport mac-address interface { interface-type interface-
number1 [ to interface-type interface-number2 ] } &<1-5> vlan vlan-id

A multi-interface MAC address entry is configured.


By default, no multi-interface MAC address entry is configured on a device.
When configuring a multi-interface MAC address entry, ensure that the specified MAC
address and VLAN ID are simultaneously different from those in a static MAC address
entry or a blackhole MAC address entry.


The value of interface-number2 must be greater than that of interface-number1, and the
two values determine an interface range.
- Configure a multi-interface MAC address entry in the interface view.
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
mac-address multiport mac-address vlan vlan-id

A multi-interface MAC address entry is configured.


By default, no multi-interface MAC address entry is configured.
When configuring a multi-interface MAC address entry, ensure that the specified
MAC address and VLAN ID are simultaneously different from those in a static
MAC address entry or a blackhole MAC address entry.
c. Run:
quit

Return to the system view.


Repeat the preceding steps on each interface so that the MAC address matches
multiple outbound interfaces in the MAC address table.
Step 3 Run:
arp static ip-address mac-address [ vpn-instance vpn-instance-name ]

A short static ARP entry is configured.


By default, the ARP mapping table is empty and address mappings are obtained using
dynamic ARP.
You must set mac-address to the same value as the MAC address in the multi-interface MAC
address entry.

----End

Checking the Configuration


After the configurations are complete, run the following commands in any view to check the
multi-interface ARP configurations.
- Run the display mac-address multiport [ [ mac-address ] vlan vlan-id ] [ total-number ]
command to check the multi-interface MAC address table.
- Run the display arp static command to check the static ARP mapping table.

2.6.7 Configuring the Scheduled ARP Refresh Function


When fast forwarding is enabled on interfaces of the device, you can disable the scheduled
ARP refresh function to prevent traffic jitter.

Background
By default, the scheduled ARP refresh function is enabled on the device. That is, the device
updates ARP entries and clears the fast forwarding table every ten hours. When fast
forwarding is enabled (using the ip fast-forwarding enable command) on interfaces of the
device, you can disable the scheduled ARP refresh function to prevent traffic jitter occurring
when the fast forwarding table is cleared.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo arp regularly-refresh enable

The scheduled ARP refresh function is disabled.

By default, the scheduled ARP refresh function is enabled.

----End

2.7 Maintaining ARP


Maintaining ARP includes clearing ARP entries and monitoring ARP running status.

2.7.1 Clearing ARP Entries

Context

ARP entries cannot be restored after being cleared. When you delete static ARP entries, the
arp static command is also deleted. Exercise caution when you delete ARP entries.

Procedure
- Run the reset arp { all | dynamic | interface interface-type interface-number | packet
statistics | static } command to clear ARP entries in the ARP mapping table.
- Run the reset arp packet statistics command in user view to clear ARP packet statistics.

----End

2.7.2 Monitoring the ARP Running Status

Context
Monitoring the ARP running status includes checking ARP mapping entries, strict ARP entry
learning, ARP packet statistics, ARP packet processing rate, and maximum number of ARP
entries learnt by an interface.


Procedure
- Run the display arp [ all | brief ] command in any view to check all ARP mapping
entries.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid
cevlan-id ] ] command in any view to check ARP mapping entries of a specified
interface.
- Run the display arp network net-number net-mask [ dynamic | static ] command in any
view to check ARP mapping entries of a specified network segment.
- Run the display arp vpn-instance vpn-instance-name static command in any view to
check static ARP mapping entries of a specified VPN instance.
- Run the display arp statistics { all | interface interface-type interface-number }
command in any view to check ARP entry statistics.
- Run the display arp packet statistics command in any view to check ARP packet
statistics.
----End

2.8 Configuration Examples


This section provides configuration examples including networking requirements and
configuration roadmap.

2.8.1 Example for Configuring Static ARP


Networking Requirements
As shown in Figure 2-12, a router connects departments of a company and each department
joins different VLANs. Hosts in the headquarters office and the file backup server are
allocated manually configured IP addresses, and hosts in departments dynamically obtain IP
addresses by using DHCP. Hosts in the marketing department can access the Internet and are
often attacked by ARP packets. Attackers attack the router and modify dynamic ARP entries
on the router. As a result, communication between hosts in the headquarters office and
external devices is interrupted and hosts in departments fail to access the file backup server.
The company requires that static ARP entries be configured on the router so that hosts in the
headquarters office can communicate with external devices and hosts in departments can
access the file backup server.


Figure 2-12 Networking diagram for configuring static ARP
[Figure: The Router connects the file backup server (10.164.10.1/24, 0df0-fc01-003a) through GE3/0/0 (10.164.10.10/24) and PC A (10.164.1.1/24, 00e0-fc01-0001) in the President's office (10.164.1.0/24, VLAN10) through Ethernet2/0/0 (VLANIF10, 10.164.1.20/24). The Marketing department is 10.164.2.0/24 (VLAN20) and the R&D department is 10.164.3.0/24 (VLAN30).]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure static ARP entries for hosts in the headquarters office on the router to prevent
ARP entries of the hosts in the headquarters office from being modified by ARP attack
packets.
2. Configure a static ARP entry for the file backup server on the router to prevent the ARP
entry of the file backup server from being modified by ARP attack packets.

Procedure
Step 1 Configure static ARP entries for the host in the headquarters office on the router.

# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet2/0/0 to VLAN 10.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid tagged vlan 10
[Router-Ethernet2/0/0] quit

# Configure an IP address for VLANIF 10.


[Router] interface vlanif 10


[Router-Vlanif10] ip address 10.164.1.20 255.255.255.0
[Router-Vlanif10] quit

# Configure static ARP entries for the host in the headquarters office. PC A is used as an
example. The IP address of PC A is 10.164.1.1 and maps the MAC address 00e0-fc01-0001,
the VLAN ID is 10 and the outbound interface is Ethernet2/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0

# Configure static ARP entries for other hosts in the headquarters office. The configuration
method is similar to that of PC A.

Step 2 Configure a static ARP entry for the file backup server on the router.

# Configure an IP address for GE3/0/0.


[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] undo portswitch
[Router-GigabitEthernet3/0/0] ip address 10.164.10.10 255.255.255.0
[Router-GigabitEthernet3/0/0] quit

# Configure a static ARP entry for the file backup server. The IP address 10.164.10.1/24 maps
the MAC address 0df0-fc01-003a.
[Router] arp static 10.164.10.1 0df0-fc01-003a
[Router] quit

Step 3 Verify the configuration.

# Run the display current-configuration command to view static ARP entries.


<Router> display current-configuration | include arp
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a

----End

Configuration Files
Router configuration file

#
sysname Router
#
vlan batch 10 20 30
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
#
interface Vlanif10
ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet3/0/0
undo portswitch
ip address 10.164.10.10 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
#
return
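
The following added example (not part of the Huawei guide) audits a router against the static bindings configured above: it reads the arp static lines and a display arp capture, and reports protected addresses that are missing, still learned dynamically, or mapped to a different MAC address. The command output is constructed in the layout used in this chapter; the function names and finding labels are assumptions of the example.

```python
"""Audit a Huawei AR ARP table against the intended static ARP bindings."""
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
STATIC_RE = re.compile(rf"^\s*arp static ({IP}) ({MAC})\b", re.I)
# One ARP row: IP, MAC, optional EXPIRE(M), TYPE ("I -", "D-0", ...), INTERFACE.
ENTRY_RE = re.compile(
    rf"^\s*({IP})\s+({MAC})\s+(?:\d+\s+)?(I\s-|[A-Z]-\S+)\s+(\S+)", re.I)
# The VLAN/CEVLAN value wraps onto its own line, for example "10/-".
VLAN_RE = re.compile(r"^\s*(\d+)/(?:\d+|-)\s*$")

# Intended bindings, as printed by "display current-configuration | include arp".
CONFIG = """\
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
"""

# Constructed "display arp" capture from a router where the bindings are not yet
# in force: PC A is learned dynamically and the server address has a foreign MAC.
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.20     00e0-fc01-00aa            I -         Vlanif10
10.164.1.1      00e0-fc01-0001  18        D-0         Ethernet2/0/0
                                          10/-
10.164.10.1     00e0-fc99-0666  3         D-0         GE3/0/0
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1
"""


def parse_static_bindings(config_text):
    """Return {ip: mac} for every 'arp static' line in the configuration."""
    bindings = {}
    for line in config_text.splitlines():
        match = STATIC_RE.match(line)
        if match:
            bindings[match.group(1)] = match.group(2).lower()
    return bindings


def parse_arp_table(table_text):
    """Parse 'display arp' output, attaching wrapped VLAN lines to their row."""
    entries = []
    for line in table_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            ip, mac, kind, ifname = match.groups()
            entries.append({"ip": ip, "mac": mac.lower(),
                            "type": kind[0].upper(),  # I, D, ...
                            "interface": ifname, "vlan": None})
            continue
        wrapped = VLAN_RE.match(line)
        if wrapped and entries:
            entries[-1]["vlan"] = int(wrapped.group(1))
    return entries


def audit(config_text, table_text):
    """Compare each intended binding with what the ARP table actually holds."""
    observed = {e["ip"]: e for e in parse_arp_table(table_text)}
    findings = []
    for ip, wanted_mac in parse_static_bindings(config_text).items():
        entry = observed.get(ip)
        if entry is None:
            findings.append(("NO_ENTRY", ip, None))
        elif entry["mac"] != wanted_mac:
            # The address resolves to a MAC other than the intended one.
            findings.append(("MAC_MISMATCH", ip, entry["mac"]))
        elif entry["type"] == "D":
            # Right MAC, but a dynamic entry can still be overwritten.
            findings.append(("NOT_STATIC", ip, entry["mac"]))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(CONFIG, ARP_TABLE):
        print(f"{kind:13} {ip:15} {mac or '-'}")
```

A MAC_MISMATCH on a protected address is the condition the static entries in this example are meant to rule out; NOT_STATIC means the binding has not been applied on that router.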


2.8.2 Example for Configuring Routed Proxy ARP


Networking Requirements
As shown in Figure 2-13, branch A and branch B of a company are located in different cities.
Multiple routing devices are deployed between branches, and routes are reachable. IP
addresses of the routing devices are on the same network segment 10.16.0.0/16. Branch A and
branch B belong to different broadcast domains; therefore, they cannot communicate on a
LAN. Hosts of branches are not configured with default gateways; therefore, they cannot
communicate across network segments. The company requires that branch A and branch B
communicate without changing the host configurations.

NOTE
AR500&AR510&AR530 functions as RouterA or RouterB.

Figure 2-13 Networking diagram for configuring routed proxy ARP
[Figure: Host A (10.16.1.2/16, 0000-5e33-ee20) in branch A (VLAN10) connects to Ethernet2/0/0 of RouterA. Host B (10.16.2.2/16, 0000-5e33-ee10) in branch B (VLAN20) connects to Ethernet2/0/0 of RouterB. RouterA and RouterB are connected across the Internet through RouterC and RouterD.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting RouterA and branch A to VLAN10 and add the interface
connecting RouterB and branch B to VLAN20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to
implement communication between the two branches.

Procedure
Step 1 Configure RouterA.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit

# Add Ethernet2/0/0 to VLAN10.


[RouterA] interface ethernet 2/0/0


[RouterA-Ethernet2/0/0] port link-type access
[RouterA-Ethernet2/0/0] port default vlan 10
[RouterA-Ethernet2/0/0] quit

# Configure an IP address for VLANIF10.


[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 10.16.1.1 255.255.255.0

# Enable routed proxy ARP on VLANIF10.


[RouterA-Vlanif10] arp-proxy enable
[RouterA-Vlanif10] quit

Step 2 Configure RouterB.


The configuration of RouterB is similar to that of RouterA.
Step 3 Verify the configuration.
# Select HostA at 10.16.1.2/16 in branch A and select HostB at 10.16.2.2/16 in branch B. Run
the ping command on HostA to ping the IP address of HostB.
C:\Documents and Settings\Administrator> ping 10.16.2.2
PING 10.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.16.2.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.16.2.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.16.2.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.16.2.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 10.16.2.2: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 10.16.2.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

# View the ARP mapping table of HostA. You can see that the MAC address of HostB is the
MAC address of VLANIF10.
C:\Documents and Settings\Administrator> arp -a
Interface: 10.16.1.2 --- 0x2
Internet Address Physical Address Type
10.16.2.2 00e0-fc39-80aa dynamic

----End

Configuration Files
- Configuration file of RouterA

#
sysname RouterA
#
vlan batch 10
#
interface Vlanif10
ip address 10.16.1.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
return


- Configuration file of RouterB

#
sysname RouterB
#
vlan batch 20
#
interface Vlanif20
ip address 10.16.2.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 20
#
return
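
With routed proxy ARP, a host's ARP table maps several IP addresses to the router's MAC address, which is also what an ARP spoofing attack produces. The following added example (not part of the Huawei guide) reviews a host ARP table and separates the two cases. It assumes routed proxy ARP only, with VLANIF10 of RouterA (10.16.1.1, 00e0-fc39-80aa) as the only legitimate proxy and 10.16.1.0/24 as the real local segment; the table rows, function names and finding labels are constructed for the example.

```python
"""Tell expected proxy ARP apart from suspicious MAC sharing in a host ARP table."""
import ipaddress
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f][0-9A-Fa-f:\-.]{10,16})\s+(\w+)\s*$")

# Constructed sample in the layout of the "arp -a" output shown above.
HOST_ARP = """\
Interface: 10.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  10.16.1.1             00e0-fc39-80aa        dynamic
  10.16.2.2             00e0-fc39-80aa        dynamic
  10.16.2.9             00-E0-FC-39-80-AA     dynamic
  10.16.1.50            00e0-fc39-80aa        dynamic
  10.16.1.7             0000-5e33-ee77        dynamic
  10.16.1.9             0000-5e33-ee77        dynamic
"""


def normalize_mac(mac):
    """Return a MAC in xxxx-xxxx-xxxx form whatever separators it used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_host_arp(text):
    """Return (ip, mac) pairs; header and interface lines are skipped."""
    pairs = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            pairs.append((match.group(1), normalize_mac(match.group(2))))
    return pairs


def review(text, gateway_mac, gateway_ip, local_net):
    """Flag MAC sharing that routed proxy ARP on the gateway does not explain."""
    gateway = normalize_mac(gateway_mac)
    segment = ipaddress.ip_network(local_net)
    by_mac = defaultdict(list)
    for ip, mac in parse_host_arp(text):
        by_mac[mac].append(ip)

    findings = []
    for mac, ips in by_mac.items():
        ips = sorted(ips, key=ipaddress.ip_address)
        if mac == gateway:
            # The proxy may answer for remote addresses, but an address on the
            # gateway's own segment should resolve to that host's own MAC.
            local = [ip for ip in ips
                     if ip != gateway_ip and ipaddress.ip_address(ip) in segment]
            if local:
                findings.append(("GATEWAY_MAC_FOR_LOCAL_HOST", mac, local))
        elif len(ips) > 1:
            # Some other station answers for several addresses.
            findings.append(("SHARED_MAC_NOT_GATEWAY", mac, ips))
    return findings


if __name__ == "__main__":
    for kind, mac, ips in review(HOST_ARP, "00e0-fc39-80aa",
                                 "10.16.1.1", "10.16.1.0/24"):
        print(f"{kind:27} {mac}  {', '.join(ips)}")
```

The entries for 10.16.2.2 and 10.16.2.9 raise no finding because they lie outside 10.16.1.0/24 and resolve to the known proxy.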

2.8.3 Example for Configuring Intra-VLAN Proxy ARP

Networking Requirements
As shown in Figure 2-14, hosts of the accounting department are located in a VLAN. Hosts
of the accounting department are attacked by viruses when they access the Internet. The
attacked hosts send a large number of broadcast packets, causing broadcast storms in the
VLAN, and hosts may even be unable to communicate. The company requires that broadcast
storms be prevented to ensure communication between hosts and information security.

Figure 2-14 Networking diagram for configuring intra-VLAN proxy ARP
[Figure: PC A (10.1.1.10/24) and PC B (10.1.1.100/24) in VLAN10 of the accounting department connect toward Ethernet2/0/0 of the Router; VLANIF10 is 10.1.1.12/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface isolation on the downstream interface of the switch to forbid Layer 2
communication and remove broadcast storms.
2. Enable intra-VLAN proxy ARP on the VLANIF interface to prevent broadcast storms
and implement Layer 3 communication between hosts in the accounting department.


Procedure
Step 1 Add Ethernet2/0/0 to VLAN10.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet2/0/0 to VLAN10.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid tagged vlan 10
[Router-Ethernet2/0/0] port hybrid pvid vlan 10

# Configure an IP address for VLANIF10.


[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.12 255.255.255.0
[Router-Vlanif10] quit

Step 2 Configure the switch.


Create VLAN10 on the switch and add all interfaces to VLAN10. Configure isolation for
downstream interfaces connected to users. The configuration details are not mentioned here.
Step 3 Configure IP addresses for PCs.
# Configure an IP address for each PC. Ensure that the IP addresses of PCs and the IP address
of VLANIF10 are on the same network segment. The configuration details are not mentioned
here.
# After the configuration is complete, each PC and the router can ping each other. PCs,
however, cannot ping each other.
Step 4 Enable intra-VLAN proxy ARP on VLANIF10.
[Router] interface vlanif 10
[Router-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
[Router-Vlanif10] quit

Step 5 Verify the configuration.


# Ping PC A and PC B. They can ping each other.
C:\Documents and Settings\Administrator> ping 10.1.1.100
PING 10.1.1.100: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.100: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.1.1.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.1.1.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.1.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 10.1.1.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 10.1.1.100 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

----End

Configuration Files
Configuration file of the router


#
sysname Router
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
return

2.8.4 Example for Configuring Inter-VLAN Proxy ARP

Networking Requirements
In Figure 2-15, VLAN2 and VLAN3 belong to super-VLAN4. Hosts in VLAN2 and VLAN3
cannot ping each other. To implement communication between hosts in VLAN2 and VLAN3,
configure inter-VLAN proxy ARP.

Figure 2-15 Networking diagram for configuring inter-VLAN proxy ARP
[Figure: Router with sub-VLANs VLAN2 and VLAN3 under super-VLAN VLAN4.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a super-VLAN and sub-VLANs.


2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and configure an IP
address for the VLANIF interface.
4. Enable inter-VLAN proxy ARP.


Procedure
Step 1 Configure a super-VLAN and sub-VLANs.
# Configure sub-VLAN2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit

# Add Ethernet2/0/0 and Ethernet2/0/1 to sub-VLAN2.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 2
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 2
[Router-Ethernet2/0/1] quit

# Configure sub-VLAN3.
[Router] vlan 3
[Router-vlan3] quit

# Add Ethernet2/0/2 and Ethernet2/0/3 to sub-VLAN3.


[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] port default vlan 3
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type access
[Router-Ethernet2/0/3] port default vlan 3
[Router-Ethernet2/0/3] quit

# Create super-VLAN 4 and add sub-VLAN2 and sub-VLAN3 to super-VLAN4.


[Router] vlan 4
[Router-vlan4] aggregate-vlan
[Router-vlan4] access-vlan 2
[Router-vlan4] access-vlan 3
[Router-vlan4] quit

Step 2 Create and configure VLANIF4.


# Create VLANIF4.
[Router] interface vlanif 4

# Configure an IP address for VLANIF4.


[Router-Vlanif4] ip address 10.10.10.1 24

Step 3 Enable inter-VLAN proxy ARP on VLANIF4.


[Router-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[Router-Vlanif4] quit

Step 4 Verify the configuration.


# Run the display current-configuration command to check configurations of the super-
VLAN, sub-VLANs, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# Run the display arp command to view all the ARP entries.
<Router> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I -         Vlanif4
10.10.10.2      00e0-fc00-0002  19        D-0         Ethernet2/0/0
                                          2/-
10.10.10.3      00e0-fc00-0003  19        D-0         Ethernet2/0/1
                                          2/-
10.10.10.4      00e0-fc00-0004  19        D-0         Ethernet2/0/2
                                          3/-
10.10.10.5      00e0-fc00-0005  19        D-0         Ethernet2/0/3
                                          3/-
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0     Interface:1

----End

Configuration Files
Only the configuration file of the router is provided.

#
sysname Router
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 2
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
#
return

2.8.5 Example for Configuring Layer 2 Topology Detection


Networking Requirements
As shown in Figure 2-16, two Ethernet interfaces are added to VLAN100 in default mode. To
view changes of ARP entries, configure Layer 2 topology detection.


Figure 2-16 Networking diagram for configuring Layer 2 topology detection
[Figure: PC A (10.1.1.1/24) and PC B (10.1.1.3/24) in VLAN100 connect to Ethernet 2/0/0 and Ethernet 2/0/1 of the Router respectively; VLANIF100 is 10.1.1.2/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Add two Ethernet interfaces to VLAN100 in default mode.
2. Enable Layer 2 topology detection to view changes of ARP entries.

Procedure
Step 1 Create VLAN100 and add two Ethernet interfaces to VLAN100 in default mode.
# Create VLAN100 and configure an IP address for the VLANIF interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.1.1.2 24
[Router-Vlanif100] quit

# Add two Ethernet interfaces to VLAN100 in default mode.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 100
[Router-Ethernet2/0/1] quit

Step 2 Enable Layer 2 topology detection.


[Router] l2-topology detect enable

Step 3 Restart Ethernet2/0/0 and view changes of ARP entries and aging time.
# View ARP entries on the router. You can find the router has learned the MAC address of the
PC.
[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -         Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0         Ethernet2/0/0
10.1.1.3        00e0-de24-bf04  20        D-0         Ethernet2/0/1
-----------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1

After 1 minute, run the shutdown command to shut down Ethernet2/0/0, simulate an interface
fault, and check the aging time of ARP entries. The command output shows that the ARP
entries learned from Ethernet2/0/0 are deleted after Ethernet2/0/0 is shut down.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] shutdown
[Router-Ethernet2/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -         Vlanif100
10.1.1.3        00e0-de24-bf04  19        D-0         Ethernet2/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1

# Run the undo shutdown command to restart Ethernet2/0/0 and check the aging time of
ARP entries. The command output shows that Ethernet2/0/0 and Ethernet2/0/1 in VLAN100
update ARP entries after Ethernet2/0/0 is restarted and becomes Up.
[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I -         Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0         Ethernet2/0/0
10.1.1.3        00e0-de24-bf04  20        D-0         Ethernet2/0/1
-----------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1

----End

Configuration Files
Configuration file of the router

#
sysname Router
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 100
#
return


2.8.6 Example for Configuring Multi-Interface ARP


Networking Requirements
As shown in Figure 2-17, the router connects to three NLB servers through interfaces
Eth2/0/1, Eth2/0/2, and Eth2/0/3 respectively. The three interfaces belong to VLAN 10. The
NLB group works in multicast mode. Each server in the NLB group has its own IP address
and MAC address. The servers also share virtual IP address 10.128.246.252/24 and virtual
MAC address 03bf-0a80-f6fc.
When the client attempts to connect to the virtual IP address of the NLB group, the router
needs to forward packets destined for the group virtual IP address to all servers in the NLB
group.

Figure 2-17 Networking diagram for configuring multi-interface ARP
[Figure: the client reaches the router through an IP network; router interfaces Eth2/0/1,
Eth2/0/2, and Eth2/0/3 connect to Server_1, Server_2, and Server_3 in the NLB server group.
Virtual IP address: 10.128.246.252/24. Virtual MAC address: 03bf-0a80-f6fc.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and add the interfaces to a VLAN.
2. Configure a multi-interface MAC address entry and a static ARP entry so that the router
can forward packets destined for the group virtual IP address to the three servers in the
NLB group.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.


# On the router, create a VLAN and add the interfaces to the VLAN.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type access
[Router-Ethernet2/0/3] quit
[Router] vlan 10
[Router-vlan10] port ethernet 2/0/1 to 2/0/3
[Router-vlan10] quit

Step 2 On the router, create a VLANIF interface and assign an IP address to it.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.128.246.251 24
[Router-Vlanif10] quit

Step 3 On the router, configure a multi-interface MAC address entry.
[Router] mac-address multiport 03bf-0a80-f6fc interface ethernet 2/0/1 to ethernet 2/0/3 vlan 10

Step 4 On the router, configure a static ARP entry.


[Router] arp static 10.128.246.252 03bf-0a80-f6fc
[Router] quit

Step 5 Verify the configuration.


# On the router, run the display mac-address multiport vlan 10 command to check the
multi-interface MAC address table.
<Router> display mac-address multiport vlan 10
--------------------------------------------------------------------------------
MAC Address     VLANID  Out-Interface
--------------------------------------------------------------------------------
03bf-0a80-f6fc  10      Ethernet2/0/1
                        Ethernet2/0/2
                        Ethernet2/0/3
                        3 port(s)
--------------------------------------------------------------------------------
Total Group(s) : 1

# On the router, run the display arp static command to check the static ARP entry.
<Router> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.128.246.252  03bf-0a80-f6fc            S--         Multi-port:3
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:1     Interface:0

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10
#
interface Vlanif10
 ip address 10.128.246.251 255.255.255.0
#
interface Ethernet2/0/1
 mac-address multiport 03bf-0a80-f6fc vlan 10
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/2
 mac-address multiport 03bf-0a80-f6fc vlan 10
 port link-type access
 port default vlan 10
#
interface Ethernet2/0/3
 mac-address multiport 03bf-0a80-f6fc vlan 10
 port link-type access
 port default vlan 10
#
arp static 10.128.246.252 03bf-0a80-f6fc
#
return
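
The following Python check is an added example, not part of the Huawei guide. It reads a saved configuration file and reports any static ARP entry that points at a multicast MAC address without a matching multi-interface MAC entry. It also applies the Microsoft NLB multicast-mode convention (cluster MAC = 03-bf followed by the four octets of the virtual IP), which is an assumption about the NLB product and is not stated in this guide; the function names and the sample text are constructed for the example.

```python
import ipaddress
import re


def nlb_multicast_mac(virtual_ip: str) -> str:
    """Microsoft NLB multicast mode (assumed): MAC = 03-bf + the four octets of the virtual IP."""
    digits = (b"\x03\xbf" + ipaddress.IPv4Address(virtual_ip).packed).hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))   # Huawei xxxx-xxxx-xxxx notation


def audit_multiport_arp(config: str) -> list:
    """Return findings for static ARP entries that point at a multicast MAC.

    An empty list means every such entry has a matching multi-interface MAC entry.
    """
    static_arp, multiport, iface = {}, {}, None      # ip -> mac, mac -> [interfaces]
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                               # '#' ends the current configuration view
            iface = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"arp static (\S+) (\S+)", line)
        if m:
            static_arp[m.group(1)] = m.group(2).lower()
            continue
        m = re.fullmatch(r"mac-address multiport (\S+) vlan \d+", line)
        if m and iface:
            multiport.setdefault(m.group(1).lower(), []).append(iface)

    findings = []
    for ip, mac in static_arp.items():
        if not int(mac[:2], 16) & 0x01:               # group bit clear: ordinary unicast MAC
            continue
        if mac not in multiport:
            findings.append(f"{ip}: {mac} has no multi-interface MAC entry")
        if mac.startswith("03bf") and mac != nlb_multicast_mac(ip):
            findings.append(f"{ip}: {mac} does not encode the IP, expected {nlb_multicast_mac(ip)}")
    return findings


# Constructed sample: the relevant lines of the configuration file shown above.
SAMPLE_CONFIG = """
#
interface Ethernet2/0/1
 mac-address multiport 03bf-0a80-f6fc vlan 10
#
interface Ethernet2/0/2
 mac-address multiport 03bf-0a80-f6fc vlan 10
#
interface Ethernet2/0/3
 mac-address multiport 03bf-0a80-f6fc vlan 10
#
arp static 10.128.246.252 03bf-0a80-f6fc
#
"""

if __name__ == "__main__":
    print(audit_multiport_arp(SAMPLE_CONFIG) or "consistent")
```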


3 DHCP Configuration

About This Chapter

Dynamic Host Configuration Protocol (DHCP) can dynamically allocate network parameters
including IPv4 addresses to network hosts, helping network administrators to implement
centralized management and control on the network hosts.
3.1 DHCP Overview
This section provides an overview of Dynamic Host Configuration Protocol (DHCP) and
describes its purpose and benefits.
3.2 Principles
This section describes DHCP implementation.
3.3 Specifications
This section provides DHCP specifications.
3.4 Application
This section describes the application scenarios of DHCP.
3.5 Appendix
3.6 Default Configuration
This section describes the default DHCP configurations.
3.7 Configuration Task Summary
Based on the application scenarios in the following table, perform the appropriate DHCP
configuration tasks.
3.8 Configuration Notes
This section provides the points of attention when configuring DHCP.
3.9 Configuring a DHCP Server
A DHCP server dynamically allocates network parameters including IP addresses to network
hosts.
3.10 Configuring a DHCP Relay Agent
When a DHCP server resides on a different network segment from DHCP clients, configure a
DHCP relay agent to help the DHCP server allocate network parameters including IP
addresses to DHCP clients.


3.11 Configuring a DHCP Client


A device can function as a DHCP client and dynamically obtain network parameters including
the IP address from a DHCP server. This mechanism lowers manual costs, reduces errors, and
facilitates unified management.
3.12 Configuring a BOOTP Client
A device can function as a BOOTP client and dynamically obtain network parameters
including the IP address from a DHCP server.
3.13 Maintaining DHCP
This section describes how to view and clear DHCP statistics and monitor DHCP operation.
3.14 Configuration Examples
This section provides DHCP configuration examples, including the networking requirements
and configuration roadmap.
3.15 Common Misconfigurations
This section describes common faults caused by incorrect configurations and provides the
troubleshooting procedure.
3.16 FAQ
This section provides answers to frequently asked questions (FAQs) about the use of DHCP.

3.1 DHCP Overview


This section provides an overview of Dynamic Host Configuration Protocol (DHCP) and
describes its purpose and benefits.

Definition
DHCP dynamically configures and uniformly manages network parameters of hosts on a
TCP/IP network. DHCP provides the following functions:
• Allocates IP addresses to hosts. DHCP supports two mechanisms for IP address
allocation. Network administrators can select different mechanisms for hosts based on
network requirements.
– Dynamic allocation: DHCP allocates an IP address with a limited validity period
(called lease) to a client. This mechanism applies to hosts that temporarily connect
to a network with fewer IP addresses than the total number of hosts. For example,
this mechanism can be used to allocate IP addresses to laptops used by employees
on business trips or mobile terminals in cafes.
– Static allocation: A network administrator uses DHCP to allocate fixed IP addresses
to specified clients. This mechanism applies to hosts with special IP address
requirements. For example, the file server of an enterprise needs to use a fixed IP
address to provide services for extranet users. Compared with manual IP address
configuration, DHCP-based static IP address allocation prevents manual
configuration errors and helps network administrators perform unified maintenance
and management.
• Allocates other network parameters to hosts, including the DNS server address, routing
information, and gateway address.

NOTE

This chapter deals exclusively with IPv4 addresses. To configure DHCP to dynamically allocate IPv6
addresses, see 9 DHCPv6 Configuration.


Purpose
To communicate with other networked devices, a host generally requires network parameters
including an IP address, gateway address, and DNS server address. If these network
parameters are manually configured on each host, errors may occur. In addition, it may be
difficult for administrators to centrally maintain the configurations.
The Bootstrap Protocol (BOOTP) is a transport protocol based on the client/server model.
BOOTP can dynamically allocate network parameters to hosts and diskless workstations.
When a host starts for the first time, it can obtain network parameters including the IP
address, gateway address, and DNS server address using BOOTP. When BOOTP is used, an
administrator must configure and maintain a BOOTP configuration file that defines mappings
between IP addresses and MAC addresses. Each host can obtain the configuration from the
BOOTP server and set up a permanent network connection. The BOOTP configuration file is
statically configured. When a host changes its location, the administrator must reconfigure the
corresponding BOOTP configuration file.
BOOTP cannot meet network parameter allocation requirements when available IP addresses
on a network are insufficient or hosts frequently change locations. DHCP is introduced to
resolve this issue. DHCP allows the reuse of IP addresses and dynamically allocates network
parameters to hosts.
DHCP is built on the client/server model, where a DHCP server manages IP addresses for
clients on a network segment in address pools. Administrators do not need to manually record
mappings between IP addresses and MAC addresses of the clients. After a host obtains an IP
address from a DHCP server, the DHCP server records the mapping between the IP address
and MAC address of the host. No manual intervention is required during this process. In
addition, the DHCP server can dynamically allocate the same network parameters, such as a
gateway address and DNS server IP address, to hosts on a network segment. DHCP can
allocate one IP address to different hosts in different time periods. When a host does not need
this IP address, this IP address can be released and allocated to other hosts.

Benefits
• Lower network access costs: Static IP address configuration must take the physical
locations of the hosts into account and requires significant effort. DHCP allows an
administrator to perform unified configuration for hosts on a DHCP server, reducing
network access costs.
• Lower host configuration costs: Manual IP address allocation is labor-intensive and
places high technical requirements on configuration personnel. DHCP allows hosts to
dynamically obtain required network parameters after they are powered on. No
additional configuration is required, reducing host configuration costs and lowering
technical requirements for configuration personnel.
• Higher IP address utilization: Static IP address configuration binds IP addresses to hosts.
DHCP can release the IP address of a host after the host goes offline and then allocate
the IP address to another host, improving IP address utilization.
• Unified management: Static IP address configuration cannot quickly respond to
configuration changes. When a network parameter changes (a gateway address, for
example), the administrator must modify the configuration on each host. With DHCP, the
administrator needs only to modify the configuration on the DHCP server, facilitating
unified management.


3.2 Principles
This section describes DHCP implementation.

3.2.1 Typical Networking


Figure 3-1 shows the typical DHCP networking.

Figure 3-1 Typical DHCP networking
[Figure: network diagram showing two DHCP clients, a DHCP relay agent, an IP network, and a
DHCP server.]

The following roles are involved on a typical DHCP network:


• DHCP client: applies for network parameters including IP addresses through DHCP. A
DHCP client can be an IP phone, PC, mobile phone, or diskless workstation.
• DHCP server: allocates network parameters to DHCP clients.
• (Optional) DHCP relay agent: exchanges DHCP messages between a DHCP server and
DHCP clients and helps the DHCP server to dynamically allocate network parameters to
the DHCP clients.
When a DHCP client broadcasts DHCP Discover messages with the destination IP
address 255.255.255.255, only the DHCP server on the same network segment as the
DHCP client can receive the messages. If a DHCP server is on a different network
segment from the DHCP client, a DHCP relay agent must be deployed to forward DHCP
Discover messages to the DHCP server. The DHCP relay agent modifies the format of a
DHCP Discover or Offer message to generate a new DHCP message and then forwards
it.
A DHCP relay agent is required in scenarios where terminals on an enterprise network
are located on multiple network segments and need to obtain network parameters
through DHCP. This enables the terminals to communicate with one DHCP server,
saving server resources and facilitating unified management.

3.2.2 How a DHCP Server Allocates Network Parameters to New DHCP Clients
This section describes how a DHCP server allocates network parameters to DHCP clients that
connect to the network for the first time. If a DHCP relay agent is deployed on the network,
the working mechanism is different.


• Network Parameter Allocation Without a DHCP Relay Agent
• Network Parameter Allocation with DHCP Relay Agents

Network Parameter Allocation Without a DHCP Relay Agent


When accessing a network for the first time, a DHCP client exchanges DHCP messages with
a DHCP server to obtain network parameters, as shown in Figure 3-2.

NOTE

DHCP messages are transmitted using the User Datagram Protocol (UDP). DHCP clients use
UDP port 68, and DHCP servers use UDP port 67.

Figure 3-2 Message exchange between a DHCP server and a new DHCP client when no
DHCP relay agent is deployed
[Figure: message sequence between the DHCP client and the DHCP server.
1. Discovery stage: The DHCP client broadcasts a DHCP Discover message.
2. Offer stage: The DHCP server replies with a DHCP Offer message.
3. Request stage: The DHCP client broadcasts a DHCP Request message.
4. Acknowledge stage: The DHCP server replies with a DHCP ACK message.]

1. Discovery stage: The DHCP client detects DHCP servers.


Because the DHCP client does not know the IP addresses of DHCP servers, it broadcasts
a DHCP Discover message (with destination IP address 255.255.255.255) to detect
DHCP servers. All DHCP servers on the same network segment as the DHCP client can
receive the DHCP Discover message. Information carried in a DHCP Discover message
includes the client's MAC address (Chaddr field), parameter request list (Option 55 field,
indicating the network parameters required by the client), and broadcast flag (Flags field,
determining whether the response should be sent in unicast or broadcast mode).
– The Options field in a DHCP Discover message defines network parameters that a
client requires. Each option identifies a parameter. For example, Option 3 indicates
the requested gateway address. (A client adds Option 3 in the Option 55 field when
it requests the gateway address.) Option 53 indicates the DHCP message type (such
as Discover message). Options are classified into well-known and self-defined
options. For more information about well-known DHCP options, see RFC 2132.
Vendors can define their own options (for example, Option 43 is defined to indicate
vendor-specific information). For details about options, see 3.5.2 DHCP Options.
– The Flags field is defined in RFC 2131. The leftmost bit of this field indicates
whether the server is required to unicast or broadcast the DHCP Offer/ACK
message. The value 0 indicates unicast, and the value 1 indicates broadcast. The
Flags field is set to 1 on Huawei AR Series switches functioning as DHCP
clients.
2. Offer stage: A DHCP server offers network parameters to the DHCP client.
All DHCP servers on the same network segment as the DHCP client can receive the
DHCP Discover message. Each DHCP server may have multiple address pools to
manage network parameters including allocatable IP addresses. A DHCP server selects
an address pool on the same network segment as the IP address of the interface receiving
the DHCP Discover message, and from the address pool selects an idle IP address. The
DHCP server then sends a DHCP Offer message carrying the allocated IP address (in the
Yiaddr field) to the DHCP client. The DHCP Offer message also carries other network
parameters such as the IP address lease.
In most cases, an address pool specifies the leases of IP addresses in it. If the DHCP
Discover message carries an expected lease, the DHCP server compares the expected
lease with the specified lease and allocates the IP address with the shorter of the two
leases to the DHCP client.
IP addresses in an address pool are added to different IP address lists based on the IP
address status. Unallocated IP addresses are added to the allocatable IP address list,
allocated IP addresses to the in-use IP address list, conflicting IP addresses to the
conflicting IP address list, and IP addresses that cannot be allocated to the
unallocatable IP address list. The DHCP server selects an IP address for the
client from the address pool in the following sequence:
a. IP address statically bound to the MAC address of the client on the DHCP server
b. IP address that has been previously allocated to the client
c. IP address specified in the Option 50 field (requested IP address) in the DHCP
Discover message
d. Largest allocatable IP address
e. If the DHCP server does not find any allocatable IP address, it searches for expired
IP addresses and, if none are found, conflicting IP addresses. If a valid IP address is
found, the DHCP server allocates it to the client. Otherwise, the DHCP server
replies with a DHCP NAK message to notify the client that no IP address is
available. After receiving the DHCP NAK message, the DHCP client sends a
DHCP Discover message to apply for a new IP address.
DHCP servers can exclude some IP addresses that cannot be allocated through DHCP
from address pools. For example, if 192.168.1.100/24 has been manually configured for
a DNS server, the DHCP server excludes this IP address from the address pool on
network segment 192.168.1.0/24 so that it is not allocated through DHCP. This helps
prevent IP address conflicts.
To prevent a newly allocated IP address from conflicting with IP addresses of other
clients on the network, the DHCP server sends an ICMP Echo Request packet to check
whether the IP address to be allocated conflicts with other clients' IP addresses before
sending a DHCP Offer message. The source and destination IP addresses of the ICMP
Echo Request packet are the DHCP server's IP address and the IP address to be
allocated, respectively. If the DHCP server receives no ICMP Echo Reply packet within
the detection period, no client is using this IP address, and the DHCP server can allocate
it. If the DHCP server receives an ICMP Echo Reply packet within the detection period,
this IP address is in use by another client, and the DHCP server lists this IP address as a
conflicting IP address. The DHCP server then waits for the next DHCP Discover
message to start the IP address selection process again.
NOTE

The IP address allocated in this stage may not be the final IP address used by the client. This is because
the IP address may be allocated to another client if the DHCP server receives no response 16 seconds
after the DHCP Offer message is sent. The IP address for the client can be determined only after the
request and acknowledgment stages.
3. Request stage: The DHCP client selects an IP address.
The client broadcasts a DHCP Discover message to all DHCP servers on the local
network segment. If multiple DHCP servers reply with a DHCP Offer message to the
DHCP client, the client accepts only the first received DHCP Offer message. The client
then broadcasts a DHCP Request message carrying the selected DHCP server identifier
(Option 54) and IP address (Option 50, with the IP address specified in the Yiaddr field
of the accepted DHCP Offer message).
The DHCP Request message notifies all the DHCP servers that the DHCP client has
selected the IP address offered by a DHCP server. Then the other servers can allocate IP
addresses to other clients.
4. Acknowledgment stage: The DHCP server acknowledges the IP address offered to the
client.
After receiving the DHCP Request message, the DHCP server sends a DHCP ACK
message to the client, carrying the IP address specified in the Option 50 field of the
Request message.
After receiving the DHCP ACK message, the DHCP client broadcasts gratuitous ARP
packets to check whether any other terminal is using the IP address allocated by the
DHCP server. If no response is received within the specified time, the DHCP client can
use the IP address. If the DHCP client receives a response within the specified time, this
IP address is in use by another terminal. The client then sends a DHCP Decline message
to the DHCP server and applies for a new IP address. The DHCP server lists this IP
address as a conflicting IP address. The DHCP server allocates conflicting IP addresses
only when there is no idle IP address in the address pools, minimizing IP address
conflicts.
Occasionally, the DHCP server may fail to allocate the IP address specified in the Option
50 field because, for example, an error occurs during negotiation or it takes a long time
to receive the DHCP Request message. In this case, the DHCP server replies with a
DHCP NAK message to notify the DHCP client that the requested IP address cannot be
allocated. The DHCP client then sends a DHCP Discover message to apply for a new IP
address.
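
The Discovery and Offer stages above, as an added Python example that is not Huawei's implementation: it parses the fields the text names from a raw Discover message (Chaddr, Flags, Options 50, 53 and 55) and then applies the address selection sequence a to e and the lease comparison. The pool dictionary layout, the function names, the use of Option 51 (lease time, RFC 2132) for the expected lease, the requirement in step b that the earlier address still be allocatable, and the choice of the largest address among expired or conflicting candidates are assumptions; the sample message is constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # precedes the Options field (RFC 2131)


def parse_dhcp(packet: bytes) -> dict:
    """Extract the fields the Discovery stage names from a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen, flags = packet[2], struct.unpack("!H", packet[10:12])[0]
    if hlen > 16:
        raise ValueError("hardware address longer than the Chaddr field")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:          # 255 = End
        if packet[i] == 0:                               # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        options[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]

    def fixed(code):                                     # 4-byte option as int, or None
        value = options.get(code, b"")
        return struct.unpack("!I", value)[0] if len(value) == 4 else None

    requested = fixed(50)
    return {
        "chaddr": packet[28:28 + hlen].hex(),
        "broadcast": bool(flags & 0x8000),               # leftmost bit of Flags
        "msg_type": (options.get(53) or b"\x00")[0],     # Option 53, 1 = Discover
        "param_request": list(options.get(55, b"")),     # Option 55
        "requested_ip": None if requested is None else str(ipaddress.IPv4Address(requested)),
        "expected_lease": fixed(51),                     # Option 51 (assumed), seconds
    }


def select_address(client: dict, pool: dict):
    """Sequence a-e of the Offer stage; None means the server answers with DHCP NAK."""
    mac, free = client["chaddr"], pool["allocatable"]
    if mac in pool["static"]:                            # a. static MAC binding
        return pool["static"][mac]
    if pool["previous"].get(mac) in free:                # b. previously allocated (assumed: still free)
        return pool["previous"][mac]
    if client["requested_ip"] in free:                   # c. Option 50
        return client["requested_ip"]
    for candidates in (free, pool["expired"], pool["conflicting"]):   # d, then e
        if candidates:
            return max(candidates, key=ipaddress.IPv4Address)
    return None


def offered_lease(client: dict, pool: dict) -> int:
    """The shorter of the expected lease and the lease specified in the pool."""
    expected = client["expected_lease"]
    return pool["lease"] if expected is None else min(expected, pool["lease"])


# Constructed sample: Discover from 00e0-fc12-3456 with the broadcast flag set.
SAMPLE_DISCOVER = (
    struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)  # op htype hlen hops xid secs flags
    + bytes(16)                                          # ciaddr, yiaddr, siaddr, giaddr
    + bytes.fromhex("00e0fc123456").ljust(16, b"\0")     # chaddr
    + bytes(192)                                         # sname + file
    + MAGIC_COOKIE
    + bytes([53, 1, 1])                                  # Option 53: Discover
    + bytes([50, 4, 192, 168, 1, 20])                    # Option 50: requested IP
    + bytes([51, 4]) + struct.pack("!I", 3600)           # Option 51: expected lease
    + bytes([55, 3, 1, 3, 6])                            # Option 55: mask, gateway, DNS
    + bytes([255])
)

# Constructed sample pool (hypothetical layout).
POOL = {
    "lease": 86400,
    "static": {"00e0fc0000aa": "192.168.1.10"},
    "previous": {},
    "allocatable": {"192.168.1.20", "192.168.1.30", "192.168.1.200"},
    "expired": set(),
    "conflicting": {"192.168.1.50"},
}

if __name__ == "__main__":
    discover = parse_dhcp(SAMPLE_DISCOVER)
    print(discover, select_address(discover, POOL), offered_lease(discover, POOL))
```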

Network Parameter Allocation with DHCP Relay Agents


After a DHCP client connects to the network for the first time, the client exchanges DHCP
messages with a DHCP relay agent and DHCP server to obtain network parameters, as shown
in Figure 3-3. The interaction between the DHCP client and server is similar to that described
in Network Parameter Allocation Without a DHCP Relay Agent. The following describes
the working mechanism of the DHCP relay agent.


Figure 3-3 Message exchange among a new DHCP client, a DHCP server, and a DHCP relay
agent
[Figure: message sequence among the DHCP client, the DHCP relay agent, and the DHCP server.
1. Discovery stage: The DHCP client broadcasts a DHCP Discover message. The DHCP relay
agent unicasts the DHCP Discover message.
2. Offer stage: The DHCP relay agent replies with the DHCP Offer message. The DHCP server
unicasts a DHCP Offer message.
3. Request stage: The DHCP client broadcasts a DHCP Request message. The DHCP relay
agent unicasts the DHCP Request message.
4. Acknowledge stage: The DHCP server replies with the DHCP ACK message. The DHCP
server unicasts a DHCP ACK message.]

1. Discovery stage
When receiving a DHCP Discover message broadcast by a DHCP client, the DHCP relay
agent performs the following steps:
a. Check the value of the Hops field. If this value exceeds 16, the DHCP relay agent
discards the message. Otherwise, the DHCP relay agent increases this value by 1
and proceeds to the next step.
The Hops field indicates the number of DHCP relay agents that a DHCP message
has passed through. This field is set to 0 by a DHCP client or server. Its value
increases by 1 each time the message passes through a DHCP relay agent. This field
limits the number of DHCP relay agents that a DHCP message can pass through. A
maximum of 16 DHCP relay agents are allowed between a DHCP client and server.
b. Check the value of the Giaddr field. If this value is 0, the DHCP relay agent sets the
Giaddr field to the IP address of the interface receiving the DHCP Discover
message. Otherwise, the DHCP relay agent does not change the field and proceeds
to the next step.
The Giaddr field indicates the gateway IP address. If the DHCP server and client
are located on different network segments, the first DHCP relay agent fills this field
with its own IP address and forwards the message to the DHCP server. Other DHCP
relay agents on the path forward the message without changing this field. The
DHCP server determines on which network segment the client resides based on the
Giaddr field, and allocates an IP address on this network segment to the client.
c. Change the destination IP address of the DHCP Discover message to the IP address
of the DHCP server or the next-hop DHCP relay agent, and change the source IP
address to the IP address of the interface connecting the DHCP relay agent to the
client. The message is then unicast to the DHCP server or the next-hop DHCP relay
agent.
If there are multiple DHCP relay agents between the DHCP client and server, the DHCP
relay agents process the DHCP Discover message using the same method.


2. Offer stage
After receiving the DHCP Discover message, the DHCP server selects an address pool
on the same network segment as that specified in the Giaddr field and allocates an IP
address and other network parameters from the address pool. The IP address selection
rule is the same as that described in Network Parameter Allocation Without a DHCP
Relay Agent. The DHCP server then sends a unicast DHCP Offer message to the DHCP
relay agent specified in the Giaddr field.
When receiving the DHCP Offer message, the DHCP relay agent performs the following
steps:
– Check the value of the Giaddr field. If this value is the IP address of the interface
receiving the DHCP Offer message, the DHCP relay agent discards the message.
Otherwise, the DHCP relay agent proceeds to the next step.
– Check the value of the Flags field. If this value is 1, the DHCP relay agent sends a
broadcast DHCP Offer message to the DHCP client. Otherwise, the DHCP relay
agent sends a unicast DHCP Offer message.
3. Request stage
The DHCP relay agent processes the DHCP Request message from the client using the
same method as that described in Discovery stage.
4. Acknowledgment stage
The DHCP relay agent processes the DHCP ACK message from the server using the
same method as that described in Offer stage.
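
The relay agent checks described above, as an added Python example that is not Huawei's code: one function applies steps a to c to a message received from the client side (Hops limit, Giaddr fill, new source and destination addresses), the other applies the Giaddr and Flags checks to a message received from the server. Function names and addresses are hypothetical, the messages are constructed 240-byte headers, and sending the unicast reply to the Yiaddr address follows RFC 2131 rather than this guide.

```python
import ipaddress

HOPS, FLAGS, YIADDR, GIADDR = 3, 10, 16, 24      # byte offsets in the fixed DHCP header
MAX_HOPS = 16


def relay_client_message(msg: bytes, rx_if_ip: str, next_hop_ip: str):
    """Discovery/Request stage, steps a-c. Returns (src, dst, message) or None if discarded."""
    if len(msg) < 240:
        return None
    buf = bytearray(msg)
    if buf[HOPS] > MAX_HOPS:                       # a. Hops exceeds 16: discard
        return None
    buf[HOPS] += 1
    if buf[GIADDR:GIADDR + 4] == bytes(4):         # b. only the first relay agent fills Giaddr
        buf[GIADDR:GIADDR + 4] = ipaddress.IPv4Address(rx_if_ip).packed
    return rx_if_ip, next_hop_ip, bytes(buf)       # c. unicast to the server or next relay agent


def relay_server_message(msg: bytes, rx_if_ip: str):
    """Offer/ACK stage. Returns (mode, dst, message) or None if discarded."""
    if len(msg) < 240:
        return None
    giaddr = str(ipaddress.IPv4Address(msg[GIADDR:GIADDR + 4]))
    if giaddr == rx_if_ip:                         # Giaddr check as stated in the Offer stage text
        return None
    if msg[FLAGS] & 0x80:                          # leftmost bit of Flags set: broadcast
        return "broadcast", "255.255.255.255", msg
    client_ip = str(ipaddress.IPv4Address(msg[YIADDR:YIADDR + 4]))
    return "unicast", client_ip, msg               # destination per RFC 2131 (assumption)


def sample_message(hops=0, flags=0x8000, yiaddr="0.0.0.0", giaddr="0.0.0.0") -> bytes:
    """Constructed 240-byte DHCP header for the demonstration (all other fields zero)."""
    buf = bytearray(240)
    buf[HOPS] = hops
    buf[FLAGS:FLAGS + 2] = flags.to_bytes(2, "big")
    buf[YIADDR:YIADDR + 4] = ipaddress.IPv4Address(yiaddr).packed
    buf[GIADDR:GIADDR + 4] = ipaddress.IPv4Address(giaddr).packed
    return bytes(buf)


if __name__ == "__main__":
    # Two relay agents in a row: the second one must leave Giaddr untouched.
    first = relay_client_message(sample_message(), "10.1.1.1", "10.2.2.2")
    second = relay_client_message(first[2], "10.2.2.2", "10.3.3.3")
    print(second[2][HOPS], ipaddress.IPv4Address(second[2][GIADDR:GIADDR + 4]))
```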

3.2.3 How a DHCP Client Reuses an IP Address


If a DHCP client reconnects to the network, it can reuse an IP address that has been allocated
to it. This section describes how a DHCP client reuses an IP address in a scenario where no
DHCP relay agent is deployed. If a DHCP relay agent is deployed, the only difference is that
the DHCP relay agent processes DHCP messages. For details, see 3.2.2 How a DHCP Server
Allocates Network Parameters to New DHCP Clients.
Not all clients can reuse IP addresses that have been allocated to them. The following uses a
PC as the DHCP client to describe how the DHCP client reuses an IP address.
The DHCP client exchanges DHCP messages with a DHCP server so that it can obtain the
network parameters, including the IP address that has been allocated to it. Figure 3-4 shows
this message exchange.

Figure 3-4 Message exchange for IP address reuse between a DHCP client and a server
[Figure: message sequence between the DHCP client and the DHCP server.
1. Request stage: The DHCP client broadcasts a DHCP Request message.
2. Acknowledge stage: The DHCP server replies with a DHCP ACK message.]


1. The DHCP client broadcasts a DHCP Request message carrying the IP address that the
client has used. The requested IP address is added in the Option 50 field.
2. After receiving the DHCP Request message, the DHCP server checks whether there is a
lease record based on the MAC address in the message. If there is a lease record
matching the MAC address, the DHCP server replies with a DHCP ACK message to
notify the DHCP client that the requested IP address can be used. Otherwise, the DHCP
server performs no operation and waits for a new DHCP Discover message from the
client.

3.2.4 How a DHCP Client Renews Its IP Address Lease


IP addresses that are dynamically allocated by a DHCP server have leases. A DHCP Discover
message from a DHCP client can carry an expected lease. When allocating network
parameters, the DHCP server compares the expected lease with the specified lease in the
address pool and allocates an IP address with the shorter of the two leases to the DHCP client. When the
lease expires or the client goes offline, the DHCP server reclaims the IP address, which can
then be allocated to other clients. This mechanism improves IP address utilization. To
continue to use this IP address, the DHCP client must renew its IP address lease.
The following describes how a DHCP client renews its IP address lease with and without a
DHCP relay agent.
• IP Address Lease Renewal Without a DHCP Relay Agent
• IP Address Lease Renewal with DHCP Relay Agents

IP Address Lease Renewal Without a DHCP Relay Agent


Figure 3-5 shows how a DHCP client renews its IP address lease.

Figure 3-5 Renewing an IP address lease
[Figure: message sequence between the DHCP client and the DHCP server.
T1: The DHCP client unicasts a DHCP Request message.
T2: The DHCP client broadcasts a DHCP Request message.]

1. When the lease reaches 50% (T1) of its validity period, the DHCP client sends a unicast
DHCP Request message to the DHCP server to request lease renewal. If the DHCP client
receives a DHCP ACK message, the IP address lease is successfully renewed (counted
from 0). If the DHCP client receives a DHCP NAK message, the DHCP client must send
a DHCP Discover message to apply for a new IP address.
2. If no response is received from the DHCP server when the lease reaches 87.5% (T2) of
its validity period, the DHCP client sends a broadcast DHCP Request message to request
lease renewal. If the DHCP client receives a DHCP ACK message, the IP address lease
is successfully renewed (counted from 0). If the DHCP client receives a DHCP NAK
message, the DHCP client must send a DHCP Discover message to apply for a new IP
address.
3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP Discover message to apply for a new IP address.
If a DHCP client does not need to use the allocated IP address before the lease expires, the
DHCP client sends a DHCP Release message to the DHCP server to request IP address
release. The DHCP server saves the configuration of this DHCP client and records the IP
address in the allocated IP address list. The IP address can then be allocated to this DHCP
client or other clients.
A DHCP client can send a DHCP Inform message to the DHCP server to request
configuration update.

IP Address Lease Renewal with DHCP Relay Agents


Figure 3-6 shows how a DHCP client renews its IP address lease when a DHCP relay agent is
deployed.

Figure 3-6 Renewing the IP address lease when a DHCP relay agent is deployed
[Figure: sequence between DHCP Client, DHCP Relay Agent, and DHCP Server. At T1 the DHCP client unicasts a DHCP Request message; at T2 the DHCP client broadcasts a DHCP Request message and the DHCP relay agent unicasts the DHCP Request message.]

1. When the lease reaches 50% (T1) of its validity period, the DHCP client sends a unicast
DHCP Request message to the DHCP server to request lease renewal. If the DHCP client
receives a DHCP ACK message, the IP address lease is successfully renewed (counted
from 0). If the DHCP client receives a DHCP NAK message, the DHCP client must send
a DHCP Discover message to apply for a new IP address.
2. If no response is received from the DHCP server when the lease reaches 87.5% (T2) of
its validity period, the DHCP client sends a broadcast DHCP Request message to request
lease renewal. The DHCP relay agent then sends a unicast DHCP Request message to
the DHCP server. For details about how the DHCP relay agent processes received
messages, see 3.2.2 How a DHCP Server Allocates Network Parameters to New
DHCP Clients. If the DHCP client receives a DHCP ACK message, the IP address lease
is successfully renewed (counted from 0). If the DHCP client receives a DHCP NAK
message, the DHCP client must send a DHCP Discover message to apply for a new IP
address.


3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP Discover message to apply for a new IP address.
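
The renewal timeline in the two procedures above can be followed step by step in code. The following Python state machine is an added illustration, not code from this guide or from the device; the class, state, and method names are assumptions, and the scenario in simulate() is constructed.

```python
from dataclasses import dataclass, field

T1_FRACTION = 0.5      # renewal point given in the guide: 50% of the lease
T2_FRACTION = 0.875    # second renewal point given in the guide: 87.5% of the lease


@dataclass
class LeaseClient:
    """Hypothetical DHCP client lease tracker (illustration only)."""
    lease_seconds: int
    start: float = 0.0                          # time at which the current lease began
    state: str = "BOUND"
    sent: list = field(default_factory=list)    # (time, message, delivery)

    def tick(self, now):
        """Advance the clock and emit the message the procedure calls for."""
        if self.state == "INIT":
            return self.state
        elapsed = now - self.start
        if elapsed >= self.lease_seconds:
            # Step 3: lease expired without an answer, stop using the address.
            self.state = "INIT"
            self.sent.append((now, "DHCP Discover", "broadcast"))
        elif elapsed >= T2_FRACTION * self.lease_seconds:
            if self.state != "REBINDING":
                # Step 2: no reply by T2, fall back to a broadcast request.
                self.state = "REBINDING"
                self.sent.append((now, "DHCP Request", "broadcast"))
        elif elapsed >= T1_FRACTION * self.lease_seconds:
            if self.state == "BOUND":
                # Step 1: at T1 ask the leasing server directly.
                self.state = "RENEWING"
                self.sent.append((now, "DHCP Request", "unicast"))
        return self.state

    def receive(self, now, message):
        """Handle the server's answer to a renewal request."""
        if self.state not in ("RENEWING", "REBINDING"):
            return self.state                   # no request outstanding: ignore the reply
        if message == "DHCP ACK":
            self.start = now                    # the lease is counted from 0 again
            self.state = "BOUND"
        elif message == "DHCP NAK":
            self.state = "INIT"                 # must apply for a new address
            self.sent.append((now, "DHCP Discover", "broadcast"))
        return self.state


def simulate():
    """Constructed scenario: one-day lease, server silent at T1, ACK just after T2."""
    client = LeaseClient(lease_seconds=86400)
    states = [client.tick(t) for t in (1000, 43200, 60000, 75600)]
    states.append(client.receive(75700, "DHCP ACK"))
    states.append(client.tick(75700 + 43199))   # one second before the new T1
    states.append(client.tick(75700 + 43200))   # new T1, measured from the ACK
    return states, client.sent


if __name__ == "__main__":
    for entry in simulate()[1]:
        print(entry)
```

The last two ticks show that T1 is measured from the moment the ACK arrived, not from the original allocation.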

3.3 Specifications
This section provides DHCP specifications.
Table 3-1 lists DHCP specifications.

Table 3-1 DHCP specifications


| Function | Description | Specifications |
| --- | --- | --- |
| DHCP server | Maximum number of IP addresses that can be allocated by the device | AR510: 256; others: 512 |
| DHCP server | Maximum number of IP address pools that can be configured on the device | AR510: 16, others: 64. The global address pool and interface address pool are included and not independently restricted. |
| DHCP server | Maximum number of egress gateway addresses that can be configured in the global address pool view | 8 |
| DHCP server | Maximum number of DNS server or NetBIOS server IP addresses configured in an address pool | 8 |
| DHCP server | Maximum number of fixed IP addresses that can be allocated to specified clients | AR510: 256; others: 512 |
| DHCP relay | Maximum number of DHCP server groups that can be configured on the device | AR510: 8, others: 64 |
| DHCP relay | Maximum number of DHCP servers in a DHCP server group | 8 |
| DHCP relay | Maximum number of DHCP server groups that can be applied to an interface | 1 |
| DHCP relay | Maximum number of DHCP server addresses that can be configured on an interface | 8 |
| DHCP client | Maximum number of IP addresses that a DHCP client can apply for | AR510: 16, others: 32 |

3.4 Application
This section describes the application scenarios of DHCP.

3.4.1 DHCP Server Application

For unified management and control on network hosts, a DHCP server can be deployed on a
network to allocate network parameters including IP addresses to the hosts, as shown in
Figure 3-7.

Figure 3-7 Network on which a device functions as a DHCP server
[Figure: network diagram. Labels: Internet, Router (DHCP Server), LSW, DHCP Client.]

A DHCP server is commonly used in the following scenarios:


• Hosts in small-scale locations, for example, cafes, cyber bars, and private companies,
  connect to the Internet through an egress gateway. To allocate network parameters
  including IP addresses to the hosts, the egress gateway can be configured as a DHCP
  server, facilitating host management and control.
• Departments on a campus network are assigned different network segments. To allow
  hosts on each network segment to dynamically obtain network parameters including IP
  addresses, a DHCP server can be configured. If the DHCP server is not located on the
  same network segment as the clients, a DHCP relay agent must be deployed between
  them.


3.4.2 DHCP Relay Agent Application


On a medium- or large-scale network, hosts are configured on different network segments to
differentiate services. A DHCP relay agent and a DHCP server can be deployed to
dynamically allocate network parameters including IP addresses to the hosts. This conserves
server resources and facilitates unified host management.
The following describes two common usage scenarios of DHCP relay agents depending on
the locations of a DHCP server:
• A DHCP server and DHCP relay agents are located on the local network.
• A DHCP relay agent connects to a DHCP server across the Internet.

A DHCP Server and DHCP Relay Agents Are Located on the Local Network
As shown in Figure 3-8, an enterprise has departments A and B. The egress gateway
functions as a DHCP server. Hosts in the departments are not on the same network segment as
the DHCP server. The enterprise requires that one DHCP server dynamically allocates the IP
addresses and DNS server address to the hosts. (The DNS server is used to resolve domain
names to IP addresses.) To meet this requirement, deploy DHCP relay agents between the
DHCP server and hosts.

Figure 3-8 Local network on which the DHCP server and DHCP relay agents are located
[Figure: network diagram. Labels: Department A (192.168.100.0/24), Department B (192.168.101.0/24), DHCP Client, RouterA, RouterB, RouterC, DHCP Relay Agent, DHCP Snooping, DHCP Server, DNS Server, Internet.]

In normal cases, a host gateway functions as a DHCP relay agent, and an enterprise egress
gateway functions as a DHCP server. A DHCP server can also be independently deployed.
DHCP Discover messages are broadcast to a network segment, bringing risks of DHCP
attacks, such as bogus DHCP server attacks and DoS attacks. To defend against DHCP attacks
and improve security, configure DHCP snooping on a user-side device (RouterB) between the
DHCP server and clients. DHCP snooping ensures that hosts can obtain IP addresses from the
authorized DHCP server. In addition, the device enabled with DHCP snooping records the
mapping between IP addresses and MAC addresses.


For detailed configuration of DHCP snooping, see DHCP Snooping Configuration in Huawei
AR Series Configuration Guide - Security.
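
The two DHCP snooping behaviours named above (accepting server replies only from the authorized DHCP server, and recording the mapping between IP addresses and MAC addresses) are sketched below. This is added illustration code in Python, not Huawei's implementation; the trusted-port model, the Release ownership check, the port names, and the event tuples are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# DHCP message type values (option 53, RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_ONLY = {OFFER, ACK, NAK}      # messages that only a DHCP server originates


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str        # port on which the client's own request was seen
    expires: int     # absolute time in seconds


class SnoopingFilter:
    """Hypothetical snooping logic for a user-side device (illustration only)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the authorized server
        self.pending = {}                   # client MAC -> port of its DHCP Request
        self.bindings = {}                  # client MAC -> Binding
        self.alerts = []

    def handle(self, now, port, msg_type, chaddr, yiaddr="0.0.0.0", lease=0):
        """Return 'forward' or 'drop' for one already-parsed DHCP message."""
        if msg_type in SERVER_ONLY:
            if port not in self.trusted:
                # A reply from a user-facing port means a bogus DHCP server.
                self.alerts.append((now, port, "server reply on untrusted port"))
                return "drop"
            if msg_type == ACK and chaddr in self.pending:
                client_port = self.pending.pop(chaddr)
                self.bindings[chaddr] = Binding(chaddr, yiaddr, client_port, now + lease)
            elif msg_type == NAK:
                self.pending.pop(chaddr, None)
            return "forward"
        if msg_type == REQUEST:
            self.pending[chaddr] = port
        elif msg_type == RELEASE:
            owner = self.bindings.get(chaddr)
            if owner is not None and owner.port != port:
                # Someone else is trying to release this client's address.
                self.alerts.append((now, port, "release from non-owner port"))
                return "drop"
            self.bindings.pop(chaddr, None)
        return "forward"

    def expire(self, now):
        """Remove bindings whose lease has run out."""
        self.bindings = {m: b for m, b in self.bindings.items() if b.expires > now}


def run_sample():
    """Constructed events: one legitimate renewal, one bogus server, one forged release."""
    mac = "00:11:22:33:44:55"
    flt = SnoopingFilter(trusted_ports={"uplink"})
    events = [
        (0, "port1", REQUEST, mac),
        (1, "port7", ACK, mac, "10.66.0.9", 3600),          # bogus server on a user port
        (1, "uplink", ACK, mac, "192.168.100.10", 86400),   # authorized server
        (5, "port7", RELEASE, mac),                         # forged release
    ]
    verdicts = [flt.handle(*event) for event in events]
    return flt, verdicts


if __name__ == "__main__":
    flt, verdicts = run_sample()
    print(verdicts, flt.bindings, flt.alerts, sep="\n")
```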

A DHCP Relay Agent Connects to a DHCP Server Across the Internet


In Figure 3-9, an enterprise needs to extend branch departments A and B. The branches are
connected to the headquarters across the Internet through a GRE tunnel. RouterA is the
branch egress gateway, and the DHCP server is deployed in the headquarters. The enterprise
requires that the DHCP server in the headquarters dynamically allocates the IP addresses and
DNS server address to the hosts. (The DNS server is used to resolve domain names to IP
addresses.) Configure RouterA as a DHCP relay agent to allow the DHCP server to
dynamically allocate network parameters including IP addresses to the hosts in the branches
through the Internet.

Figure 3-9 DHCP relay agent connected to a DHCP server through the Internet
[Figure: network diagram. Labels: Department A in a Branch (192.168.100.0/24, interface address 192.168.100.1/24), Department B in a Branch (192.168.101.0/24, interface address 192.168.101.1/24), DHCP Client, RouterA, RouterB, RouterC, DHCP Relay Agent, DHCP Snooping, Internet, Headquarters, Egress Gateway, DHCP Server, DNS Server.]

3.4.3 DHCP Client Application


In Figure 3-10, the DHCP client function is configured on the interface connecting the device
to the carrier's network, and the device obtains IP addresses, DNS and NetBIOS service
information from the remote DHCP server. At the same time, the device functions as the
DHCP server to assign the obtained DNS and NetBIOS service information to the
downstream DHCP clients through the import function.


Figure 3-10 Network on which a device functions as a DHCP client
[Figure: network diagram. Labels: DHCP Client (downstream hosts), LSW, Router (DHCP Client and DHCP Server), Internet, Remote DHCP Server.]

3.4.4 Master/Backup DHCP Server Application

In Figure 3-11, to improve network reliability, an enterprise deploys two DHCP servers. One
is the master, and the other is the backup. If the master DHCP server is faulty, the backup
DHCP server dynamically allocates IP addresses to hosts, ensuring uninterrupted services on
the hosts. The details are as follows.

Figure 3-11 Network on which master and backup DHCP servers are deployed
[Figure: network diagram. Labels: DHCP Client, SwitchA, Router_1 (Master DHCP Server), Router_2 (Backup DHCP Server), VRRP.]

The hot standby (HSB) and DHCP functions are deployed on Router_1 and Router_2.
Router_1 functions as the master device, and Router_2 functions as the backup device. In
normal cases, Router_1 dynamically allocates IP addresses to clients, and Router_2 only
backs up data. When Router_1 is faulty, a master/backup VRRP switchover is triggered to
switch Router_2 to the Master state. Router_2 then dynamically allocates IP addresses to
clients. Because Router_2 has backed up the DHCP data, services on the clients are not
interrupted. For example, a client obtains an IP address from Router_1. When Router_1 is faulty,
Router_2 becomes the master device. When the client sends a DHCP Request message to
request the IP address lease renewal, Router_2 determines whether the IP address is still
available based on DHCP data backed up from Router_1. If the IP address is available,
Router_2 replies with a DHCP ACK message to allow the client to renew the lease. If the IP
address has been allocated to another client, Router_2 sends a DHCP NAK message to the
client and the client needs to apply for a new IP address.


When the original master device (Router_1) recovers, service traffic can be switched back to
the master device or retained on the backup device, depending on the configuration.

3.5 Appendix

3.5.1 Introduction to DHCP Messages

DHCP Message Format


Figure 3-12 shows the format of a DHCP message.

Figure 3-12 DHCP message format

0 7 15 23 31
op (1) htype (1) hlen (1) hops (1)
xid (4)
secs (2) flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)

sname (64)

file (128)

options (variable)

In Figure 3-12, the numbers in parentheses indicate the lengths of the fields, in bytes.

Table 3-2 Description of each field in a DHCP message

| Field | Length | Description |
| --- | --- | --- |
| op (op code) | 1 byte | Indicates the message type. The options are as follows: 1: DHCP Discover message; 2: DHCP Offer message |
| htype (hardware type) | 1 byte | Indicates the hardware type. For an Ethernet address, the value of this field is 1. |
| hlen (hardware length) | 1 byte | Indicates the length of a hardware address, in bytes. For an Ethernet address, the value of this field is 6. |
| hops | 1 byte | Indicates the number of DHCP relay agents that a DHCP message passes through. This field is set to 0 by a DHCP client or a server. Its value increases by 1 each time the message passes through a DHCP relay agent. This field limits the number of DHCP relay agents that a DHCP message can pass through. NOTICE: A maximum of 16 DHCP relay agents are allowed between a DHCP server and a DHCP client. That is, the number of hops must be less than or equal to 16. Otherwise, DHCP messages are discarded. |
| xid | 4 bytes | Indicates a random number chosen by a DHCP client to exchange messages with a DHCP server. |
| secs (seconds) | 2 bytes | Indicates the time elapsed since the client obtained or renewed an IP address, in seconds. |
| flags | 2 bytes | Indicates the Flags field. Only the leftmost bit in the Flags field is valid, and other bits are set to 0. The leftmost bit determines whether the DHCP server unicasts or broadcasts a DHCP Offer message. The options are as follows: 0: The DHCP server unicasts a DHCP Offer message; 1: The DHCP server broadcasts a DHCP Offer message. |
| ciaddr (client ip address) | 4 bytes | Indicates the IP address of a client. The IP address can be an existing IP address of a DHCP client or an IP address allocated by a DHCP server to a DHCP client. During initialization, the client has no IP address, and the value of this field is 0.0.0.0. The IP address 0.0.0.0 is only used by a DHCP-enabled device to temporarily communicate with other devices during startup. It is an invalid destination address. |
| yiaddr (your client ip address) | 4 bytes | Indicates the IP address allocated by a server to a client. The DHCP server fills this field into a DHCP Offer message. |
| siaddr (server ip address) | 4 bytes | Indicates the server IP address from which a DHCP client obtains the startup configuration file. |
| giaddr (gateway ip address) | 4 bytes | Indicates the IP address of the first DHCP relay agent. If the DHCP server and client are located on different network segments, the first DHCP relay agent fills this field with its own IP address and forwards the message to the DHCP server. The DHCP server determines on which network segment the client resides based on the Giaddr field, and allocates an IP address on this network segment to the client. The DHCP server also returns a DHCP Offer message to the first DHCP relay agent. The DHCP relay agent then forwards the DHCP Offer message to the client. If the DHCP Discover message passes through multiple DHCP relay agents before reaching the DHCP server, the value of this field is the IP address of the first DHCP relay agent and remains unchanged. However, the value of the Hops field increases by 1 each time the DHCP Discover message passes through a DHCP relay agent. |
| chaddr (client hardware address) | 16 bytes | Indicates the MAC address of a client. This field must be consistent with the hardware type and hardware length fields. When sending a DHCP Discover packet, the client fills its hardware address in this field. For Ethernet, a 6-byte Ethernet MAC address must be filled in this field when hardware type and hardware length fields are set to 1 and 6 respectively. |
| sname (server host name) | 64 bytes | Indicates the name of the server from which a client obtains the configuration. This field is optional and is filled in by a DHCP server. The field must be filled in with a character string that ends with 0. |
| file (file name) | 128 bytes | Indicates the startup configuration file name specified by the DHCP server for a DHCP client. The DHCP server fills this field and then delivers it together with the IP address to the client. This field is optional. The field must be filled in with a character string that ends with 0. |
| options | Variable | Indicates the DHCP Options field, which has a maximum of 312 bytes. This field contains the DHCP message type and configuration parameters allocated by a DHCP server to a client. The configuration parameters include the gateway IP address, DNS server IP address, and IP address lease. For details about the Options field, see 3.5.2 DHCP Options. |

DHCP Message Types


A DHCP server and a DHCP client communicate by exchanging DHCP messages. DHCP
messages are classified into eight types.


Table 3-3 DHCP message types


| Message Name | Description |
| --- | --- |
| DHCP Discover | A DHCP Discover message is broadcast by a DHCP client to locate a DHCP server when the client attempts to connect to a network for the first time. |
| DHCP Offer | A DHCP Offer message is sent by a DHCP server to respond to a DHCP Discover message. A DHCP Offer message carries various configurations. |
| DHCP Request | A DHCP Request message is sent in the following scenarios: (1) After a DHCP client starts, it broadcasts a DHCP Request message to respond to the DHCP Offer message sent by a DHCP server. (2) After a DHCP client restarts, it broadcasts a DHCP Request message to confirm the configuration including the allocated IP address. (3) After a DHCP client obtains an IP address, it unicasts or broadcasts a DHCP Request message to renew the IP address lease. |
| DHCP Ack | A DHCP ACK message is sent by a DHCP server to acknowledge the DHCP Request message from a DHCP client. After receiving a DHCP ACK message, the DHCP client obtains the configuration parameters including the IP address. |
| DHCP Nak | A DHCP NAK message is sent by a DHCP server to reject the DHCP Request message from a DHCP client. For example, if a DHCP server cannot find matching lease records after receiving a DHCP Request message, the DHCP server sends a DHCP NAK message to notify the DHCP client that no IP address is available. |
| DHCP Decline | A DHCP Decline message is sent by a DHCP client to notify the DHCP server that the allocated IP address conflicts with another IP address. The DHCP client then applies to the DHCP server for another IP address. |
| DHCP Release | A DHCP Release message is sent by a DHCP client to release its IP address. After receiving a DHCP Release message, the DHCP server can allocate this IP address to another DHCP client. |
| DHCP Inform | A DHCP Inform message is sent by a DHCP client to obtain other network configuration parameters such as the gateway address and DNS server address after the DHCP client has obtained an IP address. |

3.5.2 DHCP Options

Options Field in a DHCP Message


The Options field in a DHCP message carries control information and parameters that are not
defined in common protocols. When a DHCP client requests an IP address from a DHCP
server configured with the Options field, the DHCP server replies with a message containing
the Options field. Figure 3-13 shows the format of the Options field.


Figure 3-13 Format of the Options field

0 7 15
Type Length Value

The Options field consists of Type, Length, and Value, which are described in the following
table.

Table 3-4 Description of the Options field

| Field | Length | Description |
| --- | --- | --- |
| Type | 1 byte | Indicates the information type. |
| Length | 1 byte | Indicates the length of the subsequent content in the Options field. |
| Value | Varies depending on the Length field | Indicates the message content. |

The value of the Options field ranges from 1 to 255. Table 3-5 lists well-known DHCP
options.

Table 3-5 Well-known DHCP options in DHCP messages

| Option No. | Function |
| --- | --- |
| 1 | Specifies a subnet mask. |
| 3 | Specifies a gateway address. |
| 6 | Specifies the IP address of a DNS server. |
| 12 | Specifies the device name of a DHCP client. |
| 15 | Specifies a domain name. |
| 33 | Specifies a group of classful static routes. After a DHCP client receives DHCP messages with this option, it adds the classful static routes contained in the option to its routing table. In classful routes, masks of destination addresses are natural masks and cannot be used to divide subnets. If Option 121 is configured, ignore this option. |
| 44 | Specifies a NetBIOS name. |
| 46 | Specifies a NetBIOS node type. |
| 50 | Specifies a requested IP address. |
| 51 | Specifies an IP address lease. |
| 52 | Specifies an additional option. |
| 53 | Specifies a DHCP message type. |
| 54 | Specifies a server identifier. |
| 55 | Specifies the parameter request list. A DHCP client uses this option to request specified configuration parameters. The content of this option is the value of the option requested by the DHCP client. |
| 58 | Specifies the lease renewal time (T1), which is 50% of the lease time. |
| 59 | Specifies the lease renewal time (T2), which is 87.5% of the lease time. |
| 60 | Specifies the vendor category, which identifies the DHCP client type and configuration. |
| 61 | Specifies a client identifier. |
| 66 | Specifies a TFTP server name allocated to DHCP clients. |
| 67 | Specifies a startup file name allocated to DHCP clients. |
| 77 | Specifies a user type. |
| 121 | Specifies a group of classless routes. After a DHCP client receives DHCP messages with this option, it adds the classless static routes contained in the option to its routing table. In classless routes, masks of destination addresses can be any value and can be used to divide subnets. |

The objects of this field vary with the functions of the Options field. For example, Option 77
is used on a DHCP client to identify user types of the DHCP client. The DHCP server selects
an address pool to allocate an IP address and configuration parameters to the DHCP client
based on the User Class in the Options field. Option 77 is manually configured only on the
DHCP client but not on the server.
NOTE

A device functioning as a DHCP client can receive static routes delivered from a DHCP server through
Option 121.

For more information about well-known DHCP options, see RFC 2132.

Customized DHCP Options


Some options are not defined in RFC 2132 and can be customized. For example, Option 82 is
described as follows:
Option 82 is the DHCP relay agent information option that records the location of a DHCP
client. A DHCP relay agent or a device with DHCP snooping enabled appends the Option 82
field to a DHCP Discover message sent from a DHCP client and then forwards the DHCP
Discover message to a DHCP server.

The administrator can use the Option 82 field to locate a DHCP client and control the security
and accounting of the DHCP client. A DHCP server that supports the Option 82 field can
determine policies to allocate IP addresses and other parameters according to information in
the Option 82 field. IP addresses can be allocated flexibly.

The Option 82 field contains a maximum of 255 suboptions. If the Option 82 field is defined,
at least one suboption must be defined. Currently, the device supports only two suboptions:
suboption 1 (circuit ID) and suboption 2 (remote ID).

The content of the Option 82 field is not defined uniformly, and vendors fill in the Option 82
field as required.
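
A defensive parser for the fixed header of Figure 3-12, the Type-Length-Value options of Figure 3-13, and the Option 82 suboptions described above, added here as a Python illustration rather than code from this guide or the device. The function names, the circuit ID value, and the sample packet are constructed; the 4-byte magic cookie before the options, the pad and end option codes 0 and 255, and the concatenation of repeated options come from RFC 2131, RFC 2132, and RFC 3396, not from this page.

```python
import ipaddress
import struct

# Fixed header of Figure 3-12: 236 bytes in network byte order.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: precedes the options (not on this page)
MAX_HOPS = 16                        # limit stated in the hops NOTICE


class DHCPParseError(ValueError):
    """Raised for any message that should be discarded instead of processed."""


def parse_tlvs(data, pad=None, end=None):
    """Walk Type/Length/Value items; refuse a Length that overruns the buffer."""
    items, i = {}, 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == pad:          # one-byte pad option, carries no Length
            i += 1
            continue
        if opt_type == end:          # one-byte end option terminates the list
            break
        if i + 1 >= len(data):
            raise DHCPParseError(f"option {opt_type}: Length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise DHCPParseError(f"option {opt_type}: Length {length} overruns buffer")
        # A repeated option is concatenated (RFC 3396) so no fragment is lost.
        items[opt_type] = items.get(opt_type, b"") + value
        i += 2 + length
    return items


def parse_dhcp(packet):
    """Return a dict of validated fields or raise DHCPParseError."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise DHCPParseError("truncated message")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = HEADER.unpack_from(packet)
    if hops > MAX_HOPS:
        raise DHCPParseError("hops above 16, message is discarded")
    if hlen > len(chaddr) or (htype == 1 and hlen != 6):
        raise DHCPParseError("hlen inconsistent with htype or chaddr size")
    body = packet[HEADER.size:]
    if body[:4] != MAGIC_COOKIE:
        raise DHCPParseError("options magic cookie missing")
    options = parse_tlvs(body[4:], pad=0, end=255)
    msg = {
        "op": op, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),          # leftmost bit of Flags
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }
    if 53 in options:                               # DHCP message type
        if len(options[53]) != 1:
            raise DHCPParseError("option 53 must be exactly one byte")
        msg["message_type"] = options[53][0]
    if 82 in options:                               # relay agent information
        sub = parse_tlvs(options[82])
        if not sub:
            raise DHCPParseError("Option 82 present without any suboption")
        msg["circuit_id"], msg["remote_id"] = sub.get(1), sub.get(2)
    return msg


def build_sample(hops=1, relay_info=b"\x01\x04Gi01\x02\x06\x00\x11\x22\x33\x44\x55"):
    """Constructed relayed Discover: giaddr 192.168.100.1 with Option 82 attached."""
    header = HEADER.pack(1, 1, 6, hops, 0x1234ABCD, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4),
                         ipaddress.IPv4Address("192.168.100.1").packed,
                         bytes.fromhex("001122334455"), b"", b"")
    options = (b"\x35\x01\x01"                      # option 53, value 1
               + bytes([82, len(relay_info)]) + relay_info
               + b"\xff")                           # end option
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(parse_dhcp(build_sample()))
```

Every rejection path raises before any field is used, so a caller can treat DHCPParseError as "discard the message".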

3.6 Default Configuration


This section describes the default DHCP configurations.

Table 3-6 Default DHCP configurations

| Function | Parameter | Default Setting |
| --- | --- | --- |
| DHCP server | DHCP function | Disabled |
| DHCP server | Range of IP addresses that are not automatically allocated from the address pool | Not configured |
| DHCP server | Allocating fixed IP addresses to specified clients | Not configured |
| DHCP server | IP address lease | One day |
| DHCP server | Number of times the device detects IP address conflicts before allocating IP addresses | 0, that is, no detection |
| DHCP server | Interval at which DHCP data is stored | 300 seconds |
| DHCP server | Rate limit for DHCP messages | Disabled |
| DHCP relay | DHCP function | Disabled |
| DHCP relay | Rate limit for DHCP messages | Disabled |
| DHCP client | DHCP client function on interfaces | Disabled |


3.7 Configuration Task Summary


Based on the application scenarios in the following table, perform the appropriate DHCP
configuration tasks.

Table 3-7 Configuration task summary


| Scenario | Task |
| --- | --- |
| A device functions as a DHCP server and allocates IP addresses to clients on the local network segment. | Perform the tasks specified in 3.9 Configuring a DHCP Server in the following sequence: 1. 3.9.2 Enabling DHCP; 2. 3.9.3.2 Enabling the DHCP Server Function; 3. 3.9.3 Configuring a DHCP Server to Allocate IP Addresses to Clients |
| A device functions as a DHCP server and allocates IP addresses and other network parameters (including a gateway address, DNS service, NetBIOS Service, and options) to clients on the local network segment. | Perform the tasks specified in 3.9 Configuring a DHCP Server in the following sequence: 1. 3.9.2 Enabling DHCP; 2. 3.9.3.2 Enabling the DHCP Server Function; 3. 3.9.3 Configuring a DHCP Server to Allocate IP Addresses to Clients; 4. Configuring a DHCP Server to Allocate Network Parameters Besides IP Addresses |
| When a DHCP server resides on a different network segment from DHCP clients, a DHCP relay agent is required to help the DHCP server allocate network parameters including IP addresses to DHCP clients. In this scenario, an industrial switch router functions as the DHCP relay agent, and the DHCP server can be a dedicated DHCP server or an industrial switch router. | 3.10 Configuring a DHCP Relay Agent |
| A device functions as a DHCP client and dynamically obtains an IP address from a DHCP server. | 3.11 Configuring a DHCP Client |
| A device functions as a BOOTP client and dynamically obtains an IP address from a DHCP server. | 3.12 Configuring a BOOTP Client |

3.8 Configuration Notes


This section describes points to note when configuring DHCP.

Involved Network Elements


Other network elements are not required.

License Support
DHCP is a basic feature of the device and is not under license control.

Feature Dependencies and Limitations


Wireless interfaces cannot function as DHCP clients or BOOTP clients.
When ACL resources are exhausted, related DHCP commands do not take effect.

3.9 Configuring a DHCP Server


A DHCP server dynamically allocates network parameters including IP addresses to network
hosts.

Pre-configuration Tasks
Before configuring a device as a DHCP server, ensure that routes between DHCP clients and
the device are reachable.

3.9.1 Planning Data

Planning DHCP Servers


A client broadcasts DHCP Discover messages. When multiple DHCP servers (or DHCP
relay agents) are deployed on a network segment, the client accepts only the first received
DHCP Offer message and therefore may obtain an unexpected IP address. Planning DHCP
servers ensures that a client obtains network parameters from an expected DHCP server.


Note the following when planning servers:


• Plan VLANs to ensure that only one DHCP server (or a DHCP relay agent) can receive
  DHCP Discover messages in a VLAN.
• Configure DHCP snooping on client access devices to ensure that the clients can apply to
  the correct DHCP servers for network parameters. For detailed configuration of DHCP
  snooping on the Huawei AR Series IOT Gateway, see DHCP Snooping Configuration in
  Huawei AR Series IOT Gateway Configuration Guide - Security.

Planning IP Addresses
• IP address range that can be automatically allocated
  Plan an IP address range based on the number of concurrent online clients on the
  network. If the number of IP addresses in this range is too small, some clients cannot
  obtain IP addresses. If the number of IP addresses in this range is too large, IP addresses
  are wasted.
• (Optional) IP addresses that cannot be automatically allocated
  Some IP addresses in an address pool are reserved for devices that require static IP
  addresses. For example, in an address pool ranging from 192.168.100.1 to
  192.168.100.254, 192.168.100.2 is reserved for a DNS server. Exclude the IP address
  192.168.100.2 from the address pool so that the DHCP server will not allocate
  192.168.100.2 to other clients.
• IP address allocation
  DHCP supports two mechanisms for IP address allocation. Select the mechanism based
  on network requirements.
  – Dynamic allocation: DHCP allocates an IP address with a limited validity period
    (known as a lease) to a client. This mechanism applies to hosts that temporarily
    connect to a network with fewer IP addresses than the total number of hosts. For
    example, this mechanism can be used to allocate IP addresses to laptops used by
    employees on business trips or mobile terminals in cafes.
  – Static allocation: DHCP allocates fixed IP addresses to specified clients with special
    IP address requirements. For example, the file server of an enterprise needs to use a
    fixed IP address to provide services for extranet users. Compared with manual IP
    address configuration, DHCP static allocation prevents manual configuration errors
    and helps network administrators perform unified maintenance and management.

Planning Other Network Parameters


DHCP servers can allocate other network parameters as well as IP addresses to DHCP clients.
Plan other network parameters based on network requirements. For example, to enable a
client to communicate with other network devices through a domain name and obtain DNS
parameters using DHCP, plan the IP address of the DNS server and domain name of the
client.

Planning Leases
Plan an IP address lease for a client based on the online duration of the client. By default, the
IP address lease is one day.
• In locations where clients often move and stay online for a short period of time, for
  example, in cafes, airports, and hotels, plan a short-term lease to ensure that IP addresses
  are released quickly after the clients go offline.
• In locations where clients seldom move and stay online for a long period of time, for
  example, in office areas of an enterprise, plan a long-term lease to prevent services from
  being affected by frequent lease or address renewals.

3.9.2 Enabling DHCP


Context
Before enabling the DHCP server function, enable DHCP in the system view.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
By default, DHCP is disabled.

NOTE

If STP is enabled on a device functioning as the DHCP server, the speed of allocating IP addresses may be
slower. By default, STP is enabled. To disable STP, run the undo stp enable command.

----End

3.9.3 Configuring a DHCP Server to Allocate IP Addresses to Clients

Context
DHCP servers can allocate IP addresses to DHCP and BOOTP clients.

3.9.3.1 Creating an Address Pool

Context
Address pools allow DHCP servers to allocate network parameters including IP addresses to
clients. You can specify network parameters in an address pool, including an IP address range,
gateway address, and the IP address of a DNS server.
Address pools are classified into interface address pools and global address pools.
l Interface address pool: After an IP address is configured for an interface on a DHCP
server, you can create an address pool on the same network segment as this interface.
Addresses in the address pool can be allocated only to clients connected to the interface.
The interface address pool can allocate IP addresses to clients on the same network
segment as the DHCP server. When no DHCP relay agent is deployed, a DHCP server
allocates IP addresses to clients connected to one interface or allocates IP addresses on
different network segments to clients connected to multiple interfaces.

l Global address pool: On a DHCP server, you can create an address pool on the specified
network segment in the system view. Addresses in the address pool can be allocated to
all clients connected to the DHCP server. The global address pool applies to the
following scenarios:
– The DHCP server and clients are not on the same network segment, and a DHCP
relay agent is deployed.
– The DHCP server and clients are on the same network segment, and the DHCP
server needs to allocate an IP address to a client connected to one interface or
allocate IP addresses to clients connected to multiple interfaces.
NOTE

Configuring interface address pools is recommended for scenarios where a DHCP server and clients reside on
the same network segment.

A DHCP server selects address pools according to the following rules:


l When no DHCP relay agent is deployed, the DHCP server selects the address pool on the
same network segment as the IP address of the interface receiving DHCP Request
messages.
l When DHCP relay agents are deployed, the DHCP server selects the address pool on the
same network segment as the IP address specified in the Giaddr field of received DHCP
Request messages.

Procedure
l Create an interface address pool.
a. Run:
system-view

The system view is displayed.


b. (Optional) Configure a DHCP server to dynamically allocate IP addresses to
BOOTP clients.
i. Run:
dhcp server bootp

The DHCP server is enabled to respond to BOOTP requests.


By default, a DHCP server responds to a BOOTP request.
ii. Run:
dhcp server bootp automatic

The DHCP server is enabled to dynamically allocate IP addresses to BOOTP
clients.
By default, a DHCP server does not dynamically allocate IP addresses to
BOOTP clients.
In addition to dynamically allocating IP addresses to BOOTP clients, the
device functioning as the DHCP server can allocate IP addresses to the
BOOTP clients in static binding mode using the dhcp server static-bind ip-
address ip-address mac-address mac-address command.
c. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

d. Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

The IP address segment of the interface is the interface address pool.


l Create a global address pool.
a. Run:
system-view

The system view is displayed.


b. (Optional) Configure a DHCP server to dynamically allocate IP addresses to
BOOTP clients.
i. Run:
dhcp server bootp

The DHCP server is enabled to respond to BOOTP requests.


By default, a DHCP server responds to a BOOTP request.
ii. Run:
dhcp server bootp automatic

The DHCP server is enabled to dynamically allocate IP addresses to BOOTP
clients.
By default, a DHCP server does not dynamically allocate IP addresses to
BOOTP clients.
In addition to dynamically allocating IP addresses to BOOTP clients, the
device functioning as the DHCP server can allocate IP addresses to the
BOOTP clients in static binding mode using the dhcp server static-bind ip-
address ip-address mac-address mac-address command.
c. Run:
ip pool ip-pool-name

A global address pool is created and the global address pool view is displayed.

By default, no global address pool is created on the device.

The parameter ip-pool-name uniquely specifies the name of an address pool. For
example, create a global address pool named global_f1 for employees on the first
floor.
[Huawei] ip pool global_f1

d. Run:
network ip-address [ mask { mask | mask-length } ]

The range of IP addresses that can be dynamically allocated from the global address
pool is specified.

By default, the range of IP addresses that can be allocated dynamically to clients is
not specified.

An address pool can be configured with only one IP address segment. The IP
address range is determined by the mask length.

NOTE

When specifying the IP address range, ensure that IP addresses within the range are on the same
network segment as the interface IP address of the DHCP server or DHCP relay agent to avoid
incorrect IP address allocation.
e. (Optional) Run:
vpn-instance vpn-instance-name

A VPN instance is configured for the address pool.


By default, no VPN instance is configured for an address pool.
In most cases, an address pool allocates IP addresses to clients on only one network
segment to prevent IP address conflicts. In a BGP/MPLS IP VPN scenario, different
VPNs use IP addresses on the same network segment. If clients in different VPNs
apply to the same DHCP server for IP addresses, perform this step to use the same
address pool to allocate IP addresses on the same network segment to the clients.
Only the S5720HI and S5720EI support this step. Only the S5320EI supports this
step. Only the S5720HI, S5720EI, S5720SI, S5720S-SI and S6720EI support this
step. Only the S5320EI, S5320SI and S6320EI support this step.
----End

3.9.3.2 Enabling the DHCP Server Function

Context
After the DHCP server function is enabled on an interface, the DHCP function can allocate
network parameters including IP addresses to clients.

Procedure
l Enabling the DHCP server function based on an interface address pool:
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp select interface

The interface is enabled to use the interface address pool to provide the DHCP
server function.
By default, an interface does not use the interface address pool to provide the
DHCP server function.
An interface address pool is actually the network segment where the interface IP
address resides, and such an interface address pool applies only to this interface.
If the device functioning as the DHCP server provides the DHCP service for clients
connected to multiple interfaces, repeat this step to enable the DHCP server
function on all the interfaces.

l Enabling the DHCP server function based on a global address pool


a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
ip address ip-address { mask | mask-length } [ sub ]

The primary and secondary interface IP addresses are configured.

When a client on the interface applies for an IP address after the interface IP
addresses are configured:

n If the device and client are located in the same network segment (that is, no
relay exists), the device first selects the address pool in the same network
segment as the primary interface IP address to assign an IP address. If this
address pool is used up or no mapping address pool is configured for the
primary IP address, the device uses the address pool mapping the secondary IP
address. If the interface is not configured with an IP address or no address pool
is in the same network segment as the interface address, the client cannot
obtain an IP address.
NOTE

The device can select the global address pool based on the primary and secondary interface
IP addresses only when the DHCP client and server are located in the same network
segment.
n If the device and client are located in different network segments (that is, a
relay exists), the DHCP server parses the IP address specified by the giaddr
field in the received DHCP request packet and selects the address pool in the
same network segment as this IP address to assign an IP address to the client.
If no address pool matches the parsed IP address, the client cannot obtain an IP
address.
d. Run:
dhcp select global

The interface is enabled to use the global address pool to provide the DHCP server
function.

By default, an interface does not use the global address pool to provide the DHCP
server function.

Clients connected to the interface can obtain network parameters including IP
addresses from the global address pool.

NOTE

This step is optional if a DHCP relay agent exists between the device and clients; this step is
mandatory if no relay agent exists.

----End
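
The pool selection rules in this section (primary and secondary interface addresses when no relay exists, the giaddr field when a relay exists) can be checked against a planned addressing scheme with a small model. The following Python code is an added example, not Huawei code; the Pool type, the select_pool function, and all pool names and addresses are constructed for illustration.

```python
"""Model of the global address pool selection rules described in this section.

Added illustration, not Huawei code: Pool, select_pool and all addresses and
pool names below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional, Sequence


@dataclass
class Pool:
    name: str
    network: IPv4Network
    free: int  # addresses still available for dynamic allocation


def pool_for(addr: IPv4Address, pools: Sequence[Pool]) -> Optional[Pool]:
    """Return the pool whose network segment contains addr, or None."""
    return next((p for p in pools if addr in p.network), None)


def select_pool(pools: Sequence[Pool],
                interface_ips: Sequence[IPv4Interface],
                giaddr: Optional[IPv4Address] = None) -> Optional[str]:
    """Return the name of the pool that serves a request, or None.

    interface_ips lists the receiving interface's primary address first,
    followed by its secondary ("sub") addresses. giaddr is the relay agent
    address carried in the request; None or 0.0.0.0 means no relay exists.
    """
    if giaddr is not None and giaddr != IPv4Address("0.0.0.0"):
        # Relayed request: only the segment of the giaddr field is considered.
        pool = pool_for(giaddr, pools)
        return pool.name if pool else None

    # Direct request: try the primary address first, then fall back to the
    # secondary addresses when the primary has no pool or its pool is used up.
    for iface in interface_ips:
        pool = pool_for(iface.ip, pools)
        if pool is not None and pool.free > 0:
            return pool.name
    return None  # no interface address, or no usable pool on its segments


def demo() -> dict:
    """Run the rules over a constructed set of pools and requests."""
    pools = [
        Pool("global_f1", IPv4Network("192.168.1.0/24"), free=0),   # used up
        Pool("global_f2", IPv4Network("192.168.2.0/24"), free=50),
        Pool("branch", IPv4Network("10.10.0.0/16"), free=10),
    ]
    iface = [IPv4Interface("192.168.1.1/24"),   # primary
             IPv4Interface("192.168.2.1/24")]   # secondary (sub)
    return {
        "direct, primary pool used up": select_pool(pools, iface),
        "relayed, giaddr matches": select_pool(pools, iface, IPv4Address("10.10.3.1")),
        "relayed, giaddr unmatched": select_pool(pools, iface, IPv4Address("172.16.0.1")),
        "direct, interface has no IP": select_pool(pools, []),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case}: {chosen}")
```

A result of None corresponds to the cases in which the guide states that the client cannot obtain an IP address.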

Follow-up Procedure
A DHCP client sends a DHCP Discover message in broadcast mode. When multiple DHCP
servers including bogus DHCP servers exist on a network segment, the DHCP client accepts
only the first received DHCP Offer message and therefore may obtain an unexpected IP
address from a bogus DHCP server. To ensure that a client obtains an IP address from the
correct DHCP server, configure DHCP snooping on the client. For detailed configuration of
DHCP snooping, see DHCP Snooping Configuration in Huawei AR Series IOT Gateway
Configuration Guide - Security.

3.9.3.3 (Optional) Configuring the Range of IP Addresses That Cannot Be Automatically Allocated to Clients from an Address Pool

Context
Some servers and clients may use specific IP addresses in an address pool. The DHCP
server must therefore not automatically allocate these IP addresses to other clients. For example, in an
enterprise, a DHCP server allocates IP addresses on the network segment 192.168.1.0/24 to
employee PCs. On this network segment, 192.168.1.1 is used as the gateway IP address, and
192.168.1.10 is used as the DNS server IP address. The DNS server IP address is manually
configured to ensure stability, and other hosts obtain IP addresses using DHCP. Therefore,
192.168.1.10 must be excluded from the range of IP addresses that can be automatically
allocated.

NOTE

A DHCP server automatically excludes a gateway address configured using the gateway-list command and
the IP addresses of interfaces that connect a DHCP server to clients. The DHCP server automatically adds
these addresses to the list of IP addresses that cannot be automatically allocated.

Procedure
l Exclude IP addresses from an interface address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp server excluded-ip-address start-ip-address [ end-ip-address ]

The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
To set multiple IP address ranges that cannot be automatically allocated from the
address pool, run this command multiple times.
For example, to exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated, run:
[Huawei-GigabitEthernet0/0/1] dhcp server excluded-ip-address 192.168.1.10

l Exclude IP addresses from a global address pool.


a. Run:
system-view

The system view is displayed.


b. Run:
ip pool ip-pool-name

The global address pool view is displayed.


c. Run:
excluded-ip-address start-ip-address [ end-ip-address ]

The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
To set multiple IP address ranges that cannot be automatically allocated from the
address pool, run this command multiple times.
For example, to exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated, run:
[Huawei-ip-pool-global_f1] excluded-ip-address 192.168.1.10

----End

3.9.3.4 (Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to Specified Clients

Context
A DHCP server leases IP addresses to clients. When the lease expires, the clients must apply
for new IP addresses. To ensure stability, certain clients require fixed IP addresses. In this
case, configure the DHCP server to allocate fixed IP addresses to these clients. The MAC
addresses of these clients are then bound to fixed IP addresses. When such a client applies to
the DHCP server for an IP address, the DHCP server searches the binding entries for the
MAC address of the client and allocates the matched IP address to the client. DHCP static
allocation prevents manual configuration errors and facilitates unified management.
Before performing this configuration task, ensure that the IP addresses for static allocation
have not been allocated. (To check related information, run the display ip pool { interface
interface-pool-name | name ip-pool-name } used command.) If such an IP address has been
allocated, use another IP address or release the allocated address using the reset ip pool
{ interface pool-name | name ip-pool-name } start-ip-address [ end-ip-address ] command
and perform the binding again.
DHCP static allocation, IPSG, and static ARP all involve the binding of IP
addresses and MAC addresses. For their usage scenarios and implementations, see
Table 3-8.

Table 3-8 Differences between DHCP static allocation, IPSG, and static ARP

Function: DHCP static allocation
Scenario: Some clients (such as servers and PCs) require fixed IP addresses from a DHCP server.
Implementation: The MAC addresses of these clients are bound to fixed IP addresses. When such a
client applies to the DHCP server for an IP address, the DHCP server searches the binding
entries for the MAC address of the client and allocates the matched IP address to the client.

Function: IPSG
Scenario: Attacks including IP address spoofing and ARP spoofing need to be prevented:
l IP address spoofing: An attacker uses a forged IP address and its own MAC address to obtain
rights of the attacked device and intercept packets destined for the attacked device.
l ARP spoofing: An attacker sends ARP packets using a forged MAC address to intercept packets
destined for the attacked device or using the MAC address of the gateway to intercept all
packets destined for the gateway.
Implementation: The mapping between IP addresses and MAC addresses is set up on a device. When
receiving an ARP Request packet, the device searches for the mapped MAC address based on the
source IP address of the packet and compares the mapped MAC address with the source MAC
address in the packet header. If the two MAC addresses are different from each other, the
device considers the packet invalid and discards it.

Function: Static ARP
Scenario: The mapping between IP addresses and MAC addresses is manually configured in the
following scenarios:
l Packets whose destination IP addresses are not on the local network segment need to be
forwarded by a gateway on the local network segment.
l Destination IP addresses of invalid packets need to be bound to a nonexistent MAC address to
filter them out.
l Critical devices need to forward packets securely and be protected against attacks, such as
ARP flooding. In this situation, static ARP entries can be configured to bind MAC addresses
to specific IP addresses. Network attackers cannot modify the mapping between the IP and MAC
addresses, which ensures communication between the two devices.
Implementation: The mapping between IP addresses and MAC addresses is set up on a device. When
receiving an ARP Request packet, the device searches for the MAC address mapped to the IP
address in the packet and responds with an ARP Reply packet.
Static ARP entries are manually configured and maintained. These entries are neither aged nor
overwritten by dynamic ARP entries, and therefore improve communication security.

Procedure
l Configure a DHCP server to allocate fixed IP addresses from an interface address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

The DHCP server is configured to allocate fixed IP addresses to specified clients.


By default, a DHCP server does not allocate fixed IP addresses to specified clients.
The fixed IP addresses to be allocated must be within the range of IP addresses that
can be dynamically allocated from the interface address pool.
l Configure a DHCP server to allocate fixed IP addresses from a global address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
ip pool ip-pool-name

The global address pool view is displayed.


c. Run:
static-bind ip-address ip-address mac-address mac-address

The DHCP server is configured to allocate fixed IP addresses to specified clients.


By default, a DHCP server does not allocate fixed IP addresses to specified clients.
The fixed IP addresses to be allocated must be within the range of IP addresses that
can be dynamically allocated from the global address pool.
----End

3.9.3.5 (Optional) Configuring an Address Lease Time

Context
NOTE

This task does not take effect for BOOTP clients.

In addition to allocating fixed IP addresses to specified clients, a DHCP server can
dynamically allocate IP addresses with leases to clients in scenarios where hosts temporarily
access the network and the number of idle IP addresses is less than the total number of hosts.
The lease time varies depending on network access requirements. By default, the IP address
lease is one day.
l In locations where clients often move, for example, in cafes, airports, and hotels, plan a
short-term lease to ensure that IP addresses are released quickly after the clients go
offline.
l In locations where clients seldom move, for example, in office areas of an enterprise,
plan a long-term lease to prevent services from being affected by frequent address
renewals.
Different address pools on a DHCP server can be configured with different IP address leases,
but the IP addresses in the same address pool must be configured with the same lease.

Procedure
l Configure a lease time based on an interface address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp server lease { day day [ hour hour [ minute minute ] ] | unlimited }

An IP address lease is set.


By default, the IP address lease is one day.
l Configure a lease time based on a global address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
ip pool ip-pool-name

The global address pool view is displayed.


c. Run:
lease { day day [ hour hour [ minute minute ] ] | unlimited }

An IP address lease is set.


By default, the IP address lease is one day.
----End

3.9.3.6 (Optional) Configuring the Logging Function During IP Address Allocation

Context
When the DHCP server allocates IP addresses to clients, it records address allocation
information to facilitate routine maintenance and fault location. After the logging function
during IP address allocation of the DHCP server is configured, the DHCP server records logs
about address allocation, conflict, lease renewal, and release.

NOTE

If a large number of DHCP clients request IP addresses after the logging function during IP address
allocation of the DHCP server is configured, the server records logs frequently, which may affect device
performance.

Procedure
l Based on interfaces:
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

c. Run:
dhcp server logging

The logging function during IP address allocation of the DHCP server is enabled.

By default, the logging function during IP address allocation of the DHCP server is
disabled.
l Based on the global mode:
a. Run:
system-view

The system view is displayed.


b. Run:
ip pool ip-pool-name

The global address pool is created and the global address pool view is displayed.

By default, no global address pool is created on the device.


c. Run:
logging

The logging function during IP address allocation of the DHCP server is enabled.

By default, the logging function during IP address allocation of the DHCP server is
disabled.

----End

Checking the Configuration


Run the display ip pool command to view the status of the logging function during IP address
allocation of the DHCP server.

Follow-up Procedure
Configure the information center to display the IP address allocation logs recorded by the
DHCP server on user terminals or log hosts or generate them in log files. For details on how
to configure the information center, see Configuring Log Output in Huawei AR Series IOT
Gateway Configuration Guide - Device Management - Information Center Configuration.

3.9.3.7 (Optional) Configuring IP Address Conflict Detection Before a DHCP Server Allocates IP Addresses

Context
A DHCP server configured with IP address conflict detection checks whether an IP address to
be allocated to a client conflicts with other IP addresses.

After IP address conflict detection is configured, a DHCP server sends an ICMP Echo
Request packet before it sends a DHCP Offer message. The packet contains the source and
destination IP addresses, which are both a specified IP address. If the DHCP server does not
receive an ICMP Echo Reply packet after the maximum waiting period (specified using the
dhcp server ping timeout milliseconds command), the DHCP server continues to send the
ICMP Echo Request packet until the maximum number of detection times (specified using the
dhcp server ping packet number command) has been reached.
l If the DHCP server receives no ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is not used by
any client, and the DHCP server allocates the IP address to the client by sending a DHCP
Offer message to the client.
l If the DHCP server receives an ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is being used by
a client, and the DHCP server lists this IP address as a conflicting IP address and waits
for the next DHCP Discover message.

This configuration task takes effect for both the interface and global address pools.

NOTE

If the detection period is too long, clients may fail to obtain IP addresses. Set the detection period to less than
8 seconds.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server ping packet number

The number of times that the device detects IP address conflicts before allocating IP addresses
is set.

By default, the device does not detect IP address conflicts before allocating IP addresses.

Step 3 Run:
dhcp server ping timeout milliseconds

The maximum wait time for each conflict detection is set.

By default, the maximum wait time for each conflict detection is 500 milliseconds.

----End
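
Two rules in this section are easy to violate and hard to notice on a live device: a fixed IP address bound with static-bind must lie inside the pool's network segment (3.9.3.4), and the conflict detection period (number of detection times x maximum waiting period) should stay below 8 seconds (3.9.3.7). The following Python audit is an added example, not Huawei code; the configuration text is constructed, and the parser handles only the command forms shown on this page. It also flags interfaces that run dhcp select global without a pool on their own network segment.

```python
"""Offline audit of a DHCP server configuration against rules stated in this guide.

Added illustration, not Huawei code. SAMPLE_CONFIG is constructed, and the
parser understands only the command forms shown on this page.
"""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

SAMPLE_CONFIG = """\
dhcp enable
dhcp server ping packet 10
dhcp server ping timeout 1000
ip pool global_f1
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.10
 static-bind ip-address 192.168.1.20 mac-address 00e0-fc12-3456
 static-bind ip-address 192.168.2.20 mac-address 00e0-fc12-3457
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 dhcp select global
interface GigabitEthernet0/0/2
 ip address 172.16.0.1 24
 dhcp select global
"""

MAX_DETECTION_MS = 8000   # guide: keep the detection period under 8 seconds
DEFAULT_TIMEOUT_MS = 500  # guide: default wait per conflict detection


def parse(config):
    """Collect ping settings, global pools and interfaces from the config text."""
    state = {"packets": 0, "timeout": DEFAULT_TIMEOUT_MS, "pools": {}, "ifaces": {}}
    kind, view = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # unindented line: system-view command
            kind, view = None, None
            if m := re.fullmatch(r"dhcp server ping packet (\d+)", line):
                state["packets"] = int(m[1])
            elif m := re.fullmatch(r"dhcp server ping timeout (\d+)", line):
                state["timeout"] = int(m[1])
            elif m := re.fullmatch(r"ip pool (\S+)", line):
                kind = "pool"
                view = state["pools"].setdefault(m[1], {"network": None, "binds": []})
            elif m := re.fullmatch(r"interface (\S+)", line):
                kind = "iface"
                view = state["ifaces"].setdefault(m[1], {"ips": [], "global": False})
        elif kind == "pool":
            if m := re.fullmatch(r"network (\S+) mask (\S+)", line):
                view["network"] = IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.fullmatch(r"static-bind ip-address (\S+) mac-address (\S+)", line):
                view["binds"].append((IPv4Address(m[1]), m[2]))
        elif kind == "iface":
            if m := re.fullmatch(r"ip address (\S+) (\S+)(?: sub)?", line):
                view["ips"].append(IPv4Interface(f"{m[1]}/{m[2]}"))
            elif line == "dhcp select global":
                view["global"] = True
    return state


def audit(config):
    """Return a list of findings; an empty list means no rule was violated."""
    st = parse(config)
    findings = []

    # Detection period = number of detection times x maximum waiting period.
    period = st["packets"] * st["timeout"]
    if period >= MAX_DETECTION_MS:
        findings.append(f"conflict detection period {period} ms is not below "
                        f"{MAX_DETECTION_MS} ms; clients may fail to obtain addresses")

    # A fixed address must be inside the pool's network segment.
    for name, pool in st["pools"].items():
        for ip, mac in pool["binds"]:
            if pool["network"] is None or ip not in pool["network"]:
                findings.append(f"pool {name}: static-bind {ip} ({mac}) is outside "
                                f"{pool['network']}")

    # Without a relay, an interface needs a pool on one of its own segments.
    nets = [p["network"] for p in st["pools"].values() if p["network"]]
    for name, iface in st["ifaces"].items():
        if iface["global"] and not any(i.ip in n for i in iface["ips"] for n in nets):
            findings.append(f"interface {name}: dhcp select global but no pool on its "
                            f"segment; directly connected clients get no address")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```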

3.9.3.8 (Optional) Configuring a DHCP Server to Automatically Save IP Address Allocation Information

Context
If a DHCP server is restarted upon an upgrade or is faulty, IP address allocation information
on the DHCP server is lost. After the restart, the DHCP server must re-allocate IP addresses.
To prevent data loss and to support data recovery upon a restart, configure a DHCP server to
automatically save IP address allocation information, including address leases and conflicting
IP addresses, in files. When the DHCP server restarts, it can recover the data from the files.

This configuration task takes effect for both the interface and global address pools.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp server database enable

The DHCP server is enabled to automatically save IP address allocation information.

By default, a DHCP server does not periodically save IP address allocation information.

After this function is enabled, the DHCP server generates lease.txt and conflict.txt files in the
DHCP folder in storage. The lease.txt file stores lease information, and the conflict.txt file
stores conflicting IP addresses. To view information about the DHCP database, run the
display dhcp server database command.

Step 3 Run:
dhcp server database write-delay interval

The interval at which the DHCP server saves IP address allocation information is set.

By default, IP address allocation information is saved every 300 seconds in data files. The
new data files overwrite the earlier data files.

Step 4 Run:
dhcp server database recover

The DHCP server is enabled to recover IP address allocation information.

After this command is run, the DHCP server can recover IP address allocation information
from the data files in storage.

----End

3.9.3.9 (Optional) Associating an IP Address Pool with NQA

Context
As shown in Figure 3-14 and Figure 3-15, the router functions as the backup DHCP server.
You can associate the IP address pool on the router with NQA test instances to check the
DHCP server status (including the link and DHCP server function). This can improve network
reliability. When the DHCP server is working properly, the IP address pool on the router is
locked, and PC1 and PC2 obtain IP addresses through the DHCP server. When NQA detects
that the DHCP server is faulty, the IP address pool on the router is unlocked and assigns an IP
address to PC3 that is newly online. When NQA detects that the DHCP server fault is
rectified, the IP address pool on the router is locked again, and PC4 that is newly online
obtains an IP address through the DHCP server.

This function is configured only for a global address pool.

NOTE

When the DHCP server is faulty, PC3 obtains an IP address from the router; when the DHCP server is
recovered, the DHCP function is switched back to the DHCP server. At this time, if the IP address lease of
PC3 has expired, the lease renewal will fail. After PC3 goes offline temporarily, it re-obtains an IP address
from the DHCP server. In addition, the two IP addresses obtained by PC3 are different because the IP address
pools on the DHCP server and router have different address ranges.

Figure 3-14 Associating the IP address pool with NQA (router and client located in the same
network segment)
[Figure: three panels titled "Working DHCP server", "Faulty DHCP server", and "Recovered DHCP
server". Each panel shows the DHCP server, the Internet, the router, an L2 LSW, and the PCs.
The router is labelled "DHCP relay, Backup DHCP server" in the first and third panels and
"DHCP server (from backup to master)" in the second panel. PCs shown: PC1 and PC2; PC1 to PC3;
PC1 to PC4.]

Figure 3-15 Associating the IP address pool with NQA (router and client located in different
network segments)
[Figure: three panels titled "Working DHCP server", "Faulty DHCP server", and "Working DHCP
server". Each panel shows the Internet, the router, an L3 LSW labelled "DHCP relay", the DHCP
server, and the PCs. The router is labelled "Backup DHCP server" in the first and third panels
and "DHCP server (from backup to master)" in the second panel. PCs shown: PC1 and PC2; PC1 to
PC3; PC1 to PC4.]

Procedure
Step 1 Configure and start NQA test instances.
An IP address pool can be associated with NQA test instances of the DHCP and ICMP types.
NQA test instances of the DHCP type are used to test whether the DHCP server function is
normal; those of the ICMP type are used to test whether routes to the DHCP server are
reachable. When the device uses NQA test instances of the ICMP type, it cannot detect the
status of the DHCP server function. Therefore, the device cannot detect the situation in which
the route is reachable but the DHCP server function is unavailable, and users cannot go
online.
l Configuring and starting an NQA test instance of the DHCP type
a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dhcp

The NQA test instance type is set to DHCP.


By default, no test type is configured for an NQA test instance.
d. Run:
source-interface interface-type interface-number

The source interface is specified to send DHCP packets.


By default, no source interface is configured for an NQA test instance.
e. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start

The NQA test instance is started.


An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
n Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
n Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
n Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
g. Run:
quit

Exit from the NQA test instance view.


NOTE

Before using the test instance of the DHCP type, ensure that the DHCP server provides the address
pool for the network segment of the source interface (specified by running the source-interface
interface-type interface-number command). You can use the source interface to simulate a DHCP
client to send a DHCP request, and determine the DHCP server status depending on whether an IP
address can be obtained.

● Configuring and starting an NQA test instance of the ICMP type


a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp

The test type is set to ICMP.


By default, no test type is configured for an NQA test instance.
d. Run:
destination-address ipv4 ipv4-address

The destination address is configured.


By default, no test destination address is configured.
e. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start

The NQA test instance is started.


An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
■ Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
■ Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
■ Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
g. Run:
quit

Exit from the NQA test instance view.


NOTE

● To continuously detect the DHCP server status, the NQA test instance must run periodically.
Therefore, run the frequency interval command to set the automatic test interval for the NQA
test instance.
● This section covers only the basic configuration parameters of the DHCP and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DHCP Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.

Step 2 Run:
ip pool ip-pool-name

The global address pool view is displayed.


Step 3 Run:
excluded-ip-address start-ip-address [ end-ip-address ]

The IP addresses that are not automatically allocated in the address pool are configured.
By default, all IP addresses in an address pool can be automatically allocated to clients.
NOTE

The IP addresses assigned by the backup DHCP server cannot overlap with those assigned by the DHCP
server, which prevents repeated assignment of an IP address. Therefore, you need to run the
excluded-ip-address start-ip-address [ end-ip-address ] command to exclude the IP addresses that
overlap with those of the remote DHCP service.

Step 4 Run:
lock track nqa admin-name test-name

The IP address pool is associated with the NQA test instance. The device determines whether
to lock the address pool according to the test result of the NQA test instance.
By default, no IP address pool is locked.
NOTE

When the NQA test instance type is neither DHCP nor ICMP, the association between the IP address
pool and NQA does not take effect. In this case, the IP address pool is locked.

----End
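
A configuration check for the procedure above, added here as an example and not Huawei's own tooling: it reads configuration text and reports address pools whose lock track nqa association points at a test instance that is undefined, is neither DHCP nor ICMP, lacks its source interface or destination address, or has no frequency. The sample configuration, its names and addresses, the assumed layout (view lines in column 0, their commands indented) and the finding labels are constructed for illustration.

```python
import re

# Constructed sample, not taken from a real device. Layout assumption: a view
# line starts in column 0 and the commands entered in that view are indented.
SAMPLE_CONFIG = """\
#
nqa test-instance admin dhcp-probe
 test-type dhcp
 source-interface GigabitEthernet0/0/1
 frequency 20
 start now
#
nqa test-instance admin icmp-once
 test-type icmp
 destination-address ipv4 10.1.1.1
 start now
#
nqa test-instance admin tcp-probe
 test-type tcp
 destination-address ipv4 10.1.1.1
 frequency 20
 start now
#
ip pool backup-a
 excluded-ip-address 10.1.2.2 10.1.2.100
 lock track nqa admin dhcp-probe
#
ip pool backup-b
 lock track nqa admin icmp-once
#
ip pool backup-c
 lock track nqa admin tcp-probe
#
ip pool backup-d
 lock track nqa admin absent
#
"""

NQA_VIEW = re.compile(r"^nqa test-instance (\S+) (\S+)$")
POOL_VIEW = re.compile(r"^ip pool (\S+)$")
LOCK_CMD = re.compile(r"^lock track nqa (\S+) (\S+)$")
# Parameter each supported test type needs, and the finding if it is absent.
REQUIRED = {"dhcp": ("source-interface", "dhcp-no-source-interface"),
            "icmp": ("destination-address", "icmp-no-destination")}


def parse_views(text):
    """Group indented commands under the unindented view line above them."""
    views, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif raw[0] not in " \t":
            current = (line, [])
            views.append(current)
        elif current is not None:
            current[1].append(line)
    return views


def collect_nqa(views):
    """Map (admin-name, test-name) to {command keyword: arguments}."""
    instances = {}
    for header, commands in views:
        match = NQA_VIEW.match(header)
        if match:
            instances[match.groups()] = {c.split()[0]: c.split()[1:] for c in commands}
    return instances


def lint_lock_tracking(text):
    """Return [(pool-name, finding), ...] for every lock track nqa command."""
    views = parse_views(text)
    nqa, findings = collect_nqa(views), []
    for header, commands in views:
        pool = POOL_VIEW.match(header)
        locks = [LOCK_CMD.match(c) for c in commands] if pool else []
        for lock in filter(None, locks):
            settings = nqa.get(lock.groups())
            if settings is None:  # test instance not defined in this text
                findings.append((pool.group(1), "nqa-missing"))
                continue
            test_type = (settings.get("test-type") or [None])[0]
            if test_type not in REQUIRED:  # association has no effect, pool locked
                findings.append((pool.group(1), "nqa-type-unsupported"))
                continue
            keyword, finding = REQUIRED[test_type]
            if keyword not in settings:
                findings.append((pool.group(1), finding))
            if "frequency" not in settings:  # the test runs only once
                findings.append((pool.group(1), "nqa-runs-once"))
    return findings


if __name__ == "__main__":
    for pool_name, finding in lint_lock_tracking(SAMPLE_CONFIG):
        print(f"ip pool {pool_name}: {finding}")
```

On the sample, backup-a passes, while backup-b, backup-c and backup-d are each reported once.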

3.9.4 (Optional) Configuring a DHCP Server to Allocate Network Parameters Besides IP Addresses
Context
DHCP servers can allocate other network parameters as well as IP addresses to DHCP clients.
These parameters include the IP address of a DNS server, startup configuration file, and
self-defined options.
When network parameters, excluding the IP address, are allocated to dynamic and static
clients, configuration commands are the same if an interface address pool is used, but are
different if a global address pool is used. This is because of the following:
● Network parameters for dynamic clients are configured in the global address pool view.
● Network parameters for static clients are configured in the global address pool and
DHCP Option template views. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the
configuration in the DHCP Option template view takes effect.

3.9.4.1 Configuring a Gateway Address for Clients

Context
When a DHCP client connects to a DHCP server or host outside the local network segment,
data must be forwarded through an egress gateway. You can configure the gateway address for
clients. This configuration is required only when the global address pool is used. When the
interface address pool is used, the gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client.

NOTE

● For a global address pool, if a gateway address is configured on the DHCP server, a DHCP client
obtains the gateway address from the DHCP server and automatically generates a default route to the
gateway address. If you run the option121 command on the DHCP server to allocate classless static
routes to DHCP clients, the DHCP client uses an allocated classless static route and does not
automatically generate a default route to the gateway address.
● For an interface address pool, the egress gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client. The DHCP client obtains the IP address as the
gateway address and automatically generates a default route to the gateway address. If you run the
dhcp server option121 command on the DHCP server to allocate classless static routes to DHCP
clients, the DHCP client uses an allocated classless static route and does not automatically generate a
default route to the gateway address.

Do not configure a gateway address for DHCP clients in the following scenarios:
● When no DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP server to the DHCP client.
● When a DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP relay agent to the client.
In a scenario where Virtual Router Redundancy Protocol (VRRP) and DHCP are deployed, if
the VRRP group functions as the DHCP server, perform this task to configure the group
virtual IP address as the gateway address.
To load balance traffic and improve network reliability, configure multiple egress gateways.
Each address pool can be configured with a maximum of eight gateway addresses.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.

Procedure
● In the global address pool view:
a. Run:
system-view

The system view is displayed.


b. Run:
ip pool ip-pool-name

The global address pool view is displayed.


c. Run:
gateway-list ip-address &<1-8>

A gateway address for DHCP clients is configured.


By default, no egress gateway address is configured.

● In the DHCP Option template view:


a. Run:
system-view

The system view is displayed.


b. Run:
dhcp option template template-name

A DHCP Option template is created and its view is displayed.


By default, no DHCP Option template is created on a device.
To allocate network parameters (except IP addresses) to static clients, configure a
DHCP Option template. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is
configured differently in the global address pool and DHCP Option template views,
the configuration in the DHCP Option template view takes effect.
To allocate IP addresses only to static clients (for details, see 3.9.3.4 (Optional)
Configuring a DHCP Server to Allocate Fixed IP Addresses to Specified
Clients), you do not need to configure a DHCP Option template.
c. Run:
gateway-list ip-address &<1-8>

A gateway address for DHCP clients is configured.


By default, no egress gateway address is configured.
If you need to configure other items in the DHCP Option template view, complete
them first before performing the following steps.
d. (Optional) Run:
quit

Return to the system view.


e. (Optional) Run:
ip pool ip-pool-name

The global address pool view is displayed.


f. (Optional) Run:
static-bind ip-address ip-address mac-address mac-address option-template template-name

A DHCP Option template is bound to static clients.


----End

3.9.4.2 Configuring DNS and the NetBIOS Service on the DHCP Clients

Context
To enable DHCP clients to communicate with devices on other networks through host names,
configure the DNS or NetBIOS service.
DNS, defined by RFC 1034 and provided by TCP/IP, translates host names into IP addresses.
NetBIOS, defined by IBM, is applicable to small LANs with dozens of PCs to provide the
following services:
● Host naming service on a network segment through UDP port 137
● Data services (through UDP port 138), including transmitting data between programs,
notifying browser services, and setting up network neighbors on users' desktop systems
● Session services (through TCP port 139), including file sharing and printing

Clients running on the Microsoft Windows operating system use the NetBIOS protocol for
communication. When such clients are used, the Windows Internet Naming Service (WINS)
server translates host names into IP addresses. NetBIOS is vulnerable to attacks, so it is
optional on Windows operating systems later than Windows 2000. Users can enable or disable
NetBIOS as required.

When a DHCP client uses the NetBIOS protocol for communication, its host name must be
mapped to an IP address. Based on the modes to obtain mapping, NetBIOS nodes are
classified into the following types:
● b-node: indicates a node in broadcast mode. This node obtains its mapping in broadcast
mode.
● p-node: indicates a node in peer-to-peer mode. This node obtains its mapping by
communicating with the NetBIOS server in unicast mode.
● m-node: indicates a node in mixed mode. An m-node is a p-node that has certain
broadcast features. The node first sends broadcast packets to obtain its mapping. If no
mapping is obtained, the node sends unicast packets.
● h-node: indicates a node in hybrid mode. An h-node is a b-node enabled with an
end-to-end communication mechanism. The node first sends unicast packets to obtain its
mapping. If no mapping is obtained, the node sends broadcast packets.

When installing a Microsoft Windows operating system on a PC, you must define a host
name. Otherwise, the system generates a host name at random. Host names are unique on a
network.

When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.

The DNS server IP address, DNS domain name suffix, and NetBIOS server IP address in the
address pool can be statically specified or automatically obtained. The NetBIOS node type
can only be statically specified.
● If the configuration is to be automatically obtained, the device as the DHCP server also
needs to function as the DHCP client (the DHCP client function is configured on the
interface connected to the remote DHCP server). The device obtains the DNS server IP
address, DNS domain name suffix, and NetBIOS server IP address from the remote
DHCP server, and then uses the import function of the address pool to allocate the
information to the downlink client. For example, the DHCP server of a company needs
to obtain the uniform DNS server IP address, DNS domain name suffix, and NetBIOS
server IP address from the carrier, and allocate the information to the downlink client. In
this case, the configuration can be automatically obtained.
● If the configuration needs to be specified after the automatic obtaining function is
enabled, the static specification method is used.

NOTE

If the address pool contains both statically specified and automatically obtained configurations, the
statically specified configuration takes precedence.

Procedure
● Based on an interface address pool:
– Configure a DNS service.
i. Run:
system-view

The system view is displayed.


ii. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


iii. Configure the address pool to allocate the automatically obtained DNS
configuration to the DHCP clients.
Run:
dhcp server import all

The address pool is configured to allocate the automatically obtained DNS
configuration to the DHCP clients.
By default, the address pool does not allocate the automatically obtained DNS
configuration to the DHCP clients.
Configure the address pool to allocate the statically specified DNS
configuration to the DHCP clients.
○ Run:
dhcp server dns-list ip-address &<1-8>

The DNS server IP address is specified for the DHCP clients.


By default, no DNS server IP address is configured.
Each address pool can be configured with a maximum of eight DNS
server IP addresses.
○ Run:
dhcp server domain-name domain-name

The DNS domain name suffix allocated to the DHCP clients is configured.
By default, no DNS domain name suffix is configured.
– Configure a NetBIOS service.
i. Run:
system-view

The system view is displayed.


ii. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


iii. Configure the address pool to allocate the automatically obtained NetBIOS
server IP address to the DHCP client.
Run:
dhcp server import all

The address pool is configured to allocate the automatically obtained NetBIOS
server IP address to the DHCP clients.
By default, the address pool does not allocate the automatically obtained
NetBIOS server IP address to the DHCP clients.
Configure the address pool to allocate the statically specified NetBIOS
configuration to the DHCP clients.
○ Run:
dhcp server nbns-list ip-address &<1-8>

The NetBIOS server IP address is specified for the DHCP clients.


By default, no NetBIOS server IP address is configured.
Each address pool can be configured with a maximum of eight NetBIOS
server IP addresses.
○ Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type is specified.


By default, no NetBIOS node type is specified.
● Based on a global address pool:
– In the global address pool view:
■ Configure a DNS service.
1) Run:
system-view

The system view is displayed.


2) Run:
ip pool ip-pool-name

The global address pool view is displayed.


3) Configure the address pool to allocate the automatically obtained DNS
configuration to the DHCP clients.
Run:
import all

The address pool is configured to allocate the automatically obtained
DNS configuration to the DHCP clients.
By default, the address pool does not allocate the automatically obtained
DNS configuration to the DHCP clients.
Configure the address pool to allocate the statically specified DNS
configuration to the DHCP clients.
○ Run:
dns-list ip-address &<1-8>

The DNS server IP address is specified for the DHCP clients.


By default, no DNS server IP address is configured.
Each address pool can be configured with a maximum of eight DNS
server IP addresses.
○ Run:
domain-name domain-name

The domain name suffix to be assigned to the DHCP clients is configured.
By default, no DNS domain name suffix is configured.
■ Configure a NetBIOS service.
1) Run:
system-view

The system view is displayed.


2) Run:
ip pool ip-pool-name

The global address pool view is displayed.


3) Configure the address pool to allocate the automatically obtained
NetBIOS server IP address to the DHCP client.
Run:
import all

The address pool is configured to allocate the automatically obtained
NetBIOS server IP address to the DHCP clients.
By default, the address pool does not allocate the automatically obtained
NetBIOS server IP address to the DHCP clients.
Configure the address pool to allocate the statically specified NetBIOS
configuration to the DHCP clients.
○ Run:
nbns-list ip-address &<1-8>

The NetBIOS server address that a DHCP server delivers to a DHCP
client is specified.
By default, no NetBIOS server IP address is configured.
Each address pool can be configured with a maximum of eight
NetBIOS server IP addresses.
○ Run:
netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type is specified.


By default, no NetBIOS node type is specified.
– In the DHCP Option template view:
■ Configure a DNS service.
1) Run:
system-view

The system view is displayed.


2) Run:
dhcp option template template-name

A DHCP Option template is created and its view is displayed.


By default, no DHCP Option template is created on a device.
To allocate network parameters (except IP addresses) to static clients,
configure a DHCP Option template. Network parameters configured in
the DHCP Option template view take effect only for static clients. If a
network parameter is configured differently in the global address pool and
DHCP Option template views, the configuration in the DHCP Option
template view takes effect.
To allocate IP addresses only to static clients (for details, see 3.9.3.4
(Optional) Configuring a DHCP Server to Allocate Fixed IP
Addresses to Specified Clients), you do not need to configure a DHCP
Option template.
3) Run the following commands to configure the IP address of the DNS
server and domain name for the DHCP clients.
○ Run:
dns-list ip-address &<1-8>

The IP address of the DNS server is configured for DHCP clients.


By default, no DNS server IP address is configured in an address
pool.
Each address pool can be configured with a maximum of eight DNS
server IP addresses.
○ Run:
domain-name domain-name

The domain name is allocated to DHCP clients.


By default, no domain name is allocated.
If you need to configure other items in the DHCP Option template view,
complete them first before performing the following steps.
4) (Optional) Run:
quit

Return to the system view.


5) (Optional) Run:
ip pool ip-pool-name

The global address pool view is displayed.


6) (Optional) Run:
static-bind ip-address ip-address mac-address mac-address option-template template-name

A DHCP Option template is bound to static clients.


■ Configure a NetBIOS service.
1) Run:
system-view

The system view is displayed.


2) Run:
dhcp option template template-name

A DHCP Option template is created and its view is displayed.


By default, no DHCP Option template is created on a device.
To allocate network parameters (except IP addresses) to static clients,
configure a DHCP Option template. Network parameters configured in
the DHCP Option template view take effect only for static clients. If a
network parameter is configured differently in the global address pool and
DHCP Option template views, the configuration in the DHCP Option
template view takes effect.

To allocate IP addresses only to static clients (for details, see 3.9.3.4
(Optional) Configuring a DHCP Server to Allocate Fixed IP
Addresses to Specified Clients), you do not need to configure a DHCP
Option template.
3) Run the following commands to configure the IP address of the NetBIOS
server and NetBIOS node type for the DHCP clients.
○ Run:
nbns-list ip-address &<1-8>

The IP address of the NetBIOS server is configured for DHCP clients.
By default, no NetBIOS server IP address is configured in an
address pool.
Each address pool can be configured with a maximum of eight
NetBIOS server IP addresses.
○ Run:
netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type for DHCP clients is configured.


By default, no NetBIOS node type is configured for DHCP clients.
If you need to configure other items in the DHCP Option template view,
complete them first before performing the following steps.
4) (Optional) Run:
quit

Return to the system view.


5) (Optional) Run:
ip pool ip-pool-name

The global address pool view is displayed.


6) (Optional) Run:
static-bind ip-address ip-address mac-address mac-address option-template template-name

A DHCP Option template is bound to static clients.


----End

3.9.4.3 Configuring a Configuration File for a DHCP Client

Context
Some clients require certain network parameters, in addition to IP addresses, to be configured
before they can work normally. A DHCP server can allocate configuration information such
as the startup configuration file to clients. Configuration files are usually saved on the DHCP
server or a dedicated file server. The DHCP server can specify the address of the file server so
that clients can easily obtain files from the file server.
If the startup configuration file is saved on a file server, the route between the DHCP client
and file server must be reachable.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.

Procedure
● Configure a configuration file based on an interface address pool.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp server bootfile bootfile

The name of the startup configuration file for DHCP clients is configured.
By default, the name is not configured.
d. Run:
dhcp server sname sname

The name of the server from which DHCP clients obtain the startup configuration
file is configured.
By default, the name of the server is not configured.
e. Run:
dhcp server next-server ip-address

The IP address of the server is configured for the client after the client
automatically obtains an IP address.
By default, the server IP address is not configured.
You can also specify an IP address for the file server by configuring user-defined
options for clients.
● Configure a configuration file based on a global address pool.
– In the global address pool view:
i. Run:
system-view

The system view is displayed.


ii. Run:
ip pool ip-pool-name

The global address pool view is displayed.


iii. Run:
bootfile bootfile

The name of the startup configuration file for DHCP clients is configured.

By default, the name is not configured.


iv. Run:
sname sname

The name of the server from which DHCP clients obtain the startup
configuration file is configured.
By default, the name of the server is not configured.
v. Run:
next-server ip-address

The IP address of a network service server is configured for the client after the
client automatically obtains an IP address.
By default, the server IP address is not configured.
You can also specify an IP address for the file server by configuring
user-defined options for clients.
– In the DHCP Option template view:
i. Run:
system-view

The system view is displayed.


ii. Run:
dhcp option template template-name

A DHCP Option template is created and its view is displayed.


By default, no DHCP Option template is created on a device.
To allocate network parameters (except IP addresses) to static clients,
configure a DHCP Option template. Network parameters configured in the
DHCP Option template view take effect only for static clients. If a network
parameter is configured differently in the global address pool and DHCP
Option template views, the configuration in the DHCP Option template view
takes effect.
To allocate IP addresses only to static clients (for details, see 3.9.3.4
(Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to
Specified Clients), you do not need to configure a DHCP Option template.
iii. Run:
bootfile bootfile

The name of the startup configuration file for DHCP clients is configured.
By default, the name is not configured.
iv. Run:
sname sname

The name of the server from which DHCP clients obtain the startup
configuration file is configured.
By default, the name of the server is not configured.
v. Run:
next-server ip-address

The IP address of a network service server is configured for the client after the
client automatically obtains an IP address.
By default, the server IP address is not configured.

You can also specify an IP address for the file server by configuring
user-defined options for clients.
If you need to configure other items in the DHCP Option template view,
complete them first before performing the following steps.
vi. (Optional) Run:
quit

Return to the system view.


vii. (Optional) Run:
ip pool ip-pool-name

The global address pool view is displayed.


viii. (Optional) Run:
static-bind ip-address ip-address mac-address mac-address option-template template-name

A DHCP Option template is bound to static clients.


----End

3.9.4.4 Configuring User-defined Options for Clients

Context
Vendors can define DHCP options. A device functioning as a DHCP server can allocate
vendor-defined network parameters to clients using the following methods:
● Based on the options in DHCP Discovery messages: Options are configured using the
dhcp server option (based on an interface address pool) or option (based on a global
address pool) command. The device provides options only when requested by clients.
● By forcibly appending the Options field: Options are configured using the dhcp server
force insert option (based on an interface address pool) or force insert option (based on
a global address pool) command. The device inserts the Options field into DHCP Reply
messages, regardless of whether the options are requested by clients.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients. Network parameters for dynamic clients are
configured in the global address pool view, whereas network parameters for static clients are
configured in the global address pool view or DHCP Option template view. The DHCP
Option template must be configured when static clients require network parameters that are
different from those of dynamic clients. Network parameters configured in the DHCP Option
template view take effect only for static clients. If a network parameter is configured
differently in the global address pool and DHCP Option template views, the configuration in
the DHCP Option template view takes effect.
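
The two delivery methods listed above, modelled as an added example (a model of the described behaviour, not device code): the server reads the client's parameter request list (Option 55), returns configured options that were requested, and appends forced options whether requested or not. The option values, the private-use codes 224 and 225, and the rule that a forced code without a configured value is skipped are assumptions made for illustration; the input is the options field that follows the DHCP magic cookie.

```python
PARAM_REQUEST_LIST = 55  # Option 55 carries the option codes a client asks for
PAD, END = 0, 255


def parse_options(field):
    """Decode a DHCP options field (code, length, value) into {code: value}."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == END:
            break
        if code == PAD:  # single-octet padding, no length octet follows
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d has no length octet" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def encode_options(pairs):
    """Encode [(code, value), ...] and terminate with the End option."""
    out = bytearray()
    for code, value in pairs:
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


def select_reply_options(configured, forced, client_field):
    """Pick the configured options that go into the reply.

    configured: {code: value} set with the option command
    forced:     codes listed with the force insert option command
    Assumption: a forced code with no configured value is skipped.
    """
    requested = parse_options(client_field).get(PARAM_REQUEST_LIST, b"")
    wanted = list(dict.fromkeys(requested))  # keep request order, drop repeats
    wanted += [code for code in sorted(forced) if code not in wanted]
    return [(code, configured[code]) for code in wanted if code in configured]


# Constructed client options: message type DISCOVER, then a parameter
# request list asking for options 1, 3, 6 and 43.
CLIENT_FIELD = bytes([53, 1, 1, 55, 4, 1, 3, 6, 43, END])

# Constructed server-side values for three user-defined options.
CONFIGURED = {43: b"\x01\x04demo", 224: b"site-a", 225: b"startup.cfg"}


def demo():
    """Compare a reply without forced options to one that forces option 224."""
    only_requested = select_reply_options(CONFIGURED, set(), CLIENT_FIELD)
    with_forced = select_reply_options(CONFIGURED, {224}, CLIENT_FIELD)
    return only_requested, with_forced, encode_options(with_forced)


if __name__ == "__main__":
    requested_only, forced_too, wire = demo()
    print("requested only:", [code for code, _ in requested_only])
    print("with forced 224:", [code for code, _ in forced_too])
    print("encoded:", wire.hex())
```

Option 225 is configured but never sent in either case, because the client did not request it and it is not forced.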

Procedure
● Configure user-defined options for clients based on an interface address pool.
a. Run:
system-view

The system view is displayed.


b. (Optional) Run:
dhcp server trust option82

The DHCP server is enabled to trust Option 82.

By default, the device is enabled to trust Option 82.

The Option 82 field is called the DHCP relay agent information field. It records the
location of a DHCP client, based on which a DHCP server can select address
allocation policies including IP addresses and other network parameters. Vendors
can define Option 82 based on their requirements. Currently, a device functioning
as the DHCP server cannot allocate network parameters to clients based on policies.
After the device is enabled to trust Option 82, the device normally allocates IP
addresses to clients. If the device is disabled from trusting Option 82, the device
discards received messages carrying Option 82.
c. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


d. (Optional) Run:
dhcp server force insert option code &<1-254>

The DHCP server is configured to forcibly insert an Option field into DHCP Reply
messages sent to DHCP clients.

By default, the DHCP server does not forcibly insert an Option field into DHCP
Reply messages.

After this function is configured, the device inserts an Option field into a DHCP
Reply message regardless of whether the option has been requested.
e. Run:
dhcp server option code [ sub-option sub-code ] { ascii ascii-string |
hex hex-string | cipher cipher-string | ip-address ip-address &<1-8> }

DHCP options are configured.

By default, no option is configured.

NOTE

If an option carries a password, using ascii or hex is insecure. Using cipher is recommended. For
security purposes, the password must be at least six characters long and contain at least two of the
following: digits, lowercase letters, uppercase letters, and special characters.

After an option is configured, the device provides this option only when requested
by clients.

Some options are configured using other commands, as described in the following
table.

Table 3-9 Commands for configuring options

Option     Configuration Command                               Description
---------  --------------------------------------------------  ----------------------------------------
Option1    mask-length in the ip address ip-address            Specifies the subnet mask.
           { mask | mask-length } command
Option3    ip-address in the ip address ip-address             Specifies the gateway address.
           { mask | mask-length } command
Option6    dhcp server dns-list ip-address &<1-8>              Specifies the DNS server IP address.
Option15   dhcp server domain-name domain-name                 Specifies the domain name.
Option44   dhcp server nbns-list ip-address &<1-8>             Specifies the NetBIOS server IP address.
Option46   dhcp server netbios-type { b-node | h-node |        Specifies the NetBIOS node type.
           m-node | p-node }
Option50   Does not need to be configured on the DHCP server   Specifies the requested IP address.
Option51   dhcp server lease { day day [ hour hour             Specifies the IP address lease.
           [ minute minute ] ] | unlimited }
Option52   Does not need to be configured on the DHCP server   Specifies the additional option.
Option53   Does not need to be configured on the DHCP server   Specifies the DHCP message type.
Option54   Does not need to be configured on the DHCP server   Specifies the server identifier.
Option55   Does not need to be configured on the DHCP server   Specifies the parameter request list.
Option57   Does not need to be configured on the DHCP server   Specifies the maximum length of a DHCP
                                                               message.
Option58   Does not need to be configured on the DHCP server   Specifies the lease renewal time (T1),
                                                               which is 50% of the lease time.
Option59   Does not need to be configured on the DHCP server   Specifies the lease renewal time (T2),
                                                               which is 87.5% of the lease time.
Option61   Does not need to be configured on the DHCP server   Specifies the client identifier.
Option82   Does not need to be configured on the DHCP server   Specifies relay agent information.
Option121  dhcp server option121 ip-address                    Specifies a group of classless routes.
           { ip-address mask-length gateway-address } &<1-8>
Option184  dhcp server option184 { as-ip ip-address |          Specifies voice parameters.
           fail-over ip-address dialer-string |                NOTE: The AR503GW-LM7 and AR503GW-LcM7
           ncp-ip ip-address | voice-vlan vlan-id }            do not support the voice-vlan vlan-id
                                                               parameter.

f. Run:
dhcp server option121 ip-address { ip-address mask-length gateway-address } &<1-8>

A classless static route allocated to a DHCP client is configured.

By default, no classless static route allocated to DHCP clients is configured.


g. Run:
dhcp server option184 { as-ip ip-address | fail-over ip-address dialer-string |
ncp-ip ip-address | voice-vlan vlan-id }

Option 184 allocated to DHCP clients is configured.

By default, the Option 184 field is not configured.

NOTE

The AR503GW-LM7 and AR503GW-LcM7 do not support the voice-vlan vlan-id parameter.


l Configure user-defined options for clients based on a global address pool.
– In the global address pool view:
i. Run:
system-view

The system view is displayed.


ii. (Optional) Run:
dhcp server trust option82

The DHCP server is enabled to trust Option 82.


By default, the device is enabled to trust Option 82.
The Option 82 field is called the DHCP relay agent information field. It
records the location of a DHCP client, based on which a DHCP server can
select address allocation policies including IP addresses and other network
parameters. Vendors can define Option 82 based on their requirements.
Currently, a device functioning as the DHCP server cannot allocate network
parameters to clients based on policies. After the device is enabled to trust
Option 82, the device normally allocates IP addresses to clients. If the device
is disabled from trusting Option 82, the device discards received messages
carrying Option 82.
iii. Run:
ip pool ip-pool-name

The global address pool view is displayed.


iv. (Optional) Run:
force insert option code &<1-254>

The DHCP server is configured to forcibly insert an Option field to DHCP
Reply messages sent to DHCP clients.
By default, the DHCP server does not forcibly insert an Option field to DHCP
Reply messages.
v. Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string |
cipher cipher-string | ip-address ip-address &<1-8> }

DHCP options are configured.


By default, no option is configured.
NOTE

If an option carries a password, using ascii or hex is insecure. Using cipher is
recommended. For security purposes, the password must be at least six characters long and
contain at least two of the following: digits, lowercase letters, uppercase letters, and special
characters.
Some options are configured using other commands, as described in the
following table.

Table 3-10 Commands for configuring options

Option     Configuration Command                               Description
---------  --------------------------------------------------  ----------------------------------------
Option1    mask-length in the ip address ip-address            Specifies the subnet mask.
           { mask | mask-length } command
Option3    gateway-list ip-address &<1-8>                      Specifies the gateway address.
Option6    dns-list ip-address &<1-8>                          Specifies the DNS server IP address.
Option15   domain-name domain-name                             Specifies the domain name.
Option44   nbns-list ip-address &<1-8>                         Specifies the NetBIOS server IP address.
Option46   netbios-type { b-node | h-node | m-node | p-node }  Specifies the NetBIOS node type.
Option50   Does not need to be configured on the DHCP server   Specifies the requested IP address.
Option51   lease { day day [ hour hour [ minute minute ] ] |   Specifies the IP address lease.
           unlimited }
Option52   Does not need to be configured on the DHCP server   Specifies the additional option.
Option53   Does not need to be configured on the DHCP server   Specifies the DHCP message type.
Option54   Does not need to be configured on the DHCP server   Specifies the server identifier.
Option55   Does not need to be configured on the DHCP server   Specifies the parameter request list.
Option57   Does not need to be configured on the DHCP server   Specifies the maximum length of a DHCP
                                                               message.
Option58   Does not need to be configured on the DHCP server   Specifies the lease renewal time (T1),
                                                               which is 50% of the lease time.
Option59   Does not need to be configured on the DHCP server   Specifies the lease renewal time (T2),
                                                               which is 87.5% of the lease time.
Option61   Does not need to be configured on the DHCP server   Specifies the client identifier.
Option82   Does not need to be configured on the DHCP server   Specifies relay agent information.
Option121  option121 ip-address { ip-address mask-length       Specifies a group of classless routes.
           gateway-address } &<1-8>
Option184  option184 { as-ip ip-address |                      Specifies voice parameters.
           fail-over ip-address dialer-string |                NOTE: The AR503GW-LM7 and AR503GW-LcM7
           ncp-ip ip-address | voice-vlan vlan-id }            do not support the voice-vlan vlan-id
                                                               parameter.

vi. Run:
option121 ip-address { ip-address mask-length gateway-address }
&<1-8>

A classless static route allocated to a DHCP client is configured.


By default, no classless static route allocated to DHCP clients is configured.
vii. Run:
option184 { as-ip ip-address | fail-over ip-address dialer-string |
ncp-ip ip-address | voice-vlan vlan-id }

Option 184 allocated to DHCP clients is configured.


By default, the Option 184 field is not configured.
NOTE

The AR503GW-LM7 and AR503GW-LcM7 do not support the voice-vlan vlan-id parameter.


– In the DHCP Option template view:
i. Run:
system-view

The system view is displayed.


ii. Run:
dhcp option template template-name

A DHCP Option template is created and its view is displayed.


By default, no DHCP Option template is created on a device.
To allocate network parameters (except IP addresses) to static clients,
configure a DHCP Option template. Network parameters configured in the
DHCP Option template view take effect only for static clients. If a network
parameter is configured differently in the global address pool and DHCP
Option template views, the configuration in the DHCP Option template view
takes effect.
To allocate IP addresses only to static clients (for details, see 3.9.3.4
(Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to
Specified Clients), you do not need to configure a DHCP Option template.

iii. (Optional) Run:
force insert option code &<1-254>

The DHCP server is configured to forcibly insert an Option field to DHCP
Reply messages sent to DHCP clients.
By default, the DHCP server does not forcibly insert an Option field to DHCP
Reply messages.
iv. Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string |
cipher cipher-string | ip-address ip-address &<1-8> }

DHCP options are configured.


By default, no option is configured.
NOTE

If an option carries a password, using ascii or hex is insecure. Using cipher is
recommended. For security purposes, the password must be at least six characters long and
contain at least two of the following: digits, lowercase letters, uppercase letters, and special
characters.
Some options are configured using commands, as described in Table 3-10.
v. Run:
option121 ip-address { ip-address mask-length gateway-address }
&<1-8>

A classless static route allocated to a DHCP client is configured.


By default, no classless static route allocated to DHCP clients is configured.
vi. Run:
option184 { as-ip ip-address | fail-over ip-address dialer-string |
ncp-ip ip-address | voice-vlan vlan-id }

Option 184 allocated to DHCP clients is configured.


NOTE

The AR503GW-LM7 and AR503GW-LcM7 do not support the voice-vlan vlan-id parameter.


By default, the Option 184 field is not configured.
If you need to configure other items in the DHCP Option template view,
complete them first before performing the following steps.
vii. (Optional) Run:
quit

Return to the system view.


viii. (Optional) Run:
ip pool ip-pool-name

The global address pool view is displayed.


ix. (Optional) Run:
static-bind ip-address ip-address mac-address mac-address option-template template-name

A DHCP Option template is bound to static clients.

----End

3.9.5 (Optional) Configuring the DHCP Rate Limit Function

Context
To prevent an attacker from sending a large number of DHCP messages, you can configure
the DHCP rate limit function on the device to limit the rate of DHCP messages from clients.
The device then passes only a specified number of DHCP messages to the DHCP stack in a
certain period of time and discards excess DHCP messages.
You are advised to configure DHCP message rate limit on user-side devices. If the device
functions as a DHCP server and directly connects to DHCP clients, configure rate limit on the
device; if the device functions as a DHCP server and connects to a DHCP relay agent or
DHCP snooping device, configure rate limit on the DHCP relay agent or DHCP snooping
device.
You can configure rate limit in the system, VLAN, or interface view. The configuration takes
effect in the interface view, VLAN view, and system view in descending order of priority.

Procedure
l Configure DHCP rate limit in the system view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

DHCP rate limit is enabled.


By default, DHCP rate limit is disabled.
c. Run:
dhcp check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, DHCP messages are sent to the DHCP stack at a rate of 100 pps. Excess
packets in a specified period of time are discarded.
d. (Optional) Run:
dhcp alarm dhcp-rate enable

The trap function for the rate limit is enabled.


By default, the trap function for the rate limit is disabled.
This function allows the system to generate an alarm when the number of discarded
DHCP messages reaches the threshold.
e. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for checking DHCP message rates is specified.


By default, the alarm threshold for checking DHCP message rates is not specified.
After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.
l Configure DHCP rate limit in the VLAN view.

a. Run:
system-view

The system view is displayed.


b. Run:
vlan vlan-id

The VLAN view is displayed.


c. Run:
dhcp check dhcp-rate enable

DHCP rate limit is enabled.


By default, DHCP rate limit is disabled.
d. Run:
dhcp check dhcp-rate rate

The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the maximum rate of sending DHCP messages to the DHCP stack is not
configured.
l Configure DHCP rate limit in the interface view.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp check dhcp-rate enable

DHCP rate limit is enabled.


By default, DHCP rate limit is disabled.
d. Run:
dhcp check dhcp-rate rate

The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the rate of sending DHCP messages to the DHCP stack is not
configured.
e. (Optional) Run:
dhcp alarm dhcp-rate enable

The trap function for the rate limit is enabled.


By default, the trap function for the rate limit is disabled.
This function allows the system to generate an alarm when the number of discarded
DHCP messages on the interface reaches the threshold.
f. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for checking DHCP message rates is specified.

By default, the alarm threshold for checking DHCP message rates is not specified.
After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.
----End

3.9.6 Checking the Configuration


Procedure
l Check IP address allocation information in address pools using the following commands:
– Interface address pool:
display ip pool [ interface interface-pool-name [ start-ip-address [ end-ip-address ] |
all | conflict | expired | used ] ]
– Global address pool:
display ip pool [ name ip-pool-name [ start-ip-address [ end-ip-address ] | all |
conflict | expired | used ] ]
Parameters in the commands are described in the following table.
Parameter                             Description
------------------------------------  ------------------------------------------------------------
used                                  Displays information about used IP addresses in an address
                                      pool.
start-ip-address [ end-ip-address ]   Displays information about an IP address or some IP
                                      addresses in an address pool.
all                                   Displays information about all IP addresses in an address
                                      pool.
conflict                              Displays information about conflicting IP addresses in an
                                      address pool.
expired                               Displays information about expired IP addresses in an
                                      address pool.

l Run the display dhcp server database command to view the path for storing the DHCP
database.
l Run the display dhcp option template [ name template-name ] command to view the
configuration of a DHCP Option template.
l Run the display ip pool import all command to view the DNS and NetBIOS
configurations that the address pool automatically obtains and allocates to the DHCP
clients.
----End

3.10 Configuring a DHCP Relay Agent


When a DHCP server resides on a different network segment from DHCP clients, configure a
DHCP relay agent to help the DHCP server allocate network parameters including IP
addresses to DHCP clients.

Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:

l Configure a DHCP server.


If an industrial switch router functions as the DHCP server, refer to 3.9 Configuring a
DHCP Server for configuration details.
l Configure a routing protocol between the device and DHCP server to ensure that the
route between them is reachable.

3.10.1 Enabling DHCP

Context
Before enabling the DHCP relay function, enable DHCP in the system view.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

NOTE

If STP is enabled on a device functioning as a DHCP relay, allocating IP addresses may be slowed. By
default, STP is enabled. To disable STP, run the undo stp enable command.

----End

3.10.2 Enabling the DHCP Relay Function

Context
Enable the DHCP relay function on an interface so that the interface functions as a DHCP
relay agent.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.

NOTE
When the IP address of the interface connecting the DHCP relay agent to clients functions as the gateway
address of the clients, configure the IP address on the same network segment as the address pool on the
DHCP server. Otherwise, clients cannot obtain IP addresses.

Step 4 Run:
dhcp select relay

The DHCP relay function is enabled on the interface.

By default, the DHCP relay function is disabled on an interface.

NOTE

When enabling the DHCP relay function on a sub-interface, run the arp broadcast enable command on the
sub-interface to enable ARP broadcast. By default, ARP broadcast is not enabled on a VLAN tag termination
sub-interface.

----End

3.10.3 Specifying an IP Address for the DHCP Server on a DHCP Relay Agent

Context
A device functioning as a DHCP relay agent transparently transmits DHCP Discovery
messages to the destination DHCP server. The DHCP server can then allocate network
parameters including IP addresses to clients. After an IP address is specified for the DHCP
server on the DHCP relay agent, clients can send DHCP Discovery messages to the DHCP
server to apply for IP addresses.

The device supports two configuration methods:


l In the interface view: Specify an IP address for the DHCP server in the interface view.
This method is recommended for configuring a DHCP relay on an interface or multiple
interfaces on which DHCP servers have different IP addresses.
l In the DHCP server group view: Create a DHCP server group in the system view, add
members (IP addresses of specified DHCP servers) to the group, and apply the DHCP
server group to an interface. This method is recommended for configuring a DHCP relay
on multiple interfaces that map to the same DHCP server.

A maximum of 16 DHCP relay agents are allowed between a DHCP server and a DHCP
client. If there are more than 16 DHCP relay agents, DHCP messages are discarded.

Procedure
l Specify an IP address for the DHCP server in the interface view.
a. Run:
system-view

The system view is displayed.


b. (Optional) Run:
ip relay address cycle

The DHCP server polling function is configured on the DHCP relay agent.
By default, DHCP server polling is disabled on a DHCP relay agent.
If IP addresses are specified for multiple DHCP servers, by default, the DHCP relay
agent forwards DHCP Discovery messages to all DHCP servers. To reduce the
burden on the device, configure the DHCP server polling function so that the device
forwards DHCP Discovery messages to only one DHCP server at a time. If the
device receives no DHCP Reply message from the DHCP server for a specified
period of time, the device forwards the DHCP Discovery messages to another
DHCP server until it receives a DHCP Reply message.
c. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


d. Run:
dhcp relay server-ip ip-address

An IP address is specified for a DHCP server.


By default, no IP addresses are specified for DHCP servers.
Each interface supports a maximum of eight DHCP server IP addresses.
l Specify an IP address for the DHCP server in the DHCP server group view.
a. Run:
system-view

The system view is displayed.


b. (Optional) Run:
ip relay address cycle

The DHCP server polling function is configured on the DHCP relay agent.
By default, DHCP server polling is disabled on a DHCP relay agent.
If IP addresses are specified for multiple DHCP servers, by default, the DHCP relay
agent forwards DHCP Discovery messages to all DHCP servers. To reduce the
burden on the device, configure the DHCP server polling function so that the device
forwards DHCP Discovery messages to only one DHCP server at a time. If the
device receives no DHCP Reply message from the DHCP server for a specified
period of time, the device forwards the DHCP Discovery messages to another
DHCP server until it receives a DHCP Reply message.
c. Run:
dhcp server group group-name

A DHCP server group is created, and its view is displayed.

By default, no DHCP server group is configured.

A maximum of 64 DHCP server groups can be configured on a device.


d. Run:
dhcp-server ip-address [ ip-address-index ]

DHCP server members are configured in the DHCP server group.

By default, no DHCP server member is configured in a DHCP server group.

A maximum of eight DHCP servers can be added to a DHCP server group.


e. (Optional) Run:
gateway ip-address

A gateway address is specified for clients.

If the IP address of the interface that connects the DHCP relay agent to clients
functions as the gateway address, skip this step.

The gateway address specified in this step must be the same as the egress gateway
address of clients specified on the DHCP server. If a Huawei AR Series
switch functions as the DHCP server, refer to 3.9.4.1 Configuring a Gateway
Address for Clients for details about how to specify the egress gateway address for
clients.
f. (Optional) Run:
vpn-instance vpn-instance-name

The DHCP server group is bound to a VPN instance.

By default, the DHCP server group is not bound to a VPN instance.

Only the S5720HI and S5720EI support this step. Only the S5320EI supports this
step. Only the S5720HI, S5720EI, S5720SI, S5720S-SI and S6720EI support this
step. Only the S5320EI, S5320SI and S6320EI support this step.

If the DHCP relay agent is deployed on a VPN network, bind the DHCP server
group to the VPN instance that is also bound to the address pool of the DHCP
server. Otherwise, clients cannot obtain IP addresses.
g. Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


h. Run:
dhcp relay server-select group-name

A DHCP server group is configured on the interface.

----End

3.10.4 (Optional) Configuring Strategies for Processing Option 82 Information on a DHCP Relay Agent

Context
Option 82 is also called the Relay Agent Information Option. It records the location of a
DHCP client, based on which a DHCP server can select address allocation policies including
IP addresses and other network parameters. You can configure strategies for processing
Option 82 information on a DHCP relay agent.

You are advised to perform the configuration on a user-side device. If the DHCP relay agent
connects to a DHCP snooping device, configure the strategies for processing Option 82
information on the DHCP snooping device. When an industrial switch router functions as the
DHCP snooping device, refer to Inserting the Option 82 Field in a DHCP Message in Huawei
AR Series IOT Gateway Configuration Guide - Security - DHCP Snooping to perform the
configuration.

NOTE

If the device functions as the first-hop DHCP relay agent, it can process Option 82 information. If the device
functions as the second-hop or subsequent DHCP relay agent, it cannot process Option 82 information.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp relay trust option82

The DHCP relay agent is enabled to trust Option 82.

By default, a DHCP relay agent does not trust Option 82.

When this function is enabled, the DHCP relay agent can receive and forward DHCP
messages that carry Option 82. If the DHCP relay agent is disabled from trusting Option 82
using the undo dhcp relay trust option82 command, the device discards the DHCP
messages carrying Option 82.

Step 3 Configure strategies for processing Option 82 information on the DHCP relay agent.
l Configure the DHCP relay agent to insert the Option 82 field to DHCP messages in a
VLAN view. This configuration takes effect on all DHCP messages from this VLAN
received on the interfaces of the DHCP relay agent.
a. Run:
vlan vlan-id

The VLAN view is displayed.


b. Run:
dhcp option82 { insert | rebuild } enable

The DHCP relay agent is enabled to insert the Option 82 field to received DHCP
messages.

By default, a DHCP relay agent is disabled from inserting the Option 82 field to
received DHCP messages.
c. Run:
quit

Return to the system view.


l Configure the DHCP relay agent to insert the Option 82 field to DHCP messages in an
interface view. This configuration takes effect on DHCP messages received on the
specified interface.
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dhcp option82 { insert | rebuild } enable

The DHCP relay agent is enabled to insert the Option 82 field to received DHCP
messages.
By default, a DHCP relay agent is disabled from inserting the Option 82 field to
received DHCP messages.
DHCP messages received on the DHCP relay agent may carry the Option 82 field.
Select a strategy based on network requirements.
n When insert is configured: If a DHCP message does not carry the Option 82
field, the DHCP relay agent inserts the Option 82 field. If a DHCP message
carries the Option 82 field, the DHCP relay agent checks whether the Option
82 field contains remote-id. If yes, the Option 82 field remains unchanged; if
no, the DHCP relay agent inserts remote-id.
n When rebuild is configured: If a DHCP message does not carry the Option 82
field, the DHCP relay agent inserts the Option 82 field. If a DHCP message
carries the Option 82 field, the DHCP relay agent deletes the original Option
82 field and inserts the locally configured Option 82 field.
c. Run:
quit

Return to the system view.


Step 4 (Optional) Set the format of the Option 82 field.
Configure the format of the Option 82 field in the system or interface view. If the
configuration is performed in the system view, the configuration takes effect on all interfaces
of the device. If the configuration is performed in an interface view, the configuration takes
effect only on the specified interface.

l All Option 82 fields configured in the system view or in the same interface view share a
length of 1-255 bytes. If their total length exceeds 255 bytes, some Option 82 information
will be lost.
l There is no limit on the number of Option 82 fields configured on the device. However, a
large number of Option 82 fields will occupy a lot of memory and prolong the device
processing time. To ensure device performance, you are advised to configure Option 82
fields based on the service requirements and device memory size.

l In the system view:


Run:
dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ]
format { default | common | extend | user-defined text }

The format of the Option 82 field is configured.


By default, the Option 82 field is in the default format.
l In the interface view:
a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id |
remote-id ] format { default | common | extend | user-defined text }

The format of the Option 82 field is configured.


By default, the Option 82 field is in the default format.
c. Run:
quit

Return to the system view.

----End
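
The insert and rebuild strategies from Step 3, modelled on the DHCP options field as an added example (not Huawei code). Sub-option codes 1 (circuit-id) and 2 (remote-id) come from RFC 3046; the local circuit-id and remote-id values, the sample messages, and the assumption that a newly inserted field carries both sub-options are constructed for illustration and do not reproduce the device's default format.

```python
"""Added example: DHCP relay 'insert' vs 'rebuild' handling of Option 82."""

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # sub-option codes from RFC 3046


def parse_tlvs(data, dhcp_options=False):
    """Split code/length/value triples into an ordered list of (code, value)."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == OPT_PAD:      # one-byte padding option
            i += 1
            continue
        if dhcp_options and code == OPT_END:      # end of the options field
            break
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value runs past the end of the field")
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_tlvs(items):
    """Serialise (code, value) pairs; a value longer than 255 bytes cannot be encoded."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("value exceeds the 255-byte limit")
        out += bytes((code, len(value))) + value
    return bytes(out)


def relay_process(options, strategy, circuit_id, remote_id):
    """Return the options field as a relay using `strategy` would forward it."""
    if strategy not in ("insert", "rebuild"):
        raise ValueError("strategy must be 'insert' or 'rebuild'")
    parsed = parse_tlvs(options, dhcp_options=True)
    received = [v for c, v in parsed if c == OPT_RELAY_INFO]
    others = [(c, v) for c, v in parsed if c != OPT_RELAY_INFO]
    local = [(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)]

    if not received or strategy == "rebuild":
        # No Option 82 yet, or rebuild: the locally configured field is used.
        subs = local
    else:
        # insert: keep the received field; add remote-id only if it is missing.
        subs = parse_tlvs(received[0])
        if not any(code == SUB_REMOTE_ID for code, _ in subs):
            subs.append((SUB_REMOTE_ID, remote_id))

    # Option 82 is written last, directly before the End option.
    return build_tlvs(others + [(OPT_RELAY_INFO, build_tlvs(subs))]) + bytes((OPT_END,))


def option82_subs(options):
    """Return {sub-option code: value} for Option 82, or {} when it is absent."""
    for code, value in parse_tlvs(options, dhcp_options=True):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value))
    return {}


def sample(subs=None):
    """Constructed client options: DHCP message type = DISCOVER, optional Option 82."""
    items = [(OPT_MSG_TYPE, b"\x01")]
    if subs:
        items.append((OPT_RELAY_INFO, build_tlvs(subs)))
    return build_tlvs(items) + bytes((OPT_END,))


if __name__ == "__main__":
    local = dict(circuit_id=b"GE0/0/1", remote_id=b"relay-1")   # constructed values
    received = sample([(SUB_CIRCUIT_ID, b"c-in"), (SUB_REMOTE_ID, b"r-in")])
    for strategy in ("insert", "rebuild"):
        print(strategy, option82_subs(relay_process(received, strategy, **local)))
```

Under insert, circuit-id and remote-id values already present in a received message reach the DHCP server as sent; only rebuild guarantees that the field reflects the relay's own configuration.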

3.10.5 (Optional) Configuring Rate Limit of DHCP Packets

Context
You can configure rate limit of DHCP packets on the device to prevent DHCP packet attacks.
After rate limit is configured, the device is allowed to process only a specified number of
DHCP packets within a certain period and discards extra packets.
Rate limit is configured for the DHCP packets sent by the clients, so you are advised to
configure the rate limit function on the device close to the user side. If the device functions as
the DHCP relay and is connected to a DHCP snooping-enabled device, you are advised to
configure the rate limit function on the DHCP snooping-enabled device.
You can configure the rate limit function in the system view, VLAN view, or interface view.
The configuration in the interface view takes precedence over those in the VLAN view and
system view; the configuration in the VLAN view takes precedence over that in the system
view.
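
The scope precedence and discard alarm described here and in 3.9.5, modelled as an added example (not Huawei code). The fixed one-second window, the cumulative discard counter, the rule that an enabled VLAN or interface scope without a rate falls through to the next scope, and the interface names and rates in the sample configuration are assumptions made for the model.

```python
"""Added example: DHCP rate-limit scope precedence and discard alarm (a model)."""

SYSTEM_DEFAULT_PPS = 100    # default rate stated on this page for the system view

# Constructed configuration: one entry per view in which rate limit was enabled.
SAMPLE_CFG = {
    "system": {"enabled": True},                                  # default 100 pps
    "vlan": {10: {"enabled": True, "rate": 20}},
    "interface": {"GE0/0/1": {"enabled": True, "rate": 5, "alarm_threshold": 3}},
}


def effective_limit(cfg, interface, vlan):
    """Pick the limit for a packet: interface view, then VLAN view, then system view.

    Returns (scope_key, rate_pps, alarm_threshold), or None when no limit applies.
    """
    candidates = (
        (("interface", interface), cfg.get("interface", {}).get(interface)),
        (("vlan", vlan), cfg.get("vlan", {}).get(vlan)),
        (("system", None), cfg.get("system")),
    )
    for key, entry in candidates:
        if not entry or not entry.get("enabled"):
            continue
        rate = entry.get("rate")
        if rate is None and key[0] == "system":
            rate = SYSTEM_DEFAULT_PPS
        if rate is not None:            # assumption: a scope without a rate is skipped
            return key, rate, entry.get("alarm_threshold")
    return None


class RateLimiter:
    """Passes at most rate_pps packets per one-second window and counts discards."""

    def __init__(self, rate_pps, alarm_threshold=None):
        self.rate_pps = rate_pps
        self.alarm_threshold = alarm_threshold
        self.window = None
        self.in_window = 0
        self.passed = 0
        self.discarded = 0
        self.alarm = False

    def offer(self, timestamp):
        """Return True if the packet goes to the DHCP stack, False if discarded."""
        window = int(timestamp)
        if window != self.window:
            self.window, self.in_window = window, 0
        if self.in_window < self.rate_pps:
            self.in_window += 1
            self.passed += 1
            return True
        self.discarded += 1
        # The alarm fires once the discard count exceeds the configured threshold.
        if self.alarm_threshold is not None and self.discarded > self.alarm_threshold:
            self.alarm = True
        return False


def simulate(cfg, packets):
    """packets: iterable of (timestamp_seconds, interface, vlan).

    Returns {scope_key: RateLimiter} for every scope that limited at least one packet.
    """
    limiters = {}
    for timestamp, interface, vlan in packets:
        limit = effective_limit(cfg, interface, vlan)
        if limit is None:
            continue                    # no rate limit enabled for this packet
        key, rate, threshold = limit
        if key not in limiters:
            limiters[key] = RateLimiter(rate, threshold)
        limiters[key].offer(timestamp)
    return limiters


if __name__ == "__main__":
    # Constructed burst: 12 DHCP messages within one second on GE0/0/1 in VLAN 10.
    burst = [(i * 0.01, "GE0/0/1", 10) for i in range(12)]
    for key, lim in simulate(SAMPLE_CFG, burst).items():
        print(key, "passed", lim.passed, "discarded", lim.discarded, "alarm", lim.alarm)
```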

Procedure
l Configure DHCP rate limit in the system view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

DHCP rate limit is enabled.

By default, DHCP rate limit is disabled.


c. Run:
dhcp check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, DHCP messages are sent to the DHCP stack at a rate of 100 pps. Excess
packets in a specified period of time are discarded.
d. (Optional) Run:
dhcp alarm dhcp-rate enable

The trap function for the rate limit is enabled.


By default, the trap function for the rate limit is disabled.
This function allows the system to generate an alarm when the number of discarded
DHCP messages reaches the threshold.
e. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for checking DHCP message rates is specified.


By default, the alarm threshold for checking DHCP message rates is not specified.
After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.
• Configure DHCP rate limit in the VLAN view.
a. Run:
system-view

The system view is displayed.


b. Run:
vlan vlan-id

The VLAN view is displayed.


c. Run:
dhcp check dhcp-rate enable

DHCP rate limit is enabled.


By default, DHCP rate limit is disabled.
d. Run:
dhcp check dhcp-rate rate

The maximum rate of sending DHCP messages to the DHCP stack is configured.
By default, the maximum rate of sending DHCP messages to the DHCP stack is not
configured.
• Configure DHCP rate limit in the interface view.
a. Run:
system-view

The system view is displayed.


b. Run:

interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


c. Run:
dhcp check dhcp-rate enable

DHCP rate limit is enabled.

By default, DHCP rate limit is disabled.


d. Run:
dhcp check dhcp-rate rate

The maximum rate of sending DHCP messages to the DHCP stack is configured.

By default, the rate of sending DHCP messages to the DHCP stack is not
configured.
e. (Optional) Run:
dhcp alarm dhcp-rate enable

The trap function for the rate limit is enabled.

By default, the trap function for the rate limit is disabled.

This function allows the system to generate an alarm when the number of discarded
DHCP messages on the interface reaches the threshold.
f. (Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for checking DHCP message rates is specified.

By default, the alarm threshold for checking DHCP message rates is not specified.

After the trap function for the rate limit is enabled, the device discards packets
whose rate exceeds the rate limit. When the number of discarded packets exceeds
the alarm threshold, the system generates an alarm.

----End
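
The following added example (not part of the Huawei guide) models the precedence rule and the discard/alarm behaviour described in 3.10.5, so that a rate and an alarm threshold can be reasoned about before they are configured. The fixed one-second window, the first-come-first-served order, the cumulative discard counter and all MAC addresses and timestamps are assumptions made for this illustration.

```python
"""Simplified model of the DHCP rate limit described in section 3.10.5."""
from collections import Counter
from typing import Iterable, Optional, Tuple


def effective_rate(system: Optional[int], vlan: Optional[int],
                   interface: Optional[int]) -> Optional[int]:
    """Pick the rate (pps) that applies; None means no rate limit in that view.

    Interface view beats VLAN view, and VLAN view beats system view.
    """
    for rate in (interface, vlan, system):
        if rate is not None:
            return rate
    return None


def simulate(arrivals: Iterable[Tuple[float, str]], rate_pps: Optional[int],
             alarm_threshold: Optional[int] = None):
    """Replay (timestamp_seconds, client_mac) arrivals through the limiter.

    ASSUMPTIONS: fixed one-second windows, first come first served, and a
    cumulative discard counter compared against the alarm threshold.
    Returns (accepted_per_client, discarded_per_client, alarm_time_or_None).
    """
    in_window = Counter()
    accepted, discarded = Counter(), Counter()
    total_discarded = 0
    alarm_at = None
    for ts, mac in sorted(arrivals):
        window = int(ts)
        if rate_pps is not None and in_window[window] >= rate_pps:
            # Over the limit for this window: the packet never reaches the DHCP stack.
            discarded[mac] += 1
            total_discarded += 1
            if (alarm_threshold is not None and alarm_at is None
                    and total_discarded > alarm_threshold):
                alarm_at = ts
            continue
        in_window[window] += 1
        accepted[mac] += 1
    return accepted, discarded, alarm_at


def constructed_traffic():
    """CONSTRUCTED input: one host sends 300 DHCP packets in the first second,
    while two ordinary clients each send a single DHCP Discover."""
    flood = [(i / 300, "00e0-fc00-0001") for i in range(300)]
    normal = [(0.505, "00e0-fc00-00aa"), (1.2, "00e0-fc00-00bb")]
    return flood + normal


if __name__ == "__main__":
    rate = effective_rate(system=100, vlan=None, interface=50)
    ok, dropped, alarm = simulate(constructed_traffic(), rate, alarm_threshold=200)
    print("effective rate:", rate, "pps")
    print("accepted:", dict(ok))
    print("discarded:", dict(dropped))
    print("alarm raised at t =", alarm)
```

In this model the ordinary client that arrives at 0.505 s is discarded together with the flood, because the limit applies to the whole view rather than to one client; a limit set in the interface view on the user-facing device confines that side effect to the flooding port.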

3.10.6 Checking the Configuration

Procedure
• Run the display dhcp relay { all | interface interface-type interface-number } command
to view information about the DHCP server or DHCP server group on the interface
functioning as a DHCP relay agent.
• Run the display dhcp server group [ group-name ] command to view the configuration
of the DHCP server group.

----End

3.11 Configuring a DHCP Client


A device can function as a DHCP client and dynamically obtain network parameters including
the IP address from a DHCP server. This mechanism lowers manual costs, reduces errors, and
facilitates unified management.

Pre-configuration Tasks
Before configuring a DHCP client, complete the following tasks:

• Configure a DHCP server.
• (Optional) Configure a DHCP relay agent.
• Configure a routing protocol between the device and DHCP server to ensure that the
route between them is reachable.

3.11.1 (Optional) Configuring Attributes for a DHCP Client

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp client class-id class-id

The DHCP client is configured to send DHCP Discovery messages that carry the Option 60
field.

By default, the default value of the Option 60 field depends on the device type, which is
"huawei Device Model".

Option 60 identifies the vendor type and configuration of a DHCP client. Vendors can define
the Option 60 field to transfer specified identification information or configurations of clients
to DHCP servers.

Step 3 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 4 Run:
dhcp client hostname hostname

A host name is configured for the DHCP client.

By default, no host name is configured for a DHCP client.

The host name allows access to a DHCP client through the domain name. A domain name
consists of a host name and domain name suffix.

Step 5 Run:
dhcp client client-id client-id

An identifier is configured for the DHCP client.

By default, a client's MAC address is used as its identifier.

Client identifiers are filled in the Option 61 field to uniquely identify DHCP clients.

Step 6 (Optional) Run:


dhcp client class-id class-id

The DHCP client is configured to send DHCP Discovery messages that carry the Option 60
field.

By default, the Option 60 field is not configured.

The Option 60 field can be configured in the system view and in the interface view. The
configuration in the interface view has a higher priority than that in the system view. If the
Option 60 field is configured in both views, the configuration performed in the interface view
takes effect.

----End

3.11.2 (Optional) Configuring an Expected Lease for a DHCP Client

Context
When a DHCP server dynamically allocates an IP address with a lease to a client, the DHCP
server compares the configured lease with the expected lease of the client and selects the
smaller value as the lease of the IP address. A device functioning as a DHCP client supports
the configuration of an expected lease.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 3 Run:
dhcp client expected-lease time

An expected lease is configured for the DHCP client.

By default, no expected lease is configured for a DHCP client.

----End

3.11.3 (Optional) Configuring the Gateway Detection Function on a DHCP Client

Context
A DHCP client enabled with the gateway detection function sends an ARP Request packet to
detect the gateway status after obtaining an IP address. If the DHCP client receives no ARP
Reply packet within the detection period, it considers the gateway address incorrect or the
gateway device faulty, and then re-applies for an IP address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


Step 3 Run:
dhcp client gateway-detect period period retransmit retransmit timeout time

The gateway detection function is configured on the DHCP client.


By default, the gateway detection function is not configured on DHCP clients.

----End

3.11.4 (Optional) Configuring a DHCP Client to Dynamically Obtain Routing Information

Context
To allow a DHCP client to communicate with other network devices, you need to configure a
route in which the next hop address is the gateway address of the client. If the gateway
address of the client is dynamically obtained from the DHCP server and the route is statically
configured on the client, the static route must be manually modified when the gateway
address changes. After the DHCP client is configured to dynamically obtain routing entries
through DHCP, the next hop address in the static route is automatically updated when the
gateway address changes, lowering maintenance costs.
A DHCP server can allocate routing entries to DHCP clients. On a device functioning as the
DHCP client, you can set the priorities of routing entries allocated by the DHCP server so that
the DHCP client can dynamically update its routing table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route ip-address { mask | mask-length } interface-type interface-number dhcp
[ preference-value ]

The DHCP client is configured to obtain routing entries through DHCP.


By default, a DHCP client does not obtain routing entries through DHCP.
Step 3 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 4 Run:
dhcp client default-route preference preference-value

The priority of routing entries allocated by the DHCP server to DHCP clients is set.

The default priority of routing entries allocated by the DHCP server to DHCP clients is 60.

----End

3.11.5 Enabling the DHCP Client Function

Context
After an interface is enabled with the DHCP client function, the device can obtain network
parameters including an IP address from a DHCP server.

If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use the allocated IP address and does not re-apply for an IP
address. To allow the interface to re-apply for an IP address, run the shutdown and then the
undo shutdown commands on the interface. Alternatively, run the undo ip address dhcp-alloc
and then the ip address dhcp-alloc commands on the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 3 Run:
ip address dhcp-alloc

The DHCP client function is enabled.

By default, the DHCP client function is disabled.

----End

3.11.6 Checking the Configuration

Procedure
• On an interface enabled with the DHCP client function, run the display this command to
view the configuration of the DHCP client.
• Run the display dhcp client command to view the status of the DHCP client.

----End

3.12 Configuring a BOOTP Client


A device can function as a BOOTP client and dynamically obtain network parameters
including the IP address from a DHCP server.

Pre-configuration Tasks
Before configuring a device as a BOOTP client, complete the following tasks:
• Configure a DHCP server.
• (Optional) Configure a DHCP relay agent.
• Configure a routing protocol between the device and DHCP server to ensure that the
route between them is reachable.

3.12.1 (Optional) Configuring Attributes for a BOOTP Client


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


Step 3 Run:
dhcp client hostname hostname

A host name is configured for the BOOTP client.


By default, no host name is configured for a BOOTP client.
A host name allows access to a BOOTP client through a domain name. A domain name
consists of a host name and domain name suffix.
Step 4 Run:
dhcp client client-id client-id

An identifier is configured for the BOOTP client.


By default, a client's MAC address is used as its identifier.

----End

3.12.2 (Optional) Configuring the Gateway Detection Function on a BOOTP Client

Context
A BOOTP client enabled with the gateway detection function sends an ARP Request packet
to detect the gateway status after obtaining an IP address. If the BOOTP client receives no
ARP Reply packet within the detection period, it considers the gateway address incorrect or
the gateway device faulty, and then re-applies for an IP address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.


Step 3 Run:
dhcp client gateway-detect period period retransmit retransmit timeout time

The gateway detection function is configured on the BOOTP client.


By default, the gateway detection function is not configured on BOOTP clients.

----End

3.12.3 (Optional) Configuring a BOOTP Client to Dynamically Obtain Routing Information

Context
To allow a BOOTP client to communicate with other network devices, you need to configure
a route in which the next hop address is the gateway address of the client. If the gateway
address of the client is dynamically obtained from the DHCP server and the route is statically
configured on the client, the static route must be manually modified when the gateway
address changes. After the BOOTP client is configured to dynamically obtain routing entries
through DHCP, the next hop address in the static route is automatically updated when the
gateway address changes, lowering maintenance costs.
A DHCP server can allocate routing entries to BOOTP clients. On a device functioning as the
BOOTP client, you can set the priorities of routing entries allocated by the DHCP server so
that the BOOTP client can dynamically update its routing table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route ip-address { mask | mask-length } interface-type interface-number dhcp
[ preference-value ]

The BOOTP client is configured to obtain routing entries through DHCP.


By default, a BOOTP client does not obtain routing entries through DHCP.
Step 3 Run:

interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 4 Run:
dhcp client default-route preference preference-value

The priority of routing entries allocated by the DHCP server to BOOTP clients is set.

The default priority of routing entries allocated by the DHCP server to BOOTP clients is 60.

----End

3.12.4 Enabling the BOOTP Client Function

Context
After an interface is enabled with the BOOTP client function, the interface can obtain network
parameters including the IP address from the DHCP server.

If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use the allocated IP address and does not re-apply for an IP
address. To allow the interface to re-apply for an IP address, run the shutdown and then the
undo shutdown commands on the interface. Alternatively, run the undo ip address bootp-alloc
and then the ip address bootp-alloc commands on the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

Step 3 Run:
ip address bootp-alloc

The BOOTP client function is enabled.

By default, the BOOTP client function is disabled.

----End

3.12.5 Checking the Configuration

Procedure
• On an interface enabled with the DHCP client function, run the display this command to
view the configuration of the DHCP client.
• Run the display dhcp client command to view the status of the DHCP client.

----End

3.13 Maintaining DHCP


This section describes how to view and clear DHCP statistics and monitor DHCP operation.

3.13.1 Viewing Statistics About DHCP Messages


Context
Statistics about received and sent DHCP messages provide useful information for locating
faults during routine maintenance.

Procedure
• Run the display dhcp server statistics command to view statistics about DHCP
messages sent and received on a DHCP server.
• Run the display dhcp relay statistics [ server-group group-name ] command to view
statistics about DHCP messages sent and received on a DHCP relay agent.
• Run the display dhcp client statistics [ interface interface-type interface-number ]
command to view statistics about DHCP messages sent and received on a DHCP client.
• Run the display dhcp statistics command to view statistics about DHCP messages sent
and received on a device.
----End

3.13.2 Clearing Statistics About DHCP Messages


Context
Before collecting statistics about DHCP messages during routine maintenance, clear the
existing statistics.

DHCP statistics cannot be restored after they are cleared. Exercise caution when performing
this operation.

Procedure
• Run the reset dhcp server statistics command to clear statistics about DHCP messages
sent and received on a DHCP server.
• Run the reset dhcp relay statistics [ server-group group-name ] command to clear
statistics about DHCP messages sent and received on a DHCP relay agent.
• Run the reset dhcp client statistics [ interface interface-type interface-number ]
command to clear statistics about DHCP messages sent and received on a DHCP client.
• Run the reset dhcp statistics command to clear statistics about DHCP messages sent
and received on a device.
----End

3.13.3 Resetting a DHCP Address Pool

Context
To force a DHCP server to re-allocate IP addresses to clients or to set IP addresses in an
address pool to idle (idle IP addresses will be preferentially allocated), reset an address pool.

Procedure
• Run the following commands to reset address pools on the device.
– Interface address pool:
reset ip pool interface pool-name { start-ip-address [ end-ip-address ] | all |
conflict | expired | used }
– Global address pool:
reset ip pool name ip-pool-name { start-ip-address [ end-ip-address ] | all |
conflict | expired | used }

Parameters in the commands are described in the following table.

Parameter                             Description
start-ip-address [ end-ip-address ]   Resets a range of IP addresses in an address pool.
all                                   Resets all IP addresses in an address pool.
conflict                              Resets conflicting IP addresses in an address pool.
expired                               Resets expired IP addresses in an address pool.
used                                  Resets IP addresses being used in an address pool.

• Run the reset ip pool import { all | dns | domain-name | nbns } command to clear the
DNS and NetBIOS configurations that the address pool automatically obtains and
allocates to the DHCP clients.
• Configure a DHCP relay agent to request a DHCP server to release IP addresses of
clients.

After a DHCP relay agent is configured to request the DHCP server to release IP
addresses of clients, the DHCP relay agent sends DHCP Release messages to the
specified DHCP server. After receiving the message, the DHCP server restores specified
IP addresses to the idle status. Released IP addresses can then be allocated to other
clients. Run the following commands to configure the DHCP relay agent to request the
DHCP server to release IP addresses of clients:

a. Run the system-view command to enter the system view.


b. (Optional) Run the interface interface-type interface-number [.subinterface-number ]
command to enter the interface view or sub-interface view.

c. Run the dhcp relay release client-ip-address mac-address [ vpn-instance
vpn-instance-name ] [ server-ip-address ] command to request the DHCP server to
release IP addresses allocated to DHCP clients.
NOTE

The parameter vpn-instance vpn-instance-name cannot be configured in the interface view.


■ When you run the preceding command in the system view:
○ If no DHCP server is specified, the DHCP relay agent sends DHCP
Release messages to all DHCP servers connected to DHCP relay
interfaces.
○ If a DHCP server is specified, the DHCP relay agent sends DHCP
Release messages to only the specified DHCP server.
■ When you run the preceding command in the interface view:
○ If no DHCP server is specified, the DHCP relay agent sends DHCP
Release messages to the DHCP server connected to this interface.
○ If a DHCP server is specified, the DHCP relay agent sends DHCP
Release messages to only the specified DHCP server.
----End

3.13.4 Locking a DHCP Address Pool


Context
When a DHCP server is migrated, address pools on the DHCP server need to be transferred to
a DHCP server on the live network. To avoid affecting clients that have obtained IP
addresses from the to-be-migrated DHCP server, lock the address pools on the DHCP server.
New users who go online will apply for IP addresses from the new address pool.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip pool ip-pool-name command to enter the global address pool view.

Step 3 Run the lock command to lock the address pool.


By default, address pools on a device are not locked.

----End

3.14 Configuration Examples


This section provides DHCP configuration examples, including the networking requirements
and configuration roadmap.

3.14.1 Example for Configuring the Device as a DHCP Server (Based on the Interface Address Pool)

Networking Requirements
As shown in Figure 3-16, an enterprise plans two network segments for office terminals. The
PCs on the network segment 10.1.1.0/24 are fixed office terminals for employees; the network
segment 10.1.2.0/24 is used for employees on business trips to temporarily access the
network. To facilitate management, the administrator requires that the enterprise terminals
automatically obtain IP addresses and the DNS server IP address. (When users want to use
domain names for access, the DNS server for domain name resolution needs to be
configured.) The PC (Client_1) of the enterprise manager needs to use the fixed IP address
10.1.1.100/24 based on service requirements.

Figure 3-16 Networking diagram of configuring the device as a DHCP server

[Figure 3-16 labels: DNS Server (10.1.1.2/24); IP Network; Router (DHCP Server) with
Eth2/0/0 in VLANIF10 (10.1.1.1/24) and Eth2/0/1 in VLANIF11 (10.1.2.1/24); LSW_1; LSW_2;
DHCP Client_1 (MAC: 286e-d488-b684, IP: 10.1.1.100/24) ... DHCP Client_n;
DHCP Client_s ... DHCP Client_t]

Configuration Roadmap
The configuration roadmap is as follows:

Configure the DHCP server function on the router to dynamically assign IP addresses and the
DNS server address to the terminals on the two network segments of the enterprise. The PCs
on 10.1.1.0/24 are fixed office terminals for employees with the IP address lease of 30 days,
and DHCP Client_1 is assigned with the fixed IP address (10.1.1.100/24) in DHCP static
mode. The network segment 10.1.2.0/24 is used for employees on business trips to
temporarily access the network, with the IP address lease of 2 days.

NOTE

Configure the interface link type and VLANs on the Layer 2 switches LSW_1 and LSW_2 to implement
Layer 2 communication.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable

Step 2 Add interfaces to VLANs.


# Add Eth2/0/0 to VLAN 10.
[Router] vlan batch 10 to 11
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] quit

# Add Eth2/0/1 to VLAN 11.


[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 11
[Router-Ethernet2/0/1] quit

Step 3 Allocate IP addresses to VLANIF interfaces.


# Set an IP address for VLANIF 10.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 24
[Router-Vlanif10] quit

# Set an IP address for VLANIF 11.


[Router] interface vlanif 11
[Router-Vlanif11] ip address 10.1.2.1 24
[Router-Vlanif11] quit

Step 4 Configure the interface address pool.


# Configure the clients connected to VLANIF 10 to obtain IP addresses and other network
parameters from the interface address pool.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp select interface
[Router-Vlanif10] dhcp server lease day 30
[Router-Vlanif10] dhcp server domain-name huawei.com
[Router-Vlanif10] dhcp server dns-list 10.1.1.2
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[Router-Vlanif10] dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
[Router-Vlanif10] quit

# Configure the clients connected to VLANIF 11 to obtain IP addresses and other network
parameters from the interface address pool.
[Router] interface vlanif 11
[Router-Vlanif11] dhcp select interface
[Router-Vlanif11] dhcp server lease day 2
[Router-Vlanif11] dhcp server domain-name huawei.com
[Router-Vlanif11] dhcp server dns-list 10.1.1.2
[Router-Vlanif11] quit

Step 5 Verify the configuration.


# Run the display ip pool command on the router to view the allocation of the interface
address pool. The Used field indicates the number of allocated IP addresses.
[Router] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 251(0) 0 1
-----------------------------------------------------------------------------
[Router] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------

----End
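
The verification step above reads the Used, Idle and Conflict counters by eye. The following added example (not part of the Huawei guide) parses display ip pool output and flags pools that are close to exhaustion or report address conflicts, which is how address depletion shows up on the server side. The column spacing of the sample, the Vlanif12 record and the 10 % idle floor are assumptions made for this illustration.

```python
import re

# Abridged from the "display ip pool interface vlanif10" output in this example,
# followed by one CONSTRUCTED record (Vlanif12) for a nearly exhausted pool.
SAMPLE = """\
[Router] display ip pool interface vlanif10
  Pool-name      : Vlanif10
  Pool-No        : 0
  Lease          : 30 Days 0 Hours 0 Minutes
  Position       : Interface       Status           : Unlocked
  Network        : 10.1.1.0
  Mask           : 255.255.255.0
 -----------------------------------------------------------------------------
  Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254   253     1        251(0)         0        1
 -----------------------------------------------------------------------------
  Pool-name      : Vlanif12
  Pool-No        : 2
  Lease          : 2 Days 0 Hours 0 Minutes
  Position       : Interface       Status           : Unlocked
  Network        : 10.1.3.0
  Mask           : 255.255.255.0
 -----------------------------------------------------------------------------
  Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
  10.1.3.1        10.1.3.254   253   250          1(0)         2        0
 -----------------------------------------------------------------------------
"""

# One address-range row: Start End Total Used Idle(Expired) Conflict Disable
ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$"
)
COUNTERS = ("total", "used", "idle", "expired", "conflict", "disable")
# "Position" and "Status" share one line, so Status is picked out separately.
STATUS = re.compile(r"\bStatus\s*:\s*(\S+)")


def parse_pools(text):
    """Return a list of pools, each with its header fields and range counters."""
    pools, current = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row and current is not None:
            entry = dict(zip(COUNTERS, map(int, row.groups()[2:])))
            entry["start"], entry["end"] = row.group(1), row.group(2)
            current["ranges"].append(entry)
            continue
        if ":" not in line:
            continue  # separators, column headers, echoed commands
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Pool-name":
            current = {"name": value, "fields": {}, "ranges": []}
            pools.append(current)
        elif current is not None:
            status = STATUS.search(value)
            if status:
                current["fields"]["Status"] = status.group(1)
                value = value[:status.start()].strip()
            current["fields"][key] = value
    return pools


def audit(pools, min_idle_ratio=0.10):
    """Flag pools whose idle share is below the floor or that report conflicts."""
    findings = []
    for pool in pools:
        for r in pool["ranges"]:
            if r["total"] and r["idle"] / r["total"] < min_idle_ratio:
                findings.append((pool["name"], "low-idle"))
            if r["conflict"] > 0:
                findings.append((pool["name"], "conflict"))
    return findings


if __name__ == "__main__":
    for name, code in audit(parse_pools(SAMPLE)):
        print(f"{name}: {code}")
```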

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 2 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
return

3.14.2 Example for Configuring the DHCP Server to Allocate Different Network Parameters to Dynamic Clients and Static Clients in the Global Address Pool

Networking Requirements
As shown in Figure 3-17, the router functions as the enterprise egress gateway. The IP phone
and PCs are devices in an office area. To uniformly manage devices and reduce manual
configuration costs, the administrator needs to configure hosts to dynamically obtain IP
addresses through DHCP. The PCs are fixed terminals in the duty room. They should always
be online and use domain names to access network devices. Besides obtaining IP addresses
dynamically, the PCs require an unlimited IP address lease and need to obtain information
about the DNS server. The IP phone uses a fixed IP address 10.1.1.4/24 and its MAC address is
dcd2-fc96-e4c0. Besides obtaining an IP address, the IP phone needs to dynamically obtain the
startup configuration file. The startup configuration file named configuration.ini is saved on
the FTP file server. There are reachable routes between the IP phone and the FTP file server.
The gateway address of the PCs and IP phone is 10.1.1.1/24.

Figure 3-17 Networking diagram of configuring the DHCP server to allocate different
network parameters to dynamic clients and static clients

[Figure 3-17 labels: DNS Server (10.1.1.2/24); FTP Server (10.1.1.3/24); IP Phone
(10.1.1.4/24); PC, PC, PC; Switch; Router (DHCP Server) with GE1/0/0 (10.1.1.1/24); Internet]

Configuration Roadmap
1. Create a DHCP Option template on the router. In the DHCP Option template view,
configure the startup configuration file for the static client IP phone, and configure an IP
address for the network server that provides the startup configuration file.
2. Create a global address pool on the router. In the global address pool view, configure the
IP address lease and information about the DNS server for the dynamic client PCs. Bind
an IP address to the MAC address of the static client IP phone and bind a DHCP Option
template. In this way, the DHCP server can allocate different network parameters to
dynamic and static clients.

Procedure
Step 1 Configure an IP address for the interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Enable DHCP.


[Router] dhcp enable

Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the startup
configuration file for the static client IP phone, and configure an IP address for the network
server that provides the startup configuration file.
[Router] dhcp option template template1
[Router-dhcp-option-template-template1] gateway-list 10.1.1.1
[Router-dhcp-option-template-template1] bootfile configuration.ini
[Router-dhcp-option-template-template1] next-server 10.1.1.3
[Router-dhcp-option-template-template1] quit

Step 4 Create an IP address pool. In the IP address pool view, configure the gateway address, IP
address lease, and IP address of the DNS server for the PCs. Allocate a fixed IP address to the
IP phone and configure the startup configuration file.
[Router] ip pool pool1
[Router-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[Router-ip-pool-pool1] dns-list 10.1.1.2
[Router-ip-pool-pool1] gateway-list 10.1.1.1
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[Router-ip-pool-pool1] lease unlimited
[Router-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
[Router-ip-pool-pool1] quit

Step 5 Enable the DHCP server function on the interface.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] dhcp select global
[Router-GigabitEthernet1/0/0] quit

Step 6 Verify the configuration.


# Run the display ip pool name pool1 command on the router to check the IP address pool
configuration.
[Router] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : unlimited
Domain-name : -
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 247(0) 0 2
-----------------------------------------------------------------------------

# Run the display dhcp option template name template1 command on the router to check
the DHCP Option template configuration.
[Router] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini

----End

Configuration File
Configuration file of the router
#
sysname Router
#
dhcp enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address dcd2-fc96-e4c0 option-template template1
lease unlimited
dns-list 10.1.1.2
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
return


3.14.3 Example for Configuring the Device as a DHCP Relay (Relay and Server Are Located on the Same Network)

Networking Requirements
As shown in Figure 3-18, the DHCP server is deployed on the core device of an enterprise
and is not located on the same network segment as the enterprise's terminals. The enterprise
requires that this DHCP server dynamically allocate IP addresses to the terminals.

Figure 3-18 Networking diagram of configuring the device as a DHCP relay

[Figure: RouterB (DHCP server; Eth2/0/0, VLANIF200 10.10.20.2/24) connects to the Internet and to RouterA (DHCP relay; Eth2/0/0, VLANIF200 10.10.20.1/24). RouterA Eth2/0/1 (VLANIF100 10.20.20.1/24) connects through the LSW to the DHCP clients.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay function on the aggregation device RouterA (user gateway)
so that the device functions as the DHCP relay to forward the DHCP packets between
the terminals and DHCP server.
2. On the core device RouterB, configure the DHCP server based on the global address
pool so that the DHCP server allocates the IP addresses from the global address pool to
the terminals.

NOTE

A Huawei AR Series router is used as an example of the DHCP server (RouterB).


Configure the interface link type and VLANs on the LSW to implement Layer 2 communication.


Procedure
Step 1 Configure the DHCP relay function on RouterA.

# Add interfaces to the VLANs.


<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 100 200
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 100
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port link-type trunk
[RouterA-Ethernet2/0/0] port trunk allow-pass vlan 200
[RouterA-Ethernet2/0/0] quit
[RouterA] interface vlanif 200
[RouterA-Vlanif200] ip address 10.10.20.1 24
[RouterA-Vlanif200] quit

# Enable the DHCP relay function on the interface.


[RouterA] dhcp enable
[RouterA] interface vlanif 100
[RouterA-Vlanif100] ip address 10.20.20.1 24
[RouterA-Vlanif100] dhcp select relay
[RouterA-Vlanif100] dhcp relay server-ip 10.10.20.2
[RouterA-Vlanif100] quit

Step 2 Configure the default route on RouterA.


[RouterA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2

Step 3 Configure the DHCP server function based on the global IP address pool on RouterB.

# Enable the DHCP service.


<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable

# Configure VLANIF 200 to work in global address pool mode.


[RouterB] vlan 200
[RouterB-vlan200] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] port link-type trunk
[RouterB-Ethernet2/0/0] port trunk allow-pass vlan 200
[RouterB-Ethernet2/0/0] quit
[RouterB] interface vlanif 200
[RouterB-Vlanif200] ip address 10.10.20.2 24
[RouterB-Vlanif200] dhcp select global
[RouterB-Vlanif200] quit

# Create an address pool and set the attributes of the address pool.
[RouterB] ip pool pool1
[RouterB-ip-pool-pool1] network 10.20.20.0 mask 24
[RouterB-ip-pool-pool1] gateway-list 10.20.20.1
[RouterB-ip-pool-pool1] option121 ip-address 10.10.20.0 24 10.20.20.1
[RouterB-ip-pool-pool1] quit

Step 4 Configure the default route on RouterB.


[RouterB] ip route-static 0.0.0.0 0.0.0.0 10.10.20.1

Step 5 Verify the configuration.


# Run the display dhcp relay interface vlanif 100 command on RouterA to view the DHCP
relay configuration.
[RouterA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server IP address [00] : 10.10.20.2
Gateway address in use : 10.20.20.1

# Run the display ip pool name pool1 command on RouterB to view the allocation of the
address pool. The Used field indicates the number of allocated IP addresses.
[RouterB] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
Option-code : 121
Option-subcode : --
Option-type : hex
Option-value : 18640A1414141401
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.20.20.1
Network : 10.20.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.20.20.1 10.20.20.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------

----End
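
The Option-value field in the output above is the hex encoding of DHCP option 121 (classless static routes, RFC 3442): one octet of mask width, the significant octets of the destination, then the four-octet next hop. The following added example (not part of the original guide) decodes that field and compares it with the route configured in Step 3; the function names are illustrative.

```python
import ipaddress

# Value printed in the sample "display ip pool name pool1" output above.
DISPLAYED_VALUE = "18640A1414141401"
# Route configured in Step 3: option121 ip-address 10.10.20.0 24 10.20.20.1
CONFIGURED_ROUTES = [("10.10.20.0/24", "10.20.20.1")]


def encode_option121(routes):
    """Encode [(destination CIDR, next hop), ...] as option 121 data (upper-case hex)."""
    out = bytearray()
    for cidr, next_hop in routes:
        net = ipaddress.IPv4Network(cidr)        # rejects host bits in the destination
        out.append(net.prefixlen)                # 1 octet: width of the subnet mask
        # Only the octets covered by the mask are transmitted.
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(next_hop).packed   # 4 octets: router address
    return out.hex().upper()


def decode_option121(hex_value):
    """Decode option 121 hex data into [(destination CIDR, next hop), ...]."""
    data = bytes.fromhex(hex_value)
    routes, pos = [], 0
    while pos < len(data):
        width = data[pos]
        if width > 32:
            raise ValueError(f"invalid mask width {width} at offset {pos}")
        significant = (width + 7) // 8
        end = pos + 1 + significant + 4
        if end > len(data):
            raise ValueError(f"truncated route descriptor at offset {pos}")
        # Pad the significant octets back to a full four-octet address.
        dest = ipaddress.IPv4Address(data[pos + 1:pos + 1 + significant] + bytes(4 - significant))
        net = ipaddress.IPv4Network(f"{dest}/{width}", strict=False)
        router = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((str(net), str(router)))
        pos = end
    return routes


def is_well_formed(hex_value):
    """True if the value parses as a sequence of complete route descriptors."""
    try:
        decode_option121(hex_value)
        return True
    except ValueError:
        return False


def audit_option121(hex_value, approved_routes):
    """Return (routes pushed but not approved, approved routes that are missing)."""
    pushed = set(decode_option121(hex_value))
    approved = {(str(ipaddress.IPv4Network(c)), str(ipaddress.IPv4Address(g)))
                for c, g in approved_routes}
    return sorted(pushed - approved), sorted(approved - pushed)


if __name__ == "__main__":
    print("configured route encodes to:", encode_option121(CONFIGURED_ROUTES))
    print("displayed value decodes to: ", decode_option121(DISPLAYED_VALUE))
    print("unexpected / missing:       ", audit_option121(DISPLAYED_VALUE, CONFIGURED_ROUTES))
```

Decoded this way, the sample Option-value shown above is 100.10.20.0/24 via 20.20.20.1, whereas the route configured in Step 3 (10.10.20.0/24 via 10.20.20.1) encodes to 180A0A140A141401, so compare the value on your own device with your configuration rather than with the sample output.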

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type access
port default vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return


- Configuration file of RouterB
#
sysname RouterB
#
vlan batch 200
#
dhcp enable
#
ip pool pool1
gateway-list 10.20.20.1
network 10.20.20.0 mask 255.255.255.0
option121 ip-address 10.10.20.0 24 10.20.20.1
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.1
#
return

3.14.4 Example for Configuring a Device as the DHCP Relay Agent (Connected to the DHCP Server Across a BGP/MPLS IP VPN Tunnel)

Networking Requirements
As shown in Figure 3-19, branch 1 and branch 2 of an enterprise are connected to the
headquarters through BGP/MPLS IP VPN tunnels to implement secure interconnection. CE_1
and CE_2 are the egress gateways of branch 1 and branch 2, respectively. For service
isolation, branch 1 and branch 2 are deployed in vpna and vpnb, respectively. The enterprise
administrator deploys a DHCP server in the headquarters and a multi-VPN-instance customer
edge (MCE) as the headquarters egress gateway so that the DHCP server can allocate IP
addresses on 10.1.1.0/24 to terminals in branch 1 and branch 2.


Figure 3-19 Networking diagram for configuring a device as the DHCP relay agent

[Figure: DHCP clients on 10.1.1.0/24 in branch 1 (vpna) and branch 2 (vpnb) connect to the DHCP relay agents CE_1 and CE_2 (GE0/0/1 toward the clients, GE0/0/2 toward PE_1). PE_1 (Loopback0 10.10.10.9/32; GE2/0/0, GE1/0/0, GE3/0/0) connects to PE_2 (Loopback0 10.20.20.9/32; GE2/0/0, GE1/0/0), which connects to GE0/0/1 of the MCE (DHCP server).]

Configuration Roadmap
1. Configure OSPF between PE_1 and PE_2 to implement interworking between them and
configure MP-IBGP to exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on PE_1 and PE_2 to set up LDP
LSPs.
3. Create VPN instances vpna and vpnb on the MCE, PE_1, and PE_2 to isolate services.
4. Set up EBGP peer relationships between PE_1 and its connected CEs, and import BGP
routes to the VPN routing table of PE_1.
5. Configure the MCE as the DHCP server to allocate IP addresses from the global address
pool to terminals in branch 1 and branch 2.
6. Configure the DHCP relay function on CE_1 and CE_2 to forward DHCP messages
between the DHCP server and terminals so that the terminals can apply to the DHCP
server for IP addresses.
7. Configure the terminals to dynamically obtain IP addresses from the DHCP server.


Procedure
Step 1 Configure IP addresses for the interfaces.

# Configure the egress gateway CE_1 of branch 1.


<Huawei> system-view
[Huawei] sysname CE_1
[CE_1] interface gigabitEthernet 0/0/1
[CE_1-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[CE_1-GigabitEthernet0/0/1] quit
[CE_1] interface gigabitEthernet 0/0/2
[CE_1-GigabitEthernet0/0/2] ip address 10.1.2.1 24
[CE_1-GigabitEthernet0/0/2] quit

# Configure the egress gateway CE_2 of branch 2.


<Huawei> system-view
[Huawei] sysname CE_2
[CE_2] interface gigabitEthernet 0/0/1
[CE_2-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[CE_2-GigabitEthernet0/0/1] quit
[CE_2] interface gigabitEthernet 0/0/2
[CE_2-GigabitEthernet0/0/2] ip address 10.1.2.1 24
[CE_2-GigabitEthernet0/0/2] quit

# Configure PE_1.
<Huawei> system-view
[Huawei] sysname PE_1
[PE_1] interface loopback 0
[PE_1-LoopBack0] ip address 10.10.10.9 32
[PE_1-LoopBack0] quit
[PE_1] interface gigabitethernet 3/0/0
[PE_1-GigabitEthernet3/0/0] ip address 10.1.3.1 24
[PE_1-GigabitEthernet3/0/0] quit

# Configure PE_2.
<Huawei> system-view
[Huawei] sysname PE_2
[PE_2] interface loopback 0
[PE_2-LoopBack0] ip address 10.20.20.9 32
[PE_2-LoopBack0] quit
[PE_2] interface gigabitethernet 2/0/0
[PE_2-GigabitEthernet2/0/0] ip address 10.1.3.2 24
[PE_2-GigabitEthernet2/0/0] quit

Step 2 Configure OSPF routes between PE_1 and PE_2.

# Configure PE_1.
[PE_1] ospf 1
[PE_1-ospf-1] area 0
[PE_1-ospf-1-area-0.0.0.0] network 10.10.10.9 0.0.0.0
[PE_1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[PE_1-ospf-1-area-0.0.0.0] quit
[PE_1-ospf-1] quit

# Configure PE_2.
[PE_2] ospf 1
[PE_2-ospf-1] area 0
[PE_2-ospf-1-area-0.0.0.0] network 10.20.20.9 0.0.0.0
[PE_2-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[PE_2-ospf-1-area-0.0.0.0] quit
[PE_2-ospf-1] quit


# After the configuration is complete, PE_1 and PE_2 set up the OSPF neighbor relationship.
Run the display ip routing-table command on PE_1 and PE_2 to view the routes to each
other.

Step 3 Configure basic MPLS capabilities and MPLS LDP on PE_1 and PE_2 to set up LDP LSPs.
# Configure PE_1.
[PE_1] mpls lsr-id 10.10.10.9
[PE_1] mpls
[PE_1-mpls] quit
[PE_1] mpls ldp
[PE_1-mpls-ldp] quit
[PE_1] interface gigabitethernet 3/0/0
[PE_1-GigabitEthernet3/0/0] mpls
[PE_1-GigabitEthernet3/0/0] mpls ldp
[PE_1-GigabitEthernet3/0/0] quit

# Configure PE_2.
[PE_2] mpls lsr-id 10.20.20.9
[PE_2] mpls
[PE_2-mpls] quit
[PE_2] mpls ldp
[PE_2-mpls-ldp] quit
[PE_2] interface gigabitethernet 2/0/0
[PE_2-GigabitEthernet2/0/0] mpls
[PE_2-GigabitEthernet2/0/0] mpls ldp
[PE_2-GigabitEthernet2/0/0] quit

# After the configuration is complete, PE_1 and PE_2 set up LDP sessions. Run the display
mpls ldp session command on PE_1 and PE_2. The command output shows that the Status
field is Operational. Run the display mpls ldp lsp command. Information about the
established LDP LSPs is displayed.

Step 4 Configure VPN instances on the MCE, PE_1, and PE_2.
# Configure PE_1.
[PE_1] ip vpn-instance vpna
[PE_1-vpn-instance-vpna] ipv4-family
[PE_1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE_1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE_1-vpn-instance-vpna-af-ipv4] quit
[PE_1-vpn-instance-vpna] quit
[PE_1] ip vpn-instance vpnb
[PE_1-vpn-instance-vpnb] ipv4-family
[PE_1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE_1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE_1-vpn-instance-vpnb-af-ipv4] quit
[PE_1-vpn-instance-vpnb] quit
[PE_1] interface gigabitethernet 2/0/0
[PE_1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[PE_1-GigabitEthernet2/0/0] ip address 10.1.2.2 24
[PE_1-GigabitEthernet2/0/0] quit
[PE_1] interface gigabitethernet 1/0/0
[PE_1-GigabitEthernet1/0/0] ip binding vpn-instance vpnb
[PE_1-GigabitEthernet1/0/0] ip address 10.1.2.2 24
[PE_1-GigabitEthernet1/0/0] quit

# Configure PE_2.
[PE_2] ip vpn-instance vpna
[PE_2-vpn-instance-vpna] ipv4-family
[PE_2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE_2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE_2-vpn-instance-vpna-af-ipv4] quit
[PE_2-vpn-instance-vpna] quit
[PE_2] ip vpn-instance vpnb
[PE_2-vpn-instance-vpnb] ipv4-family
[PE_2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE_2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE_2-vpn-instance-vpnb-af-ipv4] quit
[PE_2-vpn-instance-vpnb] quit
[PE_2] interface gigabitethernet 1/0/0.1
[PE_2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE_2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE_2-GigabitEthernet1/0/0.1] ip address 10.1.4.2 24
[PE_2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE_2-GigabitEthernet1/0/0.1] quit
[PE_2] interface gigabitethernet 1/0/0.2
[PE_2-GigabitEthernet1/0/0.2] dot1q termination vid 20
[PE_2-GigabitEthernet1/0/0.2] ip binding vpn-instance vpnb
[PE_2-GigabitEthernet1/0/0.2] ip address 10.1.5.2 24
[PE_2-GigabitEthernet1/0/0.2] arp broadcast enable
[PE_2-GigabitEthernet1/0/0.2] quit

# Configure the MCE.


<Huawei> system-view
[Huawei] sysname MCE
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[MCE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[MCE-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface gigabitethernet 0/0/1.1
[MCE-GigabitEthernet0/0/1.1] ip binding vpn-instance vpna
[MCE-GigabitEthernet0/0/1.1] dot1q termination vid 10
[MCE-GigabitEthernet0/0/1.1] ip address 10.1.4.1 24
[MCE-GigabitEthernet0/0/1.1] arp broadcast enable
[MCE-GigabitEthernet0/0/1.1] quit
[MCE] interface gigabitethernet 0/0/1.2
[MCE-GigabitEthernet0/0/1.2] ip binding vpn-instance vpnb
[MCE-GigabitEthernet0/0/1.2] dot1q termination vid 20
[MCE-GigabitEthernet0/0/1.2] ip address 10.1.5.1 24
[MCE-GigabitEthernet0/0/1.2] arp broadcast enable
[MCE-GigabitEthernet0/0/1.2] quit

Step 5 Set up the MP-IBGP peer relationship between PE_1 and PE_2.
# Configure PE_1.
[PE_1] bgp 100
[PE_1-bgp] peer 10.20.20.9 as-number 100
[PE_1-bgp] peer 10.20.20.9 connect-interface loopback 0
[PE_1-bgp] ipv4-family vpnv4
[PE_1-bgp-af-vpnv4] peer 10.20.20.9 enable
[PE_1-bgp-af-vpnv4] quit
[PE_1-bgp] ipv4-family vpn-instance vpna
[PE_1-bgp-vpna] import-route direct
[PE_1-bgp-vpna] quit
[PE_1-bgp] ipv4-family vpn-instance vpnb
[PE_1-bgp-vpnb] import-route direct
[PE_1-bgp-vpnb] quit
[PE_1-bgp] quit

# Configure PE_2.
[PE_2] bgp 100
[PE_2-bgp] peer 10.10.10.9 as-number 100
[PE_2-bgp] peer 10.10.10.9 connect-interface loopback 0
[PE_2-bgp] ipv4-family vpnv4
[PE_2-bgp-af-vpnv4] peer 10.10.10.9 enable
[PE_2-bgp-af-vpnv4] quit
[PE_2-bgp] ipv4-family vpn-instance vpna
[PE_2-bgp-vpna] import-route direct
[PE_2-bgp-vpna] quit
[PE_2-bgp] ipv4-family vpn-instance vpnb
[PE_2-bgp-vpnb] import-route direct
[PE_2-bgp-vpnb] quit
[PE_2-bgp] quit

# After the configuration is complete, run the display bgp peer command on PE_1 and PE_2.
The command output shows that the MP-IBGP peer relationship has been set up between PEs
and the relationship is in Established state.

Step 6 Configure EBGP peer relationships between CE_1 and PE_1 and between CE_2 and PE_1.
# Configure the egress gateway CE_1 of branch 1.
[CE_1] bgp 65410
[CE_1-bgp] peer 10.1.2.2 as-number 100
[CE_1-bgp] ipv4-family unicast
[CE_1-bgp-af-ipv4] undo synchronization
[CE_1-bgp-af-ipv4] import-route direct
[CE_1-bgp-af-ipv4] quit
[CE_1-bgp] quit

# Configure the egress gateway CE_2 of branch 2.


[CE_2] bgp 65411
[CE_2-bgp] peer 10.1.2.2 as-number 100
[CE_2-bgp] ipv4-family unicast
[CE_2-bgp-af-ipv4] undo synchronization
[CE_2-bgp-af-ipv4] import-route direct
[CE_2-bgp-af-ipv4] quit
[CE_2-bgp] quit

# Configure PE_1.
[PE_1] bgp 100
[PE_1-bgp] ipv4-family vpn-instance vpna
[PE_1-bgp-vpna] peer 10.1.2.1 as-number 65410
[PE_1-bgp-vpna] import-route direct
[PE_1-bgp-vpna] quit
[PE_1-bgp] ipv4-family vpn-instance vpnb
[PE_1-bgp-vpnb] peer 10.1.2.1 as-number 65411
[PE_1-bgp-vpnb] import-route direct
[PE_1-bgp-vpnb] quit
[PE_1-bgp] quit

Step 7 Configure OSPF multi-instance between the MCE and PE_2.


# Configure PE_2.

NOTE

To configure OSPF multi-instance between the MCE and PE_2, perform the following tasks on PE_2:
- In the OSPF view, import BGP routes and advertise VPN routes of PE_1 to the MCE.
- In the BGP view, import routes of the OSPF processes and advertise the VPN routes of the MCE to PE_1.

[PE_2] ospf 100 vpn-instance vpna
[PE_2-ospf-100] import-route bgp
[PE_2-ospf-100] area 0
[PE_2-ospf-100-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[PE_2-ospf-100-area-0.0.0.0] quit
[PE_2-ospf-100] quit
[PE_2] ospf 200 vpn-instance vpnb
[PE_2-ospf-200] import-route bgp
[PE_2-ospf-200] area 0
[PE_2-ospf-200-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[PE_2-ospf-200-area-0.0.0.0] quit
[PE_2-ospf-200] quit
[PE_2] bgp 100
[PE_2-bgp] ipv4-family vpn-instance vpna
[PE_2-bgp-vpna] import-route ospf 100
[PE_2-bgp-vpna] quit
[PE_2-bgp] ipv4-family vpn-instance vpnb
[PE_2-bgp-vpnb] import-route ospf 200
[PE_2-bgp-vpnb] quit
[PE_2-bgp] quit

# Configure the MCE.

NOTE

Import VPN routes to the OSPF processes.


[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

# After the configuration is complete, run the display ip routing-table vpn-instance
command on the MCE to view the routes to the remote CEs.

# Run the display ip routing-table vpn-instance command on PE_1 to view the routes to the
remote CEs.

Step 8 Configure the MCE as the DHCP server.

# Enable the DHCP service.


[MCE] dhcp enable

# Create global address pools pool1 and pool2 to allocate IP addresses to terminals in branch
1 and branch 2.
[MCE] ip pool pool1
[MCE-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[MCE-ip-pool-pool1] vpn-instance vpna
[MCE-ip-pool-pool1] gateway-list 10.1.1.1
[MCE-ip-pool-pool1] quit
[MCE] ip pool pool2
[MCE-ip-pool-pool2] network 10.1.1.0 mask 255.255.255.0
[MCE-ip-pool-pool2] vpn-instance vpnb
[MCE-ip-pool-pool2] gateway-list 10.1.1.1
[MCE-ip-pool-pool2] quit

# Configure clients to obtain IP addresses from the global address pools.


[MCE] interface gigabitethernet 0/0/1.1
[MCE-GigabitEthernet0/0/1.1] dhcp select global
[MCE-GigabitEthernet0/0/1.1] quit
[MCE] interface gigabitethernet 0/0/1.2
[MCE-GigabitEthernet0/0/1.2] dhcp select global
[MCE-GigabitEthernet0/0/1.2] quit

Step 9 Configure CE_1 and CE_2 as the DHCP relay agents.


# Configure the egress gateway CE_1 of branch 1.


[CE_1] dhcp enable
[CE_1] interface gigabitEthernet 0/0/1
[CE_1-GigabitEthernet0/0/1] dhcp select relay
[CE_1-GigabitEthernet0/0/1] dhcp relay server-ip 10.1.4.1
[CE_1-GigabitEthernet0/0/1] quit

# Configure the egress gateway CE_2 of branch 2.


[CE_2] dhcp enable
[CE_2] interface gigabitEthernet 0/0/1
[CE_2-GigabitEthernet0/0/1] dhcp select relay
[CE_2-GigabitEthernet0/0/1] dhcp relay server-ip 10.1.5.1
[CE_2-GigabitEthernet0/0/1] quit

Step 10 Verify the configuration.


# Run the display ip pool name command on the MCE to view IP address allocation in the
address pools. The command output for pool1 is used as an example. The Used field displays
the number of used IP addresses in an address pool.
[MCE] display ip pool name pool1
Pool-name : pool1
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : vpna
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 252(0) 0 0

-----------------------------------------------------------------------------

----End

Configuration Files
- Configuration file of PE_1
#
sysname PE_1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.10.10.9
mpls
#
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.1.3.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpnb
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpna
ip address 10.1.2.2 255.255.255.0
#
interface LoopBack0
ip address 10.10.10.9 255.255.255.255
#
bgp 100
peer 10.20.20.9 as-number 100
peer 10.20.20.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.20.20.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.20.20.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.2.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.1.2.1 as-number 65411
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.10.10.9 0.0.0.0
#
return
- Configuration file of PE_2
#
sysname PE_2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.20.20.9
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.1.3.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.4.2 255.255.255.0
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.1.5.2 255.255.255.0
#
interface LoopBack0
ip address 10.20.20.9 255.255.255.255
#
bgp 100
peer 10.10.10.9 as-number 100
peer 10.10.10.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.10.10.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.10.10.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route direct
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.20.20.9 0.0.0.0
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.1.4.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
return
- Configuration file of CE_1
#
sysname CE_1
#
dhcp enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.4.1
#
interface GigabitEthernet0/0/2
ip address 10.1.2.1 255.255.255.0
#
bgp 65410
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable
#
return
- Configuration file of CE_2
#
sysname CE_2
#
dhcp enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.5.1
#
interface GigabitEthernet0/0/2
ip address 10.1.2.1 255.255.255.0
#
bgp 65411
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable
#
return
- Configuration file of the MCE
#
sysname MCE
#
dhcp enable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
ip pool pool1
vpn-instance vpna
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
ip pool pool2
vpn-instance vpnb
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.4.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.1.5.1 255.255.255.0
dhcp select global
#
ospf 100 vpn-instance vpna
vpn-instance-capability simple
area 0.0.0.0
network 10.1.4.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
vpn-instance-capability simple
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
return
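
In this topology both address pools serve 10.1.1.0/24 and both relay agents use 10.1.1.1, so the only thing that separates branch 1 from branch 2 is the VPN instance of the MCE interface that each relay targets. The following added example (not part of the original guide) cross-checks the configuration files above for that; it assumes the server selects the pool whose VPN instance matches the receiving interface and whose network contains the relay's interface address, and the function names are illustrative.

```python
import ipaddress

# Constructed excerpts: only the DHCP-related stanzas of the configuration files above.
MCE = """
ip pool pool1
 vpn-instance vpna
 network 10.1.1.0 mask 255.255.255.0
#
ip pool pool2
 vpn-instance vpnb
 network 10.1.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/1.1
 ip binding vpn-instance vpna
 ip address 10.1.4.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1.2
 ip binding vpn-instance vpnb
 ip address 10.1.5.1 255.255.255.0
 dhcp select global
"""
RELAY = """
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip {server}
"""
CE_1 = RELAY.format(server="10.1.4.1")          # as in the CE_1 configuration file
CE_2 = RELAY.format(server="10.1.5.1")          # as in the CE_2 configuration file
BRANCH_VPN = {"CE_1": "vpna", "CE_2": "vpnb"}   # from the networking requirements


def stanzas(config):
    """Yield each stanza ('#'-separated) as a list of word lists."""
    for chunk in config.split("\n#"):
        block = [l.split() for l in chunk.splitlines() if l.strip() not in ("", "#")]
        if block:
            yield block


def parse_server(config):
    """Return (pools, interfaces keyed by IP address) of the DHCP server."""
    pools, ifaces = [], {}
    for head, *body in stanzas(config):
        if head[:2] == ["ip", "pool"]:
            pool = {"name": head[2], "vpn": None, "net": None}
            for w in body:
                if w[0] == "vpn-instance":
                    pool["vpn"] = w[1]
                elif w[0] == "network" and len(w) == 4:
                    pool["net"] = ipaddress.ip_network(f"{w[1]}/{w[3]}")
            pools.append(pool)
        elif head[0] == "interface":
            iface = {"vpn": None, "global": ["dhcp", "select", "global"] in body}
            for w in body:
                if w[:3] == ["ip", "binding", "vpn-instance"]:
                    iface["vpn"] = w[3]
                elif w[:2] == ["ip", "address"] and len(w) == 4:
                    ifaces[ipaddress.ip_address(w[2])] = iface
    return pools, ifaces


def parse_relays(config):
    """Return [(giaddr, server_ip), ...] for each relay-enabled interface."""
    relays = []
    for head, *body in stanzas(config):
        if head[0] == "interface" and ["dhcp", "select", "relay"] in body:
            addrs = [w[2] for w in body if w[:2] == ["ip", "address"] and len(w) == 4]
            servers = [w[3] for w in body if w[:3] == ["dhcp", "relay", "server-ip"]]
            relays += [(ipaddress.ip_address(addrs[0]), ipaddress.ip_address(s))
                       for s in servers if addrs]
    return relays


def check_relay(device, relay_config, server_config):
    """Return (selected pool or None, findings) for one relay agent."""
    pools, ifaces = parse_server(server_config)
    selected, findings = None, []
    for giaddr, server_ip in parse_relays(relay_config):
        iface = ifaces.get(server_ip)
        if iface is None or not iface["global"]:
            findings.append(f"{device}: {server_ip} is not a 'dhcp select global' interface")
            continue
        if iface["vpn"] != BRANCH_VPN[device]:
            findings.append(f"{device}: {server_ip} is bound to {iface['vpn']}, "
                            f"expected {BRANCH_VPN[device]}")
        # Assumed selection rule: same VPN instance as the receiving interface, network covers giaddr.
        match = [p["name"] for p in pools
                 if p["vpn"] == iface["vpn"] and p["net"] and giaddr in p["net"]]
        if len(match) == 1:
            selected = match[0]
        else:
            findings.append(f"{device}: {len(match)} pools in {iface['vpn']} cover {giaddr}")
    return selected, findings


if __name__ == "__main__":
    for device, config in (("CE_1", CE_1), ("CE_2", CE_2)):
        print(device, check_relay(device, config, MCE))
```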

3.14.5 Example for Configuring a DHCP Client

Networking Requirements
As shown in Figure 3-20, GE0/0/1 on the router is enabled with the DHCP client function,
and dynamically obtains network information such as IP addresses from the carrier's DHCP
server.

GE0/0/2 on the router is enabled with the DHCP server function, and allocates information
such as IP addresses and gateway addresses to the connected PCs. In addition, the function
that lets the address pool of GE0/0/2 automatically obtain the DNS and NetBIOS server
configurations is enabled on the router, so that the configurations assigned to PCs are
the same as those assigned by the carrier.

Figure 3-20 Networking diagram of configuring a DHCP client

[Figure: GE0/0/1 of the router (DHCP client) connects to the carrier's DHCP server on the Internet side; GE0/0/2 (192.168.1.1/24, DHCP server) connects through the LAN switch to the PC.]

Configuration Roadmap
1. Enable the DHCP client function on GE0/0/1 so that the router can dynamically obtain
IP addresses, DNS and NetBIOS server configurations from the DHCP server.
2. Enable the DHCP server function on GE0/0/2 to use the interface address pool for
address allocation. Enable the function of automatically obtaining DNS and NetBIOS
server configurations to assign network parameters such as IP addresses, DNS and
NetBIOS server configurations to PCs.

NOTE

Before the configuration, ensure that the devices on the network can communicate with each other.
In this example, the carrier's DHCP server will deliver the configurations to the router. The configurations
include the DNS server address 10.1.2.1, domain name suffix huawei, and NetBIOS server address 10.1.3.1.
Configure the carrier's DHCP server before configuring the router.


Procedure
Step 1 Configure the DHCP client function on GE0/0/1.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address dhcp-alloc
[Router-GigabitEthernet0/0/1] quit

Step 2 Enable the DHCP server function on GE0/0/2 to use the interface address pool for address
allocation, and enable the function of automatically obtaining DNS and NetBIOS server
configurations.
1. Enable the DHCP service.
[Router] dhcp enable

2. Configure GE0/0/2 to work in interface address pool mode.


[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 192.168.1.1 24
[Router-GigabitEthernet0/0/2] dhcp select interface

3. Enable the function of automatically obtaining DNS and NetBIOS server configurations
on GE0/0/2.
[Router-GigabitEthernet0/0/2] dhcp server import all
[Router-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.


# Run the display dhcp client command on the router to view the status of the DHCP client
function.
[Router] display dhcp client
DHCP client lease information on interface GigabitEthernet0/0/1 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : 5489-98f7-310f
IP address : 10.1.5.254
Subnet mask : 255.255.255.0
Gateway ip address : 10.1.5.1
DHCP server : 10.1.5.1
Lease obtained at : 2015-02-10 08:47:41
Lease expires at : 2015-02-11 08:47:41
Lease renews at : 2015-02-10 20:47:41
Lease rebinds at : 2015-02-11 05:47:41
Domain name : huawei
DNS : 10.1.2.1
NBNS : 10.1.3.1

# Run the display ip pool import all command to view the DNS and NetBIOS server
configurations dynamically obtained by the router.
[Router] display ip pool import all
-----------------------------------------------------------------------------
Parameter Update time Protocol Value
-----------------------------------------------------------------------------
domain-name 2015-02-10 08:47:41 dhcp huawei
dns-server 2015-02-10 08:47:41 dhcp 10.1.2.1
nbns-server 2015-02-10 08:47:41 dhcp 10.1.3.1
-----------------------------------------------------------------------------

----End

Example
Configuration file of the router


#
sysname Router
#
dhcp enable
#
interface GigabitEthernet0/0/1
ip address dhcp-alloc
#
interface GigabitEthernet0/0/2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server import all
#
return

3.14.6 Example for Configuring a BOOTP Client

Networking Requirements
As shown in Figure 3-21, RouterA functions as the BOOTP client to dynamically obtain
information including the IP address, DNS server address, and gateway address from the
DHCP server (RouterB).

Figure 3-21 Networking diagram for configuring a BOOTP client

(Diagram: RouterA, the BOOTP client, connects through GE0/0/1 to GE0/0/1 (192.168.1.1/24) on
RouterB, the DHCP server. The DNS server is at 192.168.2.2/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure RouterA as the BOOTP client to dynamically obtain the IP address from the
DHCP server.
2. Create a global address pool on RouterB and set corresponding attributes.

Procedure
Step 1 Configure the BOOTP client function on RouterA.
# Enable the BOOTP client function on GE0/0/1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address bootp-alloc


Step 2 Create a global address pool on RouterB and set corresponding attributes.
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable
[RouterB] dhcp server bootp
[RouterB] dhcp server bootp automatic

# Configure GE0/0/1 to work in global address pool mode.


[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 192.168.1.1 24
[RouterB-GigabitEthernet0/0/1] dhcp select global
[RouterB-GigabitEthernet0/0/1] quit

# Create an address pool and set corresponding attributes.


[RouterB] ip pool pool1
[RouterB-ip-pool-pool1] network 192.168.1.0 mask 24
[RouterB-ip-pool-pool1] gateway-list 192.168.1.1
[RouterB-ip-pool-pool1] dns-list 192.168.2.2
[RouterB-ip-pool-pool1] quit

Step 3 Verify the configuration.


# On interface GE0/0/1, run the display this command to view the BOOTP client
configuration.
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] display this
#

interface GigabitEthernet0/0/1
ip address bootp-alloc

return
[RouterA-GigabitEthernet0/0/1] quit

# After GE0/0/1 obtains an IP address, run the display dhcp client command on RouterA to
view the status of the BOOTP client on GE0/0/1.
[RouterA] display dhcp client
BOOTP client lease information on interface GigabitEthernet0/0/1 :
Current machine state : Bound
Internet address assigned via : BOOTP
Physical address : 5489-98f7-310f
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.1
Lease obtained at : 2015-02-10 16:03:43
DNS : 192.168.2.2

# Run the display ip pool name pool1 command on RouterB to view the address pool
configuration. The Used field displays the number of used IP addresses in an address pool.
[RouterB] display ip pool name pool1
Pool-name : pool1
Pool-No : 5
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 192.168.2.2
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.1
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------

----End

Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet0/0/1
ip address bootp-alloc
#
return

• Configuration file of RouterB
#
sysname RouterB
#
dhcp enable
#
dhcp server bootp automatic
#
ip pool pool1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 192.168.2.2
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
return

3.14.7 Example for Configuring a DHCP Server in a Super-VLAN


Networking Requirements
As shown in Figure 3-22, an enterprise has two departments that are allocated the same
network segment to save IP address resources. Users in departments A and B belong to
different VLANs. For unified management, the enterprise administrator requires that a
DHCP server be deployed to dynamically allocate IP addresses to terminals in the
departments. Layer 3 communication is required between users in different departments to
meet service requirements.


Figure 3-22 Networking diagram for configuring a DHCP server in a super-VLAN


(Diagram: on the Router, Eth0/0/1 and Eth0/0/2 connect Department A in VLAN 2, and Eth0/0/3 and
Eth0/0/4 connect Department B in VLAN 3. Super-VLAN 4 has VLANIF4 at 10.1.1.12/24.)

Configuration Roadmap
1. Configure sub-VLANs on the Router to implement Layer 2 isolation between users in
different sub-VLANs. The sub-VLANs are on the same network segment, which reduces
the amount of required IP address resources.
2. Configure proxy ARP on the VLANIF interface of the super-VLAN to implement Layer
3 communication among sub-VLANs.
3. Configure a DHCP server in the super-VLAN to dynamically allocate IP addresses to
terminals in departments A and B.

Procedure
Step 1 Create VLAN 2, and add Eth0/0/1 and Eth0/0/2 to VLAN 2. Create VLAN 3, and add
Eth0/0/3 and Eth0/0/4 to VLAN 3.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 to 4
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port link-type access
[Router-Ethernet0/0/1] port default vlan 2
[Router-Ethernet0/0/1] quit
[Router] interface ethernet 0/0/2
[Router-Ethernet0/0/2] port link-type access
[Router-Ethernet0/0/2] port default vlan 2
[Router-Ethernet0/0/2] quit
[Router] interface ethernet 0/0/3
[Router-Ethernet0/0/3] port link-type access
[Router-Ethernet0/0/3] port default vlan 3
[Router-Ethernet0/0/3] quit
[Router] interface ethernet 0/0/4
[Router-Ethernet0/0/4] port link-type access
[Router-Ethernet0/0/4] port default vlan 3
[Router-Ethernet0/0/4] quit

Step 2 Configure a super-VLAN to implement VLAN aggregation.


# Configure the super-VLAN.


[Router] vlan 4
[Router-vlan4] aggregate-vlan
[Router-vlan4] access-vlan 2 to 3
[Router-vlan4] quit

# Configure the VLANIF interface.


[Router] interface vlanif 4
[Router-Vlanif4] ip address 10.1.1.12 255.255.255.0

Step 3 Configure proxy ARP.


[Router-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[Router-Vlanif4] quit

Step 4 Configure a DHCP server based on the interface address pool on VLANIF 4 to dynamically
allocate IP addresses to terminals in sub-VLANs.
[Router] dhcp enable
[Router] interface vlanif 4
[Router-Vlanif4] dhcp select interface
[Router-Vlanif4] quit

Step 5 Verify the configuration.


# After the configuration is complete, run the display ip pool interface vlanif4 command on
the Router to view IP address allocation in the address pool. The Used field displays the
number of used IP addresses in an address pool.
[Router] display ip pool interface vlanif4
Pool-name : Vlanif4
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.12
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 249(0) 0 0
-----------------------------------------------------------------------------

----End

Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 2 to 4
#

dhcp enable
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
dhcp select interface
#
interface Ethernet0/0/1
port link-type access
port default vlan 2
#
interface Ethernet0/0/2
port link-type access
port default vlan 2
#
interface Ethernet0/0/3
port link-type access
port default vlan 3
#
interface Ethernet0/0/4
port link-type access
port default vlan 3
#
return

3.15 Common Misconfigurations


This section describes common faults caused by incorrect configurations and provides the
troubleshooting procedure.

3.15.1 The IP Address Obtained by a Client Conflicts with the IP Address of Another Client


Table 3-11 Locating and troubleshooting the fault

Possible Cause:
The IP address is manually configured for another host on the network. The DHCP server does
not exclude this IP address from the address pool, leading to the IP address conflict.

Troubleshooting Procedure:
Disable the network adapter of the client or disconnect the network cable. Then, perform a
ping operation on another host to check whether the host with this IP address exists. If the
ping operation is successful, the IP address has been manually configured.

Solution:
• Change the manually configured IP address of the host.
• Exclude the conflicting IP address from the address pool on the DHCP server by running
either of the following commands: dhcp server excluded-ip-address for an interface address
pool or excluded-ip-address for a global address pool.
• Release the conflicting IP address of the client and apply for a new IP address. A PC
running on Windows 7 is used as an example. Run the cmd command to enter the DOS
environment. Run the ipconfig/release command to release the IP address and then run the
ipconfig/renew command to apply for a new IP address.
To prevent clients from obtaining conflicting IP addresses, configure IP address conflict
detection on the DHCP server. When an IP address conflict is detected, the DHCP server
allocates another available IP address. For details, see 3.9.3.7 (Optional) Configuring IP
Address Conflict Detection Before a DHCP Server Allocates IP Addresses.

3.15.2 A Client Fails to Obtain an IP Address from a DHCP Server


Table 3-12 Locating and troubleshooting the fault

Possible Cause:
The configuration is incorrect.

Troubleshooting Procedure:
On the DHCP server:
• Run the display ip pool command to check whether an address pool on the same network
segment as the client is configured, and check whether the configuration is correct.
• If a DHCP relay agent is deployed between the DHCP server and client, check whether a
route to the network segment of the client is configured on the DHCP server.
On the DHCP relay agent:
• Run the display dhcp relay command to check whether the DHCP relay agent is correctly
configured.
• In the view of the interface connected to the client, run the display this command to
check whether DHCP relay is enabled on the interface.

Solution:
On the DHCP server:
Modify the configuration based on the network plan. For details, see 3.9 Configuring a DHCP
Server.
On the DHCP relay agent:
• Modify the configuration based on the network plan. For details, see 3.10 Configuring a
DHCP Relay Agent.
• In the view of the interface connected to the client, run the dhcp select relay command
to enable DHCP relay on the interface.

Possible Cause:
The address pool has no available IP addresses.

Troubleshooting Procedure:
Run the display ip pool command to check whether there are available IP addresses in the
address pool. The Idle(Expired) field displays the number of idle IP addresses in the address
pool. If the value of this field is 0, there are no available IP addresses in the address pool.

Solution:
Determine the number of DHCP clients on the network.
• If the number of DHCP clients is larger than the number of available IP addresses in the
address pool, increase the range of IP addresses in the address pool by using either of the
following methods: Run the ip address ip-address { mask | mask-length } command in the
interface view to reduce the mask length. Or run the network ip-address [ mask { mask |
mask-length } ] command in the global address pool view to reduce the mask length.
• If the number of DHCP clients is less than the number of available IP addresses in the
address pool, check whether the lease is too long and whether the DHCP server reclaims IP
addresses of offline or disconnected clients. If the lease is too long, shorten the lease of
IP addresses in the address pool. For details, see 3.9.3.5 (Optional) Configuring an Address
Lease Time. In locations where clients often move (cafes, for example), clients' online time
generally does not exceed one day. In this situation, reduce the default lease (one day) of
IP addresses assigned by a device functioning as a DHCP server.

Possible Cause:
STP is enabled on access devices of some diskless workstations.

Troubleshooting Procedure:
The timeout period of DHCP Discover messages sent from clients is shorter than the STP
convergence time. The DHCP server cannot receive DHCP Discover messages and therefore cannot
allocate IP addresses to the diskless workstations.

Solution:
Disable STP on access devices of the diskless workstations.

3.15.3 It Takes a Long Time for a DHCP Client to Obtain an IP Address from a DHCP Server

Table 3-13 Locating and troubleshooting the fault

Possible Cause:
Multiple DHCP servers are deployed on the network.

Troubleshooting Procedure:
If multiple DHCP servers are deployed on the same network segment as the DHCP client, the
client accepts the first DHCP Offer message.

Solution:
Configure DHCP snooping on the access device of the client so that the client receives DHCP
messages only from the trusted DHCP server.
For detailed configuration of DHCP snooping on the Huawei AR Series IOT Gateway, see DHCP
Snooping Configuration in Huawei AR Series IOT Gateway Configuration Guide - Security.

Possible Cause:
Broadcast traffic suppression is configured.

Troubleshooting Procedure:
Check whether broadcast traffic suppression is configured between the DHCP server and client.
If the number of DHCP Discover messages broadcast on the network exceeds the threshold, the
DHCP Discover messages may be discarded.

Solution:
Set the broadcast traffic suppression threshold based on the service volume.

Possible Cause:
A malicious attack occurs.

Troubleshooting Procedure:
Run the display cpu-defend statistics command to check statistics about packets sent to the
CPU of the DHCP server. If a large number of DHCP messages simultaneously sent from one MAC
address are discarded, this MAC address is the source of a DHCP flood attack.

Solution:
Add this MAC address to the blacklist. For detailed configuration, see Configuring CPU Attack
Defense in Huawei AR Series IOT Gateway Configuration Guide - Security - Local Attack Defense
Configuration.

Possible Cause:
The STP function is enabled on the DHCP server or relay.

Troubleshooting Procedure:
By default, the STP function is enabled. If the STP function is enabled on the DHCP server or
relay, address allocation may be slow.

Solution:
If the STP function does not need to be enabled, run the undo stp enable command to disable
it.

3.15.4 A DHCP Client Can Obtain an IP Address Through the DHCP Relay Agent, but Cannot Access
the Internet

Table 3-14 Troubleshooting roadmap and solution

Possible Cause:
The DHCP client does not obtain the egress gateway address.

Troubleshooting Roadmap:
The DHCP client can obtain an IP address through the DHCP relay agent, but cannot access the
Internet or ping the DHCP server. The phenomenon indicates that the DHCP relay agent and DHCP
server work properly. The possible cause is that the DHCP client does not obtain the egress
gateway address. Run the display ip pool command to check whether the egress gateway address
for DHCP clients is configured in the address pool. If the Gateway-0 field in the command
output displays -, the egress gateway address for DHCP clients is not configured in the
address pool.

Solution:
Run the gateway-list ip-address &<1-8> command in the global address pool view of the DHCP
server to configure the egress gateway address for DHCP clients.
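
The display ip pool checks used in 3.15.1, 3.15.2 and 3.15.4 can be run over saved command output. The following Python script is an added example, not part of the Huawei guide: it parses output in the layout shown in 3.14.6 and reports a non-zero Conflict column, an Idle(Expired) count of 0, and a Gateway-0 field of -. The sample output, the function names and the one-day lease review threshold are constructed assumptions.

```python
import re

# Constructed sample: two pools in the "display ip pool" layout shown in this guide.
SAMPLE_OUTPUT = """\
Pool-name : pool1
Pool-No : 5
Lease : 1 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.1
Network : 192.168.1.0
Mask : 255.255.255.0
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
Pool-name : guest
Pool-No : 6
Lease : 1 Days 0 Hours 0 Minutes
Position : Local Status : Unlocked
Gateway-0 : -
Network : 10.9.0.0
Mask : 255.255.255.240
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.9.0.1 10.9.0.14 14 12 0(0) 2 0
-----------------------------------------------------------------------------
"""

FIELD_RE = re.compile(r"^\s*(Pool-name|Lease|Gateway-0)\s*:\s*(.*?)\s*$")
LEASE_RE = re.compile(r"(\d+)\s+Days\s+(\d+)\s+Hours\s+(\d+)\s+Minutes")
# Start End Total Used Idle(Expired) Conflict Disable
ROW_RE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s+"
    r"(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$"
)


def parse_pools(text):
    """Return one dict per pool found in 'display ip pool' style output."""
    pools, current = [], None
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field:
            key, value = field.groups()
            if key == "Pool-name":
                current = {"name": value, "lease_minutes": None, "gateway": None}
                pools.append(current)
            elif current is not None and key == "Lease":
                lease = LEASE_RE.search(value)
                if lease:
                    days, hours, minutes = map(int, lease.groups())
                    current["lease_minutes"] = (days * 24 + hours) * 60 + minutes
            elif current is not None and key == "Gateway-0":
                current["gateway"] = value
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            total, used, idle, expired, conflict, disable = map(int, row.groups()[2:])
            current.update(total=total, used=used, idle=idle, expired=expired,
                           conflict=conflict, disable=disable)
    return pools


def findings(pool, lease_review_minutes=24 * 60):
    """Map one parsed pool onto the checks in section 3.15.

    lease_review_minutes is an assumed threshold (the one-day default lease).
    """
    notes = []
    if pool.get("conflict", 0) > 0:
        notes.append("conflict: %d address(es) in the Conflict column (3.15.1)"
                     % pool["conflict"])
    if pool.get("idle") == 0:
        note = "exhausted: Idle(Expired) is 0, no address can be allocated (3.15.2)"
        if (pool.get("lease_minutes") or 0) >= lease_review_minutes:
            note += "; lease is one day or longer, review it before widening the pool"
        notes.append(note)
    if pool.get("gateway") == "-":
        notes.append("no-gateway: Gateway-0 is '-', clients get no egress gateway (3.15.4)")
    return notes


def audit(text):
    """Return {pool name: [findings]} for every pool that needs attention."""
    report = {}
    for pool in parse_pools(text):
        notes = findings(pool)
        if notes:
            report[pool["name"]] = notes
    return report


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_OUTPUT).items():
        for note in notes:
            print(name + ": " + note)
```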


3.16 FAQ
This section provides answers to frequently asked questions (FAQs) about the use of DHCP.

3.16.1 How Can I Ensure that a DHCP Client Selects the Correct
DHCP Server?
A DHCP client sends a DHCP Discover message in broadcast mode. When there are multiple
DHCP servers including bogus DHCP servers on a network segment, the DHCP client accepts
only the first received DHCP Offer message and therefore may obtain an unexpected IP
address from a bogus DHCP server. To ensure that a client obtains an IP address from the
correct DHCP server, configure DHCP snooping on the client.

For detailed configuration of DHCP snooping, see DHCP Snooping Configuration in Huawei
AR Series IOT Gateway Configuration Guide - Security.
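
What DHCP snooping enforces on the access device can also be checked offline from captured server replies, which covers both this FAQ and the "Multiple DHCP servers" row of Table 3-13. The following Python script is an added example, not part of the Huawei guide: it parses DHCP reply payloads and reports Offer and ACK messages whose server identifier is not on a trusted list, plus transactions answered by more than one server. The trusted list, the sample replies and the function names are constructed assumptions.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5


def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP message (RFC 2131 fixed header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {"op": op, "xid": xid,
           "yiaddr": socket.inet_ntoa(payload[16:20]),
           "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
           "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ipv4_list(raw):
    """Decode an option value holding one or more 4-byte IPv4 addresses."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit_replies(payloads, trusted_servers):
    """Report server replies that a trusted-server policy would not accept."""
    results, servers_by_xid = [], {}
    for payload in payloads:
        msg = parse_dhcp(payload)
        opts = msg["options"]
        raw_type = opts.get(OPT_MSG_TYPE, b"")
        mtype = raw_type[0] if raw_type else 0
        if msg["op"] != BOOTREPLY or mtype not in (DHCPOFFER, DHCPACK):
            continue
        ids = ipv4_list(opts.get(OPT_SERVER_ID, b""))
        server = ids[0] if ids else "unknown"
        seen = servers_by_xid.setdefault(msg["xid"], [])
        if server not in seen:
            seen.append(server)
        if server not in trusted_servers:
            results.append({
                "kind": "untrusted-server", "xid": msg["xid"], "server": server,
                "client": msg["chaddr"], "offered": msg["yiaddr"],
                "router": ipv4_list(opts.get(OPT_ROUTER, b"")),
                "dns": ipv4_list(opts.get(OPT_DNS, b"")),
            })
    # One transaction answered by several servers: the client takes whichever came first.
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            results.append({"kind": "competing-servers", "xid": xid, "servers": servers})
    return results


def build_reply(xid, mac, yiaddr, server, mtype, router=(), dns=()):
    """Build a constructed BOOTREPLY payload for the sample data below."""
    def opt(code, data):
        return bytes([code, len(data)]) + data
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        bytes(4), socket.inet_aton(yiaddr), socket.inet_aton(server),
                        bytes(4), bytes.fromhex(mac.replace("-", "")), b"", b"")
    options = opt(OPT_MSG_TYPE, bytes([mtype])) + opt(OPT_SERVER_ID, socket.inet_aton(server))
    if router:
        options += opt(OPT_ROUTER, b"".join(socket.inet_aton(a) for a in router))
    if dns:
        options += opt(OPT_DNS, b"".join(socket.inet_aton(a) for a in dns))
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


# Assumption: the only legitimate server is 192.168.1.1, as in the BOOTP example of 3.14.6.
TRUSTED_SERVERS = {"192.168.1.1"}
# Constructed sample: 192.168.1.66 is an unexpected server answering the same Discover.
SAMPLE_REPLIES = [
    build_reply(0x1234, "5489-98f7-310f", "192.168.1.200", "192.168.1.66", DHCPOFFER,
                router=["192.168.1.66"], dns=["192.168.1.66"]),
    build_reply(0x1234, "5489-98f7-310f", "192.168.1.254", "192.168.1.1", DHCPOFFER,
                router=["192.168.1.1"], dns=["192.168.2.2"]),
    build_reply(0x5678, "5489-98f7-310f", "192.168.1.254", "192.168.1.1", DHCPACK,
                router=["192.168.1.1"], dns=["192.168.2.2"]),
]

if __name__ == "__main__":
    for item in audit_replies(SAMPLE_REPLIES, TRUSTED_SERVERS):
        print(item)
```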

3.16.2 How Can I Configure a PC to Release and Update Its IP Address?
This section describes how to release and update a PC's IP address that is dynamically
obtained through DHCP.

• Release the IP address.
Commands to release an IP address vary for different operating systems. For details, see
the user documentation of your operating system. The commands for some common
operating systems are as follows:
– For Windows 7, run the ipconfig/release command.
– For MS-DOS of Windows 98, run the winipcfg/release command.
– For Unix-like operating systems, run the dhclient -r command.
The PC sends a DHCP Release message to instruct the DHCP server to release its IP
address.
• Renew the IP address lease or apply for a new IP address.
Commands to renew the IP address lease or apply for a new IP address are the same on
the same operating system. To apply for a new IP address, release the original IP address
of the PC first. To renew the IP address lease, you do not need to release the IP address
in advance.
Commands to apply for a new IP address vary with the operating systems. For details,
see the user documentation of your operating system. The commands for some common
operating systems are as follows:
– For Windows 7, run the ipconfig/renew command.
– For MS-DOS of Windows 98, run the winipcfg/renew command.
– For Unix-like operating systems, run the dhclient command.
The PC sends a DHCP Discover message to apply to the DHCP server for an IP address.


3.16.3 When Both the DHCP Server and Relay Functions Are
Enabled on an Interface, Which Function Is Processed
Preferentially?
When both the DHCP server function and the DHCP relay function are enabled on an
interface, the DHCP server function is processed preferentially. The local DHCP server that is
on the same network segment as the interface's IP address is used preferentially to allocate IP
addresses. If the local DHCP server cannot allocate IP addresses, a remote DHCP server
allocates IP addresses through the DHCP relay agent.


4 DNS Configuration

About This Chapter

This chapter describes the principles, basic functions and configuration procedures of DNS,
and provides configuration examples.

4.1 DNS Overview


This section describes the definition and purpose of DNS.
4.2 Principles
This section describes the implementation of DNS.
4.3 Applications
This section describes the applicable scenario of DNS.
4.4 Configuration Notes
This section provides the points of attention when configuring DNS.
4.5 Configuring the DNS Client
This section describes how to configure the industrial switch router as a DNS client to allow
users to use domain names to access other devices.
4.6 Configuring DNS Proxy or Relay
The device can function as a DNS proxy or relay to forward DNS request and reply packets
and provide domain name resolution for DNS clients.
4.7 Configuring the DDNS Client
The device functions as the DDNS client. When the IP address corresponding to the domain
name changes, the DDNS client can notify the DNS server to update the mapping between the
domain name and the IP address on the DNS server. This ensures that users can successfully
access servers on the network using domain names.
4.8 Maintaining DNS
Maintaining DNS includes clearing dynamic DNS entries, clearing DNS forwarding entries,
updating DDNS policies, and monitoring DNS running status.
4.9 Configuration Examples
This section provides DNS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.


4.10 Common Configuration Errors


This section describes common faults caused by incorrect DNS configurations and provides
the troubleshooting procedure.

4.1 DNS Overview


This section describes the definition and purpose of DNS.

Definition
Domain Name System (DNS) is a distributed database used in TCP and IP applications and
completes resolution between IP addresses and domain names.

Purpose
Each host on the network is identified by an IP address. To access a host, a user must obtain
the host IP address first. It is difficult for users to remember IP addresses of hosts. Therefore,
host names in the format of strings are designed. Each host name maps an IP address. In this
way, users can use the simple and meaningful domain names instead of the complicated IP
addresses to access hosts.

4.2 Principles
This section describes the implementation of DNS.

4.2.1 Working Principle of DNS

Domain name resolution is classified into dynamic resolution and static resolution that
complement each other. During domain name resolution, static resolution is preferentially
used. If static resolution fails, dynamic resolution is used. Dynamic DNS resolution takes a
period of time, and the cooperation of the DNS server is required. To improve the domain
name resolution efficiency, you are advised to add commonly used domain names to a static
domain name resolution table.

Static DNS
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. To
obtain the IP address by resolving a domain name, domain names are resolved based on the
static domain name resolution table. In this manner, the efficiency of domain name resolution
is improved.

Dynamic DNS
User programs, such as ping and tracert, access the DNS server using the resolver of the DNS
client.

Figure 4-1 shows the relationship between user programs, the resolver, the DNS server, and
the cache on the resolver.


Figure 4-1 Dynamic DNS

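(Diagram: on the local host, the user program exchanges requests and responses with the
resolver. The resolver saves entries to and reads them from the cache, and exchanges requests
and responses with the DNS server. The resolver and the cache together form the DNS client.)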

The DNS client, consisting of the resolver and the cache, is used to accept and respond to the
DNS queries from user programs. Generally, user programs (ping, tracert), the cache, and the
resolver are on the same host, whereas the DNS server is on another host.

Working Process of the Dynamic DNS


1. When a user accesses some applications by domain name, the user program sends a
request to the resolver on the DNS client.
2. After receiving the request, the resolver searches the local domain name cache.
– If the domain name matches an entry in the local cache, the resolver sends the
corresponding IP address to the user program.
– If the domain name matches no entry in the local cache, the resolver sends a query
message to the DNS server.
3. When receiving the query message, the DNS server first checks whether the domain
name to be resolved is in an authorized sub-domain. Then, the DNS server sends a
response packet according to the check result.
– If the domain name is in an authorized sub-domain, the DNS server searches for the
corresponding IP address in the local database.
– If the domain name is out of authorized sub-domains, the DNS server sends a query
message to a higher-level DNS server. This process continues until the DNS server
finds the corresponding IP address or detects that the corresponding IP address of
the domain name does not exist. Then the DNS server returns a result to the DNS
client.
4. After receiving the response packet from the DNS server, the DNS client sends the
resolution result to the user program.
Mappings between domain names and IP addresses are stored in the dynamic domain
name cache. When resolving a domain name that is stored in the cache, the DNS client
obtains the corresponding IP address from the cache directly and does not send a query
message to the DNS server. Mappings stored in the cache will be deleted when the aging
time expires to ensure that the latest mappings can be obtained from the DNS server. The
aging time is set by the DNS server. The DNS client obtains the aging time from
protocol packets.

Domain Name Suffix List


Dynamic domain name resolution supports the domain name suffix list. Users can preset
domain name suffixes. Users only need to enter partial content of a domain name, and the
system adds a suffix to the domain name for resolution. For example, a user has set the
domain name suffix com in the suffix list. To visit huawei.com, the user only needs to enter
huawei. The system adds the suffix com to the domain name.
When the domain name suffix list is used, the resolution modes vary according to domain
names entered by users.
• If a user enters a domain name without a dot (.), for example, huawei, the system
identifies it as a host name and adds a suffix to the domain name for resolution. If the
resolution fails, the system resolves the entered domain name.
• If a user enters a domain name with a dot (.), for example, www.huawei or
huawei.com., the system resolves the domain name. If the resolution fails, the system
adds a suffix to the domain name for resolution.
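
The lookup order described in this section (static table first, then the dynamic cache with its aging time, then the DNS server, with suffix-list candidates ordered by whether the entered name contains a dot) is shown below as an added Python example, not Huawei's implementation. The class names, the stub server and the 192.0.2.x addresses are constructed. Applying the static table only to the name as entered and stripping a trailing dot before appending a suffix are assumptions.

```python
class FakeClock:
    """Manually advanced clock so cache aging can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class StubServer:
    """Stands in for the DNS server and records every query it receives."""
    def __init__(self, records):
        self.records = records          # name -> (ip, aging time in seconds)
        self.queries = []

    def __call__(self, name):
        self.queries.append(name)
        return self.records.get(name.rstrip(".").lower())


class Resolver:
    def __init__(self, static_table, suffixes, query_server, clock):
        self.static = {k.lower(): v for k, v in static_table.items()}
        self.suffixes = list(suffixes)
        self.query_server = query_server
        self.clock = clock
        self.cache = {}                 # name -> (ip, expiry time)

    def candidates(self, name):
        """Names to try for dynamic resolution, in the order the suffix rules give."""
        base = name.rstrip(".")
        suffixed = [base + "." + suffix for suffix in self.suffixes]
        if "." in name:
            return [name] + suffixed    # name with a dot: as entered first
        return suffixed + [name]        # host name without a dot: suffixes first

    def resolve(self, name):
        """Return (ip, source, name that resolved); source is static, cache or server."""
        key = name.rstrip(".").lower()
        if key in self.static:          # static resolution is used preferentially
            return self.static[key], "static", name
        for candidate in self.candidates(name):
            ckey = candidate.rstrip(".").lower()
            hit = self.cache.get(ckey)
            if hit and hit[1] > self.clock():
                return hit[0], "cache", candidate
            self.cache.pop(ckey, None)  # aged out: drop it and ask the server again
            answer = self.query_server(candidate)
            if answer is None:
                continue
            ip, aging_time = answer
            if aging_time > 0:          # an aging time of 0 is never served from cache
                self.cache[ckey] = (ip, self.clock() + aging_time)
            return ip, "server", candidate
        return None, "failed", name


def demo():
    """Run a fixed sequence of lookups and return (results, queries seen by the server)."""
    clock = FakeClock()
    server = StubServer({
        "huawei.com": ("192.0.2.10", 60),
        "www.huawei.com": ("192.0.2.20", 0),
    })
    resolver = Resolver({"gw.lab": "192.0.2.1"}, ["com"], server, clock)
    steps = [resolver.resolve("gw.lab"),      # answered from the static table
             resolver.resolve("huawei"),      # suffix added first, server queried
             resolver.resolve("huawei")]      # answered from the cache
    clock.now = 61                            # past the 60-second aging time
    steps.append(resolver.resolve("huawei"))
    steps.append(resolver.resolve("www.huawei"))
    steps.append(resolver.resolve("www.huawei"))
    return steps, server.queries


if __name__ == "__main__":
    results, queries = demo()
    for result in results:
        print(result)
    print("server queries:", queries)
```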

Query Type
Class-A query is a common type of query, which is used to obtain the IP address
corresponding to a specified domain name. For example, when you ping or tracert a domain
name, the ping or tracert, as a user program, sends a query to the DNS client for the IP
address corresponding to the domain name. If the corresponding IP address does not exist on
the DNS client, the DNS client sends a Class-A query to the DNS server to obtain the
corresponding IP address.

4.2.2 Working Principle of DNS Proxy or Relay


DNS proxy or relay is used to forward DNS request and reply packets between the DNS client
and DNS server. The DNS client sends DNS request packets to the DNS proxy or relay. The
DNS proxy or relay forwards request packets to the DNS server and sends reply packets to the
DNS client. After DNS proxy or relay is enabled, if the IP address of the DNS server changes,
you only need to change the configuration on the DNS proxy or relay.
DNS relay is similar to DNS proxy. The difference is that the DNS proxy searches for DNS
entries saved in the local domain name cache after receiving DNS query messages from DNS
clients. If requested DNS entries are not saved in the cache, DNS query messages are
forwarded to the DNS server. The DNS relay, however, directly forwards DNS query
messages to the DNS server. This saves DNS cache resources on the DNS relay and ensures
that the DNS client obtains real-time resolution results. (The client obtains wrong resolution
results if domain names and IP addresses change on the DNS server but the cache table on the
DNS proxy is not updated in time.)
The application environments of DNS relay and DNS proxy are similar. Figure 4-2 shows
the typical networking of DNS proxy.


Figure 4-2 Working Principle of DNS proxy


(Diagram: several DNS clients connect to the DNS proxy, which reaches the DNS server across
the Internet.)

The working process of DNS proxy is as follows:


1. The DNS client sends a request packet to the DNS proxy. The DNS proxy IP address is
the destination address of the request packet.
2. After receiving the request packet, the DNS proxy searches for DNS entries saved in the
local domain name resolution tables. If mapping information exists, the DNS proxy
sends a reply packet carrying the resolution result to the DNS client.
3. If no mapping information exists, the DNS proxy sends the request packet to the DNS
server for resolution.
4. After receiving the reply packet from the DNS server, the DNS proxy records the
resolution result and forwards the reply packet to the DNS client.

4.2.3 Working Principle of DNS Spoofing


When the DNS server IP address is not configured or the route to the DNS server does not
exist on the DNS proxy or relay that is enabled with DNS spoofing, the DNS proxy or relay
sends a spoofing IP address as the domain name resolution result to any DNS client that sends
a DNS query message.
DNS spoofing is applied to a dial-up network, as shown in Figure 4-3.

Figure 4-3 DNS spoofing application scenario

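(Diagram: Host A and Host B, both DNS clients, connect to the device that acts as the DNS
proxy with DNS spoofing enabled. The device reaches the ISP, the DNS server, and the HTTP
server through its dialer interface.)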


As shown in Figure 4-3, the device functions as the DNS proxy and connects to the network
using the dial-up interface. The dial-up interface is triggered to set up a connection only when
data packets are forwarded by the dial-up interface. When the device functions as the DNS
proxy, hosts A and B consider the device as the DNS server. When the dial-up connection is
set up, the device obtains the DNS server IP address using DHCP.
When a device that is not enabled with DNS spoofing receives a DNS query message from a
DNS client and finds no matching entry, it sends a DNS query message to the DNS server. If
the dial-up connection is not set up, the device cannot obtain the DNS server IP address, so
it neither sends a DNS query message to the DNS server nor responds to the request from
the DNS client. The domain name resolution fails, and no data packet traffic triggers the
dial-up interface to set up a connection.
DNS spoofing enables the device to send a spoofing IP address to the DNS client that sends a
DNS query message regardless of whether the DNS server IP address is configured or the
route to the DNS server exists on the device. Data packets sent by the DNS client then trigger
the dial-up interface to set up a connection.
As shown in Figure 4-3, a DNS client wants to access the HTTP server. The process is
described as follows:
1. A DNS client sends a DNS query message to the DNS proxy for resolving the HTTP
server domain name to an IP address.
2. After receiving the DNS query message, the DNS proxy cannot send the correct IP
address to the DNS client because no matching entry is found locally, no dial-up
connection is set up, and the DNS server IP address is not obtained. The DNS proxy
sends the spoofing IP address as the resolution result to the DNS client. The aging time
of a DNS resolution response message is 0. A reachable route between the DNS client
and the IP address in the response message must exist. The outbound interface of the
route is the dial-up interface.
3. After receiving the response message, the host sends an HTTP request to the IP address
in the response message.
4. The DNS proxy forwards the HTTP request using the dial-up interface. The traffic
triggers the dial-up interface to set up a connection with the DNS server. Then the DNS
proxy obtains the DNS server IP address using DHCP.
5. After the DNS resolution response message is aged, the DNS client sends a DNS query
message again.
6. The DNS proxy sends the correct IP address to the DNS client.
7. After obtaining the correct HTTP server IP address, the DNS client can access the HTTP
server.
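
The proxy lookup order from 4.2.2 and the dial-on-demand sequence above, modelled in Python as an added example (not Huawei code). The class, the addresses and the DHCP-learned server are constructed for illustration; the guide states an aging time only for the spoofing reply, so other answers carry no TTL here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

DHCP_ASSIGNED_SERVER = "198.51.100.53"   # constructed: server learned after dial-up


class Answer(NamedTuple):
    ip: str
    ttl: Optional[int]   # None: the guide states no TTL for this case
    source: str          # "static", "cache", "server" or "spoof"


@dataclass
class DnsProxyModel:
    """Hypothetical model of the proxy behaviour described in 4.2.2 and 4.2.3."""
    upstream: Dict[str, str]                  # answers the real DNS server would give
    spoofing_ip: Optional[str] = None         # models "dns spoofing ip-address"
    static_hosts: Dict[str, str] = field(default_factory=dict)  # models "ip host"
    cache: Dict[str, str] = field(default_factory=dict)
    link_up: bool = False                     # dial-up connection state
    server_ip: Optional[str] = None           # unknown until the link is up

    def query(self, name: str) -> Optional[Answer]:
        """Answer a client query, or return None when the proxy stays silent."""
        key = name.rstrip(".").lower()
        # Local tables are searched first.
        if key in self.static_hosts:
            return Answer(self.static_hosts[key], None, "static")
        if key in self.cache:
            return Answer(self.cache[key], None, "cache")
        # No local entry: forward only if a DNS server is known and reachable.
        if self.link_up and self.server_ip is not None:
            ip = self.upstream.get(key)
            if ip is None:
                return None                   # unknown name; not covered by the page
            self.cache[key] = ip              # record the result, then relay it
            return Answer(ip, None, "server")
        # Server unreachable: spoofing reply with aging time 0, never cached.
        if self.spoofing_ip is not None:
            return Answer(self.spoofing_ip, 0, "spoof")
        return None

    def forward_data(self, dst_ip: str) -> None:
        """Client traffic routed out of the dialer interface dials the link."""
        if not self.link_up:
            self.link_up = True
            self.server_ip = DHCP_ASSIGNED_SERVER


def dial_on_demand_trace(spoofing: bool) -> List[Optional[Answer]]:
    """Replay the seven-step sequence and one later record change."""
    upstream = {"www.example.com": "203.0.113.80"}        # constructed record
    proxy = DnsProxyModel(upstream=upstream,
                          spoofing_ip="192.0.2.1" if spoofing else None)
    trace: List[Optional[Answer]] = []
    first = proxy.query("www.example.com")                # steps 1-2
    trace.append(first)
    if first is not None:
        proxy.forward_data(first.ip)                      # steps 3-4: HTTP request
    trace.append(proxy.query("www.example.com"))          # steps 5-6: re-query
    # The record changes on the server; the proxy keeps serving its cached copy.
    upstream["www.example.com"] = "203.0.113.99"
    trace.append(proxy.query("www.example.com"))
    return trace


if __name__ == "__main__":
    for enabled in (False, True):
        print("spoofing enabled:", enabled)
        for answer in dial_on_demand_trace(enabled):
            print("   ", answer)
```

Without spoofing the client never receives an address, so nothing dials the link. With spoofing the third answer shows the stale-cache case noted for DNS proxy in 4.2.2.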

4.2.4 Working Principle of DDNS

DDNS Overview
DNS resolves domain names into IP addresses so that you can access network nodes using
domain names. DNS provides static mappings between domain names and IP addresses.
When IP addresses of nodes change, the DNS server cannot dynamically update mappings. If a
user uses the original domain name to access the node, the access fails because the IP
address mapped to the domain name is incorrect. The Dynamic Domain Name
System (DDNS) updates mappings between domain names and the IP addresses on the DNS
server to ensure that the IP address can be resolved correctly.

DDNS Working Mode


DDNS works in client/server mode. Two update modes are available:
• DDNS update mode (defined by RFC 2136): The device functioning as a DDNS
client dynamically updates the mapping between domain names and IP addresses on the
DNS server.
• Update mode implemented through the DDNS server: The device functioning as a
DDNS client sends the mapping between domain names and IP addresses to the DDNS
server with a specified URL. The DDNS server then informs the DNS server to
dynamically update the mapping between domain names and IP addresses. Figure 4-4
shows the networking diagram.

Figure 4-4 Typical DDNS networking for the update mode implemented through the
DDNS server
[Figure: DNS server, HTTP server (DDNS client), Internet, HTTP client, DDNS server]

– DDNS client: When an IP address changes, the DNS server needs to update the
mapping between the domain name and IP address. Internet users use domain
names to access servers that provide application-layer services, such as HTTP and
FTP servers. When the IP address of a server changes, the server functions as a
DDNS client and sends a request for updating the mapping between the domain
name and the IP address to the DDNS server.
– DDNS server: After receiving the DDNS update request, the DDNS server instructs
the DNS server to dynamically update the mapping between the domain name and
the IP address on the DNS server to ensure that the IP address can be resolved
correctly and Internet users can access the DDNS client using the domain name.
No unified standard is defined for the DDNS update process. DDNS update processes
are different on different DDNS servers. DDNS servers are provided at www.3322.org,
www.oray.cn, and www.dyndns.com.


4.3 Applications
This section describes the applicable scenario of DNS.

4.3.1 DNS Client Application


Figure 4-5 shows typical networking of a DNS client.

Figure 4-5 Typical networking of a DNS client
[Figure: RouterA (DNS client), RouterB (DNS client), DNS server]

As shown in Figure 4-5, the device functions as a DNS client and can dynamically obtain the
corresponding IP address of a domain name from a DNS server. This facilitates user
communication.

4.3.2 DNS Proxy Application


Figure 4-6 shows the typical networking of DNS proxy.

Figure 4-6 Typical networking of DNS proxy
[Figure: DNS clients, DNS proxy, Internet, DNS server]

After being configured with DNS proxy, the device can forward DNS request and reply
packets between the internal DNS clients and external DNS server. When the DNS server
address changes, you only need to configure the DNS proxy, not the DNS clients. This
facilitates centralized network management.

4.4 Configuration Notes


This section provides the points of attention when configuring DNS.

Involved Network Elements


Other network elements are not required.

License Support
DNS is a basic feature of the device and is not under license control.

Feature Dependencies and Limitations


None

4.5 Configuring the DNS Client


This section describes how to configure the industrial switch router as a DNS client to allow
users to use domain names to access other devices.

Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
• Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
• Configuring a route between the industrial switch router and the DNS server

4.5.1 Configuring the Static Domain Name Resolution

Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. Static
domain name resolution can be performed based on the static domain name resolution table.
To obtain the IP address by resolving a domain name, the client searches the static domain
name resolution table for the specified domain name. In this manner, the efficiency of domain
name resolution is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:


ip host host-name ip-address

Static DNS entries are configured.


By default, no static DNS entries are configured.

----End

Follow-up Procedure
Each host name can be mapped to only one IP address. When multiple IP addresses are
mapped to a host name, only the latest configuration takes effect. If multiple host names need
to be resolved, repeat step 2.
You can configure a maximum of 50 static DNS entries.

4.5.2 Configuring the Dynamic Domain Name Resolution


Context
For dynamic domain name resolution, the DNS server needs to provide the mapping between
domain names and IP addresses and receive domain name resolution requests from clients.
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure the IP
address of DNS server, configure a source IP address for the local device to receive DNS
packets, and configure a domain name suffix. The DNS server IP address and domain name
suffix can be dynamically obtained using DHCP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns resolve

Dynamic domain name resolution is enabled.


By default, dynamic DNS resolution is disabled.
Step 3 Run:
dns server ip-address

The IP address of the DNS server is configured.


By default, no IP address of the DNS server is configured.
A maximum of six DNS server IP (IPv4 and IPv6) addresses can be configured on the device.
Step 4 (Optional) Run:
dns server source-ip ip-address

The source IP address is configured for the local device to receive DNS packets.
By default, no source IP address is configured for the local device to receive DNS packets.
Step 5 (Optional) Run:


dns-server-select-algorithm { fixed | auto }

The mode in which the device selects a DNS server is configured.

By default, the device selects a DNS server in auto mode.

Step 6 (Optional) Run:


dns domain domain-name

A domain name suffix is configured.

By default, no domain name suffix is configured on a DNS client.

A maximum of ten domain name suffixes can be configured on the device.

----End

4.5.3 (Optional) Associating a DNS Server with NQA

Context
After a DNS server is associated with NQA, the device sends a query packet only to the DNS
server in Up state during dynamic domain name resolution. This improves the domain name
resolution efficiency.

Procedure
Step 1 Configure and start NQA test instances. A DNS server can be associated with NQA test
instances of the DNS and ICMP types. According to the test mechanism, NQA test instances
of the DNS type are used to test whether the DNS server function is normal; those of the
ICMP type are used to test whether routes to the DNS server are reachable. You can select one
NQA test instance type based on the site requirements.
• Configuring and starting an NQA test instance of the DNS type
a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dns

The test instance type is set to DNS.


By default, no test type is configured for an NQA test instance.
d. Run:
dns-server ipv4 ip-address

The DNS server address is configured.


By default, no DNS server address is configured.


NOTE
Ensure that the configured DNS server address is the same as that specified in the dns
server ip-address track nqa admin-name test-name command. If the addresses are different,
the NQA check result will not match the associated DNS server.
e. Run:
destination-address url urlstring

The destination host name is configured.


By default, no test destination host name is configured.
f. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
g. Run:
start

The NQA test instance is started.


An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
▪ Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
▪ Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
▪ Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
h. Run:
quit

Exit from the NQA test instance view.


• Configuring and starting an NQA test instance of the ICMP type
a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp

The test type is set to ICMP.


By default, no test type is configured for an NQA test instance.
d. Run:
destination-address ipv4 ipv4-address

The destination address is configured.


By default, no test destination address is configured.


e. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start

The NQA test instance is started.


An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
▪ Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
▪ Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
▪ Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
g. Run:
quit

Exit from the NQA test instance view.


NOTE

• To persistently detect the DNS server status, you need to perform periodic tests for NQA test
instances. Therefore, run the frequency interval command to set the automatic test interval for NQA
test instances.
• This section only mentions basic configuration parameters of the DNS and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DNS Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.

Step 2 Run:
dns resolve

The dynamic domain name resolution function is enabled.


By default, dynamic domain name resolution is disabled.
Step 3 Run:
dns server ip-address track nqa admin-name test-name

An IP address for the DNS server is configured and the DNS server is associated with NQA.
During dynamic domain name resolution, the device sends a query request only to the DNS
server in Up state.
By default, no DNS server IP address is configured.

NOTE

You can run the display dns server command to check the DNS server status. When the DNS server is not
associated with NQA, the server is in Up state. After the DNS server is associated with NQA, the server
status depends on the NQA check result. When the NQA test instance type is neither DNS nor ICMP, the
association between the DNS server and NQA does not take effect and the DNS server is in Up state.

----End


4.5.4 Checking the Configuration


Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ip host command to check static DNS entries.
• Run the display dns server [ verbose ] command to check the DNS server
configuration.
• Run the display dns domain [ verbose ] command to check the domain name suffix
configuration.
----End

4.6 Configuring DNS Proxy or Relay


The device can function as a DNS proxy or relay to forward DNS request and reply packets
and provide domain name resolution for DNS clients.

Pre-configuration Tasks
Before configuring DNS proxy or relay, complete the following tasks:
• Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
• Configuring the DNS server
• Configuring routes between the device and the DNS server and between the device and
the DNS client

4.6.1 Configuring the Destination DNS Server


Context
DNS Relay is similar to DNS Proxy. The difference is that the DNS Proxy searches for DNS
entries saved in the domain name cache after receiving DNS query messages from DNS
clients. The DNS Relay, however, directly forwards DNS query messages to the DNS server,
reducing the cache usage.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns proxy enable or dns relay enable

DNS Proxy or Relay is enabled.


Step 3 Choose either of the following methods to configure domain name resolution.
• Configure static domain name resolution.
Run:


ip host host-name ip-address

A static DNS entry is configured.


By default, no static DNS entry is configured.
You can manually configure the mappings between domain names and IP addresses by
configuring static DNS entries. When a DNS client requests the IP address
corresponding to a domain name, the device does not forward the request to the DNS
server but searches the static domain name resolution table for the IP address and returns
the IP address to the DNS client.
• Configure dynamic domain name resolution.
a. Run:
dns resolve

Dynamic domain name resolution is enabled.


By default, dynamic DNS resolution is disabled.
After dynamic domain name resolution is enabled, the DNS proxy searches the
dynamic domain name resolution table after receiving a DNS request packet and
checks whether the requested IP address exists. If yes, the DNS proxy returns a
DNS reply packet that carries the resolution result to the DNS client. If not, the
DNS proxy forwards the DNS request packet to the DNS server.
b. Run:
dns server ip-address

The DNS server that the DNS Proxy or Relay connects to is configured.
By default, no IP address is configured for the DNS server.
c. (Optional) Configure the DNS resolution policy function.
To control access traffic, the administrator requires that users can access only some
websites on which they can browse only texts or pictures. For example, in Wi-Fi
connection scenarios such as in metro or on bus, passengers can access only
specified websites. If they attempt to access other websites, their access requests are
rejected or redirected to the specified websites. To meet these requirements,
perform the following steps:
i. Run:
dns resolve policy a

The DNS resolution policy function for class-A query requests is enabled and
the DNS resolution policy view is displayed.
By default, the DNS resolution policy function for class-A query requests is
disabled.
ii. Run:
rule rule-id [ if-match name hostname ] { deny | permit | spoofing
ip-address }

The DNS resolution rule is configured.


By default, no DNS resolution rule is configured.
iii. Run:
quit

Exit from the DNS resolution policy view.


d. (Optional) Run:
dns server source-ip ip-address


The source IP address that the device uses to exchange packets with the DNS server
is configured.
By default, no source IP address is configured for the device.
e. (Optional) Run:
dns-server-select-algorithm { fixed | auto }

An algorithm used by the DNS Proxy or Relay to access the destination DNS server
is configured.
By default, the auto algorithm is used.
f. (Optional) Run:
dns forward retry-number number

The number of times for the DNS Proxy or Relay to retransmit query requests to the
destination DNS server is set.
By default, the number of times for the DNS Proxy or Relay to retransmit query
requests to the destination DNS server is 2.
g. (Optional) Run:
dns forward retry-timeout time

The retransmission timeout period for Query packets that the DNS proxy or DNS relay
agent sends to the destination DNS server is set.
By default, the retransmission timeout period is 3 seconds.

----End

4.6.2 (Optional) Configuring DNS Spoofing

Context
If the device is enabled with DNS proxy or relay but is not configured with a DNS server
address or has no route to the DNS server, the device does not forward or respond to DNS
query messages from DNS clients. After DNS Spoofing is enabled, the device uses the
configured IP address to respond to all DNS query messages.

In addition to enabling DNS proxy or relay, one of the following requirements must be met to
make DNS Spoofing take effect:
• No DNS server is configured.
• A DNS server is configured, but dynamic DNS resolution is disabled.
• No route is reachable to the DNS server.
• No source IP address is available for the outbound interface connected to the DNS
server.

If one of the preceding requirements is met, when receiving an address record query, the DNS
proxy or relay returns Spoofing reply messages using the configured IP address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns spoofing ip-address

DNS Spoofing is enabled and the IP address in response messages is specified.


By default, DNS Spoofing is disabled.

----End
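
To check from a client-side capture which replies are spoofing replies, the added Python example below (not Huawei code) parses DNS responses and reports the names answered with the configured spoofing address and the aging time of 0 described in 4.2.3. The function names, sample packets and addresses are constructed for illustration.

```python
import ipaddress
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname: str, ip: str, ttl: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: one question and one A answer (compressed name)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Return (name, offset after the name), following compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels).lower(), (resume if resume is not None else off)


def a_records(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, address) for every IN A answer in a DNS response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                        # a query, not a response
        return []
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and len(rdata) == 4:
            records.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return records


def find_spoofing_replies(packets: List[bytes], spoofing_ip: str) -> List[str]:
    """Names answered with TTL 0 and the configured spoofing address."""
    hits = []
    for packet in packets:
        try:
            answers = a_records(packet)
        except ValueError:
            continue                              # skip malformed captures
        hits.extend(n for n, ttl, ip in answers if ttl == 0 and ip == spoofing_ip)
    return hits


# Constructed capture: two spoofing replies, one real answer, one unrelated TTL 0.
SAMPLE_PACKETS = [
    build_response("www.example.com", "192.0.2.1", 0),
    build_response("mail.example.net", "192.0.2.1", 0),
    build_response("www.example.com", "203.0.113.80", 300),
    build_response("cdn.example.org", "203.0.113.9", 0),
]

if __name__ == "__main__":
    print(find_spoofing_replies(SAMPLE_PACKETS, "192.0.2.1"))
```

Unrelated names that all resolve to the same address with TTL 0 indicate that the device is still answering on behalf of an unreachable DNS server.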

4.6.3 (Optional) Associating a DNS Server with NQA

Context
After a DNS server is associated with NQA, the device sends a query packet only to the DNS
server in Up state during dynamic domain name resolution. This improves the domain name
resolution efficiency.

Procedure
Step 1 Configure and start NQA test instances. A DNS server can be associated with NQA test
instances of the DNS and ICMP types. According to the test mechanism, NQA test instances
of the DNS type are used to test whether the DNS server function is normal; those of the
ICMP type are used to test whether routes to the DNS server are reachable. You can select one
NQA test instance type based on the site requirements.
• Configuring and starting an NQA test instance of the DNS type
a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type dns

The test instance type is set to DNS.


By default, no test type is configured for an NQA test instance.
d. Run:
dns-server ipv4 ip-address

The DNS server address is configured.


By default, no DNS server address is configured.
NOTE
Ensure that the configured DNS server address is the same as that specified in the dns
server ip-address track nqa admin-name test-name command. If the addresses are different,
the NQA check result will not match the associated DNS server.
e. Run:
destination-address url urlstring

The destination host name is configured.


By default, no test destination host name is configured.


f. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
g. Run:
start

The NQA test instance is started.


An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
▪ Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
▪ Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
▪ Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
h. Run:
quit

Exit from the NQA test instance view.


• Configuring and starting an NQA test instance of the ICMP type
a. Run:
system-view

The system view is displayed.


b. Run:
nqa test-instance admin-name test-name

An NQA test instance is created and the test instance view is displayed.
By default, no NQA test instance is configured.
c. Run:
test-type icmp

The test type is set to ICMP.


By default, no test type is configured for an NQA test instance.
d. Run:
destination-address ipv4 ipv4-address

The destination address is configured.


By default, no test destination address is configured.
e. Run:
frequency interval

The automatic test interval is set for the NQA test instance.
By default, no automatic test interval is set. The system performs the test only once.
f. Run:
start

The NQA test instance is started.

An NQA test instance can be started immediately, at a specified time, or after a
specified delay.
▪ Run the start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } } ] command to
start the test instance immediately.
▪ Run the start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss |
delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance at a specified time.
▪ Run the start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ]
hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second |
hh:mm:ss } } ] command to start the test instance after a specified delay.
g. Run:
quit

Exit from the NQA test instance view.


NOTE

• To persistently detect the DNS server status, you need to perform periodic tests for NQA test
instances. Therefore, run the frequency interval command to set the automatic test interval for NQA
test instances.
• This section only mentions basic configuration parameters of the DNS and ICMP NQA test
instances. For details on how to configure other parameters, see Configuring DNS Test and
Configuring ICMP Test in the Huawei AR Series IOT Gateway Configuration Guide-Network
Management and Monitoring-Configuring the NQA.

Step 2 Run:
dns resolve

The dynamic domain name resolution function is enabled.

By default, dynamic domain name resolution is disabled.

Step 3 Run:
dns server ip-address track nqa admin-name test-name

An IP address for the DNS server is configured and the DNS server is associated with NQA.
During dynamic domain name resolution, the device sends a query request only to the DNS
server in Up state.

By default, no DNS server IP address is configured.

NOTE

You can run the display dns server command to check the DNS server status. When the DNS server is not
associated with NQA, the server is in Up state. After the DNS server is associated with NQA, the server
status depends on the NQA check result. When the NQA test instance type is neither DNS nor ICMP, the
association between the DNS server and NQA does not take effect and the DNS server is in Up state.

----End

4.6.4 Checking the Configuration

Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ip host command to check static DNS entries.
• Run the display dns server [ verbose ] command to check the DNS server
configuration.

----End

4.7 Configuring the DDNS Client


The device functions as the DDNS client. When the IP address corresponding to the domain
name changes, the DDNS client can notify the DNS server to update the mapping between the
domain name and the IP address on the DNS server. This ensures that users can successfully
access servers on the network using domain names.

Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
• (Optional) Registering on the DDNS server website
NOTE
The device functioning as the DDNS client supports the following update modes:
• DDNS update mode (defined by RFC 2136): The DDNS client dynamically updates the mapping
between domain names and IP addresses on the DNS server.
• Update mode implemented through the DDNS server: The DDNS client sends the mapping between
domain names and IP addresses to the DDNS server with a specified URL. The DDNS server then
informs the DNS server to dynamically update the mapping between domain names and IP
addresses.
When using the update mode implemented through the DDNS server, the DDNS client must register on
the DDNS server website. Currently, the device can be connected to the following DDNS servers:
DDNS servers provided at www.3322.org, www.dyndns.com, and www.oray.cn, Siemens DDNS server,
and HTTP-based common DDNS server.
Authentication steps are implemented in the update process through DDNS servers. All DDNS servers
except Siemens DDNS servers do not encrypt user passwords during the authentication. To improve
security, you are advised to configure IPSec when using these DDNS servers to implement update. For
details, see IPSec Configuration in the Huawei AR Series IOT Gateway Configuration Guide - VPN.
• Configuring a route between the device and the DDNS server or DNS Server

NOTE

The AR500& series do not support this function.

4.7.1 Configuring a DDNS Policy

Context
You can specify the DDNS or DNS server to which update requests are sent when configuring
the DDNS policy.

When the device functioning as a DDNS client needs to update the mapping between domain
names and IP addresses on the DNS server, the following update modes are supported:
• DDNS update mode (defined by RFC 2136): The DDNS client dynamically updates
the mapping between domain names and IP addresses on the DNS server. To configure
this mode, run the method ddns [ both ] command.
• Update mode implemented through the DDNS server: The DDNS client sends the
mapping between domain names and IP addresses to the DDNS server with a specified
URL. The DDNS server then informs the DNS server to dynamically update the
mapping between domain names and IP addresses.
– To use the Siemens DDNS server or DDNS servers provided at www.3322.org,
www.dyndns.com, or www.oray.cn, run the method vendor-specific command.
– To use an HTTP-based common DDNS server, run the method http command.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ddns policy policy-name

A DDNS policy is created and the DDNS policy view is displayed.


By default, no DDNS policy is created in the system.
A maximum of 10 DDNS policies can be configured on the device.
Step 3 Run:
method { ddns [ both ] | http | vendor-specific }

The update mode is configured for the device functioning as the DDNS client.
By default, the update mode is vendor-specific for the device functioning as the DDNS client.
• Configuring the update mode to ddns (DDNS update mode defined by the RFC2136)
a. Run:
name-server name-server

The DNS server for receiving update messages from the DDNS client is configured.
By default, no DNS server for receiving DDNS update messages is configured.
b. (Optional) Run:
interval interval-time

The interval for sending DDNS update requests is set.


By default, the interval for sending DDNS update requests is 3600 seconds.
After the interval for sending DDNS update requests is set in the configured DDNS
policy, the DDNS client sends DDNS update requests at intervals.
• Configuring the update mode to vendor-specific (communicating with the Siemens
DDNS server and DDNS servers provided at www.3322.org, www.dyndns.com, and
www.oray.cn) or http (communicating with an HTTP-based common DDNS server)
a. Run:
url request-url [ username username password password ]

The URL in DDNS update requests is specified.


NOTE

To ensure password security, you are advised to run the username username password password
command to configure a user name and password. The password information in the configuration
file is displayed in cipher text.
After a DDNS policy is created, enter the URL and specify a DDNS server in the
URL. The processes for the device to request DDNS updates from different DDNS
servers are different; therefore, the URL configurations of DDNS servers are
different.
■ If username username password password is not specified, the URL contains
the user name and password, and their configurations are displayed in plain
text.
○ When the device uses HTTP to communicate with the DDNS server
provided at www.3322.org, the URL in a DDNS update request is:
http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
○ When the device uses HTTP to communicate with the DDNS server
provided at www.dyndns.com, the URL in a DDNS update request is:
http://username:password@update.dyndns.com/nic/update?hostname=<h>&myip=<a>
○ When the device uses TCP to communicate with the DDNS server
provided at www.oray.cn, the URL in a DDNS update request is:
oray://username:password@phddnsdev.oray.net
○ When the device uses HTTPS to communicate with the Siemens DDNS
server, the URL in a DDNS update request is user-defined, for example,
https://x.x.x.x/nic/update?group=med&user=huawei_test&password=12345&myip=192.168.19.2
NOTE

During the configuration, replace x.x.x.x with the DDNS server IP address of
Siemens.
○ When the device uses HTTP to communicate with a common DDNS
server, the URL in a DDNS update request is:
http://username:password@merri.s.dnaip.fi/reg/h=<h>&a=<a>
NOTE

In the preceding URLs, username and password indicate the user name and password
for logging in to the DDNS server. Set these parameters based on the registry
information. For example, in http://huawei1:huawei2@merri.s.dnaip.fi/reg/h=<h>&a=<a>,
huawei1 and huawei2 indicate the user name and password for
logging in to the DDNS server.
■ If username username password password is specified, the URL only
contains the fixed format <username>:<password>, not the user name and
password. The user name and password are specified by username and
password, and the password configuration is displayed in cipher text.
○ When the device uses HTTP to communicate with the DDNS server
provided at www.3322.org, the URL in a DDNS update request is:
http://<username>:<password>@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
○ When the device uses HTTP to communicate with the DDNS server
provided at www.dyndns.com, the URL in a DDNS update request is:
http://<username>:<password>@update.dyndns.com/nic/update?hostname=<h>&myip=<a>
○ When the device uses TCP to communicate with the DDNS server
provided at www.oray.cn, the URL in a DDNS update request is:
oray://<username>:<password>@phddnsdev.oray.net
○ When the device uses HTTPS to communicate with the Siemens DDNS
server, the URL in a DDNS update request is user-defined, for example,
https://x.x.x.x/nic/update?group=med&user=<username>&password=<password>&myip=192.168.19.2
NOTE

During the configuration, replace x.x.x.x with the DDNS server IP address of
Siemens.
○ When the device uses HTTP to communicate with a common DDNS
server, the URL in a DDNS update request is:
http://<username>:<password>@merri.s.dnaip.fi/reg/h=<h>&a=<a>
NOTE

○ Press Ctrl+T to enter the question mark (?) in the URL.
○ In the preceding URLs, <username> and <password> are fixed formats, which
cannot be modified.
○ The DDNS service is provided by DDNS servers from different vendors. When
the DDNS server URL changes or the DDNS server stops providing service, the
device used as the DDNS client cannot exchange packets with the DDNS server.
The DDNS function may not take effect. If you fail to update the mapping entries
between the DDNS domain name and IP address, you are advised to upgrade the
router to the latest version.
b. (Optional) Run:
ssl-policy policy-name

The SSL policy is bound to the DDNS policy.


NOTE

When the device functions as the DDNS client and communicates with the Siemens DDNS
server, the device needs to encrypt packets using SSL. An SSL policy needs to be bound to
the Siemens DDNS policy. To configure an SSL policy, see "SSL Configuration" in the
Huawei AR Series IOT Gateway Configuration Guide - Security.
c. (Optional) Run:
interval interval-time

The interval for sending DDNS update requests is set.


After the interval for sending DDNS update requests is set in the configured DDNS
policy, the device sends DDNS update requests at intervals. By default, the interval
for sending DDNS update requests is 3600 seconds.

----End
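
The two URL forms described in this procedure can be told apart mechanically in a saved configuration. The following Python audit is an added example, not Huawei code: it flags DDNS policies whose URL carries a literal password, policies using a non-HTTPS scheme (where this guide advises IPSec because the password is not encrypted), and HTTPS policies with no ssl-policy bound. The sample configuration, policy names, cipher-text value and finding codes are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample configuration. The URL shapes follow this section;
# policy names and the cipher-text value are placeholders made up for the example.
SAMPLE_CONFIG = """\
#
ddns policy plain-http
 url http://huawei1:huawei2@merri.s.dnaip.fi/reg/h=<h>&a=<a>
#
ddns policy oray-cipher
 url oray://<username>:<password>@phddnsdev.oray.net username steven password %^%#CONSTRUCTED%^%#
#
ddns policy siemens-ok
 interval 36000
 url https://10.2.1.3/nic/update?group=med&user=<username>&password=<password>&myip=<a> username huawei_test password %^%#CONSTRUCTED%^%#
 ssl-policy siemens
#
ddns policy siemens-plain
 url https://10.2.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
#
interface GigabitEthernet1/0/0
 ddns apply policy siemens-ok
#
return
"""

# Fixed placeholder that the device substitutes when 'username ... password ...'
# is configured separately and stored as cipher text.
PASSWORD_PLACEHOLDER = "<password>"


def parse_ddns_policies(config_text):
    """Return {policy name: [sub-command lines]} for each 'ddns policy' block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ddns policy "):
            current = line.split(None, 2)[2]
            policies[current] = []
        elif line in ("#", "return"):
            current = None          # '#' closes a configuration block
        elif current is not None and line:
            policies[current].append(line)
    return policies


def audit_policy(lines):
    """Return finding codes for one policy, in a fixed order."""
    url_line = next((l for l in lines if l.startswith("url ")), None)
    if url_line is None:
        return []                   # 'method ddns' policies carry no URL
    url = url_line.split()[1].strip('"')
    parts = urlsplit(url)
    # A password can sit in the userinfo part or in a 'password' query field.
    candidates = [parts.password] if parts.password else []
    candidates += [v for k, v in parse_qsl(parts.query) if k.lower() == "password"]
    findings = []
    if any(v != PASSWORD_PLACEHOLDER for v in candidates):
        findings.append("PLAINTEXT_PASSWORD_IN_URL")
    if parts.scheme != "https":
        # http:// and oray:// updates do not encrypt the password in transit.
        findings.append("CLEARTEXT_TRANSPORT")
    elif not any(l.startswith("ssl-policy ") for l in lines):
        findings.append("HTTPS_WITHOUT_SSL_POLICY")
    return findings


def audit_config(config_text):
    """Audit every DDNS policy in a configuration file's text."""
    return {name: audit_policy(lines)
            for name, lines in parse_ddns_policies(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

CLEARTEXT_TRANSPORT is advisory only: the script cannot see whether IPSec already protects the path to the DDNS server.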

4.7.2 Binding a DDNS Policy to an Interface

Context
You can bind a DDNS policy to an interface to update the mapping between the domain name
and an IP address and to start DDNS update.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
ddns apply policy policy-name [ fqdn domain-name ]

The DDNS policy is bound to the interface.

By default, no DDNS policy is bound to an interface.

On the AR510, a maximum of five DDNS policies can be applied to an interface; on other
models, a maximum of six DDNS policies can be applied to an interface.

NOTE

• When the DDNS server is www.3322.org, www.dyndns.com, or an HTTP-based common DDNS server,
you must configure the fully qualified domain name (FQDN); that is, the fqdn parameter is mandatory.
• The fqdn parameter is mandatory when the DDNS update mode defined by the RFC2136 is configured
using the method ddns [ both ] command.

----End

4.7.3 Checking the Configuration

Procedure
• Run the display ddns policy [ policy-name ] command to view DDNS policy
information.
• Run the display ddns interface interface-type interface-number command to view
DDNS policy information on an interface.

----End

4.8 Maintaining DNS


Maintaining DNS includes clearing dynamic DNS entries, clearing DNS forwarding entries,
updating DDNS policies, and monitoring DNS running status.

4.8.1 Deleting Dynamic DNS Entries

Context

Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run
the command.

Procedure
• Run the reset dns dynamic-host command to delete dynamic DNS entries.
----End

4.8.2 Deleting DNS Entries of the DNS Proxy or Relay


Context

DNS entries of the DNS proxy or relay cannot be restored after being deleted. Exercise
caution when you run the command.

Procedure
• Run the reset dns forward table [ source-ip ip-address ] command to delete DNS
entries of the DNS proxy or relay.
----End

4.8.3 Clearing Statistics on Sent and Received DNS Packets

Context

Statistics on sent and received DNS packets cannot be restored after being cleared. Exercise
caution when you run the command.

Procedure
• Run the reset dns statistics command to clear statistics on sent and received DNS
packets.
----End

4.8.4 Manually Updating a DDNS Policy


Context
NOTE

The AR500& series do not support this function.

Procedure
• Run:
reset ddns policy policy-name [ interface interface-type interface-num ]

Mappings between all the IP addresses and host names in the DDNS policy are updated.
----End

4.8.5 Monitoring the Running Status of DNS


Context
In routine maintenance, you can run the following commands in any view to check the
running status of DNS.

Procedure
• Run the display dns forward table [ source-ip ip-address ] command to check the DNS
forwarding table.
• Run the display dns dynamic-host [ ip | naptr | srv ] [ domain-name ] command to
display dynamic DNS entries.
----End

4.9 Configuration Examples


This section provides DNS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.

4.9.1 Example for Configuring DNS Proxy


Networking Requirements
As shown in Figure 4-7, the enterprise does not deploy a DNS server. The routes between
RouterA and the DNS server and between RouterA and the FTP server are reachable. The
mapping between the domain name (huawei.com) of the FTP server and the IP address
10.2.1.3 is recorded on the DNS server. Enterprise users expect to access the FTP server
through the DNS domain name. To facilitate maintenance, enterprise users should remain
unaware of DNS server address changes.

Figure 4-7 Network diagram for configuring DNS proxy
[Diagram labels: HostA (Enterprise); RouterA (DNS Proxy), GE1/0/0 10.1.1.1/16; GE1/0/0 10.1.1.2/16; Internet; DNS Server 10.2.1.1/16; FTP Server huawei.com 10.2.1.3/16]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DNS Proxy on RouterA to implement domain name resolution for clients.
NOTE

After DNS Proxy is enabled, RouterA can be regarded as the DNS server of HostA. You need to
configure RouterA's IP address as the IP address of the DNS server on HostA, and configure the IP
address (10.2.1.1) of the DNS server on the Internet on RouterA. In this way, when the
DNS server address changes, you only need to modify the configuration on RouterA, and the
change is not noticed by the users.

Procedure
Step 1 Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure DNS Proxy.


[RouterA] dns proxy enable
[RouterA] dns resolve
[RouterA] dns server 10.2.1.1

Step 3 Configure the default route from the DNS proxy to the DNS server.
Assume that the IP address of the next hop from the DNS proxy to the DNS server is
10.1.1.2/16.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
[RouterA] quit

Step 4 Specify the IP address of the DNS server on HostA as 10.1.1.1.


Step 5 Verify the configuration.
# Run the display current-configuration command to view the DNS proxy configuration on
RouterA.
<RouterA> display current-configuration | include dns
dns resolve
dns server 10.2.1.1
dns proxy enable

# Run the ping huawei.com command on LAN HostA. You can see that the ping operation
succeeds.
C:\Documents and Settings\HostA>ping huawei.com
PING huawei.com [10.2.1.3] with 32 bytes of data:
Reply from 10.2.1.3: bytes=32 time=16ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255
Reply from 10.2.1.3: bytes=32 time<1ms TTL=255

Ping statistics for 10.2.1.3:


Packets: Sent = 4, Received = 4, Lost = 0(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 4ms

----End

Configuration File
Configuration file of RouterA

#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.1.1 255.255.0.0
#
dns resolve
dns server 10.2.1.1
dns proxy enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return

4.9.2 Example for Configuring the DDNS Client (Using the Update Mode Defined by the RFC2136)

Networking Requirements
As shown in Figure 4-8, the router can function as the web server to provide web services for
network users, and the users access the web server by sending DNS requests. The domain
name www.abc.com of the web server corresponds to the interface IP address on the server.
The interface IP address may change. If the mapping between the domain name and IP
address of the web server is not updated on the DNS server in real time, a user access error
may occur. The user requires that the mapping between the domain name and IP address of
the web server should be updated on the DNS server in real time when the DDNS server is
not leased. The routes between the router and DNS server are reachable.

Figure 4-8 Configuring the DDNS client
[Diagram labels: Router (DDNS Client), GE1/0/0; Internet; DNS Server 10.3.1.2]

Configuration Roadmap
Configure the DDNS client whose update mode is ddns on the router so that the mapping
between the domain name and IP address of the web server is dynamically updated on the
DNS server when the interface IP address on the router changes.

Procedure
Step 1 Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname Router
[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] method ddns both
[Router-ddns-policy-mypolicy] name-server 10.3.1.2
[Router-ddns-policy-mypolicy] interval 3600
[Router-ddns-policy-mypolicy] quit

# Bind the DDNS policy to GE1/0/0.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ddns apply policy mypolicy fqdn www.abc.com
[Router-GigabitEthernet1/0/0] quit

NOTE

When the IP address of GE1/0/0 changes, the router informs the DNS server to update the mapping between
the domain name www.abc.com and new IP address. Internet users then can parse the domain name to obtain
the latest IP address.

Step 2 Verify the configuration.

# Run the display ddns policy mypolicy command on the router to check the DDNS policy
named mypolicy.
<Router> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 3600
Update method : ddns both
Name-server : 10.3.1.2
Policy bind count : 1
Interface : GigabitEthernet1/0/0

# Run the display ddns interface gigabitethernet 1/0/0 command on the router to check the
DDNS policy on GE1/0/0.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
Update method : ddns
Name-server : 10.3.1.2

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
ddns policy mypolicy
method ddns both
name-server 10.3.1.2
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy fqdn www.abc.com
#
return

4.9.3 Example for Configuring the DDNS Client (Using the Update Mode Implemented Through the DDNS Server)

Networking Requirements
As shown in Figure 4-9, Router can function as a web server to provide web services for
network users, and the users access the web server by sending DNS requests. The domain
name of Router is www.abc.com, and its IP address may change. If the mapping between the
domain name and IP address of the web server is not updated on the DNS server in real time,
a user access error may occur. In this case, enable the DDNS client function to obtain the
latest mapping between the domain name and the IP address. The DDNS service provider
www.oray.cn is used as the DDNS server. When the IP address of Router changes, Router
functions as the DDNS client to send an update request to the DDNS server. Then the DDNS
server instructs the DNS server to reconfigure the mapping between the domain name and the
IP address.

Figure 4-9 Networking diagram for configuring the DDNS client
[Diagram labels: Router (DDNS Client), GE1/0/0; DDNS Server; DNS Server]

Configuration Roadmap
Create and bind a DDNS policy on Router. When the interface IP address on Router changes,
Router can send a request for dynamically updating DNS entries.

NOTE

Authentication is performed during the update process through DDNS servers. None of the DDNS servers except
the Siemens DDNS server encrypts user passwords during authentication. To improve security, you are
advised to configure IPSec when using these DDNS servers to implement updates. For details, see IPSec
Configuration in the Huawei AR Series IOT Gateway Configuration Guide - VPN.

Procedure
Step 1 Configure Router.

# Create a DDNS policy.


<Huawei> system-view
[Huawei] sysname Router
[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] method vendor-specific
[Router-ddns-policy-mypolicy] url oray://<username>:<password>@phddnsdev.oray.net username steven password nevets
[Router-ddns-policy-mypolicy] interval 3600
[Router-ddns-policy-mypolicy] quit

NOTE
By default, the update mode of the DDNS client is vendor-specific. If the default update mode is not
modified by running the method command, do not run the method vendor-specific command.

# Enable DNS resolution.


[Router] dns resolve

# Configure an IP address for the DNS server.


[Router] dns server 10.3.1.2

# Bind the DDNS policy to GE1/0/0.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ddns apply policy mypolicy
[Router-GigabitEthernet1/0/0] quit

NOTE

If the IP address of GE1/0/0 changes, Router notifies the DDNS server of the change, and then the DDNS
server instructs the DNS server to reconfigure the mapping between the domain name www.abc.com and the
IP address to ensure that the IP address can be resolved correctly.

Step 2 Verify the configuration.

# Run the display ddns policy mypolicy command on Router, and information about the
DDNS policy named mypolicy is displayed.
<Router> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 3600
Policy URL : oray://<username>:<password>@phddnsdev.oray.net username steven password %^%#SjZ)YyY0"8eB@"LQK<C19m5])(oyX>*&n+#lBBHT%^%#
Policy bind count : 1

===== interface GigabitEthernet1/0/0 ======
Status: ESTABLISH
Refresh: enable

# Run the display ddns interface gigabitethernet 1/0/0 command on Router, and
information about the DDNS policy on GE1/0/0 is displayed.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: oray://<username>:<password>@phddnsdev.oray.net
Status: ESTABLISH
Refresh: enable

----End

Configuration File
Configuration file of Router
#
sysname Router
#
dns resolve
dns server 10.3.1.2
#
ddns policy mypolicy
url oray://<username>:<password>@phddnsdev.oray.net username steven password %^%#SjZ)YyY0"8eB@"LQK<C19m5])(oyX>*&n+#lBBHT%^%#
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy
#
return

4.9.4 Example for Configuring the Router to Communicate with the Siemens DDNS Server

Networking Requirements
As shown in Figure 4-10, Router can function as the web server to provide web services for
network users, and the domain name of Router is www.abc.com.
The interface IP address may change. If the mapping between the domain name and IP
address of the web server is not updated on the DNS server in real time, a user access error
may occur. In this case, you need to enable the DDNS client function to obtain the latest
mapping between the domain name and the IP address. The Siemens DDNS server is used.
When the IP address of Router changes, Router functions as the DDNS client to send a
request to the DDNS server. Then the DDNS server instructs the DNS server to reconfigure
the mapping between the domain name and the IP address.

Figure 4-10 Configuring the DDNS client to communicate with the Siemens DDNS server
[Diagram labels: Router (DDNS Client), GE1/0/0; DDNS Server; DNS Server]

Configuration Roadmap
Create and bind a DDNS policy on Router. When the interface IP address on Router changes,
Router can send a request for dynamically updating DNS entries.

Procedure
Step 1 Configure Router.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname Router
[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] method vendor-specific
[Router-ddns-policy-mypolicy] url "https://10.2.1.3/nic/update?group=med&user=<username>&password=<password>&myip=<a>" username huawei_test password 12345
[Router-ddns-policy-mypolicy] quit

NOTE

l During the configuration, replace 10.2.1.3 with the DDNS server IP address of Siemens.
l By default, the update mode of the DDNS client is vendor-specific. If the default update mode is not
modified by running the method command, do not run the method vendor-specific command.

# Configure a client SSL policy siemens. Assume that the SSL policy uses the default
protocol version and cipher suite.
[Router] pki entity siemens
[Router-pki-entity-siemens] common-name hello
[Router-pki-entity-siemens] country cn
[Router-pki-entity-siemens] state jiangsu
[Router-pki-entity-siemens] organization huawei
[Router-pki-entity-siemens] organization-unit info
[Router-pki-entity-siemens] quit
[Router] pki realm siemens
[Router-pki-realm-siemens] entity siemens
[Router-pki-realm-siemens] ca id ca_root
[Router-pki-realm-siemens] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
[Router-pki-realm-siemens] fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
[Router-pki-realm-siemens] auto-enroll regenerate
[Router-pki-realm-siemens] quit
[Router] ssl policy siemens type client
[Router-ssl-policy-siemens] server-verify enable
[Router-ssl-policy-siemens] pki-realm siemens
[Router-ssl-policy-siemens] quit

# Bind the SSL policy to the DDNS policy.


[Router] ddns policy mypolicy
[Router-ddns-policy-mypolicy] ssl-policy siemens

# Set the interval for sending DDNS update requests.


[Router-ddns-policy-mypolicy] interval 36000
[Router-ddns-policy-mypolicy] quit

# Enable the DNS resolution function.


[Router] dns resolve

# Configure an IP address for the DNS server.


[Router] dns server 10.3.1.2

# Bind the DDNS policy to GE1/0/0.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ddns apply policy mypolicy
[Router-GigabitEthernet1/0/0] quit

NOTE

When the IP address of GE1/0/0 changes, Router notifies the DNS server, through the DDNS server, to establish
the mapping between the domain name www.abc.com and the new IP address so that users on the Internet
can resolve www.abc.com to the latest IP address.

Step 2 Verify the configuration.


# Run the display ddns policy mypolicy command on Router, and you can view information
about the DDNS policy named mypolicy.
<Router> display ddns policy mypolicy
Policy name : mypolicy
Policy interval time : 36000
Policy URL : https://10.2.1.3/nic/update?group=med&user=<username>&password=<password>&myip=<a> username huawei_test password %^%#o:2u<@1H~VkNyxJdJ.B=I\(V@2D=}Ht`G'0]mlAL%^%#
Policy SSL : siemens
Policy bind count : 1
===== interface GigabitEthernet1/0/0 ======
Status : ESTABLISH
Refresh : enable
Last Fresh Time : 2012-06-13 13:06:46
Last Fresh result : Success
Next Fresh Time : 2012-06-13 23:06:46

# Run the display ddns interface gigabitethernet 1/0/0 command on Router. You can view
information about the DDNS policy on GigabitEthernet1/0/0.
<Router> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: https://10.2.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
Status: ESTABLISH
Refresh: enable

----End

Configuration Files
Configuration file of Router

#
sysname Router
#
dns resolve
dns server 10.3.1.2
#
pki entity siemens
country CN
state jiangsu
organization huawei
organization-unit info
common-name hello
#
pki realm siemens
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity siemens
auto-enroll regenerate
fingerprint sha1 7bb05ada0482273388ed4ec228d79f77309ea3f4
#
ssl policy siemens type client
pki-realm siemens
server-verify enable
#
ddns policy mypolicy
interval 36000
url https://10.2.1.3/nic/update?group=med&user=<username>&password=<password>&myip=<a> username huawei_test password %^%#o:2u<@1H~VkNyxJdJ.B=I\(V@2D=}Ht`G'0]mlAL%^%#
ssl-policy siemens
#
interface GigabitEthernet1/0/0
undo portswitch
ddns apply policy mypolicy
#
return

4.9.5 Example for Configuring Association Between the DNS Server and NQA

Networking Requirements
As shown in Figure 4-11, Router is the enterprise's gateway device; the PC is a host in the
enterprise and is connected to Router through the access switch. The PC can
function as a DNS client to connect to the network using a domain name; Router can function
as a DNS proxy to uniformly manage the DNS servers that the enterprise can access. The
enterprise can access two DNS servers: Local DNS Server_1 (which records the mapping between the
domain name www.huawei.com and the IP address 10.82.42.59) in the local
network segment and Remote DNS Server_2 (which records the mapping between the domain name
www.huawei123.com and the IP address 10.46.1.1) on the remote end. To
improve the domain name resolution efficiency and speed up network access, the enterprise
requires that query requests be sent to the DNS servers whose DNS function is normal.

Figure 4-11 Configuring association between the DNS Server and NQA
[Diagram labels: PC (DNS Client) IP 10.1.1.3; Switch GE0/0/1, GE0/0/2, GE0/0/3; Local DNS Server_1 IP 10.1.1.2 (mapping between www.huawei.com and 10.82.42.59); Router (DNS Proxy) GE0/0/1 IP 10.1.1.1, GE0/0/2 IP 10.20.1.1; Remote DNS Server_2 IP 10.20.1.2 (mapping between www.huawei123.com and 10.46.1.1)]

Configuration Roadmap
Associate DNS servers with NQA on Router, so that query requests are only sent to the DNS
servers whose DNS function is normal.

1. Configure VLANs for interfaces on the switch to implement Layer 2 transparent
transmission.
2. Configure the DNS client function on PC so that it can connect to the network using a
domain name.
3. Configure the DNS proxy function on Router and associate Router with NQA, so that
query requests are only sent to the DNS servers whose DNS function is normal.

Procedure
Step 1 Configure VLANs for interfaces on the switch (using a Huawei S series switch as an
example).
<Huawei> system-view
[Huawei] sysname Switch
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit

Step 2 Configure the DNS client function on PC.


1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display the
Internet Protocol Version 4 (TCP/IPv4) Properties window. Select Use the following
DNS server addresses, enter the DNS Proxy address 10.1.1.1 in the Preferred DNS
server text box, and click OK.
Step 3 Configure the DNS proxy function on Router and associate Router with NQA.
<Huawei> system-view
[Huawei] sysname Router
[Router] dns proxy enable
[Router] dns resolve
[Router] nqa test-instance admin localdns
[Router-nqa-admin-localdns] test-type dns
[Router-nqa-admin-localdns] dns-server ipv4 10.1.1.2
[Router-nqa-admin-localdns] destination-address url www.huawei.com
[Router-nqa-admin-localdns] frequency 30
[Router-nqa-admin-localdns] start now
[Router-nqa-admin-localdns] quit
[Router] nqa test-instance admin remotedns
[Router-nqa-admin-remotedns] test-type dns
[Router-nqa-admin-remotedns] dns-server ipv4 10.20.1.2
[Router-nqa-admin-remotedns] destination-address url www.huawei123.com
[Router-nqa-admin-remotedns] frequency 30
[Router-nqa-admin-remotedns] start now
[Router-nqa-admin-remotedns] quit
[Router] dns server 10.1.1.2 track nqa admin localdns
[Router] dns server 10.20.1.2 track nqa admin remotedns
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.20.1.1 24
[Router-GigabitEthernet0/0/2] quit

NOTE

To persistently detect the DNS server status, NQA test instances must be run periodically.
Therefore, run the frequency interval command to set the automatic test interval for NQA test instances.

Step 4 Verify the configuration.


# Run the display nqa history test-instance command to check the results of the two test
instances, and run the display dns server command to check the states of the two DNS
servers. The command output shows that the DNS server state is Up when the NQA check
result is success. In this case, dynamic domain name resolution can be performed on the two
DNS servers.
[Router] display nqa history test-instance admin localdns
NQA entry(admin, localdns) history:
Index T/H/P Response Status Address Time
1 61/1/1 19ms success 10.82.42.59 2014-06-23 12:01:50.900
2 62/1/1 19ms success 10.82.42.59 2014-06-23 12:02:20.900
3 63/1/1 24ms success 10.82.42.59 2014-06-23 12:02:50.900
4 64/1/1 20ms success 10.82.42.59 2014-06-23 12:03:20.910
5 65/1/1 15ms success 10.82.42.59 2014-06-23 12:04:19.360
6 66/1/1 13ms success 10.82.42.59 2014-06-23 12:04:49.260
[Router] display nqa history test-instance admin remotedns
NQA entry(admin, remotedns) history:


Index T/H/P Response Status Address Time


1 63/1/1 16ms success 10.46.1.1 2014-06-23 12:04:10.560
2 64/1/1 5ms success 10.46.1.1 2014-06-23 12:04:40.450
3 65/1/1 5ms success 10.46.1.1 2014-06-23 12:05:10.490
4 66/1/1 5ms success 10.46.1.1 2014-06-23 12:05:40.480
5 67/1/1 5ms success 10.46.1.1 2014-06-23 12:06:10.380
6 68/1/1 6ms success 10.46.1.1 2014-06-23 12:06:40.350
[Router] display dns server
Type:
D:Dynamic S:Static

No. Type Status IP Address


1 S Up 10.1.1.2
2 S Up 10.20.1.2

No configured ipv6 dns servers.


# On Local DNS Server_1, delete the mapping between the domain name www.huawei.com
and IP address 10.82.42.59 to simulate the situation in which the DNS server is faulty. Run
the display nqa history test-instance command to check the results of the two test instances, and
run the display dns server command to check the states of the two DNS servers. The
command output shows that the NQA check result of Local DNS Server_1 is timeout and the
server state is Down. In this case, dynamic domain name resolution is performed only on
Remote DNS Server_2.
[Router] display nqa history test-instance admin localdns
NQA entry(admin, localdns) history:
Index T/H/P Response Status Address Time
1 842/1/1 3000ms timeout unKnown 2014-06-23 18:32:55.240
2 843/1/1 3000ms timeout unKnown 2014-06-23 18:33:25.260
3 844/1/1 3000ms timeout unKnown 2014-06-23 18:33:55.360
4 845/1/1 3000ms timeout unKnown 2014-06-23 18:34:25.390
5 846/1/1 3000ms timeout unKnown 2014-06-23 18:34:55.320
6 847/1/1 3000ms timeout unKnown 2014-06-23 18:35:25.320
[Router] display nqa history test-instance admin remotedns
NQA entry(admin, remotedns) history:
Index T/H/P Response Status Address Time
1 843/1/1 13ms success 10.46.1.1 2014-06-23 18:34:11.130
2 844/1/1 15ms success 10.46.1.1 2014-06-23 18:34:41.150
3 845/1/1 18ms success 10.46.1.1 2014-06-23 18:35:11.140
4 846/1/1 13ms success 10.46.1.1 2014-06-23 18:35:41.160
5 847/1/1 14ms success 10.46.1.1 2014-06-23 18:36:11.150
6 848/1/1 16ms success 10.46.1.1 2014-06-23 18:36:41.120
[Router] display dns server
Type:
D:Dynamic S:Static

No. Type Status IP Address


1 S Down 10.1.1.2
2 S Up 10.20.1.2

No configured ipv6 dns servers.

----End

Configuration Files
● Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#

interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
return

● Configuration file of the router
#
sysname Router
#
dns resolve
dns server 10.1.1.2 track nqa admin localdns
dns server 10.20.1.2 track nqa admin remotedns
dns proxy enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.20.1.1 255.255.255.0
#
nqa test-instance admin localdns
test-type dns
destination-address url www.huawei.com
frequency 30
dns-server ipv4 10.1.1.2
start now
nqa test-instance admin remotedns
test-type dns
destination-address url www.huawei123.com
frequency 30
dns-server ipv4 10.20.1.2
start now
#
return

4.10 Common Configuration Errors


This section describes common faults caused by incorrect DNS configurations and provides
the troubleshooting procedure.

4.10.1 Dynamic Domain Name Resolution Cannot Be Implemented on a DNS Client

Fault Description
The industrial switch router functions as a DNS client that is configured with dynamic domain
name resolution but cannot resolve domain names to IP addresses correctly.

Procedure
Step 1 Run the display dns dynamic-host command to check whether the specified domain name
exists in the dynamic domain name cache.
● If not, check whether the DNS client communicates with the DNS server properly, the
DNS server runs properly, and dynamic domain name resolution is enabled.
● If so, but the IP address is incorrect, go to step 2.


Step 2 Run the display dns server command to verify that the IP address of the DNS server is
correct on the DNS client.
If the DNS server IP address is incorrect, run the undo dns server ip-address command to
delete the configured DNS server IP address, and run the dns server ip-address command to
reconfigure a correct IP address for the DNS server.

----End


5 NAT Configuration

About This Chapter

Network Address Translation (NAT) enables translation between private IP addresses and
public IP addresses, alleviates the IPv4 address shortage, and shields the topology of private
networks, thereby improving network security.

5.1 Introduction to NAT


5.2 Principles
5.3 Applications
5.4 Configuration Tasks
5.5 Configuration Notes
5.6 Configuring Dynamic NAT
Dynamic NAT allows dynamic establishment of the mapping between private and public IP
addresses so that intranet users can access the external network.
5.7 Configuring Static NAT
Static NAT implements one-to-one translation between a private network address and a public
network address.
5.8 Configuring an Internal NAT Server
An internal NAT server allows external users to access internal servers.
5.9 Maintaining NAT
5.10 Configuration Examples
5.11 Common Configuration Errors


5.1 Introduction to NAT


Definition
Network Address Translation (NAT) translates the IP address in an IP datagram header to
another IP address.

Purpose
The rapid development of the Internet brings an increasing number of network applications.
Exhaustion of IPv4 addresses has become a bottleneck for network development. IPv6 can
solve the problem of IPv4 address shortage, but numerous network devices and applications
are based on IPv4. Major transitional technologies such as classless inter-domain routing
(CIDR) and private network addresses are used before the wide use of IPv6 addresses. NAT
enables users on private networks to access public networks. When a host on a private
network accesses a public network, NAT translates the host's private IP address to a public IP
address. Multiple hosts on a private network can share one public IP address. This implements
network communication while saving public IP addresses. For the classification of private IP
addresses, see 1.3.2 IPv4 Address.

Benefits
As a transitional plan, NAT enables address reuse to meet the demand for IP addresses,
thereby alleviating the IPv4 address shortage. In addition to solving the problem of IP
address shortage, NAT provides the following advantages:
● Protects private networks against external attacks, greatly improving network security.
● Controls not only access to external networks from internal hosts, but also
access to the internal network from external users.

5.2 Principles

5.2.1 Overview
NAT translates the IP address in an IP datagram header to another IP address, allowing users
on private networks to access public networks. Basic NAT implements one-to-one translation
between one private IP address and one public IP address, whereas Network Address and Port
Translation (NAPT) implements one-to-many translation between one public IP address and
multiple private IP addresses.

Basic NAT
Basic NAT implements one-to-one IP address translation. In this mode, only the IP address is
translated, whereas the TCP/UDP port number remains unchanged. Basic NAT cannot
translate multiple private IP addresses to the same public IP address.

Figure 5-1 Networking diagram for basic NAT
[Figure: the Host (10.1.1.100/8) connects through the Router to the Server (211.100.7.34/24). Address group on the Router: 162.105.178.65, 162.105.178.66, 162.105.178.67.]

NAT table
Way        Before Router     After Router
Outbound   10.1.1.100        162.105.178.65    Internal host sends a request
Inbound    162.105.178.65    10.1.1.100        External host responds to the request

As shown in Figure 5-1, the basic NAT process is as follows:


1. The Router receives a request packet sent from the host on the private network for
accessing the server on the public network. The source IP address of the packet is
10.1.1.100.
2. The Router selects an idle public IP address (1.1.1.1) from the IP address pool, and sets
up forward and reverse NAT entries that specify the mapping between the source IP
address of the packet and the public IP address. The Router translates the packet's source
IP address to the public IP address based on the forward NAT entry, and sends the packet
to the server on the public network. After the translation, the packet's source IP address
is 1.1.1.1, and its destination IP address is 2.2.2.2.
3. After receiving a response packet from the server on the public network, the Router
queries the reverse NAT entry based on the packet's destination IP address. The Router
translates the packet's destination IP address to the private IP address of the host on the
private network based on the reverse NAT entry, and sends the packet to the host. After
the translation, the packet's source IP address is 2.2.2.2, and its destination IP address is
10.1.1.100.
NOTE

Basic NAT cannot solve the problem of public IP address shortage because it cannot implement address
reuse. Therefore, basic NAT is seldom used in practice.
The number of public IP addresses owned by the NAT device is far less than the number of hosts on
private networks because not all the hosts on private networks access public networks at the same time.
The number of public IP addresses needs to be determined based on the number of hosts on private
networks that access public networks during peak hours.

NAPT
In addition to one-to-one address translation, NAPT allows multiple private IP addresses to be
mapped to the same public IP address. It is also called many-to-one address translation or
address reuse.
NAPT translates the IP address and port number of a packet so that multiple users on a private
network can use the same public IP address to access the public network.

Figure 5-2 Networking diagram for NAPT
[Figure: Host A (10.1.1.100/8) and Host B (10.1.1.200/8) connect through the Router to the Server (2.2.2.2/24). Address group on the Router: 1.1.1.1, 1.1.1.2, 1.1.1.3.]

NAPT table
Way        Before Router      After Router
Outbound   10.1.1.100:1025    1.1.1.1:16384      Host A sends a request
Inbound    1.1.1.1:16384      10.1.1.100:1025    Server responds to Host A
Outbound   10.1.1.200:1028    1.1.1.1:16400      Host B sends a request
Inbound    1.1.1.1:16400      10.1.1.200:1028    Server responds to Host B

As shown in Figure 5-2, the NAPT process is as follows:


1. The Router receives a request packet sent from the host on the private network for
accessing the server on the public network. For example, the packet is sent from Host A to
Router, its source IP address is 10.1.1.100, and its port number is 1025.
2. The Router selects an idle public IP address and an idle port number from the IP address
pool, and sets up forward and reverse NAPT entries that specify the mapping between
the source IP address and port number of the packet and the public IP address and port
number. The Router translates the packet's source IP address and port number to the
public IP address and port number based on the forward NAPT entry, and sends the
packet to the server on the public network. For example, after the translation is performed
on the packet of Host A, the packet's source IP address is 1.1.1.1, and its port number is
16384.
3. After receiving a response packet from the server on the public network, the Router
queries the reverse NAPT entry based on the packet's destination IP address and port
number. The Router translates the packet's destination IP address and port number to the
private IP address and port number of the host on the private network based on the
reverse NAPT entry, and sends the packet to the host. For example, after the translation is
performed on the packet sent from the server to Host A, the packet's destination IP
address is 10.1.1.100, and its destination port number is 1025.
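
The three NAPT steps above, modelled as an added example (not Huawei code and not part of the original guide). The hosts and address group come from Figure 5-2; the sequential port allocation starting at 16384 and the server port 80 are assumptions, so Host B receives port 16385 here rather than the 16400 shown in the figure. The last case shows what happens to an inbound packet that matches no reverse entry.

```python
"""NAPT model with forward and reverse entries (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


class Packet(NamedTuple):
    src: Endpoint
    dst: Endpoint


@dataclass
class Napt:
    pool: List[str]              # public addresses in the address group
    first_port: int = 16384      # assumption: first public port handed out
    last_port: int = 65535
    forward: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # private -> public
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public -> private

    def _allocate(self) -> Endpoint:
        """Return the first idle (public IP, port) pair in the address group."""
        for ip in self.pool:
            for port in range(self.first_port, self.last_port + 1):
                if (ip, port) not in self.reverse:
                    return (ip, port)
        raise RuntimeError("address group exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Private to public: create both entries on first use, rewrite the source."""
        if pkt.src not in self.forward:
            public = self._allocate()
            self.forward[pkt.src] = public
            self.reverse[public] = pkt.src
        return Packet(src=self.forward[pkt.src], dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public to private: rewrite the destination only if a reverse entry exists.

        The sender of the inbound packet is not checked here, so any external
        host can use an existing mapping; stricter behaviour needs NAT filtering.
        """
        private = self.reverse.get(pkt.dst)
        if private is None:
            return None          # no entry: the packet is not forwarded inward
        return Packet(src=pkt.src, dst=private)


SERVER: Endpoint = ("2.2.2.2", 80)   # port 80 is a constructed value


def demo() -> dict:
    nat = Napt(pool=["1.1.1.1", "1.1.1.2", "1.1.1.3"])
    a_out = nat.outbound(Packet(("10.1.1.100", 1025), SERVER))   # Host A request
    b_out = nat.outbound(Packet(("10.1.1.200", 1028), SERVER))   # Host B request
    a_in = nat.inbound(Packet(SERVER, a_out.src))                # reply to Host A
    b_in = nat.inbound(Packet(SERVER, b_out.src))                # reply to Host B
    unsolicited = nat.inbound(Packet(SERVER, ("1.1.1.1", 20000)))
    return {"a_out": a_out, "b_out": b_out, "a_in": a_in,
            "b_in": b_in, "unsolicited": unsolicited}


if __name__ == "__main__":
    for label, pkt in demo().items():
        print(f"{label:12} {pkt}")
```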

5.2.2 NAT Implementation


Basic NAT and NAPT translate private IP addresses to public IP addresses by using NAT
devices. Basic NAT implements one-to-one address translation, and NAPT implements many-
to-one address translation. On existing networks, NAT is implemented based on the principles
of basic NAT and NAPT. NAT implements multiple functions such as Easy IP, NAT address
pool, NAT server, and static NAT/NAPT.

NAT address pool and Easy IP are implemented in similar ways. This section describes only
Easy IP. For the implementation of NAT address pool, see NAPT in 5.2.1 Overview.

Easy IP
Easy IP uses access control lists (ACLs) to control the private IP addresses that can be
translated.
Easy IP is applied to the scenario where hosts on small-scale LANs access the Internet. Small-
scale LANs are usually deployed at small and medium-sized cybercafes or small-sized offices
where only a few internal hosts are used and the outbound interface obtains a temporary
public IP address through dial-up. The temporary public IP address is used by the internal
hosts to access the Internet. Easy IP allows the hosts to access the Internet using this
temporary public address.

Figure 5-3 Networking diagram for Easy IP
[Figure: Host A (10.1.1.100/8) and Host B (10.1.1.200/8) connect through the Router (162.10.2.8/24) to the Server (211.100.7.34/24).]

Easy IP table
Way        Before Router      After Router
Outbound   10.1.1.100:1540    162.10.2.8:5480    Host A sends a request
Inbound    162.10.2.8:5480    10.1.1.100:1540    Server responds to Host A
Outbound   10.1.1.200:1586    162.10.2.8:5481    Host B sends a request
Inbound    162.10.2.8:5481    10.1.1.200:1586    Server responds to Host B

As shown in Figure 5-3, the Easy IP process is as follows:


1. The Router receives a request packet sent from the host on the private network for
accessing the server on the public network. The packet's source IP address is 10.1.1.100,
and its port number is 1540.
2. The Router sets up forward and reverse Easy IP entries that specify the mapping between
the source IP address and port number of the packet and the public IP address and port
number of the port connected to the public network. The Router translates the source IP
address and port number of the packet to the public IP address and port number based on
the forward Easy IP entry, and sends the packet to the server on the public network. After
the translation, the packet's source IP address is 1.1.1.1, and its port number is 5480.
3. After receiving a response packet from the server on the public network, the Router
queries the reverse Easy IP entry based on the packet's destination IP address and port
number. The Router translates the packet's destination IP address and port number to the
private IP address and port number of the host on the private network based on the
reverse Easy IP entry, and sends the packet to the host. After the translation, the packet's
destination IP address is 10.1.1.100, and its port number is 1540.

NAT Server
NAT can shield hosts on private networks from public network users. When a private network
needs to provide services such as WWW and FTP services for public network users, servers
on the private network must be accessible to public network users at any time.

The NAT server can address the preceding problem by translating the public IP address and
port number to the private IP address and port number based on the preset mapping.

Figure 5-4 Networking diagram for NAT server implementation
[Figure: the External host (2.2.2.2) reaches the Internal server (192.168.1.68) across the Internet through the Router. NAT server entry on the Router: Global 1.1.1.1:80, Local 192.168.1.68:80.]

NAT table
Way        Before Router      After Router
Inbound    1.1.1.1:80         192.168.1.68:80    External host sends a request
Outbound   192.168.1.68:80    1.1.1.1:80         Internal host responds to the request

As shown in Figure 5-4, the address translation process of the NAT server is as follows:

1. Address translation entries of the NAT server are configured on the Router.
2. The Router receives an access request sent from a host on the public network. The
Router queries the address translation entry based on the packet's destination IP address
and port number. The Router translates the packet's destination IP address and port
number to the private IP address and port number based on the address translation entry,
and sends the packet to the server on the private network. The destination IP address of
the packet sent by the host on the public network is 1.1.1.1, and its port number is 80.
After the translation by the Router, the destination IP address of the packet is
192.168.1.68, and its port number remains unchanged.
3. After receiving a response packet sent from the server on the private network, the Router
queries the address translation entry based on the packet's source IP address and port
number. The Router translates the packet's source IP address and port number to the
public IP address and port number based on the address translation entry, and sends the
packet to the host on the public network. The source IP address of the response packet sent
from the host on the private network is 192.168.1.68, and its port number is 80. After translation
by the Router, the source IP address of the packet is 1.1.1.1, and its port number remains
unchanged.

Static NAT/NAPT
Static NAT indicates that a private IP address is statically bound to a public IP address when
NAT is performed. Only this private IP address can be translated to this public IP address.
Static NAPT indicates that the combination of a private IP address, protocol number, and port
number is statically bound to the combination of a public IP address, protocol number, and
port number. Multiple private IP addresses can be translated to the same public IP address.
Static NAT/NAPT can also translate host IP addresses in the specified private address range to
host IP addresses in the specified public address range. When an internal host accesses the
external network, static NAT or NAPT translates the IP address of the internal host to a public
address if the IP address of the internal host is in the specified address range. An external host
can directly access an internal host if the private IP address translated from the IP address of
the external host is in the specified internal address range.

5.2.3 NAT ALG


NAT and NAPT can translate only IP addresses in IP datagram headers and port numbers in
TCP/UDP headers. For some special protocols such as FTP, IP addresses or port numbers may
be contained in the Data field of the protocol packets. Therefore, NAT cannot translate the IP
addresses or port numbers. A good way to solve the NAT issue for these special protocols is
to use the application level gateway (ALG) function. As a special translation agent for
application protocols, the ALG interacts with the NAT device to establish states. It uses NAT
state information to change the specific data in the Data field of IP datagrams and complete
other necessary work, so that application protocols can run across private and public
networks.
For example, when an FTP server with a private IP address sets up a session with a host on
the public network, the server may need to send its IP address to the host. NAT cannot
translate this IP address because the IP address is carried in the Data field. When the host on
the public network attempts to use the received private IP address, it finds that the FTP server
is unreachable.
DNS, FTP, SIP, PPTP and RTSP support the ALG function. Table 5-1 lists the NAT fields
supported by different protocols.

Table 5-1 Fields supported by different protocols

Application Protocol   Field
DNS                    IP and Port fields in a response packet
FTP                    ● IP and Port fields in the payload of a Port request packet
                       ● IP and Port fields in the payload of a Passive response packet
SIP                    ● Request line
                       ● From
                       ● To
                       ● Contact
                       ● Via
                       ● O
                       ● Connection information field (indicating an IP address) and
                         media description field (indicating a port) in the Message body
                       ● record-router
PPTP                   There are two scenarios:
                       ● PPTP client on the private network and PPTP server on the
                         public network: Client-Call-ID field
                       ● PPTP server on the private network and PPTP client on the
                         public network: Server-Call-ID field
RTSP                   Port field in a setup/reply OK packet
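
The FTP row of Table 5-1, worked through as an added example (not Huawei code and not part of the original guide): an ALG that rewrites the address carried in a PORT request or a 227 passive response and records the matching data-connection mapping. The class name FtpAlg, the sequential port allocation from 16384, and the sample control-channel lines are assumptions; the sketch translates only an address that belongs to the sending host itself.

```python
"""FTP ALG sketch: rewrite addresses carried in PORT commands and 227 replies."""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP port)

# "h1,h2,h3,h4,p1,p2": the address format shared by PORT and the 227 passive reply
HOSTPORT = re.compile(rb"(?<!\d)" + rb",".join([rb"(\d{1,3})"] * 6) + rb"(?!\d)")


def decode_hostport(match) -> Optional[Endpoint]:
    """Turn the six decimal fields into (IP, port); None if a field exceeds 255."""
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(endpoint: Endpoint) -> bytes:
    ip, port = endpoint
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}".encode("ascii")


class FtpAlg:
    """Keeps the NAT state that the ALG creates for announced data connections."""

    def __init__(self, public_ip: str, first_port: int = 16384):
        self.public_ip = public_ip
        self.next_port = first_port                    # assumption: sequential allocation
        self.data_map: Dict[Endpoint, Endpoint] = {}   # public -> private

    def rewrite(self, line: bytes, sender_private_ip: str) -> bytes:
        """Process one control-channel line sent by the host on the private network."""
        if not (line[:5].upper() == b"PORT " or line[:4] == b"227 "):
            return line                                # no embedded address
        match = HOSTPORT.search(line)
        announced = decode_hostport(match) if match else None
        # Translate only an address that belongs to the sender itself; anything
        # else is passed through unchanged and gets no mapping.
        if announced is None or announced[0] != sender_private_ip:
            return line
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.data_map[public] = announced
        # A real ALG must also adjust TCP sequence numbers when the length changes.
        return line[:match.start()] + encode_hostport(public) + line[match.end():]


def demo() -> dict:
    alg = FtpAlg(public_ip="1.1.1.1")
    # Constructed control-channel lines: a private FTP server answering PASV,
    # a private FTP client sending PORT, and a PORT naming another host.
    pasv = alg.rewrite(b"227 Entering Passive Mode (192,168,1,68,195,80)\r\n", "192.168.1.68")
    port = alg.rewrite(b"PORT 10,1,1,100,4,1\r\n", "10.1.1.100")
    foreign = alg.rewrite(b"PORT 10,1,1,200,4,1\r\n", "10.1.1.100")
    return {"pasv": pasv, "port": port, "foreign": foreign, "map": dict(alg.data_map)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```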

5.2.4 DNS Mapping


In practice, users on a private network need to access internal servers on the same private
network using domain names, but the DNS server is located on a public network. Usually, a
DNS response packet carries the public IP address of an internal server. If the NAT device
does not replace the public IP address resolved by the DNS server with the private IP address
of the internal server, users on the private network cannot access the internal server using the
domain name.
DNS mapping can solve the problem by configuring a table that specifies the mapping
between domain names, public IP addresses, public port numbers, and protocol types. In this
manner, the mapping between domain names of servers on the private network and public
network information is established.
Figure 5-5 describes the implementation of DNS mapping.

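Figure 5-5 Networking diagram for DNS mapping
[Figure: the Host (10.1.1.100/8) and the Web server www.test.com (10.1.1.200/8) are on the private network behind the Router. The DNS server (211.100.7.34/24) on the public network holds www.test.com=162.10.2.5.]

Host: DNS request for www.test.com
DNS server: DNS response=162.10.2.5
Router: DNS mapping 162.10.2.5->10.1.1.200
Host receives: DNS response=10.1.1.200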

As shown in Figure 5-5, the host on the private network needs to access the web server using
the domain name, and the Router functions as a NAT server. After receiving a DNS response
packet, the Router searches the DNS mapping table for the information about the web server
based on the domain name carried in the response packet. Then, the Router replaces the public
IP address carried in the DNS response packet with the private IP address of the web server.
In this manner, the DNS response packet received by the host carries the private IP address of
the web server. Then, the host can access the web server using the domain name.
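
The rewrite described above, as an added example (not Huawei code and not part of the original guide): it parses a DNS response, looks up the answer's domain name in a DNS mapping table, and replaces the public address with the private address taken from the matching NAT server entry. The names and addresses come from Figure 5-5; the port 80/tcp values, the two-table layout, and the sample response are constructed.

```python
"""DNS mapping sketch: rewrite the A record of a DNS response for the private host."""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# DNS mapping entry: domain name -> (public IP, public port, protocol).
DNS_MAP: Dict[str, Tuple[str, int, str]] = {"www.test.com": ("162.10.2.5", 80, "tcp")}
# NAT server entry: (public IP, public port, protocol) -> private IP of the server.
NAT_SERVER: Dict[Tuple[str, int, str], str] = {("162.10.2.5", 80, "tcp"): "10.1.1.200"}


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def a_records(msg: bytes) -> Iterator[Tuple[str, int]]:
    """Yield (owner name, offset of the 4-byte address) for every IN A answer."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                            # QR bit clear: a query
        return
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4 and off + 4 <= len(msg):
            yield name, off
        off += rdlen


def apply_dns_mapping(msg: bytes) -> bytes:
    """Replace a mapped public address with the private address of the server."""
    out = bytearray(msg)
    try:
        for name, off in a_records(msg):
            entry = DNS_MAP.get(name)
            public = socket.inet_ntoa(msg[off:off + 4])
            # Rewrite only when both the name and the resolved address match.
            if entry and entry[0] == public and entry in NAT_SERVER:
                out[off:off + 4] = socket.inet_aton(NAT_SERVER[entry])
    except (IndexError, struct.error, ValueError):
        return msg                                    # malformed: leave unchanged
    return bytes(out)          # the UDP checksum must be recomputed after a rewrite


def build_response(name: str, ip: str) -> bytes:
    """Constructed sample: one question, one A answer, name compressed to offset 12."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer


def addresses(msg: bytes) -> List[Tuple[str, str]]:
    return [(n, socket.inet_ntoa(msg[o:o + 4])) for n, o in a_records(msg)]


if __name__ == "__main__":
    response = build_response("www.test.com", "162.10.2.5")
    print("from DNS server:", addresses(response))
    print("sent to host:   ", addresses(apply_dns_mapping(response)))
```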

5.2.5 NAT Associated with VPNs


NAT allows hosts on private networks to access public networks, hosts in different virtual
private networks (VPNs) on a private network to access a public network through the same
outbound interface, and hosts with the same IP address in different VPNs to access a public
network simultaneously. NAT also supports NAT server associated with VPNs. It allows
a host on a public network to access hosts in different VPNs on a private network, and a host
on a public network to access hosts with the same IP address in different VPNs on a private
network.

Source NAT Associated with VPNs


Source NAT associated with VPNs allows hosts in different VPNs on a private network to
access a public network using NAT. Figure 5-6 shows the networking for NAT associated
with VPNs.

Figure 5-6 Networking diagram for source NAT associated with VPNs
[Figure: Host A (VPN 1, IP address 10.1.1.1) and Host B (VPN 2, IP address 10.1.1.1) connect through the Router and the external network to the Server. The private IP addresses of VPN 1 and VPN 2 overlap.]

NAT rules
VPN 1: 10.1.1.1-202.1.1.1
VPN 2: 10.1.1.1-202.1.2.1

Source NAT associated with VPNs is implemented as follows:


1. The IP addresses of host A in VPN 1 and host B in VPN 2 are 10.1.1.1. Host A and host
B want to access the same server on the public network.
2. When a router functions as a NAT device, the router translates the source IP address of
the packet sent from host A to 202.1.1.1 and the source IP address of the packet sent
from host B to 202.1.2.1. In addition, the router records the VPN information about the
hosts in the NAT translation table.
3. When the response packets sent from the server on the public network to host A and host
B pass through the router:
– The NAT module translates the destination IP address 202.1.1.1 of the packet sent
to host A to 10.1.1.1 based on the NAT translation table, and then sends the packet
to host A in VPN 1.
– The NAT module translates the destination IP address 202.1.2.1 of the packet sent
to host B to 10.1.1.1 based on the NAT translation table, and then sends the packet
to host B in VPN 2.

NAT Server Associated with VPNs


NAT server associated with VPNs allows hosts on a public network to access servers in
different VPNs on a private network using NAT.

Figure 5-7 Networking diagram for NAT server associated with VPNs
[Figure: Server A (VPN 1, IP address 10.1.1.1) and Server B (VPN 2, IP address 10.1.1.1) connect through the Router to the external network. The private IP addresses of VPN 1 and VPN 2 overlap.]

NAT server entries
VPN 1: Local 10.1.1.1, Global 202.1.10.1
VPN 2: Local 10.1.1.1, Global 202.1.20.1

As shown in Figure 5-7, the IP addresses of server A in VPN 1 and server B in VPN 2 are
10.1.1.1. The public address of server A is 202.1.10.1 and that of server B is 202.1.20.1.
Hosts on the public network can access server A using 202.1.10.1 and access server B using
202.1.20.1.
The NAT server associated with VPNs is implemented as follows:
1. A host on the public network sends a packet with the destination IP address as
202.1.10.1 to server A in VPN 1 and sends a packet with the destination IP address as
202.1.20.1 to server B in VPN 2.
2. The router functions as the NAT server. Based on the packets' destination IP addresses
and VPN information:
– The router translates the destination address 202.1.10.1 to 10.1.1.1 and sends the
packet to server A in VPN 1.
– The router translates the destination address 202.1.20.1 to 10.1.1.1 and sends the
packet to server B in VPN 2.
In addition, the router records the VPN information in the NAT translation table.
3. When the response packets sent from server A and server B to the host on the public
network pass through the router:
– The NAT module translates the source IP address 10.1.1.1 of the packet sent from
server A to 202.1.10.1 based on the NAT translation table, and sends the packet to
the host on the public network.
– The NAT module translates the source IP address 10.1.1.1 of the packet sent from
server B to 202.1.20.1 based on the NAT translation table, and sends the packet to
the host on the public network.

5.2.6 Twice NAT

Twice NAT refers to translation of both the source and destination IP addresses of a data
packet. It is applied to the situation where a private IP address is the same as a public IP
address.

Figure 5-8 Networking diagram for twice NAT
[Figure: Host A (1.1.1.1) on the private network connects through the Router and the external network to Host B (1.1.1.1, www.example.com) and the DNS server. Address group on the Router: 3.3.3.1, 3.3.3.2.]

The process of twice NAT is described as follows:


1. Host A with the IP address 1.1.1.1 on the private network wants to access host B with
the same IP address on the public network. Host A sends a DNS request to the DNS
server on the public network. The DNS server sends a response packet containing the IP
address 1.1.1.1 of host B. When the response packet passes through the router, the router
performs DNS ALG and translates host B's IP address 1.1.1.1 in the response packet to
the unique temporary IP address 3.3.3.1. Then, the router forwards the response packet to
Host A.
2. Host A sends a request packet with the destination IP address as the temporary IP
address 3.3.3.1, for accessing host B. When the request packet passes through the router,
the router detects that the destination IP address is the temporary IP address, and
translates the destination IP address to host B's real IP address 1.1.1.1. Meanwhile, the
router translates the source IP address of the request packet to an address in the outbound
NAT address pool using outbound NAT. Then, the router forwards the request packet to
host B.
3. Host B sends host A a response packet with the destination IP address as the address in
the outbound NAT address pool and the source IP address as the IP address of host B
1.1.1.1. When the response packet passes through the router, the router detects that the
source IP address is the same as the real IP address of host A, and translates the source
IP address to the temporary IP address 3.3.3.1 using NAT. Meanwhile, the router
translates the destination IP address of the response packet to the private IP address
1.1.1.1 of host A. Then, the router forwards the response packet to host A.


Figure 5-9 Networking diagram for twice NAT when multiple VPNs are deployed on a
private network

[Figure: Host A (1.1.1.1) in VPN A and Host B (1.1.1.1) in VPN B on the private network connect
through the Router (address group: 3.3.3.1, 4.4.4.1) and the external network to Host C (1.1.1.1,
www.example.com) and the DNS server.]

A private network may consist of multiple VPNs and hosts in the VPNs may have the same IP
address. When configuring DNS ALG on a router, you need to add the VPN information that
is used as the condition for mapping identical IP addresses of the hosts in the VPNs to IP
addresses in the temporary address pool. Figure 5-9 shows the networking for twice NAT
when multiple VPNs are deployed on a private network. When multiple VPNs are deployed
on a private network, the twice NAT process remains unchanged. The source IP address of
host A in VPN A is translated to the temporary address 3.3.3.1, and the source IP address of
host B in VPN B is translated to the temporary address 4.4.4.1.

5.2.7 NAT Filtering and NAT Mapping


NAT filtering allows a NAT device to filter the traffic from a public network to a private
network. NAT mapping enables the IP addresses of a group of hosts on a private network to
be mapped to the same public IP address using the NAT mapping table.

NAT Filtering
A NAT device filters the traffic from the external network to the internal network. NAT
filtering includes the following modes:
- Endpoint-independent filtering
- Endpoint-dependent filtering
- Endpoint and port-dependent filtering
Figure 5-10 shows the NAT filtering applications.


Figure 5-10 NAT filtering applications

[Figure: PC 1 on the private network reaches PC 2 (1.1.1.1) and PC 3 (2.2.2.2) on the Internet
through the NAT device. Each data packet is shown on the private side (unprimed) and on the
public side (primed):]
Data packet 1:  source 10.1.1.1:1111, destination 1.1.1.1:2222
Data packet 1': source 3.3.3.3:1111, destination 1.1.1.1:2222
Data packet 2': source 2.2.2.2:4444, destination 3.3.3.3:1111
Data packet 2:  source 2.2.2.2:4444, destination 10.1.1.1:1111
Data packet 3': source 1.1.1.1:3333, destination 3.3.3.3:1111
Data packet 3:  source 1.1.1.1:3333, destination 10.1.1.1:1111
Data packet 4': source 1.1.1.1:2222, destination 3.3.3.3:1111
Data packet 4:  source 1.1.1.1:2222, destination 10.1.1.1:1111

As shown in the preceding figure, PC-1 on the private network communicates with PC-2 and
PC-3 on the public network through a NAT device. Datagram 1 is sent from PC-1 to PC-2. The
source port number of the datagram is 1111 and the destination port number is 2222. The NAT
device translates the source IP address to 3.3.3.3.
After PC-1 sends an access request to a PC on the public network, the PC on the public
network transmits traffic to PC-1, and the NAT device filters the traffic destined for PC-1.
Datagram 2', datagram 3', and datagram 4' are sent in three scenarios corresponding to the
preceding three NAT filtering modes.
- Datagram 2' is sent from PC-3 to PC-1. The destination address of datagram 2 is
different from that of datagram 1, and the destination port number is 1111. Datagram 2
can pass through the NAT device only when endpoint-independent filtering is used.
- Datagram 3' is sent from PC-2 to PC-1. The destination address of datagram 3 is the
same as that of datagram 1, and the destination port number is 1111. The source port
number of datagram 3 is 3333, which is different from that of datagram 1. Datagram 3
can pass through the NAT device only when endpoint-dependent filtering or
endpoint-independent filtering is used.
- Datagram 4' is sent from PC-2 to PC-1. The destination address of datagram 4 is the
same as that of datagram 1, and the destination port number is 1111. The source port
number of datagram 4 is 2222, which is the same as that of datagram 1. In this case,
endpoint and port-dependent filtering, which is the default mode, is used. Datagram 4 can
pass through the NAT device regardless of whether a filtering mode is configured and
regardless of which filtering mode is configured.


NAT Mapping
After NAT mapping is enabled on a public network, all flows from a private network appear to
come from the same IP address because hosts on the private network share the same
public IP address. When a host on the private network initiates a session request to a host on
the public network, the NAT device searches the NAT translation table for the related session
record. If the NAT device finds the session record, it translates the private IP address and port
number and forwards the request. If the NAT device does not find the session record, it
translates the private IP address and port number and also adds a session record to the
NAT translation table. NAT mapping includes the following modes:
- Endpoint-independent mapping: The NAT uses the same IP address and port mapping for
packets sent from the same private IP address and port to any public IP address and port.
- Endpoint and port-dependent mapping: The NAT uses the same port mapping for packets
sent from the same private IP address and port to the same public IP address and port if
the mapping is still active.

5.3 Applications

5.3.1 Private Network Hosts Accessing Public Network


Private IP addresses are planned for hosts on private networks for communities, schools, and
enterprises because public IP addresses are limited. In this case, the NAT technology can be
used to implement access from hosts on the private networks to public networks. As shown in
Figure 5-11, Easy IP is configured on the Router to enable the hosts on the private network to
access the server on the public network.

Figure 5-11 Networking diagram for private network hosts accessing public network servers

[Figure: Host A (192.168.1.1/24), Host B (192.168.1.2/24), and Host C (192.168.1.3/24) connect
through the Router and the external network to the Server. The public-side address shown is
211.100.7.34/24.]

5.3.2 Public Network Hosts Accessing Private Network Servers


On private networks, some servers such as web servers and FTP servers need to provide
services for public network users. NAT supports this application. As shown in Figure 5-12,
the NAT server is configured. That is, mapping between the public IP address and port
number and the private IP address and port number is defined. As a result, the host on the
public network can access the server on the private network using the mapping.

Figure 5-12 Networking diagram for public network hosts accessing private network servers

[Figure: Host A (192.168.1.1/24), Host B (192.168.1.2/24), and the Server (192.168.1.100/24)
connect through the Router and the external network to Host C. The public-side address shown
is 211.138.7.94/24.]

5.3.3 Private Network Hosts Accessing Private Network Servers


Using the Domain Name
Hosts on a private network need to access a server on the same private network using the
domain name. The DNS server, however, is located on a public network. You can configure
DNS mapping to allow the private network hosts to access the DNS server. As shown in
Figure 5-13, a DNS mapping table is configured to define mapping between the domain
name, public IP address, public port number, and protocol type. The public IP address carried
in the DNS response packet is replaced by the private IP address of the server on the private
network. In this manner, hosts on the private network can access the server using the domain
name.


Figure 5-13 Networking diagram for private network hosts accessing private network servers
using the domain name

[Figure: Host A (192.168.1.1/24), Host B (192.168.1.2/24), and the Web server (192.168.1.100/24,
www.test.com) connect through the Router and the external network to the DNS server. The
public-side labels shown are 210.33.5.1/24 and www.test.com=211.65.3.1.]

5.4 Configuration Tasks


As shown in Table 5-2, users can select NAT features based on usage scenarios and configure
the selected NAT features.

Table 5-2 NAT configuration tasks


| Scenario | Description | Task |
|---|---|---|
| Internal hosts use private IP addresses to access external networks. | Internal hosts of an enterprise use private IP addresses to communicate with each other, but cannot access external networks. Dynamic NAT translates the private IP address of a device to the public IP address and establishes a mapping between the private and public address. When the response packet reaches the device, the public IP address is translated to the private IP address and then forwarded to the host. In this way, intranet users can access external networks. | 5.6 Configuring Dynamic NAT |
| Important internal hosts use fixed public IP addresses and interface numbers to communicate with external hosts. | Dynamic NAT cannot use fixed public IP addresses and interface numbers to replace the private IP addresses and interface numbers. When some important hosts need to access the external network, they must use fixed public IP addresses and interface numbers. Dynamic NAT cannot meet this requirement. Static NAT sets up a fixed mapping between public and private IP addresses. A specific private IP address can be replaced only by the specified public IP address. In this way, the important hosts can access the external network using fixed public IP addresses. | 5.7 Configuring Static NAT |
| External users access internal servers. | NAT can shield IP addresses of internal hosts. When the internal network needs to provide services such as web and FTP services for external users, internal servers must be accessible to external users at any time. The NAT server enables the internal servers to be accessible at any time. By configuring the mapping between the public and private IP addresses and between the public and private interface numbers, the NAT device can translate public IP addresses to private IP addresses. | 5.8 Configuring an Internal NAT Server |

5.5 Configuration Notes

Involved Network Elements


Other network elements are not required.

License Support
NAT is a basic feature of a router and is not under license control.


Feature Dependencies and Limitations


- By default, the route forwarding function is enabled on high-end LAN cards (8FE1GE,
24GE, and 24ES2GP). These cards do not send received IP packets to the CPU when the
IP packets are forwarded on a LAN card. As a result, NAT services configured on
VLANIF interfaces do not take effect.

5.6 Configuring Dynamic NAT


Dynamic NAT allows dynamic establishment of the mapping between private and public IP
addresses so that intranet users can access the external network.

5.6.1 Configuring ACL Rules

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An ACL with the specified number is created and the ACL view is displayed.

Step 3 Configure basic or advanced ACLs as required. For details, see Configuring a Basic ACL or
Configuring an Advanced ACL in the Huawei AR Series IOT Gateway Configuration Guide -
Security - ACL Configuration.
NOTE

Only basic ACLs (2000 to 2999) and advanced ACLs (3000 to 3999) can be used to configure the NAT
function.
1. When permit is used in the ACL rule, the system uses the address pool to translate addresses for
packets whose source IP address is specified in the ACL rule.
2. When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect.
That is, the system searches routes for packets, but does not translate addresses.

----End

5.6.2 Configuring Outbound NAT

Context
The address pool used by outbound NAT stores a set of public IP addresses used by dynamic
NAT. When dynamic NAT is performed, an address in the address pool is selected for NAT
address translation.

To access external networks through dynamic NAT, intranet users can choose one of the
following modes based on their public IP address plan:

- If public IP addresses are still available after the IP addresses of outbound ports and
other applications on the NAT device are configured, users can choose outbound NAT
with an address pool.
- If no public IP addresses are available after the IP addresses of outbound ports and
other applications on the NAT device are configured, users can choose Easy IP, which
uses the IP address of outbound ports on the NAT device to implement dynamic NAT.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Configure outbound NAT. Choose one of the following configuration methods based on
the actual situation:
- Configure outbound NAT with an address pool.
a. Run:
nat address-group group-index start-address end-address

A public address pool is configured.


b. Run:
interface interface-type interface-number [ .subnumber ]

The interface view or sub-interface view is displayed.


c. Run:
nat outbound acl-number address-group group-index [ no-pat ]

Outbound NAT that references an address pool is configured.


- Configure Easy IP without an address pool.
a. Run:
interface interface-type interface-number [ .subnumber ]

The interface view or sub-interface view is displayed.


b. Run:
nat outbound acl-number [ interface interface-type interface-number
[ .subnumber ] ] [ vrrp vrrpid ]

Easy IP is configured.

----End

5.6.3 (Optional) Enabling NAT ALG

Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.

The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.

NOTE

The AR510 series do not support SIP.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.


By default, the NAT ALG function is disabled.
Step 3 (Optional) Run:
port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

The port mapping is configured.


Run the port-mapping command to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a
non-default port number.
Step 4 (Optional) Run:
tcp proxy ip-address port-number [ acl acl-number ]

The TCP proxy function is enabled.


By default, the TCP proxy function is disabled on the device.
NOTE

Only V200R007C01 supports this command.

Step 5 (Optional) Run:
tcp proxy aging-time aging-time

The aging time of a TCP connection set up by the TCP proxy is configured.
By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE

Only V200R007C01 supports this command.

----End

5.6.4 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context
When the SIP server is deployed on the public network and SIP phones in public and private
networks are interconnected, the call quality is affected if the bandwidth on the NAT device is
insufficient. You can enable call admission control (CAC) and set the total bandwidth on the
NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call exceeds the
specified value, the SIP call is rejected.

NOTE

The AR510 series do not support this function.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat sip cac enable bandwidth { bandwidth-value | percent value interface
interface-type interface-number [ .subnumber ] }

CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

----End

5.6.5 (Optional) Configuring NAT Filtering and NAT Mapping

Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP
proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to
implement its function. To ensure connection of multiple data channels, NAT filtering and
NAT mapping must be configured to allow only packets that meet the filtering and mapping
conditions to pass through.
The device supports the following NAT mapping types:
- Endpoint-and-port-independent mapping: The NAT reuses the interface mapping for
subsequent packets sent from the same internal IP address and interface to any external
IP address and port.
- Endpoint-and-port-dependent mapping: The NAT reuses the interface mapping for
subsequent packets sent from the same internal IP address and interface to the same
external IP address and interface while the mapping is still active.
The device supports the following NAT filtering types:
- Endpoint-and-port-independent filtering
- Endpoint-dependent and port-independent filtering
- Endpoint-and-port-dependent filtering
NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.


The default NAT mapping mode is endpoint-and-port-dependent.
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.


The default NAT filtering mode is endpoint-and-port-dependent.
----End
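The filtering modes set with nat filter-mode decide which unsolicited inbound packets reach an internal host, which is the case Figure 5-10 in 5.2.7 walks through. The following is an added example, not part of the Huawei guide: a toy NAT model that replays data packets 2', 3' and 4' under each filtering mode and shows how the mapping mode changes port reuse. The single public IP, port-preserving allocation and absence of aging are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    inside: tuple                               # (private IP, private port)
    peers: set = field(default_factory=set)     # public (IP, port) pairs this mapping has contacted


class NatModel:
    """Toy NAT: one public IP, port-preserving allocation, no aging (assumptions of this example)."""

    def __init__(self, public_ip, filter_mode="endpoint-and-port-dependent",
                 mapping_mode="endpoint-and-port-dependent"):      # defaults stated in the guide
        self.public_ip = public_ip
        self.filter_mode = filter_mode
        self.mapping_mode = mapping_mode
        self.by_key = {}        # mapping key -> public port
        self.sessions = {}      # public port -> Session

    def _key(self, src, dst):
        # Endpoint-independent mapping ignores the destination; the dependent mode includes it.
        return src if self.mapping_mode == "endpoint-independent" else src + dst

    def _allocate(self, preferred):
        port = preferred
        while port in self.sessions:
            port += 1
        return port

    def outbound(self, src, dst):
        """Translate a packet from the private side and record the session."""
        key = self._key(src, dst)
        if key not in self.by_key:
            port = self._allocate(src[1])
            self.by_key[key] = port
            self.sessions[port] = Session(inside=src)
        port = self.by_key[key]
        self.sessions[port].peers.add(dst)
        return (self.public_ip, port)

    def inbound(self, src, dst_port):
        """Return the private (IP, port) the packet is forwarded to, or None if it is filtered."""
        session = self.sessions.get(dst_port)
        if session is None:
            return None
        if self.filter_mode == "endpoint-independent":
            allowed = True                                          # any public host may answer
        elif self.filter_mode == "endpoint-dependent":
            allowed = any(ip == src[0] for ip, _ in session.peers)  # same remote IP, any port
        else:
            allowed = src in session.peers                          # same remote IP and port
        return session.inside if allowed else None


PC1 = ("10.1.1.1", 1111)
PC2 = ("1.1.1.1", 2222)
# Sources of data packets 2', 3' and 4' in Figure 5-10.
INBOUND = {"2'": ("2.2.2.2", 4444), "3'": ("1.1.1.1", 3333), "4'": ("1.1.1.1", 2222)}


def figure_5_10(filter_mode):
    """Which of the three inbound packets reach PC 1 under the given filtering mode."""
    nat = NatModel("3.3.3.3", filter_mode=filter_mode)
    public = nat.outbound(PC1, PC2)                     # data packet 1 creates the session
    return {name: nat.inbound(src, public[1]) == PC1 for name, src in INBOUND.items()}


def public_ports(mapping_mode):
    """Public ports used when PC 1 contacts two different destinations from one socket."""
    nat = NatModel("3.3.3.3", mapping_mode=mapping_mode)
    return [nat.outbound(PC1, dst)[1] for dst in (PC2, ("2.2.2.2", 4444))]


if __name__ == "__main__":
    for mode in ("endpoint-independent", "endpoint-dependent", "endpoint-and-port-dependent"):
        print(mode, figure_5_10(mode))
    for mode in ("endpoint-independent", "endpoint-and-port-dependent"):
        print(mode, public_ports(mode))
```

With endpoint-independent filtering, a host that PC 1 never contacted (PC 3) can send traffic to PC 1 for as long as the mapping exists, so that mode exposes the most inbound traffic.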

5.6.6 (Optional) Configuring Twice NAT


Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
- An overlapping address pool specifies which internal IP addresses can overlap with
public IP addresses. Twice NAT is performed only on the addresses in the overlapping
address pool.
- A temporary address pool specifies which temporary IP addresses can replace addresses
in the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length
[ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.

NOTE

- A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
address pool.
- When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
deleted.

----End
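The three translation steps described for Figure 5-8 and the nat overlap-address mapping configured above can be followed packet by packet. The following is an added example, not Huawei's implementation: it assumes that address n of the overlapping pool maps to address n of the temporary pool, and the outbound NAT address 203.0.113.10 and all port numbers are constructed for the example.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


class OverlapEntry:
    """One 'nat overlap-address' entry. Assumption: address n of the overlapping pool
    maps to address n of the temporary pool."""

    def __init__(self, overlap_start, temp_start, length, inside_vpn=None):
        if not 1 <= length <= 255:          # the guide allows at most 255 addresses per pool
            raise ValueError("pool-length must be between 1 and 255")
        self.overlap, self.temp = _to_int(overlap_start), _to_int(temp_start)
        self.length, self.inside_vpn = length, inside_vpn

    def to_temp(self, addr):
        offset = _to_int(addr) - self.overlap
        return _to_str(self.temp + offset) if 0 <= offset < self.length else None

    def to_real(self, addr):
        offset = _to_int(addr) - self.temp
        return _to_str(self.overlap + offset) if 0 <= offset < self.length else None


class TwiceNatRouter:
    def __init__(self, entries, outbound_ip):
        self.entries = entries
        self.outbound_ip = outbound_ip      # stands in for the outbound NAT address pool
        self.sessions = {}                  # public port -> (inside VPN, (private IP, port))
        self.next_port = 10000

    def _entry(self, vpn):
        # The inside VPN instance selects which overlap entry applies.
        return next((e for e in self.entries if e.inside_vpn == vpn), None)

    def dns_alg(self, answer_ip, vpn=None):
        """Step 1: replace an overlapping address in a DNS answer with its temporary address."""
        entry = self._entry(vpn)
        return (entry and entry.to_temp(answer_ip)) or answer_ip

    def request(self, src, dst, vpn=None):
        """Step 2: destination temporary -> real, source -> outbound NAT address."""
        entry = self._entry(vpn)
        real_ip = (entry and entry.to_real(dst[0])) or dst[0]
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (vpn, src)
        return (self.outbound_ip, port), (real_ip, dst[1])

    def response(self, src, dst):
        """Step 3: source real -> temporary, destination outbound address -> private host."""
        if dst[0] != self.outbound_ip or dst[1] not in self.sessions:
            return None                     # no session record: nothing to translate
        vpn, inside = self.sessions[dst[1]]
        entry = self._entry(vpn)
        temp_ip = (entry and entry.to_temp(src[0])) or src[0]
        return (temp_ip, src[1]), inside


def figure_5_8():
    """Host A (1.1.1.1) resolves and reaches host B (1.1.1.1) through the router."""
    router = TwiceNatRouter([OverlapEntry("1.1.1.1", "3.3.3.1", 2)], outbound_ip="203.0.113.10")
    host_a = ("1.1.1.1", 40000)
    answer = router.dns_alg("1.1.1.1")
    out_src, out_dst = router.request(host_a, (answer, 80))
    in_src, in_dst = router.response(out_dst, out_src)
    return {"dns_answer": answer, "request": (out_src, out_dst), "response": (in_src, in_dst)}


if __name__ == "__main__":
    for step, value in figure_5_8().items():
        print(step, value)
```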

5.6.7 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the industrial switch router performs address translation. The
logs record the original source IP addresses, source ports, destination IP addresses, destination
ports, and translated source IP addresses and source ports, as well as user actions and time
stamps. You can view NAT logs to learn about users who have accessed a network using NAT.
The industrial switch router can send NAT logs to a specified log host, as shown in Figure
5-14.

Figure 5-14 Sending NAT logs to a specified log host

[Figure: the Host reaches the Internet through the NAT Device, which sends NAT logs to the Log
Server.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 (Optional) Run:
nat log-format elog

The NAT log format is set to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
- Output logs to the information center log host
a. Run:
info-center enable

The information center is enabled.

b. Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility
local-number | language language-name | transport { udp | tcp ssl-policy policy-name } |
{ vpn-instance vpn-instance-name | public-net | local-time } ] *

The channel through which logs are output to the log host is configured.


The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.
- Output logs to the session log host
Run:
firewall log binary-log host host-ip-address host-port source source-ip-address source-port
[ vpn-instance vpn-instance-name ]

A session log host is configured.


By default, no session log host is configured.

----End

5.6.8 (Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp
| sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120
seconds for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20
seconds for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP,
1800 seconds for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, 120 seconds for
RTSP-media, 600 seconds for PPTP, and 600 seconds for PPTP-data.

----End

5.6.9 Checking the Configuration

Procedure
- Run the display nat address-group [ group-index ] [ verbose ] command to check the
configuration of a NAT address pool.
- Run the display nat outbound [ acl acl-number | address-group group-index |
interface interface-type interface-number [ .subnumber ] ] command to check the
configuration of outbound NAT.
- Run the display nat alg command to check the NAT ALG configuration.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance
inside-vpn-instance-name } command to check the configuration of twice NAT.
- Run the display firewall-nat session aging-time command to check the aging time of
NAT mapping entries.
- Run the display nat sip cac bandwidth information [ verbose ] command to check the
current total bandwidth and occupied bandwidth on the device.
- Run the display nat filter-mode command to check the current NAT filtering mode.
- Run the display nat mapping-mode command to check the NAT mapping mode.
- Run the display nat mapping table { all | number } or display nat mapping table
inside-address ip-address protocol protocol-name port port-number [ vpn-instance
vpn-instance-name ] command to check the NAT table information or the number of
entries in the NAT table.

----End
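A saved configuration can also be checked offline against the notes in 5.6.1 (an ACL without permit never translates), 5.6.5 (filtering mode) and 5.6.7 (NAT session logging). The following is an added example, not Huawei's tooling: the configuration text is constructed from the command syntax in this guide, and the ACL rule lines, the address-group sanity check and the finding codes are assumptions of the example.

```python
import re

# Constructed sample, written from the command syntax shown in this guide.
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
acl number 2001
 rule 5 deny source 192.168.2.0 0.0.0.255
nat address-group 1 203.0.113.10 203.0.113.20
nat filter-mode endpoint-independent
firewall log session enable
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1
 nat outbound 2001 address-group 2
"""

LOG_COMMANDS = ("firewall log session enable", "firewall log session nat enable")
LOG_HOST_PREFIXES = ("info-center loghost ", "firewall log binary-log host ")


def parse(config):
    """Collect the NAT-related statements from a configuration listing."""
    state = {"acls": {}, "groups": set(), "outbound": [], "filter_mode": None, "lines": set()}
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():
            current_acl = None                      # a top-level line ends the ACL view
        state["lines"].add(line)
        if (m := re.fullmatch(r"acl (?:number )?(\d+)(?: match-order \w+)?", line)):
            current_acl = int(m.group(1))
            state["acls"].setdefault(current_acl, [])
        elif current_acl is not None and line.startswith("rule "):
            state["acls"][current_acl].append(line)
        elif (m := re.match(r"nat address-group (\d+) \S+ \S+", line)):
            state["groups"].add(int(m.group(1)))
        elif (m := re.match(r"nat outbound (\d+)(?: address-group (\d+))?", line)):
            state["outbound"].append((int(m.group(1)), m.group(2) and int(m.group(2))))
        elif (m := re.match(r"nat filter-mode (\S+)", line)):
            state["filter_mode"] = m.group(1)
    return state


def audit(config):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    state, findings = parse(config), []
    for acl, group in state["outbound"]:
        if not 2000 <= acl <= 3999:
            findings.append(("ACL_RANGE", acl))         # only basic and advanced ACLs work with NAT
        if not any(re.search(r"\bpermit\b", rule) for rule in state["acls"].get(acl, [])):
            findings.append(("ACL_NO_PERMIT", acl))     # policy is referenced but never translates
        if group is not None and group not in state["groups"]:
            findings.append(("GROUP_UNDEFINED", group))
    if state["filter_mode"] == "endpoint-independent":
        # Any public host can send to a live mapping (data packet 2' in Figure 5-10).
        findings.append(("FILTER_ENDPOINT_INDEPENDENT", None))
    if state["outbound"]:
        missing = [cmd for cmd in LOG_COMMANDS if cmd not in state["lines"]]
        if not any(line.startswith(LOG_HOST_PREFIXES) for line in state["lines"]):
            missing.append("log host")
        if missing:
            findings.append(("NAT_LOG_INCOMPLETE", tuple(missing)))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(code, detail)
```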

5.7 Configuring Static NAT


Static NAT implements one-to-one translation between a private network address and a public
network address.

5.7.1 Configuring Static Address Mapping

Procedure
Step 1 You can configure static address mapping as follows:

Configuring static address mapping in the interface view:

1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number [ .subnumber ]

The interface view or sub-interface view is displayed.


3. Run one of the following commands as required:
– nat static protocol { tcp | udp } global { global-address | current-interface |
interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ]
[ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ]
[ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ]
[ description description ]
– nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address |
current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp vrrpid ]
inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ]
[ description description ]

Configuring static address mapping in the system view:

1. Run:
system-view

The system view is displayed.


2. Run one of the following commands as required:
– nat static protocol { tcp | udp } global global-address global-port [ global-port2 ]
inside host-address [ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ]
[ netmask mask ] [ description description ]
– nat static protocol { tcp | udp } global interface loopback interface-number
global-port [ global-port2 ] [ vpn-instance vpn-instance-name ] inside host-address
[ host-address2 ] [ host-port ] [ vpn-instance vpn-instance-name ]
[ netmask mask ] [ description description ]
– nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address |
interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ]
[ netmask mask ] [ description description ]
3. Run:
interface interface-type interface-number [ .subnumber ]

The interface view or sub-interface view is displayed.


4. Run:
nat static enable

Static NAT is enabled on the interface.


NOTE

- To specify a global VPN, you are advised to configure static NAT in the interface view. Then the
device can automatically obtain information about the VPN instance associated with the interface,
and you do not need to manually specify the VPN instance at the public network side (global). To
associate static NAT with a global VPN in the system view, you can specify a loopback interface as
the outbound interface at the public network side, and then specify a VPN instance.
- When configuring static NAT, ensure that global-address and host-address are different from IP
addresses of interfaces and IP addresses in the user address pool.
- If you run the undo nat static command, static mapping entries are not immediately deleted. To
clear static mapping entries, run the reset nat session command.
- You are advised to use the second method if multiple interfaces use the same static NAT mapping.
- When you configure static one-to-one NAT that borrows an interface IP address (no interface
number is specified and the IP address is mapped to a private network address), other services
enabled on the interface may become unavailable. Confirm your action before performing the
configuration. If you want to enable other applications on the interface, add an ACL rule after the
configuration to filter out the number of the interface on which the applications are enabled.

----End

5.7.2 (Optional) Enabling NAT ALG

Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.

The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.

NOTE

The AR510 series do not support SIP.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.


By default, the NAT ALG function is disabled.
Step 3 (Optional) Run:
port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

The port mapping is configured.


Run the port-mapping command to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a
non-default port number.
Step 4 (Optional) Run:
tcp proxy ip-address port-number [ acl acl-number ]

The TCP proxy function is enabled.


By default, the TCP proxy function is disabled on the device.
NOTE

Only V200R007C01 supports this command.

Step 5 (Optional) Run:
tcp proxy aging-time aging-time

The aging time of a TCP connection set up by the TCP proxy is configured.
By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.
NOTE

Only V200R007C01 supports this command.

----End

5.7.3 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context
When the SIP server is deployed on the public network and SIP phones in public and private
networks are interconnected, the call quality is affected if the bandwidth on the NAT device is
insufficient. You can enable call admission control (CAC) and set the total bandwidth on the
NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call exceeds the
specified value, the SIP call is rejected.

NOTE

The AR510 series do not support this function.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat sip cac enable bandwidth { bandwidth-value | percent value interface
interface-type interface-number [ .subnumber ] }

CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.

By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

----End

5.7.4 (Optional) Configuring DNS Mapping

Context
If an enterprise has no internal DNS server but needs to access internal servers using the
domain name, intranet users of the enterprise must use DNS servers on external networks.

Intranet users can use the external DNS server to access an external server by performing
NAT; however, intranet users cannot use the external DNS server to access an internal server
because the IP address resolved by the external DNS server is not the real private IP address
of the internal server.

When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public interface number, and protocol
type. When receiving a DNS resolution packet, the NAT device searches for the private IP
address mapped to the public address in the mapping entry. The NAT device then replaces the
address resolved by the DNS server with the private IP address and forwards the resolution
result to users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

A mapping from a domain name to a public IP address, an interface number, and a protocol
type is configured.

NOTE

After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG
DNS function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function
is disabled, internal hosts cannot access internal servers using the domain name.

----End


5.7.5 (Optional) Configuring NAT Filtering and NAT Mapping

Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP
proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to
implement its function. To ensure connection of multiple data channels, NAT filtering and
NAT mapping must be configured to allow only packets that meet the filtering and mapping
conditions to pass through.

The device supports the following NAT mapping types:

• Endpoint-and-port-independent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to any external
  IP address and port.
• Endpoint-and-port-dependent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to the same
  external IP address and interface while the mapping is still active.

The device supports the following NAT filtering types:

• Endpoint-and-port-independent filtering
• Endpoint-dependent and port-independent filtering
• Endpoint-and-port-dependent filtering

NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.

The default NAT mapping mode is endpoint-and-port-dependent.

Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.

The default NAT filtering mode is endpoint-and-port-dependent.

----End


5.7.6 (Optional) Configuring Twice NAT


Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
• An overlapping address pool specifies which internal IP addresses can overlap with
  public IP addresses. Twice NAT is performed only on the addresses in the overlapping
  address pool.
• A temporary address pool specifies which temporary IP addresses can replace addresses
  in the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.

NOTE

• A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
  address pool.
• When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
  deleted.

----End

5.7.7 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the industrial switch router performs address translation. The
logs record the original source IP addresses, source ports, destination IP addresses, destination
ports, and translated source IP addresses and source ports, as well as user actions and time
stamps. You can view NAT logs to learn about users who have accessed a network using NAT.
The industrial switch router can send NAT logs to a specified log host, as shown in Figure
5-15.


Figure 5-15 Sending NAT logs to a specified log host

[Figure: Host, NAT Device, Internet, and Log Server; the NAT Device sends NAT logs to the Log Server.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 (Optional) Run:
nat log-format elog

The NAT log format is set to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
• Output logs to the information center log host
a. Run:
info-center enable

The information center is enabled.


b. Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | language language-name | transport { udp | tcp ssl-policy policy-name } | { vpn-instance vpn-instance-name | public-net | local-time } ] *

The channel through which logs are output to the log host is configured.
The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.


• Output logs to the session log host


Run:
firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

A session log host is configured.


By default, no session log host is configured.

----End

5.7.8 (Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp
| sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120
seconds for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20
seconds for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP,
1800 seconds for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, 120 seconds for
RTSP-media, 600 seconds for PPTP, and 600 seconds for PPTP-data.

----End

5.7.9 Checking the Configuration

Procedure
• Run the display nat alg command to check the NAT ALG configuration.
• Run the display nat dns-map [ domain-name ] command to check the configuration of
  DNS mapping.
• Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check the configuration of twice NAT.
• Run the display firewall-nat session aging-time command to check the aging time of
  NAT mapping entries.
• Run the display nat static [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-name [ .subnumber ] | acl
  acl-number ] command to check the configuration of static NAT.
• Run the display nat sip cac bandwidth information [ verbose ] command to check the
  current total bandwidth and occupied bandwidth on the device.
• Run the display nat filter-mode command to check the current NAT filtering mode.
• Run the display nat mapping-mode command to check the NAT mapping mode.


• Run the display nat mapping table { all | number } or display nat mapping table
  inside-address ip-address protocol protocol-name port port-number [ vpn-instance
  vpn-instance-name ] command to check the NAT table information or the number of
  entries in the NAT table.
• Run the display nat static interface enable command to check whether the static NAT
  function is enabled.
----End

5.8 Configuring an Internal NAT Server


An internal NAT server allows external users to access internal servers.

5.8.1 Configuring Internal NAT Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [ .subnumber ]

The interface view or sub-interface view is displayed.


Step 3 Run either of the following commands to configure an internal NAT server:
• nat server protocol { tcp | udp } global { global-address | current-interface |
  interface interface-type interface-number [ .subnumber ] } global-port [ global-port2 ]
  [ vrrp vrrpid ] inside host-address [ host-address2 ] [ host-port ] [ vpn-instance
  vpn-instance-name ] [ acl acl-number ] [ description description ]
• nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address |
  current-interface | interface interface-type interface-number [ .subnumber ] } [ vrrp
  vrrpid ] inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ]
  [ description description ]
NOTE

• When configuring an internal NAT server, ensure that global-address and host-address are different
  from IP addresses of ports and IP addresses in the user address pool.
• You can use the IP address of current-interface or loopback as the internal server's IP address.
• The undo nat server command does not delete mapping entries immediately. You can run the reset
  nat session command to delete mapping entries.
• Compared with static NAT, NAT Server translates only the IP address, but not the port number,
  when the private network initiates access to the public network.
• When you configure one-to-one NAT Server that borrows an interface IP address (no interface
  number is specified and the IP address is mapped to a private network address), other services
  enabled on the interface may become unavailable. Confirm your action before performing the
  configuration. If you want to enable other applications on the interface, add an ACL rule after the
  configuration to filter out the number of the interface on which the applications are enabled.
• To enable the device to directly discard packets that cannot be processed using NAT, run the
  nat miss forward deny command.

----End


5.8.2 (Optional) Enabling NAT ALG

Context
Generally, NAT translates only the IP address in the IP packet header and the interface
number in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the
IP address or interface number in the Data field. Such content cannot be translated using NAT.
Therefore, communication between internal and external networks will fail.

The application level gateway (ALG) function enables the NAT device to identify the IP
address or interface number in the Data field, and translate addresses based on the mapping
table. In this way, packets can traverse NAT devices. Currently, the ALG function supports
DNS, FTP, SIP, PPTP and RTSP.

NOTE

The AR510 series do not support SIP.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.

By default, the NAT ALG function is disabled.

Step 3 (Optional) Run:


port-mapping { dns | ftp | sip | rtsp | pptp } port port-number acl acl-number

The port mapping is configured.

Run the port-mapping command to configure port mapping when an application protocol that
has the NAT ALG function enabled uses a non-well-known (non-default) port number.

Step 4 (Optional) Run:


tcp proxy ip-address port-number [ acl acl-number ]

The TCP proxy function is enabled.

By default, the TCP proxy function is disabled on the device.


NOTE

Only V200R007C01 supports this command.

Step 5 (Optional) Run:


tcp proxy aging-time aging-time

The aging time of a TCP connection set up by the TCP proxy is configured.

By default, the aging time of a TCP connection set up by the TCP proxy is 120 seconds.


NOTE

Only V200R007C01 supports this command.

----End

5.8.3 (Optional) Configuring the SIP Call Bandwidth Limit on a NAT Device

Context
When the SIP server is deployed on the public network and SIP phones in public and private
networks are interconnected, the call quality is affected if the bandwidth on the NAT device is
insufficient. You can enable call admission control (CAC) and set the total bandwidth on the
NAT device to limit the bandwidth of SIP calls. If the bandwidth of a SIP call exceeds the
specified value, the SIP call is rejected.

NOTE

The AR510 series do not support this function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat sip cac enable bandwidth { bandwidth-value | percent value interface
interface-type interface-number [ .subnumber ] }

CAC is enabled and the total bandwidth is set to limit the bandwidth of SIP calls.
By default, the bandwidth limit is 0, indicating that the bandwidth is not limited.

----End

5.8.4 (Optional) Configuring DNS Mapping

Context
If an enterprise has no internal DNS server but needs to access internal servers using the
domain name, intranet users of the enterprise must use DNS servers on external networks.
Intranet users can use the external DNS server to access an external server by performing
NAT; however, intranet users cannot use the external DNS server to access an internal server
because the IP address resolved by the external DNS server is not the real private IP address
of the internal server.
When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public interface number, and protocol
type. When receiving a DNS resolution packet, the NAT device searches for the private IP
address mapped to the public address in the mapping entry. The NAT device then replaces the
address resolved by the DNS server with the private IP address and forwards the resolution
result to users.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat dns-map domain-name { global-address | interface interface-type interface-number [ .subnumber ] } global-port protocol-name

A mapping from a domain name to a public IP address, an interface number, and a protocol
type is configured.

NOTE

After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG
DNS function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function
is disabled, internal hosts cannot access internal servers using the domain name.

----End

5.8.5 (Optional) Configuring NAT Filtering and NAT Mapping


Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP
proxy. SIP proxy is a multi-channel application and needs to create multiple data channels to
implement its function. To ensure connection of multiple data channels, NAT filtering and
NAT mapping must be configured to allow only packets that meet the filtering and mapping
conditions to pass through.
The device supports the following NAT mapping types:
• Endpoint-and-port-independent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to any external
  IP address and port.
• Endpoint-and-port-dependent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to the same
  external IP address and interface while the mapping is still active.
The device supports the following NAT filtering types:
• Endpoint-and-port-independent filtering
• Endpoint-dependent and port-independent filtering
• Endpoint-and-port-dependent filtering
NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.

The default NAT mapping mode is endpoint-and-port-dependent.

Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.

The default NAT filtering mode is endpoint-and-port-dependent.

----End
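
The mapping and filtering modes described in 5.7.5 and 5.8.5, modelled in Python as an added example (not Huawei code) to show which inbound packets each nat filter-mode value admits once an inside host has opened a mapping. The model reads "interface" in the mapping definitions as the transport port; the class and function names, the addresses, and the sequential port allocation are assumptions of this example.

```python
"""Model of the NAT mapping and filtering modes named in the text above.

Added illustration, not Huawei code. Assumptions: "port" means the transport
port, public ports are handed out sequentially from 10000, and mappings
never age out. All addresses are constructed documentation addresses.
"""
from itertools import count

# Keywords as they appear in the nat mapping-mode / nat filter-mode commands.
MAPPING_MODES = ("endpoint-independent", "endpoint-and-port-dependent")
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")


class NatModel:
    def __init__(self, mapping_mode="endpoint-and-port-dependent",
                 filter_mode="endpoint-and-port-dependent"):
        # Both defaults are the device defaults stated in the procedure.
        if mapping_mode not in MAPPING_MODES or filter_mode not in FILTER_MODES:
            raise ValueError("unknown mapping or filter mode")
        self.mapping_mode = mapping_mode
        self.filter_mode = filter_mode
        self._next_port = count(10000)
        self._mappings = {}   # mapping key -> public port
        self._sessions = {}   # public port -> (inside endpoint, remotes contacted)

    def outbound(self, inside, remote):
        """Translate inside=(ip, port) -> remote=(ip, port); return the public port."""
        if self.mapping_mode == "endpoint-independent":
            key = inside              # one mapping reused for every destination
        else:
            key = (inside, remote)    # a separate mapping per destination
        if key not in self._mappings:
            port = next(self._next_port)
            self._mappings[key] = port
            self._sessions[port] = (inside, set())
        port = self._mappings[key]
        self._sessions[port][1].add(remote)
        return port

    def inbound(self, remote, public_port):
        """Return the inside endpoint that receives the packet, or None if dropped."""
        session = self._sessions.get(public_port)
        if session is None:
            return None               # no mapping exists for this public port
        inside, contacted = session
        if self.filter_mode == "endpoint-independent":
            allowed = True            # any remote may use the open mapping
        elif self.filter_mode == "endpoint-dependent":
            # Read here as "endpoint-dependent and port-independent filtering":
            # the remote IP must have been contacted, any source port is fine.
            allowed = remote[0] in {ip for ip, _ in contacted}
        else:
            allowed = remote in contacted   # exact remote IP and port only
        return inside if allowed else None


PHONE = ("192.168.0.2", 5060)        # inside SIP phone (constructed)
SERVER = ("198.51.100.10", 5060)     # SIP server the phone registers with
MEDIA = ("198.51.100.10", 20000)     # same server, different source port
STRANGER = ("203.0.113.7", 4444)     # host the phone never contacted


def inbound_exposure(mapping_mode, filter_mode):
    """Which remotes can reach PHONE through the mapping opened towards SERVER?"""
    nat = NatModel(mapping_mode, filter_mode)
    port = nat.outbound(PHONE, SERVER)
    return {name: nat.inbound(remote, port) == PHONE
            for name, remote in (("server", SERVER), ("media", MEDIA),
                                 ("stranger", STRANGER))}


def public_ports_for_two_destinations(mapping_mode):
    """Number of public ports consumed when PHONE talks to two different remotes."""
    nat = NatModel(mapping_mode)
    return len({nat.outbound(PHONE, SERVER), nat.outbound(PHONE, STRANGER)})


if __name__ == "__main__":
    for m in MAPPING_MODES:
        print(m, "-> public ports:", public_ports_for_two_destinations(m))
        for f in FILTER_MODES:
            print("   filter", f, inbound_exposure(m, f))
```

With endpoint-independent filtering the uncontacted host reaches the phone through the open mapping, which is the exposure to weigh before relaxing the default filter mode for multi-channel applications.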

5.8.6 (Optional) Configuring Twice NAT

Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.

• An overlapping address pool specifies which internal IP addresses can overlap with
  public IP addresses. Twice NAT is performed only on the addresses in the overlapping
  address pool.
• A temporary address pool specifies which temporary IP addresses can replace addresses
  in the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.

NOTE

• A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
  address pool.
• When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
  deleted.

----End


5.8.7 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the industrial switch router performs address translation. The
logs record the original source IP addresses, source ports, destination IP addresses, destination
ports, and translated source IP addresses and source ports, as well as user actions and time
stamps. You can view NAT logs to learn about users who have accessed a network using NAT.
The industrial switch router can send NAT logs to a specified log host, as shown in Figure
5-16.

Figure 5-16 Sending NAT logs to a specified log host

[Figure: Host, NAT Device, Internet, and Log Server; the NAT Device sends NAT logs to the Log Server.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 (Optional) Run:
nat log-format elog

The NAT log format is set to eLog. The logs are generated in the format specified by the eLog
server.
Step 5 Run the following command to output logs to the information center log host or session log
host:
• Output logs to the information center log host
a. Run:
info-center enable

The information center is enabled.


b. Run:
info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | language language-name | transport { udp | tcp ssl-policy policy-name } | { vpn-instance vpn-instance-name | public-net | local-time } ] *

The channel through which logs are output to the log host is configured.
The industrial switch router supports a maximum of eight log hosts to implement
backup among log hosts.
NOTE
For details on how to configure the industrial switch router to send logs to a log host, see
Example for Outputting Log Information to a Log Host in "Information Center
Configuration" of the Huawei AR Series IOT Gateway Configuration Guide - Device
Management.
• Output logs to the session log host
Run:
firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

A session log host is configured.


By default, no session log host is configured.

----End

5.8.8 (Optional) Configuring the Aging Time of NAT Mapping Entries

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp
| sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120
seconds for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20
seconds for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP,
1800 seconds for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, 120 seconds for
RTSP-media, 600 seconds for PPTP, and 600 seconds for PPTP-data.

----End

5.8.9 Checking the Configuration

Procedure
• Run the display nat server [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-number [ .subnumber ] | acl
  acl-number ] command to check the configuration of the NAT server.


• Run the display nat alg command to check the NAT ALG configuration.
• Run the display nat dns-map [ domain-name ] command to check the configuration of
  DNS mapping.
• Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check the configuration of twice NAT.
• Run the display firewall-nat session aging-time command to check the aging time of
  NAT mapping entries.
• Run the display nat sip cac bandwidth information [ verbose ] command to check the
  current total bandwidth and occupied bandwidth on the device.
• Run the display nat filter-mode command to check the current NAT filtering mode.
• Run the display nat mapping-mode command to check the NAT mapping mode.
• Run the display nat mapping table { all | number } or display nat mapping table
  inside-address ip-address protocol protocol-name port port-number [ vpn-instance
  vpn-instance-name ] command to check the NAT table information or the number of
  entries in the NAT table.
----End

5.9 Maintaining NAT


You can clear and monitor NAT mapping entries.

5.9.1 Clearing NAT Mapping Entries

Context
NOTE

The cleared entries cannot be restored; therefore, confirm the action before you use the command.

Procedure
• After confirming that you want to clear NAT mapping entries, run the reset nat session { all |
  transit interface interface-type interface-number [ .subnumber ] } command in the
  system view.
----End

5.9.2 Monitoring NAT Mapping Entries

Procedure
• Run the display nat session { all [ verbose ] | number }, display nat session protocol
  { protocol-name | protocol-number } [ source source-address [ source-port ] ]
  [ destination destination-address [ destination-port ] ] [ verbose ], display nat session
  source source-address [ source-port ] [ destination destination-address
  [ destination-port ] ] [ verbose ], or display nat session destination destination-address
  [ destination-port ] [ verbose ] command to display information about entries in the NAT
  mapping table.
----End


5.10 Configuration Examples


This section provides several NAT configuration examples to help you configure the NAT
function in actual scenarios.

5.10.1 Example for Configuring Dynamic NAT

Networking Requirements
As shown in Figure 5-17, private network users in Area A and Area B of a company connect
to the Internet. The public IP address of GigabitEthernet3/0/0 on the router is
202.169.10.1/24. The IP address of the carrier device connected to the router is
202.169.10.2/24. Users in Area A want to use addresses in the public address pool
(202.169.10.100 to 202.169.10.200) to replace IP addresses (192.168.20.0/24) of hosts in
Area A in NAT mode to access the Internet. Users in Area B want to use addresses in the
public address pool (202.169.10.80 to 202.169.10.83) to replace IP addresses (10.0.0.0/24) of
hosts in Area B to access the Internet.

Figure 5-17 Networking diagram for configuring dynamic NAT

[Figure: Area A (PC 1...PC n, 192.168.20.0/24, VLAN 100, Eth2/0/0) and Area B (PC 1...PC n, 10.0.0.0/24, VLAN 200, Eth2/0/1) connect to the Router; GE3/0/0 (202.169.10.1/24) connects to the Internet through the carrier device at 202.169.10.2/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for ports, a default route, and outbound NAT on the WAN interface
to allow internal hosts to access external networks.

Procedure
Step 1 Configure an IP address for ports on the router.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] undo portswitch
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] quit

Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Configure outbound NAT on the router.


[Router] nat address-group 1 202.169.10.100 202.169.10.200
[Router] nat address-group 2 202.169.10.80 202.169.10.83
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] acl 2001
[Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat
[Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2
[Router-GigabitEthernet3/0/0] quit

NOTE

To run the ping -a source-ip-address command with a source IP address specified on the router to verify
that intranet users can access the Internet, you need to run the ip soft-forward enhance enable command to
enable the enhanced forwarding function for control packets generated by the device so that the private source
IP addresses can be translated into public IP addresses by the NAT function. By default, the enhanced
forwarding function for control packets generated by the device is enabled. If the function has been disabled
using the undo ip soft-forward enhance enable command, you need to run the ip soft-forward enhance
enable command in the system view to enable the function again.

Step 4 Verify the configuration.


# Run the display nat outbound command on the router to check the address translation
result.
<Router> display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface                 Acl    Address-group/IP/Interface    Type
-----------------------------------------------------------------
GigabitEthernet3/0/0      2000   1                             no-pat
GigabitEthernet3/0/0      2001   2                             pat
-----------------------------------------------------------------
Total : 2

# Run the ping command on the router to verify that users on the internal network can access
the Internet.


<Router> ping -a 192.168.20.1 202.169.10.2


PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
-- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
<Router> ping -a 10.0.0.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
-- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
undo portswitch
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return


5.10.2 Example for Configuring Static One-to-One NAT

Networking Requirements
As shown in Figure 5-18, the IP address of outbound interface GE2/0/0 on the router is
202.10.1.2/24 and the LAN gateway address is 192.168.0.1/24. The IP address of the carrier
device connected to the router is 202.10.1.1/24. The private IP address of the host is
192.168.0.2/24 and the fixed IP address the host needs to use is 202.10.1.3/24. In this case,
the private IP address of this company must be translated to a public IP address to allow the
host to access the WAN.

Figure 5-18 Networking diagram for configuring static one-to-one NAT
[Diagram: host 192.168.0.2/24 - GE1/0/0 (192.168.0.1/24) Router GE2/0/0 (202.10.1.2/24) - Internet]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for the ports, a default route, and static NAT on the WAN interface to
implement one-to-one translation between a private IP address and a public IP address.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 202.10.1.2 24
[Router-GigabitEthernet2/0/0] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 192.168.0.1 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure a default route with next hop address 202.10.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1

Step 3 Configure one-to-one NAT mapping on uplink interface GE2/0/0 on the router.

[Router] interface gigabitethernet 2/0/0


[Router-GigabitEthernet2/0/0] nat static global 202.10.1.3 inside 192.168.0.2
[Router-GigabitEthernet2/0/0] quit

Step 4 Verify the configuration.


# Run the display nat static command on the router to check the mapping between address
pools.


<Router> display nat static


Static Nat Information:
Interface : GigabitEthernet2/0/0
Global IP/Port : 202.10.1.3/----
Inside IP/Port : 192.168.0.2/----
Protocol : ----
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Netmask : 255.255.255.255
Description : ----

Total : 1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 202.10.1.2 255.255.255.0
nat static global 202.10.1.3 inside 192.168.0.2 netmask 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return

5.10.3 Example for Configuring an Internal NAT Server

Networking Requirements
As shown in Figure 5-19, the network of a company provides the WWW server and FTP
server for external network users to access the internal network. The web server uses private
IP address 192.168.20.2/24, port 8080, and public address 202.169.10.5/24. The private IP
address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. The IP
address of the carrier device connected to the router is 202.169.10.2/24. In this case, the NAT
function of the router enables the internal network of the company to connect to the Internet.


Figure 5-19 Networking diagram for configuring an internal NAT server
[Diagram: WWW server 192.168.20.2/24:8080 on Eth2/0/0 and FTP server 10.0.0.3/24 on Eth2/0/1 - Router GE3/0/0 - Internet - external user]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for ports on the router and configure a NAT server on
GigabitEthernet 3/0/0 to allow external users to access internal servers.
2. Configure a default route on the router.
3. Enable the FTP NAT ALG function to allow external FTP packets to traverse the NAT
server.

Procedure
Step 1 Configure an IP address for the ports on the router and configure a NAT server.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] undo portswitch
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
[Router-GigabitEthernet3/0/0] quit


Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Enable the NAT ALG function for FTP packets on the router.
[Router] nat alg ftp enable

Step 4 Verify the configuration.


# Run the display nat server command on the router. The command output is as follows:
<Router> display nat server
Nat Server Information:
Interface : gigabitethernet 3/0/0
Global IP/Port : 202.169.10.5/80(www)
Inside IP/Port : 192.168.20.2/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Description : ----

Global IP/Port : 202.169.10.33/21(ftp)
Inside IP/Port : 10.0.0.3/21(ftp)
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Description : ----

Total : 2

# Run the display nat alg command on the router. The command output is as follows:
<Router> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application Status
----------------------------------
dns Disabled
ftp Enabled
rtsp Disabled
sip Disabled
pptp Disabled
----------------------------------

# Verify that external users can access the WWW server and FTP server. The details are not
provided here.

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#

interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
undo portswitch
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return

5.10.4 Example for Configuring Twice NAT

Networking Requirements
As shown in Figure 5-20, the IP address of the outbound interface on the router is
202.11.1.2/24. The IP address of the LAN gateway is 202.10.0.1/24 and that of the carrier
device connected to the router is 202.11.1.1/24. IP addresses of internal hosts are not assigned
properly. The IP address of PC1 on the internal network overlaps with that of Server A on the
external network. In this case, PC2 can access this server using the domain name of Server A,
but PC2 may access PC1 on the same network segment based on the DNS resolution result.
Users want packets to be forwarded correctly.

Figure 5-20 Network diagram for configuring twice NAT
[Diagram: PC 1 202.10.0.100/24 and PC 2 202.10.0.16/24 - GE2/0/0 (202.10.0.1/24) Router GE1/0/0 (202.11.1.2/24) - Internet - Server A 202.10.0.100/24 and DNS server]

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure an IP address for ports on the router.


2. Configure a default route on the router.
3. Configure the DNS ALG function to enable DNS packets to traverse the NAT device.
4. Map the overlapped address pool to the temporary address pool.
5. Configure outbound NAT to allow internal users to access external networks.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 202.11.1.2 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 202.10.0.1 24
[Router-GigabitEthernet2/0/0] quit

Step 2 Configure a default route with next hop address 202.11.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.11.1.1

Step 3 Configure the mapping between the overlapped address pool and the temporary address pool
on the router.
[Router] nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254

Step 4 Configure a static route on the router from the temporary address pool to outbound interface
GE1/0/0.
[Router] ip route-static 202.12.1.100 32 gigabitethernet 1/0/0 202.11.1.1

Step 5 Configure the DNS NAT ALG function in the system view.
[Router] nat alg dns enable

Step 6 Configure outbound NAT on outbound interface GE1/0/0 of the router.


1. Create an ACL and configure an ACL rule to permit the packets of PC1 to pass through.
[Router] acl 3180
[Router-acl-adv-3180] rule 5 permit ip source 202.10.0.0 0.0.0.255
[Router-acl-adv-3180] quit

2. Configure the NAT address pool for outbound NAT.


[Router] nat address-group 1 202.11.1.100 202.11.1.200

3. Configure outbound NAT on outbound interface GE1/0/0.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3180 address-group 1
[Router-GigabitEthernet1/0/0] quit

Step 7 Verify the configuration.


# Run the display nat overlap-address all command on the router to check the mapping
between the overlapped address pool and the temporary address pool.
<Router> display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
-------------------------------------------------------------------------------
Id Overlap-Address Temp-Address Pool-Length Inside-VPN-Instance-Name
-------------------------------------------------------------------------------
0 202.10.0.100 202.12.1.100 254
-------------------------------------------------------------------------------
Total : 1


# Run the display nat outbound command to display the configuration of NAT.
[Router] display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-----------------------------------------------------------------
GigabitEthernet1/0/0 3180 1 pat
-----------------------------------------------------------------
Total : 1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 3180
rule 5 permit ip source 202.10.0.0 0.0.0.255
#
nat alg dns enable
#
nat address-group 1 202.11.1.100 202.11.1.200
#
nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 202.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 202.11.1.2 255.255.255.0
nat outbound 3180 address-group 1
#
ip route-static 0.0.0.0 0.0.0.0 202.11.1.1
ip route-static 202.12.1.100 255.255.255.255 GigabitEthernet1/0/0 202.11.1.1
#
return

5.10.5 Example for Configuring NAT


Networking Requirements
As shown in Figure 5-21, GE1/0/0 on the router has a private IP address 192.168.1.1/24 and
is connected to the intranet. GE2/0/0 on the router has a public IP address 11.11.11.1/8 and is
connected to the Internet. The intranet server has a private IP address 192.168.1.2/24 and a
public IP address 11.11.11.6/8. The intranet host has an IP address 192.168.1.3/24.
Both the intranet host and extranet host want to access the intranet server through the public
IP address 11.11.11.6.


Figure 5-21 Networking diagram for configuring NAT
[Diagram: internal server (internal IP 192.168.1.2/24, external IP 11.11.11.6/8) and internal host 192.168.1.3/24 - GE1/0/0 (192.168.1.1/24) Router GE2/0/0 (11.11.11.1/8) - GE1/0/0 (11.11.11.2/8) of the connected device - Internet - external host 12.1.1.2/8]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure IP addresses for interfaces.
- Configure a default route.
- Configure outbound NAT and static NAT in Easy IP mode on the LAN-side interface of
  the router to ensure that the intranet host can use a public IP address to access the
  intranet server.
- Configure outbound NAT and static NAT in Easy IP mode on the WAN-side interface of
  the router to ensure that the intranet host can access the Internet and the extranet host can
  use a public IP address to access the intranet server.

Procedure
Step 1 Configure IP addresses for interfaces on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 11.11.11.1 8
[Router-GigabitEthernet2/0/0] quit

Step 2 Configure a default route on the router and specify the next hop address as 11.11.11.2.
[Router] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2

Step 3 Configure outbound NAT and static NAT in Easy IP mode on GE1/0/0 of the router to ensure
that the intranet host can use a public IP address to access the intranet server.
[Router] acl 3000
[Router-acl-adv-3000] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
[Router-acl-adv-3000] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3000


[Router-GigabitEthernet1/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
[Router-GigabitEthernet1/0/0] quit

Step 4 Configure outbound NAT and static NAT in Easy IP mode on GE2/0/0 of the router to ensure
that the intranet host can access the Internet and the extranet host can use a public IP address
to access the intranet server.
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] nat outbound 2000
[Router-GigabitEthernet2/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
[Router-GigabitEthernet2/0/0] quit

Step 5 Verify the configuration.


# The intranet host and extranet host can access the intranet server using the public IP address
11.11.11.6. The intranet host can also access the Internet.

----End

Configuration Files
Router configuration file
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
nat outbound 3000
#
interface GigabitEthernet2/0/0
ip address 11.11.11.1 255.0.0.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
nat outbound 2000
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2
#
return

5.10.6 Example for Configuring PPPoE Dialup Access in Easy IP Mode

Networking Requirements
As shown in Figure 5-22, the router obtains an IP address from the PPPoE server. The IP
address of Eth2/0/1 on the router is 192.168.0.1/24 and the IP address of the PPPoE server is
2.2.2.2/16. Internal hosts connect to the network through the router. The router obtains a
public IP address from the PPPoE server in PPPoE dialup mode. Users hope that internal
hosts can access external networks.


Figure 5-22 Networking diagram for configuring PPPoE dialup access in Easy IP mode
[Diagram: Host 1 to Host n - Eth2/0/1, Router, GE1/0/0 - PPPoE Server, Internet]

Configuration Roadmap
The configuration roadmap is as follows:
Create a dialer interface and set parameters of the dialer port, establish a PPPoE session,
configure a static route on the router, and configure Easy IP on the dialer interface to
implement external network access by configuring PPPoE dialup in Easy IP mode.

Procedure
Step 1 Configure a PPPoE server.
Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server. If the router functions as a PPPoE server, see Example
for Configuring the PPPoE Server.
Step 2 Configure a dialer port.
<Huawei> system-view
[Huawei] sysname Router
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router] interface dialer 1
[Router-Dialer1] dialer user user2
[Router-Dialer1] dialer-group 1
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] dialer timer idle 300
INFO: The configuration will become effective after link reset.
[Router-Dialer1] dialer queue-length 8
[Router-Dialer1] ppp chap user user1@system
[Router-Dialer1] ppp chap password cipher huawei123
[Router-Dialer1] ip address ppp-negotiate
[Router-Dialer1] quit

Step 3 Create a PPPoE session.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] pppoe-client dial-bundle-number 1 on-demand
[Router-GigabitEthernet1/0/0] quit

Step 4 Configure a static route on the router.


[Router] ip route-static 0.0.0.0 0 dialer 1


Step 5 Configure outbound NAT on the dialer interface in Easy IP mode.


[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface dialer 1
[Router-Dialer1] nat outbound 2000
[Router-Dialer1] quit

Step 6 Verify the configuration.

# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. Check whether the session status is Up and whether the
configuration is consistent with the data plan and networking according to command output.
<Router> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 GE1/0/0 00e0fc030201 00e0fc030206 PPPUP

# Run the display nat outbound command on the router. The command output is as follows:
<Router> display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
Dialer1 2000 1.1.1.1 easyip
---------------------------------------------------------------------------
Total : 1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
dialer-rule
dialer-rule 1 ip permit
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#R=>NT8A-8KmWU38WOZq(s%MsRSg>3,}l9b%K.%!S%^%#
ip address ppp-negotiate
dialer user user2
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
nat outbound 2000
#
interface GigabitEthernet1/0/0
undo portswitch
pppoe-client dial-bundle-number 1 on-demand
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return


5.10.7 Example for Configuring the SIP Call Bandwidth Limit on a NAT Device

Networking Requirements
As shown in Figure 5-23, the Router functions as the NAT gateway to connect to the
enterprise internal network and Internet. Multiple SIP phones on the enterprise internal
network often call the SIP phone, UserA, on the Internet. For example, multiple users on the
enterprise internal network often hold call conferences with the SIP phone on the Internet.
The voice configurations of the SIP phones and NAT configuration of the Router are
complete, and enterprise internal users can call the user on the Internet. The NAT device has
limited bandwidth, so the SIP call bandwidth limit needs to be configured on the NAT device
to reject the SIP calls that exceed the configured bandwidth limit.

Figure 5-23 Configuring the SIP call bandwidth limit on a NAT device
[Diagram: User 1 192.168.0.2/24, User 2 192.168.0.3/24, ..., User n 192.168.0.44/24 - GE1/0/0 (192.168.0.1/24) Router GE2/0/0 (202.10.1.1/24) - Internet - User A 202.10.1.8/24 and SIP Server 202.10.1.10/24]

Configuration Roadmap
The configuration roadmap is as follows:

Enable CAC and set the total bandwidth to limit the bandwidth of SIP calls.

Procedure
Step 1 Enable CAC on the Router and set the total bandwidth of the Router to 2000 Kbps.
<Huawei> system-view
[Huawei] sysname Router
[Router] nat sip cac enable bandwidth 2000
[Router] quit

Step 2 Verify the configuration.

# Run the display nat sip cac bandwidth information verbose command on the Router to
check detailed information about the configured total bandwidth and occupied bandwidth.


<Router> display nat sip cac bandwidth information verbose


-------------------------------------------------------------------------------
Total Bandwidth(Kbps) Used Bandwidth(Kbps)
2000 1900
-------------------------------------------------------------------------------
Src-IP Src-Port Dest-IP Dest-Port Protocol Used Bandwidth(Kbps)
192.168.0.2 50 202.10.1.10 5060 udp 600
192.168.0.3 50 202.10.1.10 5060 udp 700
192.168.0.4 50 202.10.1.10 5060 udp 600
-------------------------------------------------------------------------------

# User 1, User 2, and User 3 in the enterprise's intranet can concurrently have a conference
call with User A on the Internet (the bandwidth does not exceed 2000 Kbps). If the total
bandwidth of the users who attempt to access the conference exceeds 2000 Kbps, the call
fails.

----End

Configuration Files
Configuration file of the Router
#
sysname Router
#
nat sip cac enable bandwidth 2000
#
return

5.11 Common Configuration Errors


This section describes common faults caused by incorrect NAT configurations to help you
avoid configuration errors.

5.11.1 Intranet Users Fail to Access Public Networks

Fault Description
This fault is commonly caused by one of the following:
- Outbound NAT is not properly configured on the outbound interface connected to the
  public network.
- The configuration of the ACL bound to outbound NAT is incorrect.

Procedure
Step 1 Check whether packets are received on interfaces of the device.

Run the display interface interface-type interface-number command on the device to display
the value of the Input field.

- If the value of the Input field is 0, the device does not receive any packets. Check the
  interface configuration to ensure that the interface can receive packets.
- If the value of the Input field is not 0, go to step 2.


NOTE

The device supports GE, FE, Eth-Trunk, and sub-interfaces. If an Eth-Trunk sub-interface is used, run
the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk
sub-interface receives packets.

Step 2 Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass
through.

Run the display nat outbound command on the device to check whether outbound NAT is
correctly configured.
[Huawei] display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
GigabitEthernet0/0/0 2000 1 no-pat
---------------------------------------------------------------------------
Total : 1

The preceding information indicates that ACL 2000 is bound to outbound NAT on
GigabitEthernet0/0/0.

Check whether the rule of ACL 2000 is configured correctly. If the IP address, interface
number, or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be
transmitted correctly.

Run the display acl 2000 command to check the configuration of ACL 2000, which is bound to
outbound NAT.
[Huawei] display acl 2000
Basic ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0

The rule of ACL 2000 matches packets with the source address 192.168.1.100.

- If the ACL rule is configured incorrectly, reconfigure the ACL rule.
- If the ACL rule is configured correctly but the fault persists, go to step 3.

Step 3 Check that the address pool configuration is correct.

Run the display nat address-group command on the device to check whether the address
pool bound to outbound NAT on the outbound interface is correct.
[Huawei] display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index Start-address End-address
--------------------------------------
1 10.0.0.100 10.0.0.110
--------------------------------------
Total : 1

To check Easy IP information on the outbound port, run the display nat outbound command
on the device. For example:
[Huawei] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet0/0/1 2000 1.1.1.1 easyip
--------------------------------------------------------------------------
Total : 1


The preceding information indicates that Easy IP is configured on GigabitEthernet0/0/1 and
the address pool 1.1.1.1 bound to the interface is the address pool advertised on the interface.
If NAT is disabled, perform the following steps:
- If the bound IP address is the interface address, ensure that the interface address is valid.

----End
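
The Step 2 check above (does the ACL bound to outbound NAT actually permit the host's packets?) can be run offline against a saved configuration file. The following Python script is an added example, not Huawei code; the sample configuration is constructed from the dynamic NAT configuration file earlier in this chapter. It assumes rules are evaluated in ascending rule-ID order with the first match deciding, and it parses only the address-plus-wildcard rule form used in this guide.

```python
import ipaddress
import re

# Constructed sample: ACL and interface sections copied from the dynamic NAT
# configuration file earlier in this chapter.
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
#
interface GigabitEthernet3/0/0
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
#
"""

# Basic rule:    rule 5 permit source 192.168.1.100 0
# Advanced rule: rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny)(?: (?!source)\S+)? source (\S+) (\S+)"
    r"(?: destination (\S+) (\S+))?")
ANY = (0, 0xFFFFFFFF)  # base 0 with every bit wildcarded matches any address


def _addr(text):
    """Dotted quad, or the bare '0' wildcard shorthand, as a 32-bit integer."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def _matches(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def parse(config):
    """Return ({acl_number: [rules]}, [(interface, acl_number, nat_args)])."""
    acls, bindings = {}, []
    acl = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                       # '#' closes the current section
            acl = iface = None
        elif m := re.match(r"acl number (\d+)$", line):
            acl, iface = acls.setdefault(int(m.group(1)), []), None
        elif m := re.match(r"interface (.+)$", line):
            acl, iface = None, m.group(1)
        elif acl is not None and (m := RULE_RE.match(line)):
            rule_id, action, s_base, s_wild, d_base, d_wild = m.groups()
            dst = (_addr(d_base), _addr(d_wild)) if d_base else ANY
            acl.append((int(rule_id), action, (_addr(s_base), _addr(s_wild)), dst))
        elif iface and (m := re.match(r"nat outbound (\d+)\s*(.*)$", line)):
            bindings.append((iface, int(m.group(1)), m.group(2)))
    return acls, bindings


def acl_action(rules, src, dst):
    """First matching rule in ascending rule-ID order decides; None = no match."""
    for _, action, (s_base, s_wild), (d_base, d_wild) in sorted(rules):
        if _matches(src, s_base, s_wild) and _matches(dst, d_base, d_wild):
            return action
    return None


def matching_bindings(config, src, dst="0.0.0.0"):
    """NAT outbound bindings whose ACL permits a packet from src to dst."""
    acls, bindings = parse(config)
    s, d = _addr(src), _addr(dst)
    return [(iface, num, args) for iface, num, args in bindings
            if acl_action(acls.get(num, []), s, d) == "permit"]


if __name__ == "__main__":
    for host in ("192.168.20.5", "10.0.0.7", "172.16.0.1"):
        print(host, "->", matching_bindings(SAMPLE_CONFIG, host) or "not translated")
```

An empty result for a host that should reach the public network points at the ACL rule (wrong address or wildcard) rather than at the address pool.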

5.11.2 External Hosts Fail to Access Internal Servers

Fault Description
This fault is commonly caused by one of the following:

- The NAT server is configured on an incorrect interface, such as an outbound port or another
  unrelated interface. The NAT server must be configured on the inbound interface of an
  external host that connects to the internal network.
- The NAT server configuration is incorrect. For example, the corresponding public and
  private IP addresses of internal servers are incorrect, and private ports and enabled ports
  of internal servers are different.

Procedure
Step 1 Check whether services on the internal NAT server are running properly.

When the external network cannot access the internal NAT server, check whether services
such as HTTP server and FTP server are enabled on the internal NAT server. Access the
internal NAT server from an internal host to check whether the services are running properly.

- If services on the internal NAT server are not running properly, enable the services.
- If services on the internal NAT server are running properly but the fault persists, go to
  step 2.

Step 2 Check that the NAT server is configured correctly.

Run the display nat server command on the device to check that the NAT server is
configured on the correct NAT interface and the correct protocol type, interface number, and
IP address are configured.
[Huawei] display nat server
Nat Server Information:
Interface : GigabitEthernet 2/0/0
Global IP/Port : 1.1.1.1/80 (www)
Inside IP/Port : 192.168.0.100/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Description : ----
Total : 1

Ensure that the mapped internal address and port are correct. When some services such as
FTP and TFTP transmit data packets, several ports (some of them randomly generated) are
used. Therefore, to configure the NAT server providing such services, cancel the limitation
on the ports so that the internal server can provide services normally.

- If the NAT server is configured incorrectly, reconfigure the NAT server.
- If the NAT server is configured correctly but the fault persists, go to step 3.
Step 3 Check the connection between the external host and NAT server and the configurations of the
connected ports.
Check that the IP address of the outbound interface on the NAT server is correct and the
external IP address of the NAT server is correct. The IP addresses cannot conflict with the
addresses on other network segments. Ping the external interface of the NAT server on an
external host. Ensure that the external host can ping the NAT server successfully.
- If the external host cannot connect to the NAT server, check the connection.
- If the external host and NAT server are connected correctly but the fault persists, go to
  step 4.
Step 4 Check that the internal NAT server is configured with the correct gateway address or route.
The internal NAT server must be configured with the correct route or gateway address so that
packets destined for the external host can be sent to the gateway.
- If the gateway address or route on the internal NAT server is configured incorrectly,
  reconfigure it.
- If the gateway address or route on the internal NAT server is configured correctly but the
  fault persists, contact technical support personnel.
----End

5.11.3 Internal Hosts with an Overlapped IP Address Fail to Access External Servers

Fault Description
This fault is commonly caused by one of the following:
• Outbound NAT is incorrectly configured on the outbound port.
• NAT ALG is disabled for the DNS protocol.
• The DNS mapping entry is configured incorrectly. For example, the corresponding
  public address is different from the IP address of an external server.
• The route between the temporary address pool and the outbound interface is not
  configured.

Procedure
Step 1 Check that outbound NAT is configured correctly.
Run the display nat outbound command on the device to check whether outbound NAT is
configured correctly.
[Huawei]display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
---------------------------------------------------------------------------
GigabitEthernet0/0/1 3180 1 pat
---------------------------------------------------------------------------
Total : 1

The preceding information indicates that ACL 3180 is bound to outbound NAT and the
address pool index is 1. Check that outbound NAT references a correct address pool. When
configuring an address pool, ensure that the destination address on the external network is
different from any address in the address pool. Run the display nat address-group command
to check the configuration of the address pool.
[Huawei]display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index Start-address End-address
--------------------------------------
1 202.10.10.10 202.10.10.100
--------------------------------------
Total : 1

Check that the ACL rules bound to outbound NAT are correct. Typically, the problem is that
incorrect addresses, protocol types, or port numbers are defined in the ACL rules. When an ACL
problem occurs, packets on the internal network cannot be sent out or packets on the external
network cannot be sent to the internal network.

Run the display acl 3180 command to check the ACL bound to outbound NAT.
[Huawei]display acl 3180
Advanced ACL 3180, 1 rule
Acl's step is 5
rule 5 permit tcp source 1.1.1.1 0

NOTE

An ACL strictly controls the permitted address segments, protocols, and ports based on the networking
requirements. If certain protocol packets are rejected by the NAT gateway, check whether the packets of
this protocol are permitted by the ACL.
• If outbound NAT is configured incorrectly, correct the configuration.
• If outbound NAT is configured correctly but the fault persists, go to step 2.

Step 2 Check that the DNS mapping entry is configured correctly.

Run the display nat dns-map command on the device to check whether the NAT server is
configured on the correct NAT interface and check whether the protocol type, port
number, and IP address are correctly configured.
[Huawei]display nat dns-map
NAT DNS mapping information:
Domain-name : test1
Global IP : 10.1.1.1
Global port : 2012
Protocol : tcp

Total : 1

• If the DNS mapping entry is configured incorrectly, run the nat dns-map command in
  the system view to configure a DNS mapping entry correctly.
• If the DNS mapping entry is configured correctly but the fault persists, go to step 3.

Step 3 Check that NAT ALG is enabled for the DNS protocol.

Run the display nat alg command on the device to check whether NAT ALG is enabled for
the DNS protocol.
[Huawei]display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application Status
----------------------------------
dns Disabled
ftp Disabled
rtsp Enabled
sip Disabled
pptp Disabled
----------------------------------

• If NAT ALG is disabled for the DNS protocol, run the nat alg command to enable it.
• If NAT ALG is enabled for the DNS protocol but the fault persists, go to step 4.
Step 4 Check that the mappings between overlapped address pools and temporary address pools are
correct.
Run the display nat overlap-address command on the device to check whether all the
mappings between overlapped address pools and temporary address pools are correct.
[Huawei]display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
----------------------------------------------------------------------
Id Overlap-Address Temp-Address Pool-Length Inside-VPN-Instance-Name
----------------------------------------------------------------------
1 1.1.1.1 20.20.20.20 34
-----------------------------------------------------------------------
Total : 1

NOTE

The temporary address pool contains available IP addresses on the device. The IP addresses in the
address pool cannot conflict with any interface address, VRRP address, or NAT address. In the
preceding information, Inside-VPN-Instance-Name specifies the VPN instance to which the internal
interface connected to the host belongs.

• If the mappings are incorrect, reconfigure the mappings.
• If the mappings are correct but the fault persists, go to step 5.
Step 5 Check that the route between the temporary address pool and the outbound interface is
configured.
Run the display ip routing-table command on the device to check all the routes on the public
network.
[Huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 2 Routes : 2

Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
10.0.0.0/8          Static  60   0     D      10.164.50.1   Ethernet1/0/0
10.10.10.10/32      Direct  64   0     D      127.0.0.1     Vlanif3

NOTE

If the name of the VPN instance where the internal interface is located has been configured, run the
display ip routing-table vpn-instance vpn-name command to check the routes.

• If there is no correct route, reconfigure a route.
• If the route is correct but the fault persists, contact technical support personnel.

----End
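The checks from steps 2 through 5 can be run offline against captured command output. The following Python sketch is an added example, not part of the Huawei guide: the function names are hypothetical, the captured text is condensed from the sample output shown above, and it assumes that Pool-Length counts addresses starting at Temp-Address and that a route "exists" when one routing-table destination covers the whole temporary pool.

```python
import ipaddress
import re

IP = r"\d+\.\d+\.\d+\.\d+"

# Captured output, condensed from the display commands shown in this section.
NAT_ALG = """\
Application Status
dns Disabled
ftp Disabled
rtsp Enabled
sip Disabled
pptp Disabled
"""
DNS_MAP = """\
Domain-name : test1
Global IP : 10.1.1.1
Global port : 2012
Protocol : tcp
"""
ADDRESS_GROUP = """\
Index Start-address End-address
1 202.10.10.10 202.10.10.100
"""
OVERLAP = """\
Id Overlap-Address Temp-Address Pool-Length Inside-VPN-Instance-Name
1 1.1.1.1 20.20.20.20 34
"""
ROUTES = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.0.0/8 Static 60 0 D 10.164.50.1 Ethernet1/0/0
10.10.10.10/32 Direct 64 0 D 127.0.0.1 Vlanif3
"""


def alg_status(text):
    """display nat alg -> {application: enabled?}"""
    rows = re.findall(r"^[ \t]*(\w+)[ \t]+(Enabled|Disabled)[ \t]*$", text, re.M)
    return {app: state == "Enabled" for app, state in rows}


def dns_maps(text):
    """display nat dns-map -> {domain name: global IP}"""
    names = re.findall(r"Domain-name\s*:\s*(\S+)", text)
    ips = re.findall(rf"Global IP\s*:\s*({IP})", text)
    return dict(zip(names, map(ipaddress.ip_address, ips)))


def address_pools(text):
    """display nat address-group -> [(index, first address, last address)]"""
    rows = re.findall(rf"^[ \t]*(\d+)[ \t]+({IP})[ \t]+({IP})[ \t]*$", text, re.M)
    return [(int(i), ipaddress.ip_address(s), ipaddress.ip_address(e)) for i, s, e in rows]


def temp_pools(text):
    """display nat overlap-address all -> [(first temp address, last temp address)]"""
    rows = re.findall(rf"^[ \t]*\d+[ \t]+{IP}[ \t]+({IP})[ \t]+(\d+)", text, re.M)
    pools = []
    for temp, length in rows:
        start = ipaddress.ip_address(temp)
        pools.append((start, start + int(length) - 1))  # assumption: length counts addresses
    return pools


def routes(text):
    """display ip routing-table -> [destination networks]"""
    return [ipaddress.ip_network(d) for d in re.findall(rf"^[ \t]*({IP}/\d+)[ \t]", text, re.M)]


def diagnose(domain, server_ip, alg=NAT_ALG, dns_map=DNS_MAP, group=ADDRESS_GROUP,
             overlap=OVERLAP, rib=ROUTES):
    """Return the fault causes from this section that the captured output supports."""
    server = ipaddress.ip_address(server_ip)
    causes = []
    if not alg_status(alg).get("dns", False):
        causes.append("dns-alg-disabled")
    if dns_maps(dns_map).get(domain) != server:
        causes.append("dns-map-mismatch")
    if any(lo <= server <= hi for _, lo, hi in address_pools(group)):
        causes.append("destination-in-address-pool")
    nets = routes(rib)
    for lo, hi in temp_pools(overlap):
        if not any(lo in net and hi in net for net in nets):
            causes.append(f"no-route-for-temp-pool {lo}-{hi}")
    return causes


if __name__ == "__main__":
    # External server address 10.1.1.1 is a constructed value for the demo.
    for cause in diagnose("test1", "10.1.1.1"):
        print(cause)
```

The ACL check from step 1 is not covered, because whether a rule is correct depends on the networking requirements rather than on the output alone.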


6 UDP Helper Configuration

About This Chapter

This chapter describes the principle and configuration of UDP helper, and provides
configuration examples.

6.1 UDP Helper Overview
This section describes the background and functions of UDP Helper.
6.2 Configuration Notes
6.3 Configuring UDP Helper
The UDP helper function relays the UDP broadcast packets destined for specified ports.
6.4 Maintaining UDP Helper
UDP helper maintenance includes displaying and clearing UDP helper statistics.
6.5 Configuration Examples
This example describes how to configure UDP helper on an industrial switch router.

6.1 UDP Helper Overview


This section describes the background and functions of UDP Helper.

Background
Hosts on a network may need to obtain the network configuration or resolve host names by
sending UDP broadcast packets to the server. If the hosts and server are located in different
broadcast domains, broadcast packets cannot reach the server and the hosts cannot obtain the
required information from the server.
The industrial switch router provides the UDP helper function to solve this problem. UDP
helper can relay the UDP broadcast packets with specified destination ports. It converts the
broadcast packets into unicast packets and sends the unicast packets to the specified
destination servers.
As shown in Figure 6-1, HostA uses a host name to access HostB, and the NetBIOS Name
Service (NetBIOS-NS) server resolves the host name of HostB. The NetBIOS-NS server and
HostA are in different broadcast domains, so the UDP broadcast packet with destination port
UDP 137 sent by HostA cannot reach the NetBIOS-NS server. After UDP helper is enabled
on the Router, the Router can forward the packet with destination port UDP 137 to the
NetBIOS-NS server through unicast so that the NetBIOS-NS server can resolve the host name
of HostB.

Figure 6-1 UDP helper relays broadcast packets
[Figure: HostA and HostB connect through LSW to Router; the UDP broadcast from HostA reaches
Router, which sends it as UDP unicast to the NetBIOS-NS server]

Packets Forwarded by UDP Helper


The packets that can be forwarded by UDP helper must meet the following requirements:

• The destination MAC address is the broadcast MAC address (ffff-ffff-ffff).
• The destination IP address is the broadcast IP address (255.255.255.255) or a subnet
  broadcast IP address (for example, 192.168.255.255).
• The Time-to-Live (TTL) is larger than 1.
• The protocol type is UDP.
• The destination port is a specified UDP port.

UDP Helper Ports


After UDP helper is enabled on the industrial switch router, the industrial switch router relays
the UDP packets with six specified destination ports by default. Manual configuration is
required if the industrial switch router needs to relay the UDP packets with other destination
ports. In addition to the 6 default ports, another 10 destination ports can be specified.

Table 6-1 lists the default UDP ports.

Table 6-1 Default UDP ports supported by UDP helper

Protocol                                                      UDP Port Number
Trivial File Transfer Protocol (TFTP)                         69
Domain Name System (DNS)                                      53
Time Service                                                  37
NetBIOS Name Service (NetBIOS-NS)                             137
NetBIOS Datagram Service (NetBIOS-DS)                         138
Terminal Access Controller Access Control System (TACACS)     49

NOTE
UDP helper does not relay DHCP packets. That is, the destination port number cannot be 67 or 68. To
relay DHCP packets, enable the DHCP relay function on the industrial switch router. For details about
DHCP relay, see .
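The forwarding requirements and port rules above can be expressed as one decision function over a raw Ethernet frame, which is useful when reviewing which captured broadcasts a relay would turn into unicast traffic toward a server. This Python sketch is an added example, not Huawei code: the function names are hypothetical, the frames are constructed test input, and it assumes that "subnet broadcast" means the broadcast address of the receiving interface's subnet.

```python
import ipaddress
import struct

# Default relay ports from Table 6-1.
DEFAULT_PORTS = {37: "time", 49: "tacacs", 53: "dns", 69: "tftp",
                 137: "netbios-ns", 138: "netbios-ds"}
DHCP_PORTS = {67, 68}      # never relayed by UDP helper (handled by DHCP relay)
MAX_EXTRA_PORTS = 10       # ports that can be specified beyond the six defaults
BROADCAST_MAC = b"\xff" * 6
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def relay_ports(extra_ports=()):
    """Return the effective relay port set, enforcing the limits stated in this section."""
    extra = set(extra_ports) - set(DEFAULT_PORTS)
    if extra & DHCP_PORTS:
        raise ValueError("ports 67 and 68 belong to DHCP relay, not UDP helper")
    if len(extra) > MAX_EXTRA_PORTS:
        raise ValueError("at most 10 ports can be added to the six defaults")
    return set(DEFAULT_PORTS) | extra


def relay_decision(frame, iface_net, extra_ports=()):
    """Return (relayed, reason) for an Ethernet II frame received on an interface in iface_net."""
    ports = relay_ports(extra_ports)
    net = ipaddress.ip_network(iface_net, strict=False)
    if len(frame) < 14 + 20:
        return False, "truncated frame"
    if frame[0:6] != BROADCAST_MAC:
        return False, "destination MAC is not ffff-ffff-ffff"
    if frame[12:14] != b"\x08\x00":
        return False, "not IPv4"
    ver_ihl, _, _, _, frag, ttl, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return False, "malformed IPv4 header"
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip != LIMITED_BROADCAST and dst_ip != net.broadcast_address:
        return False, "destination IP is not a broadcast address"
    if ttl <= 1:
        return False, "TTL is not larger than 1"
    if proto != 17:
        return False, "protocol is not UDP"
    if frag & 0x1FFF:
        return False, "non-first fragment carries no UDP header"
    udp_off = 14 + ihl                       # honours IP options when IHL > 5
    if len(frame) < udp_off + 8:
        return False, "truncated UDP header"
    dport = struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0]
    if dport in DHCP_PORTS:
        return False, "DHCP port: handled by DHCP relay, not UDP helper"
    if dport not in ports:
        return False, f"UDP port {dport} is not a relay port"
    return True, f"relayed as unicast (port {dport})"


def build_frame(dst_mac, dst_ip, ttl, proto, dport, payload=b"x"):
    """Construct an Ethernet II + IPv4 + UDP frame as test input (checksums left at zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, proto, 0,
                     bytes([10, 110, 1, 20]), bytes(map(int, dst_ip.split("."))))
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + udp


if __name__ == "__main__":
    cases = [("NetBIOS-NS query", 137), ("DHCP discover", 67), ("unlisted port", 5000)]
    for label, port in cases:
        frame = build_frame(BROADCAST_MAC, "255.255.255.255", 64, 17, port)
        print(label, relay_decision(frame, "10.110.1.1/16"))
```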

6.2 Configuration Notes

Involved Network Elements
None

License Support
UDP Helper functions are basic functions of routers and can be obtained without licenses.

Feature Dependencies and Limitations
• Among the AR500 series routers, the AR502G-L-D-H and AR502GR-L-D-H do not support the
  UDP helper function.

6.3 Configuring UDP Helper


The UDP helper function relays the UDP broadcast packets destined for specified ports.

Pre-configuration Tasks
Before configuring UDP helper, complete the following task:

• Configuring a reachable route from the industrial switch router to the destination server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
udp-helper enable

UDP helper is enabled.

Step 3 (Optional) Run:
udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }

The UDP destination port to which UDP broadcast packets are relayed is specified.

NOTE

After UDP helper is enabled, the industrial switch router relays the UDP packets with the following
destination ports by default: Time (37), TACACS (49), DNS (53), TFTP (69), NetBIOS-NS (137), and
NetBIOS-DS (138). If the UDP destination port you want to specify is among the six ports, skip this
step.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed.

The interface must be a VLANIF interface, Layer 3 Ethernet interface, or Layer 3 Ethernet
sub-interface.

Step 5 Run:
udp-helper server ip-address

The destination server for UDP helper is specified.

----End

Checking the Configuration


• Run the display udp-helper port command to check the UDP port numbers of the
  packets that need to be relayed.

6.4 Maintaining UDP Helper


UDP helper maintenance includes displaying and clearing UDP helper statistics.

6.4.1 Displaying UDP Helper Statistics

Procedure
• Run the display udp-helper server command to display the packet relay interface,
  destination server address, and number of forwarded packets.

----End

6.4.2 Clearing UDP Helper Statistics


Context

UDP helper statistics cannot be restored after being cleared. Exercise caution when you run
the reset udp-helper packet command.

Procedure
• Run the reset udp-helper packet command in the user view to clear UDP helper
  statistics.
----End

6.5 Configuration Examples


This example describes how to configure UDP helper on an industrial switch router.

6.5.1 Example for Configuring UDP Helper


Networking Requirements
As shown in Figure 6-2, Router connects to a local area network (LAN) through GE1/0/0.
The IP address of GE1/0/0 is 10.110.1.1/16. NetBIOS-NS is connected to GE2/0/0 on Router.
The IP address of the NetBIOS-NS server is 1.1.1.1/16 and the IP address of GE2/0/0 is
1.1.1.2/16. PC1 and PC2 on the LAN need to access each other using host names.


Figure 6-2 UDP helper network
[Figure: NetBIOS-NS server (1.1.1.1/16) connects to Router GE2/0/0 (1.1.1.2/16); Router GE1/0/0
(10.110.1.1/16) connects to LSW, which connects PC1 and PC2]

Configuration Roadmap
1. Because the PCs on the LAN need to access each other using host names, the host names
must be resolved into IP addresses. However, the NetBIOS-NS and PCs are in different
broadcast domains. The NetBIOS-NS Register packets cannot reach the NetBIOS-NS
server. The Router must be enabled with UDP helper to forward the UDP packets with
destination port 137 (NetBIOS-NS port) to the NetBIOS-NS server.
2. After UDP helper is enabled, specify the IP address of destination NetBIOS-NS server
on GE1/0/0 of Router.


NOTE

After UDP helper is enabled on the Router, the Router relays the broadcast packets with UDP destination port
137 by default. The UDP port number, therefore, does not need to be configured in this example.

Procedure
Step 1 Assign an IP address to GE1/0/0 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ip address 10.110.1.1 16
[Router-GigabitEthernet1/0/0] quit

Step 2 Assign an IP address to GE2/0/0 on Router.


[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 1.1.1.2 16
[Router-GigabitEthernet2/0/0] quit

Step 3 Enable UDP helper.


[Router] udp-helper enable

Step 4 Configure a destination server for packet relay on GE1/0/0 of Router.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] udp-helper server 1.1.1.1
[Router-GigabitEthernet1/0/0] quit
[Router] quit

Step 5 Verify the configuration.


# Run the display udp-helper server command to check UDP Helper statistics.
<Router> display udp-helper server
Server-interface Server-Ip packet-num
------------------------------------------------------------------------
GigabitEthernet1/0/0 1.1.1.1 201

# Run the display udp-helper port command to check the configured destination port
number of UDP packets to be forwarded using the UDP Helper.
<Router> display udp-helper port
Udp-Port-Number Description
-------------------------------------------------------------
37 Time
49 TAC Access Control System
53 Domain Name Server
69 Trivial File Transfer Protocol
137 NETBIOS Name Service
138 NETBIOS Datagram Service

----End

Configuration Files
Configuration file of the Router

#
sysname Router
#
udp-helper enable
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 1.1.1.1
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip address 1.1.1.2 255.255.0.0
#
return


7 IP Performance Configuration

About This Chapter

You can optimize IP performance by adjusting parameters on the network.

7.1 IP Performance Overview


Parameters on certain networks need to be modified to optimize network performance.
7.2 Configuration Notes
7.3 Default Configuration
This section provides the default IP performance configuration.
7.4 Optimizing IP Performance
This section describes how to optimize IP performance. You can set IP performance
parameters to achieve best network performance.
7.5 Maintaining IP Performance
This section describes how to clear IP performance statistics to maintain IP performance.

7.1 IP Performance Overview


Parameters on certain networks need to be modified to optimize network performance.

A large number of packets need to be forwarded on the network, which may cause network
congestion and degrade network performance. IP performance optimization can solve the
problem. You can adjust parameters or forwarding modes for IP packets to achieve optimal
network performance.

7.2 Configuration Notes

Involved Network Elements


None


License Support
IP performance functions are basic functions of routers and can be obtained without licenses.

Feature Dependencies and Limitations


None

7.3 Default Configuration


This section provides the default IP performance configuration.

Table 7-1 describes the default configuration of IP performance.

Table 7-1 Default IP performance configuration

Parameter                                                   Default Configuration
Source IP address verification                              Disabled
IP packet fragmentation on outbound interface               Disabled
Fast ICMP reply function                                    Enabled
Discarding ICMP packets whose TTL values are 1 on an LPU    Disabled
Discarding ICMP packets that carry options on an LPU        Disabled
Discarding ICMP destination unreachable packets             Disabled
TCP SYN-Wait timer                                          75s
TCP FIN-Wait timer                                          675s
Socket receive/send buffer size                             8k bytes

7.4 Optimizing IP Performance


This section describes how to optimize IP performance. You can set IP performance
parameters to achieve best network performance.

Prerequisite
Before optimizing IP performance, complete the following task:

• Configuring IP addresses for interfaces

7.4.1 Configuring Source IP Addresses Verification


Context
Configuring source IP address verification enables an interface to check the validity of the
source IP addresses of received packets. Packets with invalid addresses are discarded. The
interface checks the source IP addresses only of packets that are forwarded to the CPU. It
does not check the source IP addresses of packets that are forwarded directly according to
the FIB table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

Step 3 Run:
ip verify source-address

Source IP address verification is configured.


By default, an interface does not check validity of source IP addresses of received packets.

----End

7.4.2 Configuring an Outbound Interface to Fragment IP Packets


Context
During actual packet forwarding, the length of an IP packet may exceed the MTU value.
Packets whose length exceeds the MTU value and whose DF field is 1 are discarded. Therefore,
IP packet fragmentation can be enabled so that the system sets the DF field of IP packets to 0
and fragments the packets. In this way, all IP packets can be forwarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

NOTE

The function that clears the DF field is valid for outgoing packets; therefore, this function must be
configured on the outbound interface.

Step 3 Run:
clear ip df


The IP packet fragmentation is enabled on an outbound interface.


By default, an outbound interface does not fragment IP packets.

----End

7.4.3 Configuring Virtual Fragment Reassembly of IP Packets


Context
During network transmission, IP packets are fragmented if they are too long. The forwarding
device forwards the fragments, and the destination device receives the fragments and
reassembles them. If some fragments are discarded during transmission due to the bandwidth
limitation, the packets cannot be reassembled on the destination device. To solve the problem,
you can enable virtual fragment reassembly of IP packets on the intermediate device that
forwards the fragmented packets. After that, the device checks, sorts, and caches the received
fragments to ensure complete packet forwarding or scheduling.

NOTE
If the NAT, firewall, smart application control (SAC), or in-depth security defense function is
configured on the device, virtual fragment reassembly is enabled by default and cannot be disabled.
That is, the undo ip virtual-reassembly command does not take effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip virtual-reassembly

Virtual fragment reassembly of IP packets is enabled.


By default, virtual fragment reassembly of IP packets is disabled.

----End

7.4.4 Configuring Unequal Cost Multiple Path


Context
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the
bandwidth. Consequently, traffic congestion may occur on low-speed links and the bandwidth of
high-speed links cannot be used efficiently. To solve this problem, you can configure Unequal
Cost Multiple Path (UCMP) on an interface so that traffic is distributed over the equal-cost
links in proportion to their bandwidth. This configuration can achieve proper load balancing.
Among the equal-cost links, the bandwidth of any link must be equal to or greater than 1/4 of
the total bandwidth; otherwise, the link cannot participate in load balancing traffic by
bandwidth.
You are advised to configure the bandwidth of each link participating in UCMP to an integral
multiple of the minimum bandwidth. If the bandwidth of a link is not configured to an
integral multiple of the minimum bandwidth, the system still processes it as an integral
multiple of the minimum bandwidth. For example, if the bandwidths of four links participating in
UCMP are configured to 2 Kbps, 3 Kbps, 4 Kbps, and 5 Kbps, the final bandwidths of the
links are 2 Kbps, 2 Kbps, 4 Kbps, and 4 Kbps.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.

NOTE
Among all subinterfaces, only the Ethernet sub-interfaces (Dot1q and QinQ termination sub-interfaces) and
Eth-trunk sub-interfaces (Dot1q termination sub-interfaces) support configuration of unequal cost multiple
path.

Step 3 (Optional) Run:


load-balance bandwidth bandwidth

The bandwidth is manually configured for the interface.

For a logical interface, the interface bandwidth is not configured by default; for a physical
interface, the actual interface bandwidth is used by default. Therefore, this step is mandatory
for the logical interface.

Perform this step if you need to adjust the bandwidth of equal-cost links so that the equal-cost
links load balance traffic based on the configured bandwidth.

Step 4 Run:
load-balance unequal-cost enable

UCMP is enabled on the interface.

By default, UCMP is disabled on an interface.

Step 5 Run:
shutdown

The interface is shut down.

Step 6 Run:
undo shutdown

The interface is started.

Step 7 Run:
quit

Return to the system view.

To configure UCMP on other interfaces, repeat steps 2 through 7.


NOTE

Equal-cost links load balance proportional traffic based on the configured bandwidth only when UCMP
is enabled on the outbound interfaces of all equal-cost links and the shutdown and undo shutdown
commands are executed on the outbound interfaces in sequence to trigger FIB entry update. If UCMP is
not enabled on any outbound interface, the equal-cost links evenly load balance traffic even though FIB
entry update is triggered.

----End

7.4.5 Configuring the Device to Process IP Packets with Options


Context
IP packets can carry route options including the route alert option, route record option, source
route option, and timestamp option. These route options are used to diagnose network paths
and temporarily transmit special services. These options, however, may be used by attackers
to spy on the network structure for initiating attacks. This degrades network security and
device performance. To solve this problem, you can perform the following configurations to
configure the device to discard the IP packets that contain the route options.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

----End

7.4.6 Configuring an Interface to Forward Directed Broadcast Packets

Context
Directed broadcast packets are sent to a specified network. In the destination IP address of a
directed broadcast packet, the network number is that of the specified network and the host
number is all 1s.
To enable an interface to receive and forward directed broadcast packets destined for its direct
network segment, run the ip forward-broadcast command. Then the following situations
occur:
• The device is allowed to receive directed broadcast packets destined for the interface's
  direct network segment.
• When the device receives directed broadcast packets destined for this interface's direct
  network segment through other interfaces, the device forwards these packets through this
  interface.
Directed broadcast packets can be used by hackers to attack the network system, bringing
security risks. However, the device interfaces may need to receive or forward directed
broadcast packets in some scenarios. For example, to enable the Wake on LAN function so
that directed broadcast packets can be sent to wake up computers on a remote network, enable
the interface to receive and forward directed broadcast packets destined for its direct network
segment.

As shown in Figure 7-1, on the router, GE1/0/0 is on the same network segment with PC A;
GE2/0/0 is on another network segment with the WOL server. The WOL server uses directed
broadcast packets to wake up PC A. In normal cases, the directed broadcast packets are
isolated by the router. After the ip forward-broadcast command is run on the router's
GE1/0/0 to enable the interface to forward the directed broadcast packets, PC A can receive
the directed broadcast packets from the WOL server.

Figure 7-1 Configuring the interface to forward directed broadcast packets in the WOL scenario
[Figure: PC A (10.1.1.2/24) connects to Router GE1/0/0 (10.1.1.1/24); Router GE2/0/0
(10.2.2.1/24) connects to the WoL Server (10.2.2.2/24)]

NOTE

By default, the device identifies directed broadcast packets as malformed packets, and intercepts and
discards them because the attack defense function of malformed packets is enabled on the device. In this
case, the interface on the device cannot forward the directed broadcast packets.
To solve this problem, use either of the following methods:
• Run the anti-attack abnormal disable command to disable the attack defense function of
  malformed packets. However, after this command is configured, other malformed packets will not
  be intercepted and discarded, which brings certain security risks. Use this command with caution.
• Run the anti-attack disable command to disable all attack defense functions. However, after this
  command is configured, not only malformed packets but also fragmented, tcp-syn, udp-flood, and
  icmp-flood attack packets will not be intercepted and discarded, which brings certain security risks.
  Use this command with caution.

The device can also be enabled to receive and forward a certain type of directed broadcast
packets based on ACLs. For example, if the basic ACL is used, run the acl (system view) and
rule (basic ACL view) commands to define the directed broadcast packets to be received and
forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.

Procedure
Step 1 Configure the basic or advanced ACL. For details, see Configuring a Basic ACL or
Configuring an Advanced ACL in the Huawei AR Series IOT Gateway Configuration Guide -
Security - ACL Configuration.

Step 2 Run:
system-view

The system view is displayed.

Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ip forward-broadcast [ acl acl-number ]

The interface is configured to forward directed broadcast packets.


By default, an interface does not forward directed broadcast packets.
Only broadcast packets that match the permit action defined in the ACL are forwarded.
Broadcast packets that match the deny action defined in the ACL or do not match any ACL
rules are not forwarded.

----End
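Because ip forward-broadcast and the anti-attack commands trade reachability for exposure, it helps to review a saved configuration for interfaces that forward directed broadcasts without a restrictive ACL. The following Python audit is an added example, not Huawei code: the function names are hypothetical, the configuration is constructed, and it assumes the saved file lists ACLs as "acl number N" with indented rule lines and shows the anti-attack commands as they are typed.

```python
import re

# Constructed sample in saved-configuration style, based on the WoL scenario above.
SAMPLE_CONFIG = """\
#
sysname Router
#
anti-attack abnormal disable
#
acl number 2000
 rule 5 permit source 10.2.2.2 0
#
acl number 2001
 rule 5 permit
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 ip forward-broadcast acl 2000
#
interface GigabitEthernet2/0/0
 ip address 10.2.2.1 255.255.255.0
 ip forward-broadcast
#
interface GigabitEthernet3/0/0
 ip forward-broadcast acl 2001
#
interface GigabitEthernet4/0/0
 ip forward-broadcast acl 2999
#
return
"""


def parse_blocks(text):
    """Map each top-level line to the list of indented sub-commands below it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() in ("#", "return"):
            current = None
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def unrestricted(rule):
    """True when a permit rule names no source or permits any source."""
    tokens = rule.split()
    if "source" not in tokens:
        return True
    return tokens[tokens.index("source") + 1:tokens.index("source") + 2] == ["any"]


def audit(text):
    """Return (severity, location, message) findings for directed-broadcast forwarding."""
    blocks = parse_blocks(text)
    acls = {}
    for header, body in blocks.items():
        m = re.fullmatch(r"acl (?:number )?(\d+)", header)
        if m:
            acls[m.group(1)] = body
    findings, forwarding = [], False
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        for cmd in body:
            m = re.fullmatch(r"ip forward-broadcast(?: acl (\d+))?", cmd)
            if not m:
                continue
            forwarding = True
            acl = m.group(1)
            if acl is None:
                findings.append(("high", name, "forwards all directed broadcasts (no ACL bound)"))
            elif acl not in acls:
                findings.append(("medium", name, f"binds ACL {acl}, which this file does not define"))
            else:
                permits = [r for r in acls[acl] if re.match(r"rule( \d+)? permit\b", r)]
                if not permits:
                    findings.append(("info", name, f"ACL {acl} has no permit rule: nothing is forwarded"))
                elif any(unrestricted(r) for r in permits):
                    findings.append(("high", name, f"ACL {acl} permits any source"))
    if "anti-attack disable" in blocks:
        findings.append(("high", "global", "all attack defense functions are disabled"))
    elif "anti-attack abnormal disable" in blocks:
        findings.append(("medium", "global", "malformed-packet defense is disabled"))
    elif forwarding:
        findings.append(("info", "global",
                         "malformed-packet defense is on: directed broadcasts are discarded"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {where:22} {message}")
```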

7.4.7 Configuring the Enhanced Forwarding Function for Control Packets Generated by the Device

Context
QoS policies take effect only for data packets. In certain cases, control packets need to be
managed. For example, bandwidth limitation is required for the control packets generated by
Telnet applications. The enhanced forwarding function can meet the requirement. You can
configure this function to apply QoS policies to the control packets generated by the device.
Currently, the enhanced forwarding function is valid only for the control packets generated by
the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip soft-forward enhance enable

The enhanced forwarding function is enabled.


By default, the enhanced forwarding function is enabled.
Step 3 (Optional) Set the priority for control packets.
1. Run:
set priority dot1p priority-value

The 802.1p priority is set for the control packets.


2. Run:
– Run the set priority protocol-type protocol-type dscp dscp-value command to set
the DSCP priority for the control packets according to the protocol type.
– Run the set priority acl acl-number dscp dscp-value command to set the DSCP
priority for the control packets according to the ACL rule.
You can set the priority of BGP, FTP, ICMP, SNMP, SSH, and Telnet control packets
according to the protocol type. To set the priority of other types of control packets,
configure advanced ACL rules according to Configuring an Advanced ACL and then set
the DSCP priority of the control packets according to the ACL rules.


NOTE

If you set the DSCP priority for control packets according to both the protocol type and ACL rule, the
DSCP priority configured according to the protocol type takes effect.

Step 4 (Optional) Configure the control packets to support QoS policies using one or more of the
following commands.
1. Run:
undo control-packet { bgp | icmp | igmp | ospf | pim | rip | snmp | ssh | telnet | vrrp | other-protocols } * output car bypass
or
undo control-packet all output car bypass

Control packets are configured to support the traffic policing function.

By default, control packets do not support the traffic policing function.
2. Run:
undo control-packet { bgp | icmp | igmp | ospf | pim | rip | snmp | ssh | telnet | vrrp | other-protocols } * output queue bypass
or
undo control-packet all output queue bypass

Control packets are configured to support QoS queue functions (including traffic
shaping, congestion management, and congestion avoidance).
By default, control packets do not support QoS queue functions.
3. Run:
undo control-packet { bgp | icmp | igmp | ospf | pim | rip | snmp | ssh | telnet | vrrp | other-protocols } * output filter bypass
or
undo control-packet all output filter bypass

The device is configured to discard control packets when the traffic policy or ACL-based
simplified traffic policy contains the deny action.
By default, the device does not discard control packets when the traffic policy and
ACL-based simplified traffic policy contain the deny action.
After this command is executed, the device discards control packets.

----End

Follow-up Procedures
Configuring the enhanced forwarding function for control packets only allows QoS policies to
take effect for those packets. To implement differentiated services for control packets,
configure QoS policies. For details, see Huawei AR Series IOT Gateway
Configuration Guide - QoS.

7.4.8 Configure Routing Forwarding for Broadcast Packets


Background
NOTE

Only V200R007C00 supports this configuration.

A router forwards broadcast packets according to its IP routing table by default. Broadcast
packets carry the destination MAC address of FFFF-FFFF-FFFF and a unicast destination IP
address. To prohibit broadcast packets from being forwarded using routes, disable routing
forwarding for broadcast packets.


In Figure 7-2, the PC connects to the Switch and traffic of the PC reaches the Firewall
through two links: LinkA and LinkB. The Firewall may receive through RouterA and
RouterB two copies of broadcast packets with the MAC address of FFFF-FFFF-FFFF from
the PC after the Switch forwards the packets. As a result, the Firewall may consider these
packets as abnormal packets after checking the packets.

To ensure that the Firewall receives only one copy of packets, run the broadcast routing
disable command on RouterA. This command will disable RouterA from forwarding
broadcast packets so that only RouterB forwards these packets to the Firewall.

Figure 7-2 Routing forwarding of broadcast packets

[Figure: the PC connects to the Switch, which reaches the Firewall over LinkA through
RouterA and over LinkB through RouterB.]

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
broadcast routing disable

Routing forwarding of broadcast packets is disabled.

By default, routing forwarding of broadcast packets is enabled.

----End

7.4.9 Configuring ICMP properties

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
icmp-reply fast

The fast ICMP reply function is enabled.

By default, the fast ICMP reply function is enabled on the device.


NOTE

After the fast ICMP reply function is enabled on the device, the local policy-based routing function does not
take effect for ICMP packets. Therefore, if the local policy-based routing function is configured on the
device, you are advised to disable the fast ICMP reply function.

Step 3 Run:
icmp ttl-exceeded drop

The device is configured to discard the ICMP packets whose TTL values are 1.
By default, the function of discarding ICMP packets whose TTL values are 1 is disabled.
Step 4 Run:
icmp with-options drop

The device is configured to discard the ICMP packets that carry options.
By default, the function of discarding ICMP packets that carry options is disabled.
Step 5 Run:
icmp unreachable drop

The function of discarding ICMP destination unreachable packets is enabled.


By default, the function of discarding ICMP destination unreachable packets is disabled.
Step 6 Run:
icmp port-unreachable send

The function of sending ICMP port unreachable packets is enabled.


The function of sending ICMP port unreachable packets is disabled.
Step 7 Run:
icmp time-exceed { extension { compliant | non-compliant } | classic }

The format of ICMP Time Exceeded packets is configured.


By default, ICMP Time Exceeded packets carry extension headers in compliant mode and
original datagrams are of variable length.
Step 8 Run:
icmp blackhole unreachable send

The BRAS is disabled from sending a Destination Unreachable ICMP packet to an initiator
when a tracert packet matches an IPv4 blackhole route.
By default, the BRAS is disabled from sending a Destination Unreachable ICMP packet to an
initiator when a tracert packet matches an IPv4 blackhole route.
Step 9 Run:
interface interface-type interface-number

The interface view is displayed.


Step 10 Run:
undo icmp ttl-exceeded send
The function to send ICMP Time Exceeded messages is enabled.
By default, an interface is enabled to send ICMP Time Exceeded messages.


Step 11 Run:
icmp host-unreachable send

The function of sending ICMP host unreachable packets is enabled.


By default, the function of sending ICMP host unreachable packets is enabled.

----End

7.4.10 Configuring TCP Properties


Context
When a TCP connection, such as a TCP connection for BGP, is set up between the industrial
switch router and other devices, TCP properties need to be configured.
The following TCP properties can be configured on the industrial switch router:
l SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no
response packet is received after the SYN-Wait timer expires, the TCP connection is
closed.
l FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the
FIN-Wait timer expires, the TCP connection is closed.
l Receive/send buffer size of connection-oriented socket.
l Aging time of the TCP Path MTU.
l MSS of TCP packets on an interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp timer syn-timeout interval

The SYN-Wait timer of TCP connections is configured.


By default, the value of the TCP SYN-Wait timer is 75s.
Step 3 Run:
tcp timer fin-timeout interval

The FIN-WAIT timer of TCP connections is configured.


By default, the value of the TCP FIN-Wait timer is 675s.
Step 4 Run:
tcp window window-size

The size of the receive or send buffer of a connection-oriented socket is configured.


By default, the size of the receive or send buffer of a connection-oriented socket is 8k bytes.
Step 5 Run:
tcp min-mss mss-value

The minimum MSS value is configured for a TCP connection.

By default, the minimum MSS value for a TCP connection is 216 bytes.

Step 6 Run:
interface interface-type interface-number

The interface view is displayed.

Step 7 Run:
tcp adjust-mss value

The MSS of TCP packets is configured on the interface.

By default, the MSS of TCP packets is not configured on the interface.

The MSS of TCP packets is an option defined in TCP. It refers to the maximum length of a
TCP packet segment that can be received by the peer device. When establishing the TCP
connection, the local and peer ends negotiate the MSS value to determine the maximum data
length of TCP packets. If the length of a TCP packet sent by the peer device exceeds the
negotiated MSS, the TCP packet is fragmented.

When configuring the MSS of TCP packets, pay attention to the following points:
l To ensure that TCP packets are not fragmented, pay attention to the relationship between
the MSS and MTU during configuration. MTU is an option defined by the data link layer
to identify whether IP packets need to be fragmented. If the size of an IP packet sent by
the peer device exceeds the MTU, the IP packet is fragmented. To ensure that packet
transmission is not affected, the MSS value plus the header lengths (such as the TCP
header and IP header) must not exceed the MTU value. For example, the default MTU
value of an Ethernet interface is 1500 bytes. To ensure that packets are not fragmented,
the MSS value can be set to 1460 bytes. The formula is as follows: Default MTU value
(1500 bytes) – Minimum length of the TCP header (20 bytes) – Minimum length of
the IP header (20 bytes) = 1460 bytes. The recommended MSS value is 1200 bytes.
l The tcp adjust-mss command takes effect not only when the industrial switch router
itself functions as the client or server of a TCP connection. When another device
functions as the client and performs MSS negotiation through the industrial switch router,
the negotiation result is modified based on the MSS configured on the industrial switch
router. The MSS value is changed to the value configured using the tcp adjust-mss
command only when the MSS value received by the industrial switch router is larger
than the configured value.
l If you run the tcp adjust-mss command multiple times in the same interface view, only
the latest configuration takes effect.

Step 8 Run:
tcp timer pathmtu-age age-time

The aging time for a TCP PMTU is configured.

By default, the aging time of the PMTU is 0 minutes, that is, the PMTU never ages.

----End
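
The MSS rules given under Step 7 can be traced on the bytes of a SYN segment. The following Python sketch is an added example, not code from this guide or from the device software: it derives the largest MSS for an MTU, applies the "rewrite only if larger" rule to a constructed TCP options field, and shows the checksum update a rewriting device has to make. The function names, the extra_overhead parameter and the sample bytes are assumptions of the example.

```python
import struct

IPV4_HEADER_MIN = 20   # minimum IPv4 header length in bytes (from the text above)
TCP_HEADER_MIN = 20    # minimum TCP header length in bytes (from the text above)
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds

# Constructed sample: options of a SYN advertising MSS 1460, SACK permitted,
# one NOP pad and window scale 7.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "01" "030307")


def largest_safe_mss(mtu, extra_overhead=0):
    """Largest MSS that fits in one unfragmented IPv4 packet of size mtu.

    extra_overhead (an assumption of this example) is any additional
    per-packet encapsulation on the path, in bytes.
    """
    mss = mtu - IPV4_HEADER_MIN - TCP_HEADER_MIN - extra_overhead
    if mss <= 0:
        raise ValueError("MTU is too small for the headers and overhead")
    return mss


def clamp_syn_mss(options, configured_mss):
    """Clamp the MSS option of a SYN; return (options, advertised, result).

    The option is rewritten only when the advertised MSS is larger than the
    configured value. advertised and result are None if no MSS option exists.
    """
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == OPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            (advertised,) = struct.unpack_from("!H", out, i + 2)
            result = min(advertised, configured_mss)
            struct.pack_into("!H", out, i + 2, result)
            return bytes(out), advertised, result
        i += length
    return bytes(out), None, None


def internet_checksum(data):
    """RFC 1071 one's-complement checksum over data (padded to 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def incremental_checksum(old_checksum, old_word, new_word):
    """RFC 1624 update for one changed 16-bit word: HC' = ~(~HC + ~m + m')."""
    total = (~old_checksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


if __name__ == "__main__":
    # Use the recommended 1200 bytes, never more than the MTU allows.
    target = min(1200, largest_safe_mss(1500))
    new_opts, before, after = clamp_syn_mss(SAMPLE_SYN_OPTIONS, target)
    print(f"MSS {before} -> {after}, options {new_opts.hex()}")
```

The checksum functions are applied here to the options field alone to keep the sample short; on a real segment the same incremental update is applied to the TCP checksum field.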


7.4.11 Checking the Configuration


Procedure
l Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-
address ] [ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port
remote-port-number ] ] command to check the TCP connection status.
l Run the display tcp statistics command to view the TCP traffic statistics.
l Run the display udp statistics command to view the UDP traffic statistics.
l Run the display ip statistics command to view the IP traffic statistics.
l Run the display ip [ ha ] socket [ monitor ] [ task-id task-id socket-id socket-id |
socket-type socket-type ] command to view information about the created IPv4 socket.
l Run the display icmp statistics command to view the ICMP traffic statistics.
l Run the display ip fast-forwarding table [ source-ip ip-address ] [ destination-ip ip-
address ] command to display information about IPv4 fast forwarding entries generated
on the router.
NOTE

Only routers in V200R007C00 support the source-ip ip-address and destination-ip ip-address
parameters.
l Run the display load-sharing ip-address ip-address mask vrf vrf-id command to check the
UCMP configuration.
----End

7.5 Maintaining IP Performance


This section describes how to clear IP performance statistics to maintain IP performance.

7.5.1 Clearing IP Performance Statistics


Context

The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Therefore, confirm
your operation before clearing the IP performance statistics.

Procedure
l After confirming that you want to clear IP statistics, run the reset ip statistics [ interface
interface-type interface-number ] command in the user view.
l After confirming that you want to clear statistics in a socket monitor, run the reset ip socket
monitor [ task-id task-id socket-id socket-id ] command in the user view.
l After confirming that you want to clear statistics on the dual receive buffer of the socket, run
the reset ip socket pktsort task-id task-id socket-id socket-id command in the user
view.


l After confirming that you want to clear statistics about RawIP packets, run the reset rawip
statistics command in the user view.
l After confirming that you want to clear TCP statistics, run the reset tcp statistics command
in the user view.
l After confirming that you want to clear UDP statistics, run the reset udp statistics command
in the user view.
----End


8 Basic IPv6 Configuration

About This Chapter

The IPv6 protocol stack supports routing protocols and application protocols on an IPv6
network.
8.1 IPv6 Overview
8.2 Principles
This section explains the fundamentals of IPv6 addresses, IPv6 packets, ICMPv6, Neighbor
Discovery Protocol (NDP), and path maximum transmission units (PMTUs).
8.3 Configuration Notes
8.4 Default Configuration
8.5 Configuring IPv6 Addresses for Interfaces
8.6 Configuring ICMPv6 Packet Control
8.7 Configuring IPv6 Neighbor Discovery
8.8 Configuring PMTU
When the device functions as the source node and sends IPv6 packets to the destination node,
the device fragments packets based on PMTU. The intermediate device does not need to
fragment packets, reducing the burden of the intermediate device to effectively use network
resources and obtain the maximum throughput.
8.9 Configuring TCP6
8.10 Configuring the Enhanced Forwarding Function for IPv6 Control Packets Generated by
the Device
8.11 Maintaining IPv6
8.12 Configuration Examples


8.1 IPv6 Overview


Definition
Internet Protocol version 6 (IPv6), also called IP Next Generation (IPng), is the second-
generation network layer protocol. Designed by the Internet Engineering Task Force (IETF),
IPv6 is an upgraded version of Internet Protocol version 4 (IPv4).

Purpose
IPv6 was developed in response to rapidly increasing Internet use. IPv4, despite being easy to
implement, simple to use, and providing good interoperability, is no longer feasible as the
dominant network layer protocol. This is mainly due to IPv4 address exhaustion.
Table 8-1 shows how IPv6 overcomes many of the deficiencies found in IPv4.

Table 8-1 Comparison between IPv6 and IPv4

Item: Address space
Deficiency in IPv4: IPv4 addresses are 32 bits long, theoretically giving an available IP
address space that contains about 4.3 billion IP addresses. The currently available IP
addresses are no longer sufficient to continually support the rapid expansion of the Internet.
IPv4 address resources are allocated unevenly. USA address resources account for almost half
of the global address space, with barely enough addresses left for Europe, and still fewer for
the Asia-Pacific area. Furthermore, the development of mobile IP and broadband technologies
still requires more IP addresses. The process of IP addresses being used up is known as IP
address exhaustion. While several solutions to IPv4 exhaustion are currently in place, such as
Classless Inter-domain Routing (CIDR) and Network Address Translator (NAT), they all have
significant disadvantages. These disadvantages prompted the development of IPv6.
Advantage of IPv6: IPv6 addresses are 128 bits long. A 128 bit structure allows for an address
space of 2^128 (4.3 billion x 4.3 billion x 4.3 billion x 4.3 billion) possible addresses. This
vast address space makes it very unlikely that IPv6 address exhaustion will ever occur.

Item: Packet format
Deficiency in IPv4: The IPv4 packet header carries the Options field, including security,
timestamp, and record route options. The variable length of the Options field makes the IPv4
packet header length range from 20 bytes to 60 bytes. IPv4 packets often need to be forwarded
by intermediate devices. Therefore, using the Options field occupies a large amount of
resources, which means this field is rarely used in practice.
Advantage of IPv6: Unlike the IPv4 packet header, the IPv6 packet header does not carry IHL,
identifier, flag, fragment offset, header checksum, option, or padding fields, but it does carry
the flow label field. This facilitates IPv6 packet processing and improves processing
efficiency. To support various options without changing the existing packet format, the
Extension Header information field is added to the IPv6 packet header, improving IPv6
flexibility.

Item: Autoconfiguration and readdressing
Deficiency in IPv4: IP addresses often need to be reallocated during network expansion or
re-planning. Currently, IPv4 depends on Dynamic Host Configuration Protocol (DHCP) to provide
address autoconfiguration and readdressing to simplify address maintenance.
Advantage of IPv6: IPv6 provides address autoconfiguration to allow hosts to automatically
discover networks and obtain IPv6 addresses, improving network manageability.

Item: Route summarization
Deficiency in IPv4: Many non-contiguous IPv4 addresses are allocated. Routes cannot be
summarized effectively due to incorrect IPv4 address allocation and planning. The increasingly
large routing table consumes a lot of memory and affects forwarding efficiency. Manufacturers
must continually upgrade devices to improve route addressing and forwarding performance.
Advantage of IPv6: The enormous address space allows for the hierarchical network design in
IPv6 to facilitate route summarization and improve forwarding efficiency.

Item: End-to-end security support
Deficiency in IPv4: The original IPv4 framework does not support end-to-end security because
security was not fully considered during the initial design.
Advantage of IPv6: IPv6 supports IP Security (IPSec) authentication and encryption at the
network layer, providing end-to-end security.

Item: Quality of Service (QoS) support
Deficiency in IPv4: IPv4 has no native mechanism to support QoS, especially when regarding
real-time forwarding of voice, data, and video services such as network conferencing, network
telephones, and network TVs.
Advantage of IPv6: The Flow Label field in IPv6 guarantees QoS for voice, data, and video
services.

Item: Mobility
Deficiency in IPv4: Due to the development of the Internet, mobile IPv4 experiences
significant problems such as triangular routing and source address filtering.
Advantage of IPv6: Mobile IPv6 improves mobile communication efficiency and is transparent to
the application layer because IPv6 has the native capability to support mobility. Unlike mobile
IPv4, mobile IPv6 uses the neighbor discovery function to discover a foreign network and obtain
a care-of address without using any foreign agent. The mobile node and peer node can
communicate using the routing header and destination options header. This function solves the
problems of triangular routing and source address filtering found in mobile IPv4.

8.2 Principles
This section explains the fundamentals of IPv6 addresses, IPv6 packets, ICMPv6, Neighbor
Discovery Protocol (NDP), and path maximum transmission units (PMTUs).

8.2.1 IPv6 Addresses


IPv6 Address Formats
An IPv6 address is 128 bits long and is written as eight groups of four hexadecimal digits
(base 16 digits represented by the numbers 0-9 and the letters A-F). Each group is separated
by a colon (:). For example, FC00:0000:130F:0000:0000:09C0:876A:130B is a complete and
valid IPv6 address.
For convenience, IPv6 addresses can be written in a compressed format. Taking the IPv6
address FC00:0000:130F:0000:0000:09C0:876A:130B as an example:
l Any leading zeroes in a group can be omitted. The example address now becomes
FC00:0:130F:0:0:9C0:876A:130B.
l A double colon (::) can be used when two or more consecutive groups contain all zeros.
The example address now becomes FC00:0:130F::9C0:876A:130B.
NOTE

An IPv6 address can contain only one double colon (::). Otherwise, a computer cannot determine the
number of zeros in a group when restoring the compressed address to the original 128-bit address.

IPv6 Address Structure


IPv6 addresses have two parts:
l Network prefix: Corresponds to the network ID of an IPv4 address. It is comprised of n
bits.
l Interface identifier (interface ID): Corresponds to the host ID of an IPv4 address. It is
comprised of 128-n bits.
NOTE

If the first 3 bits of an IPv6 unicast address are not 000, the interface ID must contain 64 bits. If the first
3 bits are 000, there is no such limitation.

You can manually configure the interface ID, generate it through system software, or generate
it in IEEE 64-bit Extended Unique Identifier (EUI-64) format. Generating an interface ID in
EUI-64 format is the most common practice.
IEEE EUI-64 standards convert an interface MAC address into an IPv6 interface ID. Figure
8-1 shows a 48-bit MAC address. When used as an interface ID, the first 24 bits (expressed
by c) are a vendor identifier, and the last 24 bits (expressed by m) are an extension identifier.
If the higher seventh bit is 0, the MAC address is locally unique. During conversion, EUI-64
inserts FFFE between the vendor identifier and extension identifier. The higher seventh bit
also changes from 0 to 1 to indicate that the interface ID is globally unique.

Figure 8-1 EUI-64 format

MAC address:                       cccccc0ccccccccccccccccc mmmmmmmmmmmmmmmmmmmmmmmm
Insert FFFE (1111111111111110):    cccccc0ccccccccccccccccc 1111111111111110 mmmm...mmmm
Change the seventh high bit to 1:  cccccc1ccccccccccccccccc 1111111111111110 mmmm...mmmm

For example, if the MAC address is 000E-0C82-C4D4, the interface ID is 020E:0CFF:FE82:C4D4
after the conversion.
Converting MAC addresses into IPv6 interface IDs reduces the configuration workload.
When using stateless address autoconfiguration, you only need an IPv6 network prefix to
obtain an IPv6 address. One defect of this method, however, is that an IPv6 address is easily
calculable based on a MAC address, and could therefore be used for malicious attacks.
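
The conversion described above, and the reason it exposes the hardware address, can be checked with a short script. This Python sketch is an added example and not part of the guide: it builds the EUI-64 interface ID for the MAC address used in the text, forms an address under a constructed documentation prefix, and then audits a list of addresses for interface IDs from which a MAC address can be read back. The function names, the 2001:db8::/64 prefix and the sample address list are assumptions of the example.

```python
import ipaddress
import re

# Constructed sample inventory; only the first and third entries are EUI-64 based.
SAMPLE_ADDRESSES = [
    "2001:db8::20e:cff:fe82:c4d4",
    "FC00:0:130F::9C0:876A:130B",
    "fe80::20e:cff:fe82:c4d4",
    "2001:db8::1",
]


def mac_to_bytes(mac):
    """Parse a MAC written as 000E-0C82-C4D4, 00:0e:0c:82:c4:d4 or 000e.0c82.c4d4."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Return the 8-byte interface ID derived from a 48-bit MAC address."""
    raw = bytearray(mac_to_bytes(mac))
    # Seventh high bit of the first byte. RFC 4291 defines the step as an
    # inversion; for a MAC where the bit is 0 it becomes 1, as in Figure 8-1.
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def format_interface_id(iid):
    """Format an interface ID as four colon-separated groups, e.g. 020E:0CFF:FE82:C4D4."""
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Combine a /64 network prefix with the EUI-64 interface ID of mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def recover_mac(address):
    """Return the MAC embedded in an EUI-64 based address, or None.

    Heuristic: an interface ID that merely happens to contain FFFE in the
    middle is reported as well.
    """
    low64 = int(ipaddress.IPv6Address(address)) & (2 ** 64 - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the bit change made during conversion
    return "-".join(mac[i:i + 2].hex().upper() for i in range(0, 6, 2))


def audit_addresses(addresses):
    """Map each address that reveals a MAC address to that MAC address."""
    found = {}
    for address in addresses:
        mac = recover_mac(address)
        if mac is not None:
            found[address] = mac
    return found


if __name__ == "__main__":
    print(format_interface_id(eui64_interface_id("000E-0C82-C4D4")))
    print(slaac_address("2001:db8::/64", "000E-0C82-C4D4"))
    for address, mac in audit_addresses(SAMPLE_ADDRESSES).items():
        print(f"{address} exposes MAC {mac}")
```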

IPv6 Address Types


IPv6 addresses can be classified as unicast, multicast, or a new class called anycast. Unlike
IPv4, there is no broadcast IPv6 address. Instead, a multicast address can be used as a
broadcast address.
IPv6 Unicast Address
An IPv6 unicast address identifies an interface. Since each interface belongs to a node, the
IPv6 unicast address of any interface can identify the relevant node. Packets sent to an IPv6
unicast address are delivered to the interface identified by that address.
IPv6 defines multiple types of unicast addresses, including the unspecified address, loopback
address, global unicast address, link-local address, and unique local address.


l Unspecified address
The IPv6 unspecified address is 0:0:0:0:0:0:0:0/128 or ::/128, indicating that an interface
or a node does not have an IP address. It can be used as the source IP address of some
packets, such as Neighbor Solicitation (NS) messages, in duplicate address detection.
Devices do not forward packets with an unspecified address as the source IP address.
l Loopback address
The IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128. Similar to the IPv4
loopback address 127.0.0.1, the IPv6 loopback address is used when a node needs to
send IPv6 packets to itself. This IPv6 loopback address is usually used as the IP address
of a virtual interface, such as a loopback interface. The loopback address cannot be used
as the source or destination IP address of packets needing to be forwarded.
l Global unicast address
An IPv6 global unicast address is an IPv6 address with a global unicast prefix, which is
similar to an IPv4 public address. IPv6 global unicast addresses support route prefix
summarization, helping limit the number of global routing entries.
Figure 8-2 shows a global unicast address consisting of a global routing prefix, subnet
ID, and interface ID.

Figure 8-2 Global unicast address format

Global routing prefix (m bit, provider; begins with 001) | Subnet ID (n bit, site) | Interface ID (128-m-n bit, host)

These components are described as follows:


Global routing prefix: is assigned by a service provider to an organization. A global
routing prefix is comprised of at least 48 bits. Currently, the first 3 bits of every assigned
global routing prefix is 001.
Subnet ID: is used by organizations to construct a local network (site). Similar to an IPv4
subnet number, there are a maximum of 64 bits for both the global routing prefix and
subnet ID.
Interface ID: identifies a device (host).
l Link-local address
Link-local addresses are used only in communication between nodes on the same local
link. A link-local address uses a link-local prefix of FE80::/10 as the first 10 bits
(1111111010 in binary) and an interface ID as the last 64 bits.
When IPv6 runs on a node, a link-local address that consists of a fixed prefix and an
interface ID in EUI-64 format is automatically assigned to each interface of the node.
This mechanism enables two IPv6 nodes on the same link to communicate without any
configuration, making link-local addresses widely used in neighbor discovery and
stateless address configuration.
Devices do not forward IPv6 packets with the link-local address as a source or
destination address to devices on different links.


Figure 8-3 shows the link-local address format.

Figure 8-3 Link-local address format

First 64 bit: 1111 1110 10 (FE80::/10, 10 bit), followed by 0
Last 64 bit: Interface ID

l Unique local address


Unique local addresses are used only within a site. Site-local addresses have been
replaced by unique local addresses.
Unique local addresses are similar to IPv4 private addresses. Any organization that does
not obtain a global unicast address from a service provider can use a unique local
address. However, they are routable only within a local network, not the Internet as a
whole.
Figure 8-4 shows the unique local address format.

Figure 8-4 Unique local address format

Prefix (7 bit, 1111 110, FC00::/7) | L (1 bit) | Global ID (40 bit) | Subnet ID (16 bit) | Interface ID (64 bit)

These components are described as follows:


Prefix: is fixed as FC00::/7.
L: is set to 1 if the address is valid within a local network. The value 0 is reserved for
future expansion.
Global ID: indicates a globally unique prefix, which is pseudo-randomly allocated.
Subnet ID: identifies a subnet within the site.
Interface ID: identifies an interface.
A unique local address has the following features:
– Has a globally unique prefix that is pseudo-randomly allocated with a high
probability of uniqueness.
– Allows private connections between sites without creating address conflicts.


– Has a well-known prefix (FC00::/7) that allows for easy route filtering at site
boundaries.
– Does not conflict with any other addresses if it is accidentally routed offsite.
– Functions as a global unicast address to applications.
– Is independent of Internet Service Providers (ISPs).
IPv6 Multicast Address
Like IPv4 multicast addresses, IPv6 multicast addresses identify groups of interfaces, which
usually belong to different nodes. A node may belong to any number of multicast groups.
Packets sent to an IPv6 multicast address are delivered to all the interfaces identified by the
multicast address. For example, the multicast address FF02::1 indicates all nodes within the
link-local scope, and FF02::2 indicates all routers within the link-local scope.
An IPv6 multicast address is composed of a prefix, a flag, a scope, and a group ID (global
ID).
l Prefix: is fixed as FF00::/8.
l Flag: is 4 bits long. The high-order 3 bits are reserved and must be set to 0s. The last bit
0 indicates a permanently-assigned, well-known multicast address allocated by the
Internet Assigned Numbers Authority (IANA). The last bit 1 indicates a non-
permanently-assigned (transient) multicast address.
l Scope: is 4 bits long. It limits the scope where multicast data flows are sent on the
network. Figure 8-5 shows the field values and meanings.
l Group ID (global ID): is 112 bits long. It identifies a multicast group. RFC does not
define all the 112 bits as a group ID but recommends using the low-order 32 bits as the
group ID and setting all of the remaining 80 bits to 0s. In this case, each multicast group
ID maps to a unique Ethernet multicast MAC address.
Figure 8-5 shows the IPv6 multicast address format.

Figure 8-5 IPv6 multicast address format

FF (1111 1111, 8 bit) | Flag (4 bit) | Scope (4 bit) | Reserved, must be zero (80 bit) | Group ID (32 bit)

Field  Value     Description
Flag   1         temporary multicast address
       0         permanent multicast address
Scope  1         node
       2         link
       4         management
       5         site
       8         organization
       E         global
       the rest  unassigned or reserved

l Solicited-node Multicast Address


A solicited-node multicast address is generated using an IPv6 unicast or anycast address
of a node. When a node has an IPv6 unicast or anycast address, a solicited-node
multicast address is generated for the node, and the node joins the multicast group that
corresponds to its IPv6 unicast or anycast address. Each unicast or anycast address
corresponds to a single solicited-node multicast address, which is often used in neighbor
discovery and duplicate address detection.
IPv6 does not support broadcast addresses or Address Resolution Protocol (ARP). In
IPv6, Neighbor Solicitation (NS) packets are used to resolve IP addresses to MAC
addresses. When a node needs to resolve an IPv6 address to a MAC address, it sends an
NS packet in which the destination IP address is the solicited-node multicast address
corresponding to the IPv6 address.
The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the
last 24 bits of the corresponding unicast address.
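
The address types and multicast fields described in this section can be derived directly from the 128 address bits. The following Python sketch is an added example, not part of the guide: it classifies an address by the prefixes given above, decodes the Flag and Scope fields of Figure 8-5, computes the solicited-node multicast address, and applies the forwarding restrictions stated for unspecified, loopback and link-local addresses. The function names are assumptions of the example, and the 33-33 Ethernet prefix used for the multicast MAC address comes from RFC 2464, not from this guide.

```python
import ipaddress

MULTICAST = ipaddress.IPv6Network("ff00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
# Scope values and names as listed in Figure 8-5.
SCOPES = {0x1: "node", 0x2: "link", 0x4: "management", 0x5: "site",
          0x8: "organization", 0xE: "global"}


def classify(address):
    """Return the address type named in this section for an IPv6 address."""
    addr = ipaddress.IPv6Address(address)
    if int(addr) == 0:
        return "unspecified"
    if int(addr) == 1:
        return "loopback"
    if addr in MULTICAST:
        return "multicast"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique local"
    if int(addr) >> 125 == 0b001:   # first 3 bits of assigned global prefixes
        return "global unicast"
    return "other"


def decode_multicast(address):
    """Split a multicast address into the Flag, Scope and Group ID fields."""
    raw = ipaddress.IPv6Address(address).packed
    if raw[0] != 0xFF:
        raise ValueError("not a multicast address (prefix is not FF00::/8)")
    flag, scope = raw[1] >> 4, raw[1] & 0x0F
    return {
        "transient": bool(flag & 0x1),            # last flag bit: 1 = temporary
        "scope": SCOPES.get(scope, "unassigned or reserved"),
        "group_id": int.from_bytes(raw[12:], "big"),   # low-order 32 bits
    }


def solicited_node(address):
    """FF02::1:FF00:0/104 plus the last 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(address):
    """Ethernet multicast MAC for a group: 33-33 plus the low-order 32 bits."""
    raw = ipaddress.IPv6Address(address).packed
    if raw[0] != 0xFF:
        raise ValueError("not a multicast address (prefix is not FF00::/8)")
    mac = b"\x33\x33" + raw[12:]
    return "-".join(mac[i:i + 2].hex().upper() for i in range(0, 6, 2))


def may_forward_off_link(source, destination):
    """Apply the forwarding restrictions stated for each unicast address type."""
    src, dst = classify(source), classify(destination)
    if src == "unspecified":
        return False                 # never forwarded with :: as source
    if "loopback" in (src, dst):
        return False                 # ::1 is not valid on forwarded packets
    if "link-local" in (src, dst):
        return False                 # FE80::/10 stays on the local link
    return True


if __name__ == "__main__":
    target = "FC00:0:130F::9C0:876A:130B"
    group = solicited_node(target)
    print(classify(target), group, multicast_mac(group), decode_multicast(group))
```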
IPv6 Anycast Address

An anycast address identifies a group of network interfaces, which usually belong to different
nodes. Packets sent to an anycast address are delivered to the nearest interface that is
identified by the anycast address, depending on the routing protocols.

Anycast addresses implement redundancy backup and load balancing functions when multiple
hosts or nodes are provided with the same services. Currently, a unicast address is assigned to
more than one interface to make a unicast address become an anycast address. When sending
data packets to anycast addresses, senders cannot determine which of the assigned devices
will receive the packets. Which device receives the packets depends on the routing protocols
running on the network. Anycast addresses are used in stateless applications, such as Domain
Name Service (DNS).

IPv6 anycast addresses are allocated from the unicast address space. Mobile IPv6 applications
also use anycast addresses.

NOTE

IPv6 anycast addresses can be assigned only to routing devices but not hosts. Anycast addresses cannot
be used as the source IP addresses of IPv6 packets.
l Subnet-router Anycast Address
RFC predefines a subnet-router anycast address. Packets sent to a subnet-router anycast
address are delivered to the nearest device on the subnet identified by the anycast
address, depending on the routing protocols. All devices must support subnet-router
anycast addresses. A subnet-router anycast address is used when a node needs to
communicate with any of the devices on the subnet identified by the anycast address. For
example, a mobile node needs to communicate with one of the mobile agents on the
home subnet.
In a subnet-router anycast address, the n-bit subnet prefix identifies a subnet, and the
remaining bits are padded with 0s. Figure 8-6 shows the subnet-router anycast address
format.

Figure 8-6 Subnet-router anycast address format


Subnet prefix (n bits) | 0 (128-n bits)


8.2.2 IPv6 Packet Format


An IPv6 packet has three parts: an IPv6 basic header, one or more IPv6 extension headers,
and an upper-layer protocol data unit (PDU).
An upper-layer PDU is composed of the upper-layer protocol header and its payload, which
may be an ICMPv6 packet, a TCP packet, or a UDP packet.

IPv6 Basic Header


An IPv6 basic header has a fixed length of 40 bytes and has eight fields. Each IPv6 packet
must have an IPv6 basic header, which provides basic packet forwarding information and is
parsed by all devices on the forwarding path.
Figure 8-7 shows the IPv6 basic header.

Figure 8-7 IPv6 basic header

Basic header (40 octets; each row is 32 bits wide):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Extension header (variable length):
Next Header | Extension Header information

An IPv6 basic header contains the following fields:


l Version: 4 bits long. In IPv6, the value of the Version field is set to 6.
l Traffic Class: 8 bits long. This field indicates the class or priority of an IPv6 packet. The
Traffic Class field is similar to the TOS field in an IPv4 packet and is mainly used in
QoS control.
l Flow Label: 20 bits long. This field was added in IPv6 to differentiate traffic. A flow
label and source IP address identify a data flow. Intermediate network devices can
effectively differentiate data flows based on this field.
l Payload Length: 16 bits long. This field indicates the length of the IPv6 payload in bytes.
The payload is the part of the IPv6 packet following the IPv6 basic header, including the
extension header and upper-layer PDU. This field has a maximum value of 65535. If the
payload length exceeds 65535 bytes, the field is set to 0, and the Jumbo Payload option
in the Hop-by-Hop Options header is used to express the actual payload length.


l Next Header: 8 bits long. This field identifies the type of the first extension header that
follows the IPv6 basic header or the protocol type in the upper-layer PDU.
l Hop Limit: 8 bits long. This field is similar to the Time to Live field in an IPv4 packet,
defining the maximum number of hops that an IP packet can pass through. Each device
that forwards the packet decrements the field value by 1. If the field value is reduced to
0, the packet is discarded.
l Source Address: 128 bits long. This field indicates the address of the packet originator.
l Destination Address: 128 bits long. This field indicates the address of the packet
recipient.
Unlike the IPv4 packet header, the IPv6 packet header does not carry IHL, identifier, flag,
fragment offset, header checksum, option, or padding fields, but it does carry the flow label
field. This facilitates IPv6 packet processing and improves processing efficiency. To support
various options without changing the existing packet format, the Extension Header
information field is added to the IPv6 packet header, improving flexibility. The following
paragraphs describe IPv6 extension headers.

IPv6 Extension Header


An IPv4 packet header has an optional field (Options), which includes security, timestamp,
and record route options. The variable length of the Options field makes the IPv4 packet
header length range from 20 bytes to 60 bytes. When devices forward IPv4 packets with the
Options field, many resources need to be used. Therefore, these IPv4 packets are rarely used
in practice.
To improve packet processing efficiency, IPv6 uses extension headers to replace the Options
field in the IPv4 header. Extension headers are placed between the IPv6 basic header and
upper-layer PDU. An IPv6 packet may carry zero or more extension headers. The sender of a
packet adds one or more extension headers to the packet only when the sender requests the
destination device or other devices to perform special handling. Unlike IPv4, IPv6 has
variable-length extension headers, which are not limited to 40 bytes. This facilitates further
extension. To improve extension header processing efficiency and transport protocol
performance, IPv6 requires that the extension header length be an integer multiple of 8 bytes.
When multiple extension headers are used, the Next Header field of an extension header
indicates the type of the next header following this extension header. The Next Header field in
the IPv6 basic header indicates the type of the first extension header, and the Next Header
field in the first extension header indicates the type of the next extension header. If there are
no extension headers following the current one, the Next Header field indicates the upper-
layer protocol type. Figure 8-8 shows the IPv6 extension header format.


Figure 8-8 IPv6 extension header format


Basic header (40 octets):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Extension headers (variable length):
Next Header | Extension Header Len | Extension Head Data
Next Header | Extension Header Len | Extension Head Data
...
Next Header | Extension Header Len | Extension Head Data (last)

Data

An IPv6 extension header contains the following fields:


l Next Header: 8 bits long. This is similar to the Next Header field in the IPv6 basic
header, indicating the type of the next extension header (if any) or the upper-layer
protocol type.
l Extension Header Len: 8 bits long. This indicates the extension header length excluding
the Next Header field.
l Extension Head Data: Variable length. This includes a series of options and the padding
field.
RFC defines six IPv6 extension headers: Hop-by-Hop Options header, Destination Options
header, Routing header, Fragment header, Authentication header, and Encapsulating Security
Payload header.


Table 8-2 IPv6 extension headers

Header Type | Next Header Field Value | Description
Hop-by-Hop Options header | 0 | This header carries information that every node must examine along the delivery path of a packet. This header is used in the following applications: jumbo payload (if the payload length exceeds 65535 bytes); prompting devices to check this option before the devices forward packets; Resource Reservation Protocol (RSVP).
Destination Options header | 60 | This header carries information that only the destination node of a packet examines. Currently, this header is used in mobile IPv6.
Routing header | 43 | An IPv6 source node uses this header to specify the intermediate nodes that a packet must pass through on the way to its destination. This option is similar to the Loose Source and Record Route option in IPv4.
Fragment header | 44 | Like IPv4 packets, the length of IPv6 packets to be forwarded cannot exceed the maximum transmission unit (MTU). When the packet length exceeds the MTU, the packet needs to be fragmented. In IPv6, the Fragment header is used by an IPv6 source node to send a packet larger than the MTU.
Authentication header | 51 | IPSec uses this header to provide data origin authentication, data integrity check, and packet anti-replay functions. It also protects some fields in the IPv6 basic header.
Encapsulating Security Payload header | 50 | This header provides the same functions as the Authentication header plus IPv6 packet encryption.

Conventions for IPv6 extension headers

When a single packet uses more than one extension header, the headers must be listed in the
following order:

l IPv6 basic header


l Hop-by-Hop Options header
l Destination Options header


l Routing header
l Fragment header
l Authentication header
l Encapsulating Security Payload header
l Destination Options header
l Upper-layer header

Intermediate devices determine whether to process extension headers based on the Next
Header field value in the IPv6 basic header. The intermediate devices do not need to examine
or process all extension headers.

Each extension header can only occur once in an IPv6 packet, except for the Destination
Options header which may occur twice (once before a Routing header and once before the
upper-layer header).
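
The basic header fields and the extension header conventions above can be checked mechanically. The following Python sketch is an added example, not code from this guide or from the device: it decodes the eight basic-header fields, follows the Next Header chain using the values in Table 8-2, and reports headers that break the ordering and occurrence rules. The packets are constructed test input, and the per-header length arithmetic follows RFC 8200 and RFC 4302, which is an assumption beyond this guide.

```python
import ipaddress
import struct

# Next Header values from Table 8-2 of this guide.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
             FRAGMENT: "Fragment", ESP: "Encapsulating Security Payload",
             AUTH: "Authentication", DEST_OPTS: "Destination Options"}
# Slot of each header in the ordering list. Destination Options may sit in
# slot 1 (before Routing) or slot 6 (just before the upper-layer header).
SLOT = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AUTH: 4, ESP: 5}


def parse_basic_header(pkt):
    """Decode the fixed 40-byte IPv6 basic header into its eight fields."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte basic header")
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"version": word >> 28, "traffic_class": (word >> 20) & 0xFF,
            "flow_label": word & 0xFFFFF, "payload_length": payload_len,
            "next_header": next_header, "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}


def walk_chain(pkt):
    """Follow the Next Header chain; return (headers, upper_protocol, findings)."""
    basic = parse_basic_header(pkt)
    payload = pkt[40:40 + basic["payload_length"]]
    findings = []
    if basic["version"] != 6:
        findings.append("Version field is not 6")
    if len(payload) < basic["payload_length"]:
        findings.append("packet is shorter than Payload Length")
    chain, counts, last_slot = [], {}, -1
    nh, off = basic["next_header"], 0
    while nh in EXT_NAMES:
        slot = (1 if last_slot < 1 else 6) if nh == DEST_OPTS else SLOT[nh]
        if nh == HOP_BY_HOP and chain:
            findings.append("Hop-by-Hop Options header is not first")
        elif slot <= last_slot:
            findings.append(f"{EXT_NAMES[nh]} header is out of order")
        last_slot = max(last_slot, slot)
        counts[nh] = counts.get(nh, 0) + 1
        if counts[nh] > (2 if nh == DEST_OPTS else 1):
            findings.append(f"{EXT_NAMES[nh]} header occurs too many times")
        chain.append(EXT_NAMES[nh])
        if nh == ESP:                     # everything after ESP is encrypted
            return chain, None, findings
        if off + 8 > len(payload):
            findings.append(f"{EXT_NAMES[nh]} header is truncated")
            return chain, None, findings
        next_nh, len_field = payload[off], payload[off + 1]
        if nh == FRAGMENT:
            size = 8                      # fixed size; second byte is reserved
        elif nh == AUTH:
            size = (len_field + 2) * 4    # RFC 4302: length in 4-byte units
        else:
            size = (len_field + 1) * 8    # RFC 8200: 8-byte units after the first 8
        if size % 8 or off + size > len(payload):
            findings.append(f"{EXT_NAMES[nh]} header has an invalid length")
            return chain, None, findings
        nh, off = next_nh, off + size
    return chain, nh, findings


# --- Constructed sample packets (not captured traffic) ---
def build(first_next_header, payload, src="fc00::1", dst="fc00::2"):
    """Basic header with Hop Limit 64 followed by the given payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def options_header(next_header):
    """8-byte options header: Next Header, Len 0, one 6-byte PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # checksum left at 0
GOOD = build(HOP_BY_HOP, options_header(DEST_OPTS) + options_header(58) + ECHO_REQUEST)
MISORDERED = build(DEST_OPTS, options_header(HOP_BY_HOP) + options_header(58) + ECHO_REQUEST)
TRUNCATED = build(HOP_BY_HOP, options_header(58)[:6])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("misordered", MISORDERED), ("truncated", TRUNCATED)):
        print(name, walk_chain(pkt))
```

The walker stops at the Encapsulating Security Payload header because the remaining Next Header values are inside the encrypted part of the packet.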

8.2.3 ICMPv6
The Internet Control Message Protocol version 6 (ICMPv6) is one of the basic IPv6 protocols.

In IPv4, ICMP reports IP packet forwarding information and errors to the source node. ICMP
defines certain messages such as Destination Unreachable, Packet Too Big, Time Exceeded,
Echo Request, and Echo Reply to facilitate fault diagnosis and information management.
In addition to the existing ICMPv4 functions, ICMPv6 provides mechanisms such as
Neighbor Discovery (ND), stateless address configuration (including duplicate address
detection), and Path Maximum Transmission Unit (PMTU) discovery.

The protocol number of ICMPv6 (that is, the value of the Next Header field in an IPv6
packet) is 58. Figure 8-9 shows the ICMPv6 packet format.

Figure 8-9 Format of an ICMPv6 packet

IPv6 basic header (Next header = 58) | ICMPv6 packet

ICMPv6 packet:
Type | Code | Checksum
ICMPv6 Data

Some fields in the packet are described as follows:


l Type: specifies a message type. Values 0 to 127 indicate the error message type, and
values 128 to 255 indicate the informational message type.
l Code: indicates a specific message type.
l Checksum: indicates the checksum of an ICMPv6 packet.

Classification of ICMPv6 Error Messages


ICMPv6 error messages are generated when errors occur during IPv6 packet forwarding.
They are classified into the following four types:
l Destination Unreachable message
During IPv6 packet forwarding, if an IPv6 node detects that the destination address of a
packet is unreachable, it sends an ICMPv6 Destination Unreachable message to the
source node carrying information about the causes for the error message.
In an ICMPv6 Destination Unreachable message, the value of the Type field is 1.
Depending on the cause, the value of the Code field can be:
– 0: No route to the destination device.
– 1: Communication with the destination device is administratively prohibited.
– 2: Not assigned.
– 3: Destination IP address is unreachable.
– 4: Destination port is unreachable.
l Packet Too Big message
If an IPv6 node, during IPv6 packet forwarding, detects that the size of a packet exceeds
the link MTU of the outbound interface, it sends an ICMPv6 Packet Too Big message to
the source node. The link MTU of the outbound interface is carried in the message.
PMTU discovery is implemented based on Packet Too Big messages.
In a Packet Too Big message, the Type field value is 2 and the Code field value is 0.
l Time Exceeded message
During the transmission of IPv6 packets, when a device receives a packet with a hop
limit of 0 or a device reduces the hop limit to 0, it sends an ICMPv6 Time Exceeded
message to the source node. During the processing of a packet to be fragmented and
reassembled, an ICMPv6 Time Exceeded message is also generated when the reassembly
time is longer than the specified period.
In a Time Exceeded message, the Type field value is 3. Depending on the cause, the
Code field value can be:
– 0: Hop limit exceeded in packet transmission.
– 1: Fragment reassembly timeout.
l Parameter Problem message
When a destination node receives an IPv6 packet, it checks the validity of the packet. If
it detects an error, it sends an ICMPv6 Parameter Problem message to the source node.
In a Parameter Problem message, the Type field value is 4. Depending on the cause, the
Code field value can be:
– 0: A field in the IPv6 basic header or extension header is incorrect.
– 1: The Next Header field in the IPv6 basic header or extension header cannot be
identified.
– 2: Unknown options exist in the extension header.


Classification of ICMPv6 Information Messages


ICMPv6 information messages provide diagnosis and additional host functions such as
Multicast Listener Discovery (MLD) and Neighbor Discovery (ND). Common ICMPv6
information messages include Ping messages, which consist of Echo Request and Echo Reply
messages.
l Echo Request messages: Echo Request messages are sent to destination nodes. After
receiving an Echo Request message, the destination node responds with an Echo Reply
message. In an Echo Request message, the Type field value is 128 and the Code field
value is 0.
l Echo Reply messages: After receiving an Echo Request message, the destination node
responds with an Echo Reply message. In an Echo Reply message, the Type field value
is 129 and the Code field value is 0.

8.2.4 Neighbor Discovery


The Neighbor Discovery Protocol (NDP) is an enhancement of Address Resolution Protocol
(ARP) and Internet Control Message Protocol (ICMP) router discovery in IPv4. In
addition to ICMPv6 address resolution, NDP also provides neighbor tracking, duplicate
address detection, router discovery, and redirection functions.

Address Resolution
In IPv4, a host needs to obtain the link-layer address of the destination host through the ARP
protocol for communication. Similar to IPv4, the IPv6 NDP protocol resolves the IP address to
obtain the link-layer address.
ARP packets are encapsulated in Ethernet packets. The Ethernet type value is 0x0806. ARP is
defined as a protocol that runs between Layer 2 and Layer 3. ND is implemented through
ICMPv6 packets. The Ethernet type value is 0x86dd. The Next Header value in the IPv6
header is 58, indicating that the packets are ICMPv6 packets. NDP packets are encapsulated
in ICMPv6 packets. NDP is a Layer 3 protocol. Layer 3 address resolution has the following
advantages:
l Layer 3 address resolution enables Layer 2 devices to use the same address resolution
protocol.
l Layer 3 security mechanisms are used to prevent address resolution attacks.
l Request packets can be sent in multicast mode, reducing load on Layer 2 networks.
During address resolution, Neighbor Solicitation (NS) packets and Neighbor Advertisement
(NA) packets are used.
l In NS packets, the Type field value is 135 and the Code field value is 0. NS packets are
similar to IPv4 ARP Request packets.
l In NA packets, the Type field value is 136 and the Code field value is 0. NA packets are
similar to IPv4 ARP Reply packets.
Figure 8-10 shows the process of address resolution.


Figure 8-10 IPv6 address resolution

Host A to Host B: NS (ICMP Type = 135)
Src = IPv6-Addr of A
Dst = solicited-node multicast of B
Data = link-layer address of A
Query = What is your link address?

Host B to Host A: NA (ICMP Type = 136)
Src = IPv6-Addr of B
Dst = IPv6-Addr of A
Data = link-layer address of B

A and B can now exchange packets on this link

Host A needs to resolve the link-layer address of Host B before sending packets to Host B.
Host A sends an NS message with its IPv6 address as the source address and the solicited-node
multicast address of Host B as the destination address. The Options field in the NS message
carries the link-layer address of Host A.
After receiving the NS message, Host B replies with an NA message. In the NA message,
the source address is the IPv6 address of Host B, and the destination address is the
IPv6 address of Host A (the NA message is sent to Host A in unicast mode using the
link-layer address of Host A). The Options field carries the link-layer address of Host B.
This is the whole address resolution process.

Neighbor Tracking
A neighbor state can transit from one to another. Hardware faults and hot swapping of
interface cards interrupt communication with neighboring devices. Communication cannot be
restored if the destination of a neighboring device becomes invalid, but it can be restored if
the path fails. Nodes need to maintain a neighbor table to monitor the state of each
neighboring device.
RFC defines five neighbor states: Incomplete, Reachable, Stale, Delay, and Probe.
Figure 8-11 shows the transition of neighbor states. The Empty state indicates that the
neighbor table is empty.


Figure 8-11 Neighbor state transition

(States shown in the figure: Empty, Incomplete, Reachable, Stale, Delay, Probe)

The following example describes changes in neighbor state of node A during its first
communication with node B.

1. Node A sends an NS message and generates a cache entry. The neighbor state of node A
is Incomplete.
2. If node B replies with an NA message, the neighbor state of node A changes from
Incomplete to Reachable. Otherwise, the neighbor state changes from Incomplete to
Empty after a certain period of time, and node A deletes this entry.
3. After the neighbor reachable time times out, the neighbor state changes from Reachable
to Stale, indicating that the neighbor reachable state is unknown.
4. If node A in the Reachable state receives a non-NA Request message from node B, and
the link-layer address of node B carried in the message is different from that learned by
node A, the neighbor state of node A changes to Stale.
5. Node A sends data to node B. The state of node A changes from Stale to Delay. Node A
then sends an NS Request message.
6. After a period of time, the neighbor state changes from Delay to Probe. During this time,
if node A receives an NA Reply message, the neighbor state of node A changes to
Reachable.
7. Node A in the Probe state sends several unicast NS messages at the configured interval.
If node A receives a Reply message, the neighbor state of node A changes from Probe to
Reachable. Otherwise, the state changes to Empty and node A deletes the entry.
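
The seven steps above form a small state machine. The following Python sketch is an added example, not code from this guide or from the device: it encodes the transitions of steps 1 to 7 and replays a first contact between node A and node B. The event names, the `NeighborCache` class, the addresses and the MAC values are hypothetical, and storing the new link-layer address in step 4 follows RFC 4861 rather than this guide. The cache also records every link-layer address change so that it can be reviewed.

```python
# Transitions taken from steps 1 to 7: (state, event) -> next state.
TRANSITIONS = {
    ("Empty", "send_ns"): "Incomplete",             # step 1
    ("Incomplete", "recv_na"): "Reachable",         # step 2
    ("Incomplete", "timeout"): "Empty",             # step 2, no NA arrived
    ("Reachable", "reachable_timeout"): "Stale",    # step 3
    ("Reachable", "lladdr_changed"): "Stale",       # step 4
    ("Stale", "send_data"): "Delay",                # step 5
    ("Delay", "recv_na"): "Reachable",              # step 6
    ("Delay", "timeout"): "Probe",                  # step 6
    ("Probe", "recv_na"): "Reachable",              # step 7
    ("Probe", "timeout"): "Empty",                  # step 7, probes unanswered
}


class NeighborCache:
    """Neighbor table of one node, keyed by the neighbor's IPv6 address."""

    def __init__(self):
        self.entries = {}    # ip -> {"state": str, "lladdr": str or None}
        self.changes = []    # (ip, old link-layer address, new link-layer address)

    def event(self, ip, name, lladdr=None):
        """Apply one event for neighbor `ip` and return the resulting state."""
        entry = self.entries.get(ip)
        current = entry["state"] if entry else "Empty"
        if name == "recv_other":     # non-NA message that carries an address
            if not entry or entry["lladdr"] in (None, lladdr):
                return current       # nothing learned yet, or nothing changed
            self.changes.append((ip, entry["lladdr"], lladdr))
            entry["lladdr"] = lladdr
            name = "lladdr_changed"
        nxt = TRANSITIONS.get((current, name))
        if nxt is None:              # the event has no effect in this state
            return current
        if nxt == "Empty":           # the entry is deleted
            del self.entries[ip]
            return nxt
        if entry is None:
            entry = self.entries[ip] = {"state": nxt, "lladdr": None}
        entry["state"] = nxt
        if lladdr is not None:
            entry["lladdr"] = lladdr
        return nxt


def replay(cache, ip, events):
    """Feed (event, lladdr) pairs to the cache; return the state after each one."""
    return [cache.event(ip, name, lladdr) for name, lladdr in events]


# Constructed sample: node A's view of node B (addresses are made up).
NODE_B = "fc00::2"
MAC_B, MAC_OTHER = "00:11:22:33:44:55", "00:11:22:33:44:66"
FIRST_CONTACT = [
    ("send_ns", None), ("recv_na", MAC_B), ("reachable_timeout", None),
    ("send_data", None), ("timeout", None), ("recv_na", MAC_B),
    ("recv_other", MAC_OTHER), ("send_data", None), ("timeout", None),
    ("timeout", None),
]

if __name__ == "__main__":
    cache = NeighborCache()
    for (name, _), state in zip(FIRST_CONTACT, replay(cache, NODE_B, FIRST_CONTACT)):
        print(f"{name:18} -> {state}")
    print("link-layer address changes:", cache.changes)
```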

Duplicate Address Detection


Before an IPv6 unicast address is assigned to an interface, duplicate address detection (DAD)
is performed to check whether another node uses the address. DAD is required if IP addresses
are configured automatically. An IPv6 unicast address assigned to an interface but not verified
by DAD is called a tentative address. An interface cannot use the tentative address for unicast
communication but will join two multicast groups: ALL-nodes multicast group and Solicited-
node multicast group.

IPv6 DAD is similar to IPv4 gratuitous ARP. A node sends an NS message whose requested
address is the tentative address to the Solicited-node multicast group of that address. If
the node receives an NA Reply message, another node is using the tentative address for
communication. This node will not use this tentative address for communication.

Figure 8-12 shows an example of DAD.


Figure 8-12 DAD example


Host A (tentative address: FC00::1), Host B (FC00::1)

NS from Host A (ICMP Type = 135)
Src = ::
Dst = FF02::1:FF00:1
Data = FC00::1
Query = Anyone has this address?

NA from Host B (ICMP Type = 136)
Src = FC00::1
Dst = FF02::1
Data = FC00::1
Answer = I have this address.

The IPv6 address FC00::1 is assigned to Host A as a tentative IPv6 address. To check the
validity of this address, Host A sends an NS message containing the requested address
FC00::1 to the Solicited-node multicast group to which FC00::1 belongs. Because FC00::1 is
still tentative, the source address of the NS message is the unspecified address (::). After
receiving the NS message, Host B processes the message in one of the following ways:

l If FC00::1 is a tentative address of Host B, Host B will not use this address as an
interface address and will not send an NA message.
l If FC00::1 is in use on Host B, Host B sends an NA message to FF02::1 carrying IP
address FC00::1. In this way, Host A can find and mark the duplicate tentative address
after receiving the message so it will not take effect.
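
The solicited-node multicast address rule, the ICMPv6 Type ranges and the DAD exchange of Figure 8-12 can be tied together in code. The following Python sketch is an added example, not code from this guide or from the device: it derives the solicited-node address, verifies the ICMPv6 checksum, and decodes NS and NA messages into the roles described above. The two messages and the MAC address are constructed test input; the NS/NA body layout, the option format and the checksum pseudo-header follow RFC 4861 and RFC 4443, which is an assumption beyond this guide.

```python
import ipaddress
import struct

ICMPV6 = 58    # Next Header value of ICMPv6
NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
         4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
         133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node(addr):
    """Prefix FF02::1:FF00:0/104 plus the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def icmpv6_checksum(src, dst, msg):
    """Internet checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(msg), ICMPV6) + msg
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def link_layer_options(options):
    """Return {option type: MAC} for types 1 (source) and 2 (target)."""
    found, off = {}, 0
    while off + 2 <= len(options):
        opt_type, units = options[off], options[off + 1]    # length in 8-byte units
        if units == 0 or off + units * 8 > len(options):
            raise ValueError("malformed ND option")          # length 0 would never advance
        if opt_type in (1, 2) and units == 1:
            found[opt_type] = options[off + 2:off + 8].hex(":")
        off += units * 8
    return found


def decode(src, dst, msg):
    """Classify one ICMPv6 message carried from src to dst."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if len(msg) < 4:
        raise ValueError("ICMPv6 message shorter than Type/Code/Checksum")
    mtype, code = msg[0], msg[1]
    info = {"name": NAMES.get(mtype, "other"), "code": code,
            "class": "error" if mtype <= 127 else "informational",
            "checksum_ok": icmpv6_checksum(src, dst, msg) == 0, "role": None}
    if mtype in (135, 136):
        if len(msg) < 24:
            raise ValueError("NS/NA without a target address")
        target = ipaddress.IPv6Address(msg[8:24])
        info["target"] = target
        info["link_layer"] = link_layer_options(msg[24:])
        if mtype == 135 and dst == solicited_node(target):
            info["role"] = ("duplicate address detection" if src == UNSPECIFIED
                            else "address resolution")
        elif mtype == 136:
            info["role"] = "answer to all nodes" if dst == ALL_NODES else "unicast reply"
    return info


def sample(src, dst, mtype, body):
    """Constructed test input: ICMPv6 message with Code 0 and a valid checksum."""
    msg = bytes([mtype, 0, 0, 0]) + body
    csum = icmpv6_checksum(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


TENTATIVE = ipaddress.IPv6Address("fc00::1")    # address used in Figure 8-12
# NS body: 4 reserved bytes + target. NA body: 4 flag bytes (Override set) +
# target + target link-layer address option with a made-up MAC.
DAD_NS = sample("::", solicited_node(TENTATIVE), 135, bytes(4) + TENTATIVE.packed)
DAD_NA = sample("fc00::1", "ff02::1", 136, bytes([0x20, 0, 0, 0]) + TENTATIVE.packed
                + bytes([2, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55]))

if __name__ == "__main__":
    print(solicited_node(TENTATIVE))
    print(decode("::", solicited_node(TENTATIVE), DAD_NS))
    print(decode("fc00::1", "ff02::1", DAD_NA))
```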

Router Discovery
Router discovery is used to locate neighboring devices and learn their address prefixes and
configuration parameters for address autoconfiguration.

IPv6 supports stateless address autoconfiguration. Hosts obtain IPv6 prefixes and
automatically generate interface IDs. Router Discovery is the basis of IPv6 address
autoconfiguration and is implemented through the following two types of packets:

l Router Advertisement (RA) message: Each router periodically sends multicast RA
messages carrying network prefixes and identifiers on the network to declare its
existence to Layer 2 hosts and devices. An RA message has a Type field value of 134.
l Router Solicitation (RS) message: After being connected to the network, a host
immediately sends an RS message to obtain network prefixes. Devices on the network
reply with RA messages. An RS message has a Type field value of 133.

Figure 8-13 shows the router discovery function.


Figure 8-13 Router discovery example

RS (ICMP Type = 133)
Src = self interface address
Dst = all-router multicast address (FF02::2)

RA (ICMP Type = 134)
Src = router link-local address
Dst = all-nodes multicast address (FF02::1)
Data = Router lifetime, Cur hop limit, Autoconfig flag, options (prefix, MTU)…

Address Autoconfiguration

IPv4 uses DHCP to automatically configure IP addresses and default gateways. This
simplifies network management. The length of an IPv6 address is increased to 128 bits.
Multiple terminal nodes require the function of automatic configuration. IPv6 allows both
stateful and stateless address autoconfiguration. Stateless autoconfiguration enables hosts to
automatically generate link-local addresses. Hosts automatically configure global unicast
addresses and obtain other information based on prefixes in the RA message.

The process of IPv6 stateless autoconfiguration is as follows:

1. A host automatically configures the link-local address based on the interface ID.
2. The host sends an NS message for duplicate address detection.
3. If address conflict occurs, the host stops address autoconfiguration. Then addresses need
to be configured manually.
4. If addresses do not conflict, the link-local address takes effect. The host then connects to
the network and communicates with the local node.
5. The host either sends an RS message or receives the RA messages that devices periodically send.
6. The host obtains the IPv6 address based on the prefixes carried in the RA message and
the interface ID.
Default Router Priority and Route Information Discovery

If there are multiple devices on the network where hosts reside, hosts need to select
forwarding devices based on the destination address of the packet. In such a case, devices
advertise default router priorities and route information, which allows hosts to select the
optimal forwarding device based on the packet destination address.

The fields of default router priority and route information are defined in an RA message.
These two fields enable hosts to select the optimal forwarding device.

After receiving an RA message containing route information, hosts update their routing
tables. When sending packets to other devices, hosts check the routing table and select the
optimal route.

When receiving an RA message carrying default router priorities, hosts update their default
router lists. When sending packets to other devices, hosts select the device with the highest
priority to forward packets from the router list. If the selected router does not work, hosts
select the subsequent device in descending order of priority.

Redirection
When a better gateway device is available, the current gateway device sends a Redirection
message to notify the sender that another gateway device can send packets. Redirection
messages are contained within ICMPv6 messages and have a Type field value of 137. They
carry a better next hop address and destination address for packets that need to be redirected.
Figure 8-14 shows an example of packet redirection.

Figure 8-14 Packet redirection example

Devices shown: Host B, Router B, Host A, Router A

IPv6 packet

Neighbor redirect packet definitions:
ICMPv6 Type = 137
Src = link-local address of Router A
Dst = link-local address of Host
Data = target address (link-local address of Router B), options (header of redirected packet)

Note: If the target is a host, the target address is equal to the destination
address of the redirect packet and the options include the link-layer
address of the target host (if known).

Subsequent IPv6 packets

Host A needs to communicate with Host B. By default, Router A sends packets from Host A
to Host B. After receiving packets from Host A, Router A discovers that sending packets
directly to Router B is more efficient. Router A sends a Redirection message carrying the
destination address of Host B to Host A to notify Host A that Router B is a better next hop
address. After receiving the Redirection message, Host A adds a host route to the default
routing table. Packets sent to Host B will be sent directly to Router B.
A device sends a Redirection message in the following situations:
l The destination address of the packet is not a multicast address.
l Packets are not forwarded to the device through routing.
l After route calculation, the outbound interface of the next hop is the interface that
receives the packets.


l The device discovers that a better next hop IP address of the packet is on the same
network segment as the source IP address of the packet.
l After checking the source address of the packet, the device discovers a neighboring
device in the neighbor entries using this address as the global unicast address or the link-
local unicast address.

8.2.5 Path MTU


In IPv4, oversized packets are fragmented. When the transit device receives a packet
exceeding the maximum transmission unit (MTU) size of its outbound interface from a source
node, the transit device fragments the packet before forwarding it to the destination node. In
IPv6, however, the source node fragments the packets to reduce pressure on the transit device.
When an interface on the transit device receives a packet whose size exceeds the MTU, the
transit device discards the packet and sends an ICMPv6 Packet Too Big message to the source
node. The ICMPv6 Packet Too Big message contains the MTU value of the outbound
interface. The source node fragments the packet based on the MTU and resends the packet,
increasing traffic overhead. The Path MTU Discovery (PMTUD) protocol dynamically
discovers the MTU value of each link on the transmission path, reducing excessive traffic
overhead.

The PMTU protocol is implemented through ICMPv6 Packet Too Big messages. A source
node first uses the MTU of its outbound interface as the PMTU and sends a probe packet. If a
smaller PMTU exists on the transmission path, the transit device sends a Packet Too Big
message to the source node. The Packet Too Big message contains the MTU value of the
outbound interface on the transit device. After receiving this message, the source node
changes the PMTU value to the received MTU value and sends packets based on the new
MTU. This process repeats until packets are sent to the destination address. The source node
obtains the PMTU of the destination address.

Figure 8-15 shows an example of PMTU discovery.

Figure 8-15 PMTU discovery

Links on the path: MTU=1500, MTU=1500, MTU=1400, MTU=1300

Packet with MTU=1500
ICMP error: packet too big, use MTU 1400
Packet with MTU=1400
ICMP error: packet too big, use MTU 1300
Packet with MTU=1300
Packet received
Path MTU=1300


Packets are transmitted through four links with MTU values of 1500, 1500, 1400, and 1300
bytes. Before sending a packet, the source node fragments the packet based on a PMTU of
1500. When the packet is sent to the outbound interface with MTU 1400, the device returns a
Packet Too Big message carrying MTU 1400. The source node then fragments the packet
based on MTU 1400 and sends the fragmented packet again. The process repeats: when the
packet based on MTU 1400 is sent to the outbound interface with MTU 1300, the device
returns another Packet Too Big message that carries MTU 1300. The source node receives the
message and fragments the packet based on MTU 1300. In this way, the source node sends the
packet to the destination address and discovers the PMTU of the transmission path.

NOTE

IPv6 allows a minimum MTU of 1280 bytes. Therefore, the PMTU must be greater than 1280 bytes.
PMTU of 1500 bytes is recommended.
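
The exchange of Figure 8-15 can be replayed in code. The following Python sketch is an added example, not code from this guide or from the device: transit devices answer with an ICMPv6 Packet Too Big message (Type 2, Code 0, MTU), and the source node lowers its PMTU estimate until the packet is delivered. The class and function names are hypothetical and the messages are constructed; ignoring a reported MTU below 1280 bytes and never raising the estimate on a Packet Too Big message follow RFC 8201, which is an assumption beyond this guide.

```python
import struct

IPV6_MIN_MTU = 1280    # minimum MTU stated in the NOTE above


def packet_too_big(mtu):
    """Constructed ICMPv6 Packet Too Big: Type 2, Code 0, checksum left at 0, MTU."""
    return struct.pack("!BBHI", 2, 0, 0, mtu)


def forward(link_mtus, size):
    """Transit devices: return None if the packet is delivered, else the Packet
    Too Big message from the first device whose outbound link is too small."""
    for mtu in link_mtus:
        if size > mtu:
            return packet_too_big(mtu)
    return None


class PathMtu:
    """PMTU estimate kept by the source node for one destination."""

    def __init__(self, first_hop_mtu):
        self.value = first_hop_mtu    # start with the outbound interface MTU

    def update(self, msg):
        """Apply a Packet Too Big message; return True if the estimate changed."""
        if len(msg) < 8:
            return False
        mtype, code, _, mtu = struct.unpack("!BBHI", msg[:8])
        if (mtype, code) != (2, 0):
            return False
        if mtu < IPV6_MIN_MTU or mtu >= self.value:
            return False    # never go below 1280 and never raise the estimate
        self.value = mtu
        return True


def discover(link_mtus):
    """Repeat the exchange of Figure 8-15; return (pmtu, trace)."""
    pmtu = PathMtu(link_mtus[0])
    trace = []
    while True:
        reply = forward(link_mtus, pmtu.value)
        if reply is None:
            trace.append((pmtu.value, "delivered"))
            return pmtu.value, trace
        reported = struct.unpack("!I", reply[4:8])[0]
        trace.append((pmtu.value, f"packet too big, use MTU {reported}"))
        if not pmtu.update(reply):
            raise ValueError(f"unusable MTU {reported} reported on the path")


if __name__ == "__main__":
    pmtu, trace = discover([1500, 1500, 1400, 1300])
    for size, outcome in trace:
        print(f"packet of {size} bytes: {outcome}")
    print("Path MTU =", pmtu)
```

A Packet Too Big message that reports a value such as 576 leaves the estimate unchanged, so a bogus message cannot push the source node below the IPv6 minimum.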

8.3 Configuration Notes

Involved Network Elements


None

License Support
IPv6 functions are basic functions of routers and can be obtained without licenses.

Feature Dependencies and Limitations


l Among the AR510 series routers, AR502G-L-D-H and AR502GR-L-D-H do not support
the IPv6 function.
l The AR510 series routers do not support the IPv6 function.

8.4 Default Configuration


Default configuration

Parameter                                  Default Configuration
IPv6 packet forwarding                     Disabled
Maximum interval for sending RA packets    600s
Minimum interval for sending RA packets    200s
Neighbor reachable time                    30000 ms


8.5 Configuring IPv6 Addresses for Interfaces


Pre-configuration Tasks
Before configuring IPv6 addresses for interfaces, configure link layer protocol parameters for
interfaces to ensure that the link layer protocol status on the interfaces is Up.

8.5.1 Configuring Global Unicast Addresses for Interfaces

Context
A global unicast address is similar to an IPv4 public address and provided for the Internet
Service Provider (ISP). A global unicast address can be generated by either of the following
methods:

l Generated in EUI-64 format: An IPv6 global unicast address in EUI-64 format contains a
manually configured prefix and an automatically generated interface identifier.
l Configured manually: You can manually configure an IPv6 global unicast address.
NOTE

l You can configure an interface with multiple global unicast addresses with different network
prefixes.
l Manually configured global unicast addresses have a higher priority than automatically generated
ones. Manually configured addresses can overwrite automatically generated ones with the same
prefix. The overwritten automatically generated addresses do not take effect even if manually
configured addresses are deleted. A device needs to generate a new global unicast address based on
the IP prefix carried in the received RA packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.

By default, IPv6 packet forwarding is disabled.

Step 3 Run:
interface interface-type interface-number

The specified interface view is displayed.

Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.

By default, the IPv6 function is disabled on an interface.


Step 5 Run either of the following commands to configure an IPv6 global unicast address for an
interface:
l Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 global unicast address is manually configured.


l Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

An IPv6 global unicast address is generated in EUI-64 format.


You can configure a maximum of 10 global unicast addresses on an interface.

----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in
any view to check IPv6 information about a specified interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information about the current interface.

8.5.2 Configuring Link-local Addresses for Interfaces

Context
Link-local addresses are used in neighbor discovery or stateless autoconfiguration. An IPv6
link-local address is generated by either of the following methods:
l Generated automatically: A device automatically generates a link-local address for an
interface based on the link-local prefix (FE80::/10) and link layer address of the
interface.
l Configured manually: You can manually configure an IPv6 link-local address for an
interface.
NOTE

l Each interface can be configured with only one link-local address. To prevent link-local address
conflict, automatically generated link-local addresses are recommended. After an interface is
configured with an IPv6 global unicast address, it automatically generates a link-local address.
l Manually configured link-local addresses have a higher priority than automatically generated ones.
Manually configured addresses can overwrite automatically generated ones, but automatically
generated addresses cannot overwrite manually configured ones. If manually configured addresses
are deleted, the automatically generated ones that were previously overwritten take effect again.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.


By default, IPv6 packet forwarding is disabled.


Step 3 Run:
interface interface-type interface-number

The specified interface view is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
Step 5 Run either of the following commands to configure a link-local address for an interface:
l Run:
ipv6 address ipv6-address link-local

A link-local address is configured for an interface.


l Run:
ipv6 address auto link-local

A link-local address is automatically generated.

----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in
any view to check IPv6 information about a specified interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information about the current interface.
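How an EUI-64 global unicast address (8.5.1) and an automatically generated link-local address (8.5.2) are built from the link layer address, as an added example that is not part of the Huawei guide. It assumes the device uses the modified EUI-64 method of RFC 4291 and handles /64 prefixes only; the MAC address is constructed, the prefix fc01::/64 is taken from the configuration example in 8.12.1, and all function names are hypothetical.

```python
"""Added example: modified EUI-64 interface identifiers (RFC 4291, Appendix A)."""
import ipaddress
import re


def _mac_bytes(mac):
    """Parse a 48-bit MAC written with any separator (aa:bb:.., aabb-ccdd-..)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    raw = _mac_bytes(mac)
    first = raw[0] ^ 0x02  # invert the universal/local bit
    iid = bytes([first]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix, mac):
    """Combine a manually configured /64 prefix with the generated identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("this example handles /64 prefixes only")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac):
    """Link-local address: FE80::/10 followed by zero bits, then the identifier."""
    return eui64_address("fe80::/64", mac)


def mac_from_address(address):
    """Recover the MAC embedded in an EUI-64 address, or None if there is none.

    Useful when auditing which interfaces expose their hardware address in
    their IPv6 address and which use manually configured identifiers.
    """
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


SAMPLE_MAC = "00e0-fc12-3456"  # constructed sample value

if __name__ == "__main__":
    print(eui64_address("fc01::/64", SAMPLE_MAC))
    print(link_local_address(SAMPLE_MAC))
    print(mac_from_address("fe80::2e0:fcff:fe12:3456"))
    print(mac_from_address("fc01::1"))
```

A manually configured address such as fc01::1 carries no embedded MAC, while every EUI-64 address on the interface reveals the same hardware address.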

8.5.3 Configuring Anycast Addresses for Interfaces


Context
IPv6 anycast addresses are allocated from the unicast address space. An anycast address
identifies a group of network interfaces, which usually belong to different nodes. When using
anycast addresses, pay attention to the following points:
l You can use anycast addresses as destination addresses only.
l Packets addressed to an anycast address are delivered to the nearest interface identified
by the anycast address, depending on the routing protocols used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled on the industrial switch router.


By default, IPv6 packet forwarding is disabled.


Step 3 Run:
interface interface-type interface-number

The specified interface view is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

An IPv6 anycast address is configured for the interface.

----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in
any view to check IPv6 information about a specified interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information about the current interface.

8.6 Configuring ICMPv6 Packet Control


Context
Configuring ICMPv6 packet control reduces network traffic and prevents malicious attacks.
Network congestion may occur when a large number of ICMPv6 error packets are sent on the
network within a short period of time. To prevent network congestion, you can limit the
maximum number of ICMPv6 error packets sent in a specified period using the token bucket
algorithm.
You can set the bucket size and interval for placing tokens into the bucket. The bucket size
indicates the maximum number of tokens that a bucket can hold. One token represents one
ICMPv6 error packet. When an ICMPv6 error packet is sent, one token is taken out of the
token bucket. When there are no tokens, ICMPv6 error packets cannot be sent until new
tokens are placed into the token bucket.
If transmission of too many ICMPv6 error packets causes network congestion or the network
is attacked by forged ICMPv6 error packets, you can disable the system from sending ICMPv6
error packets, Host Unreachable packets, and Port Unreachable packets.

Pre-configuration Tasks
Before setting the rate limit for sending ICMPv6 error packets, complete the following task:

l 8.5 Configuring IPv6 Addresses for Interfaces

Procedure
l Control ICMPv6 error messages in the system view.


a. Run:
system-view

The system view is displayed.


b. Run:
ipv6

IPv6 packet forwarding is enabled.


By default, a device is disabled from forwarding IPv6 unicast packets.
c. Run:
ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

Rate limit for sending ICMPv6 error packets is set.


By default, a token bucket can hold a maximum of 10 tokens and the interval for
placing tokens into the bucket is 100 ms.
d. Run:
ipv6 icmp too-big-rate-limit

The device is enabled to reject oversized ICMPv6 error messages.


By default, the device is disabled from rejecting oversized ICMPv6 error messages.
e. Run:
undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive

The system is disabled from receiving ICMPv6 messages.


By default, the system is enabled to receive ICMPv6 messages.
f. Run:
undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } send

The system is disabled from sending ICMPv6 messages.


By default, the system is enabled to send ICMPv6 messages.
l Control ICMPv6 messages in the interface view.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number

The specified interface view is displayed.


c. Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
d. Run:
undo ipv6 icmp port-unreachable send

The interface is disabled from sending ICMPv6 Port Unreachable messages.


By default, the function of sending ICMPv6 Port Unreachable messages configured
globally also takes effect on an interface.


e. Run:
undo ipv6 icmp hop-limit-exceeded send

The interface is disabled from sending ICMPv6 Hop Limit Exceeded messages.
By default, the function of sending ICMPv6 Hop Limit Exceeded messages
configured globally also takes effect on an interface.
----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information about a specified interface.
l Run the display icmpv6 statistics [ interface interface-type interface-number ]
command to check ICMPv6 traffic statistics.
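The token bucket described in the Context of this section, simulated with the default bucket size of 10 tokens and the default interval of 100 ms. This is an added example, not Huawei code: it assumes the bucket starts full and gains one token per elapsed interval, which the guide does not spell out, and the two workloads are constructed.

```python
"""Added example: token bucket limiting of ICMPv6 error packets."""


class IcmpErrorLimiter:
    """Token bucket in which one token pays for one ICMPv6 error packet."""

    def __init__(self, bucket_size=10, interval_ms=100):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket size and interval must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size   # assumption: the bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms):
        # Assumption: one token is added per elapsed interval, up to the cap.
        intervals = (now_ms - self.last_refill_ms) // self.interval_ms
        if intervals > 0:
            self.tokens = min(self.bucket_size, self.tokens + intervals)
            self.last_refill_ms += intervals * self.interval_ms

    def allow(self, now_ms):
        """Return True if an error packet may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(event_times_ms, bucket_size=10, interval_ms=100):
    """Return (sent, suppressed) for errors triggered at the given times."""
    limiter = IcmpErrorLimiter(bucket_size, interval_ms)
    sent = sum(1 for t in sorted(event_times_ms) if limiter.allow(t))
    return sent, len(event_times_ms) - sent


# Constructed workloads, times in milliseconds.
FLOOD = list(range(1000))                # one trigger per ms for one second
TRICKLE = [i * 500 for i in range(20)]   # one trigger every 500 ms

if __name__ == "__main__":
    print("flood, defaults:  ", simulate(FLOOD))
    print("trickle, defaults:", simulate(TRICKLE))
    print("flood, bucket 50: ", simulate(FLOOD, bucket_size=50))
```

With the defaults, the one-second flood produces 19 error packets (the initial 10 tokens plus 9 refills) and the trickle is never suppressed. A larger bucket raises only the size of the initial burst, while the interval sets the sustained rate.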

8.7 Configuring IPv6 Neighbor Discovery


Pre-configuration Tasks
The Neighbor Discovery Protocol (NDP) replaces the Address Resolution Protocol (ARP)
and ICMP Router Discovery on an IPv4 network. Additionally, IPv6 Neighbor Discovery
(ND) provides redirection and neighbor unreachability detection.
l 8.5 Configuring IPv6 Addresses for Interfaces

8.7.1 Configuring Static Neighbors


Context
To communicate with a destination host, a host needs to obtain the destination host's
link-layer address. The link-layer address of a neighbor node can be obtained using the neighbor
discovery mechanism, or by manually configuring static neighbor entries. A device identifies
a static neighbor entry based on the IPv6 address of this neighbor and number of the Layer 3
interface connected to this neighbor. To filter invalid packets, you can create static neighbor
entries, binding the destination IPv6 addresses of these packets to nonexistent MAC
addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The specified interface view is displayed.


Step 3 Run one of the following commands based on the interface type:
l Run:
ipv6 neighbor ipv6-address mac-address


Static neighbor entries are configured on common Layer 3 interfaces.


l Run:
ipv6 neighbor ipv6-address mac-address vid vlan-id interface-type interface-number

Static neighbor entries are configured on VLANIF interfaces.


l Run:
ipv6 neighbor ipv6-address mac-address vid vlan-id [ cevid cevid ]

Static neighbor entries are configured on a QinQ or Dot1q termination subinterface.


NOTE
If dynamic QinQ is enabled, static neighbor entries cannot be configured.

----End

8.7.2 Configuring Neighbor Discovery


Context
IPv6 NDP provides address resolution, neighbor unreachability detection, DAD, router/prefix
discovery, address autoconfiguration, and redirection.

NOTE

After the IPv6 function is enabled on the industrial switch router, the industrial switch router
automatically implements address resolution, DAD, and redirection. Neighbor unreachability detection,
router/prefix discovery, and address autoconfiguration need to be manually configured. You can also
configure the industrial switch router to send RA packets to enable router/prefix discovery and address
autoconfiguration, and enable the automatic detection of ND entries to check whether neighbors are
reachable.

After the automatic detection of ND entries is enabled on the industrial switch router, the
industrial switch router can send NS packets to check whether neighbors are reachable before
aging ND entries. If neighbors are reachable, the industrial switch router updates ND entries;
otherwise, the industrial switch router ages ND entries.
You can enable the industrial switch router to send RA packets. After receiving the RA
packets, network nodes perform address autoconfiguration and router/prefix discovery based
on the prefix and other configuration information contained in RA packets.
After the preceding configurations are complete, NDP functions work properly. You can also
adjust ND parameters based on service requirements.

Procedure
Step 1 Run the following commands to enable NDP functions to work properly.
1. Run:
system-view

The system view is displayed.


2. Run:
interface interface-type interface-number

The specified interface view is displayed.


3. Run:
undo ipv6 nd ra halt


The system is enabled to send RA packets.


By default, the system is disabled from sending RA packets.
NOTE

To configure neighbor discovery on a subinterface, you need to run the ipv6 nd ns multicast-enable
command to enable the subinterface to send NS multicast packets.

Step 2 (Optional) After completing the preceding steps, adjust ND parameters to meet service
requirements.
Run the following commands in the system view.
Run:
quit

Return to the system view.


l In the system view, run:
ipv6 nd hop-limit limit

The hop limit for IPv6 unicast packets initially sent by a device is set.
By default, the IPv6 unicast packets initially sent by a device can travel a maximum of
64 hops.
l In the system view, run:
ipv6 nd stale-timeout timeout-value

The aging time of ND entries in STALE state is set.


By default, the aging time of ND entries in STALE state is 1200 seconds.
Run the following commands on the interface.
Run:
interface interface-type interface-number

The specified interface view is displayed.


l Run:
ipv6 nd stale-timeout timeout-value

The aging time of ND entries in STALE state is set.


By default, the aging time of ND entries in STALE state is not set on interfaces and is
the same as the aging time set in the system view.
l Run:
ipv6 nd ns retrans-timer interval

The interval for sending NS packets is set.


By default, the interval for sending NS packets is 1000 ms.
l Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for sending RA packets is set.


By default, the maximum interval is 600s and the minimum interval is 200s.
l (Optional) Run:
ipv6 nd ra prefix default no-advertise

RA messages are configured not to carry the default prefix generated based on the
interface IPv6 address.


By default, RA messages carry the default prefix generated based on the interface IPv6
address.
l Run:
ipv6 nd ra prefix ipv6-address prefix-length valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

Prefix information in RA packets is configured.


By default, the prefix in RA packets is the network prefix of the link where the interface
sending RA packets resides.
Prefixes configured using the ipv6 nd ra prefix command take precedence over the
default prefix generated based on the interface IPv6 address. An RA packet can carry a
maximum of 10 prefixes. If exactly 10 prefixes are configured manually, the default
prefix is not used.
l Run:
ipv6 nd autoconfig managed-address-flag

The managed address configuration flag (M flag) for stateful autoconfiguration in RA
packets is set.
By default, the M flag in an RA packet is not set.
l Run:
ipv6 nd autoconfig other-flag

The other configuration flag (O flag) for stateful autoconfiguration in RA packets is set.
By default, the O flag in an RA packet is not set.
l Run:
ipv6 nd nud reachable-time value

The IPv6 neighbor reachable time is set.


By default, the IPv6 neighbor reachable time is 1200000 ms.
l Run:
ipv6 nd ra router-lifetime ra-lifetime

The time to live (TTL) is set for RA packets.


By default, the TTL of RA packets is 1800s.
l Run:
ipv6 nd ra preference { high | medium | low }

The priority of the default router in RA packets is set.


l Run:
ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime [ preference { high | medium | low } ]

Route option information in RA packets is set.


l Run:
ipv6 nd dad attempts value

The number of times NS packets are sent when the system performs DAD is set.
By default, the number of times NS packets are sent when the system performs DAD is
1.

----End


8.7.3 Checking the Configuration

Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information about a specified interface.
l Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type
interface-number | vpn-instance vpn-instance-name ] command to check information about
neighbor entries.

8.8 Configuring PMTU


When the device functions as the source node and sends IPv6 packets to the destination node,
the device fragments packets based on the PMTU. Intermediate devices then do not need to
fragment packets, which reduces their load, makes effective use of network resources, and
maximizes throughput.

Pre-configuration Tasks
l 8.5 Configuring IPv6 Addresses for Interfaces

8.8.1 Configuring Static PMTU

Context
Generally, PMTU is dynamically negotiated according to the IPv6 MTU value of an interface.
In special situations, to protect devices on the network and avoid attacks from large-sized
packets, you can manually configure the PMTU to a specified destination node to control the
maximum length of packets forwarded from the device to the destination node.

NOTE

When the PMTU from the device to a specified destination node is set, the IPv6 MTU values for interfaces on
all intermediate devices cannot be smaller than the configured PMTU value. Otherwise, packets are
discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Configure the IPv6 MTU for an interface.
1. Run:
interface interface-type interface-number

The specified interface view is displayed.


2. Run:
ipv6 mtu mtu

The MTU of IPv6 packets on an interface is set.


By default, the MTU of IPv6 packets on an interface is 1500 bytes.


NOTE

– For the AR503GW-LM7, AR503GW-LcM7, AR509GW-L-D-H, and AR509G-L-D-H, the default
value on the tunnel interface of the IPv6 over IPv4 tunnel is 1480 bytes.
– After the MTU value is changed, run the shutdown and undo shutdown commands or the restart
(interface view) command to restart the interface and allow the changes to take effect.
3. Run:
quit

Return to the system view.


Step 3 Run:
ipv6 pathmtu ipv6-address [ vpn-instance vpn-instance-name ] [ path-mtu ]

The PMTU for a specified IPv6 address is set.


By default, the PMTU is not set.
If the parameter path-mtu is not specified, the PMTU for a specified IPv6 address is 1500
bytes.

----End

8.8.2 Setting the Aging Time of Dynamic PMTU

Context
When the device functions as a source node and sends packets to a destination node, the
device dynamically negotiates the PMTU with the destination node according to the IPv6
MTU values of interfaces and fragments packets based on the PMTU. After the PMTU ages
out, the dynamic PMTU is deleted. The source node dynamically renegotiates the PMTU with
the destination node.

NOTE

When both static and dynamic PMTUs are configured, only static PMTU takes effect. Static PMTU
entries never age.
The interface MTU, IPv6 interface MTU, and PMTU are valid only for packets generated on the device,
not for packets forwarded by the host.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Configure the IPv6 MTU for an interface.
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
ipv6 mtu mtu

The MTU of IPv6 packets on an interface is set.


By default, the MTU of IPv6 packets on an interface is 1500 bytes.


The dynamic PMTU is negotiated based on the IPv6 MTU on an interface.


NOTE

– For AR503GW-LM7, AR503GW-LcM7, AR509GW-L-D-H, and AR509G-L-D-H, the default
value on the tunnel interface of the IPv6 over IPv4 tunnel is 1480 bytes.
– After the MTU value is changed, run the shutdown and undo shutdown commands or the restart
(interface view) command to restart the interface and allow the changes to take effect.
3. Run:
quit

The system view is displayed.


Step 3 Run:
ipv6 pathmtu age age-time

The aging time is set for dynamic PMTU entries.


By default, the aging time of dynamic PMTU entries is 10 minutes.

----End

8.8.3 Checking the Configuration


Procedure
l Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ]{ ipv6-address | all |
dynamic | static } command to check all PMTU entries.
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information about a specified interface.

8.9 Configuring TCP6


Pre-configuration Tasks
Before configuring TCP6, configure link layer protocol parameters for interfaces to ensure
that the link layer protocol status on the interfaces is Up.

8.9.1 Setting TCP6 Timers


Context
The following TCP6 timers need to be set:
l SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer starts. If no response
packet is received after the SYN-Wait timer expires, the TCP6 connection is terminated.
l FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer starts. If no response packet is received after the FIN-
Wait timer expires, the TCP6 connection is terminated.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
tcp ipv6 timer syn-timeout interval

The SYN-Wait timer is set for TCP6 connections.

By default, the SYN-Wait timer is set to 75s.

Step 3 Run:
tcp ipv6 timer fin-timeout interval

The FIN-Wait timer is set for TCP6 connections.

By default, the FIN-Wait timer is set to 600s.

----End

8.9.2 Setting the TCP6 Sliding Window Size

Context
You can set a TCP6 sliding window size to improve network performance. The sliding
window size indicates the receive or send buffer size of a TCP6 socket.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tcp ipv6 window window-size

The receive or send buffer size of a TCP6 socket is set.

By default, the receive or send buffer size of a TCP6 socket is 8 KB. The receive or send
buffer size of a TCP6 socket ranges from 1 KB to 32 KB.

----End

8.9.3 Setting the MSS Value for a TCP6 Connection

Context
Setting a minimum Maximum Segment Size (MSS) value for a TCP6 connection defines the
smallest TCP6 packet size, preventing Denial of Service (DoS) attacks caused by packets with
small MSS values.

Setting a maximum MSS value for a TCP6 connection defines the largest TCP6 packet size,
allowing TCP6 packets to be successfully forwarded by intermediate devices when no Path
MTU is available.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
tcp ipv6 min-mss mss-value

The minimum MSS value is set for a TCP6 connection.

By default, the minimum MSS value for a TCP6 connection is 216 bytes.

Step 3 Run:
tcp ipv6 max-mss mss-value

The maximum MSS value is set for a TCP6 connection.

By default, the maximum MSS value is not configured for TCP6 connections.

NOTE

The maximum MSS value configured using the tcp ipv6 max-mss command must be greater than the
minimum MSS value configured using the tcp ipv6 min-mss command.

----End

8.9.4 Checking the Configuration

Procedure
l Run the display tcp ipv6 status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
ipv6-address ] [ local-port local-port-number ] [ remote-ip ipv6-address ] [ remote-
port remote-port-number ] ] command to check the status of all IPv6 TCP connections.
l Run the display tcp ipv6 statistics command to check TCP6 traffic statistics.
l Run the display ipv6 [ ha ] socket [ socketype socket-type | task-id task-id socket-id
socket-id ] command to check information about a specified socket.

----End

8.10 Configuring the Enhanced Forwarding Function for IPv6 Control Packets Generated by the Device

Context
QoS policies take effect only for data packets. In certain cases, IPv6 control packets need to
be managed. For example, bandwidth limitation is required for the IPv6 control packets
generated by Telnet applications. The enhanced forwarding function can meet the
requirement. You can configure this function to apply QoS policies to the IPv6 control
packets generated by the device. Currently, the enhanced forwarding function is valid only for
the IPv6 control packets generated by the device.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipv6 soft-forward enhance enable

The enhanced forwarding function for IPv6 control packets generated by the device is
enabled.

By default, the enhanced forwarding function is enabled for IPv6 control packets generated by
the device.

Step 3 (Optional) Set the priority for IPv6 control packets.


l Set the 802.1p priority.
Run:
set priority dot1p priority-value

The 802.1p priority is set for the control packets.


l Set the DSCP priority.
– Run:
set priority protocol-type-ipv6 protocol-type dscp dscp-value

The DSCP priority of IPv6 control packets generated by the device is configured
based on the protocol type.
– Run:
set priority acl6 acl6-number dscp dscp-value

The DSCP priority of IPv6 control packets generated by the device is configured
based on the ACL rule.
You can configure the DSCP priority of BGP4+, IPv6 DNS, ICMPv6, IPv6 SNMP, IPv6
SSH, IPv6 Telnet and IPv6 UDP control packets based on the protocol type. To
configure the DSCP priority of other types of control packets, configure advanced ACL6
rules based on the protocol type (see Configuring an Advanced ACL6), and configure
the DSCP priority of control packets based on the ACL rule.
NOTE

If you specify the DSCP priority of IPv6 control packets based on both the protocol type and ACL rule,
the protocol type configuration takes effect preferentially.

Step 4 (Optional) Run one or more of the following commands to configure packets to support QoS
policies:
l Run:
undo control-packet-ipv6 { bgp4plus | icmpv6 | dns6 | snmp | ssh | telnet |
udp } * output car bypass or undo control-packet-ipv6 all output car bypass

IPv6 control packets generated by the device are configured to support the traffic
policing function.
By default, IPv6 control packets generated by the device do not support the traffic
policing function.
l Run:


undo control-packet-ipv6 { bgp4plus | icmpv6 | dns6 | snmp | ssh | telnet |
udp } * output queue bypass or undo control-packet-ipv6 all output queue
bypass

IPv6 control packets generated by the device are configured to support QoS queue
functions (such as traffic shaping, congestion management, and congestion avoidance).
By default, IPv6 control packets generated by the device do not support QoS queue
functions.
l Run:
undo control-packet-ipv6 { bgp4plus | icmpv6 | dns6 | snmp | ssh | telnet |
udp } * output filter bypass or undo control-packet-ipv6 all output filter
bypass

The device is configured to discard generated IPv6 control packets when the traffic
policy and ACL-based simplified traffic policy contain the deny action.
By default, the device does not discard generated IPv6 control packets when the traffic
policy and ACL-based simplified traffic policy contain the deny action.
After this step is performed, the device discards IPv6 control packets.

----End

Follow-up Procedures
Configuring the enhanced forwarding function for IPv6 control packets only allows QoS
policies to take effect for these packets. To implement differentiated services for
control packets, configure QoS policies. For details, see Huawei AR Series IOT Gateway
Configuration Guide - QoS.

8.11 Maintaining IPv6


8.11.1 Clearing IPv6 Statistics

Context

IPv6 statistics cannot be restored after being cleared. Therefore, exercise caution before
clearing IPv6 statistics.

Procedure
l Run the reset ipv6 statistics command in the user view to clear IPv6 traffic statistics.
l Run the reset tcp ipv6 statistics command in the user view to clear TCP6 statistics.
l Run the reset udp ipv6 statistics command in the user view to clear UDP6 statistics.
l Run the reset ipv6 pathmtu [ vpn-instance vpn-instance-name ] { all | dynamic |
static } command in the user view to clear PMTU entries.


l Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type
interface-number ] | interface-type interface-number [ dynamic | static ] } command in
the user view to clear IPv6 neighbor entries.
----End

8.11.2 Monitoring IPv6 Running Status

Context
You can run the following commands in any view to check IPv6 running status.

Procedure
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
  check IPv6 information about a specified interface.
• Run the display ipv6 statistics [ interface interface-type interface-number ] command
  to check IPv6 traffic statistics.
• Run the display icmpv6 statistics [ interface interface-type interface-number ]
  command to check ICMPv6 traffic statistics.
• Run the display tcp ipv6 statistics command to check IPv6 TCP traffic statistics.
• Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type
  interface-number | vpn-instance vpn-instance-name ] command to check neighbor entries.
• Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all |
  dynamic | static } command to check all PMTU entries.
----End

8.12 Configuration Examples


8.12.1 Example for Configuring Basic IPv6 Functions

Networking Requirements
As shown in Figure 8-16, RouterA and RouterB are connected using GE1/0/0. RouterA and
RouterB need to establish a neighbor relationship, and RouterB can obtain an IPv6 address
using the neighbor discovery function.

Figure 8-16 Networking diagram for configuring basic IPv6 functions

[Figure: GE1/0/0 of RouterA (fc01::1/64) connected directly to GE1/0/0 of RouterB]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the IPv6 forwarding function on RouterA and configure an IPv6 address for
RouterA so that RouterA can forward IPv6 packets.
2. Configure RouterA to send RA packets and allow GE1/0/0 of RouterB to automatically
configure an IPv6 address based on the route prefix carried in the received RA packets.

Procedure
Step 1 Configure RouterA.
# Configure an IPv6 address for GE1/0/0 of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc01::1/64
[RouterA-GigabitEthernet1/0/0] quit

# Configure the neighbor discovery function on RouterA.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] quit

Step 2 Configure RouterB.
# Configure GE1/0/0 of RouterB to automatically generate an IPv6 address through stateless
autoconfiguration.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address auto global local-identifier
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit

Step 3 Verify the configuration.


If the preceding configurations are successful, you can view the configured global unicast
addresses. The interface status and the IPv6 protocol are Up. You can also check the neighbor
of the interfaces.
# Check interface information on RouterA.
<RouterA> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::A19:A6FF:FECD:A897
Global unicast address(es):
3000::1, subnet is 3000::/64
Joined group address(es):
FF02::1:2
FF02::1:FF00:1
FF02::2
FF02::1
FF02::1:FFCD:A897
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
ND router advertisements hop-limit 64
ND default router preference medium
Hosts use stateless autoconfig for addresses

# Check interface information on RouterB.


<RouterB> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
Global unicast address(es):
fc01::15B:E0EA:3524:E791
subnet is fc01::/64 [SLAAC 2012-07-19 17:30:55 2592000S]
Joined group address(es):
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds

# Check neighbor information on GE1/0/0 of RouterA.


<RouterA> display ipv6 neighbors gigabitethernet 1/0/0
---------------------------------------------------------
IPv6 Address : fc01::15B:E0EA:3524:E791
Link-layer : 00e0-fc89-fe6e State : STALE
Interface : GigabitEthernet1/0/0 Age : 7
VLAN : - CEVLAN: -
VPN name : Is Router : TRUE
Secure FLAG : UN-SECURE
---------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0

----End

Configuration File
• RouterA configuration file
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
 undo portswitch
 ipv6 enable
 ipv6 address fc01::1/64
 undo ipv6 nd ra halt
#
return

• RouterB configuration file
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
 undo portswitch
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address auto global local-identifier
#
return


9 DHCPv6 Configuration

About This Chapter

This section describes how to configure the DHCPv6 function. Currently, the industrial switch
router can function as the DHCPv6 server, DHCPv6 PD server, DHCPv6 relay, DHCPv6
client, and DHCPv6 PD client.

9.1 DHCPv6 Overview


This section describes the definition and purpose of DHCPv6.
9.2 Principles
This section describes the implementation of DHCPv6.
9.3 Applications
This section describes the applicable scenario of DHCPv6.
9.4 Default Configuration
This section provides default DHCPv6 configurations.
9.5 Configuration Notes
9.6 Configuring a DHCPv6 Server
You can configure a DHCPv6 server to dynamically assign configuration information such as
IPv6 addresses to DHCPv6 clients.
9.7 Configuring a DHCPv6 PD Server
You can configure a DHCPv6 PD server to dynamically assign configuration information
such as IPv6 addresses to DHCPv6 PD clients.
9.8 Configuring a DHCPv6 Relay Agent
A DHCPv6 relay agent enables the DHCPv6 client and server on different links to exchange
DHCPv6 messages. The DHCPv6 relay agent forwards DHCP messages to the destination
DHCPv6 server on a different network segment. DHCPv6 clients on multiple networks can
share one DHCPv6 server.
9.9 Configuring a DHCPv6 Client
When the DHCPv6 client function is configured on the device, the device dynamically
obtains IPv6 addresses and other network configuration parameters from the DHCPv6 server.
9.10 Configuring a DHCPv6 PD Client
When the DHCPv6 PD client function is configured on the device, the device dynamically
obtains an IPv6 address prefix and other network configuration parameters from the DHCPv6
PD server.
9.11 Maintaining DHCPv6
Maintaining DHCPv6 includes monitoring the running status of the DHCPv6 relay agent,
clearing DHCPv6 packet statistics, and resetting the status of the IPv6 address pool.
9.12 Configuration Examples
This section provides DHCPv6 configuration examples including networking requirements
and configuration roadmap.

9.1 DHCPv6 Overview


This section describes the definition and purpose of DHCPv6.

Definition
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is designed to assign IPv6
addresses, prefixes, and other network configuration parameters to hosts.

Purpose
The IPv6 protocol provides a huge address space formed by 128-bit IPv6 addresses that require
proper and efficient assignment and management policies. IPv6 stateless address
autoconfiguration is widely used. Hosts configured with the stateless address
autoconfiguration function automatically configure IPv6 addresses based on prefixes carried
in Router Advertisement (RA) packets sent from a neighboring device.

When stateless address autoconfiguration is used, devices do not record IPv6 addresses of
hosts. Therefore, stateless address autoconfiguration has poor manageability. In addition,
hosts configured with stateless address autoconfiguration cannot obtain other configuration
parameters such as the DNS server address. Internet service providers (ISPs) do not provide
instructions for automatic allocation of IPv6 prefixes for devices. Therefore, users need to
manually configure IPv6 addresses for devices during IPv6 network deployment.

DHCPv6 solves this problem. DHCPv6 is a stateful protocol for configuring IPv6 addresses
automatically.

Compared with manual address configuration and IPv6 stateless address autoconfiguration
that uses network prefixes in RA packets, DHCPv6 has the following advantages:

• Controls IPv6 address assignment better. A DHCPv6 device can record addresses
  assigned to hosts and assign requested addresses. This function facilitates network
  management.
• Assigns IPv6 address prefixes to network devices. This function facilitates automatic
  configuration and hierarchical network management.
• Provides other network configuration parameters such as the DNS server address.

9.2 Principles
This section describes the implementation of DHCPv6.


9.2.1 DHCPv6 Overview


DHCPv6 runs between a client and a server. Similar to DHCP for IPv4, DHCPv6 clients and
DHCPv6 servers exchange DHCPv6 packets using the User Datagram Protocol (UDP). In
IPv6, packets cannot be broadcast; therefore, DHCPv6 uses multicast packets. In this case,
DHCPv6 clients do not need to be configured with IPv6 addresses of DHCPv6 servers.

IPv6 Address Allocation Methods


The IPv6 protocol provides a huge address space formed by 128-bit IPv6 addresses that require
proper and efficient assignment and management policies.
Currently, the following methods are available to allocate IPv6 addresses:
• Manual configuration: You can manually configure IPv6 addresses, prefixes, and other
  network configuration parameters, such as addresses of the Domain Name System (DNS),
  Network Information Service (NIS), and Simple Network Time Protocol (SNTP) servers.
• Stateless address autoconfiguration: Hosts generate a link-local address based on the
  interface ID and automatically configure IPv6 addresses based on prefixes carried in
  Router Advertisement (RA) packets.
• Stateful autoconfiguration, that is, DHCPv6. DHCPv6 allocation has the following two
  methods:
  – DHCPv6 stateful autoconfiguration: DHCPv6 servers automatically provide IPv6
    addresses, PD prefixes, and other network configuration parameters, such as
    addresses of the DNS, NIS, and SNTP servers.
  – DHCPv6 stateless autoconfiguration: IPv6 addresses are generated based on RA
    packets. A DHCPv6 server does not provide IPv6 addresses but provides other
    configuration parameters about the DNS, NIS, and SNTP servers.

DHCPv6 Architecture
Figure 9-1 shows the DHCPv6 architecture.

Figure 9-1 DHCPv6 architecture


[Figure: DHCPv6 clients, a DHCPv6 relay, an IPv6 network, and a DHCPv6 server]

DHCPv6 involves the following roles:

• DHCPv6 client
  A DHCPv6 client applies to a DHCPv6 server for IPv6 addresses, prefixes, and network
  configuration parameters to complete its address configuration.
• DHCPv6 relay
  A DHCPv6 relay agent relays DHCPv6 packets between a DHCPv6 client and a
  DHCPv6 server to help the DHCPv6 client complete its address configuration.
  Generally, a DHCPv6 client communicates with a DHCPv6 server through the link-local
  multicast address to obtain IPv6 addresses, prefixes, and other network configuration
  parameters. If a DHCPv6 server and a DHCPv6 client are on different links, a DHCPv6
  relay agent is required to forward DHCPv6 packets. In this case, you do not need to
  deploy a DHCPv6 server on each link, which saves costs and facilitates centralized
  management.
  A DHCPv6 relay agent is optional. If a DHCPv6 client and a DHCPv6 server are on the
  same link or a DHCPv6 client communicates with a DHCPv6 server in unicast mode to
  complete address allocation or information configuration, you do not need to deploy a
  DHCPv6 relay agent. A DHCPv6 relay agent is required only when a DHCPv6 client
  and a DHCPv6 server are located on different links or a DHCPv6 client cannot
  communicate with a DHCPv6 server in unicast mode.
• DHCPv6 server
  A DHCPv6 server processes requests of address allocation, address lease extension, and
  address release from a DHCPv6 client or a DHCPv6 relay agent, and assigns IPv6
  addresses and other network configuration parameters to the DHCPv6 client.

Basic DHCPv6 Concepts


• Multicast address
  – In DHCPv6, a DHCPv6 client does not need to be configured with the IPv6 address
    of a DHCPv6 server. Instead, the DHCPv6 client locates DHCPv6 servers by
    sending Solicit packets with multicast addresses as destination addresses.
  – In DHCPv4, a DHCP client locates DHCP servers by broadcasting DHCP packets.
    To prevent broadcast storms, IPv6 does not use broadcast packets. Instead, IPv6
    uses multicast packets. DHCPv6 uses the following two multicast addresses:
    ▪ FF02::1:2 (All DHCP Relay Agents and Servers): indicates the multicast
      address of all the DHCPv6 servers and DHCPv6 relay agents. The address is a
      link-local multicast address and is used for communication between a
      DHCPv6 client and its neighboring servers or between a DHCPv6 client and
      DHCPv6 relay agents. All DHCPv6 servers and relay agents are members of
      this multicast group.
    ▪ FF05::1:3 (All DHCP Servers): indicates the multicast address of all the
      DHCPv6 servers. The address is a site-local address and is used for
      communication between DHCPv6 relay agents and DHCPv6 servers within a
      site. All DHCPv6 servers within a site are members of this multicast group.
• UDP port number
  – DHCPv6 packets are transmitted through UDPv6.
  – DHCPv6 clients only process DHCPv6 packets with UDP port number 546.
  – DHCPv6 servers and relay agents only process DHCPv6 packets with UDP port
    number 547.
• DHCPv6 Unique Identifier (DUID)
  – A DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique
    DUID. DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6
    clients use DUIDs to identify DHCPv6 servers.
  – The DUIDs of a DHCPv6 client and a DHCPv6 server are carried in the Client
    Identifier option and the Server Identifier option respectively. The Client Identifier
    option and the Server Identifier option have the same format and are distinguished
    by the option-code field value.
• Identity association (IA)
  – An IA enables a DHCPv6 server and a DHCPv6 client to identify, group, and
    manage IPv6 addresses. Each IA consists of an identity association identifier
    (IAID) and associated configuration information.
  – A DHCPv6 client must associate at least one IA with each of its network interfaces
    for which the DHCPv6 client requests IPv6 addresses from a DHCP server. The
    DHCPv6 client uses IAs associated with network interfaces to obtain configuration
    information from a DHCPv6 server. Each IA must be associated with at least one
    interface.
  – The IAID identifies an IA, and IAIDs on the same DHCPv6 client must be unique.
    The IAID is not lost or changed because of factors such as DHCPv6 client reboot.
  – The configuration information in an IA consists of one or more IPv6 addresses
    along with the lifetimes T1 and T2. Each address in an IA has a preferred lifetime
    and a valid lifetime.
  – An interface must be associated with at least one IA; an IA can contain information
    about one or more addresses.

9.2.2 DHCPv6 Packets


DHCPv6 Packet Format
Figure 9-2 shows the DHCPv6 packet format.

Figure 9-2 DHCPv6 packet format


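 0       7                        31
+--------+------------------------+
|msg-type|     transaction-ID     |
+--------+------------------------+
|       options (variable)        |
+---------------------------------+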

Table 9-1 Description of each field in a DHCPv6 packet


| Field | Length | Description |
|---|---|---|
| msg-type | 1 byte | Indicates the packet type. The value ranges from 1 to 13. For details, see the DHCPv6 Packet Type. |
| transaction-ID | 3 bytes | Identifies packet transaction between DHCPv6 clients and servers. For example, a DHCPv6 client initiates a Solicit/Advertise transaction or a Request/Reply transaction. Their transaction IDs are different. Transaction IDs have the following characteristics: the transaction ID is randomly generated by a DHCPv6 client; transaction IDs of request and reply packets must be the same; the transaction ID of a packet initiated by a DHCPv6 server is 0. |
| Options | Variable | Indicates the option field in a DHCPv6 packet. The option field contains configurations that the DHCPv6 server assigns to IPv6 hosts, such as the IPv6 address of the DNS server. |

DHCPv6 Packet Type


DHCPv6 defines 13 types of packets. A DHCPv6 server and a DHCPv6 client communicate
by exchanging these types of packets. Table 9-2 lists DHCPv6 packets and their
corresponding DHCPv4 packets and describes the DHCPv6 packets.

Table 9-2 Comparisons between DHCPv6 packets and DHCPv4 packets


| DHCP Packet Type | DHCPv6 Packet | DHCPv4 Packet | Description |
|---|---|---|---|
| 1 | SOLICIT | DHCP DISCOVER | A DHCPv6 client sends a Solicit packet to locate DHCPv6 servers. |
| 2 | ADVERTISE | DHCP OFFER | A DHCPv6 server sends an Advertise packet in response to a Solicit packet to declare that it can provide DHCPv6 services. |
| 3 | REQUEST | DHCP REQUEST | A DHCPv6 client sends a Request packet to request IPv6 addresses and other configuration parameters from a DHCPv6 server. |
| 4 | CONFIRM | - | A DHCPv6 client sends a Confirm packet to any available DHCPv6 server to check whether the obtained IPv6 address applies to the link that the DHCPv6 client is connected to. |
| 5 | RENEW | DHCP REQUEST | A DHCPv6 client sends a Renew packet to the DHCPv6 server that provides the IPv6 addresses and other configuration parameters to extend the lifetime of the addresses and to update configuration parameters. |
| 6 | REBIND | DHCP REQUEST | A DHCPv6 client sends a Rebind packet to any available DHCPv6 server to extend the lifetime of the assigned IPv6 address and to update configuration parameters when the client does not receive a response to its Renew packet. |
| 7 | REPLY | DHCP ACK/NAK | A DHCPv6 server sends a Reply packet in the following situations: 1. A DHCPv6 server sends a Reply packet containing IPv6 addresses and configuration parameters in response to a Solicit, Request, Renew or Rebind packet received from a DHCPv6 client. 2. A DHCPv6 server sends a Reply packet containing configuration parameters in response to an Information-Request packet. 3. A DHCPv6 server sends a Reply packet in response to a Confirm, Release, or Decline packet received from a DHCPv6 client. |
| 8 | RELEASE | DHCP RELEASE | A DHCPv6 client sends a Release packet to the DHCPv6 server that assigns IPv6 addresses to the DHCPv6 client, indicating that the DHCPv6 client will no longer use the obtained addresses. |
| 9 | DECLINE | DHCP DECLINE | A DHCPv6 client sends a Decline packet to a DHCPv6 server, indicating that the IPv6 addresses assigned by the DHCPv6 server are already in use on the link to which the DHCPv6 client is connected. |
| 10 | RECONFIGURE | - | A DHCPv6 server sends a Reconfigure packet to a DHCPv6 client, informing the DHCPv6 client that the DHCPv6 server has new addresses or updated configuration parameters. |
| 11 | INFORMATION-REQUEST | DHCP INFORM | A DHCPv6 client sends an Information-Request packet to a DHCPv6 server to request configuration parameters except for IPv6 addresses. |
| 12 | RELAY-FORW | - | A DHCPv6 relay agent sends a Relay-Forward packet to relay Request packets to DHCPv6 servers. |
| 13 | RELAY-REPL | - | A DHCPv6 server sends a Relay-Reply packet to a DHCPv6 relay agent. The Relay-Reply packet carries a packet that the DHCPv6 relay agent needs to deliver to a DHCPv6 client. |
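
The header layout in Figure 9-2 and the message types in Table 9-2 are enough to decode a captured DHCPv6 packet and check it against the UDP port and transaction-ID rules stated above. The following Python code is an added example, not part of the Huawei guide; the option codes (1, 2, 14) are taken from RFC 8415, and the sample packet is constructed.

```python
import struct

# msg-type values from Table 9-2.
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL",
}
SERVER_SENT = {"ADVERTISE", "REPLY", "RECONFIGURE"}   # delivered to clients
CLIENT_PORT, SERVER_PORT = 546, 547
# Option codes are taken from RFC 8415; this page does not list them.
OPT_CLIENTID, OPT_SERVERID, OPT_RAPID_COMMIT = 1, 2, 14


class MalformedPacket(ValueError):
    """Raised when a packet cannot be a well-formed DHCPv6 message."""


def build_option(code, value=b""):
    """Encode one option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(value)) + value


def parse_options(buf):
    """Split the options field into (code, value) pairs, rejecting overruns."""
    options, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise MalformedPacket("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise MalformedPacket(f"option {code} overruns the packet")
        options.append((code, buf[pos:pos + length]))
        pos += length
    return options


def parse_message(data):
    """Decode msg-type (1 byte), transaction-ID (3 bytes) and the options."""
    if len(data) < 4:
        raise MalformedPacket("shorter than the 4-byte header")
    name = MSG_TYPES.get(data[0])
    if name is None:
        raise MalformedPacket(f"unknown msg-type {data[0]}")
    if name.startswith("RELAY"):
        raise MalformedPacket("relay messages use a different header")
    options = parse_options(data[4:])
    lookup = dict(options)

    def duid(code):
        return lookup[code].hex() if code in lookup else None

    return {
        "type": name,
        "xid": int.from_bytes(data[1:4], "big"),
        "client_duid": duid(OPT_CLIENTID),
        "server_duid": duid(OPT_SERVERID),
        "rapid_commit": OPT_RAPID_COMMIT in lookup,
        "options": options,
    }


def violations(msg, dst_port):
    """Check a parsed message against the port and transaction-ID rules."""
    found = []
    expected = CLIENT_PORT if msg["type"] in SERVER_SENT else SERVER_PORT
    if dst_port != expected:
        found.append(f'{msg["type"]} sent to UDP {dst_port}, expected {expected}')
    if msg["type"] == "RECONFIGURE" and msg["xid"] != 0:
        found.append("server-initiated packet with non-zero transaction-ID")
    if msg["type"] in SERVER_SENT and msg["server_duid"] is None:
        found.append("server packet without a Server Identifier option")
    return found


# Constructed sample: Solicit with a DUID-LL client identifier and Rapid Commit.
SAMPLE_DUID = bytes.fromhex("00030001" "00e0fc89fe6e")
SAMPLE_SOLICIT = (bytes([1]) + (0x1A2B3C).to_bytes(3, "big")
                  + build_option(OPT_CLIENTID, SAMPLE_DUID)
                  + build_option(OPT_RAPID_COMMIT))

if __name__ == "__main__":
    parsed = parse_message(SAMPLE_SOLICIT)
    print(parsed["type"], hex(parsed["xid"]), parsed["client_duid"])
    print(violations(parsed, SERVER_PORT) or "no violations")
```
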


9.2.3 DHCPv6 Working Principles


DHCPv6 autoconfiguration is classified as stateful or stateless.
• DHCPv6 stateful autoconfiguration: A DHCPv6 server automatically configures IPv6
  addresses, prefixes, and network configuration parameters of the DNS, NIS, and SNTP
  servers.
• DHCPv6 stateless autoconfiguration: IPv6 addresses are generated based on Router
  Advertisement (RA) packets. A DHCPv6 server does not provide IPv6 addresses but
  provides other configuration parameters, such as addresses of the DNS, NIS, and SNTP
  servers.

DHCPv6 Stateful Autoconfiguration


The IPv6 node obtains addresses and other configuration parameters (such as the IPv6 address
of the DNS server) through stateful DHCPv6 autoconfiguration.
A DHCPv6 server assigns addresses and prefixes to a DHCPv6 client in the following ways:
• DHCPv6 four-message exchange
• DHCPv6 two-message exchange

DHCPv6 Four-Message Exchange
Four-message exchange applies to a network where multiple DHCPv6 servers are available. A
DHCPv6 client first multicasts a Solicit packet to locate DHCPv6 servers that can provide
DHCPv6 services. After receiving Advertise packets from multiple DHCPv6 servers, the
DHCPv6 client selects one of the DHCPv6 servers according to priorities of DHCPv6 servers.
Then the DHCPv6 client and the selected DHCPv6 server complete address application and
allocation by exchanging Request and Reply packets.
If a DHCPv6 server does not have two-message exchange enabled, the DHCPv6 server
allocates addresses and configuration parameters through four-message exchange, regardless
of whether the Solicit packet contains the Rapid Commit option.
Figure 9-3 shows the process of address allocation using four-message exchange.

Figure 9-3 Process of address allocation using four-message exchange

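DHCPv6 Client                        DHCPv6 Server
      |------- (1) Solicit ------------->|
      |<------ (2) Advertise ------------|
      |------- (3) Request ------------->|
      |<------ (4) Reply ----------------|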


The process of address allocation using four-message exchange is as follows:

1. A DHCPv6 client sends a Solicit packet to request a DHCPv6 server to allocate IPv6
addresses and network configuration parameters.
2. If the DHCPv6 server does not support fast address allocation, the DHCPv6 server
returns an Advertise packet containing the allocated addresses and network configuration
parameters regardless of whether the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 servers, the DHCPv6 client
selects the DHCPv6 server with the highest priority and sends Request multicast packets
to all DHCPv6 servers. The Request multicast packets carry the DUID of the selected
DHCPv6 server.
4. The DHCPv6 server responds with a Reply packet that contains the addresses and
network configuration parameters allocated to the client.

DHCPv6 Two-Message Exchange

Two-message exchange applies to a network where only one DHCPv6 server is available. A
DHCPv6 client multicasts a Solicit packet to locate the DHCPv6 server that can allocate
addresses and configuration parameters. After receiving the Solicit packet, the DHCPv6
server responds with a Reply packet carrying addresses and configuration parameters
allocated to the DHCPv6 client.

This packet exchange improves address allocation efficiency. On the network where multiple
DHCPv6 servers are available, multiple DHCPv6 servers can allocate addresses to DHCPv6
clients and respond with Reply packets. The DHCPv6 clients, however, use the addresses and
configuration parameters allocated by one DHCPv6 server. To prevent the preceding situation,
the administrator can configure only one DHCPv6 server to support two-message exchange.

• If a DHCPv6 server is configured with two-message exchange and the Solicit packet
  from a DHCPv6 client contains the Rapid Commit option, the DHCPv6 server allocates
  IPv6 addresses and configuration parameters in two-message exchange mode.
• If a DHCPv6 server does not support fast address allocation, the DHCPv6 server
  allocates IPv6 addresses and other network configuration parameters to clients using
  four-message exchange.

Figure 9-4 shows the process of address allocation using two-message exchange.

Figure 9-4 Process of address allocation using two-message exchange

DHCPv6 Client                                         DHCPv6 Server
      |--- (1) Solicit (contains a Rapid Commit option) -->|
      |<-- (2) Reply --------------------------------------|

The process of address allocation using two-message exchange is as follows:

1. A DHCPv6 client sends a Solicit packet carrying the Rapid Commit option, indicating
that the DHCPv6 client requires fast address allocation and network configuration
parameters from a DHCPv6 server.
2. After the DHCPv6 server receives the Solicit packet, it processes the packet as follows:
– If the DHCPv6 server supports fast address allocation, it returns a Reply packet and
allocates IPv6 addresses and other network configuration parameters to the
DHCPv6 client.
– If the DHCPv6 server does not support fast address allocation, the DHCPv6 server
uses four-message exchange to allocate IPv6 addresses, prefixes, and other network
configuration parameters.
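
The two exchanges described above can be traced side by side, including the case the text warns about, where more than one server has two-message exchange enabled and each commits an address that the client never uses. This Python simulation is an added example, not code from the Huawei guide; the server names, preference values and 2001:db8:: addresses are constructed, and "preference" stands in for the server priority the text mentions.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    duid: str
    preference: int            # priority used by the client to choose a server
    rapid_commit: bool         # True = two-message exchange enabled
    pool: list                 # free addresses (constructed sample values)
    bindings: dict = field(default_factory=dict)   # client DUID -> address

    def _commit(self, client):
        if client not in self.bindings:
            self.bindings[client] = self.pool.pop(0)
        return self.bindings[client]

    def on_solicit(self, client, wants_rapid):
        if not self.pool and client not in self.bindings:
            return None                            # nothing to offer
        if self.rapid_commit and wants_rapid:
            # Two-message exchange: the binding is committed immediately.
            return {"type": "REPLY", "server": self.duid,
                    "addr": self._commit(client)}
        # Otherwise four-message exchange, Rapid Commit option or not.
        offer = self.bindings.get(client, self.pool[0] if self.pool else None)
        return {"type": "ADVERTISE", "server": self.duid,
                "preference": self.preference, "addr": offer}

    def on_request(self, client, server_duid):
        # The Request is multicast; only the server named by its DUID answers.
        if server_duid != self.duid:
            return None
        return {"type": "REPLY", "server": self.duid,
                "addr": self._commit(client)}


def acquire(client, servers, rapid_commit=False):
    """Run one address acquisition and return the packet trace and result."""
    trace = ["SOLICIT" + (" +RapidCommit" if rapid_commit else "")]
    answers = [a for a in (s.on_solicit(client, rapid_commit) for s in servers) if a]
    trace += [f'{a["type"]} {a["server"]}' for a in answers]
    replies = [a for a in answers if a["type"] == "REPLY"]
    if replies:                                    # two-message exchange is done
        first = replies[0]
        return {"trace": trace, "server": first["server"], "addr": first["addr"]}
    if not answers:
        return {"trace": trace, "server": None, "addr": None}
    best = max(answers, key=lambda a: a["preference"])
    trace.append(f'REQUEST {best["server"]}')
    reply = next(r for r in (s.on_request(client, best["server"]) for s in servers) if r)
    trace.append(f'REPLY {reply["server"]}')
    return {"trace": trace, "server": reply["server"], "addr": reply["addr"]}


def stranded_bindings(client, servers, used_server):
    """Servers that committed an address the client is not using."""
    return [s.duid for s in servers
            if client in s.bindings and s.duid != used_server]


def demo_servers(rapid_a, rapid_b):
    """Two constructed servers; srv-b has the higher priority."""
    return [Server("srv-a", 10, rapid_a, ["2001:db8:a::10"]),
            Server("srv-b", 200, rapid_b, ["2001:db8:b::10"])]


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        servers = demo_servers(*flags)
        result = acquire("client-1", servers, rapid_commit=True)
        print(flags, result["trace"],
              "stranded:", stranded_bindings("client-1", servers, result["server"]))
```
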

DHCPv6 Stateless Autoconfiguration


The IPv6 node obtains network configuration parameters (including configuration parameters
of DNS, SIP, and SNTP servers, without IPv6 addresses) through DHCPv6 stateless
autoconfiguration.
Figure 9-5 shows the working process of DHCPv6 stateless autoconfiguration.

Figure 9-5 Working process of DHCPv6 stateless autoconfiguration


DHCPv6 Client                                             DHCPv6 Server
      |--- Information-request: includes an Option Request option -->|
      |<-- Reply: includes the requested options --------------------|

The working process of DHCPv6 stateless autoconfiguration is as follows:


1. A DHCPv6 client multicasts an Information-Request packet with the Option Request
option to DHCPv6 servers. The Option Request option specifies the configuration
parameters that the DHCPv6 client needs to obtain from a DHCPv6 server.
2. After receiving the Information-Request packet, the DHCPv6 server sends a Reply
packet to the client in unicast mode. The Reply packet carries the allocated network
configuration parameters. The DHCPv6 client performs stateless autoconfiguration
based on parameters carried in the Reply packet.

9.2.4 Working Principle of DHCPv6 PD


DHCPv6 prefix delegation (PD) is a prefix allocation mechanism defined in RFC 3633.
On a layered network, IPv6 addresses of different layers are configured manually. Manually
configured IPv6 addresses have poor extensibility and cannot be planned and managed in a
centralized manner.
The DHCPv6 PD mechanism allows a downstream device to request IPv6 prefixes from the
upstream device and an upstream device to assign appropriate prefixes to the downstream
device. In this way, you do not need to configure IPv6 prefixes for user-side links on the
downstream device. The downstream device divides the obtained prefix (whose length is
less than 64 bits) into 64-bit subnet prefixes and sends a Router Advertisement (RA) packet
on the link that IPv6 hosts directly connect to. This enables hosts to automatically configure
addresses, completing IPv6 network deployment.

Figure 9-6 shows the working process of DHCPv6 PD.

Figure 9-6 Working principle of DHCPv6 PD


[Figure: topology with Router A, Router B, a DHCPv6 PD client, a DHCPv6 PD server, and IPv6 hosts HostA, HostB, and HostC]

The process of DHCPv6 PD using four-message exchange is as follows:

1. A DHCPv6 PD client sends a Solicit packet, requesting an IPv6 address prefix from a
DHCPv6 PD server.
2. If the DHCPv6 PD server does not support fast address allocation, the DHCPv6 PD
server returns an Advertise packet containing the allocated address prefixes regardless of
whether the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 PD servers, the DHCPv6 PD
client selects the DHCPv6 PD server with the highest priority and sends a Request
packet to this DHCPv6 PD server to request address prefixes.
4. The DHCPv6 PD server responds with a Reply packet to assign an IPv6 address prefix to
the DHCPv6 PD client.

DHCPv6 PD also supports two-message exchange using packets carrying the Rapid Commit
option. For details, see DHCPv6 Two-Message Exchange.
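
The subdivision step described above, in which the downstream device splits the delegated prefix into 64-bit subnet prefixes for its user-side links, is shown below in Python as an added example that is not part of the Huawei guide. It goes slightly beyond the text by clamping the advertised RA lifetimes to the remaining lifetimes of the delegated prefix, as RFC 3633 requires; the link names, the prefix and the RA default lifetimes (604800 s and 2592000 s) are assumptions.

```python
import ipaddress


def plan_downstream(delegated, preferred, valid, elapsed, links,
                    ra_preferred=604800, ra_valid=2592000):
    """Split a delegated prefix into /64 subnets, one per downstream link.

    delegated        prefix received from the DHCPv6 PD server, e.g. "2001:db8:1200::/56"
    preferred/valid  lifetimes (seconds) granted with the delegated prefix
    elapsed          seconds since the prefix was received
    links            names of the user-side links (hypothetical labels)
    """
    net = ipaddress.IPv6Network(delegated)      # raises if host bits are set
    if preferred > valid:
        raise ValueError("preferred lifetime exceeds valid lifetime")
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than 64 bits")
    remaining_valid = valid - elapsed
    if remaining_valid <= 0:
        raise ValueError("delegated prefix has expired, stop advertising it")
    available = 2 ** (64 - net.prefixlen)
    if len(links) > available:
        raise ValueError(f"{len(links)} links but only {available} /64 subnets")
    remaining_preferred = max(preferred - elapsed, 0)

    plan = {}
    # subnets() is a generator, so a /48 does not materialise 65536 networks.
    for link, subnet in zip(links, net.subnets(new_prefix=64)):
        plan[link] = {
            "prefix": str(subnet),
            # RA lifetimes must not outlive the delegation itself.
            "preferred": min(ra_preferred, remaining_preferred),
            "valid": min(ra_valid, remaining_valid),
        }
    return plan


if __name__ == "__main__":
    # Constructed sample: a /56 delegated for two hours, one hour preferred.
    for link, entry in plan_downstream("2001:db8:1200::/56", 3600, 7200, 0,
                                       ["lan1", "lan2", "lan3"]).items():
        print(link, entry)
```
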

9.2.5 Working Principle of the DHCPv6 Relay Agent

Figure 9-7 shows the working process of a DHCPv6 relay agent. A DHCPv6 client sends
packets to a DHCPv6 server through a DHCPv6 relay agent to obtain IPv6 addresses,
prefixes, and other network configuration parameters, such as IPv6 addresses of DNS servers.

Figure 9-7 Working principle of a DHCPv6 relay agent


DHCPv6 Client                         DHCPv6 Relay                DHCPv6 Server
      |-- (1) DHCPv6 message from client -->|                          |
      |                                     |-- (2) Relay-forward ---->|
      |                                     |<- (3) Relay-reply -------|
      |<- (4) DHCPv6 message to client -----|                          |

The working process of a DHCPv6 relay agent is as follows:


1. A DHCPv6 client sends DHCPv6 Request packets with the destination multicast address
FF02::1:2 to all DHCPv6 servers and DHCPv6 relay agents.
2. A DHCPv6 relay agent processes packets in either of the following ways:
– If a DHCPv6 relay agent and a DHCPv6 client are located on the same link, that is,
the DHCPv6 relay agent is the first-hop relay agent of the DHCPv6 client, the
DHCPv6 relay agent is the IPv6 gateway of the DHCPv6 client. After receiving a
packet from the DHCPv6 client, the DHCPv6 relay agent encapsulates the packet in
the Relay Message option of a Relay-Forward packet. Then the DHCPv6 relay
agent sends the Relay-Forward packet to a DHCPv6 server or the next-hop relay
agent.
– If the DHCPv6 relay agent and DHCPv6 client are on different links, the DHCPv6
relay agent receives Relay-Forward packets sent from other relay agents. The
DHCPv6 relay agent constructs a new Relay-Forward packet and sends the packet
to the DHCPv6 server or the next-hop relay agent.
3. The DHCPv6 server parses the request of the DHCPv6 client in the Relay-Forward
packet and selects IPv6 addresses and other network configuration parameters to
construct a reply packet. Then the DHCPv6 server encapsulates the reply packet in the
Relay Message option of a Relay-Reply packet and sends the Relay-Reply packet to the
DHCPv6 relay agent.
4. The DHCPv6 relay agent parses the reply packet of the DHCPv6 server in the Relay-
Reply packet and forwards the reply packet to the DHCPv6 client. If the DHCPv6 client
receives reply packets from multiple DHCPv6 servers, the DHCPv6 client selects the
DHCPv6 server with the highest priority, and obtains the IPv6 address and other network
configuration parameters from the DHCPv6 server.
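
The encapsulation in steps 2 to 4, as an added Python sketch (not code from this guide or from the device): a client Request passes through two relay agents, the server answers it, and each relay strips its own Relay-Reply layer. Message layouts, message types and option codes follow RFC 8415; the addresses, DUID, transaction ID, function names and the nesting cap are constructed for illustration.

```python
import ipaddress
import struct

# Message types and option codes from RFC 8415.
REQUEST, REPLY = 3, 7
RELAY_FORW, RELAY_REPL = 12, 13
OPTION_CLIENTID, OPTION_RELAY_MSG = 1, 9
RELAY_HDR_LEN = 34    # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)
MAX_RELAY_DEPTH = 8   # nesting cap chosen for this sketch


def option(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode an options area, rejecting truncated or overrunning options."""
    opts, i = {}, 0
    while i < len(buf):
        if len(buf) - i < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if length > len(buf) - i:
            raise ValueError("option length overruns message")
        opts.setdefault(code, buf[i:i + length])
        i += length
    return opts


def relay_wrap(msg_type, inner, link_address, peer_address, hop_count):
    """Build a Relay-Forward or Relay-Reply carrying `inner` in the Relay Message option."""
    return (bytes([msg_type, hop_count])
            + ipaddress.IPv6Address(link_address).packed
            + ipaddress.IPv6Address(peer_address).packed
            + option(OPTION_RELAY_MSG, inner))


def relay_unwrap(msg):
    """Strip one relay layer and return (header fields, encapsulated message)."""
    if len(msg) < RELAY_HDR_LEN or msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a relay message")
    opts = parse_options(msg[RELAY_HDR_LEN:])
    if OPTION_RELAY_MSG not in opts:
        raise ValueError("relay message without a Relay Message option")
    header = {
        "type": msg[0],
        "hop_count": msg[1],
        "link_address": ipaddress.IPv6Address(msg[2:18]),
        "peer_address": ipaddress.IPv6Address(msg[18:34]),
    }
    return header, opts[OPTION_RELAY_MSG]


def server_handle(relay_forward, build_reply):
    """Server side: peel every Relay-Forward layer, answer the client message,
    then re-wrap the answer in matching Relay-Reply layers (innermost first)."""
    headers, msg = [], relay_forward
    while msg[:1] == bytes([RELAY_FORW]):
        if len(headers) == MAX_RELAY_DEPTH:
            raise ValueError("too many nested relay layers")
        header, msg = relay_unwrap(msg)
        headers.append(header)
    reply = build_reply(msg)
    for h in reversed(headers):
        reply = relay_wrap(RELAY_REPL, reply, h["link_address"],
                           h["peer_address"], h["hop_count"])
    return headers, reply


def demo():
    # Constructed client Request: transaction-id 0x0a0b0c and a made-up DUID.
    client_msg = (bytes([REQUEST]) + b"\x0a\x0b\x0c"
                  + option(OPTION_CLIENTID, bytes.fromhex("00030001020000000001")))
    # First-hop relay: link-address is its address on the client link,
    # peer-address is the client's link-local source address.
    hop1 = relay_wrap(RELAY_FORW, client_msg, "2001:db8:1::1", "fe80::200:ff:fe00:1", 0)
    # Second relay: peer-address is the first relay, link-address 0, hop-count + 1.
    hop2 = relay_wrap(RELAY_FORW, hop1, "::", "2001:db8:ffff::1", 1)
    # Server answers with a Reply that echoes the transaction-id.
    headers, reply = server_handle(hop2, lambda m: bytes([REPLY]) + m[1:4])
    # Each relay strips its own layer and forwards the rest to peer-address.
    outer, to_first_relay = relay_unwrap(reply)
    inner, to_client = relay_unwrap(to_first_relay)
    return client_msg, headers, (outer, inner), to_client


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The bounds checks in `parse_options` and the nesting cap matter because every field here arrives from the network: a relay or server that trusts the option length or unwraps without a limit can be driven by a single crafted packet.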

9.2.6 IPv6 Address/Prefix Allocation and Lease Updating


IPv6 Address Allocation Sequence


The DHCPv6 server allocates an IPv6 address or prefix to a DHCPv6 client in the following
sequence:
1. Select an IPv6 address pool.
An IPv6 address pool can be bound to an interface of the DHCPv6 server. The DHCPv6
server assigns an address or prefix to the DHCPv6 client from the IPv6 address pool. If
a relay exists, the IPv6 address pool cannot be bound to the interface of the DHCPv6
server. In this case, the server checks the first link-address field in the packet whose
value is not 0 (this field identifies the link range of the DHCPv6 clients) and selects
an address pool whose configured network prefix or IPv6 address prefix is in the same
link range.
2. Select an IPv6 address or prefix.
After the address pool is selected, the DHCPv6 server assigns IPv6 addresses or
prefixes to DHCPv6 clients in the following order:
a. If IPv6 addresses or prefixes have been specified in the address pool, the
addresses and prefixes matching the client DUIDs are preferentially assigned to
clients.
b. If the IA option in the packet sent from the client carries valid addresses or prefixes,
these addresses or prefixes are preferentially assigned to clients from the address
pool. If these addresses or prefixes are unavailable in the address pool, other idle
addresses or prefixes are assigned to clients. If the IPv6 prefix length exceeds the
assigned length, the IPv6 prefix of the assigned length is assigned.
c. Idle addresses and prefixes are assigned to clients from the address pool. Reserved
addresses (for example, anycast addresses defined in RFC 2526), conflicted
addresses, and used addresses cannot be assigned to clients.
d. If no IPv6 address or prefix can be assigned, address or prefix allocation fails.
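
The allocation sequence above, as an added Python model (not the device's implementation): pool selection by the first non-zero link-address, then steps a to d for addresses only. The class and function names, DUID strings and prefixes are constructed; scanning the link-address fields in the order given and matching a pool by prefix containment are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    prefix: ipaddress.IPv6Network
    static: dict = field(default_factory=dict)       # DUID -> statically bound address
    unavailable: set = field(default_factory=set)    # reserved or conflicted addresses
    leased: dict = field(default_factory=dict)       # address -> DUID currently using it


def select_pool(pools, link_addresses, interface_pool=None):
    """Step 1. Without a relay, use the pool bound to the receiving interface.
    With a relay, take the first link-address that is not 0 and pick the pool
    whose prefix covers it (scan order and containment test are assumptions)."""
    if not link_addresses:
        return interface_pool
    for raw in link_addresses:
        addr = ipaddress.IPv6Address(raw)
        if int(addr) != 0:
            return next((p for p in pools if addr in p.prefix), None)
    return None


def allocate(pool, duid, hint=None):
    """Step 2, a to d. `hint` is an address carried in the client's IA option."""
    others_static = {a for d, a in pool.static.items() if d != duid}

    def assignable(addr):
        return (addr in pool.prefix
                and addr not in pool.unavailable          # reserved or conflicted
                and addr not in others_static             # bound to another DUID
                and pool.leased.get(addr, duid) == duid)  # not used by someone else

    def lease(addr):
        pool.leased[addr] = duid
        return addr

    if duid in pool.static:                      # a. address bound to this DUID
        return lease(pool.static[duid])
    if hint is not None and assignable(hint):    # b. valid address from the IA option
        return lease(hint)
    for addr in pool.prefix.hosts():             # c. first idle address
        if assignable(addr):
            return lease(addr)
    return None                                  # d. allocation fails


def demo_pools():
    """Two constructed /126 pools, small enough to exhaust in a test."""
    addr = ipaddress.IPv6Address
    pool_a = Pool("pool-a", ipaddress.IPv6Network("2001:db8:1::/126"),
                  static={"duid-printer": addr("2001:db8:1::1")},
                  unavailable={addr("2001:db8:1::2")})
    pool_b = Pool("pool-b", ipaddress.IPv6Network("2001:db8:2::/126"))
    return pool_a, pool_b


if __name__ == "__main__":
    a, b = demo_pools()
    print(select_pool([a, b], ["::", "2001:db8:2::1"]).name)
    print(allocate(a, "duid-printer"), allocate(a, "duid-x"), allocate(a, "duid-y"))
```

Step b is the one to watch when reviewing a server's behaviour: the hint comes from the client, so it is honoured only after the same availability checks that apply to any idle address.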

DHCPv6 Address Lease Updating


The addresses allocated by DHCPv6 servers to DHCPv6 clients have leases. A lease is
composed of the lifetime (including the preferred lifetime and valid lifetime) and lease
extension time (T1 and T2 in an IA). After the valid lifetime of an address is reached, a
DHCPv6 client can no longer use this address. Before the valid lifetime is reached, a
DHCPv6 client needs to update the address lease if it needs to continue to use this address.
To extend the valid lifetime and preferred lifetime for the addresses associated with an IA, a
DHCPv6 client sends a Renew packet to the DHCPv6 server at T1. The IA option in the
Renew packet carries the addresses whose leases need to be extended. If the DHCPv6 client
does not receive a response packet, it sends a Rebind packet at T2 to the DHCPv6 server to
continue to extend the address lease.
Figure 9-8 shows the process of updating the address lease at T1.


Figure 9-8 Process of updating the address lease at T1

[Figure: message sequence between DHCPv6 Client and DHCPv6 Server: (1) Renew at T1, (2) Reply]

The process of updating the address lease at T1 is as follows:

1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1 (the
recommended value of T1 is half the preferred lifetime).
2. A DHCPv6 server responds with a Reply packet.
– If the DHCPv6 client can continue to use the address, the DHCPv6 server responds
with a Reply packet indicating that the address lease is extended successfully. In
addition, the DHCPv6 server informs the DHCPv6 client that the address lease is
updated successfully.
– If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a
Reply packet indicating that address lease extension fails. In addition, the DHCPv6
server informs the DHCPv6 client that the DHCPv6 client cannot obtain a new
address lease.

Figure 9-9 shows the process of updating the address lease at T2.

Figure 9-9 Process of updating the address lease at T2

[Figure: message sequence between DHCPv6 Client and DHCPv6 Server: (1) Renew at T1, (2) Rebind at T2, (3) Reply]

The process of updating the address lease at T2 is as follows:


1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1, but
does not receive a response packet from a DHCPv6 server.
2. The DHCPv6 client multicasts a Rebind packet to all the DHCPv6 servers to request
them to update the address lease at T2 (the recommended value of T2 is 0.8 times the
preferred lifetime).
3. A DHCPv6 server responds with a Reply packet.
– If the DHCPv6 client can continue to use the address, the DHCPv6 server responds
with a Reply packet indicating that the address lease is extended successfully. In
addition, the DHCPv6 server informs the DHCPv6 client that the address or prefix
lease is updated successfully.
– If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a
Reply packet indicating that address lease extension fails. In addition, the DHCPv6
server informs the DHCPv6 client that the DHCPv6 client cannot obtain a new
address lease.
If the DHCPv6 client does not receive a response packet from the DHCPv6 server, the
DHCPv6 client stops using this address after the valid lifetime is reached.

IP Address Reservation
The DHCPv6 server supports reserved IPv6 addresses that cannot be dynamically allocated.
For example, an IPv6 address can be reserved for a DNS server.

9.3 Applications
This section describes the applicable scenario of DHCPv6.

9.3.1 Typical Networking of the DHCPv6 Server


Figure 9-10 shows a typical networking of the DHCPv6 server.

Figure 9-10 Networking of the DHCPv6 server

[Figure labels: DHCPv6 Client, DHCPv6 Server]

The device functions as the DHCPv6 server to assign IPv6 addresses to clients. The DHCPv6
client applies to the DHCPv6 server for configurations including an IPv6 address and DNS
server address. The DHCPv6 server replies with related configurations according to policies.
The DHCPv6 server assigns a complete IPv6 address to a host and provides other
configuration parameters such as the DNS server address. The DHCPv6 server also provides
stateless DHCPv6 services. That is, the DHCPv6 server does not assign IPv6 addresses but
provides hosts with configuration parameters such as the DNS server address and domain
name. Hosts automatically configure IPv6 addresses based on RA messages. This overcomes
the limitations of IPv6 stateless address autoconfiguration.

9.3.2 Typical Networking of the DHCPv6 PD Server

Figure 9-11 shows a typical networking of the DHCPv6 PD server.

Figure 9-11 Networking of the DHCPv6 PD server

[Figure labels: RouterA (DHCPv6 PD Server), RouterB (DHCPv6 PD Client), IPv6 HostA, IPv6 HostB, IPv6 HostC]

The device functions as the DHCPv6 PD server to assign IPv6 address prefixes to DHCPv6
PD clients.

The DHCPv6 PD mechanism allows RouterB to function as a DHCPv6 PD client to request
IPv6 prefixes from the DHCPv6 PD server and allows the DHCPv6 PD server to assign
prefixes to RouterB. In this way, RouterB does not need to assign IPv6 prefixes for user-side
links. RouterB divides the obtained prefix (whose length is smaller than 64 bits) into 64-bit
subnet prefixes and sends an RA message on the link that hosts directly connect to. The RA
message contains a 64-bit subnet prefix. This enables hosts to automatically configure
addresses.

9.3.3 Typical Networking of the DHCPv6 Relay Agent

Figure 9-12 shows a typical networking of the DHCPv6 relay agent.

Figure 9-12 Networking of the DHCPv6 relay agent

[Figure labels: DHCPv6 Client, DHCPv6 Relay, Internet, DHCPv6 Server]


When the device functions as a DHCPv6 relay agent, the client can communicate with a DHCPv6
server on another network segment through the DHCPv6 relay agent and obtain an IPv6
address and other configuration parameters from the global address pool on the DHCPv6 server.
In this manner, DHCPv6 clients on multiple network segments can share one DHCPv6 server.
This reduces costs and facilitates centralized management.

9.3.4 Typical Networking of the DHCPv6 Client


Figure 9-13 shows a typical networking of the DHCPv6 client.

Figure 9-13 Networking of the DHCPv6 client

[Figure labels: RouterA (DHCPv6 Client), RouterB (DHCPv6 Client), RouterC (DHCPv6 Server)]

When the DHCPv6 client function is configured on the device, the device dynamically
obtains IPv6 addresses and other network configuration parameters from the DHCPv6 server.
This operation facilitates user configurations and centralized management.

9.3.5 Typical Networking of the DHCPv6 PD Client


Figure 9-14 shows a typical networking of the DHCPv6 PD client.

Figure 9-14 Networking of the DHCPv6 PD client

[Figure labels: Router A, Router B, GE0/0/1, DHCPv6 PD Client, DHCPv6 PD Server, IPv6 HostA, IPv6 HostB, IPv6 HostC]


When the DHCPv6 PD client function is configured on the device, the device dynamically obtains
IPv6 addresses and other network configuration parameters from the DHCPv6 PD server.
This operation facilitates user configurations and centralized management. The device divides
the obtained IPv6 prefix (whose length is smaller than 64 bits) into 64-bit subnet prefixes
and sends an RA message on the link that hosts directly connect to. The RA message contains
a 64-bit subnet prefix. This enables hosts to automatically configure addresses.

9.4 Default Configuration


This section provides default DHCPv6 configurations.

Table 1 DHCPv6 default configuration


Parameter Default Value

DHCPv6 DUID based on the link-layer (LL) address

9.5 Configuration Notes

Involved Network Elements


Other network elements are not required.

License Support
DHCPv6 is a basic feature of the device and is not under license control.

Feature Dependencies and Limitations


• AR502G-L-D-H, AR502GR-L-D-H do not support DHCPv6 functions.
• AR510 series do not support DHCPv6 functions.

9.6 Configuring a DHCPv6 Server


You can configure a DHCPv6 server to dynamically assign configuration information such as
IPv6 addresses to DHCPv6 clients.

Pre-configuration Tasks
Before configuring the DHCPv6 server, complete the following tasks:
• Ensuring that the link between the DHCPv6 client and the industrial switch router works
properly and the DHCPv6 client can communicate with the industrial switch router
• (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
the industrial switch router and DHCPv6 relay agent or client


Configuration Process
The configuration tasks are performed in sequence.

9.6.1 Configuring the DHCPv6 DUID

Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.

----End

9.6.2 Configuring an IPv6 Address Pool


Context
To implement the DHCPv6 function, you need to create an IPv6 address pool and configure
its attributes including the IPv6 address range, IPv6 configuration update time, IPv6 addresses
not to be automatically allocated, and IP addresses to be statically bound to clients. IPv6
addresses can be dynamically assigned or statically bound to clients based on client
requirements.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 Run the commands in the IPv6 address pool view to configure the network prefix.
When functioning as a DHCPv6 server, the device supports the DHCPv6 stateful mode and
DHCPv6 stateless mode to assign network parameters to clients. In DHCPv6 stateful mode,
the DHCPv6 server automatically provides IPv6 addresses, prefixes, and other network
configuration parameters, such as DNS, NIS, and SNTP server addresses. In DHCPv6
stateless mode, the DHCPv6 server does not provide IPv6 addresses but provides other
configuration parameters about the DNS, NIS, and SNTP servers. IPv6 addresses for clients
are still generated based on Router Advertisement (RA) packets.
• When the DHCPv6 service needs to automatically assign network parameters in
DHCPv6 stateful mode, run the address prefix ipv6-prefix/ipv6-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ] command to configure
network prefixes and lifetimes in the IPv6 address pool view.
By default, no network prefix and lifetime are configured in the address pool view.
• When the DHCPv6 service needs to automatically assign network parameters in
DHCPv6 stateless mode, run the link-address ipv6-prefix/ipv6-prefix-length command
to configure network prefixes in the IPv6 address pool view.
By default, no network prefix is configured in the IPv6 address pool view.
The DHCPv6 server determines the clients on network segments to which the server
assigns network configuration parameters from an address pool based on the configured
network prefixes.
Step 4 (Optional) Run:
static-bind address ipv6-address duid client-duid [ iaid iaid ] [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite } ]

The IPv6 address is statically bound to the client DUID.


By default, no IPv6 address is bound to a client DUID in the address pool view.
To statically assign specified IPv6 addresses to some specific clients, specify the mapping
between IPv6 addresses and client DUIDs. When such a client requests an IPv6 address from
the DHCPv6 server, the device functioning as the DHCPv6 server assigns the specified IPv6
address to the client.
Configure the specified IPv6 addresses to be assigned only to the clients with specified
DUIDs.
Step 5 (Optional) Run:
excluded-address start-ipv6-address [ to end-ipv6-address ]

The range of the IPv6 addresses that cannot be automatically assigned is specified in the IPv6
address pool. If only one IPv6 address is not automatically assigned, you can specify only the
value of start-ipv6-address.
By default, all IPv6 addresses in the address pool can be automatically assigned to clients.
Step 6 (Optional) Run:
information-refresh time

The time is configured for updating configuration parameters assigned to clients through
stateless DHCPv6 address autoconfiguration.
By default, the time for updating IPv6 address pool configuration is 86400s (24 hours).
Step 7 (Optional) Run:
capwap-ac ipv6-address

The IPv6 address for the AC is configured.


By default, the AC's IPv6 address is not configured in the IPv6 address pool view.


In the AC+Fit AP scenario, the AC needs to establish connections with APs. The device
functioning as a DHCPv6 server can specify the AC's IPv6 address for an AP. The AP then
can connect to the specified AC. If the AC and AP are located in the same network segment,
this step is optional because the AP will send a broadcast packet to automatically discover the
AC. If the AC and AP are located in different network segments, this step is mandatory.

----End

9.6.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool

Context
To successfully connect DHCPv6 clients to the Internet, the DHCPv6 server needs to specify
network service configurations such as the DNS server address and SIP server address when
assigning IPv6 addresses to the clients. The DHCPv6 server dynamically allocates carrier-
assigned configurations such as the DNS server address and SIP server address to DHCPv6
clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.

By default, no IPv6 address pool is created on the device.

Step 3 In the IPv6 address pool view, run one or more of the following commands to configure
network server addresses.
• Run the dns-server ipv6-address command to configure the DNS server address for the
DHCPv6 address pool.
• Run the dns-domain-name dns-domain-name command to configure the DNS domain
name suffix allocated by the DHCPv6 server to the client.
• Run the sip-server ipv6-address command to configure the SIP server IPv6 address for the
DHCPv6 address pool.
• Run the sip-domain-name sip-domain-name command to configure the SIP domain name
suffix allocated by the DHCPv6 server to the client.
• Run the nis-server ipv6-address command to configure the NIS server IPv6 address for the
DHCPv6 address pool.
• Run the nis-domain-name nis-domain-name command to configure the NIS domain name
suffix allocated by the DHCPv6 server to the client.
• Run the nisp-server ipv6-address command to configure the NISP server IPv6 address for
the DHCPv6 address pool.
• Run the nisp-domain-name nisp-domain-name command to configure the NISP domain
name suffix allocated by the DHCPv6 server to the client.
• Run the sntp-server ipv6-address command to configure the SNTP server IPv6 address for
the DHCPv6 address pool.

By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6
address pool.

----End

9.6.4 (Optional) Configuring the Options of an IPv6 Address Pool

Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined
Option field, the client can obtain the configuration information in the Option field of the
DHCPv6 reply packet from the server when a DHCPv6 client applies for an IPv6 address.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.

By default, no IPv6 address pool is created on the device.

Step 3 Run:
vendor-specific vendor-id

Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.

By default, no vendor-defined option is configured. A maximum of eight vendor-defined
options can be configured for one IPv6 address pool.

vendor-id indicates the vendor identifier ID, which is assigned by the IANA. The identifier ID
of Huawei is 2011.

Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string |
hex hex-string }

Vendor-defined DHCPv6 sub-options are configured in the vendor-defined mode view.

A maximum of 16 vendor-defined sub-options can be configured in the vendor-defined mode
view.

----End


9.6.5 (Optional) Configuring the DHCPv6 Data Saving Function

Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the
DHCPv6 data saving function to prevent data loss caused by device faults. After the DHCPv6
data saving function is enabled, the device periodically saves DHCPv6 data. The data includes
the last data recording time, address pool name, client DUID, IAID, address and prefix bound
to the client DUID and IAID, conflicted address, and address detection time.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcpv6 server database url [ write-delay interval ]

The DHCPv6 data saving function is configured.

By default, the DHCPv6 data saving function is disabled.

You can specify write-delay to modify the DHCPv6 data saving interval. By default, the
device saves DHCPv6 data every 86400 seconds.

----End

9.6.6 Enabling the DHCPv6 Server Function

Context
When the device functions as a DHCPv6 server, the DHCPv6 server function can be enabled
in the system view or interface view.
• Enable the DHCPv6 server function in the interface view.
Enable the DHCPv6 server function and specify the IPv6 address pool on the interface
that connects the device to the DHCPv6 clients. After receiving the DHCPv6 request
packets sent by the clients from the interface, the device assigns configuration
parameters such as IPv6 addresses or DNS server addresses to the DHCPv6 clients from
the IPv6 address pool bound to the interface.
– If the DHCPv6 server and DHCPv6 clients are in the same link scope (that is, no
DHCPv6 relay exists), configuration parameters such as IPv6 addresses or DNS
server addresses are assigned to the DHCPv6 clients on the interface of the
DHCPv6 server.
– If the DHCPv6 server and DHCPv6 clients are in different link scopes (that is, a
DHCPv6 relay exists), configuration parameters such as IPv6 addresses or DNS
server addresses are assigned to the DHCPv6 clients in one network segment
connected to the DHCPv6 relay.


NOTE

• Only one IPv6 address pool can be specified on an interface.
• If the DHCPv6 server function is enabled in the interface view, the configuration information only
takes effect on the interface.

• Enable the DHCPv6 server function in the system view.
The DHCPv6 server and DHCPv6 clients are in different link scopes (that is, the
DHCPv6 relay exists). If the DHCPv6 server function is enabled in the interface view,
configuration parameters such as IPv6 addresses are assigned only to the clients in one
network segment connected to the DHCPv6 relay, because only one IPv6 address pool
can be specified on an interface. If configuration parameters such as IPv6 addresses need
to be assigned to the DHCPv6 clients in multiple network segments through the
DHCPv6 relay, enable the DHCPv6 server function in the system view.
The configuration method of enabling the DHCPv6 server function in the interface view
is affected by the physical interface status. If the interface status is Down, the DHCPv6
server cannot successfully assign network configuration parameters to clients through the
DHCPv6 relay. When the DHCPv6 server function is enabled in the system view and
there are multiple reachable routes between the DHCPv6 relay and DHCPv6 server,
configuration parameters such as IPv6 addresses can be assigned to clients through the
DHCPv6 relay as long as one route between the DHCPv6 relay and DHCPv6 server is
reachable. This improves reliability of the configuration information obtained by the
clients. In addition, no configuration is required on the interface, which reduces the
administrator's maintenance workload.
NOTE

• If the DHCPv6 server function is enabled in the system view, the configuration information takes
effect on all interfaces of the device.
• If the DHCPv6 server function is enabled concurrently in the system view and interface view, the
configuration in the interface view takes precedence over that in the system view.

Procedure
• Enable the DHCPv6 server function in the interface view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 function is enabled globally.


d. Run:
interface interface-type interface-number

The interface view is displayed.


e. Run:
ipv6 enable

The IPv6 service is enabled on the interface.


f. Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The global unicast IPv6 address is configured for the interface.


g. Run:
dhcpv6 server pool-name [ allow-hint | preference preference-value
| rapid-commit | unicast ] *

The DHCPv6 server function is enabled on the interface.

By default, the DHCPv6 server function is disabled in the interface view.


• Enable the DHCPv6 server function in the system view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 function is enabled globally.


d. Run:
dhcpv6 server { allow-hint | preference preference-value | rapid-commit
| unicast } *

The DHCPv6 server function is enabled in the system view.

By default, the DHCPv6 server function is disabled in the system view.

When functioning as a DHCPv6 server, the device may be configured with multiple
IPv6 address pools. After receiving the DHCPv6 request packets, the DHCPv6
server chooses the IPv6 address pool based on the following rules:

▪ If a relay exists, the server chooses the address pool that belongs to the same
link scope as the configured network prefix (using the link-address
command) or IPv6 address prefix (using the address prefix command) based
on the first link-address field that is not 0. The link-address field identifies the
link scope of the DHCPv6 clients.
▪ If no relay exists, the device that functions as the DHCPv6 server only assigns
configuration parameters to clients in DHCPv6 stateless mode. This indicates
that the DHCPv6 server only assigns configuration parameters excluding IPv6
addresses and including DNS, NIS, and SNTP servers, and the IPv6 addresses
for clients are automatically generated based on the Router Advertisement (RA)
packets. To enable the DHCPv6 server to assign network parameters in
DHCPv6 stateful mode, enable the DHCPv6 server function in the interface
view.

----End


Follow-up Procedure
For clients (such as PCs) that automatically obtain IPv6 addresses based on IPv6 RA packets
by default, flags in RA messages need to be configured on the client gateways so that the
clients can obtain IPv6 addresses using DHCPv6.
• When the DHCPv6 relay does not exist and the device functions as the client gateway:
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number

The interface view is displayed.


c. Run:
undo ipv6 nd ra halt

The RA packet sending function is enabled on the device.


By default, the RA packet sending function is disabled.
d. Run:
ipv6 nd autoconfig managed-address-flag

The managed address configuration flag (M flag) of stateful auto-configuration in
an RA packet is configured.
By default, the M flag in the RA packet is not configured.
e. Run:
ipv6 nd autoconfig other-flag

The other flag (O flag) of stateful auto-configuration in an RA packet is configured.


By default, the O flag in the RA packet is not configured.
After the M flag and O flag of stateful autoconfiguration in the RA packet are
configured, the client can obtain an IPv6 address using DHCPv6.
• When the DHCPv6 relay exists and functions as the client gateway, the configuration
needs to be performed on the DHCPv6 relay device. Perform configuration based on the
preceding steps.
NOTE
When the device functions as the DHCPv6 client, flags in RA messages do not need to be configured
on gateways. You can run the ipv6 address auto dhcp command to configure the clients to
automatically obtain IPv6 addresses and other network configuration parameters using DHCPv6.

9.6.7 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded

Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.
After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
By default, DHCP is disabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.


By default, the alarm function of DHCPv6 messages discarded is disabled.
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

An alarm threshold is set for the number of DHCPv6 messages discarded when the DHCPv6
message rate exceeds the rate threshold.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.

----End

9.6.8 Checking the Configuration

Procedure
• Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on
the network.
• Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
[ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
IPv6 address pool configurations.
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
----End

9.7 Configuring a DHCPv6 PD Server


You can configure a DHCPv6 PD server to dynamically assign configuration information
such as IPv6 addresses to DHCPv6 PD clients.


Pre-configuration Tasks
Before configuring the DHCPv6 PD server, complete the following tasks:
• Ensuring that the link between the DHCPv6 client and the industrial switch router works
properly and the DHCPv6 client can communicate with the industrial switch router
• (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
the industrial switch router and DHCPv6 relay agent or client

Configuration Logic
The configuration tasks are performed in sequence.

9.7.1 Configuring the DHCPv6 DUID

Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.

----End

9.7.2 Configuring an IPv6 PD Address Pool

Context
IPv6 PD address pool refers to an IPv6 address pool used by a DHCPv6 server to assign IPv6
address prefixes to DHCPv6 clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 PD address pool is created and the address pool view is displayed.
By default, no IPv6 PD address pool is created on the device.
Step 3 Run:
prefix-delegation ipv6-prefix/ipv6-prefix-length assign-prefix-length [ life-time
{ valid-lifetime | infinite } { preferred-lifetime | infinite }]

An IPv6 address prefix agent is bound to the IPv6 address pool.


By default, no IPv6 address prefix agent is bound to the IPv6 address pool.
Step 4 (Optional) Run:
link-address ipv6-prefix/ipv6-prefix-length

The network prefix is configured in the IPv6 address pool.


By default, no network prefix is configured in the IPv6 address pool view.
To enable the DHCPv6 PD server function in the system view, you must perform this step
so that the device can determine the network segment whose clients are assigned IPv6
address prefixes from the PD address pool.
Step 5 (Optional) Run:
static-bind prefix ipv6-prefix/ipv6-prefix-length duid client-duid [ iaid iaid-
value ] [ life-time { valid-lifetime | infinite } { preferred-lifetime |
infinite } ]

An IPv6 address prefix agent is statically bound to the DHCPv6 PD client in the address pool
view.
By default, no IPv6 address prefix agent is bound to the DHCPv6 PD client.
To statically assign specified IPv6 address prefixes to some specific clients, specify the
mapping between IPv6 address prefixes and client DUIDs. When such a client requests an
IPv6 address from the DHCPv6 PD server, the device functioning as the DHCPv6 PD server
assigns the specified IPv6 address to the client.
Configure the specified IPv6 address prefixes to be assigned only to the clients with specified
DUIDs.

----End

9.7.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool

Context
To successfully connect DHCPv6 clients to the Internet, the DHCPv6 server needs to specify
network service configurations such as the DNS server address and SIP server address when
assigning IPv6 addresses to the clients. The DHCPv6 server dynamically allocates carrier-
assigned configurations such as the DNS server address and SIP server address to DHCPv6
clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 In the IPv6 address pool view, run one or more of the following commands to configure
network server addresses.
• Run the dns-server ipv6-address command to configure the DNS server address for the
DHCPv6 address pool.
• Run the dns-domain-name dns-domain-name command to configure the DNS domain
name suffix allocated by the DHCPv6 server to the client.
• Run the sip-server ipv6-address command to configure the SIP server IPv6 address for the
DHCPv6 address pool.
• Run the sip-domain-name sip-domain-name command to configure the SIP domain name
suffix allocated by the DHCPv6 server to the client.
• Run the nis-server ipv6-address command to configure the NIS server IPv6 address for the
DHCPv6 address pool.
• Run the nis-domain-name nis-domain-name command to configure the NIS domain name
suffix allocated by the DHCPv6 server to the client.
• Run the nisp-server ipv6-address command to configure the NISP server IPv6 address for
the DHCPv6 address pool.
• Run the nisp-domain-name nisp-domain-name command to configure the NISP domain
name suffix allocated by the DHCPv6 server to the client.
• Run the sntp-server ipv6-address command to configure the SNTP server IPv6 address for
the DHCPv6 address pool.
By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6
address pool.

----End

9.7.4 (Optional) Configuring the Options of an IPv6 Address Pool

Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined
Option field, the client can obtain the configuration information in the Option field of the
DHCPv6 reply packet from the server when a DHCPv6 client applies for an IPv6 address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:

dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.

By default, no IPv6 address pool is created on the device.

Step 3 Run:
vendor-specific vendor-id

Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.

By default, no vendor-defined option is configured. A maximum of eight vendor-defined
options can be configured for one IPv6 address pool.

vendor-id indicates the vendor ID, which is assigned by the IANA. The vendor ID of Huawei
is 2011.

Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string |
hex hex-string }

Vendor-defined DHCPv6 sub-options are configured in the vendor-defined mode view.

A maximum of 16 vendor-defined sub-options can be configured in the vendor-defined mode
view.

----End

9.7.5 (Optional) Configuring the DHCPv6 Data Saving Function

Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the
DHCPv6 data saving function to prevent data loss caused by device faults. After the DHCPv6
data saving function is enabled, the device periodically saves DHCPv6 data. The data includes
the last data recording time, address pool name, client DUID, IAID, address and prefix bound
to the client DUID and IAID, conflicted address, and address detection time.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcpv6 server database url [ write-delay interval ]

The DHCPv6 data saving function is configured.

By default, the DHCPv6 data saving function is disabled.

You can specify write-delay to modify the DHCPv6 data saving interval. By default, the
device saves DHCPv6 data every 86400 seconds.

----End

9.7.6 Enabling the DHCPv6 PD Server Function

Context
When the device functions as a DHCPv6 PD server, the DHCPv6 server function can be
enabled in the system view or interface view.
• Enable the DHCPv6 PD server function in the interface view.
  Enable the DHCPv6 PD server function and specify the IPv6 PD address pool on the
  interface that connects the device to the DHCPv6 clients. After receiving the DHCPv6
  request packets sent by the clients from the interface, the device assigns configuration
  parameters such as IPv6 address prefixes or DNS server addresses to the DHCPv6
  clients from the IPv6 address pool bound to the interface.
  – If the DHCPv6 PD server and DHCPv6 PD clients are in the same link scope (that
    is, no DHCPv6 relay exists), configuration parameters such as IPv6 address prefixes
    or DNS server addresses are assigned to the DHCPv6 PD clients on the interface of
    the DHCPv6 PD server.
  – If the DHCPv6 PD server and DHCPv6 PD clients are in different link scopes (that
    is, a DHCPv6 relay exists), configuration parameters such as IPv6 address prefixes
    or DNS server addresses are assigned to the DHCPv6 PD clients in one network
    segment connected to the DHCPv6 relay.
  NOTE
  • Only one IPv6 PD address pool can be specified on an interface.
  • If the DHCPv6 PD server function is enabled in the interface view, the configuration information
    only takes effect on the interface.
• Enable the DHCPv6 PD server function in the system view.
  The DHCPv6 PD server and DHCPv6 PD clients are in different link scopes and a
  DHCPv6 relay exists. If the DHCPv6 PD server function is enabled in the interface view,
  configuration parameters such as IPv6 address prefixes are assigned only to the clients in
  one network segment connected to the DHCPv6 relay, because only one IPv6 PD address
  pool can be specified on an interface. If configuration parameters such as IPv6 address
  prefixes need to be assigned to the DHCPv6 PD clients in multiple network segments
  through the DHCPv6 relay, enable the DHCPv6 PD server function in the system view.
  The configuration method of enabling the DHCPv6 PD server function in the interface
  view is affected by the physical interface status. If the interface status is Down, the
  DHCPv6 PD server cannot successfully assign network configuration parameters to
  clients through the DHCPv6 relay. If the DHCPv6 PD server function is enabled in the
  system view and there are multiple reachable routes between the DHCPv6 relay and
  DHCPv6 PD server, configuration parameters such as IPv6 address prefixes can be
  assigned to clients through the DHCPv6 relay as long as one route between the DHCPv6
  relay and DHCPv6 PD server is reachable. This improves reliability of the configuration
  information obtained by the clients. In addition, no configuration is required on the
  interface, which reduces the administrator's maintenance workload.
  NOTE
  • If the DHCPv6 PD server function is enabled in the system view, the configuration information
    takes effect on all interfaces of the device.
  • If the DHCPv6 PD server function is enabled concurrently in the system view and interface view,
    the configuration in the interface view takes precedence over that in the system view.

Procedure
• Enable the DHCPv6 PD server function in the interface view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 function is enabled globally.


d. Run:
interface interface-type interface-number

The interface view is displayed.


e. Run:
ipv6 enable

The IPv6 service is enabled on the interface.


f. Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The global unicast IPv6 address is configured for the interface.


g. Run:
dhcpv6 server pool-name [ allow-hint | preference preference-value
| rapid-commit | unicast ] *

The DHCPv6 PD server function is enabled on the interface.

By default, the DHCPv6 PD server function is disabled in the interface view.


• Enable the DHCPv6 PD server function in the system view.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 function is enabled globally.


d. Run:
dhcpv6 server { allow-hint | preference preference-value | rapid-
commit | unicast } *

The DHCPv6 PD server function is enabled in the system view.

By default, the DHCPv6 PD server function is disabled in the system view.

When functioning as a DHCPv6 PD server, the device may be configured with
multiple IPv6 address pools. After receiving the DHCPv6 request packets, the
DHCPv6 server chooses the IPv6 PD address pool based on the following rules:
▪ If a relay exists, the server takes the first link-address field that is not 0
and chooses the address pool whose network prefix (configured using the
link-address command) is in the same link scope. The link-address field
identifies the link scope of the DHCPv6 clients.
▪ If no relay exists, the DHCPv6 PD server function cannot be enabled in the
system view.

----End
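The pool-selection rule above, modelled as an added example (not Huawei's code). Assumptions: the link-address fields are passed in the order the server inspects them, the pool names and prefixes are constructed, and the longest matching prefix wins when several pools match.

```python
import ipaddress


def select_pd_pool(link_addresses, pools):
    """Return the name of the PD pool that serves a relayed request, or None.

    link_addresses: link-address fields of the Relay-Forward headers, in the
                    order the server inspects them (assumed to be the caller's).
    pools:          {pool_name: prefix set with the link-address command, or
                     None when the pool has no link-address configured}
    """
    # Rule from the text: use the first link-address field that is not 0.
    link = None
    for raw in link_addresses:
        addr = ipaddress.IPv6Address(raw)
        if not addr.is_unspecified:
            link = addr
            break
    if link is None:
        # No relay header, or every relay left the field at 0: there is no
        # link scope to match a system-view pool against.
        return None

    best = None
    for name, prefix in pools.items():
        if prefix is None:
            continue  # a pool without link-address cannot be matched
        net = ipaddress.IPv6Network(prefix)
        # Assumption: prefer the most specific matching prefix.
        if link in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else None


def overlapping_pools(pools):
    """List pool pairs whose link-address prefixes overlap.

    Overlaps make the selected pool depend on a tie-break, so they are worth
    flagging when reviewing a configuration.
    """
    nets = [(n, ipaddress.IPv6Network(p)) for n, p in pools.items() if p]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


# Constructed pools: two sites behind relays and one pool with no link-address.
POOLS = {
    "pd-site-a": "2001:db8:1::/64",
    "pd-site-b": "2001:db8:2::/64",
    "pd-unbound": None,
}

if __name__ == "__main__":
    # The outer relay left link-address at 0; the next header names site A.
    print(select_pd_pool(["::", "2001:db8:1::1"], POOLS))
    print(overlapping_pools(POOLS))
```
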

9.7.7 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded

Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.

After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.

By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.

Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.

By default, the alarm function of DHCPv6 messages discarded is disabled.

Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

An alarm threshold is set for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold.
By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.

----End

9.7.8 Checking the Configuration

Procedure
• Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on
the network.
• Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
[ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
IPv6 address pool configurations.
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
----End

9.8 Configuring a DHCPv6 Relay Agent


A DHCPv6 relay agent enables the DHCPv6 client and server on different links to exchange
DHCPv6 messages. The DHCPv6 relay agent forwards DHCP messages to the destination
DHCPv6 server on a different network segment. DHCPv6 clients on multiple networks can
share one DHCPv6 server.

Pre-configuration Tasks
Before configuring the DHCPv6 relay agent, complete the following tasks:
• Configuring the peer DHCPv6 server or DHCPv6 PD server
• Configuring a route from the industrial switch router to the DHCPv6 server or DHCPv6
PD server

9.8.1 Configuring the DHCPv6 DUID

Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.

----End

9.8.2 Configuring the DHCPv6 Relay Function

Context
The device supports the following methods of configuring the DHCPv6 relay function:
• Configure an IPv6 address for a DHCPv6 server or next-hop relay on an interface. This
method applies to the scenario in which the peer of the DHCPv6 relay is connected to
one DHCPv6 server or next-hop relay.
• Bind a DHCPv6 server group to an interface. The detailed procedure is as follows:
Create a DHCPv6 server group in the system view, add IPv6 addresses of multiple
DHCPv6 servers or next-hop relays to the DHCPv6 server group, and specify the
DHCPv6 server group for the DHCPv6 relay on an interface. This method applies to the
scenario in which the peer of the DHCPv6 relay is connected to multiple DHCPv6
servers or next-hop relays. In this way, the DHCPv6 relay can flexibly select and
uniformly manage the DHCPv6 servers or next-hop relays.
Multiple DHCPv6 relays can be connected between the DHCPv6 client and server. If the
device functions as a DHCPv6 relay and the peer is connected to the DHCPv6 server, you
must specify the IPv6 address for the DHCPv6 server when enabling the DHCPv6 relay. If the
peer is connected to the next-hop relay, you must specify the IPv6 address for the next-hop
relay and specify the IPv6 address for the peer DHCPv6 server or next-hop relay on the next-
hop relay.

Procedure
• Configure an IPv6 address for a DHCPv6 server or next-hop relay on an interface.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 packet forwarding function is enabled.


d. Run:
interface interface-type interface-number

The interface view is displayed.


e. Run:
ipv6 enable

The IPv6 packet forwarding function is enabled.


f. Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The IPv6 address for the interface is configured.


g. Run:
dhcpv6 relay destination ipv6-address

The DHCPv6 relay function is enabled on the interface, and the IPv6 address for the
DHCPv6 server or next-hop relay is configured.
By default, the DHCPv6 relay function is disabled on an interface.
The configured IPv6 address is a global unicast address or unique local address.
The device finds the route and sends relay packets to the configured IPv6 address.
If the peer of the DHCPv6 relay is connected to multiple DHCPv6 servers or next-
hop relays, you must repeat this step. The device supports a maximum of eight
DHCPv6 servers or next-hop relays.
• Bind a DHCPv6 server group to an interface.
a. Run:
system-view

The system view is displayed.


b. Run:
dhcp enable

The DHCP service is enabled.


c. Run:
ipv6

The IPv6 packet forwarding function is enabled.


d. Run:
dhcpv6 server group group-name

The DHCPv6 server group is created.


By default, no DHCPv6 server group is created.
e. Run:
dhcpv6-server ipv6-address

The member address of the DHCPv6 server or next-hop relay is added to the
DHCPv6 server group.
By default, no DHCPv6 server or next-hop relay member is configured in the
DHCPv6 server group.
If the peer of the DHCPv6 relay is connected to multiple DHCPv6 servers or next-
hop relays, you must repeat this step. The device supports a maximum of 20
DHCPv6 servers or next-hop relays.
f. Run:
quit

Return to the system view.


g. Run:

interface interface-type interface-number

The interface view is displayed.


h. Run:
ipv6 enable

The IPv6 packet forwarding function is enabled.


i. Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The IPv6 address for the interface is configured.


j. Run:
dhcpv6 relay server-select group-name

The DHCPv6 server group is specified for the DHCPv6 relay.


By default, no DHCPv6 server group is specified.
----End

9.8.3 (Optional) Configuring DHCPv6 Relay Options


Context
Some DHCPv6 servers can allocate IPv6 addresses and other network parameters to clients
according to the client location information. The DHCPv6 protocol defines the Interface-ID
option and Remote-ID option that can record the client location information, including the
inbound interface on the device that receives DHCPv6 Request packets and DUID
information of clients. If the device functions as a DHCPv6 relay agent, the Interface-ID
option or Remote-ID option can be added in DHCPv6 packets.
After the Interface-ID option or Remote-ID option is configured to be added in DHCPv6
packets, the device adds the Interface-ID option or Remote-ID option in DHCPv6 Request
packets sent by clients according to the configuration, constructs Relay-Forward packets, and
sends the packets to the DHCPv6 server. The DHCPv6 server allocates IPv6 addresses and
other network parameters to clients according to the options, and sends Relay-Reply packets
to the DHCPv6 relay agent. After receiving the Relay-Reply packets, the DHCPv6 relay agent
removes the Interface-ID option or Remote-ID option, and forwards the packets to clients or
other relay agents.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run the following commands to configure the format of the Interface-ID option or
Remote-ID option.
1. Run:
dhcpv6 interface-id format { default | user-defined text }

The Interface-ID option format in DHCPv6 packets is configured.


By default, the Interface-ID option format in DHCPv6 packets is default, that is,
%04svlan.%04cvlan.%mac:%portname.

If the user-defined parameter is specified, you can define the option format using the
following defining methods:
– Keyword defining method: You can define the format according to keywords
supported by the self-defined format. For example, you can define the format as
%sysname %svlan when you need to record the name of the device that users
connect to and the outer VLAN that users belong to. If the name of the device that
users connect to is HUAWEI and the outer VLAN that users belong to is 100, the
user location information recorded in the Interface-ID option is HUAWEI 100.
[Huawei] dhcpv6 interface-id format user-defined "%sysname %svlan"

– Common character string defining method: The Interface-ID option can be defined
as a character string. For example, if all users connected to the interface are in an
office building named N8, you can define the content of the Interface-ID option as
N8.
[Huawei] dhcpv6 interface-id format user-defined "N8"

– Mixed defining method: The Interface-ID option format is defined based on
keywords and common character strings. For example, the Interface-ID option
format can be defined as %sysname N8.
[Huawei] dhcpv6 interface-id format user-defined "%sysname N8"

2. Run:
dhcpv6 remote-id format { default | user-defined text }

The Remote-ID option format in DHCPv6 packets is configured.


By default, the Remote-ID option format in DHCPv6 packets is default, that is, %duid
%portname:%04svlan.%04cvlan.
The configuration of the self-defined option format is the same as that of the Interface-ID
option.
By default, the device adds the Interface-ID option in DHCPv6 packets. If the Remote-
ID option needs to be added, run the following commands to enable the function of
adding the Remote-ID option in DHCPv6 packets.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
dhcpv6 remote-id insert enable

The function of adding the Remote-ID option in DHCPv6 packets is enabled.


By default, the function of adding the Remote-ID option in DHCPv6 packets is disabled.

----End
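What the server receives after the relay has added these options, shown as an added example (not part of the Huawei guide): a parser that walks nested Relay-Forward messages and extracts the link-address, Interface-ID and Remote-ID of each hop. The message and option codes are from RFC 8415 and RFC 4649; the sample packet, its addresses, the option strings and the use of enterprise number 2011 in the Remote-ID are constructed assumptions.

```python
import ipaddress
import struct

RELAY_FORW = 12        # DHCPv6 message type Relay-Forward (RFC 8415)
OPT_RELAY_MSG = 9      # Relay Message option: carries the encapsulated message
OPT_INTERFACE_ID = 18  # Interface-ID option
OPT_REMOTE_ID = 37     # Remote-ID option (RFC 4649): enterprise number + id


def tlv(code, value):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(value)) + value


def build_relay_forward(hop_count, link, peer, inner,
                        interface_id=None, remote_id=None):
    """Build a Relay-Forward message (only used to construct the sample)."""
    msg = bytes([RELAY_FORW, hop_count])
    msg += ipaddress.IPv6Address(link).packed
    msg += ipaddress.IPv6Address(peer).packed
    if interface_id is not None:
        msg += tlv(OPT_INTERFACE_ID, interface_id.encode("ascii"))
    if remote_id is not None:
        enterprise, text = remote_id
        msg += tlv(OPT_REMOTE_ID,
                   struct.pack("!I", enterprise) + text.encode("ascii"))
    return msg + tlv(OPT_RELAY_MSG, inner)


def iter_options(buf):
    """Yield (code, value) per option; reject truncated or oversized TLVs."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds message")
        yield code, buf[off:off + length]
        off += length


def parse_relay_chain(msg, max_depth=32):
    """Return (hops, client_message); hops run from outermost to innermost."""
    hops = []
    while msg and msg[0] == RELAY_FORW:
        if len(hops) >= max_depth:
            raise ValueError("too many nested Relay-Forward messages")
        if len(msg) < 34:
            raise ValueError("truncated Relay-Forward header")
        hop = {
            "hop_count": msg[1],
            "link_address": str(ipaddress.IPv6Address(msg[2:18])),
            "peer_address": str(ipaddress.IPv6Address(msg[18:34])),
            "interface_id": None,
            "remote_id": None,
        }
        inner = None
        for code, value in iter_options(msg[34:]):
            if code == OPT_RELAY_MSG:
                inner = value
            elif code == OPT_INTERFACE_ID:
                hop["interface_id"] = value.decode("ascii", "replace")
            elif code == OPT_REMOTE_ID:
                if len(value) < 4:
                    raise ValueError("Remote-ID shorter than enterprise number")
                enterprise = struct.unpack("!I", value[:4])[0]
                hop["remote_id"] = (enterprise,
                                    value[4:].decode("ascii", "replace"))
        if inner is None:
            raise ValueError("Relay-Forward without Relay Message option")
        hops.append(hop)
        msg = inner
    return hops, msg


# Constructed sample: a Solicit (type 1) relayed twice. The first-hop relay
# uses the user-defined formats "%sysname %svlan" and "%sysname N8" with
# sysname HUAWEI and outer VLAN 100; the second relay sets link-address to 0.
CLIENT_MSG = bytes([1, 0xAB, 0xCD, 0xEF])
FIRST_HOP = build_relay_forward(0, "2001:db8:1::1", "fe80::1", CLIENT_MSG,
                                interface_id="HUAWEI 100",
                                remote_id=(2011, "HUAWEI N8"))
SAMPLE_RELAY_FORWARD = build_relay_forward(1, "::", "2001:db8:1::1", FIRST_HOP)

if __name__ == "__main__":
    for hop in parse_relay_chain(SAMPLE_RELAY_FORWARD)[0]:
        print(hop)
```
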

9.8.4 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded

Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.

After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.

By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.

Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.

By default, the alarm function of DHCPv6 messages discarded is disabled.

Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

An alarm threshold is set for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold.

By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.

----End

9.8.5 Checking the Configuration

Procedure
• Run the display dhcpv6 relay [ interface interface-type interface-number ] command to
check the interface configuration of the DHCPv6 relay agent function.
• Run the display dhcpv6 server group [ group-name ] command to check the
configuration of the DHCPv6 server group.
• Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check the packet statistics of the DHCPv6 relay agent function.

----End

9.9 Configuring a DHCPv6 Client


When the DHCPv6 client function is configured on the device, the device dynamically
obtains IPv6 addresses and other network configuration parameters from the DHCPv6 server.

Pre-configuration Tasks
Before configuring the DHCPv6 client function, complete the following tasks:
• Configuring a DHCPv6 server
• Configuring the DHCPv6 relay agent as service requires
• Configuring the industrial switch router between the router and DHCPv6 relay agent or
server

9.9.1 Enabling the DHCPv6 Client Function

Context
When the DHCPv6 client function is configured on the WAN-side Layer 3 interface or sub-
interface of the industrial switch router, the industrial switch router dynamically obtains IPv6
addresses and other configuration parameters from the DHCPv6 server. This operation
facilitates user configurations and management.

Procedure
Step 1 Configure IPv6 functions on interfaces.
1. Run:
system-view

The system view is displayed.


2. Run:
ipv6

The device is enabled to forward IPv6 unicast packets.


By default, the device is disabled from forwarding IPv6 unicast packets.
3. Run:
interface interface-type interface-number

The interface view is displayed.


4. Run:
ipv6 enable

IPv6 is enabled on the interface.


By default, IPv6 is disabled on an interface.
5. Run:
ipv6 address auto link-local or ipv6 address ipv6-address link-local

The link-local address is configured automatically or manually on the interface.


By default, no link-local address is configured for an interface.

Step 2 Configure the DHCPv6 client to request an IPv6 address


1. Run:
system-view

The system view is displayed.


2. Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.
3. Run:
dhcp enable

The DHCP function is enabled on the device.


By default, DHCP is disabled.
4. Run:
interface interface-type interface-number

The interface view is displayed.


WAN-side Layer 3 interfaces and Layer 3 sub-interfaces on the industrial switch router
can work in DHCP client mode.
5. Run:
ipv6 address auto dhcp [ rapid-commit ]

The DHCPv6 client is enabled and stateful DHCPv6 address autoconfiguration is used to
assign an IPv6 address and other configuration parameters (IPv6 addresses of the DNS
server and SNTP server) to the client.
Or run:
dhcpv6 client information-request

The DHCPv6 client is enabled and stateless DHCPv6 address autoconfiguration is used
to assign configuration parameters (not including IPv6 addresses) to the client.
By default, stateless or stateful DHCPv6 address autoconfiguration is not used on an
interface to assign IPv6 addresses and other configuration parameters.
The server can use the two-message exchange method to assign IPv6 addresses and
other configuration parameters to clients only when two-message exchange is enabled on
the DHCPv6 clients and server. Otherwise, the server assigns IPv6 addresses and other
configuration parameters to the clients using the four-message exchange method.
To modify the DHCPv6 address autoconfiguration mode, you must disable the original
mode. For example, the DHCPv6 client is enabled to use the stateful DHCPv6 address
autoconfiguration mode to obtain an IPv6 address and other network configuration
parameters including the IPv6 addresses of the DNS and SNTP servers. To enable the
DHCPv6 client to use the stateless DHCPv6 address autoconfiguration mode to obtain
network configuration parameters (excluding IPv6 addresses), run the undo ipv6
address auto dhcp command to disable stateful DHCPv6 address autoconfiguration and
then run the dhcpv6 client information-request command to enable stateless DHCPv6
address autoconfiguration.

----End

Checking the Configuration


• Run the display dhcpv6 client [ interface interface-type interface-number ] command
to check the DHCPv6 client configurations.

9.9.2 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded

Context
To prevent clients from sending a large number of messages to attack the device, the device
limits the rate of DHCPv6 messages.

After rate limit of DHCPv6 messages is enabled, the DHCPv6 messages are discarded when
the rate threshold is exceeded. After the alarm function of DHCPv6 messages discarded is
enabled, the device sends alarms when the number of discarded DHCPv6 messages exceeds
the threshold.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.

By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.

Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.

By default, the alarm function of DHCPv6 messages discarded is disabled.

Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

An alarm threshold is set for the number of discarded DHCPv6 messages when the DHCPv6
message rate exceeds the rate threshold.

By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.

----End
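Because the rate limit and the drop alarm are both disabled by default, a saved configuration can be checked for them offline. The following added example (not a Huawei tool) audits configuration text for the commands from sections 9.7.7, 9.8.4 and 9.9.2; the two sample configurations, the interface name and the numeric values are constructed, and the saved-configuration layout is an assumption.

```python
import re

# Commands from this chapter that put the device in a DHCPv6 role. The
# "dhcpv6 server group" and "dhcpv6 server database" commands are excluded
# because they do not enable the server function themselves.
ROLE_PATTERNS = {
    "server": re.compile(r"^dhcpv6 server(?! (?:group|database)\b)"),
    "relay": re.compile(r"^dhcpv6 relay (?:destination|server-select)\b"),
    "client": re.compile(
        r"^(?:ipv6 address auto dhcp|dhcpv6 client information-request)\b"),
}
DEFAULT_ALARM_THRESHOLD = 100  # default stated in the guide


def audit_dhcpv6_rate_limit(config_text):
    """Report DHCPv6 roles in use and missing rate-limit or alarm settings."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "#"]

    roles = sorted(role for role, pat in ROLE_PATTERNS.items()
                   if any(pat.search(ln) for ln in lines))
    rate = threshold = None
    alarm = False
    for ln in lines:
        m = re.fullmatch(r"dhcpv6 packet-rate (\d+)", ln)
        if m:
            rate = int(m.group(1))
        elif ln == "dhcpv6 packet-rate drop-alarm enable":
            alarm = True
        else:
            m = re.fullmatch(r"dhcpv6 packet-rate drop-alarm threshold (\d+)", ln)
            if m:
                threshold = int(m.group(1))

    findings = []
    if roles:
        if "dhcp enable" not in lines:
            findings.append("dhcp enable is missing")
        if rate is None:
            findings.append("dhcpv6 packet-rate is not set: "
                            "DHCPv6 message rate limit is disabled")
        if not alarm:
            findings.append("dhcpv6 packet-rate drop-alarm enable is missing: "
                            "discarded messages raise no alarm")
    if alarm and threshold is None:
        threshold = DEFAULT_ALARM_THRESHOLD
    return {"roles": roles, "rate": rate, "alarm": alarm,
            "alarm_threshold": threshold if alarm else None,
            "findings": findings}


# Constructed sample: PD server enabled on an interface, defaults left as is.
WEAK_CONFIG = """
#
dhcp enable
#
ipv6
#
dhcpv6 pool pd-pool
 prefix-delegation 2001:db8:100::/40 48
 link-address 2001:db8:1::/64
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2001:db8:1::1/64
 dhcpv6 server pd-pool
#
"""

# Same device with the rate limit and drop alarm configured (values are
# constructed, not recommendations).
HARDENED_CONFIG = WEAK_CONFIG + """
dhcpv6 packet-rate 50
dhcpv6 packet-rate drop-alarm enable
dhcpv6 packet-rate drop-alarm threshold 200
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_dhcpv6_rate_limit(cfg))
```
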

9.10 Configuring a DHCPv6 PD Client


When the DHCPv6 PD client function is configured on the device, the device dynamically
obtains IPv6 address prefix and other network configuration parameters from the DHCPv6
PD server.

Pre-configuration Tasks
Before configuring the DHCPv6 PD client function, complete the following tasks:
• Configuring a DHCPv6 PD server
• Configuring the DHCPv6 relay agent as service requires
• Configuring the industrial switch router between the router and DHCPv6 relay agent or
PD server

9.10.1 Enabling the DHCPv6 PD Client Function

Context
When the WAN-side Layer 3 interface or sub-interface of the device is configured as the
DHCPv6 PD client, the client uses the DHCPv6 protocol to dynamically obtain an IPv6
address prefix from the DHCPv6 PD server. The downlink interface is bound to the obtained
IPv6 address prefix, so that the IPv6 address can be automatically generated for the user in
route advertising mode.

Procedure
Step 1 Configure the IPv6 function on the uplink interface.
1. Run:
system-view

The system view is displayed.


2. Run:
ipv6

The device is enabled to forward IPv6 unicast packets.


By default, the device is disabled from forwarding IPv6 unicast packets.
3. Run:
interface interface-type interface-number

The interface view is displayed.


4. Run:
ipv6 enable

IPv6 is enabled on the interface.


By default, IPv6 is disabled on an interface.
5. Configure a global unicast IPv6 address manually or automatically.
– Manually configuring a global unicast IPv6 address:

Run the ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
command to configure the global unicast IPv6 address for the interface.
– Automatically generating a global unicast IPv6 address:
i. Run the ipv6 address auto link-local or ipv6 address ipv6-address link-local
command to automatically or manually configure the link-local address on the
interface.
By default, no link-local address is configured for an interface.
ii. Run the ipv6 address auto global [ default ] command to enable the function
of automatically generating global unicast IPv6 addresses through stateless
autoconfiguration.
By default, the device is disabled from automatically generating global unicast
IPv6 addresses through stateless autoconfiguration.
NOTE

When the DHCPv6 PD client and server are located on the same network segment, you only need
to run the ipv6 address auto link-local or ipv6 address ipv6-address link-local command to
configure the link-local address on the interface.

Step 2 Configure the DHCPv6 PD client on the uplink interface.


1. Run:
system-view

The system view is displayed.


2. Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.

By default, the device generates a DUID based on the link-layer (LL) address.
3. Run:
dhcp enable

The DHCP function is enabled on the device.

By default, DHCP is disabled.


4. Run:
interface interface-type interface-number

The interface view is displayed.

WAN-side Layer 3 interfaces and Layer 3 sub-interfaces on the industrial switch router
can work in DHCP client mode.
5. Run:
dhcpv6 client pd prefix-name [ hint ipv6-prefix/ipv6-prefix-length ] [ rapid-commit ]

The DHCPv6 PD client is enabled.

By default, the DHCPv6 PD client is disabled.

You can specify the rapid-commit parameter to set the DHCPv6 PD client to request an
IPv6 address prefix using the two-message exchange. The server can use the two-message
exchange to assign an IPv6 address prefix to the client only when the two-message
exchange is enabled on both the DHCPv6 PD client and the server. Otherwise, the server
assigns the IPv6 address prefix to the client using the four-message exchange method.

----End

Checking the Configuration


Run the display dhcpv6 client prefix [ name prefix-name ] command to check the IPv6 address
prefix on the device that functions as the DHCPv6 PD client.

Follow-up Procedure
Bind the downlink interface to the obtained IPv6 address prefix and enable the downlink
interface to send RA packets, so that the IPv6 address can be automatically generated for the
user in route advertising mode.
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the interface view.
3. Run the ipv6 enable command to enable the IPv6 function on the interface.
By default, the IPv6 function is disabled on an interface.
4. Run the ipv6 address auto link-local or ipv6 address ipv6-address link-local command
to automatically or manually configure the link-local address on the interface.
By default, no link-local address is configured for an interface.
5. Run the ipv6 address dhcpv6-prefix { ipv6-address prefix-length | ipv6-address/prefix-length }
command to bind the interface to the IPv6 address prefix obtained by the
DHCPv6 PD client.
By default, the interface is not bound to the IPv6 address prefix obtained by the DHCPv6
PD client.
The value of prefix-length for the IPv6 address prefix bound to the interface must be
greater than the length of the prefix obtained by the DHCPv6 PD client; otherwise, the
interface cannot generate the global unicast IPv6 address based on the bound IPv6
address prefix, and the device records the log DHCP/4/DHCPv6_CHECK_PREFIX_LENGTH.
You can run the display dhcpv6 client prefix [ name prefix-name ] command to check
the length of the prefix obtained by the DHCPv6 PD client.
6. Run the undo ipv6 nd ra halt command to enable the interface to send RA packets.
By default, the interface is disabled from sending RA packets.
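
The prefix-length rule in step 5 can be checked before the binding is committed. The following Python sketch is an added example, not code from this guide or from the device; it assumes that the leading bits of the interface address come from the delegated prefix and the remaining bits from the configured ipv6-address, and the function names and the second downlink interface are hypothetical.

```python
import ipaddress


def bind_delegated_prefix(delegated, configured):
    """Return the interface address obtained by binding `configured`
    (the ipv6-address/prefix-length argument) to a delegated prefix.

    Assumption of this example: the leading bits are taken from the
    delegated prefix, all remaining bits from the configured address.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    iface = ipaddress.IPv6Interface(configured)
    bound_len = iface.network.prefixlen
    # Rule from the guide: the bound prefix-length must be greater than the
    # length of the prefix obtained by the DHCPv6 PD client.
    if bound_len <= pd.prefixlen:
        raise ValueError(
            f"prefix-length {bound_len} is not greater than delegated "
            f"length {pd.prefixlen} (device would log "
            "DHCP/4/DHCPv6_CHECK_PREFIX_LENGTH)"
        )
    low_mask = (1 << (128 - pd.prefixlen)) - 1
    addr = int(pd.network_address) | (int(iface.ip) & low_mask)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/{bound_len}")


def plan_downlinks(delegated, bindings):
    """Resolve every downlink binding and reject overlapping subnets."""
    resolved = {}
    for ifname, configured in bindings.items():
        bound = bind_delegated_prefix(delegated, configured)
        for other, previous in resolved.items():
            if bound.network.overlaps(previous.network):
                raise ValueError(
                    f"{ifname} ({bound.network}) overlaps {other} "
                    f"({previous.network})"
                )
        resolved[ifname] = bound
    return resolved


if __name__ == "__main__":
    # Values from section 9.12.5: delegated prefix FC00:1::/48 and the
    # binding ::1:0:0:0:1/64 on GigabitEthernet0/0/2.
    print(bind_delegated_prefix("FC00:1::/48", "::1:0:0:0:1/64"))
    # GigabitEthernet0/0/3 and its binding are constructed for illustration.
    plan = plan_downlinks("FC00:1::/48", {
        "GigabitEthernet0/0/2": "::1:0:0:0:1/64",
        "GigabitEthernet0/0/3": "::2:0:0:0:1/64",
    })
    for name, address in plan.items():
        print(name, address)
```

Compare the delegated length used here with the value reported by display dhcpv6 client prefix before choosing prefix-length on the device.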

9.10.2 (Optional) Configuring the DHCPv6 Message Rate Limit and Alarm Function of DHCPv6 Messages Discarded

Context
To protect the device against clients that send a large number of DHCPv6 messages to attack
it, the device can limit the rate of DHCPv6 messages.
After the DHCPv6 message rate limit is enabled, DHCPv6 messages that exceed the rate
threshold are discarded. After the alarm function for discarded DHCPv6 messages is
enabled, the device sends an alarm when the number of discarded DHCPv6 messages exceeds
the alarm threshold.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dhcp enable

DHCP is enabled.

By default, DHCP is disabled.

Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.

By default, rate limit of DHCPv6 messages is disabled on the industrial switch router.

Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.

By default, the alarm function of DHCPv6 messages discarded is disabled.

Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

An alarm threshold is set for the number of DHCPv6 messages discarded because the DHCPv6
message rate exceeds the rate threshold.

By default, the alarm threshold is 100 when the alarm function of DHCPv6 messages
discarded is enabled.

----End

9.11 Maintaining DHCPv6


Maintaining DHCPv6 includes monitoring the running status of the DHCPv6 relay agent,
clearing DHCPv6 packet statistics, and resetting the status of the IPv6 address pool.

9.11.1 Monitoring DHCPv6 Operation

Procedure
• Run the display dhcpv6 statistics command to check statistics on DHCPv6 packets.
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check information about the DHCPv6 server function.
• Run the display dhcpv6 relay [ interface interface-type interface-number ] command to
check the configuration of the interface where the DHCPv6 relay function is configured.
• Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check DHCPv6 packet statistics on the DHCPv6 relay.
• Run the display dhcpv6 client statistics [ interface interface-type interface-number ]
command to check packet statistics on the DHCPv6 client.
• Run the display dhcpv6 client prefix [ name prefix-name ] command to check the IPv6
address prefix obtained by the DHCPv6 client.
----End
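
The relay statistics can also be used to judge a value for dhcpv6 packet-rate (section 9.10.2) and to spot a message flood. The following Python sketch is an added example, not part of this guide: it parses two captures of display dhcpv6 relay statistics in the table layout shown in section 9.12.3 and compares the received client messages per second with a chosen limit. The sample captures are constructed, the function names are hypothetical, and treating the rate threshold as messages per second is an assumption.

```python
import re

# One data row of `display dhcpv6 relay statistics`:
# message type, Receive, Send, Error.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Message types that clients originate.
CLIENT_TYPES = ("Solicit", "Request", "Confirm", "Renew", "Rebind",
                "Release", "Decline", "Information-request")


def parse_relay_statistics(text):
    """Parse the statistics table into {type: {receive, send, error}}."""
    stats = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:  # the header row has no counters and is skipped
            name, rx, tx, err = match.groups()
            stats[name] = {"receive": int(rx), "send": int(tx),
                           "error": int(err)}
    if not stats:
        raise ValueError("no statistics rows found")
    return stats


def review_interval(before_text, after_text, interval_s, packet_rate):
    """Compare two captures taken interval_s seconds apart."""
    before = parse_relay_statistics(before_text)
    after = parse_relay_statistics(after_text)
    zero = {"receive": 0, "send": 0, "error": 0}
    received = 0
    new_errors = {}
    for name, row in after.items():
        old = before.get(name, zero)
        for field in row:
            if row[field] < old[field]:
                # reset dhcpv6 relay statistics ran between the captures
                raise ValueError("counters decreased; statistics were "
                                 "cleared between the captures")
        if name in CLIENT_TYPES:
            received += row["receive"] - old["receive"]
        if row["error"] > old["error"]:
            new_errors[name] = row["error"] - old["error"]
    rate = received / interval_s
    return {"client_rate": rate,
            "over_limit": rate > packet_rate,
            "new_errors": new_errors}


# Constructed sample captures, 60 seconds apart.
BEFORE = """
MessageType           Receive   Send   Error
Solicit               100       0      0
Advertise             0         98     0
Request               90        0      0
Renew                 10        0      0
Reply                 0         99     0
Relay-forward         0         200    0
Relay-reply           197       0      0
UnknownType           0         0      0
"""
AFTER = """
MessageType           Receive   Send   Error
Solicit               9100      0      0
Advertise             0         130    0
Request               120       0      0
Renew                 10        0      0
Reply                 0         128    0
Relay-forward         0         3230   0
Relay-reply           260       0      0
UnknownType           40        0      40
"""

if __name__ == "__main__":
    print(review_interval(BEFORE, AFTER, interval_s=60, packet_rate=100))
```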

9.11.2 Clearing DHCPv6 Packet Statistics

Context

The DHCPv6 packet statistics cannot be restored after being cleared.

Procedure
• Run the reset dhcpv6 server statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 server.
• Run the reset dhcpv6 relay statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 relay agent.
• Run the reset dhcpv6 client statistics [ interface interface-type interface-number ]
command to clear packet statistics of the DHCPv6 clients.
• Run the reset dhcpv6 statistics command to clear statistics on DHCPv6 packets.
----End

9.11.3 Resetting the Status of the IPv6 Address Pool

Context
When the client addresses conflict due to repeated IPv6 address assignment or IPv6 addresses
need to be re-assigned to clients based on the network plan, you can reset the status of the
IPv6 address pool. In this way, the IPv6 addresses in the address pool return to the idle state
and the clients can re-apply for these IPv6 addresses.

Procedure
• Run the reset dhcpv6 pool pool-name [ allocated { address | prefix } | binding [ duid ]
| conflict address | ipv6-address [ to ipv6-address ] | ipv6-prefix/prefix-length ]
command to clear IPv6 address pool configurations.
----End

9.12 Configuration Examples


This section provides DHCPv6 configuration examples including networking requirements
and configuration roadmap.


9.12.1 Example for Configuring a DHCPv6 Server


Networking Requirements
If a large number of IPv6 addresses are configured manually, the configuration workload is
heavy and the manually configured addresses are hard to manage.
The administrator requires that IPv6 addresses and network configuration parameters be
obtained automatically to facilitate centralized management and hierarchical IPv6 network
deployment.

Figure 9-15 Networking diagram for configuring the DHCPv6 server
[Diagram: Router B (DHCPv6 client, GE0/0/1) is connected to GE0/0/1 (fc00:3::1/64) of Router A (DHCPv6 server).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 Server function so that devices can assign IPv6 addresses using
DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

Step 2 Configure a DHCPv6 server.


[RouterA] dhcpv6 pool pool1
[RouterA-dhcpv6-pool-pool1] address prefix fc00:3::/64
[RouterA-dhcpv6-pool-pool1] dns-server fc00:3::1
[RouterA-dhcpv6-pool-pool1] excluded-address fc00:3::1
[RouterA-dhcpv6-pool-pool1] quit

Step 3 Configure IPv6 functions on an interface.


[RouterA] ipv6
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] undo portswitch
[RouterA-GigabitEthernet0/0/1] ipv6 enable
[RouterA-GigabitEthernet0/0/1] ipv6 address fc00:3::1/64

Step 4 Enable the DHCPv6 server function on the interface.


[RouterA-GigabitEthernet0/0/1] dhcpv6 server pool1

Step 5 Configure M and O flag bits of RA messages through which the DHCPv6 client learns the
route to the IPv6 gateway.
[RouterA-GigabitEthernet0/0/1] undo ipv6 nd ra halt
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet0/0/1] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] quit


Step 6 Verify the configuration.

# Run the display dhcpv6 pool command on the industrial switch router to check information
about the DHCPv6 address pool.
<RouterA> display dhcpv6 pool
Address prefix: FC00:3::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use, 0 conflicts
Excluded-address FC00:3::1
1 excluded addresses
Information refresh time: 86400
DNS server address: FC00:3::1
Conflict-address expire-time: 172800
Active normal clients: 0

# Run the display dhcpv6 server command on the industrial switch router to check
information about the DHCPv6 server.
<RouterA> display dhcpv6 server
Interface DHCPv6 pool
GigabitEthernet0/0/1 pool1

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
address prefix FC00:3::/64
excluded-address FC00:3::1
dns-server FC00:3::1
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address FC00:3::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server pool1
#
return

9.12.2 Example for Configuring a DHCPv6 PD Server

Networking Requirements
In Figure 9-16, the industrial switch router is required to function as a DHCPv6 PD server
and assign an IPv6 address prefix to the DHCPv6 PD client. Configure the industrial switch
router as a DHCPv6 PD server to assign IPv6 addresses and other network configuration
parameters to DHCPv6 clients. This facilitates centralized management and layered IPv6
network deployment. The DHCPv6 PD server assigns DNS server address fc00:2::1/64 to a
client. The DHCPv6 PD server and client are on the same link.


Figure 9-16 Networking diagram for configuring DHCPv6 PD server
[Diagram: Router B (DHCPv6 PD client, GE0/0/1) is connected to GE0/0/1 (fc00:1::1/64) of Router A (DHCPv6 PD server); IPv6 HostA, HostB and HostC also appear in the diagram.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD server function so that the DHCPv6 PD server can assign an IPv6
address using DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure a DHCPv6 PD server.


[Router A] dhcpv6 pool pool1
[Router A-dhcpv6-pool-pool1] prefix-delegation fc00:1::/60 63
[Router A-dhcpv6-pool-pool1] dns-server fc00:2::1
[Router A-dhcpv6-pool-pool1] quit

Step 3 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] undo portswitch
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address fc00:1::1/64

Step 4 Enable the DHCPv6 PD server function on an interface.


[Router A-GigabitEthernet0/0/1] dhcpv6 server pool1

Step 5 Configure M and O flag bits of RA messages through which the DHCPv6 PD client learns the
route to the IPv6 gateway.
[Router A-GigabitEthernet0/0/1] undo ipv6 nd ra halt
[Router A-GigabitEthernet0/0/1] ipv6 nd autoconfig managed-address-flag
[Router A-GigabitEthernet0/0/1] ipv6 nd autoconfig other-flag
[Router A-GigabitEthernet0/0/1] quit
[Router A] quit

Step 6 Verify the configuration.


# Run the display dhcpv6 pool command on the industrial switch router to check information
about the DHCPv6 address pool.
<Router A> display dhcpv6 pool
DHCPv6 pool: pool1
Prefix delegation: FC00:1::/60 63
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use
Information refresh time: 86400
DNS server address: FC00:2::1
Conflict-address expire-time: 172800
Active pd clients: 0

# Run the display dhcpv6 server command on the industrial switch router to check
information about the DHCPv6 server.
<Router A> display dhcpv6 server
Interface DHCPv6 pool
GigabitEthernet0/0/1 pool1

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
prefix-delegation FC00:1::/60 63
dns-server FC00:2::1
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server pool1
#
return

9.12.3 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in One Network Segment Connected to the Relay

Networking Requirements
As shown in Figure 9-17, the IPv6 network segment address is fc00:1::/64 and the DHCPv6
server address is fc00:2::3/64. Users expect to obtain IPv6 addresses using DHCPv6. The
DHCPv6 client and server are on different network segments; therefore, a DHCPv6 relay
agent is required to forward DHCPv6 messages.
It is required that the industrial switch router function as the DHCPv6 relay agent to
forward DHCPv6 messages between the DHCPv6 client and the DHCPv6 server. In addition,
the industrial switch router functions as the gateway device of the network at fc00:1::/64. The
M flag bit and O flag bit in RA messages allow hosts on the network to obtain IPv6 addresses
and other network configuration parameters through DHCPv6.

Figure 9-17 Networking diagram for configuring a DHCPv6 relay
[Diagram: DHCPv6 clients attach to GE1/0/0 (fc00:1::1/64) of RouterA (DHCPv6 relay); GE2/0/0 (fc00:2::1/64) of RouterA connects to RouterB (DHCPv6 server, fc00:2::3/64).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can implement IPv6
communication.
2. Enable the DHCPv6 relay function so that the DHCPv6 server and client on different
links can transmit packets.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 1/0/0
[Router A-GigabitEthernet1/0/0] undo portswitch
[Router A-GigabitEthernet1/0/0] ipv6 enable
[Router A-GigabitEthernet1/0/0] ipv6 address fc00:1::1 64
[Router A-GigabitEthernet1/0/0] quit
[Router A] interface gigabitethernet 2/0/0
[Router A-GigabitEthernet2/0/0] undo portswitch
[Router A-GigabitEthernet2/0/0] ipv6 enable
[Router A-GigabitEthernet2/0/0] ipv6 address fc00:2::1 64
[Router A-GigabitEthernet2/0/0] quit

Step 3 Enable the DHCPv6 relay function.


[Router A] interface gigabitethernet 1/0/0
[Router A-GigabitEthernet1/0/0] dhcpv6 relay destination fc00:2::3

Step 4 Configure RouterA as a gateway device.


# Configure RouterA to send RA messages and configure M and O flag bits.
[Router A-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[Router A-GigabitEthernet1/0/0] ipv6 nd autoconfig managed-address-flag
[Router A-GigabitEthernet1/0/0] ipv6 nd autoconfig other-flag
[Router A-GigabitEthernet1/0/0] quit

Step 5 Verify the configuration.

# Run the display dhcpv6 relay command on RouterA to check configurations of DHCPv6
relay agent.
[Router A] display dhcpv6 relay
Interface Mode Destination
------------------------------------------------------------------
GigabitEthernet1/0/0 Relay FC00:2::3
------------------------------------------------------------------
dhcpv6 server group
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total count : 0

# Run the display dhcpv6 relay statistics command on RouterA to check DHCP message
statistics on the DHCPv6 relay agent.
[Router A] display dhcpv6 relay statistics
MessageType Receive Send Error
Solicit 0 0 0
Advertise 0 0 0
Request 0 0 0
Confirm 0 0 0
Renew 0 0 0
Rebind 0 0 0
Reply 0 0 0
Release 0 0 0
Decline 0 0 0
Reconfigure 0 0 0
Information-request 0 0 0
Relay-forward 0 0 0
Relay-reply 0 0 0
UnknownType 0 0 0

----End

Configuration File
Configuration file of RouterA
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
dhcpv6 relay destination FC00:2::3
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
#
return


9.12.4 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in Multiple Network Segments Connected to the Relay

Networking Requirements
As shown in Figure 9-18, the DHCPv6 server needs to dynamically assign IPv6 addresses to
the clients on two network segments fc00:1::/64 and fc00:2::/64, and the DHCPv6 server and
clients are in different links. The addresses fc00:1::1/64 and fc00:2::1/64 on RouterA are used
as the gateway addresses of the clients on the network segments fc00:1::/64 and fc00:2::/64.

Figure 9-18 Networking diagram for configuring a DHCPv6 relay to assign IPv6 addresses to
the clients in multiple network segments connected to the relay
[Diagram: DHCPv6 clients attach to GE1/0/0 (fc00:1::1/64) and GE2/0/0 (fc00:2::1/64) of RouterA (DHCPv6 relay); GE3/0/0 (fc00:3::1/64) of RouterA connects to GE1/0/0 (fc00:3::3/64) of RouterB (DHCPv6 server).]

Configuration Roadmap
Configure the DHCPv6 relay function on RouterA to forward DHCPv6 packets between the
DHCPv6 server and clients so that the clients can dynamically obtain IPv6 addresses.

NOTE

The AR500&AR510&AR530 is used as an example to describe the DHCPv6 server configuration procedure.

Procedure
Step 1 Configure RouterA as the DHCPv6 relay.
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

# Configure IPv6 addresses for interfaces.


[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1 64
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address fc00:2::1 64
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] undo portswitch
[RouterA-GigabitEthernet3/0/0] ipv6 enable
[RouterA-GigabitEthernet3/0/0] ipv6 address fc00:3::1 64
[RouterA-GigabitEthernet3/0/0] quit

# Enable the DHCPv6 relay function.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] dhcpv6 relay destination fc00:3::3
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] dhcpv6 relay destination fc00:3::3
[RouterA-GigabitEthernet2/0/0] quit

# Configure RouterA to function as the gateway to send the M and O flags of RA messages to
clients so that the clients can obtain IPv6 addresses through DHCPv6.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet1/0/0] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet2/0/0] ipv6 nd autoconfig managed-address-flag
[RouterA-GigabitEthernet2/0/0] ipv6 nd autoconfig other-flag
[RouterA-GigabitEthernet2/0/0] quit

Step 2 Configure RouterB as the DHCPv6 server.


<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address fc00:3::3 64
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] dhcpv6 pool pool1
[RouterB-dhcpv6-pool-pool1] address prefix fc00:1::/64
[RouterB-dhcpv6-pool-pool1] excluded-address fc00:1::1
[RouterB-dhcpv6-pool-pool1] quit
[RouterB] dhcpv6 pool pool2
[RouterB-dhcpv6-pool-pool2] address prefix fc00:2::/64
[RouterB-dhcpv6-pool-pool2] excluded-address fc00:2::1
[RouterB-dhcpv6-pool-pool2] quit
[RouterB] dhcpv6 server preference 255
[RouterB] ipv6 route-static :: 0 fc00:3::1

Step 3 Configure the DHCPv6 client (Windows 7 is used as an example of the operating system on
the PC).
1. Right-click Network and choose Properties to display the Network and Sharing
Center window.
2. Click Local Area Connection to display the Local Area Connection Status window.
3. Click Properties to display the Local Area Connection Properties window.


4. Select Internet Protocol Version 6 (TCP/IPv6) and click Properties to display the
Internet Protocol Version 6 (TCP/IPv6) Properties window. Select Obtain an IPv6
address automatically and Obtain DNS server address automatically, and click OK.
Step 4 Verify the configuration.
# Run the display dhcpv6 relay command on RouterA to check the DHCPv6 relay
configuration.
[RouterA] display dhcpv6 relay
Interface Mode Destination
--------------------------------------------------------------------------------
GigabitEthernet1/0/0 Relay FC00:3::3
GigabitEthernet2/0/0 Relay FC00:3::3
--------------------------------------------------------------------------------
dhcpv6 server group
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total count : 0

# Run the display dhcpv6 pool command on RouterB to check the DHCPv6 address pool
configuration.
[RouterB] display dhcpv6 pool
DHCPv6 pool: pool1
Address prefix: FC00:1::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
4 in use, 0 conflicts
Excluded-address FC00:1::1
1 excluded addresses
Information refresh time: 86400
Conflict-address expire-time: 172800
Active normal clients: 4

DHCPv6 pool: pool2


Address prefix: FC00:2::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
2 in use, 0 conflicts
Excluded-address FC00:2::1
1 excluded addresses
Information refresh time: 86400
Conflict-address expire-time: 172800
Active normal clients: 2

# Run the display dhcpv6 pool pool1 allocated address and display dhcpv6 pool pool2
allocated address commands on RouterB to check the assignment of IPv6 addresses in the
DHCPv6 address pool.
[RouterB] display dhcpv6 pool pool1 allocated address
Address Valid Expires Left
-------------------------------------------------------------------------------
FC00:1::2 172800 2013-09-06 03:09:02 166610
FC00:1::3 172800 2013-09-06 03:09:02 166610
FC00:1::4 172800 2013-09-06 03:09:02 166610
FC00:1::5 172800 2013-09-06 03:09:02 166610
-------------------------------------------------------------------------------
Total : 4
[RouterB] display dhcpv6 pool pool2 allocated address
Address Valid Expires Left
-------------------------------------------------------------------------------
FC00:2::2 172800 2013-09-06 03:09:02 166610
FC00:2::3 172800 2013-09-06 03:09:02 166610
-------------------------------------------------------------------------------
Total : 2

----End


Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
dhcp enable
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination FC00:3::3
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination FC00:3::3
#
interface GigabitEthernet3/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:3::1/64
#
return

• Configuration file of RouterB
#
sysname RouterB
#
ipv6
#
dhcp enable
#
dhcpv6 server preference 255
#
dhcpv6 pool pool1
address prefix FC00:1::/64
excluded-address FC00:1::1
#
dhcpv6 pool pool2
address prefix FC00:2::/64
excluded-address FC00:2::1
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:3::3/64
#
ipv6 route-static :: 0 FC00:3::1
#
return

9.12.5 Example for Configuring a DHCPv6 PD Client


Networking Requirements
In Figure 9-19, the industrial switch router is required to function as a DHCPv6 PD client and
obtain an IPv6 address prefix from the DHCPv6 PD server. Configure the industrial switch
router as a DHCPv6 PD client to assign IPv6 addresses and other network configuration
parameters to DHCPv6 clients. This reduces pressure on the DHCPv6 server and facilitates
layered IPv6 network deployment. The address of the DHCPv6 PD server is fc00:1::1/64. The
DHCPv6 PD server and client are on the same link.

Figure 9-19 Networking diagram for configuring a DHCPv6 PD client
[Diagram: Router A (DHCPv6 PD client) connects through GE0/0/1 to GE0/0/1 (fc00:1::1/64) of Router B (DHCPv6 PD server) and has a second interface GE0/0/2; IPv6 hostA, hostB and hostC also appear in the diagram.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD client function so that devices can obtain IPv6 address prefixes
using DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] undo portswitch
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address auto link-local


Step 3 Enable the DHCPv6 PD client function.

# Enable the DHCPv6 PD client function on GE0/0/1.

[Router A-GigabitEthernet0/0/1] dhcpv6 client pd myprefix
[Router A-GigabitEthernet0/0/1] quit

Step 4 Configure Router A to send an RA message to assign address prefixes to hosts.

# Configure the device to send RA messages and configure M and O flag bits.

[Router A] interface gigabitethernet 0/0/2
[Router A-GigabitEthernet0/0/2] undo portswitch
[Router A-GigabitEthernet0/0/2] ipv6 enable
[Router A-GigabitEthernet0/0/2] ipv6 address auto link-local
[Router A-GigabitEthernet0/0/2] undo ipv6 nd ra halt
[Router A-GigabitEthernet0/0/2] ipv6 nd autoconfig other-flag
[Router A-GigabitEthernet0/0/2] ipv6 address myprefix ::1:0:0:0:1/64
[Router A-GigabitEthernet0/0/2] quit

Step 5 Verify the configuration.

# Run the display dhcpv6 client command on the Router A to check the DHCPv6 client
configurations.
<Router A> display dhcpv6 client
GigabitEthernet0/0/1 is in DHCPv6-PD client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA PD IA ID 0x00000051 T1 43200 T2 69120
Prefix name : myprefix
Obtained : 2012-12-22 09:33:09
Renews : 2012-12-22 21:33:09
Rebinds : 2012-12-23 04:45:09
Prefix : FC00:1::/48
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:33:09(172792 seconds left)
DNS server : FC00:2::1

# Run the display dhcpv6 client statistics command on the Router A to check DHCPv6 message
statistics on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message Received
Advertise 1
Reply 1
Reconfigure 0
Invalid 0

Message Sent
Solicit 1
Request 1
Confirm 0
Renew 0
Rebind 0
Release 0
Decline 0
Information-request 0

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address auto link-local
dhcpv6 client pd myprefix
#
interface GigabitEthernet0/0/2
undo portswitch
ipv6 enable
ipv6 address auto link-local
undo ipv6 nd ra halt
ipv6 nd autoconfig other-flag
ipv6 address myprefix ::1:0:0:0:1/64
#
return

9.12.6 Example for Configuring a DHCPv6 Client

Networking Requirements
In Figure 9-20, the industrial switch router is required to function as a DHCPv6 client and
obtain an IPv6 address and other configuration parameters from the DHCPv6 server. The
address of the DHCPv6 server is fc00:3::1/64. The DHCPv6 server and client are on the same
link.

Figure 9-20 Networking diagram for configuring a DHCPv6 client
[Diagram: Router A (DHCPv6 client, GE0/0/1) connects to Router B (DHCPv6 server, GE0/0/1,
fc00:3::1/64).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 client function so that devices can obtain IPv6 addresses using
DHCPv6.

Procedure
Step 1 Enable the DHCP service.

<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] undo portswitch
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address auto link-local

Step 3 Enable the DHCPv6 client function.


# Enable the DHCPv6 client function on GE 0/0/1.
[Router A-GigabitEthernet0/0/1] ipv6 address auto dhcp

Step 4 Verify the configuration.


# Run the display dhcpv6 client command on the Router A to check the DHCPv6 client
configurations.
<Router A> display dhcpv6 client
GigabitEthernet0/0/1 is in stateful DHCPv6 client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA NA IA ID 0x00000051 T1 43200 T2 69120
Obtained : 2012-12-22 09:15:54
Renews : 2012-12-22 21:15:54
Rebinds : 2012-12-23 04:27:54
Address : FC00:3::2
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:15:54(172795 seconds left)

# Run the display dhcpv6 client statistics command on the Router A to check message
statistics on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message Received
Advertise 1
Reply 1
Reconfigure 0
Invalid 0

Message Sent
Solicit 1
Request 1
Confirm 0
Renew 0
Rebind 0
Release 0
Decline 0
Information-request 0

----End
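The two display dhcpv6 client listings (the PD client in 9.12.5 and the stateful client in 9.12.6) can be checked mechanically. The Python code below is an added example, not part of the Huawei guide: it parses that output, confirms that Renews, Rebinds and Expires equal Obtained plus T1, T2 and the valid lifetime, decodes the server DUID, and compares it with an allowlist so that a binding from an unexpected DHCPv6 server stands out. The function names and the allowlist are assumptions; the sample text is copied from the listings above.

```python
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
# Sample text copied from the two "display dhcpv6 client" listings in this guide.
PD_OUTPUT = """\
GigabitEthernet0/0/1 is in DHCPv6-PD client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA PD IA ID 0x00000051 T1 43200 T2 69120
Prefix name : myprefix
Obtained : 2012-12-22 09:33:09
Renews : 2012-12-22 21:33:09
Rebinds : 2012-12-23 04:45:09
Prefix : FC00:1::/48
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:33:09(172792 seconds left)
DNS server : FC00:2::1
"""
NA_OUTPUT = """\
GigabitEthernet0/0/1 is in stateful DHCPv6 client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA NA IA ID 0x00000051 T1 43200 T2 69120
Obtained : 2012-12-22 09:15:54
Renews : 2012-12-22 21:15:54
Rebinds : 2012-12-23 04:27:54
Address : FC00:3::2
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:15:54(172795 seconds left)
"""

def field(pattern, text):
    """Return group 1 of the first match, or raise if the field is absent."""
    match = re.search(pattern, text, re.MULTILINE)
    if match is None:
        raise ValueError("field not found: " + pattern)
    return match.group(1)

def when(label, text):
    """Parse the timestamp that follows a label such as 'Obtained' or 'Expires at'."""
    stamp = field(label + r"\s*:?\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", text)
    return datetime.strptime(stamp, TS)

def parse_binding(text):
    """Turn one interface's 'display dhcpv6 client' output into a dict."""
    return {
        "interface": field(r"^\s*(\S+) is in .+ client mode", text),
        "state": field(r"State is (\w+)", text),
        "server_duid": field(r"Preferred server DUID\s*:\s*([0-9A-Fa-f]+)", text).upper(),
        "ia_type": field(r"IA (PD|NA) IA ID", text),
        "t1": int(field(r"\bT1 (\d+)", text)),
        "t2": int(field(r"\bT2 (\d+)", text)),
        # "Prefix : ..." for IA PD, "Address : ..." for IA NA ("Prefix name" is skipped).
        "resource": field(r"^\s*(?:Prefix|Address)\s*:\s*(\S+)", text),
        "valid": int(field(r"Lifetime valid (\d+) seconds", text)),
        "preferred": int(field(r"preferred (\d+) seconds", text)),
        "obtained": when("Obtained", text),
        "renews": when("Renews", text),
        "rebinds": when("Rebinds", text),
        "expires": when("Expires at", text),
    }

def decode_duid(hex_duid):
    """Decode a DUID-LLT (type 1) or DUID-LL (type 3) into (kind, hw_type, mac)."""
    raw = bytes.fromhex(hex_duid)
    duid_type = int.from_bytes(raw[0:2], "big")
    if duid_type == 3:
        kind, lladdr = "DUID-LL", raw[4:]
    elif duid_type == 1:
        kind, lladdr = "DUID-LLT", raw[8:]   # a 4-byte timestamp precedes the address
    else:
        return ("type-%d" % duid_type, None, None)
    hw_type = int.from_bytes(raw[2:4], "big")
    return (kind, hw_type, ":".join("%02x" % b for b in lladdr))

def check_binding(b, trusted_duids):
    """Return a list of findings; an empty list means the binding is consistent."""
    findings = []
    if b["state"] != "BOUND":
        findings.append("state is %s, not BOUND" % b["state"])
    if b["server_duid"] not in {d.upper() for d in trusted_duids}:
        findings.append("server DUID %s is not in the allowlist" % b["server_duid"])
    if b["t1"] > b["t2"] or b["preferred"] > b["valid"]:
        findings.append("T1 > T2 or preferred > valid lifetime")
    for name, secs in (("renews", b["t1"]), ("rebinds", b["t2"]), ("expires", b["valid"])):
        if b[name] != b["obtained"] + timedelta(seconds=secs):
            findings.append("%s does not equal Obtained + %d s" % (name, secs))
    return findings
```

In both listings T1 and T2 are 0.5 and 0.8 times the preferred lifetime of 86400 seconds, and the DUID decodes as a DUID-LL carrying the link-layer address 08:19:a6:cd:a8:94.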

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#

dhcp enable
#
interface GigabitEthernet0/0/1
undo portswitch
ipv6 enable
ipv6 address auto link-local
ipv6 address auto dhcp
#
return

10 IPv6 DNS configuration

About This Chapter

This chapter describes the principles, basic functions and configuration procedures of IPv6
DNS, and provides configuration examples.

10.1 IPv6 DNS Overview


IPv6 DNS is a distributed database used in TCP and IP applications and completes resolution
between IPv6 addresses and domain names.
10.2 Configuration Notes
This section provides the points of attention when configuring DNSv6.
10.3 Configuring the IPv6 DNS Client
This section describes how to configure the IPv6 DNS client and the mapping between a
domain name and IPv6 address on a device, so that the device can communicate with other
devices using the domain name.
10.4 Configuring IPv6 DNS Proxy or Relay
When the DNS client and DNS server are on different LANs, the device enabled with IPv6
DNS proxy or relay can forward DNS request and reply packets.
10.5 Maintaining IPv6 DNS
IPv6 DNS maintenance includes clearing IPv6 DNS entries, clearing statistics on sent and
received IPv6 DNS packets and monitoring IPv6 DNS running status.
10.6 Configuration Examples
This section describes configuration examples of IPv6 DNS.

10.1 IPv6 DNS Overview


IPv6 DNS is a distributed database used in TCP and IP applications and completes resolution
between IPv6 addresses and domain names.

Each host on the IPv6 network is identified by an IPv6 address. To access a host, a user must
first obtain the host's IPv6 address. Because IPv6 addresses are difficult to remember, host
names in string format are used instead. Users can then access hosts by simple and meaningful
domain names, which the DNS server on the network resolves to IPv6 addresses.
The device can function as an IPv6 DNS client and IPv6 DNS proxy or relay.

Figure 10-1 Typical networking of the IPv6 DNS Client
[Diagram: RouterA and RouterB, each an IPv6 DNS client, connect to an IPv6 DNS server.]

As shown in Figure 10-1, the industrial switch router functions as an IPv6 DNS client and
supports static and dynamic domain name resolution.
• Static domain name resolution: Mappings between domain names and IPv6 addresses are
configured manually. To obtain the IPv6 address by resolving a domain name, the DNS
client searches the static domain name resolution table for the specified domain name.
• Dynamic domain name resolution: Dynamic domain name resolution is implemented by
a DNS server. The DNS server receives domain name resolution requests from DNS
clients. The DNS server searches for the corresponding IPv6 address of the domain name
in its DNS database. If no matching entry is found, it sends a query message to a
higher-level DNS server. This process continues until the DNS server finds the corresponding
IPv6 address or detects that the corresponding IPv6 address of the domain name does not
exist. Then the DNS server returns a result to the DNS client.
The industrial switch router IPv6 domain name resolution system must support the
following DNS query modes:
– AAAA query
– IPv6 PTR query
– A6 query

Functioning as the DNS Proxy or Relay

Figure 10-2 Functioning as the DNS proxy
[Diagram: three IPv6 DNS clients on the LAN reach a DNS server on the Internet through the
IPv6 DNS proxy.]

As shown in Figure 10-2, an IPv6 DNS client on the LAN can connect to an external IPv6
DNS server through the industrial switch router enabled with IPv6 DNS proxy or relay. After
the external DNS server translates the domain name of the IPv6 DNS client to an IP address,
the IPv6 DNS client can access the Internet.
IPv6 DNS relay is similar to IPv6 DNS proxy. The difference is that the IPv6 DNS proxy
searches for DNS entries saved in the domain name cache after receiving DNS query
messages from DNS clients. The IPv6 DNS relay, however, directly forwards DNS query
messages to the DNS server, reducing the cache usage.

10.2 Configuration Notes


This section provides the points of attention when configuring DNSv6.

Involved Network Elements


Other network elements are not required.

License Support
DNSv6 is a basic feature of the device and is not under license control.

Feature Dependencies and Limitations


• The AR502G-L-D-H and AR502GR-L-D-H do not support the IPv6 DNS function.
• The AR510 series do not support the IPv6 DNS function.

10.3 Configuring the IPv6 DNS Client


This section describes how to configure the IPv6 DNS client and the mapping between a
domain name and IPv6 address on a device, so that the device can communicate with other
devices using the domain name.

Context
NOTE

The AR510 series do not support this function.

10.3.1 Configuring the IPv6 Static Domain Name Resolution


Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IPv6 addresses. Some common domain names are added to the table.
Static domain name resolution can be performed based on the static domain name resolution
table. To obtain the IPv6 address by resolving a domain name, the client searches the static
domain name resolution table for the specified domain name. In this manner, the efficiency of
domain name resolution is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

The IPv6 function is enabled.


By default, a device is disabled from forwarding IPv6 unicast packets.
Step 3 Run:
ipv6 host host-name ipv6-address

The IPv6 static DNS entry is configured.


By default, no IPv6 static DNS entry is configured.
Each domain name supports a maximum of eight IPv6 addresses.

----End

10.3.2 Configuring the IPv6 Dynamic Domain Name Resolution

Context
The DNS client needs to complete dynamic domain name resolution through the DNS server.
During dynamic domain name resolution, the DNS server needs to provide the mapping
between domain names and IPv6 addresses and receive domain name resolution requests from
clients.
Configuring dynamic domain name resolution involves enabling dynamic domain name
resolution, configuring an IPv6 address for the DNS server, configuring a source IPv6
address for the local device, and configuring a domain name suffix. If the local device uses an
IPv6 address allocated by the DHCPv6 server and the information delivered by the DHCPv6
server to the local device contains the DNS server IPv6 address and the domain name suffix
list, you only need to enable dynamic DNS resolution.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns resolve

Dynamic domain name resolution is enabled.

By default, dynamic DNS resolution is disabled.

Step 3 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]

An IPv6 address is configured for the DNS server.

By default, no DNS server IPv6 address is configured.

A maximum of six DNS server IP (IPv4 and IPv6) addresses can be configured on the device.
During dynamic domain name resolution, the device sends a query packet to the DNS servers
according to the order in which they were configured. If the domain name query on the first
DNS server times out, the device sends the query request to the second DNS server.

Step 4 (Optional) Run:


dns server ipv6 source-ip ipv6-address

The source IPv6 address of the local device is specified.

By default, the source IPv6 address is not configured on the device.

After the IPv6 address of the local device is specified, the device uses the specified IPv6
address to communicate with the DNS server. If no source IPv6 address is configured, the
DNS client needs to select a source IPv6 address according to the destination address each
time it sends an IPv6 DNS request. If only one route from the DNS server to the device with
an IPv6 address is reachable, you need to specify the source IPv6 address in the DNS query
message when the device sends a DNS query to the DNS server.

Step 5 (Optional) Run:


dns domain domain-name

A suffix of a domain name is added.

By default, no domain name suffix is configured on a DNS client.

----End

10.3.3 Checking the Configuration

Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ipv6 host command to check the IPv6 static domain name resolution
table.
• Run the display dns server command to check the DNS server configuration.
• Run the display dns domain command to check the domain name suffix list.

----End

10.4 Configuring IPv6 DNS Proxy or Relay


When the DNS client and DNS server are on different LANs, the device enabled with IPv6
DNS proxy or relay can forward DNS request and reply packets.

Pre-configuration Tasks
Before configuring IPv6 DNS proxy or relay, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
• Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up
• Configuring a DNS server
• Configuring routes between the local routing device and the DNS server and between the
local routing device and the IPv6 DNS client

NOTE

The AR510 series do not support this function.

10.4.1 Configuring the DNS Server Address

Context
IPv6 DNS relay is similar to IPv6 DNS proxy. The IPv6 DNS proxy searches for DNS entries
saved in the domain name cache after receiving IPv6 DNS query packets from IPv6 DNS
clients. The IPv6 DNS relay, however, directly forwards IPv6 DNS query packets to the DNS
server, reducing the cache usage.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
dns proxy enable or dns relay enable

IPv6 DNS proxy or relay is enabled.

Step 3 Run:
dns resolve

Dynamic domain name resolution is enabled.

Step 4 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]

The DNS server that the IPv6 DNS proxy or relay connects to is configured.

----End

10.4.2 (Optional) Configuring Static DNSv6 Entries

Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IPv6 addresses. Some common domain names are added to the table.
Static domain name resolution can be performed based on the static domain name resolution
table. To obtain the IPv6 address by resolving a domain name, the DNS server searches the
static domain name resolution table. In this manner, the efficiency of domain name resolution
is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 host host-name ipv6-address

The domain name and mapping IPv6 address are configured.

----End

10.4.3 (Optional) Configuring IPv6 DNS Spoofing

Context
If the device is enabled with IPv6 DNS proxy or relay but is not configured with a DNS
server address or has no route to the DNS server, the device does not forward or respond to
DNS query messages from DNS clients. If IPv6 DNS spoofing is enabled, the device uses the
configured IPv6 address to respond to all DNS query messages.
In addition to enabling IPv6 DNS proxy or relay, one of the following requirements must be
met to make IPv6 DNS spoofing take effect:
• No DNS server is configured.
• A DNS server is configured, but dynamic DNS resolution is disabled.
• No route is reachable to the DNS server.
• No source IPv6 address is available for the outbound interface connected to the DNS
server.
If one of the preceding requirements is met, when receiving an AAAA or A6 query, the IPv6
DNS proxy or relay returns spoofing reply messages using the configured IPv6 address.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:
dns spoofing ipv6 ipv6-address

IPv6 DNS spoofing is enabled and the IPv6 address in response packets is specified.

By default, IPv6 DNS spoofing is disabled.

----End
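The conditions listed in the Context of this section decide whether the device answers every AAAA or A6 query with the spoofing address, so saved configurations are worth auditing for them. The Python code below is an added example, not part of the Huawei guide: it reads a configuration file, applies the conditions that can be judged from configuration alone, and reports whether spoofing is inactive, always in effect, or a fallback that depends on runtime route and source-address state. The function names, the status labels and the static route-coverage check are assumptions; the sample is the RouterA configuration file from section 10.6.2.

```python
import ipaddress
import re

# RouterA configuration file from section 10.6.2 of this guide.
ROUTER_A = """\
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
#
dns resolve
dns server ipv6 FC00:2::2
dns proxy enable
dns spoofing ipv6 FC00:3::3
#
ipv6 route-static FC00:2:: 64 FC00:1::2
#
return
"""


def parse_dns_config(text):
    """Collect the DNS-related settings and the IPv6 prefixes the config can reach."""
    cfg = {"forwarder": None, "resolve": False, "servers": [],
           "spoof": None, "networks": []}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line in ("dns proxy enable", "dns relay enable"):
            cfg["forwarder"] = line.split()[1]
        elif line == "dns resolve":
            cfg["resolve"] = True
        elif line.startswith("dns server ipv6 source-ip "):
            continue                      # source address of the client, not a server
        elif line.startswith("dns server ipv6 "):
            cfg["servers"].append(ipaddress.IPv6Address(line.split()[3]))
        elif line.startswith("dns spoofing ipv6 "):
            cfg["spoof"] = ipaddress.IPv6Address(line.split()[3])
        else:
            # "ipv6 address X/len", "ipv6 address X len" or
            # "ipv6 route-static PREFIX len next-hop"
            m = re.match(r"ipv6 (?:address|route-static) ([0-9a-f:]+)[/ ](\d+)(?: |$)", line)
            if m:
                cfg["networks"].append(
                    ipaddress.ip_network("%s/%s" % m.groups(), strict=False))
    return cfg


def spoofing_status(cfg):
    """Return (status, reason) with status 'inactive', 'always' or 'fallback'."""
    if cfg["spoof"] is None:
        return ("inactive", "dns spoofing ipv6 is not configured")
    if cfg["forwarder"] is None:
        return ("inactive", "neither DNS proxy nor DNS relay is enabled")
    if not cfg["servers"]:
        return ("always", "no DNS server is configured")
    if not cfg["resolve"]:
        return ("always", "dynamic DNS resolution is disabled")
    # Assumption: a server counts as routed when a connected prefix or static
    # route in this file covers it; the live routing table may differ.
    if not any(s in n for s in cfg["servers"] for n in cfg["networks"]):
        return ("always", "no configured route covers the DNS server")
    return ("fallback", "takes effect only if the route or source address is lost")


if __name__ == "__main__":
    status, reason = spoofing_status(parse_dns_config(ROUTER_A))
    print("spoofing to FC00:3::3 is %s: %s" % (status, reason))
```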

10.4.4 Checking the Configuration

Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ipv6 host command to view the static IPv6 DNS table.
• Run the display dns server command to check the DNS server configuration.

----End

10.5 Maintaining IPv6 DNS


IPv6 DNS maintenance includes clearing IPv6 DNS entries, clearing statistics on sent and
received IPv6 DNS packets and monitoring IPv6 DNS running status.

10.5.1 Clearing IPv6 DNS dynamic Entries

Context

IPv6 DNS entries in the domain name cache cannot be restored after being cleared. Exercise
caution when you run the command.

Procedure
• Run the reset dns ipv6 dynamic-host command to clear dynamic IPv6 DNS entries in
the domain name cache.

----End

10.5.2 Clearing IPv6 DNS Forwarding Entries

Context

IPv6 DNS forwarding entries cannot be restored after being cleared. Exercise caution when
you run the command.

Procedure
• Run the reset dns ipv6 forward table [ source-ip ipv6-address ] command in the user
view to clear IPv6 DNS forwarding entries.

----End

10.5.3 Clearing Statistics on Sent and Received IPv6 DNS Packets

Context

Statistics on sent and received IPv6 DNS packets cannot be restored after being cleared.
Exercise caution when you run the command.

Procedure
• Run the reset dns statistics command to clear statistics on sent and received IPv6 DNS
packets.

----End

10.5.4 Monitoring the Running Status of IPv6 DNS

Context
In routine maintenance, you can run the following commands in any view to check the
running status of IPv6 DNS.

Procedure
• Run the display dns ipv6 dynamic-host [ domain-name | a6 ] command to check
dynamic IPv6 DNS entries in the domain name cache.

----End

10.6 Configuration Examples


This section describes configuration examples of IPv6 DNS.

10.6.1 Example for Configuring IPv6 DNS


Networking Requirements
As shown in Figure 10-3, RouterA functions as a DNS client and cooperates with a DNS
server so that RouterA can access the host at fc00:2::1/64 using the domain name
huawei.com.
Static IPv6 DNS entries of RouterB and RouterC are configured on RouterA so that RouterA
can manage RouterB and RouterC.

Figure 10-3 Networking diagram for configuring IPv6 DNS

Device                      Interface   IPv6 address
RouterA (IPv6 DNS client)   GE1/0/0     fc00:1::1/64
RouterB                     GE1/0/0     fc00:1::2/64
RouterB                     GE2/0/0     fc00:2::2/64
RouterC                     GE2/0/0     fc00:2::3/64
RouterC                     GE1/0/0     fc00:3::1/64
DNS server                  -           fc00:3::2/64
Host huawei.com             -           fc00:2::1/64

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries on RouterA to access RouterB and RouterC.
2. Configure dynamic DNS resolution on RouterA to access the DNS server.

Procedure
Step 1 Configure RouterA.
# Configure IPv6 function.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1/64
[RouterA-GigabitEthernet1/0/0] quit

# Configure static IPv6 DNS entries.


[RouterA] ipv6 host RouterB fc00:1::2
[RouterA] ipv6 host RouterC fc00:2::3

# Enable DNS resolution.


[RouterA] dns resolve

# Configure an IP address for the DNS server.


[RouterA] dns server ipv6 fc00:3::2

# Set the domain name suffix to net.


[RouterA] dns domain net

# Set the domain name suffix to com.


[RouterA] dns domain com
[RouterA] quit

NOTE

To resolve the domain name, you need to configure the route from RouterA to the IPv6 DNS server. For
details on how to configure the route, see Configure static route example in the Configuration Guide-
IP Routing.

Step 2 Verify the configuration.


# Run the ping ipv6 huawei.com command on RouterA. You can find that the ping operation
succeeds, and the destination IPv6 address is fc00:2::1.
<RouterA> ping ipv6 huawei.com
Resolved Host ( huawei.com -> FC00:2::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from FC00:2::1
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from FC00:2::1
bytes=56 Sequence=2 hop limit=64 time = 1 ms
Reply from FC00:2::1
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from FC00:2::1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from FC00:2::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# Run the display ipv6 host command on RouterA. You can view mappings between host
names and IPv6 addresses in static DNS entries.
<RouterA> display ipv6 host
Host Age Flags IPv6Address (es)
RouterB 0 static FC00:1::2
RouterC 0 static FC00:2::3

# Run the display dns ipv6 dynamic-host command on RouterA. You can view information
about dynamic IPv6 DNS entries saved in the cache.
<RouterA> display dns ipv6 dynamic-host
Host TTL Type Address(es)
huawei.com 3579 IPv6 FC00:2::1

NOTE

The TTL field in the command output indicates the lifetime of a DNS entry, in seconds.

----End

Configuration File
• Configuration file of RouterA

#
sysname RouterA
#
ipv6
#
ipv6 host RouterB FC00:1::2
ipv6 host RouterC FC00:2::3
#
dns resolve
dns server ipv6 FC00:3::2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
#

ipv6 route-static FC00:2:: 64 FC00:1::2
ipv6 route-static FC00:3:: 64 FC00:1::2
#
return

• Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::2/64
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::2/64
#

ipv6 route-static FC00:3:: 64 FC00:2::3


#
return

• Configuration file of RouterC


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::3/64
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:3::1/64
#

ipv6 route-static FC00:1:: 64 FC00:2::2


#
return

10.6.2 Example for Configuring IPv6 DNS Proxy

Networking Requirements
As shown in Figure 10-4, users access the DNS server to resolve domain names through
RouterA enabled with DNS proxy. If the route from RouterA to the DNS server is
unreachable, the IPv6 address configured for DNS spoofing is used to respond to the DNS
query packets.

NOTE
AR500&AR530 can function only as RouterA in this scenario.

Figure 10-4 Network diagram for configuring IPv6 DNS proxy

Device                Interface   IPv6 address
RouterA (DNS proxy)   GE1/0/0     fc00:1::1/64
RouterB               GE1/0/0     fc00:1::2/64
RouterB               GE2/0/0     fc00:2::1/64
DNS server            -           fc00:2::2/64
HostA, HostB          -           -

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the IPv6 address for the DNS server on RouterA to forward DNS packets.
2. Configure IPv6 DNS spoofing on RouterA.

Procedure
Step 1 Configure an IPv6 address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fc00:1::1 64
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure a DNS server.

# Enable dynamic DNS resolution.


[RouterA] dns resolve

# Configure a DNS server that the DNS proxy or relay connects to.
[RouterA] dns server ipv6 fc00:2::2

# Enable IPv6 DNS proxy.


[RouterA] dns proxy enable

Step 3 Configure DNS spoofing and specify the IPv6 address in response messages as fc00:3::3.
[RouterA] dns spoofing ipv6 fc00:3::3

Step 4 Configure a static route.


[RouterA] ipv6 route-static fc00:2:: 64 fc00:1::2

NOTE

You need to configure a static IPv6 route on the DNS server so that DNS packets can be sent and
received properly.

Step 5 Verify the configuration.


# Run the display current-configuration command to view the DNS proxy configuration on
RouterA.
<RouterA> display current-configuration | include dns
dns resolve
dns server ipv6 FC00:2::2
dns proxy enable
dns spoofing ipv6 FC00:3::3

----End

Configuration File
• Configuration file of RouterA

#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::1/64
#
dns resolve
dns server ipv6 FC00:2::2
dns proxy enable
dns spoofing ipv6 FC00:3::3
#
ipv6 route-static FC00:2:: 64 FC00:1::2
#
return

• Configuration file of RouterB

#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:1::2/64
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address FC00:2::1/64
#
return

11 IPv6 over IPv4 Tunnel Configuration

About This Chapter

11.1 IPv6 over IPv4 Tunnel Overview


11.2 Principles
11.3 Configuration Notes
11.4 Configuring the IPv4/IPv6 Dual Stack
11.5 Configuring an IPv6 over IPv4 Tunnel
An IPv6 over IPv4 tunnel connects IPv6 networks through an IPv4 network.
11.6 Maintaining the IPv6 over IPv4 Tunnel
11.7 Configuration Examples

11.1 IPv6 over IPv4 Tunnel Overview


An IPv6 over IPv4 tunnel connects isolated IPv6 sites through an IPv4 network. Exhaustion
of IPv4 addresses makes the transition from IPv4 to IPv6 urgent. IPv6 is incompatible with
IPv4, so the original IPv4 devices would need to be replaced. Replacing them all at once is
currently infeasible because it requires huge capital expenditure and would interrupt services
on the live network. The transition from IPv4 to IPv6 therefore has to be gradual. During the
earlier stages, IPv4 networks are widely deployed and IPv6 networks are isolated sites. An IPv6
over IPv4 tunnel allows IPv6 packets to be transmitted on an IPv4 network and connects IPv6 sites.

11.2 Principles
11.2.1 Dual Protocol Stack
Dual protocol stack is a technology used for the transition from the IPv4 to IPv6 network.
Nodes on a dual stack network support both IPv4 and IPv6 protocol stacks. A source node
and a destination node use the same protocol stack. Network devices use protocol stacks to
process and forward packets based on the protocol type of packets. You can implement a dual
protocol stack on a single device or a dual stack backbone network. On the dual stack
backbone network, all devices must support both IPv4 and IPv6 protocol stacks. Interfaces
connecting to the dual stack network must be configured with both IPv4 and IPv6 addresses.
Figure 11-1 shows the structures of an IPv4 stack and a dual protocol stack.

Figure 11-1 IPv4 stack and dual protocol stack

Layer         IPv4 stack         Dual stack
Application   IPv4 application   IPv4/IPv6 application
Transport     TCP, UDP           TCP, UDP
Network       IPv4               IPv4, IPv6
Protocol ID   0x0800             0x0800 (IPv4), 0x86DD (IPv6)
Link          Ethernet           Ethernet

A dual protocol stack has the following advantages:


• Supported by multiple link protocols.
Multiple link protocols, such as Ethernet, support dual protocol stacks. In Figure 11-1,
the link protocol is Ethernet. In an Ethernet frame, if the value of the Protocol ID field is
0x0800, the network layer receives IPv4 packets. If the value of the Protocol ID field is
0x86DD, the network layer receives IPv6 packets.
• Supported by multiple applications.
Multiple applications, such as the DNS, FTP, and Telnet, support dual protocol stacks.
The upper layer applications, such as the DNS, can use TCP or UDP as the transport
layer protocol. However, these applications prefer the IPv6 protocol stack rather than the
IPv4 protocol stack as the network layer protocol.
Figure 11-2 shows a typical application of the dual IPv4/IPv6 protocol stack.

Figure 11-2 Networking diagram for applying a dual protocol stack

In Figure 11-2, an application that supports dual protocol stack requests an IP address
corresponding to the domain name www.example.com from the DNS server. A host sends a
DNS request packet to the DNS server, requesting the IP address corresponding to the domain
name www.example.com. The DNS server responds with the requested IP address. The IP
address can be 10.1.1.1 or fc00::1. If the host sends a class A query packet, it requests the
IPv4 address from the DNS server. If the host sends a class AAAA query packet, it requests
the IPv6 address from the DNS server.
The router in the figure supports the dual protocol stack and uses the IPv4 protocol stack to
connect the host to the network server with the IPv4 address 10.1.1.1. The router also uses the
IPv6 protocol stack to connect the host to the network server with the IPv6 address fc00::1.

11.2.2 IPv6 over IPv4 Tunnel


Tunneling is an encapsulation technology that encapsulates packets of one network layer
protocol as packets of another. A tunnel is a virtual point-to-point (P2P) connection. It
provides a path through which encapsulated packets are transmitted. Datagrams are
encapsulated at one end, and decapsulated at the other end of the tunnel. Tunneling
technology refers to the process in which datagrams are encapsulated, transmitted, and
decapsulated, and it is significant for the transition from IPv4 to IPv6.
Exhaustion of IPv4 addresses brings an urgent demand for the transition to IPv6. As IPv6 is
not compatible with IPv4, devices will need replacing on the original IPv4 network.
Replacing a large number of devices on the IPv4 network however costs a significant amount
and will cause service interruption to the current network. Therefore, transition from IPv4
networks to IPv6 networks must happen gradually. During the early stage of transition, a large
number of IPv4 networks have been deployed, whereas IPv6 networks remain as isolated sites
over the world. You can create tunnels on the IPv4 networks to connect to IPv6 isolated sites.
These tunnels are called IPv6 over IPv4 tunnels.
Figure 11-3 shows how to apply the IPv6 over IPv4 tunnel.

Figure 11-3 Networking diagram for applying the IPv6 over IPv4 tunnel

[Figure: IPv6 host - IPv6 network - dual-stack router - IPv6 over IPv4 tunnel across the IPv4
network - dual-stack router - IPv6 network - IPv6 host. Packet on the IPv6 networks:
IPv6 Header | IPv6 Data. Packet in the tunnel: IPv4 Header | IPv6 Header | IPv6 Data.]

1. On the border device, the IPv4/IPv6 dual protocol stack is enabled, and an IPv6 over
IPv4 tunnel is configured.
2. After the border device receives a packet from the IPv6 network, the device appends an
IPv4 header to the IPv6 packet to encapsulate the IPv6 packet as an IPv4 packet if the
destination address of the IPv6 packet is not the device and the outbound interface of the
next hop is the tunnel interface.

3. On the IPv4 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv4 header, and sends
the decapsulated IPv6 packet to the IPv6 network.
A tunnel is established when its start and end points are determined. You must manually
configure an IPv4 address at the start point of an IPv6 over IPv4 tunnel. The IPv4 address at
the end point of the tunnel can be determined manually or automatically. Based on the mode
in which the end point IPv4 address is obtained, IPv6 over IPv4 tunnels are classified into
manual tunnels and automatic tunnels.
• Manual tunnel: If a tunnel is created manually, a border router cannot automatically
obtain an IPv4 address at the end point. You must manually configure an end point IPv4
address before packets can be transmitted to the remote border router.
• Automatic tunnel: If a tunnel is created automatically, a border router can automatically
obtain an IPv4 address at the end point. The addresses of the two interfaces on both ends of
the tunnel are IPv6 addresses with IPv4 addresses embedded. The border router extracts
IPv4 addresses from destination IPv6 addresses.

Manual Tunnel
Based on the encapsulation modes of IPv6 packets, manual tunnels are classified into IPv6 over
IPv4 manual tunnels and IPv6 over IPv4 Generic Routing Encapsulation (GRE) tunnels.
IPv6 over IPv4 Manual Tunnel
The border router uses the received IPv6 packet as the payload and encapsulates the IPv6
packet as an IPv4 packet. You must manually specify the source and destination addresses of
a manual tunnel. A manual tunnel is created between two border routers to connect IPv6 sites
isolated by an IPv4 network, or between a border router and a host to enable the host to access
an IPv6 network. Hosts and border routers on both ends of a manual tunnel must support the
IPv4/IPv6 dual protocol stack. Other devices only need to support a single protocol stack. If
you create multiple IPv6 over IPv4 manual tunnels between one border router and multiple
hosts, the configuration workload is heavy. Therefore, an IPv6 over IPv4 manual tunnel is
commonly created between two border routers to connect IPv6 networks.
Figure 11-4 shows the encapsulation format of an IPv6 over IPv4 packet.

Figure 11-4 Encapsulation format of an IPv6 over IPv4 packet

IPv4 Header | IPv6 Header | IPv6 Data

The forwarding mechanism of an IPv6 over IPv4 manual tunnel is as follows: After a border
router receives a packet from the IPv6 network, it looks up the destination address of the IPv6
packet in the routing and forwarding table. If the packet is to be forwarded through a virtual
tunnel interface, the router encapsulates the packet based on the source and destination IPv4
addresses configured on the interface. The IPv6 packet is encapsulated as an IPv4 packet and
processed by the IPv4 protocol stack. The encapsulated packet is forwarded through the IPv4
network to the remote end of the tunnel. After the border router on the remote end of the
tunnel receives the encapsulated packet, it decapsulates the packet and processes the packet
using the IPv6 protocol stack.
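
The encapsulation and decapsulation steps described above, as an added Python example (not Huawei's implementation). It assumes IPv4 protocol number 41 for an encapsulated IPv6 packet and a decapsulation check of the outer addresses against the configured tunnel, both taken from RFC 4213; the function names are hypothetical and the addresses are the sample values from 11.7.1.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41            # IPv4 protocol number for an encapsulated IPv6 packet (RFC 4213)
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv6 packet: 40-byte fixed header (next header 59 = none) plus payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def encapsulate(ipv6_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend an IPv4 header built from the tunnel's configured source and destination."""
    src = ipaddress.IPv4Address(tunnel_src).packed
    dst = ipaddress.IPv4Address(tunnel_dst).packed
    fields = [0x45, 0, 20 + len(ipv6_packet), 0, 0, 255, IPPROTO_IPV6, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + ipv6_packet


def decapsulate(ipv4_packet: bytes, local: str, peer: str) -> bytes:
    """Return the inner IPv6 packet; raise ValueError unless the outer packet is a
    well-formed protocol-41 packet sent by the configured peer to this end point."""
    if len(ipv4_packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_HDR, ipv4_packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if total_len > len(ipv4_packet) or total_len < ihl + 40:
        raise ValueError("length fields leave no room for an IPv6 header")
    if ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    if (src != ipaddress.IPv4Address(peer).packed
            or dst != ipaddress.IPv4Address(local).packed):
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = ipv4_packet[ihl:total_len]
    if inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    return inner


if __name__ == "__main__":
    # RouterA (192.168.50.2) sends to RouterC (192.168.51.2); payload is constructed.
    inner = build_ipv6_packet("2001::1", "2001::2", b"constructed payload")
    outer = encapsulate(inner, "192.168.50.2", "192.168.51.2")
    print(len(inner), len(outer), outer[9])
    print(decapsulate(outer, local="192.168.51.2", peer="192.168.50.2") == inner)
```

The remote end accepts the packet only when the outer source and destination match its own `destination` and `source` settings, which is why both ends of a manual tunnel must be configured as mirror images of each other.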
IPv6 over IPv4 GRE Tunnel

An IPv6 over IPv4 GRE tunnel uses the standard GRE tunneling technology to provide P2P
connections. You must manually specify addresses for both ends of the tunnel. Any type of
protocol packet that GRE supports can be encapsulated and transmitted through a GRE
tunnel. The protocols may include IPv4, IPv6, Open Systems Interconnection (OSI), and
Multiprotocol Label Switching (MPLS).
Figure 11-5 shows the encapsulation and transmission process on an IPv6 over IPv4 GRE
tunnel.

Figure 11-5 IPv6 over IPv4 GRE tunnel

[Figure: IPv6 network - GRE tunnel across the IPv4 network - IPv6 network. Packet on the
IPv6 networks: IPv6 Header | Data. Packet in the tunnel: IPv4 Header | GRE Header |
IPv6 Header | Data.]

The forwarding mechanism of an IPv6 over IPv4 GRE tunnel is the same as that of an IPv6
over IPv4 manual tunnel. For details, see the Configuration Guide - VPN.

Automatic Tunnel
You only need to configure the start point of an automatic tunnel, and the device
automatically obtains the end point of the tunnel. The tunnel interface uses a special form of
IPv6 address with an IPv4 address embedded. The device obtains the IPv4 address from the
destination IPv6 address and uses the IPv4 address as the end point address of the tunnel.
Based on the encapsulation modes of IPv6 packets, automatic tunnels are classified into
IPv4-compatible IPv6 automatic tunnels, IPv6-to-IPv4 tunnels, and Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP) tunnels.
IPv4-compatible IPv6 Automatic Tunnel
For an IPv4-compatible IPv6 automatic tunnel, the destination address contained in an IPv6
packet is an IPv4-compatible IPv6 address. The first 96 bits of an IPv4-compatible IPv6
address are all 0s and the last 32 bits are the IPv4 address. Figure 11-6 shows the format of an
IPv4-compatible IPv6 address.

Figure 11-6 IPv4-compatible IPv6 address

0 (96 bits) | IPv4 address (32 bits)

Figure 11-7 shows the forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel.

Figure 11-7 Forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel

[Figure: Router A (IPv4 address 1.1.1.1/24, tunnel address ::1.1.1.1/96) - IPv4-compatible
IPv6 tunnel across the IPv4 network - Router B (IPv4 address 2.1.1.1/24, tunnel address
::2.1.1.1/96).]

After receiving an IPv6 packet, Router A searches the routing table for the destination
address ::2.1.1.1 and finds that the next hop address is a virtual tunnel interface address.
Router A then encapsulates the IPv6 packet as an IPv4 packet because the tunnel configured
on Router A is an IPv4-compatible IPv6 automatic tunnel. The source address of the
encapsulated IPv4 packet is the start point address of the tunnel 1.1.1.1, and the destination
address is 2.1.1.1, which is the last 32 bits of the IPv4-compatible IPv6 address. Router A
sends the packet through the tunnel interface and forwards it on an IPv4 network to the
destination address 2.1.1.1 (Router B). Router B receives the packet, obtains the IPv6 packet,
and processes the IPv6 packet using the IPv6 protocol stack. Router B returns packets to
Router A in the same way.

NOTE

If the IPv4 address contained in an IPv4-compatible IPv6 address is a broadcast address, multicast
address, network broadcast address, subnet broadcast address of an outbound interface, address of all 0s,
or loopback address, the IPv6 packet will be discarded.

To deploy an IPv4-compatible IPv6 tunnel, each host must have a valid IP address, and hosts
that communicate with each other must support dual protocol stacks and IPv4-compatible
IPv6 tunnels. Therefore, it is unsuitable for large-scale networks. Currently, the IPv4-
compatible IPv6 tunnel has been replaced by the IPv6-to-IPv4 tunnel.

IPv6-to-IPv4 Tunnel

An IPv6-to-IPv4 tunnel also uses an IPv4 address that is embedded in an IPv6 address. Unlike
IPv4-compatible IPv6 tunnels, you can create IPv6-to-IPv4 tunnels between two routers, a
router and a host, and two hosts. An IPv6-to-IPv4 address uses the IPv4 address as the
network ID. Figure 11-8 shows the format of an IPv6-to-IPv4 address.

Figure 11-8 Format of an IPv6-to-IPv4 address

FP: 001 (3 bits) | TLA: 0x0002 (13 bits) | IPv4 address (32 bits) | SLA ID (16 bits) | Interface ID (64 bits)

• FP: format prefix of a global unicast address. The value is 001.
• TLA ID: top level aggregation identifier. The value is 0x0002.
• SLA ID: site level aggregation identifier.
An IPv6-to-IPv4 address is expressed in the format of 2002::/16. An IPv6-to-IPv4 network is
expressed as 2002:IPv4 address::/48. An IPv6-to-IPv4 address has a 64-bit prefix composed
of a 48-bit 2002:IPv4 address and a 16-bit SLA. A 2002:IPv4 address in the format of
2002:a.b.c.d is determined by the IPv4 address allocated to the router and the SLA is defined
by the user. Figure 11-9 shows the encapsulation and forwarding process of the IPv6-to-IPv4
tunnel.

Figure 11-9 Example of an IPv6-to-IPv4 tunnel (1)


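[Figure: 6to4 network 2002:IPv4-Addr1::/48 - 6to4 router (IPv4-Addr 1) - 6to4 tunnel across
the IPv4 network - 6to4 router (IPv4-Addr 2) - 6to4 network 2002:IPv4-Addr2::/48. Packet on
the 6to4 networks: IPv6 Header | Data. Packet in the tunnel: IPv4 Header | IPv6 Header | Data.]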

One IPv4 address can be used as the source address of only one IPv6-to-IPv4 tunnel. When a
border device connects to multiple IPv6-to-IPv4 networks using the same IPv4 address as the
source address of the tunnel, the IPv6-to-IPv4 networks share a tunnel and are identified by
SLA ID in the IPv6-to-IPv4 address. Figure 11-10 details this configuration.

Figure 11-10 Example of an IPv6-to-IPv4 tunnel (2)


[Figure: 6to4 networks 2002:IPv4-Addr1:1::/64 and 2002:IPv4-Addr1:2::/64 - 6to4 router
(IPv4-Addr 1) - 6to4 tunnel across the IPv4 network - 6to4 router (IPv4-Addr 2) - 6to4
network 2002:IPv4-Addr2::/48. Packet in the tunnel: IPv4 Header | IPv6 Header | Data.]

As IPv6 networks become more widely deployed, IPv6 hosts need to communicate with IPv4 hosts
through IPv6-to-IPv4 networks. This can be implemented by deploying IPv6-to-IPv4 relays.

When the destination address of an IPv6 packet forwarded through an IPv6-to-IPv4 tunnel is
not an IPv6-to-IPv4 address, but the next hop address is an IPv6-to-IPv4 address, the next hop
router is an IPv6-to-IPv4 relay. The device obtains the destination IPv4 address from the next
hop IPv6-to-IPv4 address. Figure 11-11 shows an IPv6-to-IPv4 relay.

Figure 11-11 IPv6-to-IPv4 relay

[Figure: two 6to4 routers (IPv4-Addr 1 and IPv4-Addr 2) connected by a 6to4 tunnel across the
IPv4 network. Labels in the figure: 6to4 Net-1, 6to4 Net-2, IPv6 Network,
2002:IPv4-Addr1:2::/64, 2002:IPv4-Addr2::/48. Packet in the tunnel: IPv4 Header |
IPv6 Header | Data.]

When hosts on IPv6-to-IPv4 network 2 want to communicate with hosts on the IPv6 network,
configure the next hop address as the IPv6-to-IPv4 address of the IPv6-to-IPv4 relay on the
border router. The IPv6-to-IPv4 address matches the source address of the IPv6-to-IPv4
tunnel. Packets sent from IPv6-to-IPv4 network 2 to the IPv6 network are sent to the IPv6-to-
IPv4 relay router according to the routing table. The IPv6-to-IPv4 relay router then forwards
packets to the pure IPv6 network. When hosts on the IPv6 network send packets to IPv6-to-
IPv4 network 2, the IPv6-to-IPv4 relay router appends IPv4 headers to the packets and
forwards the packets to the destination addresses (IPv6-to-IPv4 addresses).
ISATAP Tunnel
ISATAP is another automatic tunneling technology. The ISATAP tunnel uses a specially
formatted IPv6 address with an IPv4 address embedded into it. Different from the IPv6-to-
IPv4 address that uses the IPv4 address as the network prefix, the ISATAP address uses the
IPv4 address as the interface ID. Figure 11-12 shows the format of the interface ID of an
ISATAP address.

Figure 11-12 Format of the interface ID of an ISATAP address

000000ug00000000 (16 bits) | 0101111011111110 (16 bits) | IPv4 address (32 bits)

If the IPv4 address is globally unique, the "u" bit is set to 1. Otherwise, the "u" bit is set
to 0. "g" is the individual/group bit. An ISATAP address contains an interface ID and it can be
a global unicast address, link-local address, ULA address, or multicast address. The device
obtains the first 64 bits of an ISATAP address by sending Request packets to the ISATAP
router. Devices on both ends of the ISATAP tunnel run the Neighbor Discovery (ND)
protocol. The ISATAP tunnel considers the IPv4 network as a non-broadcast multiple access
(NBMA) network.
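
How an automatic tunnel derives its end point from the three address formats above (Figures 11-6, 11-8 and 11-12), as an added Python example that is not Huawei's implementation. The function names are hypothetical, the 6to4 sample addresses are constructed, and applying the discard rule from the NOTE to 6to4 and ISATAP as well as to IPv4-compatible addresses is a generalization made here.

```python
import ipaddress


def embedded_ipv4(address, mode):
    """Return the IPv4 address embedded in an IPv6 address for one tunnel mode,
    or None if the address does not have that mode's format."""
    value = int(ipaddress.IPv6Address(address))
    if mode == "ipv4-compatible":
        # First 96 bits are all 0s, last 32 bits are the IPv4 address.
        if value >> 32:
            return None
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    if mode == "6to4":
        # FP 001 and TLA 0x0002 form 2002::/16; the next 32 bits are the IPv4 address.
        if value >> 112 != 0x2002:
            return None
        return ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    if mode == "isatap":
        # Interface ID = 000000ug00000000 | 0x5EFE | IPv4 address (u and g may be 0 or 1).
        iid = value & 0xFFFFFFFFFFFFFFFF
        if ((iid >> 48) & 0xFCFF) != 0 or ((iid >> 32) & 0xFFFF) != 0x5EFE:
            return None
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    raise ValueError("unknown tunnel mode: %r" % mode)


def is_usable_endpoint(v4, out_if_net=None):
    """Discard rule from the NOTE: broadcast, multicast, all-0s and loopback addresses
    are rejected, as is the subnet broadcast address of the outbound interface.
    (A classful network broadcast address is not modelled here.)"""
    if v4 == ipaddress.IPv4Address("255.255.255.255"):
        return False
    if v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        return False
    if out_if_net is not None:
        net = ipaddress.IPv4Network(out_if_net, strict=False)
        if v4 == net.broadcast_address:
            return False
    return True


def tunnel_endpoint(mode, destination, next_hop=None, out_if_net=None):
    """IPv4 end point for a packet leaving an automatic tunnel interface, or None if
    the packet must be discarded. The destination is tried first; the next hop covers
    the 6to4 relay and the off-site ISATAP case."""
    for candidate in (destination, next_hop):
        if candidate is None:
            continue
        v4 = embedded_ipv4(candidate, mode)
        if v4 is not None:
            return v4 if is_usable_endpoint(v4, out_if_net) else None
    return None


if __name__ == "__main__":
    # Router A in Figure 11-7, Host B in Figure 11-13, and a constructed 6to4 relay case.
    print(tunnel_endpoint("ipv4-compatible", "::2.1.1.1", out_if_net="1.1.1.1/24"))
    print(tunnel_endpoint("isatap", "3::8", next_hop="FE80::5EFE:0A01:0201"))
    print(tunnel_endpoint("6to4", "2001:db8::1", next_hop="2002:c0a8:3202::1"))
    print(tunnel_endpoint("ipv4-compatible", "::127.0.0.1"))
```

Because the end point is taken from an address carried in the packet or the routing table, the discard checks are the only thing that keeps an automatic tunnel from sending encapsulated traffic to broadcast, multicast or loopback IPv4 addresses.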

ISATAP allows IPv6 networks to be deployed within existing IPv4 networks, which is simple
and makes networks easily expandable. ISATAP is suitable for transitions of local sites and
supports local routing within IPv6 sites, global IPv6 routing domains, and automatic IPv6
tunnels. ISATAP can be used together with NAT to allow the use of an IPv4 address that is not
globally unique within the site. Typically, an ISATAP tunnel is used within the site, and does
not require a globally unique IPv4 address embedded.

Figure 11-13 shows a typical application of the ISATAP tunnel.

Figure 11-13 Typical application of the ISATAP tunnel

[Figure: Host A (3::8) on the IPv6 network connects to the ISATAP Router. The ISATAP Router
(GE1/0/0 10.1.2.1; Tunnel 1 FE80::5EFE:0A01:0201, 1::5EFE:0A01:0201) connects across the
IPv4 network through ISATAP tunnels to Host B (10.1.2.5; FE80::5EFE:0A01:0205,
1::5EFE:0A01:0205) and Host C (10.1.2.6; FE80::5EFE:0A01:0206, 1::5EFE:0A01:0206).]

In Figure 11-13, Host B and Host C are located on an IPv4 network. They both support dual
protocol stacks and have private IPv4 addresses. You can perform the following operations to
enable the ISATAP function on Host B and Host C:

1. Configure an ISATAP tunnel interface to generate an interface ID based on the IPv4
address.
2. Encapsulate a link-local IPv6 address based on the interface ID. When a host obtains the
link-local IPv6 address, it can access the IPv6 network on the local link.
3. The host automatically obtains a global unicast IPv6 address and ULA address.
4. The host obtains an IPv4 address from the next hop IPv6 address as the destination
address, and forwards packets through the tunnel interface to communicate with another
IPv6 host. When the destination host is located on the same site as the source host, the
next hop address is the address of the source host. When the destination host is not
located on the local site, the next hop address is the address of the ISATAP device.

11.3 Configuration Notes

Involved Network Elements


None

License Support
IPv6 over IPv4 tunnel functions are basic functions of routers and can be obtained without
licenses.

Feature Dependencies and Limitations


• Among the AR500 series routers, the AR502G-L-D-H and AR502GR-L-D-H do not support
the IPv6 over IPv4 tunnel function.
• The AR510 series routers do not support the IPv6 over IPv4 tunnel function.

11.4 Configuring the IPv4/IPv6 Dual Stack


Pre-configuration Tasks
Before configuring an IPv4/IPv6 dual stack, configure link layer protocol parameters for
interfaces to ensure that the link layer protocol status on the interfaces is Up.

11.4.1 Enabling IPv6 Packet Forwarding

Context
To enable an interface to forward IPv6 packets, enable IPv6 packet forwarding in the system
view and in the interface view.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.


By default, IPv6 packet forwarding is disabled on the device.
To enable a device to forward IPv6 packets, enable IPv6 packet forwarding in the system
view; otherwise, the device fails to forward IPv6 packets even if an IPv6 address is
configured for an interface on the device.
Step 3 Run:
interface interface-type interface-number

The view of the interface to be enabled with IPv6 is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Before performing IPv6 configurations in the interface view, enable the IPv6 function in the
interface view.
By default, the IPv6 function is disabled on an interface.

----End

11.4.2 Configuring an IPv4 Address and an IPv6 Address for Respective Interfaces

Context
The device to be enabled with the dual stack must be configured with an IPv4 address on the
IPv4 network-side interface and an IPv6 address on the IPv6 network-side interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The IPv4 network-side interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length }

An IPv4 address is configured for the interface.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
interface interface-type interface-number

The IPv6 network-side interface view is displayed.


Step 6 Run the following commands as required.
• Run:
ipv6 address auto link-local

The interface is configured to automatically generate a link-local address.

• Run:
ipv6 address ipv6-address link-local

A link-local IPv6 address is manually configured for the interface.

• Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

A global unicast IPv6 address is configured for the interface.

• Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

An IPv6 address in EUI-64 format is configured for the interface.

----End

11.4.3 Checking the Configuration


Prerequisites
All configurations of the IPv4/IPv6 dual stack are complete.

Procedure
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 attributes of an interface.
----End

11.5 Configuring an IPv6 over IPv4 Tunnel


An IPv6 over IPv4 tunnel connects IPv6 networks through an IPv4 network.

Prerequisites
Source and destination devices of an IPv6 over IPv4 tunnel must have forwarding routes.

Pre-configuration Tasks
Before configuring an IPv6 over IPv4 tunnel, complete the following task:
• 11.4 Configuring the IPv4/IPv6 Dual Stack

Configuration Process
You can perform the following configuration tasks in any sequence according to usage
scenarios shown in Table 11-1.

Table 11-1 Usage scenarios of IPv6 over IPv4 tunnels


Subcategory | Tunnel Source/Destination IP Address | Tunnel Interface IP Address | Usage Scenario

Manual IPv6 over IPv4 tunnel | Source and destination IP addresses use manually configured IPv4 addresses. | IPv6 address | Applies to simple IPv6 networks or point-to-point connections. Only IPv6 packets can be transmitted over the manual IPv6 over IPv4 tunnel.

IPv6 over IPv4 GRE tunnel | Source and destination IP addresses use manually configured IPv4 addresses. | IPv6 address | Applies to simple IPv6 networks or point-to-point connections. The IPv6 over IPv4 GRE tunnel supports multiple upper-layer protocols including IPv6.

Automatic IPv6 over IPv4 tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | IPv6 address that is compatible with an IPv4 address in the format of ::IPv4-source-address/96 | Applies to point-to-multipoint connections of IPv6 hosts.

6to4 tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | 6to4 address in the format of 2002:IPv4-source-address::/48 | Applies to point-to-multipoint connections on IPv6 networks.

ISATAP tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | ISATAP address in the format of Prefix: 0 | Applies to connections of IPv6 nodes on an IPv4 network.

11.5.1 Configuring a Manual IPv6 over IPv4 Tunnel

Context
When configuring a manual IPv6 over IPv4 tunnel, note the following points:

• You must create a tunnel interface before setting tunnel parameters.
• When the specified tunnel source interface is a physical interface, you are advised to set
the tunnel number and the tunnel source interface number to be the same.
• The following configurations must be performed on devices at both ends of the tunnel.
• To support a dynamic routing protocol, you can configure a network address for the
tunnel interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.

Step 3 Run:
tunnel-protocol ipv6-ipv4

The tunnel mode is set to manual.

Step 4 Run:
source { ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.

NOTE
You can specify a physical interface or a loopback interface as the source interface of a tunnel. Similarly,
you can specify the IP address of a physical interface or loopback interface as the source address of the
tunnel.

Step 5 Run:
destination dest-ip-address

A destination address is specified for the tunnel.

NOTE

The destination address of a tunnel can be the IP address of a physical interface or loopback interface.

Step 6 Run:
ipv6 enable

The IPv6 function is enabled on the interface.

Step 7 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.

----End

11.5.2 Configuring an Automatic IPv6 over IPv4 Tunnel

Context
When configuring an automatic IPv6 over IPv4 tunnel, pay attention to the following points:

• You must create a tunnel interface before setting tunnel parameters.
• You are advised to set the tunnel number to be the same as the number of the source
physical interface of the tunnel when the source interface of the tunnel is specified as a
physical interface.
• You only need to specify the source address of the tunnel when an automatic tunnel is
configured. The destination address of the tunnel is obtained from the destination address
of the original IPv6 packet. In addition, the source addresses of an automatic tunnel must
be unique.
• Ensure that the IPv6 address configured for the tunnel interface is compatible with an
IPv4 address. In the IPv6 address, the high-order 96 bits are all 0s, and the last 32 bits are
the IPv4 address configured for the IPv4 network-side interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.

Step 3 Run:
tunnel-protocol ipv6-ipv4 auto-tunnel

The tunnel mode is set to automatic.

Step 4 Run:
source { ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.

Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.

Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.

----End

11.5.3 Configuring a 6to4 Tunnel

Context
When configuring a 6to4 tunnel, note the following points:

• You must create a tunnel interface before setting tunnel parameters.
• You are advised to set the tunnel number to be the same as the number of the source
physical interface of the tunnel.
• You only need to specify the source address of the tunnel when a 6to4 tunnel is
configured. The destination address of the tunnel is obtained from the destination address
of the original IPv6 packet. In addition, the source address of a 6to4 tunnel must be
unique.
• You need to configure a 6to4 address for the interface that connects a border device to
the 6to4 network, and an IPv4 address for the interface that connects a border device to
the IPv4 network. You also need to configure a network address for the tunnel interface
to support a dynamic routing protocol.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.

Step 3 Run:
tunnel-protocol ipv6-ipv4 6to4

The tunnel mode is set to 6to4.

Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.

Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.

Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.

NOTE

The IPv6 address prefix of the specified tunnel interface must be the same as the address prefix of the
6to4 network that the device belongs to.

----End

Follow-up Procedure
Connect to an IPv6 network through a 6to4 relay agent. The procedure for connecting to an
IPv6 network through a 6to4 relay agent is similar to the procedure for configuring a 6to4
tunnel. For details, see Example for Configuring 6to4 Relay.

11.5.4 Configuring an ISATAP Tunnel


Context
When configuring an ISATAP tunnel, note the following points:
• You must create a tunnel interface before setting tunnel parameters.
• You are advised to set the tunnel number to be the same as the number of the source
physical interface of the tunnel.
• You can specify an IP address or interface name for the source interface (the source
interface of a tunnel is the physical interface that forwards tunnel packets).
• You need to configure an ISATAP address with a 64-bit prefix-length as the IPv6 address
of a tunnel interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4 isatap

The tunnel mode is set to ISATAP.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.


Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.


Step 7 Run:
undo ipv6 nd ra halt

The device is enabled to send router advertisement (RA) packets.

----End

11.5.5 Checking the Configuration


Prerequisites
All configurations of the IPv6 over IPv4 tunnel are complete.

Procedure
• Run the display ipv6 interface tunnel interface-number command to check IPv6
attributes of a tunnel interface.
----End
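
An added example (not Huawei's code or tooling): an offline check, in Python, of the address rules stated in 11.5.1 to 11.5.4 and Table 11-1 against the commands entered in one tunnel interface view. The function names are hypothetical, the command lines in the demo are constructed from the page's own sample values, and the ISATAP interface ID 0000:5EFE:IPv4-address is the one shown in Figure 11-12 and Figure 11-13.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # strips e.g. "[RouterA-Tunnel0/0/1] "


def parse_tunnel_view(lines):
    """Collect the tunnel settings from commands typed in one tunnel interface view."""
    cfg = {"mode": None, "source": None, "destination": None,
           "ipv6_enable": False, "addresses": []}
    for raw in lines:
        words = PROMPT.sub("", raw).split()
        if words[:2] == ["tunnel-protocol", "ipv6-ipv4"]:
            cfg["mode"] = words[2] if len(words) > 2 else "manual"
        elif words[:1] == ["source"] and len(words) > 1:
            cfg["source"] = " ".join(words[1:])      # IPv4 address or interface name
        elif words[:1] == ["destination"] and len(words) > 1:
            cfg["destination"] = words[1]
        elif words == ["ipv6", "enable"]:
            cfg["ipv6_enable"] = True
        elif words[:2] == ["ipv6", "address"]:
            rest = words[2:]
            if len(rest) == 2 and rest[1].isdigit():  # "ipv6-address prefix-length" form
                rest = [rest[0] + "/" + rest[1]]
            if len(rest) == 1 and "/" in rest[0]:      # link-local and eui-64 forms are skipped
                cfg["addresses"].append(ipaddress.IPv6Interface(rest[0]))
    return cfg


def check_tunnel(cfg, source_ipv4=None):
    """Return a list of findings; an empty list means the view follows the rules.
    source_ipv4 supplies the IPv4 address when 'source' names an interface."""
    mode = cfg["mode"]
    if mode is None:
        return ["tunnel-protocol ipv6-ipv4 is not configured"]
    findings = []
    if not cfg["ipv6_enable"]:
        findings.append("ipv6 enable is missing")
    if cfg["source"] is None:
        findings.append("source is missing")
    if not cfg["addresses"]:
        findings.append("no IPv6 address on the tunnel interface")
    if mode == "manual":
        if cfg["destination"] is None:
            findings.append("manual tunnel has no destination")
        return findings
    # The automatic modes embed the source IPv4 address in the interface address.
    try:
        src = int(ipaddress.IPv4Address(source_ipv4 or cfg["source"]))
    except ValueError:
        return findings + ["source IPv4 address unknown; pass source_ipv4 to check the address"]
    for iface in cfg["addresses"]:
        value, plen = int(iface.ip), iface.network.prefixlen
        if mode == "auto-tunnel":      # ::IPv4-source-address/96
            ok = value == src and plen == 96
        elif mode == "6to4":           # inside 2002:IPv4-source-address::/48
            ok = iface.ip in ipaddress.IPv6Network(((0x2002 << 112) | (src << 80), 48))
        elif mode == "isatap":         # 64-bit prefix, interface ID 0000:5EFE:IPv4
            iid = value & 0xFCFFFFFFFFFFFFFF   # low 64 bits with the u and g bits cleared
            ok = plen == 64 and iid == ((0x5EFE << 32) | src)
        else:
            return findings + ["unknown tunnel mode %s" % mode]
        if not ok:
            findings.append("%s does not match %s source %s"
                            % (iface, mode, ipaddress.IPv4Address(src)))
    return findings


if __name__ == "__main__":
    # Constructed input: an automatic tunnel whose address embeds the wrong IPv4 address.
    view = ["tunnel-protocol ipv6-ipv4 auto-tunnel", "source 1.1.1.1",
            "ipv6 enable", "ipv6 address ::2.1.1.1/96"]
    for finding in check_tunnel(parse_tunnel_view(view)):
        print(finding)
```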

11.6 Maintaining the IPv6 over IPv4 Tunnel

11.6.1 Monitoring the Running Status of the IPv6 over IPv4 Tunnel

Context
In routine maintenance, you can run the following command in any view to monitor the
running status of the IPv6 over IPv4 tunnel.

Procedure
• Run the display ipv6 interface tunnel interface-number command in any view to
monitor the running status of the tunnel interface.
----End

11.7 Configuration Examples


11.7.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
Networking Requirements
Figure 11-14 shows two IPv6 networks connected to RouterB on an IPv4 backbone network
through RouterA and RouterC respectively. Hosts on the two IPv6 networks are required to
communicate through the IPv4 backbone network.

Figure 11-14 Networking diagram for configuring a manual IPv6 over IPv4 tunnel

[Figure: IPv6 network - RouterA (dual stack, GE1/0/0 192.168.50.2/24) - Router B on the IPv4
network (GE1/0/0 192.168.50.1/24, GE2/0/0 192.168.51.1/24) - RouterC (dual stack, GE1/0/0
192.168.51.2/24) - IPv6 network.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel
interfaces so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can
communicate through the IPv4 backbone network.

Procedure
Step 1 Configure RouterA.

# Configure an IP address for an interface.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit

# Set the tunnel protocol to IPv6-IPv4.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4

# Configure an IPv6 address, a source interface, and a destination address for the tunnel
interface.
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 2001::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] destination 192.168.51.2
[RouterA-Tunnel0/0/1] quit

# Configure a static route.


[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1

Step 2 Configure RouterB.


# Configure IP addresses for interfaces.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

Step 3 Configure RouterC.


# Configure an IP address for an interface.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] undo portswitch
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit

# Set the tunnel protocol to IPv6-IPv4.


[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol ipv6-ipv4

# Configure an IPv6 address, a source interface, and a destination address for the tunnel
interface.
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 2001::2/64
[RouterC-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterC-Tunnel0/0/1] destination 192.168.50.2
[RouterC-Tunnel0/0/1] quit

# Configure a static route.


[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1

Step 4 Verify the configuration.


# Ping the IPv4 address of GE1/0/0 on RouterA from RouterC. RouterC can receive a Reply
packet from RouterA.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms

# Ping the IPv6 address of Tunnel0/0/1 on RouterA from RouterC. RouterC can receive a
Reply packet from RouterA.

[RouterC] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

----End

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 2001::1/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

- Configuration file of RouterB


#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 192.168.51.1 255.255.255.0
#
return

- Configuration file of RouterC


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 192.168.51.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 2001::2/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return

11.7.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel

Networking Requirements
As shown in Figure 11-15, two IPv6 networks connect to RouterB on an IPv4 backbone
network respectively through RouterA and RouterC. An IPv6 over IPv4 GRE tunnel needs to
be set up between RouterA and RouterC so that hosts on the two IPv6 networks can
communicate.

Figure 11-15 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel

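[Figure: RouterA GE1/0/0 (10.1.1.1/24) connects to RouterB GE1/0/0 (10.1.1.2/24), and RouterB GE2/0/0 (10.1.2.1/24) connects to RouterC GE1/0/0 (10.1.2.2/24). The GRE tunnel runs between Tunnel0/0/1 on RouterA (fc02::1/64) and Tunnel0/0/1 on RouterC (fc02::2/64). PC1 (fc01::2/64) attaches to RouterA GE2/0/0 (fc01::1/64); PC2 (fc03::2/64) attaches to RouterC GE2/0/0 (fc03::1/64).]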

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 network.
2. Create tunnel interfaces on RouterA and RouterC, set up a GRE tunnel between them,
and specify the source and destination addresses of the tunnel interfaces, so that
encapsulated packets can be forwarded using OSPF routes. The source address is the IP
address of the interface sending packets, and the destination address is the IP address of
the interface receiving packets.
3. Configure static routes on RouterA and RouterC, so that traffic between PC1 and PC2
can be forwarded through the GRE tunnel. Set the destination address to the network
segment connected to the peer PC and the outbound interface to the tunnel interface on
the local device.

Procedure
Step 1 Configure an IP address for each physical interface.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] ipv6
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address fc01::1 64
[RouterA-GigabitEthernet2/0/0] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ip address 10.1.2.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] undo portswitch
[RouterC-GigabitEthernet1/0/0] ip address 10.1.2.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] ipv6
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] undo portswitch
[RouterC-GigabitEthernet2/0/0] ipv6 enable
[RouterC-GigabitEthernet2/0/0] ipv6 address fc03::1 64
[RouterC-GigabitEthernet2/0/0] quit

Step 2 Configure IPv4 static routes.


# Configure RouterA.
[RouterA] ip route-static 10.1.2.2 255.255.255.0 10.1.1.2

# Configure RouterC.
[RouterC] ip route-static 10.1.1.1 255.255.255.0 10.1.2.1

Step 3 Configure tunnel interfaces.


# Configure RouterA.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address fc02::1 64
[RouterA-Tunnel0/0/1] source 10.1.1.1
[RouterA-Tunnel0/0/1] destination 10.1.2.2
[RouterA-Tunnel0/0/1] quit

# Configure RouterC.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address fc02::2 64
[RouterC-Tunnel0/0/1] source 10.1.2.2
[RouterC-Tunnel0/0/1] destination 10.1.1.1
[RouterC-Tunnel0/0/1] quit

Step 4 Configure tunnel static routes.


# Configure RouterA.
[RouterA] ipv6 route-static fc03::1 64 tunnel 0/0/1

# Configure RouterC.
[RouterC] ipv6 route-static fc01::1 64 tunnel 0/0/1

Step 5 Verify the configuration.


# Ping the IPv4 address of RouterA from RouterC. RouterC can receive a Reply packet from
RouterA.
[RouterC] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms

# Ping the IPv6 address of RouterA from RouterC. RouterC can receive a Reply packet from
RouterA.
[RouterC] ping ipv6 fc01::1
PING fc01::1 : 56 data bytes, press CTRL_C to break
Reply from fc01::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from fc01::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from fc01::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from fc01::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from fc01::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- fc01::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

----End

Configuration Files
- Configuration file of RouterA

#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address fc01::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address fc02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
ipv6 route-static fc03:: 64 Tunnel0/0/1
#
return
- Configuration file of RouterB
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 10.1.2.1 255.255.255.0
#
return
- Configuration file of RouterC
#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address fc03::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address fc02::2/64
tunnel-protocol gre
source 10.1.2.2
destination 10.1.1.1
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
#
ipv6 route-static fc01:: 64 Tunnel0/0/1
#
return
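
A consistency check for the two ends of this GRE tunnel, as an added example that is not part of the Huawei guide. The parser and the checks are assumptions of this sketch and cover only manual and GRE tunnels with a configured destination; the embedded configurations are the RouterA and RouterC files above, trimmed to the sections the checks read.

```python
import ipaddress

# Constructed input: the GRE configuration files of RouterA and RouterC from
# this example, trimmed to the sections the checks read.
ROUTER_A = """#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address fc02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
"""
ROUTER_C = """#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address fc02::2/64
tunnel-protocol gre
source 10.1.2.2
destination 10.1.1.1
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1
"""


def key(name):
    return name.replace(" ", "").lower()  # "Tunnel 0/0/1" == "tunnel0/0/1"


def parse(cfg):
    """Split on '#' lines: interface views keep sub-commands, the rest is global."""
    views, glob, block = {}, [], []
    for line in cfg.splitlines() + ["#"]:
        line = line.strip()
        if line != "#":
            block += [line] if line else []
        elif block and block[0].lower().startswith("interface "):
            views[key(block[0].split(None, 1)[1])] = block[1:]
            block = []
        else:
            glob, block = glob + block, []
    return views, glob


def arg(cmds, keyword):
    """Return the arguments of the first command that starts with keyword."""
    return next((c[len(keyword):].strip() for c in cmds if c.startswith(keyword + " ")), None)


def tunnel_end(cfg):
    """Resolve one router's tunnel view into comparable values."""
    views, glob = parse(cfg)
    body = next(b for name, b in views.items() if name.startswith("tunnel"))
    src = arg(body, "source")
    if key(src) in views:  # source given as an interface name, not an address
        src = arg(views[key(src)], "ip address").split()[0]
    nets = [ipaddress.ip_interface("/".join(arg(b, "ip address").split()[:2])).network
            for b in views.values() if arg(b, "ip address")]
    nets += [ipaddress.ip_network("/".join(c.split()[2:4]), strict=False)
             for c in glob if c.startswith("ip route-static ")]
    return {"proto": arg(body, "tunnel-protocol"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(arg(body, "destination")),
            "v6": ipaddress.ip_interface(arg(body, "ipv6 address").replace(" ", "/")),
            "ipv6_on": "ipv6" in glob, "nets": nets}


def audit(cfg_a, cfg_b):
    """Return findings for a point-to-point tunnel; [] means both ends agree."""
    a, b = tunnel_end(cfg_a), tunnel_end(cfg_b)
    findings = []
    if a["proto"] != b["proto"]:
        findings.append(f"tunnel-protocol differs: {a['proto']} / {b['proto']}")
    if a["v6"].network != b["v6"].network:
        findings.append("tunnel IPv6 addresses are in different prefixes")
    for tag, near, far in (("A", a, b), ("B", b, a)):
        if not near["ipv6_on"]:
            findings.append(f"{tag}: IPv6 is not enabled globally")
        if near["dst"] != far["src"]:
            findings.append(f"{tag}: destination {near['dst']} is not the peer source {far['src']}")
        if not any(near["dst"] in net for net in near["nets"]):
            findings.append(f"{tag}: no IPv4 route covers destination {near['dst']}")
    return findings
```

Calling audit(ROUTER_A, ROUTER_C) returns an empty list for the configuration shown in this example; a wrong destination or a missing IPv4 static route on either end appears as a finding.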

11.7.3 Example for Configuring an Automatic IPv6 over IPv4 Tunnel

Networking Requirements
As shown in Figure 11-16, two IPv6 networks connect to an IPv4 backbone network through
RouterA and RouterB respectively. An automatic IPv6 over IPv4 tunnel needs to be set up
between RouterA and RouterB so that devices on the two IPv6 networks can communicate.

Figure 11-16 Networking diagram for configuring an automatic IPv6 over IPv4 tunnel

[Figure: dual-stack RouterA (GE1/0/0 2.1.1.1/8, Tunnel0/0/1 ::2.1.1.1/96) and dual-stack RouterB (GE1/0/0 2.1.1.2/8, Tunnel0/0/1 ::2.1.1.2/96) are connected across the IPv4 network; an IPv6 network sits behind each router.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the
IPv4 backbone network.
2. Configure IPv6 addresses and source interfaces for tunnel interfaces so that devices can
communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to automatic so that hosts on the two IPv6 networks can
communicate through the IPv4 network.

Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit

# Configure an automatic IPv6 over IPv4 tunnel.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address ::2.1.1.1/96
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] quit

Step 2 Configure RouterB.

# Configure an IPv4/IPv6 dual stack.


<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-GigabitEthernet1/0/0] quit

# Configure an automatic IPv6 over IPv4 tunnel.


[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterB-Tunnel0/0/1] ipv6 enable
[RouterB-Tunnel0/0/1] ipv6 address ::2.1.1.2/96
[RouterB-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterB-Tunnel0/0/1] quit

Step 3 Verify the configuration.

# View the IPv6 status of Tunnel0/0/1 on RouterA. You can see that the tunnel status is Up.
[RouterA] display ipv6 interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::2.1.1.1, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds

# Ping the IPv6 address of the peer device that is compatible with the IPv4 address from
RouterA. The IPv6 address is pinged successfully.
[RouterA] ping ipv6 ::2.1.1.2
PING ::2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from ::2.1.1.2
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from ::2.1.1.2
bytes=56 Sequence=2 hop limit=64 time = 40 ms
Reply from ::2.1.1.2
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from ::2.1.1.2
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::2.1.1.2
bytes=56 Sequence=5 hop limit=64 time = 50 ms
--- ::2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/34/50 ms

----End

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address ::2.1.1.1/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source GigabitEthernet1/0/0
#
return

- Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.2 255.0.0.0
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address ::2.1.1.2/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source GigabitEthernet1/0/0
#
return

11.7.4 Example for Configuring 6to4 Relay


Networking Requirements
As shown in Figure 11-17, the IPv6 network-side interface of 6to4 router RouterA connects
to a 6to4 network. RouterB is a 6to4 relay agent and connects to the IPv6 Internet (2001::/64).
RouterA and RouterB are connected through an IPv4 backbone network. A 6to4 tunnel needs
to be set up between RouterA and RouterB so that hosts on the 6to4 network and the IPv6
network can communicate.

Figure 11-17 Networking diagram for configuring 6to4 relay.

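[Figure: RouterA (GE1/0/0 2.1.1.1, GE2/0/0 2002:201:101:1::1/64, Tunnel0/0/1 2002:201:101::1/64) and RouterB (GE1/0/0 2.1.1.2, GE2/0/0 2001::1/64, Tunnel0/0/1 2002:201:102::1/64) are connected across the IPv4 network. PC1 (2002:201:101:1::2) is on the IPv6 network behind RouterA; PC2 (2002:201:102:1::2) is on the IPv6 network behind RouterB.]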

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on routers so that they can access the IPv4 network
and the IPv6 network.
2. Configure a 6to4 tunnel on routers to connect IPv6 networks through the IPv4 backbone
network.
3. Configure a static route between RouterA and RouterB so that they can communicate
through the IPv4 backbone network.

Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo portswitch
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] undo portswitch
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] quit

# Configure a static route to 2002::/16.


[RouterA] ipv6 route-static 2002:: 16 tunnel 0/0/1

# Configure a default route to the IPv6 network.


[RouterA] ipv6 route-static :: 0 2002:0201:0102::1

Step 2 Configure RouterB.


# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo portswitch
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] undo portswitch
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1/64
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.


[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0/0/1] ipv6 enable
[RouterB-Tunnel0/0/1] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterB-Tunnel0/0/1] quit

# Configure a static route to 2002::/16.


[RouterB] ipv6 route-static 2002:: 16 tunnel 0/0/1

Step 3 Verify the configuration.


# Ping the IPv6 address of GE2/0/0 on RouterB from RouterA. The IPv6 address is pinged
successfully.
[RouterA] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time = 29 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/29 ms

----End

Configuration Files
- Configuration file of RouterA

#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source GigabitEthernet1/0/0
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 0/0/1
#
return

- Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
undo portswitch
ipv6 enable
ipv6 address 2001::1/64
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source GigabitEthernet1/0/0
#
ipv6 route-static 2002:: 16 Tunnel 0/0/1
#
return

11.7.5 Example for Configuring an ISATAP Tunnel


Networking Requirements
As shown in Figure 11-18, an IPv6 host on the IPv4 network needs to connect to the IPv6
network through a border router. The IPv6 host and border router support ISATAP, so an
ISATAP tunnel needs to be set up between the IPv6 host and the border router.

Figure 11-18 Networking diagram for configuring an ISATAP tunnel

[Figure: the IPv6 host (FC01::2) on the IPv6 network connects to GE1/0/0 (FC01::1/64) of the ISATAP router; GE2/0/0 (2.1.1.1/8) of the router connects across the IPv4 network to the ISATAP host (2.1.1.2, FE80::5EFE:0201:0102, 2001::5EFE:0201:0102).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on the router so that the router can communicate with
devices on the IPv4 and IPv6 networks.
2. Configure an ISATAP tunnel on the router so that IPv6 hosts on the IPv4 network can
communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route.

Procedure
Step 1 Configure the ISATAP router.
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] undo portswitch
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address fc01::1/64
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] quit

# Configure an ISATAP tunnel.


[Router] interface tunnel 0/0/2
[Router-Tunnel0/0/2] tunnel-protocol ipv6-ipv4 isatap
[Router-Tunnel0/0/2] ipv6 enable
[Router-Tunnel0/0/2] ipv6 address 2001::/64 eui-64
[Router-Tunnel0/0/2] source gigabitethernet 2/0/0
[Router-Tunnel0/0/2] undo ipv6 nd ra halt
[Router-Tunnel0/0/2] quit

Step 2 Configure the ISATAP host.


The ISATAP host configuration depends on the operating system. A host running Windows 7 is
used as an example.
# Run the following commands to add a static route to the border router. IPv6 is installed
by default in the Windows 7 operating system.
C:\> netsh interface ipv6 isatap set router 2.1.1.1
C:\> netsh interface ipv6 isatap set router 2.1.1.1 enabled

# Check ISATAP interface information on the host.


C:\>ipconfig/all
Tunnel adapter Automatic Tunneling Pseudo-Interface isatap.
{895CA398-8C4F-4332-9558-642844FCB01B}:
Connection-specific DNS Suffix . . . . . . . :
Description . . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled . . . . . . . . . . . :No
Automatic configuration. . . . . . . . . . : YES
IP Address . . . . . . . . . . . . : 2001::200:5efe:2.1.1.2
IP Address. . . . . . . . : fe80::200:5efe:2.1.1.2%30
Default Gateway. . . . . . . . . . . . . : fe80::5efe:2.1.1.1%30
DNS Servers . . . . . . . . . . . : fc01:0:0:ffff::1%1
fc01:0:0:ffff::2%1
fc01:0:0:ffff::3%1
NetBIOS over Tcpip . . . . . . . : Disabled

The preceding information shows that the host obtains the prefix 2001::/64 and generates the
address 2001::200:5efe:2.1.1.2, and the ISATAP tunnel has been set up successfully.
Step 3 Configure the IPv6 host.
# Configure a static route to the border router tunnel on the IPv6 host so that PCs on two
different networks can communicate through the ISATAP tunnel.
C:\> netsh interface ipv6 set route 2001::/64 fc01::1

Step 4 Verify the configuration.


# View the IPv6 status of Tunnel0/0/2 on the ISATAP router.
[Router] display ipv6 interface Tunnel 0/0/2
Tunnel0/0/2 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::5EFE:201:101
Global unicast address(es):
2001::5EFE:201:101, subnet is 2001::/64
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses

# Ping the global unicast address of the tunnel interface on the ISATAP host running the
Windows XP operating system from the ISATAP router.
[Router] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=2 hop limit=64 time = 3 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- 2001::5efe:2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms

# Ping the global unicast address of the ISATAP router from the ISATAP host running the
Windows XP operating system.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Ping the IPv6 host from the ISATAP host running the Windows XP operating system. They
can ping each other.
C:\> ping6 fc01::2
Pinging fc01::2 with 32 bytes of data:
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Reply from fc01::2: time<1ms
Ping statistics for fc01::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files
Configuration file of the ISATAP router
#
sysname Router
#
ipv6
#
interface GigabitEthernet1/0/0
undo portswitch
ipv6 enable
ipv6 address fc01::1/64
#
interface GigabitEthernet2/0/0
undo portswitch
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel0/0/2
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source GigabitEthernet2/0/0
#
return
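
The automatic, 6to4 and ISATAP examples in 11.7.3 to 11.7.5 configure a tunnel source but no destination, because the IPv4 endpoint is carried inside the IPv6 address itself. The following added example (not part of the Huawei guide; function names are this sketch's own) derives each address form from the IPv4 address of the source interface, recovers the embedded IPv4 endpoint, and checks the addresses that appear in this section.

```python
import ipaddress


def ipv4_compatible(v4):
    """Automatic tunnel: ::a.b.c.d, the IPv4 address in the low 32 bits."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixto4_prefix(v4):
    """6to4: 2002:<IPv4 address>::/48."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))


def isatap_address(prefix, v4):
    """ISATAP: <64-bit prefix>:0:5EFE:a.b.c.d."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(
        int(net.network_address) | (0x5EFE << 32) | int(ipaddress.IPv4Address(v4)))


def embedded_ipv4(v6):
    """Return (tunnel kind, IPv4 endpoint) encoded in an IPv6 address,
    or (None, None) when the address embeds no IPv4 endpoint."""
    n = int(ipaddress.IPv6Address(v6))
    low32 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 112 == 0x2002:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    # ISATAP interface identifiers appear as 0000:5EFE or, with the
    # universal bit set, 0200:5EFE (the form in the ipconfig output above).
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return "isatap", low32
    if n >> 32 == 0 and n > 1:  # excludes :: and ::1
        return "auto-tunnel", low32
    return None, None


# Constructed from this section's examples: an IPv6 address taken from the
# page and the IPv4 address it is expected to encode.
PAGE_ADDRESSES = [
    ("::2.1.1.1", "2.1.1.1"),               # 11.7.3 RouterA Tunnel0/0/1
    ("::2.1.1.2", "2.1.1.2"),               # 11.7.3 RouterB Tunnel0/0/1
    ("2002:0201:0101::1", "2.1.1.1"),       # 11.7.4 RouterA Tunnel0/0/1
    ("2002:0201:0102::1", "2.1.1.2"),       # 11.7.4 RouterB tunnel, RouterA default-route next hop
    ("2001::5EFE:201:101", "2.1.1.1"),      # 11.7.5 router Tunnel0/0/2 (display output)
    ("2001::200:5efe:2.1.1.2", "2.1.1.2"),  # 11.7.5 ISATAP host (ipconfig output)
]


def mismatches(pairs):
    """List the addresses whose embedded IPv4 endpoint is not the expected one."""
    return [(v6, v4) for v6, v4 in pairs
            if embedded_ipv4(v6)[1] != ipaddress.IPv4Address(v4)]
```

An empty result from mismatches(PAGE_ADDRESSES) confirms that every tunnel address in these examples encodes the IPv4 address of its source interface.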

12 IPv4 over IPv6 Tunnel Configuration

About This Chapter

During the later stage of IPv4 to IPv6 transition, the IPv4 over IPv6 tunnel is used to connect
isolated IPv4 sites.

12.1 IPv4 over IPv6 Tunnel Overview


A tunnel on an IPv6 network connects isolated IPv4 sites to other isolated IPv4 networks
through the IPv6 public network.
12.2 Configuration Notes
12.3 Configuring an IPv4 over IPv6 Tunnel
To establish IPv4 over IPv6 tunnels, you need to enable the IPv4/IPv6 dual stack on border
devices to forward IPv4 packets with the IPv6 header.
12.4 Maintaining the IPv4 over IPv6 Tunnel
Maintaining the IPv4 over IPv6 tunnel includes monitoring the running status of the IPv4 over
IPv6 tunnel.
12.5 Configuration Examples
This section provides configuration examples of the IPv4 over IPv6 tunnel.

12.1 IPv4 over IPv6 Tunnel Overview


A tunnel on an IPv6 network connects isolated IPv4 sites to other isolated IPv4 networks
through the IPv6 public network.
During the later stage of IPv4 to IPv6 transition, a large number of IPv6 networks have been
deployed and isolated IPv4 sites may exist. You can create a tunnel on an IPv6 network to
connect isolated IPv4 sites, which is similar to deploying a VPN on the IP network using
tunneling technology. The tunnel connecting isolated IPv4 sites on the IPv6 network is called
an IPv4 over IPv6 tunnel.
Figure 12-1 shows how to apply the IPv4 over IPv6 tunnel.

Figure 12-1 Networking diagram for applying the IPv4 over IPv6 tunnel
[Figure: IPv4 hosts on two IPv4 networks reach each other through dual-stack routers at the edges of an IPv6 network, with the IPv4 over IPv6 tunnel between the two routers. On each IPv4 network the packet is IPv4 Header + IPv4 Payload; inside the tunnel it is IPv6 Header + IPv4 Header + IPv4 Payload.]

1. On the border device, the IPv4/IPv6 dual protocol stack is enabled and the IPv4 over
IPv6 tunnel is configured.
2. After the border device receives a packet not destined for it from the IPv4 network, the
device appends an IPv6 header to the IPv4 packet and encapsulates the IPv4 packet as an
IPv6 packet.
3. On the IPv6 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv6 header, and sends
the decapsulated IPv4 packet to the IPv4 network.

12.2 Configuration Notes

Involved Network Elements


None

License Support
IPv4 over IPv6 tunnel functions are basic functions of routers and can be obtained without
licenses.

Feature Dependencies and Limitations


- Among the AR500 series routers, the AR502G-L-D-H and AR502GR-L-D-H do not support
the IPv4 over IPv6 tunnel function.
- The AR510 series routers do not support the IPv4 over IPv6 tunnel function.

12.3 Configuring an IPv4 over IPv6 Tunnel


To establish IPv4 over IPv6 tunnels, you need to enable the IPv4/IPv6 dual stack on border
devices to forward IPv4 packets with the IPv6 header.

Pre-configuration Tasks
Before configuring an IPv4 over IPv6 tunnel, complete the following task:

- 11.4 Configuring the IPv4/IPv6 Dual Stack

12.3.1 Configuring a Tunnel Interface

Context
Configuring a tunnel interface includes configuring the protocol type, source address,
destination address, and IP address.

NOTE

The device does not support fragmentation of packets that are transmitted over the IPv4 over IPv6
tunnel. Therefore, the IPv4 MTU of the tunnel interface must meet the following conditions:
IPv4 MTU of the tunnel interface < ( IPv6 MTU of the physical interface - Header length of IPv6
packets on the IPv4 over IPv6 tunnel )
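
The encapsulation steps in 12.1 and the MTU condition in the NOTE above, worked through in Python as an added example (not code from the guide or from the device). It assumes the tunnel adds only the fixed 40-byte IPv6 header with no extension headers; the addresses are constructed documentation values, the hop limit 64 and flow label 0 are the tunnel defaults this guide gives in 12.3.3, and the checks in decapsulate() are what a careful receiver would verify, not a statement of the device's behaviour.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # fixed IPv6 header only (assumption: no extension headers)
PROTO_IPV4 = 4        # Next Header value for an encapsulated IPv4 packet


def checksum(data):
    """Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, payload, ttl=64):
    """Build a minimal IPv4 packet (protocol 253, reserved for experiments)."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 253, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def tunnel_mtu_ok(ipv4_mtu, ipv6_mtu):
    """The NOTE's condition: IPv4 MTU < IPv6 MTU - tunnel IPv6 header length."""
    return ipv4_mtu < ipv6_mtu - IPV6_HEADER_LEN


def encapsulate(inner, src6, dst6, ipv6_mtu=1500, hop_limit=64, flow_label=0):
    """Border device (step 2): prepend an IPv6 header to the IPv4 packet."""
    if len(inner) + IPV6_HEADER_LEN > ipv6_mtu:
        raise ValueError("packet exceeds the IPv6 MTU and the tunnel does not fragment")
    word0 = (6 << 28) | (flow_label & 0xFFFFF)  # version 6, traffic class 0
    head = struct.pack("!IHBB", word0, len(inner), PROTO_IPV4, hop_limit)
    return (head + ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed + inner)


def decapsulate(packet, local6, peer6):
    """Remote border device (step 4): validate the outer header and
    return the inner IPv4 packet."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    word0, length, next_header, _hop = struct.unpack("!IHBB", packet[:8])
    src, dst, inner = packet[8:24], packet[24:40], packet[IPV6_HEADER_LEN:]
    if word0 >> 28 != 6 or next_header != PROTO_IPV4:
        raise ValueError("not an IPv4-in-IPv6 packet")
    if (src != ipaddress.IPv6Address(peer6).packed
            or dst != ipaddress.IPv6Address(local6).packed):
        raise ValueError("outer addresses do not match the configured tunnel")
    ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if length != len(inner) or ihl < 20 or len(inner) < ihl or inner[0] >> 4 != 4:
        raise ValueError("payload is not a complete IPv4 packet")
    if struct.unpack("!H", inner[2:4])[0] != len(inner) or checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header is inconsistent")
    return inner


def demo():
    """Round trip with constructed addresses: inner size, outer size, match."""
    inner = ipv4_packet("192.0.2.10", "198.51.100.20", b"hello")
    outer = encapsulate(inner, "2001:db8:1::1", "2001:db8:2::1")
    back = decapsulate(outer, local6="2001:db8:2::1", peer6="2001:db8:1::1")
    return len(inner), len(outer), back == inner
```

With a 1500-byte IPv6 MTU on the physical interface, tunnel_mtu_ok() accepts a tunnel IPv4 MTU of 1459 and rejects 1460, which is the strict inequality the NOTE states.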

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv4-ipv6

The tunnel type is set to IPv4 over IPv6.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source IPv6 address or source interface is configured.


Step 5 Run:
destination dest-ip-address

The destination address is configured.


Step 6 Run the following commands as required.
- Run:
ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is configured for the tunnel interface.


- Run:
ip address unnumbered interface interface-type interface-number

The tunnel interface is configured to borrow an IPv4 address.

----End

12.3.2 Configuring a Tunnel Route


Context
Packets can be forwarded correctly only when devices at the two ends of a tunnel are
configured with forwarding routes. Perform the following configurations on devices at each
end of the tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Use either of the following methods to configure routes passing through a tunnel interface.
• Run:
ip route-static ip-address { mask | mask-length } tunnel interface-number

A static route is configured.

The static route must be configured on both ends of the tunnel. The destination address is
the destination IPv4 address of the packets before they are encapsulated into IPv6 packets,
and the next hop is the local tunnel interface.
• Configure a dynamic route. Dynamic routes can be configured using an IGP (excluding IS-IS)
or BGP. The configuration method is not described here.
When configuring a dynamic routing protocol, enable the protocol on the tunnel
interface and on the interface on the link connecting the IPv4 network and IPv6 network.

----End

12.3.3 Performing Other IPv4 over IPv6 Tunnel Configurations


Context
You can perform one or more of the following configurations to optimize IPv4 over IPv6
tunnel performance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
tunnel ipv4-ipv6 encapsulation-limit encapsulation-limit

The maximum encapsulation count of an IPv6 packet is specified.


By default, an IPv4-over-IPv6 packet can be encapsulated four times.


Step 4 Run:
tunnel ipv4-ipv6 flow-label label-value

The flow label value is set.

By default, the flow label value is 0.

Step 5 Run:
tunnel ipv4-ipv6 hop-limit hop-limit

The maximum number of hops is set.

By default, the maximum number of hops is 64.

Step 6 Run:
tunnel ipv4-ipv6 traffic-class { original | class-value }

The traffic class is set.

By default, the traffic class is 0.

----End

12.3.4 Checking the Configuration

Prerequisites
All configurations of the IPv4 over IPv6 tunnel are complete.

Procedure
• Run the display interface tunnel [ interface-number ] command to check the running
status of the tunnel interface.
• Run the display ip routing-table command to check the routing table.

----End

12.4 Maintaining the IPv4 over IPv6 Tunnel


Maintaining the IPv4 over IPv6 tunnel includes monitoring the running status of the IPv4 over
IPv6 tunnel.

12.4.1 Monitoring the Running Status of the IPv4 over IPv6 Tunnel

Context
In routine maintenance, you can run the following command in any view to monitor the
running status of the IPv4 over IPv6 tunnel.


Procedure
• Run the display interface tunnel [ interface-number ] command in any view to monitor
the running status of the tunnel interface.

----End

12.5 Configuration Examples


This section provides configuration examples of the IPv4 over IPv6 tunnel.

12.5.1 Example for Configuring an IPv4 over IPv6 Tunnel


Networking Requirements
In Figure 12-2, two IPv4 networks connect to an IPv6 network through RT1 and RT5. Border
devices RT2 and RT4 on the IPv6 network support the IPv4/IPv6 dual stack. An IPv4 over
IPv6 tunnel needs to be set up between RT2 and RT4 so that physically isolated IPv4
networks can communicate.


Figure 12-2 Networking diagram for configuring an IPv4 over IPv6 tunnel

[Figure 12-2 topology, as recoverable from the diagram labels:
RT1 GE1/0/0 10.1.2.2/30 -- RT2 GE1/0/0 10.1.2.1/30 (IPv4 network)
RT2 GE2/0/0 fc00:1::1/64 -- RT3 GE1/0/0 fc00:1::2/64 (IPv6 network)
RT3 GE2/0/0 fc00:2::1/64 -- RT4 GE1/0/0 fc00:2::2/64 (IPv6 network)
RT4 GE2/0/0 10.1.3.1/30 -- RT5 GE1/0/0 10.1.3.2/30 (IPv4 network)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6
network.
2. Use a dynamic routing protocol to configure a route for the tunnel interface to forward
packets.


Procedure
Step 1 Configure an IPv6 address for the physical interface and enable IPv6 capability for IS-IS on
the IPv6 network to implement IP connectivity of the IPv6 network.
# Configure RT2.
<Huawei> system-view
[Huawei] sysname RT2
[RT2] ipv6
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] undo portswitch
[RT2-GigabitEthernet2/0/0] ipv6 enable
[RT2-GigabitEthernet2/0/0] ipv6 address fc00:1::1 64
[RT2-GigabitEthernet2/0/0] quit
[RT2] isis 1
[RT2-isis-1] network-entity 10.0000.0000.0001.00
[RT2-isis-1] ipv6 enable topology standard
[RT2-isis-1] quit
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT2-GigabitEthernet2/0/0] quit

# Configure RT3.
<Huawei> system-view
[Huawei] sysname RT3
[RT3] ipv6
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] undo portswitch
[RT3-GigabitEthernet1/0/0] ipv6 enable
[RT3-GigabitEthernet1/0/0] ipv6 address fc00:1::2 64
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] undo portswitch
[RT3-GigabitEthernet2/0/0] ipv6 enable
[RT3-GigabitEthernet2/0/0] ipv6 address fc00:2::1 64
[RT3-GigabitEthernet2/0/0] quit
[RT3] isis 1
[RT3-isis-1] network-entity 10.0000.0000.0002.00
[RT3-isis-1] ipv6 enable topology standard
[RT3-isis-1] quit
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet2/0/0] quit

# Configure RT4.
<Huawei> system-view
[Huawei] sysname RT4
[RT4] ipv6
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] undo portswitch
[RT4-GigabitEthernet1/0/0] ipv6 enable
[RT4-GigabitEthernet1/0/0] ipv6 address fc00:2::2 64
[RT4-GigabitEthernet1/0/0] quit
[RT4] isis 1
[RT4-isis-1] network-entity 10.0000.0000.0003.00
[RT4-isis-1] ipv6 enable topology standard
[RT4-isis-1] quit
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT4-GigabitEthernet1/0/0] quit

Step 2 Configure an IPv4 address for the physical interface and configure OSPF on the IPv4 network
to implement IP connectivity of the IPv4 network.


# Configure RT1.
<Huawei> system-view
[Huawei] sysname RT1
[RT1] interface gigabitethernet 1/0/0
[RT1-GigabitEthernet1/0/0] undo portswitch
[RT1-GigabitEthernet1/0/0] ip address 10.1.2.2 30
[RT1-GigabitEthernet1/0/0] quit
[RT1] ospf 1
[RT1-ospf-1] area 0
[RT1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure RT2.
[RT2] interface gigabitethernet 1/0/0
[RT2-GigabitEthernet1/0/0] undo portswitch
[RT2-GigabitEthernet1/0/0] ip address 10.1.2.1 30
[RT2-GigabitEthernet1/0/0] quit
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure RT4.
[RT4] interface gigabitethernet 2/0/0
[RT4-GigabitEthernet2/0/0] undo portswitch
[RT4-GigabitEthernet2/0/0] ip address 10.1.3.1 30
[RT4-GigabitEthernet2/0/0] quit
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

# Configure RT5.
<Huawei> system-view
[Huawei] sysname RT5
[RT5] interface gigabitethernet 1/0/0
[RT5-GigabitEthernet1/0/0] undo portswitch
[RT5-GigabitEthernet1/0/0] ip address 10.1.3.2 30
[RT5-GigabitEthernet1/0/0] quit
[RT5] ospf 1
[RT5-ospf-1] area 0
[RT5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

Step 3 Configure a tunnel interface.

# Create a tunnel interface, and configure an IPv4 address, a source IPv6 address (or source
interface), and a destination IPv6 address for the tunnel interface.

# Configure RT2.
[RT2] interface tunnel 0/0/2
[RT2-Tunnel0/0/2] tunnel-protocol ipv4-ipv6
[RT2-Tunnel0/0/2] ip address 10.1.1.1 30
[RT2-Tunnel0/0/2] source gigabitethernet 2/0/0
[RT2-Tunnel0/0/2] destination fc00:2::2

# Configure RT4.
[RT4] interface tunnel 0/0/1
[RT4-Tunnel0/0/1] tunnel-protocol ipv4-ipv6
[RT4-Tunnel0/0/1] ip address 10.1.1.2 30
[RT4-Tunnel0/0/1] source gigabitethernet 1/0/0
[RT4-Tunnel0/0/1] destination fc00:1::1

Step 4 Use a dynamic routing protocol to configure a route for the tunnel interface to forward
packets.

# Configure RT2.
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[RT2-ospf-1-area-0.0.0.0] quit
[RT2-ospf-1] quit

# Configure RT4.
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3

Step 5 Verify the configuration.

# After the preceding configurations are complete, check the tunnel interface status on RT2
and RT4.
[RT2] display interface tunnel 0/0/2
Tunnel0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time: 2010-06-22, 19:33:19
Description : HUAWEI, AR Series, Tunnel0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPv4) over IPv6
Tunnel Source fc00:1::1 (GigabitEthernet2/0/0)
Tunnel Destination fc00:2::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
Current system time: 2012-09-05 10:28:33
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
102 seconds input rate 0 bits/sec, 0 packets/sec
102 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : --
Output bandwidth utilization : --

You can see that the protocol status of the tunnel interface is Up.

# Check the IPv4 routing table on RT2 and RT4.


[RT2] display ip routing-table
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost  NextHop         Interface
1.1.1.1/32          Direct  0    0     127.0.0.1       InLoopBack0
10.1.1.0/30         Direct  0    0     10.1.1.1        Tunnel0/0/2
10.1.1.1/32         Direct  0    0     127.0.0.1       Tunnel2/0/0
10.1.2.0/30         Direct  0    0     10.1.2.1        GigabitEthernet1/0/0
10.1.2.1/32         Direct  0    0     127.0.0.1       GigabitEthernet1/0/0
10.1.2.2/32         Direct  0    0     10.1.2.2        GigabitEthernet1/0/0
10.1.3.0/24         OSPF    10   2     10.1.1.2        Tunnel0/0/2
127.0.0.0/8         Direct  0    0     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     127.0.0.1       InLoopBack0

You can see that the outbound interface of the route to the remote IPv4 network is a tunnel
interface.

# RT1 and RT5 can ping each other.

----End


Configuration Files
• Configuration file of RT1

#
sysname RT1
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.1.2.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
#
return

• Configuration file of RT2

#
sysname RT2
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0001.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.1.2.1 255.255.255.252
#
interface GigabitEthernet2/0/0
 undo portswitch
 ipv6 enable
 ipv6 address fc00:1::1/64
 isis ipv6 enable 1
#
interface Tunnel0/0/2
 ip address 10.1.1.1 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet2/0/0
 destination fc00:2::2
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
  network 10.1.1.0 0.0.0.3
#
return

• Configuration file of RT3

#
sysname RT3
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0002.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 undo portswitch
 ipv6 enable
 ipv6 address fc00:1::2/64
 isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
 undo portswitch
 ipv6 enable
 ipv6 address fc00:2::1/64
 isis ipv6 enable 1
#
return

• Configuration file of RT4

#
sysname RT4
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0003.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 undo portswitch
 ipv6 enable
 ipv6 address fc00:2::2/64
 isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip address 10.1.3.1 255.255.255.252
#
interface Tunnel0/0/1
 ip address 10.1.1.2 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet1/0/0
 destination fc00:1::1
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.1.3.0 0.0.0.3
#
return

• Configuration file of RT5

#
sysname RT5
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip address 10.1.3.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.3
#
return
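
The tunnel comes up only when the two ends mirror each other: each end's destination must be the IPv6 address behind the other end's source, and both tunnel IPv4 addresses must sit in one subnet. The following Python check is an added example, not part of the Huawei guide; it reads the RT2 and RT4 stanzas shown above, its function names are hypothetical, and it assumes a numbered tunnel address (not "ip address unnumbered").

```python
import ipaddress

# Constructed input: tunnel-related stanzas copied from the RT2 and RT4 files above.
RT2 = """interface GigabitEthernet2/0/0
 ipv6 address fc00:1::1/64
#
interface Tunnel0/0/2
 ip address 10.1.1.1 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet2/0/0
 destination fc00:2::2"""
RT4 = """interface GigabitEthernet1/0/0
 ipv6 address fc00:2::2/64
#
interface Tunnel0/0/1
 ip address 10.1.1.2 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet1/0/0
 destination fc00:1::1"""

def parse(cfg):
    """Map each interface name to {command keyword: argument list}."""
    ifaces, cur = {}, None
    for words in filter(None, (line.split() for line in cfg.splitlines())):
        if words[0] in ("#", "interface"):  # "#" closes a stanza, "interface" opens one
            cur = ifaces.setdefault(words[1], {}) if words[0] == "interface" else None
        elif cur is not None:
            n = 2 if words[0] in ("ip", "ipv6") else 1  # "ip address" is a two-word keyword
            cur[" ".join(words[:n])] = words[n:]
    return ifaces

def tunnel_end(cfg):
    """Return (tunnel IPv4 interface, source IPv6, destination IPv6) of the tunnel."""
    ifaces = parse(cfg)
    tun = next(t for t in ifaces.values() if t.get("tunnel-protocol") == ["ipv4-ipv6"])
    src = tun["source"][0]
    if src in ifaces:  # source given as an interface name: use that interface's IPv6 address
        src = ifaces[src]["ipv6 address"][0].split("/")[0]
    v4 = ipaddress.ip_interface("/".join(tun["ip address"][:2]))
    return v4, ipaddress.ip_address(src), ipaddress.ip_address(tun["destination"][0])

def audit(cfg_a, cfg_b):
    """Return findings; an empty list means the two tunnel ends mirror each other."""
    (v4a, src_a, dst_a), (v4b, src_b, dst_b) = tunnel_end(cfg_a), tunnel_end(cfg_b)
    checks = [(dst_a == src_b, f"A points at {dst_a}, but B sources from {src_b}"),
              (dst_b == src_a, f"B points at {dst_b}, but A sources from {src_a}"),
              (v4a.network == v4b.network and v4a.ip != v4b.ip,
               f"{v4a} and {v4b} do not share one subnet")]
    return [msg for ok, msg in checks if not ok]
```

Calling audit(RT2, RT4) on the page's configuration returns an empty list; pointing RT4's destination at RT3's address (fc00:1::2) instead of RT2's yields one finding.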
