Version: V800R002C01
Issue: 01
Date: 2011-10-15
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-15)
Commissioning engineers
Version: HUAWEI NetEngine5000E Core Router V800R002C01
Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol graphics themselves are not reproduced in this text version):
- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points of the main text.
Command conventions (the description column of this table was not recovered): Boldface, Italic, [ ], { x | y | ... }, [ x | y | ... ], { x | y | ... }*, [ x | y | ... ]*, &<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document.....................................................................................................................ii
1 ARP Configuration........................................................................................................................1
1.1 ARP Overview....................................................................................................................................................3
1.2 ARP Features Supported by the NE5000E.........................................................................................................3
1.3 Configuring Dynamic ARP................................................................................................................................5
1.4 Configuring Static ARP......................................................................................................................................7
1.5 Configuring Routed Proxy ARP.........................................................................................................................8
1.6 Configuring ARP Security................................................................................................................................11
1.6.1 Restricting Dynamic ARP Entry Learning..............................................................................................12
1.6.2 Configuring Strict ARP Entry Learning..................................................................................................13
1.6.3 Limiting the ARP Packet Processing Rate..............................................................................................15
1.6.4 Limiting the Number of ARP Entries on Interfaces................................................................................16
1.6.5 Limiting the ARP Miss Message Processing Rate..................................................................................17
1.6.6 Checking the Configuration.....................................................................................................................18
1.7 Configuring ARP-Ping.....................................................................................................................................19
1.7.1 Configuring ARP-Ping IP........................................................................................................................19
1.7.2 Configuring ARP-Ping MAC..................................................................................................................20
1.8 Monitoring the ARP Status...............................................................................................................................21
1.9 Configuration Examples...................................................................................................................................21
1.9.1 Example for Configuring Static ARP......................................................................................................21
1.9.2 Example for Configuring Routed Proxy ARP.........................................................................................23
1.9.3 Example for Configuring ARP Security..................................................................................................26
2 ACL Configuration......................................................................................................................30
2.1 ACL Overview.................................................................................................................................................32
2.2 ACL Types Supported by the NE5000E..........................................................................................................32
2.3 Configuring an Interface-based ACL...............................................................................................................33
2.3.1 Creating an Interface-based ACL............................................................................................................35
2.3.2 Configuring Rules for an Interface-based ACL.......................................................................................35
2.3.3 (Optional) Configuring an ACL Step......................................................................................................36
2.3.4 (Optional) Configuring an ACL Description...........................................................................................37
2.3.5 Checking the Configuration.....................................................................................................................37
2.4 Configuring a Basic ACL.................................................................................................................................38
5 ACL6 Configuration..................................................................................................................110
5.1 ACL6 Overview.............................................................................................................................................111
5.2 ACL6 Features Supported by the NE5000E...................................................................................................111
5.3 Configuring an Interfaced-based ACL6.........................................................................................................112
5.3.1 Creating an Interface-based ACL6........................................................................................................113
5.3.2 Configuring Rules for an Interface-based ACL6...................................................................................113
5.3.3 Checking the Configuration...................................................................................................................114
5.4 Configuring a Basic ACL6.............................................................................................................................114
5.4.1 Creating a Basic ACL6..........................................................................................................................116
5.4.2 Configuring Rules for a Basic ACL6....................................................................................................116
5.4.3 Checking the Configuration...................................................................................................................116
5.5 Configuring an Advanced ACL6....................................................................................................................117
1 ARP Configuration
that can be learned by an interface, and source IP address-based ARP Miss message processing
rate.
1.9 Configuration Examples
This section describes several ARP configuration examples, providing networking requirements,
configuration notes and roadmap, and configuration procedure for each example. Configuration
flowcharts provided in this section will help you understand the configuration procedures.
Introduction
Each host or router on a Local Area Network (LAN) has a 32-bit IP address and uses the IP
address to communicate with other devices. IP addresses are configurable.
On an Ethernet, a host or a router sends or receives Ethernet frames based on 48-bit MAC
addresses. A MAC address is also called a physical address or a hardware address. It is allocated
to an Ethernet interface when a device is being manufactured. In internetworking scenarios, an
address resolution mechanism is needed for providing mappings between IP addresses and MAC
addresses. ARP is introduced as such a mechanism.
Working Mechanism
The ARP working mechanism is described below:
1. [The text of this step was not recovered.]
2. After having received the ARP request packet, another host or device whose MAC address is requested sends an ARP reply packet, and creates an ARP entry based on the mapping between the IP address and MAC address of the request sender.
3. The request sender receives the ARP reply packet and creates an ARP entry based on the mapping between the IP address and the MAC address of the reply sender.
The table of ARP features supported by the NE5000E is not reproduced in this text version; only the feature names survived: Dynamic ARP, Static ARP (with a description and usage scenario), Routed proxy ARP, and ARP security (the list of ARP security configurations was not recovered).
Applicable Environment
ARP aging parameters include the aging time, number of ARP probes, and ARP probe interval. Proper setting of these aging parameters can improve network reliability:
- Aging time: When the aging time of a dynamic ARP entry expires, a device sends an ARP probe (ARP request packet) from the outbound interface recorded in the dynamic ARP entry, and starts counting the number of ARP probes.
- Number of ARP probes: Before deleting an aged dynamic ARP entry, a device sends ARP probes to the IP address recorded in the ARP entry at specified intervals. If the configured number of ARP probes is exceeded but the ARP entry has not been updated, the device will delete the ARP entry.
- ARP probe interval: It is the interval at which probe packets are sent.
NOTE
1. If the aging time of dynamic ARP entries is set too short, for example, 1 minute, a device will
be busy updating dynamic ARP entries. This consumes a lot of system resources and affects the
processing of other services.
2. Length of time before the deletion of a dynamic ARP entry = Number of ARP probes x Probe
interval
Setting a long probe interval is not recommended, because a long interval will delay the deletion
of an aged dynamic ARP entry according to the formula.
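The aging behaviour described above, as an added example that is not part of the original guide and not Huawei's code: a Python simulation of the aging state machine driven by the three parameters (aging time, number of ARP probes, probe interval). The hosts, MAC addresses, the interface name GE1/0/0 and the timings are constructed for the example; a host that answers probes keeps its entry, a silent host is deleted exactly "number of probes x probe interval" seconds after its aging time expires, and a very short aging time shows the probing load the NOTE warns about.

```python
"""Added example (not vendor code): simulation of dynamic ARP entry aging with
the parameters aging time, detect-times (number of probes) and probe interval.
Times are integer seconds on a simulated clock; all sample data is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DynamicArpEntry:
    ip: str
    mac: str
    interface: str
    learned_at: int                       # clock time the entry was created or last refreshed
    probes_sent: int = 0                  # probes sent since the aging time expired
    next_probe_at: Optional[int] = None   # None while the entry is still fresh


class ArpAging:
    """Once the aging time expires, probe the recorded IP every probe_interval
    seconds; a reply refreshes the entry, detect_times unanswered probes delete it."""

    def __init__(self, aging_time: int, detect_times: int, probe_interval: int,
                 responder: Callable[[str], Optional[str]]) -> None:
        self.aging_time = aging_time
        self.detect_times = detect_times
        self.probe_interval = probe_interval
        self.responder = responder        # stands in for the host on the wire: MAC or None
        self.entries: Dict[str, DynamicArpEntry] = {}
        self.probe_log: List[Tuple[int, str]] = []   # (time, ip) for every probe sent

    def learn(self, ip: str, mac: str, interface: str, now: int) -> None:
        self.entries[ip] = DynamicArpEntry(ip, mac, interface, now)

    def tick(self, now: int) -> None:
        for ip in list(self.entries):
            e = self.entries[ip]
            if e.next_probe_at is None:
                if now - e.learned_at < self.aging_time:
                    continue              # still fresh, nothing to do
                e.next_probe_at = now     # aging time expired: start probing
            if now < e.next_probe_at:
                continue
            if e.probes_sent >= self.detect_times:
                del self.entries[ip]      # probes exhausted without an update
                continue
            self.probe_log.append((now, ip))
            e.probes_sent += 1
            mac = self.responder(ip)
            if mac is None:
                e.next_probe_at = now + self.probe_interval
            else:
                # the ARP reply updates the entry, so aging starts over
                self.entries[ip] = DynamicArpEntry(ip, mac, e.interface, now)


def simulate(aging_time: int, detect_times: int, probe_interval: int,
             hosts: Dict[str, Tuple[str, bool]], duration: int
             ) -> Dict[str, Tuple[Optional[int], int]]:
    """hosts maps ip -> (mac, answers_probes). Every entry is learned at t=0 on the
    constructed interface GE1/0/0. Returns ip -> (deleted_at or None, probes sent)."""
    aging = ArpAging(aging_time, detect_times, probe_interval,
                     responder=lambda ip: hosts[ip][0] if hosts[ip][1] else None)
    for ip, (mac, _) in hosts.items():
        aging.learn(ip, mac, "GE1/0/0", 0)
    deleted_at: Dict[str, int] = {}
    for now in range(1, duration + 1):
        before = set(aging.entries)
        aging.tick(now)
        for ip in before - set(aging.entries):
            deleted_at[ip] = now
    probes = {ip: sum(1 for _, p in aging.probe_log if p == ip) for ip in hosts}
    return {ip: (deleted_at.get(ip), probes[ip]) for ip in hosts}


HOSTS = {                                  # constructed sample hosts
    "10.1.1.2": ("0000-0a41-0202", True),  # answers probes
    "10.1.1.3": ("0000-0a41-0203", False), # silent, no longer on the LAN
}

if __name__ == "__main__":
    # aging time 60 s, 3 probes, 5 s interval: the silent host is deleted at
    # 60 + 3 x 5 = 75 s; the responsive host is refreshed every 60 s and stays
    print(simulate(60, 3, 5, HOSTS, 200))
    # a 10 s aging time makes the device probe the responsive host 20 times in
    # the same 200 s, which is the cost the NOTE above warns about
    print(simulate(10, 3, 5, HOSTS, 200))
```

The deletion time in the simulation is the sum of the aging time and "number of probes x probe interval", which is the formula in the NOTE measured from the moment the aging time expires.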
Pre-configuration Tasks
Before configuring dynamic ARP, complete the following tasks:
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer protocol status of the interfaces is Up
Procedure
Step 1 Run:
system-view
Step 4 Run:
arp detect-times detect-times
Run the display arp all command to check all ARP entries on MPUs and LPUs.
Run the display arp interface interface-name command to check the ARP entries on a
specified interface.
Run the display arp slot slot-id command to check the ARP entries on a board in a specified
slot.
Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check the ARP entries in a specified VPN instance.
Run the display arp all command to view all ARP entries on MPUs and LPUs.
<HUAWEI> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
15.1.1.1        3885-d010-0301            I           GE3/0/1
15.1.1.2        3885-d010-0303  15        D-3         GE3/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
Run the display arp interface command to view the ARP entries on a specified interface.
<HUAWEI> display arp interface gigabitethernet1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        3885-d040-0201            I           GE1/0/0
10.1.1.2        3885-d040-0203  20        D-3         GE1/0/0
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
Run the display arp slot command to view the ARP entries on a board in a specified slot.
<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I           GE1/0/1     vpn2
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/1     vpn2
192.168.1.11    0000-0a41-0201            I           GE1/0/0
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/0
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2
Run the display arp vpn-instance command to view the ARP entries in a specified VPN instance.
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I           GE1/0/0     vpn1
192.168.1.1     0000-0a41-0200  12        D-6         GE1/0/0     vpn1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
Applicable Environment
Static ARP entries will not be aged or overwritten by dynamic ARP entries, and are manually
configured and maintained. Configuring static ARP entries improves communication security.
In the case that device A communicates with device B that uses a specified IP address, device
A can be configured with a fixed mapping between device B's IP address and MAC address.
This mapping will not be changed because devices do not update ARP entries after receiving
attack packets. This ensures communication between the two devices.
Static ARP can be used for the following purposes:
- To enable a local gateway to forward packets whose destination IP addresses are not on the local network segment.
- To bind the invalid IP addresses of received ARP packets to a non-existent MAC address.
When an important network device such as a server is communicating with another device, a
static ARP entry recording the mapping between another device's IP address and MAC address
can be configured on the important network device. The static ARP entry on the important device
cannot be overwritten by the ARP packets forged by attackers, and also prevents the important
device from responding to invalid ARP request packets. This protects the important device
against network attacks.
NOTE
Static ARP entries will never be overwritten, but configuring a large number of static ARP entries is a heavy workload. Therefore, static ARP is applicable to small networks where host IP addresses seldom change.
Pre-configuration Tasks
Before configuring static ARP, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to make sure that the physical status of the interfaces is Up
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer protocol status of the interfaces is Up
Procedure
Step 1 Run:
system-view
Run the display arp slot slot-id command to check the ARP entries on a board in a specified slot.
Run the display arp slot command to view the ARP entries on all LPUs.
<HUAWEI> display arp slot 1 static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        0000-0a41-0200            S-3/
10.1.1.2        0000-0a41-0202            S-3/
10.1.1.3        0000-0a41-0204            S-3/
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3    Interface:0
Applicable Environment
Proxy ARP is a technique that a device on a given network uses to answer an ARP request sent from a host on another network to a host on the given network. (The two hosts are on different physical networks but on the same network segment, and the device connects the two hosts.) Proxy ARP makes users on different physical networks feel that they are communicating with each other on the same physical network.
Routed proxy ARP is one way to allow hosts or routers on the same network segment but on
different physical networks to communicate with each other. If a host connected to the router
does not have a default gateway address (does not know how to reach an agent), the host cannot
forward data to the destination host on another physical network. Routed proxy ARP can solve
this problem. When a host sends an ARP request for the MAC address of the destination host
on another network, the proxy ARP-enabled router receives the request and responds to the
request with its own MAC address. Data packets sent by the host can then be forwarded by the
router.
Users belong to two different physical networks (two subnets on the same IP network) on the
same network segment. To allow the users to communicate with each other, configure routed
proxy ARP on the interface connecting routers to the physical networks.
Figure 1-1 shows the networking diagram of routed proxy ARP.
Figure 1-1 Networking diagram of routed proxy ARP (figure not reproduced; labels recovered from it): Host A 172.16.1.2/16 on Ethernet A; Router A with GE1/0/0 172.16.1.1/24 (Proxy ARP) and POS2/0/0 172.17.3.1/24; Router B with POS2/0/0 172.17.3.2/24 and GE1/0/0 172.16.2.1/24 (Proxy ARP); Host B 172.16.2.2/16 on Ethernet B.
CAUTION
The IP addresses of all hosts on each subnet must have the same network ID. None of the hosts
needs to be configured with a default gateway.
Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer protocol status of the interfaces is Up
Procedure
Step 1 Run:
system-view
Run the display arp interface interface-name command to check the ARP entries on a
specified interface.
Run the display arp slot slot-id command to check the ARP entries on a board in a specified
slot.
Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check the ARP entries in a specified VPN instance.
Run the display arp interface command to view the ARP entries on a specified interface.
<HUAWEI> display arp interface gigabitethernet1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        2202-0003-0001  20        D-3         GE1/0/0
------------------------------------------------------------------------------
Total:1         Dynamic:1       Static:0    Interface:0
Run the display arp slot command to view the ARP entries on all LPUs.
<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I           GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I           GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2
Run the display arp vpn-instance command to view the ARP entries in a specified VPN instance.
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I           GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6         GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
Applicable Environment
ARP is a basic link layer protocol that can be used on an Ethernet. It maps devices' IP addresses
to MAC addresses. For details on the ARP working mechanism, see Working Mechanism.
The working mechanism shows that ARP is simple to use but has no security guarantee.
Attackers may send forged ARP packets to attack devices.
ARP attacks may cause the following problems:
- Attackers steal user accounts and passwords for online games, Internet banking, or file transfer services, causing the victims heavy losses.
Improving ARP security is becoming more important. There are several solutions: limiting the
ARP packet processing rate, limiting the number of ARP entries on interfaces, and limiting the
ARP Miss message processing rate.
Pre-configuration Tasks
Before configuring ARP security, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to make sure that the physical status of the interfaces is Up
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer protocol status of the interfaces is Up
Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.
Background Information
CAUTION
- If dynamic ARP entry learning is disabled on an interface, traffic forwarding may fail on this interface.
- After dynamic ARP entry learning is disabled on an interface, the system will not automatically delete the ARP entries that were learnt previously on this interface. You can delete or retain these dynamic ARP entries as required.
Procedure
Step 1 Run:
system-view
Step 3 Run:
arp learning disable
Applicable Environment
On an Ethernet, attackers continuously send a large number of ARP packets to attack devices.
This severely affects forwarding of valid service packets. To address the problem, configure
strict ARP entry learning. This strictly controls the learning of unknown users' ARP entries.
Strict ARP entry learning can be configured globally or on an interface to allow the router or
the interface to learn only the ARP reply packets in response to the ARP request packets sent
by the router or the interface itself.
- If strict ARP entry learning is disabled, a device processes a received ARP packet as follows:
  - When a device receives an ARP reply packet, it processes the packet in either of the following manners:
    - If the device has no ARP entry matching the source IP address of the ARP reply packet, the device creates a new ARP entry based on the source IP address and source MAC address of the ARP reply packet.
    - If the device has an ARP entry matching the source IP address of the ARP reply packet, the device updates the ARP entry based on the source IP address and source MAC address of the ARP reply packet.
  - When a device receives an ARP request packet that requests its MAC address, the device first sends an ARP reply packet to the request sender and then creates an ARP entry based on the IP address and MAC address of the request sender.
- After strict ARP entry learning is enabled, a device processes a received ARP packet as follows:
  - If the device receives an ARP reply packet, it determines whether the reply packet is in response to the ARP request packet sent by the device itself. If it is such a reply packet, the device learns the MAC address and updates the corresponding ARP entry. Otherwise, the device does not learn the MAC address or update the corresponding ARP entry.
  - If a device receives an ARP request packet, it only replies to the request but does not generate a new ARP entry or update the existing ARP entry.
As shown in Figure 1-3, strict ARP entry learning is configured on a backbone network's edge
routers that are connected to user access devices.
Figure 1-3 Networking diagram of configuring strict ARP entry learning (figure not reproduced; labels recovered from it): Core network; RouterA and RouterB, each labelled "ARP learning strict".
For details on ARP security problems, see 1.6 Configuring ARP Security.
Pre-configuration Tasks
Before configuring strict ARP entry learning, complete the following task:
- Disabling dynamic ARP entry learning where strict ARP entry learning is enabled
Procedure
- Configure strict ARP entry learning globally.
  1. Run:
     system-view
  2. Run:
     arp learning strict
  3. Run:
     commit
- Configure strict ARP entry learning on an interface. Strict ARP entry learning enabled on an interface takes effect regardless of whether strict ARP entry learning is enabled globally.
  1. Run:
     system-view
  2. Run:
     interface interface-type interface-number
  3. Run:
     arp learning strict force-enable
     If strict ARP entry learning is not enabled globally, running the arp learning strict force-enable command on a specified interface enables strict ARP entry learning on the interface.
  4. (Optional) Run:
     arp learning strict force-disable
     If strict ARP entry learning is not disabled globally, running the arp learning strict force-disable command on a specified interface disables strict ARP entry learning on the interface.
  5. Run:
     commit
- Restore the global strict ARP entry learning configuration on the interface.
  1. Run:
     system-view
  2. Run:
     interface interface-type interface-number
  3. Run:
     arp learning strict trust
     The global strict ARP entry learning configuration is restored on the interface.
  4. Run:
     commit
Context
Processing ARP packets on a device consumes the device's resources. In addition, because system memory is limited and ARP entry lookups must stay efficient, a device usually limits the number of ARP entries and the ARP packet processing rate. Sometimes, a large number of packets whose destination IP addresses cannot be resolved are sent to a device. The device then keeps resolving the destination IP addresses, causing the device's CPU to be overloaded. This is called an ARP flood attack. The ARP flood attack severely affects service forwarding on devices and causes customers to suffer an incalculable economic loss.
Configuring a device to limit the ARP packet processing rate effectively guards against ARP
flood attack, improves network security and stability, and ensures service forwarding for
authorized users.
Procedure
Step 1 Run:
system-view
Background
Attackers send a large number of ARP packets with forged source IP addresses to a device,
causing the number of ARP entries on the device to exceed the allowed maximum number. As
a result, the device cannot process valid ARP packets and generate valid ARP entries.
Procedure
Step 1 Run:
system-view
If the number of ARP entries that have been learnt on an interface exceeds the maximum number, the
interface will not delete the excess learned ARP entries, but will not learn any more new entries.
If the maximum number of dynamic ARP entries that an interface can learn is set to 0, no limit is set on
the number of the dynamic ARP entries.
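The two table rules in this chapter, as an added example that is not part of the original guide and not Huawei's code: a small ARP table in Python in which a static entry is never overwritten by dynamic learning (1.4 Configuring Static ARP) and an interface that has reached its configured maximum keeps the entries it already learned but refuses new ones (the note above), with 0 meaning no limit. Interface names, addresses and MACs are constructed; that refreshing an already-learned entry still succeeds once the limit is reached is an assumption of the example, not a statement from the guide.

```python
"""Added example (not vendor code): ARP table with static entries and a
per-interface cap on dynamic entries. All sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ArpEntry:
    mac: str
    interface: str
    static: bool


class ArpTable:
    def __init__(self) -> None:
        self.entries: Dict[str, ArpEntry] = {}   # ip -> entry
        self.limits: Dict[str, int] = {}         # interface -> max dynamic entries (0 = unlimited)

    def set_limit(self, interface: str, maximum: int) -> None:
        # lowering the limit below the current count keeps the existing entries
        self.limits[interface] = maximum

    def dynamic_count(self, interface: str) -> int:
        return sum(1 for e in self.entries.values()
                   if e.interface == interface and not e.static)

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        # manual configuration always wins, even over an existing dynamic entry
        self.entries[ip] = ArpEntry(mac, interface, static=True)

    def learn_dynamic(self, ip: str, mac: str, interface: str) -> str:
        current = self.entries.get(ip)
        if current is not None and current.static:
            return "rejected-static"             # static entries are never overwritten
        if current is not None:
            # assumption: refreshing an existing entry does not count as a new one
            self.entries[ip] = ArpEntry(mac, interface, static=False)
            return "updated"
        limit = self.limits.get(interface, 0)
        if limit and self.dynamic_count(interface) >= limit:
            return "rejected-limit"              # interface is full: no new entries
        self.entries[ip] = ArpEntry(mac, interface, static=False)
        return "created"


def demo() -> List[str]:
    """Constructed walk-through; returns the outcome of each step."""
    t = ArpTable()
    t.add_static("10.1.1.1", "0000-0a41-0200", "GE1/0/0")          # gateway pinned by hand
    actions = [
        t.learn_dynamic("10.1.1.1", "0000-0a41-0ff0", "GE1/0/0"),   # attempt to replace the static entry
        t.learn_dynamic("10.1.1.2", "0000-0a41-0202", "GE1/0/0"),
        t.learn_dynamic("10.1.1.3", "0000-0a41-0203", "GE1/0/0"),
    ]
    t.set_limit("GE1/0/0", 2)                                       # cap at what is already learned
    actions += [
        t.learn_dynamic("10.1.1.4", "0000-0a41-0204", "GE1/0/0"),   # over the limit: refused
        t.learn_dynamic("10.1.1.2", "0000-0a41-0212", "GE1/0/0"),   # existing entry: refreshed
        t.learn_dynamic("10.1.1.4", "0000-0a41-0204", "GE2/0/0"),   # other interface, no limit set
    ]
    actions.append(f"dynamic on GE1/0/0: {t.dynamic_count('GE1/0/0')}")
    actions.append(f"10.1.1.1 -> {t.entries['10.1.1.1'].mac}")
    return actions


if __name__ == "__main__":
    for line in demo():
        print(line)
```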
Step 4 Run:
commit
Context
An upper-layer device sends an ARP packet destined for a specific host to the router. If the
router does not have the MAC address corresponding to the ARP packet's destination IP address,
Layer 3 forwarding of this ARP packet fails. Then, the router sends an ARP request packet to
the destination host and sends an ARP Miss message to the upper-layer device. Sending too
many ARP Miss messages to the upper-layer devices and sending too many ARP request packets
to the destination host waste resources on the router. This affects processing of other services
on the router. Therefore, the ARP Miss message processing rate must be limited on the router.
An Ethernet is exposed to lots of scan attacks. To prevent these attacks, ARP Miss message
processing rate limiting needs to be configured on devices at the access or aggregation layer on
the Ethernet.
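The two rate limits described in this section and in "Limiting the ARP Packet Processing Rate" above, as an added example that is not part of the original guide and not Huawei's code: a per-key limiter in Python that caps the ARP packets processed per LPU slot and the ARP Miss messages processed per source IP address, run over a constructed one-second traffic sample in which one host sweeps unresolvable destinations beside a host resolving two addresses. The limiter uses a fixed one-second window, a simplification chosen for the example; the guide does not describe the device's actual suppression algorithm, and the slot number, addresses and limit values are constructed.

```python
"""Added example (not vendor code): per-slot ARP packet rate limiting and
per-source-IP ARP Miss rate limiting with a fixed one-second window.
Traffic, slot and addresses are constructed."""
from collections import defaultdict
from typing import Dict, Hashable, List, Tuple


class WindowLimiter:
    """Allows at most `limit` events per key in each one-second window."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[Tuple[Hashable, int], int] = defaultdict(int)

    def allow(self, key: Hashable, now: float) -> bool:
        window = (key, int(now))
        if self.counts[window] >= self.limit:
            return False                 # suppressed: over the limit in this window
        self.counts[window] += 1
        return True


def process(arp_pps_per_slot: int, miss_pps_per_source: int,
            events: List[Tuple[float, int, str, str]]) -> Dict[str, Dict[str, int]]:
    """events are (time, slot, kind, src_ip) with kind "arp" (an ARP packet
    arriving at the slot) or "miss" (a packet that triggered an ARP Miss).
    Returns per source IP how many events were processed and how many suppressed."""
    arp_limiter = WindowLimiter(arp_pps_per_slot)        # keyed by slot
    miss_limiter = WindowLimiter(miss_pps_per_source)    # keyed by source IP
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"processed": 0, "suppressed": 0})
    for now, slot, kind, src in events:
        if kind == "arp":
            ok = arp_limiter.allow(("slot", slot), now)
        else:
            ok = miss_limiter.allow(("miss", src), now)
        stats[src]["processed" if ok else "suppressed"] += 1
    return dict(stats)


def sample_traffic() -> List[Tuple[float, int, str, str]]:
    """Constructed one-second sample on slot 3: a host sweeping 50 unresolvable
    destinations, a host resolving two addresses, and 600 ARP packets from a third."""
    sweep = [(i / 100.0, 3, "miss", "10.1.1.66") for i in range(50)]
    normal = [(0.20, 3, "miss", "10.1.1.5"), (0.70, 3, "miss", "10.1.1.5")]
    arp = [(i / 1000.0, 3, "arp", "10.1.1.9") for i in range(600)]
    return sorted(sweep + normal + arp)


if __name__ == "__main__":
    # 500 ARP packets per second per slot, 10 ARP Miss messages per second per source
    for src, counts in process(500, 10, sample_traffic()).items():
        print(src, counts)
```

The sweeping host is throttled to the per-source ARP Miss limit while the host with normal traffic is untouched, which is why the text places the ARP Miss limit per source IP address; the per-slot ARP packet limit, by contrast, is shared by every sender on that slot.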
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of protecting ARP entries against attacks are completed.
Procedure
- Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the ARP packet processing rate on an LPU.
- Run the display arp-limit command to check the number of ARP entries that an interface can learn.
- Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the rate of processing the ARP Miss messages with a specific source IP address.
- Run the display arp learning strict command to check the configuration of strict ARP entry learning.
----End
Example
# Run the display arp speed-limit destination-ip [ slot slot-id ] command to view the ARP packet processing rate on an LPU.
<HUAWEI> display arp speed-limit destination-ip slot 3
Slot      SuppressType      SuppressValue
--------------------------------------------------
3         ARP               500
# Run the display arp-limit command to view the number of ARP entries that an interface can learn.
<HUAWEI> display arp-limit
interface                 LimitNum      VlanID      LearnedNum
--------------------------------------------------------------------------
GigabitEthernet2/0/1      16384         0           0
GigabitEthernet4/0/1      100           0           0
Total:2
# Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to view the rate of processing the ARP Miss messages with a specific source IP address.
<HUAWEI> display arp-miss speed-limit source-ip slot 3
Slot      SuppressType      SuppressValue
--------------------------------------------------
3         ARP-miss          600
# Run the display arp learning strict command to view the configuration of strict ARP entry learning.
<HUAWEI> display arp learning strict
The global configuration:arp learning strict
interface                 LearningStrictState
------------------------------------------------------------
GigabitEthernet3/0/1      force-enable
GigabitEthernet4/0/1      force-enable
------------------------------------------------------------
Total:2          Force-enable:2          Force-disable:0
Applicable Environment
Before configuring an IP address for a device on a LAN, run the arp-ping ip command to check
whether the IP address to be configured is being used by another device on the network.
The ping command can also be used to check whether an IP address is in use on the network. However, if the destination host or a router on the path runs a firewall configured not to reply to ping packets, the ping always fails and the IP address is wrongly regarded as unused. ARP is a Layer 2 protocol, and in most cases ARP packets pass through a firewall that is configured not to reply to ping packets. Therefore, arp-ping ip can still detect whether an IP address is being used by another device.
When a device knows a specific MAC address on a network segment but does not know the
corresponding IP address, the arp-ping mac command can be run on the device to broadcast
ICMP packets to obtain the corresponding IP address.
Pre-configuration Tasks
Before configuring ARP-Ping, complete the following task:
l Configuring link layer protocol parameters and IP addresses for interfaces to ensure that the link layer protocol status of the interfaces is Up
Configuration Procedures
You can choose one or more configuration tasks as required.
Figure 1-4 Flowchart for configuring ARP-Ping (flowchart box: Configure ARP-Ping IP)
Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number ]
l If the IP address is being used by another device, the command output is as follows:
[~HUAWEI] arp-ping ip 128.1.1.1
ARP-Pinging 128.1.1.1:
128.1.1.1 is used by 00e0-517d-f202
----End
Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }
Whether a MAC address is being used by another device is checked. (If the MAC address is
used, the IP address corresponding to this MAC address will be displayed.)
There are two possible results after the command is run:
l If the MAC address is not being used by another device, the command output is as follows:
[~HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used
l If the MAC address is being used by another device, the command output is as follows:
[~HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS        MAC ADDRESS
128.1.1.1         00-E0-51-7D-F2-02
----End
Procedure
l Run the display arp all command in any view to check all ARP entries on MPUs and LPUs.
l Run the display arp interface interface-type interface-number command in any view to check the ARP status on a specified interface.
l Run the display arp slot slot-id command in any view to check the ARP running status on a board in a specified slot.
l Run the display arp learning strict command in any view to check strict ARP entry learning on all interfaces.
l Run the display arp packet statistics [ slot slot-id ] command in any view to check statistics on ARP packets.
l Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the ARP packet processing rate on an LPU.
l Run the display arp-miss speed-limit source-ip [ slot slot-id ] command in any view to check the rate of processing the ARP Miss messages with a specific source IP address.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
ARP is a basic link layer protocol that can be used on the Ethernet. It maps devices' IP addresses
to MAC addresses. ARP is simple to use but does not have any security guarantee. Attackers
may send forged ARP packets to attack networks, causing normal services to be interrupted and
devices to break down. Therefore, carriers want to enhance backbone network security.
As shown in Figure 1-5, users are connected to the backbone network through routers. To protect
the devices on the backbone network against ARP attacks and ensure stable data transmission,
static ARP needs to be configured on routers.
Figure 1-5 Networking diagram of configuring static ARP (RouterA and RouterB connected through the core network; static ARP mappings shown: 10.1.1.1 is mapped to 0000-0a41-0200, 10.1.1.2 to 0000-0a41-0202, 10.1.1.3 to 0000-0a41-0204, 10.1.2.1 to 0000-0a41-0300, 10.1.2.2 to 0000-0a41-0302, 10.1.2.3 to 0000-0a41-0304)
Precautions
None.
Configuration Roadmap
The configuration roadmap is as follows:
l Configure static ARP entries on routers. These entries will not be aged or overwritten by dynamic ARP entries. User data can thus be transmitted stably.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure static ARP entries on Router A. The configuration on Router B is the same as that on
Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] arp static 10.1.1.1 0000-0a41-0200
[~RouterA] arp static 10.1.1.2 0000-0a41-0202
[~RouterA] arp static 10.1.1.3 0000-0a41-0204
[~RouterA] commit
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        0000-0a41-0200            S-
10.1.1.2        0000-0a41-0202            S-
10.1.1.3        0000-0a41-0204            S-
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3    Interface:0
----End
Configuration Files
l
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
Two users on the same network segment but on different physical networks need to communicate
with each other.
As shown in Figure 1-6, two routers are connected by serial links. No default gateways are set
for Host A and Host B on different physical networks. Routed proxy ARP needs to be configured
on routers to enable Host A and Host B to communicate with each other.
Figure 1-6 Networking diagram of configuring routed proxy ARP (Host A, 172.16.1.2/16, 0000-5e33-ee20, on Ethernet A; Router A GE1/0/0 172.16.1.1/24, 00e0-fc39-80aa, with proxy ARP; the routers' POS2/0/0 interfaces 172.17.3.1/24 and 172.17.3.2/24; Router B GE1/0/0 172.16.2.1/24, 00e0-fc39-80bb, with proxy ARP; Host B, 172.16.2.2/16, 0000-5e33-ee10, on Ethernet B)
Precautions
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the interface that connects each router to a host, ensuring that the link between each host and each router is working properly.
2. Configure routed proxy ARP on the interface that connects each router to a host. After receiving an ARP request (for the destination host's MAC address) sent by the host, the router enabled with routed proxy ARP responds to the request with its own MAC address. The host then forwards data to the router.
3. Configure a default route between two routers to ensure that there is a reachable route between them and data can be transmitted along the route.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
----End
Configuration Files
l
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
ARP is a basic link layer protocol that can be used on the Ethernet. It maps devices' IP addresses
to MAC addresses. ARP is simple to use but does not have any security guarantee. Attackers
may send forged ARP packets to attack networks, causing normal services to be interrupted and
devices to break down. Therefore, carriers want to enhance backbone network security.
As shown in Figure 1-7, an Internet bar is connected to the Internet through the router. ARP
security needs to be configured on the router to protect the Internet bar against ARP attacks.
Figure 1-7 Networking diagram of configuring ARP security (Router between the Internet and Switch1 to Switch4)
Precautions
None.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l LPU slot number: 3; number of ARP packets that the LPU processes every second: 50
l LPU slot number: 3; number of ARP Miss messages that the LPU processes every second: 50
Procedure
Step 1 Configure the LPU in slot 3 to process 50 ARP packets to a specific destination every second.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[~HUAWEI] commit
[~Router] arp speed-limit destination-ip maximum 50 slot 3
Step 2 Configure GE 3/0/0 to learn a maximum of 20 ARP entries and enable strict ARP entry learning
on GE 3/0/0.
[~Router] interface Gigabitethernet 3/0/0
[~Router-GigabitEthernet3/0/0] arp-limit maximum 20
[~Router-GigabitEthernet3/0/0] arp learning strict force-enable
[~Router-GigabitEthernet3/0/0] quit
Step 3 Configure the LPU in slot 3 to process 50 ARP Miss messages with a specific source IP address
every second.
[~Router] arp-miss speed-limit source-ip maximum 50 slot 3
[~Router] commit
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I           GE3/0/0
100.1.1.180     000d-88f4-d06b  9         D-0         GE2/0/0
100.1.1.24      0013-d326-ab88  9         D-0         GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0         GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0         GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0         GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0         GE0/0/0
32.1.1.1        0088-0010-000a            I           GE4/0/9
24.1.1.1        0088-0010-0009            I           GE4/0/8
10.1.1.1        0088-0010-0003            I           GE4/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3         GE4/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0    Interface:4
Run the display arp speed-limit command on the router to view the configured ARP packet
processing rate. Run the display arp-miss speed-limit command on the router to view the
configured ARP Miss message processing rate.
<Router> display arp speed-limit destination-ip slot 3
Slot    SuppressType    SuppressValue
--------------------------------------------------
3       ARP             50
<Router> display arp-miss speed-limit source-ip slot 3
Slot    SuppressType    SuppressValue
--------------------------------------------------
3       ARP-miss        50
Use a tool to scan the router. Run the display arp packet statistics command on the router to
view the number of discarded ARP Miss messages.
<Router> display arp packet statistics
----End
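As an added example (not Huawei's code), the following Python parses the display arp table format shown in this chapter and compares the learned entries with per-interface arp-limit values. The embedded table is the one from the ARP security example above; the limits dictionary in demo() is constructed (20 is the example's arp-limit maximum, the second value is deliberately low to show an interface over its limit).

```python
"""Parser for the display arp table format shown in this chapter plus a check of
learned entries against the per-interface arp-limit (added example, not Huawei
code). SAMPLE_DISPLAY_ARP is the table from the ARP security example above."""
import re
from collections import Counter

SAMPLE_DISPLAY_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I           GE3/0/0
100.1.1.180     000d-88f4-d06b  9         D-0         GE2/0/0
100.1.1.24      0013-d326-ab88  9         D-0         GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0         GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0         GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0         GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0         GE0/0/0
32.1.1.1        0088-0010-000a            I           GE4/0/9
24.1.1.1        0088-0010-0009            I           GE4/0/8
10.1.1.1        0088-0010-0003            I           GE4/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3         GE4/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0    Interface:4
"""

# One table row: IP, MAC, optional EXPIRE(M), TYPE letter (D/S/I, optionally
# followed by a slot suffix such as "-0"), optional INTERFACE.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(?:(\d+)\s+)?([DSI])(?:-\d*)?(?:\s+(\S+))?")
TYPE_NAMES = {"D": "Dynamic", "S": "Static", "I": "Interface"}


def parse_display_arp(text: str) -> list:
    """Return one dict per ARP entry; header, separator and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ip, mac, expire, kind, iface = m.groups()
        entries.append({"ip": ip, "mac": mac,
                        "expire_min": int(expire) if expire else None,
                        "type": TYPE_NAMES[kind], "interface": iface})
    return entries


def summary(entries: list) -> dict:
    """Recompute the Total/Dynamic/Static/Interface footer of the table."""
    counts = Counter(e["type"] for e in entries)
    return {"Total": len(entries), "Dynamic": counts["Dynamic"],
            "Static": counts["Static"], "Interface": counts["Interface"]}


def dynamic_per_interface(entries: list) -> dict:
    """Dynamic (learned) entries per interface, the number that arp-limit bounds."""
    return dict(Counter(e["interface"] for e in entries if e["type"] == "Dynamic"))


def check_arp_limits(entries: list, limits: dict) -> dict:
    """Compare learned entries with each configured arp-limit. 'at-limit' means
    the interface can learn no further entry; 'over-limit' means the table
    holds more dynamic entries than the configured maximum allows."""
    learned = dynamic_per_interface(entries)
    report = {}
    for iface, limit in limits.items():
        n = learned.get(iface, 0)
        state = "ok" if n < limit else ("at-limit" if n == limit else "over-limit")
        report[iface] = {"learned": n, "limit": limit, "state": state}
    return report


def demo() -> dict:
    """Run the checks on the sample table with constructed limits."""
    entries = parse_display_arp(SAMPLE_DISPLAY_ARP)
    limits = {"GE3/0/0": 20, "GE0/0/0": 4}   # constructed; 20 is the example's value
    return {"summary": summary(entries),
            "per_interface": dynamic_per_interface(entries),
            "limits": check_arp_limits(entries, limits)}
```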
Configuration Files
#
sysname Router
arp speed-limit destination-ip maximum 50 slot 3
arp-miss speed-limit source-ip maximum 50 slot 3
#
admin
interface GigabitEthernet3/0/0
undo shutdown
arp learning strict force-enable
arp-limit maximum 20
#
return
2 ACL Configuration
This section describes how to maintain an ACL. Detailed operations include clearing ACL
statistics and monitoring the ACL operation.
l Interface-based ACLs: classify packets according to the interface from which packets are received.
l Advanced ACLs: classify packets according to the source address, destination address, source port number, destination port number, and protocol type.
l Ethernet frame header-based ACLs: classify packets according to the source MAC address and destination MAC address.
l MPLS-based ACLs: classify MPLS packets according to the Exp value, label, or TTL value in MPLS packets.
NOTE
As a mere group of rules, an ACL does not filter packets by itself. An ACL can only identify
packets of a certain type. How matching packets are processed depends on the function that
references the ACL. On the NE5000E, the ACL must be used in conjunction with functions such as
routing policy and QoS to filter packets.
Interface-based ACLs
The rules in an interface-based ACL are defined according to the inbound interfaces of packets
and are used to filter packets received by different inbound interfaces. The number of an
interface-based ACL ranges from 1000 to 1999.
Basic ACL
The rules in a basic ACL are defined according to the source addresses of packets and are used
to filter packets with different source addresses. The number of a basic ACL ranges from 2000
to 2999.
Basic ACLs are commonly applied to the implementation of the routing policy and QoS. For
example, by configuring an ACL, you can control the rights of users logging in to the device or
control the traffic on the device.
Advanced ACLs
The rules in an advanced ACL are defined according to the source addresses, destination
addresses, protocol types, source port numbers, and destination port numbers of packets.
Advanced ACLs can be classified into numbered ACLs and named ACLs according to the
naming rule of ACLs. The number of a numbered ACL ranges from 3000 to 3999; the number
of a named ACL ranges from 42768 to 59151.
An advanced ACL provides more extensive filtering rules, which can be applied to the routing
policy and packet filtering. For example, you can configure an advanced ACL in the multicast
service to filter multicast packets with different source addresses and group addresses.
MPLS-based ACLs
MPLS-based ACLs classify packets based on the Exp value, label, and TTL value in MPLS
packets. MPLS-based ACLs are numbered from 10000 to 10999. This means that a maximum
of 999 MPLS ACLs can be configured.
Applicable Environment
Figure 2-1 Typical application environment of an interface-based ACL (Network A on GE1/0/0 and Network B on GE2/0/0 of RouterA, which connects to the Internet; interface-based ACL enabled)
As shown in Figure 2-1, an ACL that is based on GE 1/0/0 is created on Router A. Router A
needs to accept all the packets that are sent from Network A to the Internet and deny all the
packets that are sent from Network B to the Internet.
Pre-configuration Tasks
Before configuring an Interface-based ACL, complete the following tasks:
l Configuring the parameters of the link layer protocol for interfaces to ensure that the link layer protocol status of interfaces is Up
Configuration Procedure
Figure 2-2 Flowchart for configuring an interface-based ACL (steps: create an interface-based ACL, configure rules for an interface-based ACL, configure an ACL step, configure an ACL description; the legend distinguishes mandatory and optional procedures)
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the interface-based ACL is complete.
Procedure
Step 1 Run the display acl { acl-number | all } command to view the configured ACL rules.
----End
Example
After running the preceding command, you can view the ACL number, number of ACL rules,
ACL step, and rule contents.
<HUAWEI> display acl 1200
Interface Based ACL 1200,1 rule
ACL's step is 5
ACL's match-order is config
rule 5 permit interface Pos4/0/0 (1 times matched)
Applicable Environment
Figure 2-3 Typical application environment of a basic ACL (Network A 10.1.1.0/24, Network B 10.1.2.0/24 and Network C 10.1.3.0/24 connected to Router A through GE1/0/0 and GE2/0/0; Router A connects to the Internet; basic ACL enabled)
As shown in Figure 2-3, a basic ACL is created on Router A. Router A accepts the packets that
are sent from Network A and refuses the packets that are sent from Network B, and Network C
to the Internet.
Pre-configuration Tasks
Before configuring a Basic ACL, complete the following tasks:
l Configuring the parameters of the link layer protocol for interfaces to ensure that the link layer protocol status of the interface is Up
Configuration Procedure
Figure 2-4 Flowchart for configuring a basic ACL
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the basic ACL is complete.
Procedure
Step 1 Run the display acl { acl-number | all } command to view the configured basic ACL.
----End
Example
After running the preceding command, you can view the ACL number, number of ACL rules,
ACL step, and rule contents.
<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
Acl's match-order is config
rule 5 deny source 10.1.1.1 0 (3 times matched)
Applicable Environment
Figure 2-5 Typical application environment of an advanced ACL (Network A 1.1.1.0/24, Network B 2.2.2.0/24, Network C 3.3.3.0/24 and Network D 4.4.4.0/24 attached through RouterA, RouterB, RouterC and RouterD, which are interconnected through RouterE; ICMP packets traverse RouterE)
As shown in Figure 2-5, an advanced ACL is created on Router E. Router E needs to accept all
the ICMP packets sent from Router B to Router D and deny all the ICMP packets sent from
Router A to Router C.
Pre-configuration Tasks
Before configuring an Advanced ACL, complete the following tasks:
l Configuring the parameters of the link layer protocol for interfaces to ensure that the link layer protocol status of the interfaces is Up
Configuration Procedure
Figure 2-6 Flowchart for configuring an advanced ACL (steps: configure a numbered advanced ACL or a named advanced ACL, then configure an ACL description; the legend distinguishes mandatory and optional procedures)
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
l If the value of protocol is a protocol other than TCP, UDP, and ICMP, run the following
command to create an ACL rule:
rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
NOTE
You can configure the advanced ACL according to the protocol type. For different protocol types, the
parameters specified differ.
l For TCP and UDP, the [ source-port operator port ] [ destination-port operator port ] parameters are available; they cannot be configured for other protocols.
l For TCP, the [ syn-flag syn-flag ] parameter is available; it cannot be configured for other protocols.
Step 4 Run:
commit
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the advanced ACL is complete.
Procedure
Step 1 Run the display acl { name acl-name | acl-number | all } command to view the configuration
of the advanced ACL.
----End
Example
Run the command, and you can view the ACL number, number of rules, ACL step, and rule
contents.
<HUAWEI> display acl 3000
Advanced ACL 3000, 3 rules
Acl's step is 5
Acl's match-order is config
rule 0 permit icmp (0 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (2 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (1 times matched)
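As an added example (not Huawei's code), the following Python models the ACL behaviour this chapter describes: ACL type by number range, rule IDs that advance by the ACL step, wildcard masks as written in the rules above (a bare 0 for one host, 0.0.255.255 for a /16) and the config match order, in which the first matching rule in rule-ID order decides. The rules are the ones in the display acl 2000 and display acl 3000 output; the packets are constructed sample data.

```python
"""Model of ACL classification as described in this chapter (added example, not
Huawei code): number ranges, step-based rule IDs, wildcard masks and config
match order. Sample rules come from the display acl output above."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Number ranges stated in this chapter (the Ethernet frame header range is not
# given in the text, so it is left out).
ACL_RANGES = {
    "interface-based": range(1000, 2000),
    "basic": range(2000, 3000),
    "advanced": range(3000, 4000),
    "mpls": range(10000, 11000),
    "advanced (named)": range(42768, 59152),
}


def acl_type(number: int) -> str:
    """ACL type a number belongs to, e.g. 1200 -> interface-based."""
    for name, numbers in ACL_RANGES.items():
        if number in numbers:
            return name
    raise ValueError(f"ACL number {number} is outside every documented range")


def _to_int(dotted: str) -> int:
    # The manual writes a single-host wildcard as a bare "0" ("source 10.1.1.1 0").
    return 0 if dotted == "0" else int(IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits whose wildcard bit is 0: a 1 bit means 'ignore'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class Rule:
    rule_id: int
    action: str                         # "permit" or "deny"
    protocol: str = "ip"                # "ip" matches every IP packet
    source: Optional[tuple] = None      # (address, wildcard)
    destination: Optional[tuple] = None
    matched: int = 0                    # the "(n times matched)" counter

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        return True


@dataclass
class Acl:
    number: int
    step: int = 5                       # "Acl's step is 5"
    rules: list = field(default_factory=list)

    def add_rule(self, action: str, rule_id: Optional[int] = None, **kw) -> Rule:
        """Without an explicit rule-id the next multiple of the step is used,
        so the first auto-numbered rule becomes rule 5."""
        if rule_id is None:
            last = self.rules[-1].rule_id if self.rules else 0
            rule_id = (last // self.step + 1) * self.step
        rule = Rule(rule_id, action, **kw)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule

    def classify(self, pkt: dict) -> Optional[str]:
        """Config match order: the first rule in ID order wins. None means no
        rule matched; the ACL filters nothing by itself, the function that
        references it (QoS, routing policy) decides what happens then."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.matched += 1
                return rule.action
        return None


def demo() -> dict:
    """Rebuild ACL 2000 and ACL 3000 from the display output; classify
    constructed sample packets."""
    basic = Acl(2000)
    basic.add_rule("deny", source=("10.1.1.1", "0"))          # becomes rule 5
    adv = Acl(3000)
    adv.add_rule("permit", rule_id=0, protocol="icmp")
    adv.add_rule("permit", rule_id=1, source=("1.1.1.1", "0"),
                 destination=("2.2.2.2", "0"))
    adv.add_rule("permit", rule_id=2, protocol="tcp",
                 source=("10.110.0.0", "0.0.255.255"))
    packets = {                                               # constructed
        "icmp_anywhere": {"protocol": "icmp", "src": "9.9.9.9", "dst": "8.8.8.8"},
        "udp_1_to_2": {"protocol": "udp", "src": "1.1.1.1", "dst": "2.2.2.2"},
        "tcp_inside_16": {"protocol": "tcp", "src": "10.110.42.7", "dst": "5.5.5.5"},
        "tcp_outside_16": {"protocol": "tcp", "src": "10.111.0.1", "dst": "5.5.5.5"},
    }
    result = {name: adv.classify(pkt) for name, pkt in packets.items()}
    result["basic_rule_id"] = basic.rules[0].rule_id
    result["basic_host"] = basic.classify({"protocol": "ip", "src": "10.1.1.1", "dst": "0.0.0.0"})
    result["basic_other"] = basic.classify({"protocol": "ip", "src": "10.1.1.2", "dst": "0.0.0.0"})
    return result
```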
Applicable Environment
Figure 2-7 Typical application environment of an Ethernet frame header-based ACL (Network A, MAC 1-1-1 1-1-1; Network B, MAC 2-2-2 0-0-1; Network C, MAC 4-4-4 0-0-0; Network D, MAC 3-3-3 1-1-0; attached through RouterA to RouterD, which are interconnected through Router E; MAC frames traverse Router E)
As shown in Figure 2-7, an Ethernet frame header-based ACL is created on Router E. Router
E needs to filter packets from Network A and Network B according to source MAC addresses
or filter packets destined for Network C and Network D according to destination MAC addresses.
Pre-configuration Tasks
Before configuring an Ethernet Frame Header-based ACL, complete the following tasks:
l Configuring the parameters of the link layer protocol for interfaces to ensure that the link layer protocol status of the interface is Up
Configuration Procedure
Figure 2-8 Flowchart for configuring an Ethernet frame header-based ACL
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 4 Run:
commit
Prerequisite
The configuration of the Ethernet frame header-based ACL is complete.
Procedure
Step 1 Run the display acl { acl-number | all } command to view the configuration of the Ethernet
frame header-based ACL.
----End
Example
Run the preceding command, and you can view the ACL number, number of ACL rules, ACL
step, and rule contents.
<HUAWEI> display acl 4001
Ethernet frame ACL 4001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003 (0 times matched)
rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002 (2 times matched)
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the MPLS-based ACL is complete.
Procedure
l
Run the display acl { acl-number | all } command to check the configured ACL rule.
----End
Example
After running the preceding command, you can view the ACL number, number of ACL rules,
and rule contents.
<HUAWEI> display acl 10001
Mpls ACL 10001, 2 rules
Acl's step is 5
rule 5 permit exp 2 any any any (0 times matched)
rule 10 permit ttl gt 2 any any (0 times matched)
Applicable Environment
To control certain types of traffic in a specified period, you can configure the validity period of
an ACL rule to determine the time traffic passes. For example, to ensure reliable transmission
of video traffic at prime time at night, you need to limit the volume of traffic for common online
users.
After this configuration task is performed, a time range is created. Then, you can specify the
time range as the validity period when creating an ACL rule.
The validity period of an ACL rule can be either of the following types:
l Relative time range: The validity period is a periodic period, for example, each Monday.
Pre-configuration Tasks
Before configuring the Validity Period of an ACL Rule, complete the following tasks:
l Configuring the parameters of the link layer protocol for interfaces to ensure that the link layer protocol status of the interface is Up
l Configuring an ACL
Configuration Procedure
Figure 2-9 Flowchart for configuring the validity period of an ACL rule
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
If a time range that does not exist is specified for an ACL rule, the rule is invalid.
Step 4 Run:
commit
Prerequisite
The configuration of the validity period for an ACL rule is complete.
Procedure
Step 1 Run the display time-range { time-name | all } to view the validity period for the ACL rule.
----End
Example
Run the display time-range command, and the configuration and status of the validity period
for the ACL rule are displayed.
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
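As an added example (not Huawei's code), the following Python parses the display time-range output above, recomputes the Active/Inactive state of each range against the device clock the output reports, and shows the state of a rule that references a time range, including a name that does not exist. It assumes that an end time of 00:00 in a daily range means the end of the day.

```python
"""Model of ACL time ranges as shown in the display time-range output (added
example, not Huawei code). Assumption: an end time of 00:00 in a daily range
means the end of the day."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Copied from the display time-range all output shown above.
SAMPLE_OUTPUT = """\
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
"""


@dataclass(frozen=True)
class RelativeRange:
    """Periodic validity period, e.g. '10:00 to 12:00 daily'."""
    start: time
    end: time

    def is_active(self, now: datetime) -> bool:
        t = now.time()
        if self.end == time(0, 0):          # assumption: 00:00 = end of the day
            return t >= self.start
        return self.start <= t < self.end


@dataclass(frozen=True)
class AbsoluteRange:
    """One-off validity period, e.g. 'from 13:00 2006/4/1 to 23:59 2099/12/31'."""
    start: datetime
    end: datetime

    def is_active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


def parse_display_time_range(text: str):
    """Return (device clock, {name: range}) from display time-range output.
    The Active/Inactive flags in the output are ignored so they can be recomputed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    clock = re.match(r"Current time is (\d\d:\d\d:\d\d) (\d+)-(\d+)-(\d{4})", lines[0])
    hms, month, day, year = clock.groups()          # month-day-year order
    now = datetime.strptime(f"{year}-{month}-{day} {hms}", "%Y-%m-%d %H:%M:%S")
    ranges, name = {}, None
    for line in lines[1:]:
        head = re.match(r"Time-range : (\S+)", line)
        if head:
            name = head.group(1)
            continue
        rel = re.fullmatch(r"(\d\d:\d\d) to (\d\d:\d\d) daily", line)
        if rel:
            start, end = (datetime.strptime(x, "%H:%M").time() for x in rel.groups())
            ranges[name] = RelativeRange(start, end)
            continue
        ab = re.fullmatch(r"from (\d\d:\d\d) (\S+) to (\d\d:\d\d) (\S+)", line)
        if ab:
            ranges[name] = AbsoluteRange(
                datetime.strptime(f"{ab.group(2)} {ab.group(1)}", "%Y/%m/%d %H:%M"),
                datetime.strptime(f"{ab.group(4)} {ab.group(3)}", "%Y/%m/%d %H:%M"))
    return now, ranges


def range_status(text: str = SAMPLE_OUTPUT) -> dict:
    """Recompute the Active/Inactive column for every range in the output."""
    now, ranges = parse_display_time_range(text)
    return {name: ("Active" if r.is_active(now) else "Inactive")
            for name, r in ranges.items()}


def rule_state(ranges: dict, time_name: Optional[str], now: datetime) -> str:
    """State of an ACL rule carrying 'time-range time-name'. A name that does
    not exist makes the rule invalid, as the configuration procedure notes."""
    if time_name is None:
        return "effective"
    if time_name not in ranges:
        return "invalid"
    return "effective" if ranges[time_name].is_active(now) else "not effective"
```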
Context
CAUTION
ACL statistics cannot be restored after being cleared. So, confirm the action before you run the
following command.
Procedure
Step 1 After confirming that the ACL statistics need to be cleared, run the reset acl counter { acl-number |
name acl-name | all } command in the user view.
----End
Context
In routine maintenance, you can run either of the following commands in any view to view the
ACL operation.
Procedure
l Run:
display acl { acl-number | name acl-name | all }
l Run:
display time-range { time-name | all }
If multiple devices on the same network segment have the same network ID, they belong to the
same network regardless of their physical locations.
The increasing complexity of networks and emergence of new technologies pose requirements
for higher network security. By controlling ICMP packets and IP packets carrying options, you
can defend networks against attacks utilizing the two types of packets, thus improving device
performance and ensuring the normal operation of networks.
Configurations of IP Addresses
The NE5000E supports IP address configuration through the following methods:
l
The NE5000E supports the overlapping of network segment addresses to save the address space.
l Different interfaces on the same device can be configured with IP addresses that have overlapped network segments but are not the same. For example, after configuring the IP address 20.1.1.1/16 for an interface on a device, if you configure the IP address 20.1.1.2/24 for another interface, the system displays a prompt. The configuration, however, still succeeds. If you configure the IP address 20.1.1.2/16 for another interface, the system prompts an IP address conflict, and the configuration fails.
l An interface can be configured with primary and secondary IP addresses that have overlapped network segments. For example, after configuring a primary IP address 20.1.1.1/24 for an interface, if you configure the IP address 20.1.1.2/16 sub as the secondary IP address, the system displays a prompt. The configuration, however, still succeeds.
l Different interfaces on the same device can be configured with primary and secondary IP addresses that have overlapped network segments but are not the same. For example, after configuring the IP address 20.1.1.1/16 for an interface on a device, if you configure the IP address 20.1.1.2/24 sub for another interface, the system displays a prompt. The configuration, however, still succeeds.
To save the IP address space, the NE5000E allows IP addresses with 31-bit masks on interfaces.
After an interface is configured with an IP address with a 31-bit mask, there are only two IP
addresses on the same network segment, that is, the network segment address and broadcast
address of the network segment. The two addresses are called host addresses.
You can configure an IP address with a 31-bit mask for a Point-to-Point (P2P), Non-Broadcast
Multiple Access (NBMA), broadcast, or loopback interface. If you configure an IP address with
a 31-bit mask for a non-P2P interface, the system prompts you to confirm the configuration to
protect broadcast links. For example, if an Ethernet interface on a device is assigned an IP address
with a 31-bit mask, the router can access only one host rather than all hosts on the directly
connected subnet. On a broadcast backbone network, if a P2P link exists, you can configure IP
addresses with 31-bit masks to save the IP address space.
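As an added example (not Huawei's code), the following Python applies the address rules stated in the two passages above: overlapped but different network segments are accepted with a prompt, the same network segment on another interface is an address conflict, a 31-bit mask leaves exactly two host addresses, and a 31-bit address on a non-P2P interface triggers a confirmation prompt. The 192.168.0.0/31 and 192.168.0.0/30 values are constructed sample input; the interface type names passed to mask31_action are the example's own labels, not a device API.

```python
"""Checks modelling the interface address rules stated above (added example,
not Huawei code): overlap prompts, address conflicts and 31-bit masks."""
from ipaddress import IPv4Interface, IPv4Network


def check_new_address(existing: list, new: str) -> str:
    """Classify a candidate address (e.g. '20.1.1.2/24') against the addresses
    already configured on the device.
    'ok'       disjoint network segments
    'prompt'   overlapped but different segments: a prompt, configuration succeeds
    'conflict' identical network segment: configuration fails"""
    cand = IPv4Interface(new)
    verdict = "ok"
    for addr in existing:
        cur = IPv4Interface(addr)
        if cur.network == cand.network:
            return "conflict"
        if cur.network.overlaps(cand.network):
            verdict = "prompt"
    return verdict


def host_addresses(cidr: str) -> list:
    """Host addresses on a segment. With a 31-bit mask the network address and
    the broadcast address are the two host addresses; with shorter masks they
    are excluded as usual."""
    net = IPv4Network(cidr, strict=False)
    if net.prefixlen == 31:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def mask31_action(cidr: str, interface_type: str) -> str:
    """Outcome of configuring an address on an interface as the text states.
    interface_type (labels of this example): 'p2p', 'nbma', 'broadcast' or
    'loopback'. A 31-bit mask on a non-P2P interface is allowed but asks for
    confirmation, because on a broadcast link the router then reaches a single
    host rather than the whole directly connected subnet."""
    if IPv4Interface(cidr).network.prefixlen != 31:
        return "configured"
    return "configured" if interface_type == "p2p" else "confirm"


def demo() -> dict:
    """The cases from the text, evaluated by the functions above."""
    return {
        "16_then_24_other_if": check_new_address(["20.1.1.1/16"], "20.1.1.2/24"),
        "16_then_16_other_if": check_new_address(["20.1.1.1/16"], "20.1.1.2/16"),
        "24_primary_then_16_sub": check_new_address(["20.1.1.1/24"], "20.1.1.2/16"),
        "disjoint": check_new_address(["20.1.1.1/16"], "30.1.1.1/24"),
        "hosts_31": host_addresses("192.168.0.0/31"),      # constructed
        "hosts_30": host_addresses("192.168.0.0/30"),      # constructed
        "31_on_ethernet": mask31_action("192.168.0.0/31", "broadcast"),
        "31_on_p2p": mask31_action("192.168.0.0/31", "p2p"),
        "24_on_ethernet": mask31_action("192.168.0.1/24", "broadcast"),
    }
```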
Timestamp option
The NE5000E supports the control of the following types of Internet Control Message Protocol
(ICMP) packets:
l
Applicable Environment
Before running IP services on interfaces, you need to configure IP addresses for interfaces. Each
interface on a device can be configured with multiple IP addresses, of which one is the primary
IP address and the others are secondary IP addresses.
Generally, an interface needs to be configured with only a primary IP address. In some special
scenarios, an interface also needs to be configured with secondary IP addresses. For example, a
device connects to a physical network through an interface, and hosts on this network belong to
two Class C networks. In this case, to ensure that the device communicates with all hosts on this
network, you need to configure a primary IP address and a secondary IP address for this interface.
Pre-configuration Tasks
Before configuring IP addresses for interfaces, complete the following tasks:
l Configuring link layer parameters for interfaces to ensure that the link layer protocol status of the interfaces is Up
Configuration Procedures
Figure 3-1 Procedures for configuring IP addresses (mandatory procedure: configure a primary IP address for an interface; optional procedure: configure a secondary IP address for an interface)
Procedure
Step 1 Run:
system-view
Context
Configuring secondary IP addresses for an interface is an optional procedure. It is performed
only when an interface requires multiple IP addresses.
For example, if an interface on a device is configured with one primary IP address and two
secondary IP addresses, this interface can be connected to three networks with different network
IDs.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of IP addresses are complete.
Procedure
l
----End
Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the interface.
<RouterA> display interface gigabitethernet 1/1/0
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
Description: HUAWEI, GigabitEthernet1/1/0 Interface (ifindex: 10, vr: 0)
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 11.1.1.1/24
Internet Address is 11.1.2.1/24 Sub
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address 3870-1210-0300
Last physical up time   : 2010-02-06 15:19:40
Last physical down time : 2010-02-06 15:19:40
Current system time: 2010-02-06 17:36:40
Statistics last cleared:
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 0 bytes, 54025 packets
Output: 0 bytes, 0 packets
Input:
Unicast: 0 packets, Multicast: 7106 packets
Broadcast: 46919 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 11661289460833714176 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 2715105531 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets
Applicable Environment
If devices are connected through Point-to-Point Protocol (PPP) links, interfaces on the client can
obtain IP addresses from the server through negotiation. This is applicable when the client
accesses the Internet by connecting to the Internet Service Provider (ISP) through PPP links (for
example by dial-up). In this case, the ISP device assigns an IP address to the client through
negotiation.
As shown in Figure 3-2, after the interfaces that directly connect Router A on the server side
to Router B on the client side are encapsulated with PPP, the client can obtain an IP address
from the server through negotiation.
Figure 3-2 Networking diagram (RouterA, POS 1/0/0 192.168.1.1/24, on the server side; RouterB, POS 1/0/0 192.168.1.2, on the client side; Ethernet on either side)
PPP supports IP address negotiation. Therefore, you can configure IP address negotiation
for an interface only after the interface is encapsulated with PPP. If the PPP status is Down,
the IP address generated during negotiation is deleted.
Pre-configuration Tasks
Before configuring IP address negotiation on interfaces, complete the following tasks:
l Configuring IP addresses for interfaces on the server to ensure that the link layer protocol status of the interfaces is Up
l Configuring physical parameters and the link layer protocol PPP for interfaces on the client
Configuration Procedures
Figure 3-3 Configuring IP address negotiation on interfaces
Context
The IP address to be assigned to the remote device must not conflict with any IP address configured on the local device.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface that is directly connected to the client is displayed.
IP address negotiation can be configured only on a PPP-encapsulated interface.
Step 3 Run:
remote address ip-address
The IP address to be assigned to the client is configured.
Step 4 Run:
commit
The configuration is committed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface that is directly connected to the server is displayed.
IP address negotiation can be configured only on a PPP-encapsulated interface.
Step 3 Run:
ip address ppp-negotiate
The interface is configured to obtain its IP address from the server through PPP negotiation.
Step 4 Run:
commit
The configuration is committed.
Prerequisite
The configurations of IP address negotiation are complete.
Procedure
- Run the display interface [ interface-type interface-number ] command to check the IP address that the interface on the client obtained through negotiation.
----End
Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the interface on the client.
[~RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : DOWN
Description: HUAWEI, pos 1/0/0 Interface (ifindex: 10, vr: 0)
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/24
Applicable Environment
In some situations, to save IP address resources, you need to configure an interface to borrow
an IP address from another interface. You can configure an interface that is occasionally used
to borrow an IP address, instead of configuring a new IP address for the interface.
Restrictions on configuring IP unnumbered on an interface are as follows:
- If the numbered interface has multiple IP addresses, the IP address to be lent must be the primary IP address.
- If the numbered interface is not configured with an IP address, the unnumbered interface borrows the IP address 0.0.0.0.
- The IP address of a virtual loopback interface can be borrowed by other interfaces, but a virtual loopback interface cannot borrow an IP address from another interface.
Pre-configuration Tasks
Before configuring IP unnumbered on an interface, complete the following tasks:
- Configuring the link layer protocol on the unnumbered interface and the numbered interface
Configuration Procedures
Figure 3-4 Procedures for configuring IP unnumbered
Context
Configuring IP unnumbered aims to save IP address resources. You can configure an interface
that is occasionally used to borrow an IP address, instead of configuring a new IP address for
the interface.
Procedure
Step 1 Run:
system-view
Context
Configuring IP unnumbered aims to save IP address resources. You can configure an interface
that is occasionally used to borrow an IP address, instead of configuring a new IP address for
the interface.
NOTE
The configuration procedure described in this section involves only configuring an interface to borrow an
IP address. The unnumbered interface has no IP address, and thus dynamic routing protocols cannot run
on this interface. In this case, you need to configure a static route to the remote network segment for
communication between devices.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of IP unnumbered are complete.
Procedure
- Run the display interface [ interface-type interface-number ] command to check the IP address borrowed by the unnumbered interface.
----End
Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the unnumbered interface.
<RouterA> display interface pos 1/1/0
pos1/1/0 current state : UP
Line protocol current state : UP
Description: HUAWEI, Pos 1/1/0 Interface (ifindex: 8, vr: 0)
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet1/0/0 (172.16.10.1/24)
Link layer protocol is PPP
Current BW: 100 Mbits
Statistics last cleared:never
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Input error: 0 shortpacket, 0 longpacket, 0 CRC, 0 lostpacket
Output: 0 packets, 0 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets
Applicable Environment
The route-related options in an IP packet (route alert, record route, source route, and timestamp) can be used for link fault diagnosis and for the temporary transmission of special services. The same options can be used by an attacker: record route and timestamp options reveal the addresses of the routers along a path, and source route options let the sender dictate the path a packet takes, which can bypass path-based filtering. By configuring whether the system processes IP packets that carry route options, you can defend the network against attacks that use these packets.
Attackers also scan networks with various packets and read the ICMP packets that devices send in reply to learn about the network before launching attacks. ICMP packets can also be used to disrupt normal packet transmission on a device and so keep it from providing service. By controlling whether the device sends or receives ICMP packets, you can defend the network against attacks that use them. Note that disabling ICMP wholesale also removes messages that normal operation depends on, such as the fragmentation-needed message used by path MTU discovery, so disable only the packet types you do not need.
Pre-configuration Tasks
Before configuring the security of the IPv4 protocol stack, complete the following tasks:
- Setting parameters of the link layer protocols for the interfaces to ensure that the status of the link layer protocols on the interfaces is Up
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.
Context
IP packets can carry the following route options:
- Route alert option
- Record route option
- Source route option
- Timestamp option
Generally, these options are used for link fault diagnosis and temporary transmission of special services. They can also be used by attackers to probe the network structure and launch attacks, so you need to decide whether the system should process IP packets carrying route options.
By default, the device processes IP packets carrying route options. To defend the network against attacks that use such packets, disable the processing of the corresponding options as follows.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run one or more of the following commands as required:
- Run:
undo ip option route-alert enable
The system is disabled from processing IP packets carrying route alert options.
- Run:
undo ip option route-record enable
The system is disabled from processing IP packets carrying record route options.
- Run:
undo ip option source-route enable
The system is disabled from processing IP packets carrying source route options.
- Run:
undo ip option time-stamp enable
The system is disabled from processing IP packets carrying timestamp options.
By default, the system processes IP packets carrying route options.
Step 3 Run:
commit
The configuration is committed.
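Each of the undo commands above suppresses one class of IPv4 option. The following Python script, an added example rather than Huawei's code, parses the option field of an IPv4 header, maps each option onto the command keyword that covers it, and reports whether a packet would be dropped under a given set of disabled keywords. The grouping of IANA option numbers under the four keywords, the sample packets, and the helper names are assumptions of this example.

```python
"""Classify IPv4 header options by the NE5000E 'ip option ... enable' keyword that
covers them.  Added example, not Huawei code; the OPTION_TO_COMMAND grouping is an
assumption about which IANA option numbers each keyword controls."""
import struct
from typing import Dict, List, Set, Tuple

# IANA option type byte (copy flag | class | number) -> page's command keyword (assumed mapping)
OPTION_TO_COMMAND: Dict[int, str] = {
    7:   "route-record",   # Record Route (RFC 791)
    68:  "time-stamp",     # Internet Timestamp (RFC 791)
    131: "source-route",   # Loose Source and Record Route (RFC 791)
    137: "source-route",   # Strict Source and Record Route (RFC 791)
    148: "route-alert",    # Router Alert (RFC 2113)
}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option field and return (type, data) pairs; a malformed length raises."""
    opts: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        t = raw[i]
        if t == 0:            # End of Option List
            break
        if t == 1:            # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for type %d" % (length, t))
        opts.append((t, raw[i + 2:i + length]))
        i += length
    return opts


def parse_ipv4(pkt: bytes) -> Tuple[str, str, List[Tuple[int, bytes]]]:
    """Return (src, dst, options) of a raw IPv4 packet after checking IHL and header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, parse_options(pkt[20:ihl])


def route_option_verdict(pkt: bytes, disabled: Set[str]) -> Tuple[str, List[str]]:
    """Return ('drop' or 'accept', keywords present).  The packet is dropped when it
    carries an option whose keyword has been disabled with 'undo ip option <keyword> enable'."""
    _, _, opts = parse_ipv4(pkt)
    present = [OPTION_TO_COMMAND[t] for t, _ in opts if t in OPTION_TO_COMMAND]
    verdict = "drop" if any(k in disabled for k in present) else "accept"
    return verdict, present


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a test packet (TTL 64, protocol 1) with a valid header checksum."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    options += b"\x00" * (-len(options) % 4)           # pad option field to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, 1, 0, addr(src), addr(dst)) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: a loose-source-routed packet naming 192.0.2.1 as the next hop,
# and a Router Alert packet of the kind RSVP or IGMP sends.
LSRR_OPTION = bytes([131, 7, 4]) + bytes([192, 0, 2, 1])
ROUTER_ALERT_OPTION = bytes([148, 4, 0, 0])
LSRR_PACKET = build_ipv4("198.51.100.7", "192.0.2.10", LSRR_OPTION)
ALERT_PACKET = build_ipv4("198.51.100.7", "192.0.2.10", ROUTER_ALERT_OPTION)
PLAIN_PACKET = build_ipv4("198.51.100.7", "192.0.2.10")

if __name__ == "__main__":
    hardened = {"source-route", "route-record", "time-stamp"}   # what the three undo commands remove
    for name, p in [("lsrr", LSRR_PACKET), ("alert", ALERT_PACKET), ("plain", PLAIN_PACKET)]:
        print(name, route_option_verdict(p, hardened))
```

Router Alert is left enabled in the sample policy because control-plane protocols such as RSVP depend on it; the parser rejects malformed option lengths outright rather than skipping them, since a length that runs past the header is itself a classic way to confuse option processing.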
Context
Many attacks and reconnaissance techniques rely on ICMP packets. To protect the network, you can use commands to control whether the system sends or receives ICMP packets.
To defend the network against attacks that use ICMP packets, disable the sending or receiving of the ICMP packet types you do not need as follows.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
undo icmp receive
or
undo icmp send
The system is disabled from receiving or sending ICMP packets. The ICMP packet names that can be specified, with their type and code values, are listed in the following table:
name                  type  code
echo                  8     0
echo-reply            0     0
fragmentneed-dfset    3     4
host-redirect         5     1
host-tos-redirect     5     3
host-unreachable      3     1
information-reply     16    0
information-request   15    0
net-redirect          5     0
net-tos-redirect      5     2
net-unreachable       3     0
parameter-problem     12    0
port-unreachable      3     3
protocol-unreachable  3     2
reassembly-timeout    11    1
source-quench         4     0
source-route-failed   3     5
timestamp-reply       14    0
timestamp-request     13    0
ttl-exceeded          11    0
Step 3 Run:
commit
The configuration is committed.
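As an added example (not Huawei code), the following Python script turns the table above into a lookup, verifies the checksum of ICMP messages, and sorts inbound messages into those that answer a scanner's probes and those that normal forwarding relies on. The type and code numbers follow RFC 792 (and RFC 1191 for fragmentation needed), the sample messages are constructed, and the recommendation split is this example's judgement rather than anything the page prescribes.

```python
"""Map ICMP type/code values to the packet names in the NE5000E table and sort
received messages by what disabling them would cost.  Added example, not Huawei
code; the RECON/NEEDED/REDIRECTS split is this example's own judgement."""
import struct
from typing import Dict, List, Optional, Tuple

# (type, code) -> name used by the page's table; values per RFC 792 and RFC 1191
ICMP_NAMES: Dict[Tuple[int, int], str] = {
    (0, 0): "echo-reply",           (8, 0): "echo",
    (3, 0): "net-unreachable",      (3, 1): "host-unreachable",
    (3, 2): "protocol-unreachable", (3, 3): "port-unreachable",
    (3, 4): "fragmentneed-dfset",   (3, 5): "source-route-failed",
    (4, 0): "source-quench",
    (5, 0): "net-redirect",         (5, 1): "host-redirect",
    (5, 2): "net-tos-redirect",     (5, 3): "host-tos-redirect",
    (11, 0): "ttl-exceeded",        (11, 1): "reassembly-timeout",
    (12, 0): "parameter-problem",
    (13, 0): "timestamp-request",   (14, 0): "timestamp-reply",
    (15, 0): "information-request", (16, 0): "information-reply",
}

# Requests whose replies tell a scanner the router is alive and leak clock or addressing
# details, versus errors that path MTU discovery and traceroute depend on.  Redirects are
# separate: accepting them lets an on-link host rewrite the router's forwarding decisions.
RECON_REQUESTS = {"echo", "timestamp-request", "information-request"}
NEEDED_ERRORS = {"fragmentneed-dfset", "ttl-exceeded", "port-unreachable",
                 "host-unreachable", "net-unreachable"}
REDIRECTS = {"net-redirect", "host-redirect", "net-tos-redirect", "host-tos-redirect"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole ICMP message; 0 means the stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes) -> Tuple[int, int]:
    """Return (type, code) after checking the minimum length and the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return msg[0], msg[1]


def icmp_name(icmp_type: int, code: int) -> Optional[str]:
    """Name from the page's table, or None for a type/code the table does not list."""
    return ICMP_NAMES.get((icmp_type, code))


def recommend(name: Optional[str]) -> str:
    """Policy suggestion for an inbound message with this name."""
    if name in RECON_REQUESTS or name in REDIRECTS:
        return "disable-receive"     # candidate for 'undo icmp receive' with this name
    if name in NEEDED_ERRORS:
        return "keep"
    return "review"


def audit(messages: List[bytes]) -> List[Tuple[Optional[str], str]]:
    """Classify each message; undecodable ones are reported as ('invalid', 'drop')."""
    out: List[Tuple[Optional[str], str]] = []
    for m in messages:
        try:
            t, c = parse_icmp(m)
        except ValueError:
            out.append(("invalid", "drop"))
            continue
        name = icmp_name(t, c)
        out.append((name, recommend(name)))
    return out


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x00\x00\x00", body: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (constructed test input)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]


# Constructed samples: echo request, timestamp request, PMTUD "fragmentation needed",
# host redirect, and an echo request whose checksum has been corrupted.
SAMPLES = [
    build_icmp(8, 0, b"\x12\x34\x00\x01", b"abcdefgh"),
    build_icmp(13, 0, b"\x00\x01\x00\x01", b"\x00" * 12),
    build_icmp(3, 4, b"\x00\x00\x05\xdc", b"\x45" + b"\x00" * 27),
    build_icmp(5, 1, bytes([192, 0, 2, 254]), b"\x45" + b"\x00" * 27),
    build_icmp(8, 0)[:2] + b"\xff\xff" + build_icmp(8, 0)[4:],
]

if __name__ == "__main__":
    for name, advice in audit(SAMPLES):
        print(name, advice)
```

The point of the split is that the page's "disable ICMP to defend against attacks" advice has a cost: the fragmentation-needed message is what makes path MTU discovery work, and dropping it silently breaks large transfers through a path with a smaller MTU.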
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of the security of the IPv4 protocol stack are complete.
Procedure
- Run the display icmp statistics command to check ICMP traffic statistics.
- Run the display ip statistics command to check IP traffic statistics.
----End
Example
Run the display icmp statistics command, and you can view ICMP traffic statistics.
<HUAWEI> display icmp statistics
  Input:  bad format       0        bad checksum             0
          echo             0        destination unreachable  0
          source quench    0        redirects                0
          echo reply       0        parameter problem        0
          timestamp        0        information request      0
          mask requests    0        mask replies             0
          time exceeded    0        other                    0
          Mping request    0        Mping reply              0
  Output: echo             0        destination unreachable  0
          source quench    0        redirects                0
          echo reply       0        parameter problem        0
          timestamp        0        information request      0
          mask requests    0        mask replies             0
          time exceeded    0        Mping reply              0
          Mping request    0
Run the display ip statistics command, and you can view IP traffic statistics.
<HUAWEI> display ip statistics
  Input:        sum                2061     local            392
                bad protocol       0        bad format       87
                bad checksum       0        bad options      0
                discard srr        0        TTL exceeded     0
  Output:       forwarding         0        local            0
                dropped            0        no route         0
  Fragment:     input              0        output           0
                dropped            0        fragmented       0
                couldn't fragment  0
  Reassembling: sum                0        timeouts         0
Applicable Environment
None.
Pre-configuration Tasks
None.
Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.
Context
The TCP timers are as follows:
- The SYN-Wait timer: when TCP sends a SYN packet, it starts the SYN-Wait timer. If no response is received before the timer expires, the TCP connection is terminated. The SYN-Wait timeout ranges from 2 seconds to 600 seconds, and the default value is 75 seconds.
- The FIN-Wait timer: when the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer starts. If no FIN packet is received before the timer expires, the TCP connection is terminated. The FIN-Wait timeout ranges from 76 seconds to 3600 seconds, and the default value is 675 seconds.
Both timers bound how long a half-open or half-closed connection holds resources on the device; shortening them limits the effect of peers that never complete or never close a connection.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of the TCP function are complete.
Procedure
- Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ] command to check the TCP connection status.
- Run the display tcp statistics command to check the TCP traffic statistics.
----End
Example
Run the display tcp status command. If information about the TCP connection status is displayed, the configuration has succeeded. For example:
<HUAWEI> display tcp status
-------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port    Foreign Addr:Port    VPNID State
-------------------------------------------------------------------------------
0x80C8272D/2    0.0.0.0:23         0.0.0.0:0            42949 LISTEN
0x80932727/6    0.0.0.0:22         0.0.0.0:0            42949 LISTEN
-------------------------------------------------------------------------------
In this output the device is listening on TCP port 23 (Telnet) as well as port 22 (SSH), on all addresses. Telnet carries login credentials in cleartext; on a production router, manage the device over SSH, disable the Telnet server, and restrict access to the remaining listener with an ACL.
Run the display tcp statistics command. If TCP traffic statistics are displayed, the configuration has succeeded. For example:
<HUAWEI> display tcp statistics
------------------------ Display TCP Statistics ----------------------
Received packets:
Total: 0
Packets in sequence: 0 (bytes)
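The following Python script, an added example rather than Huawei code, parses a display tcp status table like the one above and flags listening sockets that run cleartext management services or accept connections on every address. The third, established row in the sample text and the port-to-service names are this example's assumptions.

```python
"""Audit the listeners shown by 'display tcp status'.  Added example, not Huawei code;
the sample text is constructed to match the page's output plus one established session,
and CLEARTEXT_SERVICES is this example's list."""
import re
from typing import Dict, List

SAMPLE_TCP_STATUS = """\
<HUAWEI> display tcp status
-------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port    Foreign Addr:Port    VPNID State
-------------------------------------------------------------------------------
0x80C8272D/2    0.0.0.0:23         0.0.0.0:0            42949 LISTEN
0x80932727/6    0.0.0.0:22         0.0.0.0:0            42949 LISTEN
0x80932728/7    192.0.2.1:22       198.51.100.9:50514   42949 ESTABLISHED
-------------------------------------------------------------------------------
"""

# One data row: Pid/SocketID, Local Addr:Port, Foreign Addr:Port, VPNID, State
ROW = re.compile(
    r"^(?P<pid>0x[0-9A-Fa-f]+)/(?P<sock>\d+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+)\s+"
    r"(?P<vpn>\d+)\s+(?P<state>[A-Z_]+)\s*$"
)

# Management services that send credentials without encryption (example's list)
CLEARTEXT_SERVICES = {23: "telnet", 21: "ftp", 80: "http"}


def parse_tcp_status(text: str) -> List[Dict[str, object]]:
    """Return one dict per socket row; header, rule and prompt lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({"pid": d["pid"], "socket": int(d["sock"]),
                     "laddr": d["laddr"], "lport": int(d["lport"]),
                     "faddr": d["faddr"], "fport": int(d["fport"]),
                     "vpn": int(d["vpn"]), "state": d["state"]})
    return rows


def audit_listeners(rows: List[Dict[str, object]]) -> List[str]:
    """One finding per LISTEN socket that is a cleartext service or bound to every address."""
    findings: List[str] = []
    for r in rows:
        if r["state"] != "LISTEN":
            continue
        where = "%s:%d" % (r["laddr"], r["lport"])
        svc = CLEARTEXT_SERVICES.get(r["lport"])  # type: ignore[arg-type]
        if svc:
            findings.append("%s cleartext %s listener: credentials cross the network "
                            "unprotected; use SSH and disable the service" % (where, svc))
        elif r["laddr"] == "0.0.0.0":
            findings.append("%s listener bound to all addresses: restrict it with an ACL "
                            "to the management network" % where)
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_tcp_status(SAMPLE_TCP_STATUS)):
        print(finding)
```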
Context
In routine maintenance, you can run the following commands in any view to check the IPv4 running status.
Procedure
- Run the display interface brief command in any view to view brief information about interfaces.
- Run the display ip statistics command in any view to view IP traffic statistics.
- Run the display icmp statistics command in any view to view ICMP traffic statistics.
- Run the display ip socket command in any view to view information about the created IPv4 sockets.
- Run the display rawip status command in any view to view information about IPv4 RawIP connections.
- Run the display rawlink status command in any view to view information about IPv4 Rawlink connections.
----End
Context
CAUTION
ICMP and IP traffic statistics cannot be restored after being cleared. Confirm the action before you run the command.
Procedure
- After confirming that you need to clear IP and ICMP traffic statistics, run the reset ip statistics command in the user view.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-5, GE 1/0/1 on the device is connected to a Local Area Network (LAN),
in which hosts belong to two network segments 172.16.1.0/24 and 172.16.2.0/24. It is required
that the device communicate with the two network segments. Hosts on the network segment
172.16.1.0/24 cannot communicate with hosts on the network segment 172.16.2.0/24.
Figure 3-5 (networking diagram): GE 1/0/1 on the Router is configured with the primary IP address 172.16.1.1/24 and the secondary IP address 172.16.2.1/24 and connects to the LAN that contains the network segments 172.16.1.0/24 and 172.16.2.0/24.
Configuring Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1.
Analyze the address of the network segment to which the interface is connected.
2.
Configure a primary IP address for the interface and then configure one or multiple
secondary IP addresses for the interface.
NOTE
The primary and secondary IP addresses of an interface may belong to overlapping network segments but cannot be identical. The secondary IP addresses of an interface must belong to different network segments.
Data Preparation
To complete the configuration, you need the following data:
- Primary IP address 172.16.1.1/24 and secondary IP address 172.16.2.1/24 of GE 1/0/1
Procedure
Step 1 Configure the device.
# Configure primary and secondary IP addresses for GE 1/0/1 on the device.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[~HUAWEI] commit
[~Router] interface gigabitethernet 1/0/1
[~Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[~Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub
[~Router-GigabitEthernet1/0/1] undo shutdown
[~Router-GigabitEthernet1/0/1] commit
[~Router-GigabitEthernet1/0/1] quit
# Ping the host on the network segment 172.16.2.0 from the device. Then, the ping operation
succeeds.
[~Router] ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=13 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
# The hosts on the two network segments cannot ping each other successfully.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
admin
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-6, Router A assigns an IP address to POS 1/0/0 on Router B through PPP
negotiation.
Figure 3-6 Configuring IP address negotiation on interfaces: POS 1/0/0 on Router A (192.168.1.1/24) is directly connected to POS 1/0/0 on Router B, which obtains its IP address through PPP negotiation. Each router also connects to an Ethernet network.
Configuring Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for POS 1/0/0 on Router A, the server side.
2. On POS 1/0/0 of Router A, configure the IP address to be assigned to Router B.
3. Configure POS 1/0/0 on Router B, the client side, to obtain its IP address through PPP negotiation.
Data Preparation
To complete the configuration, you need the following data:
- IP address 192.168.1.1/24 of POS 1/0/0 on Router A
- IP address 192.168.1.2 to be assigned to POS 1/0/0 on Router B
Procedure
Step 1 Configure Router A.
# Configure an IP address for POS 1/0/0 and the IP address to be assigned to Router B.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ip address 192.168.1.1 255.255.255.0
[~RouterA-Pos1/0/0] remote address 192.168.1.2
[~RouterA-Pos1/0/0] shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] quit
Configuration Files
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-7, an enterprise builds its intranet through the ISDN. Router A and Router
B connect to a local LAN through GE interfaces and connect to each other through dialing
interfaces. Each of the two devices connects to the Ethernet through GE 1/0/0 and connects to
the ISDN through POS 2/0/0. To save IP address resources, the dialing interfaces are configured
to borrow IP addresses from GE interfaces.
Figure 3-7 (networking diagram): Router A and Router B each connect to an Ethernet network through GE 1/0/0 and to each other across the ISDN through POS 2/0/0.
Configuring Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for GE 1/0/0 on Router A and Router B.
2. Configure POS 2/0/0 on each router to borrow the IP address of GE 1/0/0.
Data Preparation
To complete the configuration, you need the following data:
- IP address 172.16.10.1/24 of GE 1/0/0 on Router A
- IP address 172.16.20.1/24 of GE 1/0/0 on Router B
Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit
Step 2 Configure Router B.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit
----End
Configuration Files
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-8, Network A and Network B are independent of each other. They access
the Internet through different paths. Network A and Network B access each other through the
same Layer 2 network provided by ISP1.
It is required that Network A and Network B connect to the Layer 2 network provided by ISP1
through Router B, by using IP addresses 192.168.1.11/24 and 192.168.1.12/24 respectively on
the same network segment.
Figure 3-8 Networking diagram of configuring address overlapping on a device
Router A (AS 100) connects through GE1/0/0 (192.168.1.1/24) to the Layer 2 network of ISP1 (AS 200). On Router B in ISP1, GE1/0/0 (192.168.1.11/24) belongs to VPN instance r1 and GE3/0/0 (192.168.1.12/24) to VPN instance r2; both face the same Layer 2 network. Router B reaches Router C in Network A over POS2/0/0 (10.1.1.1/24, in r1; Router C POS2/0/0 is 10.1.1.2/24) and Router D in Network B over POS4/0/0 (20.1.1.1/24, in r2; Router D POS4/0/0 is 20.1.1.2/24).
Configuring Notes
None
Procedure
Step 1 Configure a VPN instance.
# On Router B, create a VPN instance for Network A, and bind the VPN instance to the inbound
interface Gigabit Ethernet 1/0/0 and the outbound interface POS 2/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] ip vpn-instance r1
[~RouterB-vpn-instance-r1] route-distinguisher 100:1
[~RouterB-vpn-instance-r1] quit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip binding vpn-instance r1
[~RouterB-GigabitEthernet1/0/0] ip address 192.168.1.11 24
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit
[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] ip binding vpn-instance r1
[~RouterB-Pos2/0/0] ip address 10.1.1.1 24
[~RouterB-Pos2/0/0] undo shutdown
[~RouterB-Pos2/0/0] quit
# On Router B, create a VPN instance for Network B, and bind the VPN instance to the inbound
interface Gigabit Ethernet 3/0/0 and the outbound interface POS 4/0/0.
[~RouterB] ip vpn-instance r2
[~RouterB-vpn-instance-r2] route-distinguisher 100:2
[~RouterB-vpn-instance-r2] quit
[~RouterB] interface gigabitethernet 3/0/0
[~RouterB-GigabitEthernet3/0/0] ip binding vpn-instance r2
[~RouterB-GigabitEthernet3/0/0] ip address 192.168.1.12 24
[~RouterB-GigabitEthernet3/0/0] undo shutdown
[~RouterB-GigabitEthernet3/0/0] quit
[~RouterB] interface pos 4/0/0
[~RouterB-Pos4/0/0] ip binding vpn-instance r2
[~RouterB-Pos4/0/0] ip address 20.1.1.1 24
[~RouterB-Pos4/0/0] undo shutdown
[~RouterB-Pos4/0/0] quit
Step 2 Establish the EBGP neighbor relationship between Router A and the two inbound interfaces on
Router B.
# Configure Router B.
[~RouterB] bgp 200
[~RouterB-bgp] router-id 100.1.1.1
[~RouterB-bgp] ipv4-family vpn-instance r1
[~RouterB-bgp-r1] peer 192.168.1.1 as-number 100
[~RouterB-bgp-r1] import-route direct
[~RouterB-bgp-r1] quit
[~RouterB-bgp] ipv4-family vpn-instance r2
[~RouterB-bgp-r2] peer 192.168.1.1 as-number 100
[~RouterB-bgp-r2] import-route direct
[~RouterB-bgp-r2] commit
[~RouterB-bgp-r2] quit
# Configure Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit
[~RouterA] bgp 100
[~RouterA-bgp] peer 192.168.1.11 as-number 200
[~RouterA-bgp] peer 192.168.1.12 as-number 200
[~RouterA-bgp] commit
[~RouterA-bgp] quit
Step 3 Configure IP addresses and static routes for Router C and Router D on the local network.
# Configure an IP address and a static route for Router C.
<HUAWEI> system-view
[~HUAWEI] sysname RouterC
[~HUAWEI] commit
[~RouterC] interface pos 2/0/0
[~RouterC-Pos2/0/0] ip address 10.1.1.2 24
[~RouterC-Pos2/0/0] undo shutdown
[~RouterC-Pos2/0/0] quit
[~RouterC] ip route-static 0.0.0.0 0 10.1.1.1
[~RouterC] commit
# Run the display ip routing-table vpn-instance command on Router B. The routing table of each VPN instance contains a default route to Router A and the direct routes of the interfaces bound to that instance.
[~RouterB] display ip routing-table vpn-instance r1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       0.0.0.0/0    Static  60   0         RD    192.168.1.1     GigabitEthernet1/0/0
      10.1.1.0/24   Direct  0    0         D     10.1.1.1        Pos2/0/0
      10.1.1.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
      10.1.1.2/32   Direct  0    0         D     10.1.1.2        Pos2/0/0
   192.168.1.0/24   Direct  0    0         D     192.168.1.11    GigabitEthernet1/0/0
  192.168.1.11/32   Direct  0    0         D     127.0.0.1       InLoopBack0
[~RouterB] display ip routing-table vpn-instance r2
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       0.0.0.0/0    Static  60   0         RD    192.168.1.1     GigabitEthernet3/0/0
      20.1.1.0/24   Direct  0    0         D     20.1.1.1        Pos4/0/0
      20.1.1.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
      20.1.1.2/32   Direct  0    0         D     20.1.1.2        Pos4/0/0
   192.168.1.0/24   Direct  0    0         D     192.168.1.12    GigabitEthernet3/0/0
  192.168.1.12/32   Direct  0    0         D     127.0.0.1       InLoopBack0
# Run the display ip routing-table command on Router A. You can view that the IP routing table on Router A contains the routes to the two local networks.
[~RouterA] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/24   BGP     255  0         D     192.168.1.11    GigabitEthernet1/0/0
      10.1.1.2/32   BGP     255  0         D     192.168.1.11    GigabitEthernet1/0/0
      20.1.1.0/24   BGP     255  0         D     192.168.1.12    GigabitEthernet1/0/0
      20.1.1.2/32   BGP     255  0         D     192.168.1.12    GigabitEthernet1/0/0
     127.0.0.0/8    Direct  0    0         D     127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
   192.168.1.0/24   Direct  0    0         D     192.168.1.1     GigabitEthernet1/0/0
   192.168.1.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
Devices on the two local networks, Network A and Network B, can ping through each other.
----End
Configuration Files
Configuration file of Router B
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance r1
ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance r2
ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
undo shutdown
ip binding vpn-instance r1
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
undo shutdown
ip binding vpn-instance r2
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
#
bgp 200
router-id 100.1.1.1
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance r1
import-route direct
peer 192.168.1.1 as-number 100
#
ipv4-family vpn-instance r2
import-route direct
peer 192.168.1.1 as-number 100
#
ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
#
return
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-9, Router A and Router B are directly connected through a PPP link.
Figure 3-9 Networking diagram of configuring an IP address with a 31-bit mask
Router A (POS1/0/0, 10.1.1.1/31) is directly connected to Router B (POS1/0/0, 10.1.1.0/31).
Configuring Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address with a 31-bit mask for POS 1/0/0 on each router.
2. Check the routing tables to verify that both addresses of the /31 segment are used as host addresses.
Data Preparation
To complete the configuration, you need the following data:
- IP address 10.1.1.1/31 of POS 1/0/0 on Router A
- IP address 10.1.1.0/31 of POS 1/0/0 on Router B
Procedure
Step 1 Configure an IP address for each interface.
# Configure an IP address for POS 1/0/0 on Router A.
<HUAWEI> system-view
# Check the routing table on Router A.
[~RouterA] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/31   Direct  0    0         D     10.1.1.1        Pos1/0/0
      10.1.1.0/32   Direct  0    0         D     10.1.1.0        Pos1/0/0
      10.1.1.1/32   Direct  0    0         D     127.0.0.1       Pos1/0/0
     127.0.0.0/8    Direct  0    0         D     127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
# After the preceding configurations, check the routing table on Router B. In the routing table, you can see that both the network address and the broadcast address of the network segment are used as host addresses.
[~RouterB] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/31   Direct  0    0         D     10.1.1.0        Pos1/0/0
      10.1.1.0/32   Direct  0    0         D     127.0.0.1       Pos1/0/0
      10.1.1.1/32   Direct  0    0         D     10.1.1.1        Pos1/0/0
     127.0.0.0/8    Direct  0    0         D     127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0         D     127.0.0.1       InLoopBack0
----End
Configuration Files
Configuration file of Router A
link-protocol ppp
ip address 10.1.1.1 255.255.255.254
#
return
ECMP: evenly load-balances traffic over multiple equal-cost paths to a single destination,
irrespective of bandwidth. This results in congestion on some paths with lower bandwidth.
Figure (two-level load balancing): Router A distributes its data flows over Outinterface 1 and Outinterface 2; the receiving routers, Router B and Router C, each distribute the flows again over their own Outinterface 1 and Outinterface 2.
To address the preceding problem, Level 2 improved load balancing is configured on Router B's
and Router C's LPUs that receive traffic.
- ECMP: Multiple routes with the same preference to a single destination can be configured on the NE5000E. All these equal-cost routes are used to evenly load-balance IP packets to the destination.
In addition to manual configuration, a routing protocol can also discover multiple equal-cost routes to a single destination. All these equal-cost routes are valid and carry out load balancing if the routing protocol has the highest preference among the active routing protocols. Currently, OSPF, BGP, IS-IS, and static routes support load balancing.
- Interface-specific UCMP: UCMP is enabled on specified interfaces. After UCMP has been enabled on an interface, the shutdown and undo shutdown commands need to be run on that interface for the configuration to take effect, which interrupts traffic on the interface.
- Global UCMP: Global UCMP takes effect immediately after being enabled. Unlike interface-specific UCMP, no interface needs to be restarted and traffic is not interrupted.
Applicable Environment
ECMP evenly load-balances traffic over multiple equal-cost paths to a single destination,
irrespective of bandwidth. This results in congestion on some paths with lower bandwidth.
ECMP is automatically supported by routing protocols, without being configured. The
NE5000E supports the multi-route mode. Currently, the Open Shortest Path First (OSPF), Border
Gateway Protocol (BGP), and Intermediate System-to-Intermediate System (IS-IS) protocol and
static route support load balancing.
UCMP load-balances traffic among multiple equal-cost paths to a single destination based on
bandwidth ratios, improving load balancing efficiency.
Pre-configuration Tasks
Before configuring IP packet load balancing, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical interface status is Up
- Configuring parameters of a data link layer protocol for interfaces to ensure that the data link layer protocol status of the interfaces is Up
Configuration Procedures
Procedure
Step 1 Run:
system-view
NOTE
This interface must be an outbound interface of a route among equal-cost routes. UCMP takes effect on
outbound interfaces associated with equal-cost routes only after all outbound interfaces have been enabled
with UCMP and FIB entries have been refreshed; if one outbound interface is not enabled with UCMP,
ECMP, not UCMP, is performed even though FIB entries have been refreshed.
The interface is restarted, triggering routing entry refreshing. After this, UCMP configurations
take effect.
NOTE
Alternatively, changing the interface IP address also triggers routing entry refreshing to make UCMP
configuration take effect.
Step 5 Run:
commit
Procedure
Step 1 Run:
system-view
NOTE
- Ethernet, GE, POS, Eth-Trunk, IP-Trunk, and TE tunnel interfaces support global UCMP. After UCMP is enabled on a TE tunnel interface, the bandwidth of the TE tunnel interface cannot be 0, but can be any other value.
- Frequently enabling and disabling UCMP on an interface degrades system performance. Therefore, an interval of 5 minutes or longer between enabling and disabling UCMP is recommended.
Step 3 Run:
commit
Procedure
Step 1 Run:
system-view
Level 2 improved load balancing is enabled on the network that implements two-level load
balancing for IPv4, IPv6, or MPLS traffic.
Level 2 improved load balancing is disabled by default.
Step 3 Run:
commit
Prerequisite
The configurations of IP packet load balancing are complete.
Procedure
- Run the display interface brief command to check the bandwidth usage of interfaces. If unequal-cost multiple path (UCMP) takes effect, the command output shows that the ratio between the traffic volumes on the outbound interfaces is similar to the ratio between the bandwidth values of the outbound interfaces.
NOTE
Among the paths that perform UCMP, the bandwidth of each path must be equal to or higher than 1/64 (1/32 if one end of the path is on an LPUB or LPUC) of the total bandwidth; otherwise, the path carries no traffic.
----End
Example
# Display brief information about all interfaces, including bandwidth usage, on the current device.
<HUAWEI> display interface brief
PHY: Physical
*down: administratively down
^down: standby
(l):loopback
(s):spoofing
(b):BFD down
(e):EFM down
(d):Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY     Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  down    down      0%     0%      12        0
Eth-Trunk1                  down    down      0%     0%      0         0
GigabitEthernet3/0/0        up      up        50%    50%     23        125
GigabitEthernet4/0/1        up      up        50%    50%     15        78
GigabitEthernet3/0/2        *down   down      0%     0%      0         0
GigabitEthernet3/0/3        *down   down      0%     0%      0         0
NULL0                       up      up        0%     0%      0         0
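As an added example (not Huawei code), the following Python script computes the traffic share each equal-cost outbound interface should carry under UCMP, applies the 1/64 (1/32 on an LPUB or LPUC) minimum rule from the note under Checking the Configuration, and checks display interface brief output for the utilisation pattern that shows UCMP is in effect. The bandwidth figures and the interface table are constructed; the check itself follows from traffic volume being utilisation times bandwidth, so volumes are in proportion to bandwidth exactly when the members show the same OutUti value.

```python
"""UCMP share calculation and 'display interface brief' check.  Added example, not
Huawei code; bandwidth values, the sample table and the LPUB/LPUC set are constructed."""
import re
from fractions import Fraction
from typing import Dict, FrozenSet, List


def ucmp_shares(bandwidth_mbps: Dict[str, int],
                lpub_lpuc: FrozenSet[str] = frozenset()) -> Dict[str, Fraction]:
    """Share of traffic each equal-cost outbound interface carries under UCMP.
    A path below the minimum fraction of the total bandwidth carries nothing; the
    remaining paths are renormalised so the shares still sum to 1."""
    total = sum(bandwidth_mbps.values())
    if total <= 0:
        raise ValueError("no bandwidth")
    raw: Dict[str, Fraction] = {}
    for ifname, bw in bandwidth_mbps.items():
        minimum = Fraction(1, 32) if ifname in lpub_lpuc else Fraction(1, 64)
        share = Fraction(bw, total)
        raw[ifname] = share if share >= minimum else Fraction(0)
    carried = sum(raw.values())
    return {k: v / carried for k, v in raw.items()}


# Constructed 'display interface brief' text in the layout shown above.
SAMPLE_BRIEF = """\
Interface               PHY   Protocol InUti OutUti inErrors outErrors
Eth-Trunk0              down  down     0%    0%     12       0
Eth-Trunk1              down  down     0%    0%     0        0
GigabitEthernet3/0/0    up    up       50%   50%    23       125
GigabitEthernet4/0/1    up    up       50%   50%    15       78
GigabitEthernet3/0/2    *down down     0%    0%     0        0
GigabitEthernet3/0/3    *down down     0%    0%     0        0
NULL0                   up    up       0%    0%     0        0
"""

# One interface row; PHY may carry the *down (administratively down) or ^down (standby) marker
BRIEF_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<phy>[*^]?(?:up|down))\s+(?P<proto>up|down)\s+"
    r"(?P<in>\d+)%\s+(?P<out>\d+)%\s+(?P<inerr>\d+)\s+(?P<outerr>\d+)\s*$"
)


def parse_interface_brief(text: str) -> Dict[str, Dict[str, object]]:
    """Return a dict keyed by interface name; legend and header lines are skipped."""
    rows: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = BRIEF_ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows[d["name"]] = {"phy": d["phy"], "proto": d["proto"],
                           "in_util": int(d["in"]), "out_util": int(d["out"]),
                           "in_errors": int(d["inerr"]), "out_errors": int(d["outerr"])}
    return rows


def ucmp_in_effect(rows: Dict[str, Dict[str, object]], members: List[str],
                   tolerance: int = 5) -> bool:
    """Traffic volume on a member is OutUti times bandwidth, so volume ratios equal
    bandwidth ratios exactly when every member shows the same OutUti.  ECMP over
    unequal links instead leaves the slower link at a visibly higher utilisation."""
    utils = [int(rows[m]["out_util"]) for m in members if rows[m]["proto"] == "up"]  # type: ignore[arg-type]
    if len(utils) < 2:
        return False
    return max(utils) - min(utils) <= tolerance


if __name__ == "__main__":
    for name, share in ucmp_shares({"GigabitEthernet3/0/0": 1000, "Pos1/0/0": 155}).items():
        print(name, share)
    table = parse_interface_brief(SAMPLE_BRIEF)
    print("UCMP in effect:", ucmp_in_effect(table, ["GigabitEthernet3/0/0", "GigabitEthernet4/0/1"]))
```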
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
On the network shown in Figure 4-3, three paths between Router A and Router E travel through
Router B, Router C, and Router D respectively. UCMP needs to be performed among these three
paths for IP packet forwarding. In this example, UCMP is configured on specified interfaces,
not on an entire Router.
Figure 4-3 Networking diagram for interface-specific UCMP (diagram not reproduced; Router A reaches Router E over three paths through Router B, Router C, and Router D using the interfaces listed in the table below; Router A's GE1/0/0 is 10.1.1.1/24 and Router E's GE1/0/0 is 20.1.1.1/24)
Device Name    Interface Name    IP Address
Router A       POS 4/0/0         30.1.1.1/24
               GE 3/0/0          40.1.1.1/24
               GE 2/0/0          50.1.1.1/24
Router B       POS 1/0/0         30.1.1.2/24
               POS 2/0/0         60.1.1.2/24
Router C       GE 1/0/0          40.1.1.2/24
               GE 2/0/0          70.1.1.2/24
Router D       GE 1/0/0          50.1.1.2/24
               GE 2/0/0          80.1.1.2/24
Router E       POS 4/0/0         60.1.1.1/24
               GE 3/0/0          70.1.1.1/24
               GE 2/0/0          80.1.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Enable UCMP on each interface, allowing the three paths between Router A and Router E
to perform UCMP during IP packet forwarding.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each interface. The configuration procedure is not provided.
Step 2 Configure basic IS-IS functions.
# Configure Router A.
[~RouterA] isis 1
[~RouterA-isis-1] is-level level-1
[~RouterA-isis-1] network-entity 10.0000.0000.0001.00
[~RouterA-isis-1] commit
[~RouterA-isis-1] quit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] isis enable 1
[~RouterA-GigabitEthernet1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] isis enable 1
[~RouterA-GigabitEthernet2/0/0] quit
[~RouterA] interface pos 4/0/0
[~RouterA-Pos4/0/0] isis enable 1
[~RouterA-Pos4/0/0] quit
[~RouterA] interface gigabitethernet 3/0/0
[~RouterA-GigabitEthernet3/0/0] isis enable 1
[~RouterA-GigabitEthernet3/0/0] quit
[~RouterA] commit
# Configure Router B.
[~RouterB] isis 1
[~RouterB-isis-1] is-level level-1
[~RouterB-isis-1] network-entity 10.0000.0000.0002.00
[~RouterB-isis-1] commit
[~RouterB-isis-1] quit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] isis enable 1
[~RouterB-Pos1/0/0] quit
[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] isis enable 1
[~RouterB-Pos2/0/0] quit
# Configure Router C.
[~RouterC] isis 1
[~RouterC-isis-1] is-level level-1
[~RouterC-isis-1] network-entity 10.0000.0000.0003.00
[~RouterC-isis-1] quit
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] isis enable 1
[~RouterC-GigabitEthernet1/0/0] quit
[~RouterC] interface gigabitethernet 2/0/0
[~RouterC-GigabitEthernet2/0/0] isis enable 1
[~RouterC-GigabitEthernet2/0/0] quit
[~RouterC] commit
# Configure Router D.
[~RouterD] isis 1
[~RouterD-isis-1] is-level level-1
[~RouterD-isis-1] network-entity 10.0000.0000.0004.00
[~RouterD-isis-1] commit
[~RouterD-isis-1] quit
[~RouterD] interface gigabitethernet 1/0/0
[~RouterD-GigabitEthernet1/0/0] isis enable 1
[~RouterD-GigabitEthernet1/0/0] quit
[~RouterD] interface gigabitethernet 2/0/0
[~RouterD-GigabitEthernet2/0/0] isis enable 1
[~RouterD-GigabitEthernet2/0/0] quit
[~RouterD] commit
# Configure Router E.
[~RouterE] isis 1
[~RouterE-isis-1] is-level level-1
[~RouterE-isis-1] network-entity 10.0000.0000.0005.00
[~RouterE-isis-1] commit
[~RouterE-isis-1] quit
[~RouterE] interface gigabitethernet 1/0/0
[~RouterE-GigabitEthernet1/0/0] isis enable 1
[~RouterE-GigabitEthernet1/0/0] quit
[~RouterE] interface gigabitethernet 2/0/0
[~RouterE-GigabitEthernet2/0/0] isis enable 1
[~RouterE-GigabitEthernet2/0/0] quit
[~RouterE] interface pos 4/0/0
[~RouterE-Pos4/0/0] isis enable 1
[~RouterE-Pos4/0/0] quit
[~RouterE] interface gigabitethernet 3/0/0
[~RouterE-GigabitEthernet3/0/0] isis enable 1
[~RouterE-GigabitEthernet3/0/0] quit
[~RouterE] commit
# Ping Router E (20.1.1.1) from Router A. The ping is successful. The network management
station (NM station) that manages Router A displays that ECMP is implemented among
outbound interfaces.
<RouterA> ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
Step 5 Restart GE 2/0/0, GE 3/0/0, POS 4/0/0 to make UCMP configurations take effect on Router A.
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] shutdown
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit
[~RouterA] interface gigabitethernet 3/0/0
[~RouterA-GigabitEthernet3/0/0] shutdown
[~RouterA-GigabitEthernet3/0/0] undo shutdown
[~RouterA-GigabitEthernet3/0/0] quit
[~RouterA] interface pos 4/0/0
[~RouterA-Pos4/0/0] shutdown
[~RouterA-Pos4/0/0] undo shutdown
[~RouterA-Pos4/0/0] quit
[~RouterA] commit
----End
Configuration Files
undo shutdown
load-balance unequal-cost enable
ip address 50.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
isis enable 1
#
return
interface GigabitEthernet1/0/0
undo shutdown
ip address 50.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 80.1.1.2 255.255.255.0
isis enable 1
#
return
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
On the network shown in Figure 4-4, two paths connect Router A and Router C.
• A physical link connects Router A's GE 2/0/0 and Router B's GE 2/0/0.
• Router A's GE 3/0/0 and GE 4/0/0 and Router B's GE 3/0/0 and GE 4/0/0 are added to Eth-Trunk1.
Eth-Trunk1 contains two GE interfaces, and therefore the bandwidth of Eth-Trunk1 is the sum
of the bandwidth of the two member GE links. Global UCMP needs to be performed between the
two paths from Router A to Router C (the GE 2/0/0 link and Eth-Trunk1), and UCMP also needs
to be performed among the trunk member interfaces.
Figure 4-4 Networking diagram for global UCMP (diagram not reproduced; the interfaces and addresses used are listed in the table below)
Device Name    Interface Name    IP Address
Router A       GE 2/0/0          30.1.1.1/24
               Eth-Trunk1        40.1.1.1/24
Router B       GE 2/0/0          30.1.1.2/24
               Eth-Trunk1        40.1.1.2/24
               GE 2/0/2          50.1.1.1/24
Router C       GE 2/0/2          50.1.1.2/24
NOTE
In this example, the bandwidth of GE 2/0/0 on Router A and Router B is 1 Gbit/s, that of GE 3/0/0 is 2
Gbit/s, and that of GE 4/0/0 is 3 Gbit/s.
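The 1/64 (or 1/32 for LPUB/LPUC) threshold from the NOTE in the check procedure above, and that procedure's bandwidth-ratio check on the display interface brief output, worked through for the bandwidths given in this note. This is an added Python example, not Huawei code; the function names, the Mbit/s unit and the proportional redistribution among the surviving paths are assumptions made here.

```python
from fractions import Fraction

# Thresholds from the NOTE in the check procedure: a path whose bandwidth is
# below this share of the total bandwidth carries no traffic under UCMP.
MIN_SHARE_DEFAULT = Fraction(1, 64)
MIN_SHARE_LPUB_LPUC = Fraction(1, 32)   # one end of the path is on an LPUB or LPUC


def ucmp_shares(bandwidth_mbps, lpub_or_lpuc=()):
    """Expected share of the outbound traffic for each path under UCMP.

    bandwidth_mbps: dict of outbound interface -> bandwidth in Mbit/s (assumed
    unit; an Eth-Trunk counts with the sum of its member links).
    lpub_or_lpuc: interfaces whose path has one end on an LPUB/LPUC board.
    Paths below the threshold get share 0. Assumption made here: the surviving
    paths then split the traffic in proportion to their bandwidths.
    """
    total = Fraction(sum(bandwidth_mbps.values()))
    if total <= 0:
        raise ValueError("total bandwidth must be positive")
    eligible = {}
    for name, bw in bandwidth_mbps.items():
        threshold = MIN_SHARE_LPUB_LPUC if name in lpub_or_lpuc else MIN_SHARE_DEFAULT
        if Fraction(bw) / total >= threshold:
            eligible[name] = Fraction(bw)
    if not eligible:
        raise ValueError("no path reaches the UCMP bandwidth threshold")
    eligible_total = sum(eligible.values())
    return {name: (eligible[name] / eligible_total if name in eligible else Fraction(0))
            for name in bandwidth_mbps}


def traffic_from_utilization(bandwidth_mbps, out_uti_percent):
    """Turn the OutUti column of 'display interface brief' into traffic volumes."""
    return {name: Fraction(out_uti_percent[name]) * Fraction(bw) / 100
            for name, bw in bandwidth_mbps.items()}


def ucmp_in_effect(bandwidth_mbps, out_uti_percent, tolerance=0.05, lpub_or_lpuc=()):
    """The check from the text: with UCMP in effect, the ratio between the traffic
    volumes on the outbound interfaces is similar to the ratio between their
    bandwidths. Returns True when every interface's observed share of the traffic
    is within `tolerance` of its expected share; an equal split over unequal
    links (plain ECMP) fails the check."""
    expected = ucmp_shares(bandwidth_mbps, lpub_or_lpuc)
    traffic = traffic_from_utilization(bandwidth_mbps, out_uti_percent)
    total = sum(traffic.values())
    if total <= 0:
        return False
    return all(abs(float(traffic[name] / total - share)) <= tolerance
               for name, share in expected.items())


if __name__ == "__main__":
    # Bandwidths from the NOTE above: GE 2/0/0 is 1 Gbit/s, and Eth-Trunk1 bundles
    # a 2 Gbit/s and a 3 Gbit/s member, so the two paths should carry traffic 1:5.
    paths = {"GigabitEthernet2/0/0": 1000, "Eth-Trunk1": 5000}
    for name, share in ucmp_shares(paths).items():
        print(f"{name:22s} expected share {share}")
    # With UCMP working, both interfaces show the same OutUti percentage ...
    print("UCMP 30%/30%:", ucmp_in_effect(paths, {"GigabitEthernet2/0/0": 30, "Eth-Trunk1": 30}))
    # ... whereas an equal packet split loads the 1 Gbit/s link five times harder.
    print("ECMP 50%/10%:", ucmp_in_effect(paths, {"GigabitEthernet2/0/0": 50, "Eth-Trunk1": 10}))
```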
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Enable global UCMP on Router A, allowing the two paths between Router A and Router
C to perform UCMP based on bandwidth ratios.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to every physical interface and Eth-Trunk interface. The configuration
procedure is not provided.
Step 2 Configure static routes.
# Configure Router A.
[~RouterA] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[~RouterA] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[~RouterA] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[~RouterA] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[~RouterA] commit
# Configure Router B.
[~RouterB]
[~RouterB]
[~RouterB]
[~RouterB]
# Configure Router C.
[~RouterC]
[~RouterC]
[~RouterC]
[~RouterC]
----End
Configuration Files
5 ACL6 Configuration
Interface-based ACL6s: classify packets according to the interface from which packets are
received.
Advanced ACL6s: classify packets based on multiple optional parameters, such as source
address, destination address, source port number, destination port number, and protocol
type.
Interface-based ACL6s
The rules in an interface-based ACL6 are defined according to inbound interfaces of packets
and are used to filter packets of different inbound interfaces. The number of an interface-based
ACL6 ranges from 1000 to 1999.
Basic ACL6s
The rules in a basic ACL6 are defined according to source addresses of packets and are used to
filter packets with different source addresses. The number of a basic ACL6 ranges from 2000
to 2999.
Basic ACL6s are commonly applied to the implementation of routing policy and QoS. For
example, by configuring an ACL6, you can control the rights of users logging in to the device
or control the traffic on the device.
Advanced ACL6s
The rules in an advanced ACL6 are defined according to the source addresses, destination
addresses, protocol types, source port numbers, and destination port numbers of packets.
Advanced ACL6s can be classified into numbered ACL6s and named ACL6s according to the
naming rule of ACL6s. The number of a numbered ACL6 ranges from 3000 to 3999; the number
of a named ACL6 ranges from 42768 to 59151.
An advanced ACL6 provides more extensive filtering rules, which can be applied to routing
policy and packet filtering. For example, you can configure an advanced ACL6 in the multicast
service to filter multicast packets with different source addresses and group addresses.
Applicable Environment
Figure 5-1 Typical application environment of an interface-based ACL6 (diagram not reproduced; labels: Network A, Network B, Router A with GE1/0/0 and GE2/0/0, Internet, interface-based ACL6 enabled)
As shown in Figure 5-1, an ACL that is based on GE 1/0/0 is created on Router A. Router A
accepts all the packets that are sent from Network A to the Internet and denies all the packets
that are sent from Network B to the Internet.
Pre-configuration Tasks
Before configuring an interfaced-based ACL6, complete the following task:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up
Configuration Procedure
Figure 5-2 Flowchart for configuring an interface-based ACL6
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the interface-based ACL6 is complete.
Procedure
Step 1 Run:
display acl ipv6 { acl6-number | all }
The configuration of the interface-based ACL6 is displayed.
----End
Example
After running the preceding command, you can view the ACL number, number of ACL rules,
and rule contents.
<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
Acl's match-order is config
rule 5 permit interface Pos4/0/0 (0 times matched)
Applicable Environment
Figure 5-3 Typical application environment of a basic ACL6 (diagram not reproduced; labels: Network A, Network B, Network C, Router A with GE1/0/0 and GE2/0/0, Internet, basic ACL6 enabled)
As shown in Figure 5-3, a basic ACL6 is created on Router A. Router A accepts all the packets
that are sent from Network A, Network B, and Network C to the Internet.
Pre-configuration Tasks
Before configuring a basic ACL6, complete the following task:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up
Configuration Procedure
Figure 5-4 Flowchart for configuring a basic ACL6
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the basic ACL6 is complete.
Procedure
Step 1 Run the display acl ipv6 { acl6-number | all } command to view the configuration of the basic
ACL6.
----End
Example
After running the display acl ipv6 command, you can view the ACL6 number, number of ACL6
rules, and rule contents.
<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's match-order is config
rule 5 permit (3 times matched)
Applicable Environment
Figure 5-5 Typical application environment of an advanced ACL6 (diagram not reproduced; labels: Network A to Network D, Router A to Router E, and the ICMPv6 packets that cross Router E)
As shown in Figure 5-5, an advanced ACL6 is created on Router E. Router E needs to accept
all the ICMPv6 packets sent from Router B to Router D and deny all the ICMPv6 packets sent
from Router A to Router C.
Pre-configuration Tasks
Before configuring an advanced ACL6, complete the following task:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up
Configuration Procedure
Figure 5-6 Flowchart for configuring an advanced ACL6 (flowchart not reproduced; it branches into "Configure numbered advanced ACL6" and "Configure named advanced ACL6")
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Prerequisite
The configuration of the advanced ACL6 is complete.
Procedure
Step 1 Run the display acl ipv6 { name acl-name | acl6-number | all } command to view the
configuration of the advanced ACL6.
----End
Example
After running the display acl ipv6 command, you can view the ACL6 number, number of ACL6
rules, and rule contents.
<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules
ACL's match-order is config
rule 0 permit icmpv6 (1 times matched)
rule 1 permit ipv6 source 3001::/16 destination 4001::/16 (2 times matched)
rule 2 permit tcp source 5001::/16 (3 times matched)
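The rule syntax and the match-order config behaviour shown in the display acl ipv6 3100 output above, implemented as a small evaluator that replays the "(n times matched)" counters. This is an added Python example, not Huawei code; the rule subset it parses (protocol plus optional source/destination prefixes), the Packet fields and the "no match returns None" convention are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass
class Rule:
    rule_id: int
    action: str                                    # "permit" or "deny"
    protocol: str                                  # "ipv6" matches any protocol
    source: Optional[ipaddress.IPv6Network] = None
    destination: Optional[ipaddress.IPv6Network] = None
    matched: int = 0                               # the "(n times matched)" counter

    def render(self) -> str:
        text = f"rule {self.rule_id} {self.action} {self.protocol}"
        if self.source is not None:
            text += f" source {self.source}"
        if self.destination is not None:
            text += f" destination {self.destination}"
        return f"{text} ({self.matched} times matched)"


def parse_rule(line: str) -> Rule:
    """Parse a rule written the way 'display acl ipv6' shows it, e.g.
    'rule 1 permit ipv6 source 3001::/16 destination 4001::/16 (2 times matched)'.
    A trailing match counter is ignored; counting restarts at 0."""
    tokens = line.split("(")[0].split()
    if len(tokens) < 4 or tokens[0] != "rule" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACL6 rule: {line!r}")
    rule = Rule(int(tokens[1]), tokens[2], tokens[3])
    options = tokens[4:]
    if len(options) % 2:
        raise ValueError(f"keyword without a prefix in rule: {line!r}")
    for keyword, prefix in zip(options[::2], options[1::2]):
        net = ipaddress.IPv6Network(prefix, strict=False)
        if keyword == "source":
            rule.source = net
        elif keyword == "destination":
            rule.destination = net
        else:
            raise ValueError(f"unsupported keyword {keyword!r} in rule: {line!r}")
    return rule


class Packet(NamedTuple):
    source: str
    destination: str
    protocol: str          # "icmpv6", "tcp", "udp", ...


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ipv6" and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and ipaddress.IPv6Address(pkt.source) not in rule.source:
        return False
    if rule.destination is not None and ipaddress.IPv6Address(pkt.destination) not in rule.destination:
        return False
    return True


class AdvancedACL6:
    """Numbered advanced ACL6 (3000-3999) with match-order config: rules are
    tried in the order configured and the first match decides."""

    def __init__(self, number: int, rule_lines):
        if not 3000 <= number <= 3999:
            raise ValueError(f"{number} is outside the numbered advanced ACL6 range")
        self.number = number
        self.rules = [parse_rule(line) for line in rule_lines]

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """'permit' or 'deny' from the first matching rule (its counter is bumped);
        None when nothing matches, the result then depends on where the ACL6 is applied."""
        for rule in self.rules:
            if rule_matches(rule, pkt):
                rule.matched += 1
                return rule.action
        return None

    def display(self):
        """Output lines in the format of 'display acl ipv6 <number>'."""
        header = [f"Advanced IPv6 ACL {self.number}, {len(self.rules)} rules",
                  "ACL's match-order is config"]
        return header + [rule.render() for rule in self.rules]


if __name__ == "__main__":
    # Constructed traffic that reproduces the counters shown for ACL 3100 above.
    acl = AdvancedACL6(3100, ["rule 0 permit icmpv6",
                              "rule 1 permit ipv6 source 3001::/16 destination 4001::/16",
                              "rule 2 permit tcp source 5001::/16"])
    for pkt in [Packet("2001:db8::1", "2001:db8::2", "icmpv6"),
                Packet("3001::1", "4001::1", "udp"), Packet("3001::2", "4001::2", "udp"),
                Packet("5001::1", "2001:db8::9", "tcp"), Packet("5001::2", "2001:db8::9", "tcp"),
                Packet("5001::3", "2001:db8::9", "tcp")]:
        acl.evaluate(pkt)
    print("\n".join(acl.display()))
```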
Applicable Environment
To control certain types of traffic in a specified period, you can configure the validity period of
an ACL6 rule to determine the time traffic passes. For example, to ensure reliable transmission
of video traffic at prime time at night, you need to limit the volume of traffic for common online
users.
After this configuration task is performed, a time range is created. Then, you can specify the
time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
• Relative time range: The validity period is a periodic period, for example, each Monday.
Pre-configuration Tasks
Before configuring the validity period of an ACL6 rule, complete the following tasks:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up
• Configuring an ACL6
Configuration Procedure
Figure 5-7 Flowchart for configuring the validity period of an ACL6 rule
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 2 Run:
acl ipv6 [ number ] acl6-number
If a time range that does not exist is specified for an ACL6 rule, the rule is invalid.
Step 4 Run:
commit
Prerequisite
The configuration of the validity period for an ACL6 rule is complete.
Procedure
Step 1 Run the display time-range { time-name | all } command to view the validity period for the ACL6 rule.
----End
Example
Run the display time-range command to view the configuration and status of the validity period
for the ACL6 rule.
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
Context
CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the
following command.
Procedure
Step 1 After checking that the ACL6 statistics need to be cleared, run the reset acl ipv6 counter
{ acl6-number | name acl-name | all } command in the user view.
----End
Context
In routine maintenance, you can run the following command in any view to check the ACL6
operation.
Procedure
• Run:
display acl ipv6 { acl6-number | name acl-name | all }
of the token bucket reaches the upper threshold. If the number of ICMPv6 messages exceeds
the upper threshold, extra messages are discarded.
6.9 Configuring PMTUs
Through the configuration of a PMTU, devices on the network send packets based on the same
MTU, so that packets do not need to be fragmented in transit and the burden on intermediate
devices is reduced. This makes efficient use of network resources and achieves optimal traffic
throughput.
6.10 Configuring TCP6
By setting TCP6 parameters, you can improve the performance of the network.
6.11 Maintaining IPv6
This section describes how to maintain IPv6. The detailed configurations include clearing IPv6
statistics and monitoring IPv6 running status.
6.12 Configuration Examples
The configuration flowchart shows the configuration process. Each configuration example
consists of such information as the networking requirements, configuration notes, and
configuration roadmap.
IPv6 Address
A 128-bit IPv6 address can be in either of the following formats:
• X:X:X:X:X:X:X:X
In this format, a 128-bit IP address is divided into eight groups. The 16 bits in each group
are represented by four hexadecimal characters, namely, 0 to 9 and A to F. These groups
are separated by a colon (:). Each "X" represents four hexadecimal characters.
• X:X:X:X:X:X:d.d.d.d
This format includes IPv4-mapped IPv6 addresses. In this format, "X:X:X:X:X:X" represents the
high-order six groups of numbers, and the 16 bits in each group are represented by hexadecimal
numbers. "d.d.d.d" represents the low-order four groups of numbers, and the 8 bits in each group
are represented by decimal numbers. "d.d.d.d" is a standard IPv4 address.
Interface identifier: It is 128-n bits long and corresponds to the host ID of an IPv4 address.
Router Advertisement
A Router Advertisement (RA) message is used in neighbor discovery. An RA message carries
information such as a prefix and a flag bit.
IPv6 PMTU
The problem of different MTUs of the packets from different networks can be addressed in the
following methods:
• The routers fragment packets as required. In this method, the source end only needs to
fragment packets; the intermediate routers, however, need to both fragment and reassemble
packets.
• The source end fragments packets based on a proper MTU so that the packets do not need
to be fragmented on intermediate routers. In this manner, the burden on the intermediate
routers can be reduced. Since IPv6 intermediate routers do not support IPv6 packet
fragmentation, this method is adopted to address the problem.
The Path MTU Discovery (PMTU) mechanism is designed to find a smallest MTU for a path
from the source end to the destination end.
Applicable Environment
If a router intends to communicate with an IPv6 device, you need to configure IPv6 addresses
for the interfaces on the router.
On the NE5000E, you can configure IPv6 addresses on the following types of interface:
• Serial interface (only the serial interface of a PPP link or an HDLC link supports IPv6)
• POS interface (only the POS interface of a PPP link or an HDLC link supports IPv6)
• Tunnel interface
• Loopback interface
• Eth-Trunk interface
After the IPv6 function is enabled on an interface, the system automatically generates a
link-local address for the interface.
The link-local address that is manually configured must be valid (usually with the FE80::/10
prefix).
Link-local addresses are used for the communication between link-local nodes. It means that
link-local addresses are usually used for the communication between protocols, and are not
directly related to the communication between users. Therefore, automatic generation of
link-local addresses is recommended.
Global unicast addresses, equivalent to public IPv4 addresses, are used for data forwarding on
a public network and are necessary for the communication between users.
EUI-64 addresses function the same as global unicast addresses. The difference is that only the
network bits need to be specified for an EUI-64 address, and the host bits are derived from the
interface MAC address; for a global unicast address, all the 128 bits must be specified. You must
note that the prefix length of the network bits of an EUI-64 address cannot be more than 64 bits.
Both or either of EUI-64 addresses and global unicast addresses can be configured on an interface
for communications. The addresses that are configured on the same interface, however, must
belong to different network segments.
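How the host bits of an EUI-64 address are derived from the interface MAC address, with the prefix-length limit of 64 bits enforced, and the solicited-node multicast groups an interface joins for each of its unicast addresses (the "Joined group address(es)" seen in display ipv6 interface output in this chapter). This is an added Python example, not Huawei code; function names are assumptions, and the MAC 00e0-fc89-fe6e is taken from the display ipv6 neighbors output later in this chapter.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (64 bits) derived from a 48-bit MAC.

    Accepts Huawei "00e0-fc89-fe6e" as well as "00:e0:fc:89:fe:6e" notation.
    The MAC is split in the middle, FF-FE is inserted, and the universal/local
    bit (bit 1 of the first octet) is inverted.
    """
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(digits))
    eui = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Address whose network bits come from `prefix` and whose host bits are the
    EUI-64 identifier; the text requires the prefix length not to exceed 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("the prefix of an EUI-64 address cannot be longer than 64 bits")
    addr = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))
    return str(addr).upper()


def link_local_address(mac: str) -> str:
    """Link-local address the system generates automatically: FE80::/64 + EUI-64."""
    return eui64_address("FE80::/64", mac)


def solicited_node_multicast(address: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the address.
    Neighbor solicitations (including DAD) are sent to this group."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("FF02::1:FF00:0"))
    return str(ipaddress.IPv6Address(base | low24)).upper()


def joined_groups(unicast_addresses, is_router=True):
    """Multicast groups an interface joins: all-nodes, all-routers on a router,
    and one solicited-node group per configured unicast address."""
    groups = {"FF02::1"}
    if is_router:
        groups.add("FF02::2")
    for address in unicast_addresses:
        groups.add(solicited_node_multicast(address))
    return groups


if __name__ == "__main__":
    mac = "00e0-fc89-fe6e"
    print("link-local:", link_local_address(mac))            # FE80::2E0:FCFF:FE89:FE6E
    print("EUI-64 on 2001::/64:", eui64_address("2001::/64", mac))
    print("joined:", sorted(joined_groups([link_local_address(mac), "2001::1"])))
```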
IPv6 addresses are classified into unicast addresses, multicast addresses, and anycast addresses.
• Multicast address: identifies a group of interfaces that belong to different nodes and is similar
to an IPv4 multicast address. The packets with a multicast destination address are transmitted
to all the interfaces identified by this multicast address.
• Anycast address: identifies multiple interfaces that generally belong to different nodes. A
packet addressed for an anycast address is sent to the interface that is nearest to the sender
based on the distance vector in the interface group identified by the anycast address. Currently,
anycast addresses are applicable to a few scenarios. In typical applications, anycast addresses
are used by a large number of 6to4 relay routers in a 6to4 tunnel to enhance the network
expandability.
Pre-configuration Tasks
Before configuring IPv6 addresses for interfaces, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
• Setting parameters of the link layer protocols for the interfaces to ensure that the status of
the link layer protocols on the interfaces is Up
Configuration Procedures
Figure 6-1 Flowchart of configuring IPv6 addresses (flowchart not reproduced; its steps are "Enable IPv6", "Configure a link-local address on an interface", "Configure a global unicast address on an interface", and "Configure an anycast address on an interface", with a legend distinguishing mandatory and optional procedures)
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
Anycast addresses and unicast addresses are in the same address range. An anycast address is
used to identify a group of interfaces on different nodes.
• The packets destined for an anycast address are transmitted to an interface that is in the
interface group identified by the anycast address and is closest to the source node. (The
distance between an interface and the source node is calculated based on the routing
protocol). The packets destined for a multicast address are transmitted to a group of
interfaces with the multicast address.
When the 6to4 tunnel is used for the communication between the 6to4 network and the native
IPv6 network, the NE5000E supports the configuration of an anycast address with the prefix of
2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.
Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route
device. When multiple 6to4 relay route devices are configured on the network, the difference
between the two methods is as follows:
• If a 6to4 address is used, you need to configure different addresses for the tunnel interfaces
of all devices.
• If an anycast address is used, you need to configure the same address for the tunnel
interfaces of all devices. In this manner, the number of addresses is reduced.
Procedure
Step 1 Run:
system-view
Step 4 Run:
commit
Prerequisite
The configurations of IPv6 addresses are complete.
Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about IPv6 on the specified interface.
Step 2 Run the display ipv6 statistics [ interface interface-type interface-number ] command to view
the statistics about IPv6 packets on the interfaces.
----End
Example
Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::3A6F:12FF:FE10:300
Global unicast address(es):
1::1, subnet is 1::/64
Joined group address(es):
FF02::1:FF10:300
FF02::1:FF00:1
FF02::1
FF02::2
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.
Run the display ipv6 interface brief command, and you can view the IPv6 addresses that are
configured on the interface and the interface status.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                        Physical   Protocol
GigabitEthernet2/0/2             up         up
[IPv6 Address] 2030::101:101
Run the display ipv6 statistics command, and you can view the statistics about IPv6 packets.
<HUAWEI> display ipv6 statistics
IPv6 protocol:
Sent packets:
  Total               : 3630
  Local sent out      : 3630
  Raw packets         : 0
  Forwarded           : 0
  Discarded           : 0
  Fragmented          : 0
  Fragments failed    : 0
  Fragments           : 0
  Multicast           : 0
Received packets:
  Total               : 3630
  Local host          : 3630
  Header error        : 0
  Routing failed      : 0
  Protocol error      : 0
  Option error        : 0
  Reassembled         : 0
  Multicast           : 0
  Hop count exceeded  : 0
  Too big             : 0
  Address error       : 0
  Truncated           : 0
  Fragments           : 0
  Reassembly timeout  : 0
Applicable Environment
IPv6 addresses can be classified into different types based on different applications.
• Link-local addresses and global unicast addresses, based on the effective range of the IPv6
addresses
• Home addresses and care-of addresses, based on the application in the mobile IPv6 field
• Physical interface addresses and logical interface addresses, based on the interface attributes
The preceding IPv6 addresses can be configured on the same interface of the router. In this case,
the device must select a source address or a destination address from multiple addresses on
the interface. If the device supports the IPv4/IPv6 dual stack, it also must select IPv4 addresses
or IPv6 addresses for communication. For example, if a domain name maps both an IPv4 address
and an IPv6 address, the system must select an address to respond to the DNS request of the
client.
An IPv6 address selection policy table solves the preceding problems. It defines a group of
address selection rules. The source and destination addresses of packets can be specified or
planned based on these rules. This table, similar to a routing table, is queried by using the
longest matching rule. The address is selected based on the source and destination addresses.
• The label parameter can be used to determine the result of source address selection. The
address whose label value is the same as the label value of the destination address is selected
preferably as the source address.
• The destination address is selected based on both the label and the precedence parameters.
If label values of the candidate addresses are the same, the address whose precedence value
is largest is selected preferably as the destination address.
Pre-configuration Tasks
None.
Procedure
Step 1 Run:
system-view
Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address prefix-length } command to check address selection policy entries.
Run the display ipv6 address-policy all command, and you can check all address selection
policy entries, including the default address selection policy entries and the address selection
policy entry configured by ipv6 address-policy command whose prefix is 3::.
<HUAWEI> display ipv6 address-policy all
Policy Table :
Total:6
-------------------------------------------------------------------------------
Prefix       : ::                   PrefixLength : 0
Precedence   : 40                   Label        : 1
Default      : Yes

Prefix       : ::1                  PrefixLength : 128
Precedence   : 50                   Label        : 0
Default      : Yes

Prefix       : ::FFFF:0.0.0.0       PrefixLength : 96
Precedence   : 10                   Label        : 4
Default      : Yes

Prefix       : 3::                  PrefixLength : 64
Precedence   : 40                   Label        : 20
Default      : No

Prefix       : 2002::               PrefixLength : 16
Precedence   : 30                   Label        : 2
Default      : Yes

Prefix       : FC00::               PrefixLength : 7
Precedence   : 20                   Label        : 3
Default      : Yes
-------------------------------------------------------------------------------
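The longest-match lookup and the label/precedence selection rules described in this section, run against the six policy entries shown in the display ipv6 address-policy all output above. This is an added Python example, not Huawei code; the function names and the fallback to the first candidate source when no label matches are assumptions made here.

```python
import ipaddress
from typing import NamedTuple


class PolicyEntry(NamedTuple):
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int
    default: bool


def entry(prefix, precedence, label, default=True):
    return PolicyEntry(ipaddress.IPv6Network(prefix), precedence, label, default)


# The six entries from the display output above: five default entries plus the
# 3::/64 entry added with the ipv6 address-policy command.
POLICY_TABLE = [
    entry("::/0", 40, 1),
    entry("::1/128", 50, 0),
    entry("::FFFF:0.0.0.0/96", 10, 4),
    entry("3::/64", 40, 20, default=False),
    entry("2002::/16", 30, 2),
    entry("FC00::/7", 20, 3),
]


def lookup_policy(address, table=POLICY_TABLE) -> PolicyEntry:
    """Query the table like a routing table: longest matching prefix wins.
    ::/0 matches everything, so a valid table always yields an entry."""
    addr = ipaddress.IPv6Address(address)
    candidates = [e for e in table if addr in e.prefix]
    return max(candidates, key=lambda e: e.prefix.prefixlen)


def select_source(destination, sources, table=POLICY_TABLE) -> str:
    """Source selection rule from the text: prefer the candidate whose label equals
    the destination's label. Assumption: with no label match, take the first candidate."""
    dst_label = lookup_policy(destination, table).label
    for source in sources:
        if lookup_policy(source, table).label == dst_label:
            return source
    return sources[0]


def select_destination(destinations, sources, table=POLICY_TABLE) -> str:
    """Destination selection rule from the text: a destination for which some source
    carries the same label ranks first; among equals, the highest precedence wins."""
    def rank(destination):
        e = lookup_policy(destination, table)
        label_match = any(lookup_policy(s, table).label == e.label for s in sources)
        return (label_match, e.precedence)
    return max(destinations, key=rank)


if __name__ == "__main__":
    # Constructed candidate sets: a host with a 2002::/16 address and a 3::/64 address
    # resolving a name that maps to three destinations.
    sources = ["2002::9", "3::1"]
    destinations = ["FC00::1", "2002::1", "3::5"]
    chosen = select_destination(destinations, sources)
    print("destination:", chosen, "source:", select_source(chosen, sources))
```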
Applicable Environment
Most ND configurations are based on interfaces.
Currently, you can configure IPv6 ND on the following types of interface:
• Serial interface (only the serial interface of a PPP link or an HDLC link supports IPv6)
• POS interface (only the POS interface of a PPP link or an HDLC link supports IPv6)
• Tunnel interface
• Loopback interface
Commands related to the IPv6 configuration can be run on serial and POS interfaces, but the forwarding
of packets on these two types of interface does not require neighbor entries.
Pre-configuration Tasks
Before configuring IPv6 neighbor discovery, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
Configuration Procedures
Figure 6-2 Flowchart of configuring IPv6 neighbor discovery
Procedure
Step 1 Run:
system-view
The view of the interface where static neighbors need to be configured is displayed.
Step 3 Run:
ipv6 neighbor ipv6-address mac-address
6.5.2 Setting the Aging Time for Neighbor Entries in the Stale State
Setting the aging time for neighbor entries in the Stale state speeds up the aging of neighbor
entries. That is, you can delete the neighbor entries that do not exist in time by shortening the
aging time of the neighbor entries in the Stale state.
Procedure
Step 1 Run:
system-view
The view of the interface where the aging time for the neighbor entries in the Stale state needs
to be set is displayed.
Step 3 Run:
ipv6 nd stale-timeout seconds
The aging time for the neighbor entries in the Stale state is set.
By default, the aging time for the neighbor entries in the Stale state is 86400s.
Step 4 Run:
commit
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of IPv6 neighbor discovery are complete.
Procedure
Step 1 Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ] command to
view information in the buffer of each neighbor.
Step 2 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about IPv6 on the interfaces.
----End
Example
Run the display ipv6 neighbors command, and you can view the IPv6 addresses, link-layer
addresses, and the interfaces on which the addresses were learned, as stored in the buffer for
each neighbor.
<HUAWEI> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e         State : STALE
Interface    : GE1/0/0                Age   : 7
VPN name     : vpn1                   VLAN  : -
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e         State : STALE
Interface    : GE1/0/0                Age   : 7
VPN name     : vpn1                   VLAN  : -
--------------------------------------------------------
Total: 2        Dynamic: 2        Static: 0
Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
Run the display ipv6 interface brief command, and you can view the IPv6 addresses that are
configured on the interface and the interface status.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical    Protocol
GigabitEthernet2/0/2         up          up
[IPv6 Address] 2030::101:101
Applicable Environment
Duplicate address detection (DAD) is a process in which a device checks whether the address
to be used has been used by another device. Before configuring an IPv6 unicast address for an
interface, you must check all the devices on the local link to ensure that the IPv6 unicast address
is unique and is not used by another device.
Pre-configuration Tasks
Before configuring DAD, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
Configuration Procedures
You can choose one of the following configuration tasks (excluding "Checking the
Configuration") as required.
Procedure
Step 1 Run:
system-view
The view of the interface where the number of times of duplicate address detection needs to be
set is displayed.
Step 3 Run:
ipv6 nd dad attempts value
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of duplicate address detection are complete.
Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about duplicate address detection.
----End
Example
Run the display ipv6 interface command, and you can view the number of times of duplicate
address detection on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 2
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
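DAD works by sending a Neighbor Solicitation for the tentative address to that address's solicited-node multicast group, so an interface must have joined the group of every address it defends; the "Joined group address(es)" list in the display output above is exactly that set. The following Python is an added example, written for this page and not taken from the Huawei manual, that derives the expected groups from an interface's unicast addresses and reports any that are missing from the joined list. The interface addresses and joined groups are copied from the example output above; the is_router flag (which adds the all-routers group FF02::2) is an assumption.

```python
# Added example, not from the Huawei manual: derive the multicast groups an IPv6
# interface must join for DAD and neighbor solicitation to work, and compare
# them with the "Joined group address(es)" shown by display ipv6 interface.
import ipaddress

# Solicited-node prefix from RFC 4291: ff02::1:ffXX:XXXX, XX:XXXX = low 24 bits
# of the unicast address.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_group(addr: str) -> str:
    """Solicited-node multicast address for one unicast IPv6 address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def expected_groups(unicast_addrs, is_router=True):
    """All-nodes, all-routers (routers only) and one solicited-node group per
    unicast address; several addresses may share one solicited-node group."""
    groups = {"ff02::1"}
    if is_router:
        groups.add("ff02::2")
    for addr in unicast_addrs:
        groups.add(solicited_node_group(addr))
    return groups


def missing_groups(unicast_addrs, joined, is_router=True):
    """Expected groups absent from the joined list. A missing solicited-node
    group means the interface cannot hear DAD probes for that address, so a
    duplicate elsewhere on the link would go undetected."""
    joined_norm = {str(ipaddress.IPv6Address(g)) for g in joined}
    return sorted(expected_groups(unicast_addrs, is_router) - joined_norm)


# Values copied from the manual's display output for GigabitEthernet1/0/0.
INTERFACE_ADDRS = ["FE80::200:1FF:FE04:5D00", "2001::1"]
JOINED = ["FF02::1:FF00:1", "FF02::1:FF04:5D00", "FF02::2", "FF02::1"]

if __name__ == "__main__":
    print(solicited_node_group("2001::1"))          # ff02::1:ff00:1
    print(missing_groups(INTERFACE_ADDRS, JOINED))  # []
```

Run it against the output of any interface: an empty result means every configured address has its solicited-node group joined; a non-empty result points at addresses whose DAD cannot be answered on this node.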
6.7 Configuring RA
A router periodically sends Router Advertisement (RA) messages that carry prefixes and flag
bits, or responds to Router Solicitation messages with RA messages.
Applicable Environment
The information carried in RA messages provides the parameters that hosts on the local link use.
Pre-configuration Tasks
Before configuring RA, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
Configuration Procedures
Figure 6-3 Flowchart of configuring RA
6.7.1 Enabling RA
After RA is enabled, a device advertises RA messages to provide route prefixes for hosts.
Procedure
Step 1 Run:
system-view
RA is enabled.
Step 4 Run:
commit
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
When you run the ipv6 nd ra command to set the interval for advertising RA messages, the specified
interval must be shorter than or equal to the lifetime of an RA message.
Step 7 Run:
commit
Prerequisite
All configurations of RA are complete.
Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information in RA messages.
----End
Example
Run the display ipv6 interface command, and you can view the configuration of RA on the
interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
Pre-configuration Tasks
Before configuring ICMPv6 message control, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
Procedure
Step 1 Run:
system-view
Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
Run the display icmpv6 statistics command, and you can view statistics about ICMPv6 traffic.
<HUAWEI> display icmpv6 statistics
ICMPv6 protocol:
Sent packets:
  Total              : 16    Prohibited         : 0
  Unreached          : 0     Parameter problem  : 0
  Hop count exceeded : 0     Echoed             : 5
  Too big            : 0     Router solicit     : 0
  Echo replied       : 5     Neighbor solicit   : 4
  Router advert      : 0     Redirected         : 0
  Neighbor advert    : 2
  Rate limited       : 0
Received packets:
  Total              : 16    Format error       : 0
  Checksum error     : 0     Too short          : 0
  Bad code           : 0     Bad length         : 0
  Unknown info type  : 0     Unknown error type : 0
  Unreached          : 0     Prohibited         : 0
  Hop count exceeded : 0     Parameter problem  : 2
  Too big            : 0     Echoed             : 5
  Echo replied       : 5     Router solicit     : 0
  Router advert      : 0     Neighbor solicit   : 4
  Neighbor advert    : 2     Redirected         : 0
  Rate limited       : 0
Pre-configuration Tasks
Before configuring PMTUs, complete the following task:
- Configuring the IPv6 MTU of the interface; for details, see Configuring the MTU of the Interface
Configuration Procedures
You can choose one of the following configuration tasks (excluding "Checking the
Configuration") as required.
By default, a device learns dynamic PMTU values, which ensures that the smallest of the MTU
values on all interfaces along the path from the source node to the destination node is used.
Configuring a static PMTU sets the maximum length of a packet that can be sent from the source
end to the destination end. This prevents attacks initiated by sending jumbo packets.
The static PMTU value must be equal to or smaller than the IPv6 MTU value of each interface along
the path. If a static PMTU value is larger than the IPv6 MTU value of an interface, the packet
will be fragmented on the node with the smaller IPv6 MTU.
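The PMTU behaviour described above, as an added Python example that is not part of the Huawei manual: the dynamic case learns the path minimum from ICMPv6 Packet Too Big messages, a configured static value takes precedence over it (as the later step notes, only static PMTUs take effect when both exist), first_hop_too_small shows where packets larger than a link MTU stop fitting, and fragment_sizes shows what the source has to send when a packet exceeds the PMTU. The hop MTUs and packet sizes are constructed values. One caveat for practitioners: in IPv6 only the sending node fragments, so the node with the smaller MTU returns Packet Too Big rather than fragmenting in transit.

```python
# Added example, not from the Huawei manual: how a PMTU for a destination comes
# about and what it means for the sender. Hop MTUs and packet sizes below are
# constructed values.
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def discover_pmtu(path_mtus, initial=1500):
    """Dynamic PMTU discovery. The source sends at its current PMTU; the first
    hop whose IPv6 MTU is smaller returns ICMPv6 Packet Too Big (IPv6 routers
    never fragment in transit), the source lowers its PMTU to the reported MTU
    and retries. Returns (pmtu, [(hop_index, reported_mtu), ...])."""
    if min(path_mtus) < IPV6_MIN_MTU:
        raise ValueError("a hop advertises less than the IPv6 minimum link MTU")
    pmtu = initial
    too_big = []
    while True:
        offending = next(((i, m) for i, m in enumerate(path_mtus) if pmtu > m), None)
        if offending is None:
            return pmtu, too_big
        too_big.append(offending)
        pmtu = offending[1]


def effective_pmtu(path_mtus, static_pmtu=None, initial=1500):
    """A configured static PMTU takes precedence over the learned dynamic one."""
    if static_pmtu is not None:
        return static_pmtu
    return discover_pmtu(path_mtus, initial)[0]


def first_hop_too_small(path_mtus, packet_size):
    """Index of the first hop whose IPv6 MTU is below packet_size, i.e. where a
    static PMTU larger than a link MTU makes packets fail; None if it fits."""
    for hop, mtu in enumerate(path_mtus):
        if packet_size > mtu:
            return hop
    return None


def fragment_sizes(packet_size, pmtu):
    """Sizes on the wire when the source fragments a packet to fit the PMTU:
    40-byte IPv6 header + 8-byte Fragment header per piece; all pieces but the
    last carry a multiple of 8 data bytes (RFC 8200 section 4.5)."""
    if packet_size <= pmtu:
        return [packet_size]
    if pmtu < IPV6_MIN_MTU:
        raise ValueError("PMTU below the IPv6 minimum")
    capacity = (pmtu - 48) // 8 * 8
    remaining = packet_size - 40
    sizes = []
    while remaining > 0:
        chunk = min(capacity, remaining)
        sizes.append(48 + chunk)
        remaining -= chunk
    return sizes


if __name__ == "__main__":
    path = [1500, 1300, 1500, 1280]   # constructed hop MTUs, source to destination
    print(discover_pmtu(path))                     # (1280, [(1, 1300), (3, 1280)])
    print(effective_pmtu(path, static_pmtu=1400))  # 1400
    print(first_hop_too_small(path, 1400))         # 1
    print(fragment_sizes(3000, 1280))              # [1280, 1280, 544]
```

The static value 1400 in the usage is deliberately larger than the 1300-byte hop: effective_pmtu returns it unchanged because static wins, and first_hop_too_small then shows which hop will reject 1400-byte packets, which is the misconfiguration the paragraph above warns about.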
Procedure
Step 1 Run:
system-view
The PMTU is configured for the path destined for the specified IPv6 address.
By default, the PMTU of the path destined for an IPv6 address is 1500 bytes.
Step 3 Run:
commit
Procedure
Step 1 Run:
system-view
When both static PMTUs and dynamic PMTUs are configured, only static PMTUs take effect.
Step 3 Run:
commit
Prerequisite
All configurations of PMTUs are complete.
Procedure
Step 1 Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to view all
PMTU entries.
Step 2 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view the
current MTU on an interface.
----End
Example
Run the display ipv6 pathmtu command, and you can view the destination IPv6 address, PMTU,
aging time of PMTU entries, and type of PMTU entries.
<HUAWEI> display ipv6 pathmtu all
Total: 2        Dynamic: 1        Static: 1
----------------------------------------------------------------------------
IPv6 Destination Address    ZoneID    PathMTU    LifeTime(M)    Type
fe80::12                    0         1300       40             Dynamic
2222::3                     0         1280       -              Static
Run the display ipv6 interface command, and you can view the current MTU on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
Applicable Environment
To optimize network performance, you need to adjust the TCP6 parameters.
Pre-configuration Tasks
Before configuring TCP6, complete the following tasks:
- Connecting and configuring the physical features for the interface and ensuring that the
  status of the physical layer of the interface is Up
- Configuring the link layer protocol parameters for the interface and ensuring that the status
  of the link layer protocol on the interface is Up
Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.
Context
The types of TCP6 timers are shown as follows:
- The SYN-Wait timer: On sending SYN packets, the TCP6 starts the SYN-Wait timer. If
  response packets are not received before the SYN-Wait timer timeout, the TCP6 connection
  is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the
  default value is 75 seconds.
- The FIN-Wait timer: When the TCP connection status turns from FIN_WAIT_1 to
  FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the FIN-Wait
  timer timeout, the TCP6 connection is terminated. The FIN-Wait timer timeout ranges
  from 76 seconds to 3600 seconds, and the default value is 675 seconds.
Procedure
Step 1 Run:
system-view
Step 3 Run:
tcp ipv6 timer fin-timeout interval
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of the TCP6 function are complete.
Procedure
- Run the display tcp ipv6 status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ]
  [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ]
  command to check the TCP connection status.
- Run the display tcp ipv6 statistics command to check the TCP traffic statistics.
- Run the display ipv6 socket [ monitor ] [ socktype socket-type ] [ pid pid ] [ socket-id
  socket-id ] command to check the information about the specified socket.
----End
Example
Run the display tcp ipv6 status command. If the information about the TCP connection status
is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display tcp ipv6 status
-------------------------------------------------------------------------------
Pid/SocketID    Local Addr:Port    Foreign Addr:Port    VPNID    State
-------------------------------------------------------------------------------
0x80C8272D/6    :: : 23            :: : 0               0        LISTEN
-------------------------------------------------------------------------------
Run the display tcp ipv6 statistics command. If the TCP traffic statistics are displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display tcp ipv6 statistics
------------------------ Display TCP Statistics ----------------------
Received packets:
Total: 0
Packets in sequence: 0 (bytes)
Window probe packets: 0
Window update packets: 0
Checksum error: 0
Offset error: 0
Short error: 0
Duplicate packet: 0 (bytes)
Partially duplicate packet: 0 (bytes)
Out-of-order packets: 0 (bytes)
Packets with data after window: 0
Packet after close: 0
ACK packets: 0 (bytes)
Duplicate ACK packets: 0
Send packets:
Total: 0
Urgent packet: 0
Control packet: 0 (RST)
Window probe packets: 0
Window update packets: 0
Data packets: 0
Data packets retransmitted: 0
ACK only packets: 0
Retransmitted timeout: 0
Connection dropped in retransmitted timeout: 0
Keepalive timeout: 0
Keepalive probe: 0
Keepalive timeout, so connections disconnected: 0
Initiated connections: 0
Accepted connections: 0
Established connections: 0
Closed connections: 0
Packets dropped with MD5 authentication: 0
Packets premitted with MD5 authentication: 0
----------------------------------------------------------------------
Run the display ipv6 socket command. If the related socket information is displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display ipv6 socket socktype 1
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Context
CAUTION
IPv6 statistics cannot be restored after being cleared. Therefore, confirm the action before you
use the command.
Procedure
- After checking that IPv6 statistics need to be cleared, run the reset ipv6 statistics command
  in the user view.
- After checking that all TCP6 statistics need to be cleared, run the reset tcp ipv6
  statistics command in the user view.
- After checking that all UDP6 statistics need to be cleared, run the reset udp ipv6
  statistics command in the user view.
- After checking that the PMTU entries in the buffer need to be cleared, run the reset ipv6
  pathmtu [ vpn-instance vpn-instance-name | all ] command in the user view.
- After checking that the information in the buffers of IPv6 neighbors needs to be cleared,
  run the reset ipv6 neighbors { all | vid vlan-id [ interface-type interface-number ] |
  interface-type interface-number } command in the user view.
----End
Context
In routine maintenance, you can run the following commands in any view to check the running
status of IPv6.
Procedure
- Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
  view to view information about IPv6 on an interface.
- Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.
- Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address
  prefix-length } command in any view to check address selection policy entries.
- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any
  view to view all PMTU entries.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 6-4, Router A and Router B are connected through POS interfaces. Global
unicast IPv6 addresses need to be configured for the POS interfaces to check the connectivity
between the two interfaces.
The global unicast IPv6 addresses to be configured are 3001::1/64 and 3001::2/64.
Figure 6-4: RouterA and RouterB connected through POS 1/0/0 interfaces (3001::2/64 on the RouterB side)
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure global unicast addresses for interfaces.
# Configure Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ipv6 enable
[~RouterA-Pos1/0/0] ipv6 address 3001::1 64
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] quit
# Configure Router B.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ipv6 enable
[~RouterB-Pos1/0/0] ipv6 address 3001::2 64
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] commit
[~RouterB-Pos1/0/0] quit
# Ping the link-local address of Router B from Router A. Note that you need to use the parameter
-i to specify the interface corresponding to the link-local address.
[~RouterA] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0
PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2D6F:0:7AF3:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms
----End
Configuration Files
l
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-5, the device is directly connected to the PC through GE 1/0/10. The PC runs
the Windows XP operating system.
Figure 6-5: Router A connected to the PC through GE1/0/10, advertising the prefix 3000::/64 (eui-64)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure a link-local unicast address and global EUI-64 unicast addresses on GE 1/0/10.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the local unicast address of the link on GE 1/0/10. After the ipv6 enable command
is run on an interface, the system automatically generates a link-local address for the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/10
[~RouterA-GigabitEthernet1/0/10] undo shutdown
[~RouterA-GigabitEthernet1/0/10] ipv6 enable
[~RouterA-GigabitEthernet1/0/10] commit
Step 2 Configure the local unicast address of the EUI-64 site on GE 1/0/10 and the prefix in the RA
message.
NOTE
A PC can automatically obtain the RA prefix message from devices only after the Router Advertisement
(RA) prefix message to be advertised is configured and the advertisement of the RA prefix message is
enabled on devices.
[~RouterA-GigabitEthernet1/0/10]
[~RouterA-GigabitEthernet1/0/10]
[~RouterA-GigabitEthernet1/0/10]
[~RouterA-GigabitEthernet1/0/10]
[~RouterA-GigabitEthernet1/0/10]
DNS Suffix . :
. . . . . . . : Realtek RTL8139 Family PCI Fast Ethe
. . . . . . . : 00-E0-4C-77-A1-B6
. . . . . . . : No
. . . . . . . : 110.1.1.33
. . . . . . . : 255.0.0.0
. . . . . . . : 3000::78b3:4397:c0c4:f078
. . . . . . . : 3000::2e0:4cff:fe77:a1b6
. . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
. . . . . . . : fe80::288:ff:fe10:b%6
. . . . . . . : fec0:0:0:ffff::1%1
                fec0:0:0:ffff::2%1
                fec0:0:0:ffff::3%1
# Ping the local unicast address of the link on the PC from the device with the use of the parameter
-i which specifies the interface corresponding to the local unicast address.
[~RouterA-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i
gigabitethernet1/0/10
PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms
# Ping the local unicast address of global EUI-64 of the PC from the device.
[~RouterA-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078
PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
----End
Configuration Files
Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/10
undo shutdown
ipv6 enable
ipv6 nd ra prefix 3000::/64 1000 1000
ipv6 address 3000::/64 eui-64
undo ipv6 nd ra halt
#
return
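The EUI-64 addresses in this example, as an added Python example that is not from the Huawei manual or the PC's software: the interface ID is built by splitting the MAC address, inserting FF:FE and flipping the universal/local bit, then combined with the /64 prefix, which is what ipv6 address 3000::/64 eui-64 on the router and stateless autoconfiguration on the PC do. The MAC 00-E0-4C-77-A1-B6 and the addresses are copied from the output above; the inverse function shows that 3000::78b3:4397:c0c4:f078 is not EUI-64 derived (it is the PC's temporary address), which is the privacy point of EUI-64 addresses: they expose the hardware address to every host on the link.

```python
# Added example, not from the Huawei manual: modified EUI-64 interface IDs
# (RFC 4291 appendix A) and the link-local / global addresses built from them.
import ipaddress
import re


def eui64_interface_id(mac: str) -> int:
    """Insert FF:FE between the OUI and the device part of the 48-bit MAC and
    flip the universal/local bit (bit 7 of the first octet)."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (e.g. fe80::/64 or 3000::/64) with the EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64_address(addr: str):
    """Inverse: the MAC behind an EUI-64 address, or None when the interface ID
    is not EUI-64 shaped (randomised temporary addresses, manual addresses)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = bytes([b[0] ^ 0x02])
    return "-".join(f"{x:02X}" for x in first + b[1:3] + b[5:])


PC_MAC = "00-E0-4C-77-A1-B6"  # from the ipconfig output above

if __name__ == "__main__":
    print(eui64_address("fe80::/64", PC_MAC))   # fe80::2e0:4cff:fe77:a1b6
    print(eui64_address("3000::/64", PC_MAC))   # 3000::2e0:4cff:fe77:a1b6
    print(mac_from_eui64_address("3000::78b3:4397:c0c4:f078"))  # None
```

The router's own link-local address in the earlier outputs, FE80::200:1FF:FE04:5D00, decodes the same way; running mac_from_eui64_address over a neighbor table is a quick way to tell which hosts on a link are using EUI-64 identifiers and which have privacy extensions enabled.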
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-6, the domain name (huawei.com) of Server A maps to multiple IPv6
addresses. When Router A, as an IPv6 DNS client, accesses Server A by using the domain name
(huawei.com), the DNS server sends all IPv6 addresses of Server A to Router A. Router A then
queries the IPv6 address selection policy table to select a proper IPv6 address as the destination
address of Server A.
Figure 6-6 Networking diagram for configuring an IPv6 address selection policy table (elements shown: DNS Server abcd::1234/64; DNS Client RouterA with GE1/0/0 on the Ethernet; addresses a::1/64, 2001:2::2/64, b::1/64, 2001::1/64, fed0:1::2/64; Server A huawei.com abcd::7764)
Configuration Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
- Addresses, label values and precedence values of IPv6 address selection policy entries
Procedure
Step 1 Configure IPv6 address selection policy entries
# Configure IPv6 addresses for the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] ipv6 enable
[~RouterA-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local
dns resolve
dns server ipv6 abcd::1234
dns domain com
commit
quit
break
time=6 ms
time=4 ms
time=4 ms
time=4 ms
time=4 ms
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
# Run the display ipv6 interface gigabitethernet 1/0/0 command on Router A, and you can
view information about the IPv6 address of GigabitEthernet 1/0/0.
<RouterA> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
FED0:1::2, subnet is FED0:1::/64
2001:2::2, subnet is 2001:2::/64
ABCD::77, subnet is ABCD::/64
Joined group address(es):
FF02::1:FF00:77
FF02::2
FF02::1
FF02::1:FF00:2
FF02::1:FF00:1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Run the display ipv6 address-policy all command on Router A, and you can view information
about address selection policy entries.
<RouterA> display ipv6 address-policy all
Policy Table :
Total:7
-------------------------------------------------------------------------------
Prefix       : ::                PrefixLength : 0
Precedence   : 40                Label        : 1
Default      : Yes

Prefix       : ::1               PrefixLength : 128
Precedence   : 50                Label        : 0
Default      : Yes

Prefix       : ::FFFF:0.0.0.0    PrefixLength : 96
Precedence   : 10                Label        : 4
Default      : Yes

Prefix       : 2001::1           PrefixLength : 128
Precedence   : 100               Label        : 100
Default      : No

Prefix       : 2002::            PrefixLength : 16
Precedence   : 30                Label        : 2
Default      : Yes

Prefix       : FC00::            PrefixLength : 7
Precedence   : 20                Label        : 3
Default      : Yes

Prefix       : FED0:1::2         PrefixLength : 128
Precedence   : 100               Label        : 100
Default      : No
-------------------------------------------------------------------------------
----End
Configuration Files
 ipv6 address 1001::1/64
 ipv6 address 2001:2::2/64
 ipv6 address FE80::1 link-local
 ipv6 address FED0:1::2/64
#
ipv6 address-policy 2001::1 128 100 100
ipv6 address-policy FED0:1::2 128 100 100
#
return
Configuring both the IPv4 and IPv6 protocol suites on the border routers.
The IPv4 and IPv6 protocol suites are both configured on the border routers.
2.
3.
4.
Figure (IPv6 over IPv4 tunnel): a Dual Stack Router on each side, each with IPv6 hosts behind it, joined by an IPv4 Tunnel across the IPv4 network; in the tunnel the IPv6 packet (IPv6 Header + IPv6 Data) is carried inside an IPv4 Header
The virtual tunnel that links the two border routers and transmits the IPv6 packet is referred to
as an IPv6 over IPv4 tunnel. You can categorize IPv6 over IPv4 tunnels according to creating
modes. At present, the common modes of creating IPv6 over IPv4 tunnels are as follows:
- 6to4 tunnels
6to4 Tunnels
A 6to4 tunnel is also a tunnel that interconnects IPv6 networks through an IPv4 network. You
can configure a 6to4 tunnel on the routers where an IPv4 network borders IPv6 networks. The
border routers at the two ends of a 6to4 tunnel must support both the IPv4 protocol suite and
the IPv6 protocol suite.
Unlike a manual IPv6 over IPv4 tunnel, a 6to4 tunnel can be a P2MP connection. A manual IPv6
over IPv4 tunnel is a P2P connection. Hence, the routers at the two ends of a 6to4 tunnel are not
configured in pairs.
An end of a 6to4 tunnel can automatically detect the other end of the tunnel.
6to4 tunnels use 6to4 addresses, which are special IPv6 addresses and whose format is as follows:
2002:IPv4 address:subnet ID:interface ID
The prefix of a 6to4 address is 48 bits long and is in the format 2002:IPv4 address. The
IPv4 address contained in a 6to4 address is a globally unique address assigned to the IPv6
network. You must configure this IPv4 address on the physical interface connecting the border
router to the IPv4 network. The subnet ID is 16 bits long and the interface ID is 64 bits long;
you can allocate both within the IPv6 network.
As shown in Figure 7-2, Site1 and Site2 are both 6to4 networks and the hosts and routers on
them are assigned 6to4 tunnel addresses. The IPv4 address contained in the 6to4 addresses of
the host and router on Site1 is the IPv4 address of the interface connecting routerA to the IPv4
network. The IPv4 address contained in the 6to4 addresses of the host and router on Site2 is the
IPv4 address of the interface connecting routerB to the IPv4 network. routerA and routerB are
both 6to4 routers.
Figure 7-2: 6to4 Router RouterA in 6to4 Network Site1 and 6to4 Router RouterB in 6to4 Network Site2, connected across the IPv4 Network; 6to4 Relay RouterC links the IPv4 Network to the IPv6 Internet (Site3)
The process of the access of the host on Site1 to the host on Site2 is as follows:
1.
2.
routerA finds that the destination address of the packet is a 6to4 address and obtains the
IPv4 address of the peer end of the 6to4 tunnel from the 6to4 address.
3.
routerA encapsulates the IPv6 packet into an IPv4 packet. The destination address contained
in the header of the IPv4 packet is the IPv4 address of the peer end of the 6to4 tunnel; the
source address contained in the header of the IPv4 packet is the IPv4 address of the local
end of the 6to4 tunnel.
4.
routerA forwards this IPv4 packet to routerB through the IPv4 network.
5.
routerB decapsulates this IPv4 packet and obtains the original IPv6 packet. Then, routerB
forwards the IPv6 packet to the destination host on Site2.
Through the preceding process, you can implement communications between 6to4 networks. A
native IPv6 network refers to an IPv6 network where the hosts and routers are not assigned 6to4
addresses. To implement communications between a native IPv6 network and a 6to4 network,
you need to use a 6to4 relay router.
A 6to4 relay router functions as a gateway between a 6to4 network and a native IPv6 network.
A 6to4 relay router links a native IPv6 network to an IPv4 network. A 6to4 tunnel is set up
between the 6to4 router and the 6to4 relay router. Figure 7-2 shows the process of the access
of the host on the 6to4 network to the IPv6 Internet:
1.
2.
3.
The IPv6 packet is encapsulated into an IPv4 packet and then is forwarded to routerC.
4.
routerC decapsulates the IPv4 packet into the original IPv6 packet and forwards it to the
destination host on the IPv6 Internet.
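The address handling in steps 2 and 3 of both processes above, as an added Python example that is not from the Huawei manual: building the 2002:a.b.c.d::/48 prefix from the border router's IPv4 address, extracting the peer's IPv4 address from a 6to4 destination (or falling back to the relay for a native IPv6 destination), and the consistency check a decapsulating 6to4 router applies so that the outer IPv4 source matches the IPv4 embedded in the inner 6to4 source (RFC 3056 section 5.3). The IPv4 addresses 2.1.1.1 and 2.1.1.2 and the relay address are constructed values, and build_ipv6_packet is a minimal 40-byte header builder standing in for a real IPv6 packet.

```python
# Added example, not from the Huawei manual: the address arithmetic of a 6to4
# border router. A 6to4 prefix is 2002:<IPv4 in hex>::/48, so the encapsulating
# router reads the tunnel peer's IPv4 address out of the destination IPv6
# address and needs no configured tunnel destination.
import ipaddress
import struct

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> str:
    """Return the 2002:a.b.c.d::/48 prefix for a border router's IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private or v4.is_loopback or v4.is_multicast or v4.is_link_local:
        raise ValueError("6to4 needs a globally unique IPv4 address")
    net = int(SIXTO4_NET.network_address) | (int(v4) << 80)
    return str(ipaddress.IPv6Network((net, 48)))


def sixto4_peer_ipv4(ipv6_dst: str):
    """Step 2: if the destination is a 6to4 address, return the IPv4 address of
    the remote tunnel end embedded in bits 80..111; otherwise None (the packet
    must go to a 6to4 relay or a native IPv6 route instead)."""
    a = ipaddress.IPv6Address(ipv6_dst)
    if a not in SIXTO4_NET:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def build_ipv6_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv6 header (RFC 8200): version 6, payload length, next header
    59 (no next header), hop limit 64, then source and destination."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6to4(ipv6_packet: bytes, local_ipv4: str, relay_ipv4=None) -> dict:
    """Step 3: choose the outer IPv4 header. Destination is the IPv4 embedded in
    a 6to4 destination, or the relay's address for native IPv6 destinations."""
    dst = str(ipaddress.IPv6Address(ipv6_packet[24:40]))
    outer_dst = sixto4_peer_ipv4(dst)
    if outer_dst is None:
        if relay_ipv4 is None:
            raise ValueError("native IPv6 destination and no 6to4 relay configured")
        outer_dst = relay_ipv4
    return {"outer_src": local_ipv4, "outer_dst": outer_dst, "protocol": 41, "inner": ipv6_packet}


def decapsulate_6to4(outer_src: str, ipv6_packet: bytes) -> bytes:
    """Step 5 with the RFC 3056 section 5.3 check: when the inner source is a
    6to4 address, the IPv4 it embeds must equal the outer IPv4 source; a
    mismatch is a spoofed or misrouted packet and is dropped."""
    inner_src = str(ipaddress.IPv6Address(ipv6_packet[8:24]))
    embedded = sixto4_peer_ipv4(inner_src)
    if embedded is not None and embedded != outer_src:
        raise ValueError(f"outer source {outer_src} does not match embedded {embedded}; drop")
    return ipv6_packet


# Constructed addresses: routerA behind 2.1.1.1, routerB behind 2.1.1.2.
ROUTER_A_IPV4 = "2.1.1.1"
ROUTER_B_IPV4 = "2.1.1.2"

if __name__ == "__main__":
    pkt = build_ipv6_packet("2002:201:101::1", "2002:201:102::7", b"hello")
    outer = encapsulate_6to4(pkt, ROUTER_A_IPV4)
    print(sixto4_prefix(ROUTER_A_IPV4), outer["outer_dst"])   # 2002:201:101::/48 2.1.1.2
    print(len(decapsulate_6to4(outer["outer_src"], outer["inner"])))  # 45
```

The prefix 2002:201:101::/48 produced for 2.1.1.1 is the same form as the tunnel address 2002:201:101::1 shown later in the 6to4 configuration check, which is why the tunnel source address alone determines the site prefix. The check in decapsulate_6to4 is the one defenders should expect a 6to4 router to enforce: without it, anyone on the IPv4 network can inject packets into the 6to4 site with an arbitrary inner source.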
over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6
networks. Border routers can communicate with each other securely and regularly through
manual IPv6 over IPv4 tunnels.
Applicable Environment
To enable IPv6 networks to communicate with each other through an IPv4 network, you need
to configure IPv6 over IPv4 tunnels on the routers where IPv6 networks border an IPv4 network.
You can create a manual IPv6 over IPv4 tunnel between two border routers to provide reliable
connections for IPv6 networks that are isolated from each other. You can also create a manual
IPv6 over IPv4 tunnel between a terminal and a border router to enable the terminal to access
an IPv6 network. The devices between which a manual IPv6 over IPv4 tunnel is created must
support both the IPv4 protocol suite and the IPv6 protocol suite. The devices between which no
manual IPv6 over IPv4 tunnel is created do not have to support both the IPv4 protocol suite and
the IPv6 protocol suite. To create manual IPv6 over IPv4 tunnels between a border router and
multiple devices, you must configure multiple manual IPv6 over IPv4 tunnels on the border
router. In this manner, you can provide connections for multiple IPv6 networks.
Pre-configuration Tasks
Before configuring a manual IPv6 over IPv4 tunnel, complete the following tasks:
- Connecting interfaces and setting the physical parameters of the interfaces to ensure that
  their physical layer status is up
- Setting parameters of the link layer protocol for the interfaces to ensure that their status of
  the link layer protocol is up
Procedure
Step 1 Run:
system-view
The destination address of an IPv6 over IPv4 tunnel can be a physical interface address or a loopback
interface address.
Step 6 Run:
ipv6 enable
Run the display ipv6 interface tunnel interface-number command to check the IPv6
configuration of the tunnel interface.
Run the display ipv6 interface tunnel command, and you can view that the status of both the
tunnel interface and the IPv6 protocol is Up. In addition, you can view the source address and the
values of the ND parameters.
<HUAWEI> display ipv6 interface tunnel 3
Tunnel3 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::201:102
Global unicast address(es):
::2.1.1.2, subnet is ::/96
Joined group address(es):
FF02::1:FF01:102
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.
Related Tasks
7.6.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
Applicable Environment
To enable IPv6 networks to communicate with each other through an IPv4 network, you need
to configure IPv6 over IPv4 tunnels on the routers where IPv6 networks border an IPv4 network.
6to4 tunnels use special 6to4 addresses in the format 2002:a.b.c.d::/48, in which a.b.c.d is the
IPv4 address of the tunnel source written as 32 bits of hexadecimal. During communication, the
IPv4 address embedded in the 6to4 destination address is used as the destination of the
encapsulating IPv4 packet, so a 6to4 tunnel does not need to be configured with a destination
address.
Pre-configuration Tasks
Before configuring a 6to4 tunnel, complete the following tasks:
- Connecting interfaces and setting the physical parameters of the interfaces to ensure that
  their physical layer status is up
- Setting parameters of the link layer protocol for the interfaces to ensure that their link
  layer protocol status is up
Procedure
Step 1 Run:
system-view
The prefix of the IPv6 address specified in the preceding command is the same as the prefix of the address
of the 6to4 network where the border router resides.
Step 7 Run:
commit
Run the display ipv6 interface tunnel interface-number command to check the IPv6
configuration of the tunnel interface. In the output, both the status of the tunnel interface and
the status of the IPv6 protocol should be Up. The output also shows the addresses of the tunnel
interface and the values of the ND parameters.
<HUAWEI> display ipv6 interface tunnel 3
Tunnel3 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::201:102
Global unicast address(es):
2002:201:101::1, subnet is 2002:201:101::/64
Joined group address(es):
FF02::1:FF01:102
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.
Related Tasks
7.6.2 Example for Configuring a 6to4 Tunnel
7.6.3 Example for Configuring 6to4 Relay
Context
In routine maintenance, you can run the following command in any view to monitor an IPv6
over IPv4 tunnel.
Procedure
Step 1 Run the display ipv6 interface tunnel interface-number command to view the operation status
of the tunnel interface.
----End
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-3, two IPv6 networks are connected to Router B on the IPv4 backbone
network through Router A and Router C. A manual IPv6 over IPv4 tunnel needs to be configured
between Router A and Router C to interconnect the two IPv6 networks.
Figure 7-3 Diagram of configuring a manual IPv6 over IPv4 tunnel (figure not reproduced;
addresses recovered from the figure):
- Router A (dual stack): GE1/0/0 192.168.50.2/24, connected to Router B; an IPv6 network
  behind Router A
- Router B (IPv4 network): GE1/0/0 192.168.50.1/24 toward Router A, GE2/0/0 192.168.51.1/24
  toward Router C
- Router C (dual stack): GE1/0/0 192.168.51.2/24, connected to Router B; an IPv6 network
  behind Router C
Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface first. Then, you can set the parameters of the tunnel
  interface.
- You need to perform the following configuration on both routers at the two ends of the
  tunnel. Note that the source address of the local end of a tunnel is the destination address of
  the remote end of the tunnel. Similarly, the destination address of the local end of a tunnel is
  the source address of the remote end. If the two ends do not mirror each other, the remote
  end discards the encapsulated packets.
- To support routing protocols, you need to configure the network address of the tunnel
  interface.
Configuration Roadmap
The configuration roadmap of a manual IPv6 over IPv4 tunnel is as follows:
1. Configure IPv4 addresses for the interfaces that serve as the tunnel endpoints.
2. Configure the IPv6 address, source address, and destination address of the tunnel
   interface.
3.
Data Preparation
To complete the configuration, you need the following data:
- IPv6 address, source address, and destination address of the tunnel
Procedure
Step 1 Configure Router A.
# Configure the IP address of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit
# Configure the IPv6 address, source address, and destination address of the tunnel
interface.
[~RouterA] interface tunnel 1
[~RouterA-Tunnel1] tunnel-protocol ipv6-ipv4
[~RouterA-Tunnel1] ipv6 enable
[~RouterA-Tunnel1] ipv6 address 3001::1 64
[~RouterA-Tunnel1] source 192.168.50.2
[~RouterA-Tunnel1] destination 192.168.51.2
[~RouterA-Tunnel1] quit
Step 2 Configure Router C.
# Configure the IP address of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterC
[~HUAWEI] commit
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[~RouterC-GigabitEthernet1/0/0] undo shutdown
[~RouterC-GigabitEthernet1/0/0] quit
# Configure the IPv6 address, source address, and destination address of the tunnel
interface. The source and destination are the mirror image of Router A's.
[~RouterC] interface tunnel 1
[~RouterC-Tunnel1] tunnel-protocol ipv6-ipv4
[~RouterC-Tunnel1] ipv6 enable
[~RouterC-Tunnel1] ipv6 address 3001::2 64
[~RouterC-Tunnel1] source 192.168.51.2
[~RouterC-Tunnel1] destination 192.168.50.2
[~RouterC-Tunnel1] quit
# Ping the IPv6 address of Tunnel 1 on Router A from Router C. Replies are received, which
shows that IPv6 traffic is carried across the IPv4 network through the tunnel.
[~RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 3001::1
----End
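As an added example (not code from the NE5000E or from this guide), the following Python models what the two tunnel endpoints of Figure 7-3 do with one packet: Router C wraps an IPv6 packet in an IPv4 header with protocol 41 using its configured source and destination, and Router A accepts the frame only if the outer addresses are the mirror image of its own tunnel configuration, which is the precaution stated above. The ROUTER_A and ROUTER_C dictionaries, the header builders, the checksum helper and the demo() function are this example's own; the ICMPv6 payload is constructed and its checksum is left zero because the point is the outer header.

```python
"""Manual IPv6 over IPv4 tunnel (RFC 4213): encapsulation and the endpoint
check the decapsulating router applies.

Example code, not the NE5000E implementation. Endpoints follow Figure 7-3:
Router A 192.168.50.2 <-> Router C 192.168.51.2, tunnel addresses 3001::1/64
and 3001::2/64. Headers are minimal (no IPv4 options, no fragmentation).
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # protocol number for IPv6 carried directly in IPv4 (RFC 4213)
IPV6_HDR_LEN = 40

# Tunnel interface parameters as configured on each router (example values).
ROUTER_A = {"source": "192.168.50.2", "destination": "192.168.51.2"}
ROUTER_C = {"source": "192.168.51.2", "destination": "192.168.50.2"}


def endpoints_mirror(local, remote):
    """The precaution from the text: local source == remote destination and
    local destination == remote source; otherwise the far end drops the frames."""
    return (local["source"] == remote["destination"]
            and local["destination"] == remote["source"])


def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header; evaluates to 0 when run
    over a header whose checksum field is already filled in correctly."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, payload, next_header=58, hop_limit=64):
    """Fixed 40-byte IPv6 header in front of payload (58 = ICMPv6)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(tunnel, ipv6_packet, ttl=64):
    """Prepend an IPv4 header: src/dst are the tunnel's configured source and
    destination, protocol is 41, DF set (no fragmentation in this example)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0,
                      0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel["source"]).packed,
                      ipaddress.IPv4Address(tunnel["destination"]).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(tunnel, frame):
    """Return the inner IPv6 packet if `frame` belongs to `tunnel`; raise
    ValueError otherwise. A manual tunnel accepts only frames whose outer
    source is its configured destination and whose outer destination is its
    configured source (RFC 4213 requires the source check against spoofing)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        raise ValueError("bad IPv4 header length")
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("protocol %d is not IPv6-in-IPv4" % frame[9])
    src = ipaddress.IPv4Address(frame[12:16])
    dst = ipaddress.IPv4Address(frame[16:20])
    if (src != ipaddress.IPv4Address(tunnel["destination"])
            or dst != ipaddress.IPv4Address(tunnel["source"])):
        raise ValueError("outer %s -> %s does not match the tunnel endpoints" % (src, dst))
    total_len = struct.unpack("!H", frame[2:4])[0]
    inner = frame[ihl:total_len]
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def demo():
    """Router C pings 3001::1: build the inner packet, wrap it, and let
    Router A unwrap it. Returns the inner IPv6 packet Router A recovered."""
    # Constructed ICMPv6 echo request (type 128), checksum deliberately left 0.
    echo = b"\x80\x00\x00\x00\x00\x01\x00\x01" + b"\x00" * 56
    inner = build_ipv6("3001::2", "3001::1", echo)
    return decapsulate(ROUTER_A, encapsulate(ROUTER_C, inner))


if __name__ == "__main__":
    print(len(demo()), "bytes of IPv6 recovered on Router A")
```

Running decapsulate(ROUTER_C, frame) on a frame Router C itself produced, or on a frame whose outer source is not the configured peer, raises ValueError: that is the behaviour you rely on when a manual tunnel's two ends are not configured as mirror images, and it is why the source on each router must equal the destination on the other.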
Configuration Files
Related Tasks
7.3 Configuring a Manual IPv6 over IPv4 Tunnel
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-4, the two IPv6 networks are both 6to4 networks; both Router A and
Router B connect to a 6to4 network and to the IPv4 backbone network. A 6to4 tunnel needs to
be created between Router A and Router B to interconnect the hosts on the two 6to4 networks.
You need to assign 6to4 addresses to the hosts on the two 6to4 networks to interconnect the two
6to4 networks. The prefix of a 6to4 site is 48 bits long and has the format 2002:<IPv4
address>::/48, where the IPv4 address is written as 32 bits of hexadecimal. As shown in Figure
7-4, the IPv4 address of the interface connecting Router A to the IPv4 network is 2.1.1.1.
Therefore, the 6to4 prefix of the network where Router A resides is 2002:0201:0101::/48; within
that prefix each link uses a /64 subnet (for example 2002:201:101:1::/64 on GE 2/0/0 and
2002:201:101::/64 on the tunnel interface).
Figure 7-4 Networking diagram of configuring a 6to4 tunnel (figure not reproduced; addresses
recovered from the figure):
- Router A (6to4 router): POS1/0/0 2.1.1.1 toward the IPv4 network; GE2/0/0
  2002:201:101:1::1/64 toward the 6to4 network; Tunnel 1 2002:201:101::1/64; PC1
  2002:201:101:1::2
- Router B (6to4 router): POS1/0/0 2.1.1.2 toward the IPv4 network; GE2/0/0
  2002:201:102:1::1/64 toward the 6to4 network; Tunnel 1 2002:201:102::1/64; PC2
  2002:201:102:1::2
Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface first. Then, you can set the parameters of the tunnel
  interface.
- When configuring a 6to4 tunnel, you need to configure only the source address of the tunnel.
  The destination address of the encapsulating IPv4 packet is taken from the IPv4 address
  embedded in the destination address of the original IPv6 packet. The source address of a
  6to4 tunnel must be unique.
- You must assign a 6to4 address to the interface connecting a border router to a 6to4 network
  and assign an IPv4 address to the interface connecting a border router to an IPv4 network.
- To support routing protocols, you also need to configure the network address of the tunnel
  interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure both the IPv4 and IPv6 protocol suites on the routers.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure Router A.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-pos1/0/0] ip address 2.1.1.1 8
[~RouterA-pos1/0/0] undo shutdown
[~RouterA-pos1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] ipv6 enable
[~RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1 64
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit
Step 2 Configure Router B.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
A reachable route is required between Router A and Router B. In this example, the two routers are directly
connected. Hence, no routing protocol is configured.
# You can ping the 6to4 address of GE 2/0/0 on Router B from Router A.
[~RouterA] ping ipv6 2002:0201:0102:1::1
PING 2002:201:102:1::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:201:102:1::1
bytes=56 Sequence=1 hop limit=64 time=37 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=2 hop limit=64 time=2 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=3 hop limit=64 time=8 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=4 hop limit=64 time=1 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=5 hop limit=64 time=2 ms
--- 2002:201:102:1::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
----End
Configuration Files
Related Tasks
7.4 Configuring a 6to4 Tunnel
Networking Requirements
CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-5, Router A functions as a 6to4 router and is connected to the 6to4 network;
Router B is a 6to4 relay router and is connected to the IPv6 network (2001::/64); Router A is
connected to Router B through the IPv4 backbone network. A 6to4 tunnel needs to be configured
between Router A and Router B to interconnect the hosts on the 6to4 network and the IPv6
network.
The method of configuring a tunnel between a 6to4 relay router and a common 6to4 router is
the same as the method of configuring a tunnel between common 6to4 routers. To interconnect
a 6to4 network with an IPv6 network, you additionally need to configure a static route to the
IPv6 network on the common 6to4 router whose next hop is the 6to4 address of the relay's
tunnel interface; the IPv4 address embedded in that next hop becomes the destination of the
encapsulating IPv4 packets.
Figure 7-5 Networking diagram of configuring 6to4 relay (figure not reproduced; addresses
recovered from the figure):
- Router A (6to4 router): POS1/0/0 2.1.1.1 toward the IPv4 network; GE2/0/0
  2002:201:101:1::1/64 toward the 6to4 network; Tunnel 1 2002:201:101::1/64; PC1
  2002:201:101:1::2
- Router B (6to4 relay): POS1/0/0 2.1.1.2 toward the IPv4 network; GE2/0/0 2001::1/64
  toward the native IPv6 network; Tunnel 1 2002:201:102::1/64; PC2 2001::2
Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface first. Then, you can set the parameters of the tunnel
  interface.
- When configuring a 6to4 tunnel, you need to configure only the source address of the tunnel.
  The destination address of the encapsulating IPv4 packet is the IPv4 address embedded in the
  destination address of the original IPv6 packet (for traffic toward the native IPv6 network,
  that is the 6to4 address of the relay used as next hop). The source address of a 6to4 tunnel
  must be unique.
- You need to assign a 6to4 address to the interface connecting a border router to a 6to4
  network and assign an IPv4 address to the interface connecting a border router to an IPv4
  network. To support routing protocols, you need to configure the network address of the
  tunnel interface.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure both the IPv4 and IPv6 protocol suites on the routers.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure Router A.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ip address 2.1.1.1 255.0.0.0
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] ipv6 enable
[~RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1 64
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit
Step 2 Configure Router B.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ip address 2.1.1.2 255.0.0.0
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] quit
[~RouterB] interface gigabitethernet 2/0/0
[~RouterB-GigabitEthernet2/0/0] ipv6 enable
[~RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1 64
[~RouterB-GigabitEthernet2/0/0] undo shutdown
[~RouterB-GigabitEthernet2/0/0] quit
----End
Configuration Files
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 1
#
return
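As an added example that is neither the NE5000E's code nor part of this guide, the following Python puts the addressing rules of 7.4 and 7.6.2 together with the forwarding decision expressed by the 7.6.3 configuration file above: how the /48 of Figure 7-4 is derived from 2.1.1.1, how the encapsulation destination is recovered from the IPv6 destination (direct 6to4 peer, the 2002::/16 route over Tunnel 1) or from the relay next hop 2002:201:102::1 (the default route), and the checks RFC 3964 recommends before a decapsulated packet is accepted. The (prefix, next_hop) route-table form, the trusted-relay list, the constant ROUTER_A_ROUTES and the function names are this example's own assumptions.

```python
"""6to4 address handling (RFC 3056) and the decapsulation checks RFC 3964
recommends for a 6to4 router or relay.

Example code, not the NE5000E implementation. Addresses follow Figures 7-4
and 7-5: Router A 2.1.1.1 / 2002:201:101::/48, Router B 2.1.1.2 /
2002:201:102::1 (the relay in 7.6.3), native IPv6 network 2001::/64.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4):
    """2002:<32-bit IPv4 in hex>::/48, the site prefix a 6to4 router derives
    from the IPv4 address configured as the tunnel source."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 6to4 address; None if not 6to4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


# Router A's IPv6 routes from the 7.6.3 configuration file, in this example's
# own (prefix, next_hop) form. next_hop None means "send over the 6to4 tunnel
# to the IPv4 address the destination itself embeds" (ipv6 route-static 2002::
# 16 Tunnel 1); the default route points at the relay's 6to4 tunnel address
# (ipv6 route-static :: 0 2002:201:102::1).
ROUTER_A_ROUTES = [
    ("2002::/16", None),
    ("::/0", "2002:201:102::1"),
]


def tunnel_destination(dst, routes):
    """Outer IPv4 destination for an IPv6 packet leaving over the 6to4 tunnel:
    longest-prefix match, then the IPv4 address embedded in either the
    destination (direct 6to4 peer) or the next hop (relay). None = no route."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    target = dst if best[1] is None else ipaddress.IPv6Address(best[1])
    return embedded_ipv4(target)


def accept_decapsulated(outer_src, inner_src, inner_dst, my_ipv4, trusted_relays=()):
    """Checks a 6to4 router should run on a decapsulated packet (RFC 3964, sec. 5):
    - the outer IPv4 source must be a public address (no private, loopback,
      documentation or multicast ranges);
    - a 6to4 inner source must embed exactly the outer IPv4 source;
    - a non-6to4 inner source can only have arrived through a relay, and this
      example's policy accepts it only from relays listed as trusted;
    - the inner destination must be inside our own /48, so the router cannot
      be used as a reflector toward other 6to4 sites.
    Returns (accepted, reason)."""
    outer = ipaddress.IPv4Address(outer_src)
    src6 = ipaddress.IPv6Address(inner_src)
    dst6 = ipaddress.IPv6Address(inner_dst)
    if not outer.is_global:
        return False, "outer source %s is not a public address" % outer
    if dst6 not in six_to_four_prefix(my_ipv4):
        return False, "inner destination %s is not in our 6to4 site" % dst6
    if src6 in SIX_TO_FOUR:
        if embedded_ipv4(src6) != outer:
            return False, "inner source %s does not embed outer source %s" % (src6, outer)
    elif str(outer) not in trusted_relays:
        return False, "native source %s from untrusted relay %s" % (src6, outer)
    return True, "ok"


if __name__ == "__main__":
    print(six_to_four_prefix("2.1.1.1"))                         # 2002:201:101::/48
    print(tunnel_destination("2001::2", ROUTER_A_ROUTES))         # 2.1.1.2 (via relay)
    print(accept_decapsulated("2.1.1.2", "2002:203:304::1",
                              "2002:201:101:1::2", "2.1.1.1"))    # rejected: spoofed
```

The last function is the caveat a practitioner wants next to the 2002::/16 route: because that route sends packets to whatever IPv4 address the destination embeds, a 6to4 router or relay that does not tie the outer IPv4 source to the embedded address can be used to inject spoofed traffic into, or reflect traffic through, a 6to4 site. RFC 3964 documents these threats and checks; whether and how the NE5000E applies them is not described on this page.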
Related Tasks
7.4 Configuring a 6to4 Tunnel