V600R003C00
Configuration Guide - IP Services
Issue 02
Date 2011-09-10
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2011-09-10) Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
i
About This Document
Purpose
This document describes multiple IP services supported by the NE80E/40E. It discusses basic
configurations of IP addresses, ARP, DNS, IP performance, ACL, IPv6, ACL6, IPv6 over IPv4
tunnels, and IPv4 over IPv6 tunnels.
NOTE
• This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this
document.
• In NE80E/40E series (except for the NE40E-X1/X2), line processing boards are called Line Processing
Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). The NE40E-X1/X2
has no LPU and SFU, and packet switching and forwarding are centrally performed by the Network
Processing Unit (NPU).
Related Versions
The following table lists the product versions related to this document.
Product Name: HUAWEI NetEngine80E/40E Router
Version: V600R003C00
Intended Audience
This document is intended for:
• Commissioning Engineer
• Data Configuration Engineer
• Network Monitoring Engineer
• System Maintenance Engineer
HUAWEI NetEngine80E/40E Router
Configuration Guide - IP Services About This Document
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk that, if
not avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk
which, if not avoided, could result in minor or
moderate injury.
Indicates a potentially hazardous situation that, if
not avoided, could cause device damage, data loss,
and performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or
save your time.
Provides additional information to emphasize or
supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is a comment.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Changes in Issue 02 (2011-09-10)
The second commercial release has the following updates:
• IP Performance Configuration
The fib-miss-report enable command is provided in 4.2.3 Configuring ICMP Attributes to allow
the LPU to send FibMiss packets to its CPU.
• ANCP Configuration
The chapter on ANCP Configuration is deleted because ANCP is not supported.
Changes in Issue 01 (2011-06-30)
Initial field trial release.
Contents
About This Document
1 IP Addresses Configuration
1.1 IP Addresses Overview
1.1.1 Introduction to IP Addresses
1.1.2 Features of IP Addresses Supported by the NE80E/40E
1.2 Configuring IP Addresses for Interfaces
1.2.1 Establishing the Configuration Task
1.2.2 Configuring a Primary IP Address for an Interface
1.2.3 (Optional) Configuring a Secondary IP Address for an Interface
1.2.4 Checking the Configuration
1.3 Configuring IP Address Negotiation on Interfaces
1.3.1 Establishing the Configuration Task
1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation
1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation
1.3.4 Checking the Configuration
1.4 Configuring IP Address Unnumbered for Interfaces
1.4.1 Establishing the Configuration Task
1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address
1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface
1.4.4 Checking the Configuration
1.5 Maintaining IP Addresses
1.5.1 Monitoring Network Operation Status of IP Addresses
1.6 Configuration Examples
1.6.1 Example for Configuring Primary and Secondary IP Addresses
1.6.2 Example for Obtaining an IP Address Through Negotiation
1.6.3 Example for Configuring IP Address Unnumbered
1.6.4 Example for Configuring IP Address Overlapping on the Same Device
1.6.5 Example for Configuring an IP Address with a 31-bit Mask
2 ARP Configuration
2.1 Introduction to ARP
2.1.1 Overview of ARP
2.1.2 Features of ARP Supported by the NE80E/40E
2.2 Configuring Static ARP
2.2.1 Establishing the Configuration Task
2.2.2 Configuring Common Static ARP Entries
2.2.3 Configuring Static ARP Entries in a VLAN
2.2.4 Configuring Static ARP Entries in a VPN Instance
2.2.5 Checking the Configuration
2.3 Optimizing Dynamic ARP
2.3.1 Establishing the Configuration Task
2.3.2 Modify the aging parameters of dynamic ARP
2.3.3 Enabling ARP Suppression Function
2.3.4 Enabling Layer 2 Topology Detection Function
2.3.5 Enabling ARP Check
2.3.6 Checking the Configuration
2.4 Configuring Routed Proxy ARP
2.4.1 Establishing the Configuration Task
2.4.2 Configure an IP Addresses for the Interface
2.4.3 Enabling the Routed Proxy ARP Function
2.4.4 Checking the Configuration
2.5 Configuring Proxy ARP Within a VLAN
2.5.1 Establishing the Configuration Task
2.5.2 Configure an IP Addresses for the Interface
2.5.3 Configuring the VLAN Associated with the Sub-interface
2.5.4 Enabling Proxy ARP Within a VLAN
2.5.5 Checking the Configuration
2.6 Configuring Proxy ARP Between VLANs
2.6.1 Establishing the Configuration Task
2.6.2 Configuring an IP Addresses for the Interface
2.6.3 Configuring the VLAN Associated with the Sub-interface
2.6.4 Enabling Proxy ARP Between VLANs
2.6.5 Checking the Configuration
2.7 Configuring ARP-Ping IP
2.7.1 Establishing the Configuration Task
2.7.2 Detecting the IP Address by Using the arp-ping ip Command
2.8 Configuring ARP-Ping MAC
2.8.1 Establishing the Configuration Task
2.8.2 Detecting the MAC Address by Using the arp-ping mac Command
2.9 Configuring the Association Between ARP and Interface Status
2.9.1 Establishing the Configuration Task
2.9.2 Configuring the Association Between ARP and Interface Status
2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status
2.10 Maintaining ARP
2.10.1 Clearing ARP Entries
2.10.2 Monitoring Network Operation Status of ARP
2.11 Configuration Examples
2.11.1 Example for Configuring Routed Proxy ARP
2.11.2 Example for Configuring Proxy ARP Within a VLAN
2.11.3 Example for Configuring Proxy ARP Between VLANs
2.11.4 Example for Configuring the Association Between ARP and Interface Status
2.11.5 Example for Configuring Layer 2 Topology Detection
3 DNS Configuration
3.1 DNS Overview
3.1.1 Introduction to DNS
3.1.2 DNS Supported by the NE80E/40E
3.2 Configuring DNS
3.2.1 Establishing the Configuration Task
3.2.2 Configuring Static DNS Entries
3.2.3 Configuring Dynamic DNS
3.2.4 Checking the Configuration
3.3 Maintaining DNS
3.3.1 Clearing DNS Entries
3.3.2 Monitoring Network Operation Status of DNS
3.4 Configuration Examples
3.4.1 Example for Configuring DNS
4 IP Performance Configuration
4.1 IP Performance Overview
4.1.1 Introduction to IP Performance
4.1.2 IP Performance Supported by the NE80E/40E
4.2 Improving IP Performance
4.2.1 Establishing the Configuration Task
4.2.2 Configuring the Maximum Transmission Unit of the Interface
4.2.3 Configuring ICMP Attributes
4.2.4 Checking the Configuration
4.3 Configuring TCP
4.3.1 Establishing the Configuration Task
4.3.2 Configuring TCP Timer
4.3.3 Specifying the Size of a TCP Sliding Window
4.3.4 Checking the Configuration
4.4 Configuring Load Balancing for IP Packet Forwarding
4.4.1 Establishing the Configuration Task
4.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding
4.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
4.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding
4.4.5 Checking the Configuration
4.5 Maintaining IP Performance
4.5.1 Clearing IP Performance Statistics
4.5.2 Monitoring Network Operation Status of IP Performance
4.6 Configuration Examples
4.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets
4.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
4.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding
5 ACL Configuration
5.1 ACL Overview
5.1.1 Introduction to ACL
5.1.2 ACL Supported by the NE80E/40E
5.2 Configuring an Interface-based ACL
5.2.1 Establishing the Configuration Task
5.2.2 (Optional) Creating a Time Range
5.2.3 Creating an Interface-based ACL
5.2.4 (Optional) Configuring ACL Descriptions
5.2.5 (Optional) Configuring ACL Step
5.2.6 Checking the Configuration
5.3 Configuring a Basic ACL
5.3.1 Establishing the Configuration Task
5.3.2 (Optional) Creating a Time Range
5.3.3 Creating a Basic ACL
5.3.4 (Optional) Configuring ACL Descriptions
5.3.5 (Optional) Configuring ACL Step
5.3.6 Checking the Configuration
5.4 Configuring an Advanced ACL
5.4.1 Establishing the Configuration Task
5.4.2 (Optional) Creating a Time Range
5.4.3 Creating an Advanced ACL
5.4.4 (Optional) Configuring ACL Descriptions
5.4.5 (Optional) Configuring ACL Step
5.4.6 Checking the Configuration
5.5 Configuring an ACL Based on the Ethernet Frame Header
5.5.1 Establishing the Configuration Task
5.5.2 Creating an ACL Based on the Ethernet Frame Header
5.5.3 (Optional) Configuring ACL Descriptions
5.5.4 (Optional) Configuring ACL Step
5.5.5 Checking the Configuration
5.6 Configuring an UCL
5.6.1 Establishing the Configuration Task
5.6.2 (Optional) Creating a Time Range
5.6.3 Creating an UCL
5.6.4 (Optional) Configuring ACL Descriptions
5.6.5 (Optional) Configuring ACL Step
5.6.6 Checking the Configuration
5.7 Configuring a Named ACL
5.7.1 Establishing the Configuration Task
5.7.2 (Optional) Creating a Time Range
5.7.3 Creating a Named ACL
5.7.4 (Optional) Configuring named ACL Descriptions
5.7.5 (Optional) Configuring named ACL Step
5.7.6 Checking the Configuration
5.8 Configuring a MPLS-based ACL
5.8.1 Establishing the Configuration Task
5.8.2 Creating a MPLS-based ACL
5.8.3 Configuring Rules for a MPLS-based ACL
5.8.4 Checking the Configuration
5.9 Configuration Examples
5.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification
5.9.2 Example for Configuring the Security Function of Access Devices
5.9.3 Example for Configuring an ACL Rule that Is Based on the VPN Instance
6 Basic IPv6 Configuration
6.1 Basic IPv6 Overview
6.1.1 Introduction to IPv6
6.1.2 IPv6 Supported by the NE80E/40E
6.2 Configuring an IPv6 Address for an Interface
6.2.1 Establishing the Configuration Task
6.2.2 Enabling IPv6 Packet Forwarding Capability
6.2.3 Configuring an IPv6 Link-Local Address for an Interface
6.2.4 Configuring an IPv6 Global Unicast Address for an Interface
6.2.5 Configuring an IPv6 Anycast Address for an Interface
6.2.6 Checking the Configuration
6.3 Configuring an IPv6 Address Selection Policy Table
6.4 Configuring IPv6 Neighbor Discovery
6.4.1 Establishing the Configuration Task
6.4.2 Configuring Static Neighbors
6.4.3 Enabling RA Message Advertising
6.4.4 Setting the Interval for Advertising RA Messages
6.4.5 Enabling Stateful Auto Configuration
6.4.6 Configuring the Address Prefixes to Be Advertised
6.4.7 Configuring Other Information to Be Advertised.................................................................................164
6.4.8 Configuring the Default Router Priority and Route Information..........................................................165
6.4.9 (Optional) Configuring Routed Proxy ND............................................................................................166
6.4.10 Checking the Configuration.................................................................................................................167
6.5 Configuring IPv6 SEND.................................................................................................................................168
6.5.1 Establishing the Configuration Task
6.5.2 Configuring a CGA IPv6 Address
6.5.3 Configuring Strict IPv6 SEND
6.5.4 Checking the Configuration
6.6 Configuring PMTU
6.6.1 Establishing the Configuration Task
6.6.2 Creating Static PMTU Entries
6.6.3 Configuring PMTU Aging Time
6.6.4 Checking the Configuration
6.7 Configuring TCP6
6.7.1 Establishing the Configuration Task
6.7.2 Configuring TCP6 Timers
6.7.3 Configuring the Size of the TCP6 Sliding Window
6.7.4 Checking the Configuration
6.8 Maintaining IPv6
6.8.1 Resetting IPv6
6.8.2 Monitoring Network Operation Status of IPv6
6.9 Configuration Examples
6.9.1 Example for Configuring an IPv6 Address for an Interface
6.9.2 Example for Configuring IPv6 Neighbor Discovery
6.9.3 Example for Configuring IPv6 Address Selection Policy Table
6.9.4 Example for Configuring IPv6 SEND
6.9.5 Example for Configuring Default Router Priority and Route Information
7 IPv6 DNS Configuration
7.1 IPv6 DNS Overview
7.1.1 Introduction to IPv6 DNS
7.1.2 IPv6 DNS Supported by the NE80E/40E
7.2 Configuring IPv6 DNS
7.2.1 Establishing the Configuration Task
7.2.2 Configuring a Static IPv6 DNS Entry
7.2.3 Configuring the Dynamic IPv6 DNS Services
7.2.4 Checking the Configuration
7.3 Maintaining IPv6 DNS
7.3.1 Clearing IPv6 DNS Entries
7.3.2 Monitoring Network Operation Status of IPv6 DNS
7.4 Configuration Examples
7.4.1 Example for Configuring IPv6 DNS
8 ACL6 Configuration
8.1 ACL6 Overview
8.1.1 Introduction to ACL6
8.1.2 ACL6 Supported by the NE80E/40E
8.2 Configuring an Interfaced-based ACL6
8.2.1 Establishing the Configuration Task
8.2.2 (Optional) Configuring the Valid Time Range of ACL6
8.2.3 Creating an Interfaced-based ACL6
8.2.4 Checking the Configuration
8.3 Configuring a Basic ACL6
8.3.1 Establishing the Configuration Task
8.3.2 (Optional) Configuring the Valid Time Range of ACL6
8.3.3 Creating a Basic ACL6
8.3.4 Checking the Configuration
8.4 Configuring an Advanced ACL6
8.4.1 Establishing the Configuration Task
8.4.2 (Optional) Configuring the Valid Time Range of ACL6
8.4.3 Creating an Advanced ACL6
8.4.4 Checking the Configuration
8.5 Configuring a Named ACL6
8.5.1 Establishing the Configuration Task
8.5.2 (Optional) Configuring the Valid Time Range of ACL6
8.5.3 Creating a Named ACL6
8.5.4 Checking the Configuration
8.6 Maintaining ACL6
8.6.1 Clearing ACL6 Statistics
8.6.2 Monitoring Network Operation Status of ACL6
8.7 Configuration Examples
8.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets
9 IPv6 over IPv4 Tunnel Configuration
9.1 IPv6 over IPv4 Tunnel Overview
9.1.1 Introduction to IPv6 over IPv4
9.1.2 IPv6 over IPv4 Supported by the NE80E/40E
9.2 Configuring IPv4/IPv6 Dual Stacks
9.2.1 Establishing the Configuration Task
9.2.2 Enabling IPv6 Packet Forwarding
9.2.3 Configuring IPv4 and IPv6 Addresses for the Interface
9.3 Configuring an IPv6 over IPv4 Tunnel
9.3.1 Establishing the Configuration Task
9.3.2 Configuring an IPv6 over IPv4 Manual Tunnel
9.3.3 Configuring an IPV6 over IPv4 GRE Tunnel
9.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel
9.3.5 Configuring a 6to4 Tunnel
9.3.6 Configuring an ISATAP Tunnel
9.3.7 Configuring Routes in the Tunnel
9.3.8 Checking the Configuration
9.4 Configuring 6PE
9.4.1 Establishing the Configuration Task
9.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks
9.4.3 Configuring MPLS
9.4.4 Enabling 6PE Peer
9.5 Maintaining IPv6 over IPv4 Tunnels
9.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel
9.6 Configuration Examples
9.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel
9.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
9.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel
9.6.4 Example for Configuring a 6to4 Tunnel
9.6.5 Example for Configuring 6to4 Relay
9.6.6 Example for Configuring an ISATAP Tunnel
9.6.7 Example for Configuring 6PE
10 IPv4 over IPv6 Tunnel Configuration
10.1 IPv4 over IPv6 Tunnel Overview
10.1.1 Introduction to IPv4 over IPv6
10.1.2 IPv4 over IPv6 Supported by the NE80E/40E
10.2 Configuring an IPv4 over IPv6 Tunnel
10.2.1 Establishing the Configuration Task
10.2.2 Configuring a Tunnel Interface
10.2.3 Configuring Routes in the Tunnel
10.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel
10.2.5 Checking the Configuration
10.3 Maintaining IPv4 over IPv6 Tunnels
10.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel
10.4 Configuration Examples
10.4.1 Example for Configuring an IPv4 over IPv6 Tunnel
A Glossary
B Acronyms and Abbreviations
1 IP Addresses Configuration
About This Chapter
By assigning IP addresses to network devices, you can enable data communications between
the network devices.
1.1 IP Addresses Overview
An IP address is also called a logical address. The IP address of a network device on the Internet
is the unique identifier of the network device.
1.2 Configuring IP Addresses for Interfaces
Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.
1.3 Configuring IP Address Negotiation on Interfaces
If users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IP
addresses to the clients through the address negotiation function of PPP.
1.4 Configuring IP Address Unnumbered for Interfaces
IP address unnumbered means that an interface that is not assigned an IP address obtains one
by borrowing an IP address from another interface.
1.5 Maintaining IP Addresses
Maintaining an IP address involves monitoring the operation of this IP address.
1.6 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
1.1 IP Addresses Overview
An IP address is also called a logical address. The IP address of a network device on the Internet
is the unique identifier of the network device.
1.1.1 Introduction to IP Addresses
IP is the core of the TCP/IP protocol suite. The packets of the Transmission Control Protocol
(TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Internet
Group Membership Protocol (IGMP) are all transmitted in the format of IP datagrams. Devices
on different networks communicate with each other using their network layer addresses, namely
IP addresses.
To communicate with each other on Internet Protocol (IP) networks, each host must be assigned
an IP address.
An IP address is a 32-bit number that is composed of two parts, namely, the network ID and
host ID.
The network ID identifies a network and the host ID identifies a host on the network. If the
network IDs of hosts are the same, it indicates that the hosts are on the same network regardless
of their physical locations.
1.1.2 Features of IP Addresses Supported by the NE80E/40E
IP addresses can be obtained through static manual configuration, auto-negotiation, or
borrowing.
The NE80E/40E supports IP address configuration through the following methods:
• Manually configuring an IP address for an interface
• Obtaining an IP address through negotiation
• Borrowing an IP address from other interfaces
The NE80E/40E supports overlapping network segment addresses to save address space.
• Different IP addresses in overlapping but not identical network segments can be configured
on different interfaces of the same device. For example, after an interface on a device is
configured with the IP address 20.1.1.1/16, if another interface is configured with the IP
address 20.1.1.2/24, the system prompts a message, but the configuration still succeeds.
If another interface is configured with the IP address 20.1.1.2/16, the system prompts an
IP address conflict and the configuration fails.
• A primary IP address and a secondary IP address in overlapping but not identical network
segments can be configured on the same interface. For example, after the interface is
configured with the primary IP address 20.1.1.1/24, if the secondary IP address 20.1.1.2/16
sub is configured, the system prompts a message, but the configuration still succeeds.
• A primary IP address and a secondary IP address in overlapping but not identical network
segments can be configured on different interfaces of the same device. However, the
primary IP address and the secondary IP address cannot be the same. For example, after an
interface on a device is configured with the IP address 20.1.1.1/16, if another interface is
configured with the IP address 20.1.1.2/24 sub, the system prompts a message, but the
configuration still succeeds.
The NE80E/40E supports 31-bit IP address masks. A network segment with a 31-bit mask contains
only two IP addresses, that is, the network address and the broadcast address. Both IP addresses
can be used as host addresses.
You can assign IP addresses with 31-bit masks to Point-to-Point (P2P), Point-to-Multipoint
(P2MP), NBMA Address Resolution Protocol (NBMA), broadcast, and loopback interfaces. For
non-P2P interfaces, if a 31-bit mask is configured, the system displays a confirmation prompt
to protect P2MP or broadcast links. For example, if an Ethernet interface on a device
is assigned an IP address with a 31-bit mask, this device can access only the host in the directly
connected subnet. It cannot access all hosts in the subnet. In the backbone network of a broadcast
link, if a P2P link exists, you can configure the IP addresses with 31-bit masks.
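The overlap rules and the 31-bit mask behaviour described above, modelled as an added Python example for pre-checking an addressing plan (this is not Huawei code or device output). It assumes, from the examples in this section, that a conflict means an identical address or an identical segment on a different interface; the second interface name is constructed, and the one case this section does not cover is reported as "unspecified".

```python
"""Model of the overlap rules in section 1.1.2 (added example, not device code)."""
import ipaddress
from dataclasses import dataclass

OK, PROMPT, UNSPECIFIED, CONFLICT = "ok", "prompt", "unspecified", "conflict"
_RANK = {OK: 0, PROMPT: 1, UNSPECIFIED: 2, CONFLICT: 3}


@dataclass(frozen=True)
class Addr:
    interface: str                 # interface name
    ip: ipaddress.IPv4Interface    # address together with its mask length
    sub: bool = False              # True for a secondary ("sub") address


def addr(interface, cidr, sub=False):
    """Build an Addr from text such as '20.1.1.1/16'."""
    return Addr(interface, ipaddress.IPv4Interface(cidr), sub)


def classify(existing, new):
    """Return the worst verdict for `new` against the configured addresses."""
    verdict = OK
    for cur in existing:
        same_if = cur.interface == new.interface
        if same_if and not cur.sub and not new.sub:
            continue  # a new primary address replaces the old primary (section 1.2.2)
        if cur.ip.ip == new.ip.ip:
            found = CONFLICT                      # identical address
        elif cur.ip.network == new.ip.network:
            # Identical segment: conflict across interfaces (assumption taken
            # from the 20.1.1.2/16 example); not described for one interface.
            found = UNSPECIFIED if same_if else CONFLICT
        elif cur.ip.network.overlaps(new.ip.network):
            found = PROMPT                        # overlapping, not identical
        else:
            found = OK
        if _RANK[found] > _RANK[verdict]:
            verdict = found
    return verdict


def audit(plan):
    """Apply a planned list of addresses in order and report each verdict."""
    configured, report = [], []
    for new in plan:
        verdict = classify(configured, new)
        report.append((new.interface, str(new.ip), verdict))
        if verdict == CONFLICT:
            continue                              # configuration fails, nothing stored
        if not new.sub:                           # drop the primary being replaced
            configured = [c for c in configured
                          if c.sub or c.interface != new.interface]
        configured.append(new)
    return report


def host_range(cidr):
    """First and last address usable by hosts; a 31-bit mask keeps both."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen >= 31:
        return net.network_address, net.broadcast_address
    return net.network_address + 1, net.broadcast_address - 1


if __name__ == "__main__":
    # Constructed plan that reuses the addresses from the examples above.
    plan = [
        addr("GigabitEthernet1/1/0", "20.1.1.1/16"),
        addr("GigabitEthernet1/1/1", "20.1.1.2/24"),
        addr("GigabitEthernet1/1/1", "20.1.1.3/16", sub=True),
    ]
    for row in audit(plan):
        print(row)
    print(host_range("10.1.1.0/31"))
```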
1.2 Configuring IP Addresses for Interfaces
Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.
1.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for assigning an IP address to an interface.
Applicable Environment
To start IP services on an interface, configure the IP address for the interface. You can assign
several IP addresses to each interface. Among them, one is the primary IP address and the others
are secondary IP addresses.
Generally, you need to configure only a primary IP address for an interface. Secondary IP
addresses, however, are required in some cases. For instance, when a device connects to a
physical network through an interface, and computers on this network belong to two Class C
networks, you need to configure a primary IP address and a secondary IP address for this interface
to ensure that the device can communicate with all computers on this network.
Pre-configuration Tasks
Before configuring an IP address for an interface, complete the following tasks:
• Configuring the physical parameters for the interface and ensuring that the physical layer
status of the interface is Up
• Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up
Data Preparation
To configure IP addresses for an interface, you need the following data.
No. Data
1 Interface number
2 Primary IP address and subnet mask of the interface
3 (Optional) Secondary IP address and subnet mask of the interface
1.2.2 Configuring a Primary IP Address for an Interface
An interface can have only one primary IP address.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
A primary IP address is configured.
An interface has only one primary IP address. If the interface already has a primary IP address,
the newly configured primary IP address replaces the original one.
----End
1.2.3 (Optional) Configuring a Secondary IP Address for an Interface
To enable an interface to communicate with several networks with different network IDs, you
need to assign a secondary IP address to this interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } sub
A secondary IP address is configured.
A secondary IP address with a 31-bit mask can be configured for an interface.
You can configure a maximum of 255 secondary IP addresses on an interface.
----End
1.2.4 Checking the Configuration
You can view the configuration of the IP address for an interface.
Prerequisite
The configurations of the IP addresses for the interface are complete.
Procedure
• Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command to
check the IP configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] command to check
interface information.
----End
Example
Run the display ip interface command to check that the physical status and link protocol status
of the interface are Up.
<HUAWEI> display ip interface brief gigabitethernet 1/1/0
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface IP Address/Mask Physical Protocol
GigabitEthernet1/1/0 172.16.13.2/24 up up
Run the display interface command to check information about the IP address and subnet mask
of the interface.
<HUAWEI> display interface gigabitethernet 1/1/0
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22, 19:33:19
Description : GigabitEthernet1/1/0 Interface
The Maximum Transmit Unit is 1500 bytes
Internet Address is 172.16.13.2/24
Internet Address is 172.16.13.150/25 Sub
Internet Address is 172.16.13.200/28 Sub
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc08-2b73
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mbps-speed mode, full-duplex mode, link type is autonegotiation
Current system time: 2010-06-29 20:26:18
Last 300 seconds input rate 338 bits/sec, 0 packets/sec
Last 300 seconds output rate 514 bits/sec, 0 packets/sec
Input: 1065 packets, 1571513 bytes
0 broadcasts, 1065 multicasts
0 errors, 0 runts, 0 giants,
0 CRC, 0 collisions, 0 align errors,
0 other errors
Output:2866 packets, 2708571 bytes
0 broadcasts, 2866 multicasts
0 errors, 0 underruns, 0 collisions
0 packets had been deferred
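To audit many interfaces at once, the address lines of the display interface output shown above can be parsed and compared. The following is an added Python example, not part of the Huawei guide; the embedded sample is an excerpt of the output above, and the regular expressions assume exactly the line formats shown there.

```python
"""Extract addresses from 'display interface' output (added example)."""
import ipaddress
import re
from itertools import combinations

# Excerpt of the output shown above, embedded so the example runs offline.
SAMPLE = """\
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit is 1500 bytes
Internet Address is 172.16.13.2/24
Internet Address is 172.16.13.150/25 Sub
Internet Address is 172.16.13.200/28 Sub
"""

_STATE = re.compile(r"^(\S+) current state : (\S+)")
_PROTO = re.compile(r"^Line protocol current state : (\S+)")
_MTU = re.compile(r"^The Maximum Transmit Unit is (\d+) bytes")
_ADDR = re.compile(r"^Internet Address is (\d+\.\d+\.\d+\.\d+/\d+)(\s+Sub)?\s*$")


def parse_display_interface(text):
    """Return name, states, MTU, primary and secondary addresses."""
    info = {"name": None, "physical": None, "protocol": None,
            "mtu": None, "primary": None, "secondary": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = _PROTO.match(line)
        if m:
            info["protocol"] = m.group(1)
            continue
        m = _STATE.match(line)
        if m:
            info["name"], info["physical"] = m.group(1), m.group(2)
            continue
        m = _MTU.match(line)
        if m:
            info["mtu"] = int(m.group(1))
            continue
        m = _ADDR.match(line)
        if m:
            ipaddress.IPv4Interface(m.group(1))   # raises ValueError if malformed
            if m.group(2):
                info["secondary"].append(m.group(1))
            else:
                info["primary"] = m.group(1)
    return info


def overlapping_pairs(info):
    """List address pairs on the interface whose network segments overlap."""
    addrs = ([info["primary"]] if info["primary"] else []) + info["secondary"]
    pairs = []
    for a, b in combinations(addrs, 2):
        net_a = ipaddress.IPv4Interface(a).network
        net_b = ipaddress.IPv4Interface(b).network
        if net_a.overlaps(net_b):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    parsed = parse_display_interface(SAMPLE)
    print(parsed)
    for pair in overlapping_pairs(parsed):
        print("overlap:", pair)
```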
1.3 Configuring IP Address Negotiation on Interfaces
If users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IP
addresses to the clients through the address negotiation function of PPP.
Context
NOTE
IP Address Negotiation on Interfaces cannot be configured on the X1 and X2 models of the NE80E/40E.
1.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring IP address negotiation for an interface.
Applicable Environment
When devices are connected through a PPP link, the client interface can obtain an IP address
from the server through PPP negotiation. This usually applies when the client connects to
the Internet Service Provider (ISP) to access the Internet through a PPP link such as
dial-up. In this case, the ISP device assigns an IP address to the client through PPP
negotiation.
Pre-configuration Tasks
Before configuring IP addresses for interfaces through PPP negotiation, complete the following
tasks:
• Configuring physical parameters of the interface and the link layer protocol PPP on the
server
• Configuring IP addresses for interfaces on the server and making the link layer protocol
Up
• Configuring physical parameters on the interface and the link layer protocol PPP on the
client
Data Preparation
To configure IP addresses for interfaces through PPP negotiation, you need the following data.
No. Data
1 Number of the interface connecting the server to the client
2 ID of the address pool on the server or IP address assigned to the client
3 Range of IP addresses when an address pool is used
4 Number of the interface connecting the client to the server
1.3.2 Configuring a Server to Assign an IP Address for a Client Through Negotiation
After being assigned an IP address pool or an IP address, the server can assign IP addresses to
the clients.
Procedure
Step 1 Run:
system-view
The system view is displayed.
NOTE
If there is only one client, the address pool is unnecessary. In this case, skip Steps 2, 3, and 4, and do not
use the keyword pool in Step 6. Instead, directly assign the specified IP address to the client.
Step 2 (Optional) Run:
aaa
The AAA view is displayed.
Step 3 (Optional) Run:
ip pool pool-number start-address [ end-address ]
The local IP address pool is configured.
Step 4 (Optional) Run:
quit
Quit the AAA view.
Step 5 Run:
interface interface-type interface-number
The interface view is displayed.
Obtaining an IP address through negotiation is applied to only the interface encapsulated with
PPP.
Step 6 Run:
remote address { ip-address | pool [ pool-number ] }
An IP address is assigned to the client.
Step 7 Run:
restart
The interface is restarted.
----End
Follow-up Procedure
During preceding configurations, the address pool can also be configured in the domain view.
For details, see the HUAWEI NetEngine80E/40E Router Configuration Guide - Security.
• If the server authenticates the client, the address is selected from the address pool of the domain that the client belongs to by default.
• If the server does not authenticate the client and needs to assign an IP address to the client, the address is selected from the system address pool.
The IP address or the address pool assigned to the peer must differ from the IP address of the
local device.
1.3.3 Configuring a Client to Obtain an IP Address Through Negotiation
After interface IP address negotiation is enabled on a client, the client can obtain an IP address
from the server.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Obtaining an IP address through negotiation is applied to only the interface encapsulated with
PPP.
Step 3 Run:
ip address ppp-negotiate
The client is configured to obtain an IP address through negotiation.
----End
Follow-up Procedure
If an interface without an IP address supports PPP while the remote peer is configured with an
IP address, enable IP address negotiation on the local interface. This enables the local interface
to obtain an IP address that is generated through PPP negotiation and is assigned by the remote
peer.
When you configure to obtain an IP address through negotiation on the interface, note the
following:
• You can configure IP address negotiation on only the PPP-encapsulated interface. When the status of the PPP protocol is Down, the IP address generated through negotiation is deleted.
• After IP address negotiation is configured on the interface, the configuration of IP address for this interface is not needed any more. You can obtain a new IP address through negotiation, and the original IP address configured before the IP address negotiation is deleted.
• You cannot configure a secondary IP address for the interface configured with IP address negotiation.
• If you re-configure negotiation on this interface, the IP address generated through the previous negotiation is deleted and a new IP address is obtained.
• If the address generated through negotiation is deleted, the interface is in the non-address state.
1.3.4 Checking the Configuration
You can view the configuration of interface IP address negotiation.
Prerequisite
The configurations of IP address negotiation on interfaces are complete.
Procedure
• Run the display ip interface [ brief ] [ interface-type interface-number ] command to check the IP configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] command to check interface information.
----End
Example
Run the display ip interface command to check that the physical status and link protocol status
of the interface are Up.
<HUAWEI> display ip interface brief gigabitethernet 1/1/0
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface IP Address/Mask Physical Protocol
GigabitEthernet1/1/0 192.168.1.10/24 up up
Run the display interface command to check information about the IP address and subnet mask
of the interface.
<HUAWEI> display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22 19:33:19
Description : Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470 bytes, Hold timer is 10(sec)
Internet Address is 192.168.1.10/24
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
Last physical up time : 2010-06-21 14:56:32
Last physical down time : 2010-06-21 14:56:31
Current system time: 2010-06-29 20:26:18
SDH alarm:
section layer: none
line layer: none
path layer: none
SDH error:
section layer: B1 61575
line layer: B2 12002824 REI 16835916
path layer: B3 65535
Statistics last cleared:never
Last 300 seconds input rate 16 bits/sec, 0 packets/sec
Last 300 seconds output rate 40 bits/sec, 0 packets/sec
Input: 3510 packets, 57372 bytes
Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
Output: 7270 packets, 344198 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets
1.4 Configuring IP Address Unnumbered for Interfaces
IP address unnumbered refers to the situation that an interface that is not assigned an IP address
obtains an IP address by borrowing an IP address from another interface.
1.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring IP address unnumbered.
Applicable Environment
To save IP address resources in some cases, configure the IP address unnumbered on the
interface. You can also perform this configuration for an interface that is occasionally used rather
than making the interface occupy an IP address constantly.
Restrictions on configuring IP address unnumbered on an interface are as follows:
• The interface of IP address borrower cannot be an Ethernet interface.
• The interface of IP address lender cannot itself borrow an IP address from another interface.
• Multiple interfaces can borrow the IP address from the interface of IP address lender.
• If the interface of IP address lender has multiple IP addresses, only the primary IP address can be lent.
• If the interface of IP address borrower borrows an IP address from an interface with no IP address, the IP address borrower gets the IP address 0.0.0.0.
• The IP address of the virtual loopback interface can be borrowed by other interfaces. The loopback interface, however, cannot borrow the IP address from other interfaces.
Pre-configuration Tasks
Before configuring IP address unnumbered on an interface, complete the following tasks:
• Configuring physical attributes for the IP address borrower and lender
• Configuring link layer protocols for the IP address borrower and lender
Data Preparation
To configure IP address unnumbered on an interface, you need the following data.
No. Data
1 Number, IP address, and mask of the interface that lends the IP address to other
interfaces
2 Number of the interface that borrows an IP address from another interface
NOTE
The configuration here only describes how to configure an unnumbered interface to borrow an IP address.
Dynamic routing protocols cannot be enabled on an interface without an IP address. Therefore, you need
to manually configure a static route to the remote network segment to realize communication between
devices.
1.4.2 Configuring the Primary IP Address of the Interface That Lends an IP Address
Only the primary IP address of an interface can be borrowed.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
The primary IP address of the interface is configured.
An interface can also obtain the primary IP address through PPP negotiation.
----End
1.4.3 Configuring an Interface That Borrows an IP Address from Another Interface
An Ethernet interface cannot borrow the IP address of another interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ip address unnumbered interface interface-type interface-number
The interface is configured to borrow an IP address from the specified interface.
The ATM interface, tunnel interface, and the interface encapsulated with frame relay, PPP or
HDLC can borrow the IP address from an Ethernet interface or other interfaces.
----End
1.4.4 Checking the Configuration
You can view the borrowed IP address of an interface.
Prerequisite
The configurations of IP address unnumbered are complete.
Procedure
• Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command to check the IP configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] command to check interface information.
----End
Example
Run the display ip interface command. If the physical status and link protocol status of the
interface are Up, it means that the configuration succeeds.
Run the display interface command. If information about the IP address and mask of the
interface is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display interface pos 6/0/0
Pos6/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22 19:33:19
Description: Pos6/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet3/0/9(120.1.1.1/
24)
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
Last physical up time : 2010-06-21 14:56:32
Last physical down time : 2010-06-21 14:56:31
Current system time: 2010-06-29 20:26:18
SDH alarm:
section layer: none
line layer: none
path layer: none
SDH error:
section layer: B1 0
line layer: B2 0 REI 1370245
path layer: B3 0 REI 56395
Statistics last cleared:never
Last 300 seconds input rate 24 bits/sec, 0 packets/sec
Last 300 seconds output rate 24 bits/sec, 0 packets/sec
Input: 1420 packets, 23131 bytes
Input error: 2 shortpacket, 0 longpacket, 1 CRC, 0 lostpacket
Output: 1421 packets, 23150 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets
1.5 Maintaining IP Addresses
Maintaining an IP address involves monitoring the operation of this IP address.
1.5.1 Monitoring Network Operation Status of IP Addresses
This section describes IP address monitoring through the display command.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of IP addresses.
Procedure
• Run the display ip interface [ brief ] [ interface-type [ interface-number ] ] command in any view to check the IP address configuration on the interface.
• Run the display interface [ interface-type [ interface-number ] ] command in any view to check information about the interface.
----End
1.6 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
1.6.1 Example for Configuring Primary and Secondary IP Addresses
This part describes how to configure a primary IP address and a secondary IP address for an
interface.
Networking Requirements
As shown in Figure 1-1, GE 1/0/1 of the device connects to a LAN in which computers belong
to one of the two network segments: 172.16.1.0/24 and 172.16.2.0/24. It is required that the
device can communicate with the two network segments. At the same time, the hosts of the two
network segments cannot communicate with each other.
Figure 1-1 Configuring primary and secondary IP addresses for an interface
[Figure: Router interface GE1/0/1 (172.16.1.1/24, 172.16.2.1/24 sub) connects to the network segments 172.16.1.0/24 and 172.16.2.0/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Analyze the address of the network segment to which the interface connects.
2. Configure the primary IP address for the interface and then configure one or more secondary
IP addresses for the interface.
NOTE
A primary IP address and a secondary IP address that are in overlapping but not identical network
segments can be configured on the same interface. The secondary IP addresses of an interface cannot
be in the same network segment.
Data Preparation
To complete the configuration, you need the following data:
• Primary IP address and subnet mask of the interface
• Secondary IP address and subnet mask of the interface
Procedure
Step 1 Configure the device.
# Configure the primary and secondary IP addresses for GE 1/0/1 of the device.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub
[Router-GigabitEthernet1/0/1] undo shutdown
[Router-GigabitEthernet1/0/1] quit
Step 2 Verify the configuration.
# Ping the host on the network segment 172.16.1.0 from the device. The ping succeeds.
[Router] ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
# Ping the host on the segment 172.16.2.0 from the device. The ping succeeds.
[Router] ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
# The hosts of the two network segments cannot ping through each other.
----End
Configuration Files
The following lists the configuration file of the Router:
#
sysname Router
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return
1.6.2 Example for Obtaining an IP Address Through Negotiation
This part describes how an interface obtains an IP address through negotiation.
Networking Requirements
NOTE
Obtaining an IP Address Through Negotiation on Interfaces cannot be configured on the X1 and X2 models
of the NE80E/40E.
As shown in Figure 1-2, Router A allocates an IP address for POS 1/0/0 on Router B through
PPP negotiation.
Figure 1-2 Networking diagram of allocating IP address through negotiation
[Figure: RouterA POS 1/0/0 (192.168.1.1/24) connects to RouterB POS 1/0/0; each router also connects to an Ethernet network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a local IP address pool.
2. Configure an IP address for the local interface.
3. Specify an IP address or address pool for the remote end.
4. Enable obtaining an IP address through negotiation on the remote end.
Data Preparation
To complete the configuration, you need the following data:
• IP address and subnet mask of the local interface
• The range of the IP address to be allocated to the remote end
Procedure
Step 1 Configure Router A.
# Configure a local IP address pool.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] aaa
[RouterA-aaa] ip pool 1 192.168.1.10 192.168.1.20
[RouterA-aaa] quit
# Configure an IP address for POS 1/0/0.
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.1.1 255.255.255.0
# Configure POS 1/0/0 to allocate an IP address to the remote end.
[RouterA-Pos1/0/0] remote address pool 1
[RouterA-Pos1/0/0] shutdown
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
Step 2 Configure Router B.
# Enable obtaining an IP address of the interface through PPP negotiation.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address ppp-negotiate
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
Step 3 Verify the configuration.
Router B can ping through POS 1/0/0 on Router A.
[RouterB] ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=156 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=62 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/81/156 ms
# View the status of POS 1/0/0 on Router B.
[RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22 19:33:19
Description : Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is negotiated, 192.168.1.10/32
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
Last physical up time : 2010-06-21 14:56:32
Last physical down time : 2010-06-21 14:56:31
Current system time: 2010-06-29 20:26:18
SDH alarm:
section layer: none
line layer: none
path layer: none
SDH error:
section layer: B1 61575
line layer: B2 12002824 REI 16835916
path layer: B3 65535
Statistics last cleared:never
Last 300 seconds input rate 16 bits/sec, 0 packets/sec
Last 300 seconds output rate 40 bits/sec, 0 packets/sec
Input: 3510 packets, 57372 bytes
Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
Output: 7270 packets, 344198 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets
If the information "Internet Address is negotiated, 192.168.1.10/32" is displayed, it means that
the address negotiation succeeds.
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
aaa
ip pool 1 192.168.1.10 192.168.1.20
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
remote address pool 1
ip address 192.168.1.1 255.255.255.0
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address ppp-negotiate
#
return
1.6.3 Example for Configuring IP Address Unnumbered
This part describes how to configure IP address borrowing for an interface.
Networking Requirements
As shown in Figure 1-3, an enterprise builds its intranet through the ISDN. Router A and Router
B connect to a local LAN through the GE interfaces. The devices connect to each other through
the dialing ports. Each device connects to the LAN through GE 1/0/0 and connects to the ISDN
through POS 2/0/0. To save IP address resources, the dialing ports are planned to borrow the IP
addresses from the GE interfaces.
Figure 1-3 Networking diagram of an IP address unnumbered configuration
[Figure: RouterA (GE1/0/0 172.16.10.1/24 to Ethernet, POS2/0/0) and RouterB (GE1/0/0 172.16.20.1/24 to Ethernet, POS2/0/0) connect to each other through the ISDN]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses to be borrowed.
2. Configure the interfaces to borrow IP addresses from other interfaces.
Data Preparation
To complete the configuration, you need the following data:
• IP address of the interface that lends an IP address
• Number of the interface that lends an IP address
Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure the POS interface to borrow an IP address from the GE interface.
[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterA-Pos2/0/0] link-protocol ppp
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit
# Configure an Ethernet route to Router B.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 pos 2/0/0
Step 2 Configure Router B.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
# Configure the POS interface to borrow an IP address from the GE interface.
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[RouterB-Pos2/0/0] link-protocol ppp
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
# Configure an Ethernet route to Router A.
[RouterB] ip route-static 172.16.10.0 255.255.255.0 pos 2/0/0
Step 3 Verify the configuration.
# Router A can ping through the address of the host connected to Router B.
[RouterA] ping 172.16.20.2
PING 172.16.20.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=254 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=254 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=254 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=254 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=254 time=26 ms
--- 172.16.20.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.10.1 255.255.255.0
#
ip route-static 172.16.20.0 255.255.255.0 Pos2/0/0
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.20.1 255.255.255.0
#
ip route-static 172.16.10.0 255.255.255.0 Pos2/0/0
#
return
1.6.4 Example for Configuring IP Address Overlapping on the Same Device
This part describes how to configure IP address overlapping on a device.
Networking Requirements
As shown in Figure 1-4, Network A and Network B are independent from each other. They
access the Internet through different paths. Using the same Layer 2 network provided by ISP 1,
Network A and Network B can access each other.
It is required to use Router B to connect Network A and Network B to the Layer 2 network
provided by ISP 1 by using the IP addresses 192.168.1.11/24 and 192.168.1.12/24.
Figure 1-4 Networking diagram of configuring IP address overlapping on the same device
[Figure: RouterA (GE1/0/0 192.168.1.1/24, AS 100) and RouterB (AS 200) connect through the Layer 2 network of ISP 1. On RouterB, VPN instance r1 has GE1/0/0 192.168.1.11/24 and POS2/0/0 10.1.1.1/24 toward RouterC (POS2/0/0 10.1.1.2/24, Network A); VPN instance r2 has GE3/0/0 192.168.1.12/24 and POS4/0/0 20.1.1.1/24 toward RouterD (POS4/0/0 20.1.1.2/24, Network B)]
Procedure
Step 1 Configure a VPN instance.
# On Router B, create a VPN instance for Network A, and bind the VPN instance to the upstream
interface GE 1/0/0 and the downstream interface POS 2/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ip vpn-instance r1
[RouterB-vpn-instance-r1] ipv4-family
[RouterB-vpn-instance-r1-af-ipv4] route-distinguisher 100:1
[RouterB-vpn-instance-r1-af-ipv4] quit
[RouterB-vpn-instance-r1] quit
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip binding vpn-instance r1
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.11 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip binding vpn-instance r1
[RouterB-Pos2/0/0] ip address 10.1.1.1 24
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
# On Router B, create a VPN instance for Network B, and bind the VPN instance to the upstream
interface GE 3/0/0 and the downstream interface POS 4/0/0.
[RouterB] ip vpn-instance r2
[RouterB-vpn-instance-r2] ipv4-family
[RouterB-vpn-instance-r2-af-ipv4] route-distinguisher 100:2
[RouterB-vpn-instance-r2-af-ipv4] quit
[RouterB-vpn-instance-r2] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] ip binding vpn-instance r2
[RouterB-GigabitEthernet3/0/0] ip address 192.168.1.12 24
[RouterB-GigabitEthernet3/0/0] undo shutdown
[RouterB-GigabitEthernet3/0/0] quit
[RouterB] interface pos 4/0/0
[RouterB-Pos4/0/0] ip binding vpn-instance r2
[RouterB-Pos4/0/0] ip address 20.1.1.1 24
[RouterB-Pos4/0/0] undo shutdown
[RouterB-Pos4/0/0] quit
# On Router B, configure static routes for the two VPN instances.
[RouterB] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1
[RouterB] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1
Step 2 Set up the EBGP neighbor relationship between Router A and the two upstream interfaces on
Router B respectively.
# Configure Router B.
[RouterB] bgp 200
[RouterB-bgp] router-id 100.1.1.1
[RouterB-bgp] ipv4-family vpn-instance r1
[RouterB-bgp-r1] peer 192.168.1.1 as-number 100
[RouterB-bgp-r1] import-route direct
[RouterB-bgp-r1] quit
[RouterB-bgp] ipv4-family vpn-instance r2
[RouterB-bgp-r2] peer 192.168.1.1 as-number 100
[RouterB-bgp-r2] import-route direct
[RouterB-bgp-r2] quit
[RouterB-bgp] quit
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] bgp 100
[RouterA-bgp] peer 192.168.1.11 as-number 200
[RouterA-bgp] peer 192.168.1.12 as-number 200
[RouterA-bgp] quit
Step 3 Configure IP addresses and static routes for Router C and Router D on the local network.
# Configure the IP address and static route for Router C.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] ip address 10.1.1.2 24
[RouterC-Pos2/0/0] undo shutdown
[RouterC-Pos2/0/0] quit
[RouterC] ip route-static 0.0.0.0 0 10.1.1.1
# Configure the IP address and static route for Router D.
<HUAWEI> system-view
[HUAWEI] sysname RouterD
[RouterD] interface pos 4/0/0
[RouterD-Pos4/0/0] ip address 20.1.1.2 24
[RouterD-Pos4/0/0] undo shutdown
[RouterD-Pos4/0/0] quit
[RouterD] ip route-static 0.0.0.0 0 20.1.1.1
Step 4 Verify the configuration.
# After the configurations, view the private routing table on Router B. The routes of the two
local networks connected to Router B belong to two VPN instances (r1 and r2) respectively.
This indicates that the routes are isolated.
[RouterB] display ip routing-table vpn-instance r1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r1
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 192.168.1.1 GigabitEthernet1/0/0
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Pos2/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.2/32 Direct 0 0 D 10.1.1.2 Pos2/0/0
192.168.1.0/24 Direct 0 0 D 192.168.1.11 GigabitEthernet1/0/0
192.168.1.11/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[RouterB] display ip routing-table vpn-instance r2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: r2
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 192.168.1.1 GigabitEthernet3/0/0
20.1.1.0/24 Direct 0 0 D 20.1.1.1 Pos4/0/0
20.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
20.1.1.2/32 Direct 0 0 D 20.1.1.2 Pos4/0/0
192.168.1.0/24 Direct 0 0 D 192.168.1.12 GigabitEthernet3/0/0
192.168.1.12/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# Run the display ip routing-table command on Router A. The command output shows that
the public routing table on Router A contains routes to the two local networks.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 EBGP 255 0 D 192.168.1.11
GigabitEthernet1/0/0
10.1.1.2/32 EBGP 255 0 D 192.168.1.11
GigabitEthernet1/0/0
20.1.1.0/24 EBGP 255 0 D 192.168.1.12
GigabitEthernet1/0/0
20.1.1.2/32 EBGP 255 0 D 192.168.1.12
GigabitEthernet1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 GigabitEthernet1/0/0
192.168.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Network A and Network B can ping each other.
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
bgp 100
peer 192.168.1.11 as-number 200
peer 192.168.1.12 as-number 200
#
ipv4-family unicast
undo synchronization
peer 192.168.1.11 enable
peer 192.168.1.12 enable
#
return
• Configuration file of Router B
#
sysname RouterB
#
ip vpn-instance r1
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance r2
ipv4-family
route-distinguisher 100:2
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance r1
ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance r2
ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip binding vpn-instance r1
ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
ip binding vpn-instance r2
ip address 20.1.1.1 255.255.255.0
#
bgp 200
router-id 100.1.1.1
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance r1
peer 192.168.1.1 as-number 100
import-route direct
#
ipv4-family vpn-instance r2
peer 192.168.1.1 as-number 100
import-route direct
#
ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
#
return
• Configuration file of Router C
#
sysname RouterC
#
interface pos 2/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return
• Configuration file of Router D
#
sysname RouterD
#
interface pos 4/0/0
link-protocol ppp
undo shutdown
ip address 20.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
return
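One way to check Router B's isolation offline, as an added example that is not part of the Huawei guide: it parses the interface stanzas of a saved configuration, reports same-subnet addresses that share one routing table, and lists interfaces left in the public table. The function names, the "(public)" label and the two altered variants are assumptions of the example.

```python
import ipaddress

# Constructed sample: the interface stanzas of the Router B configuration file
# shown above, indented the way a saved configuration file is laid out.
ROUTER_B_CONFIG = """\
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip binding vpn-instance r1
 ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip binding vpn-instance r2
 ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r1
 ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip binding vpn-instance r2
 ip address 20.1.1.1 255.255.255.0
#
"""

PUBLIC = "(public)"  # label used here for interfaces with no VPN binding

# Constructed variants of the sample with one binding changed.
WRONG_INSTANCE = ROUTER_B_CONFIG.replace(
    " ip binding vpn-instance r2\n ip address 192.168.1.12",
    " ip binding vpn-instance r1\n ip address 192.168.1.12")
MISSING_BINDING = ROUTER_B_CONFIG.replace(
    " ip binding vpn-instance r2\n ip address 192.168.1.12",
    " ip address 192.168.1.12")


def parse_interfaces(config):
    """Return {interface name: (routing table, IPv4Interface)}.

    Relies on the binding line preceding the address line inside a stanza,
    which is the order used in the configuration files on this page.
    """
    result = {}
    name, table = None, PUBLIC
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            name = None                      # end of the current stanza
        elif line.startswith("interface "):
            name, table = line.split(None, 1)[1], PUBLIC
        elif name and line.startswith("ip binding vpn-instance "):
            table = line.split()[-1]
        elif name and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:
                addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
                result[name] = (table, addr)
    return result


def audit(config):
    """Classify overlapping subnets and list interfaces in the public table."""
    ifaces = parse_interfaces(config)
    names = sorted(ifaces)
    report = {
        "unbound": [n for n in names if ifaces[n][0] == PUBLIC],
        "same_table_overlaps": [],   # conflict: one table, overlapping subnets
        "isolated_overlaps": [],     # overlap kept apart by separate tables
    }
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (table_a, ip_a), (table_b, ip_b) = ifaces[a], ifaces[b]
            if ip_a.network.overlaps(ip_b.network):
                key = ("same_table_overlaps" if table_a == table_b
                       else "isolated_overlaps")
                report[key].append((a, b))
    return report


if __name__ == "__main__":
    for label, cfg in (("as documented", ROUTER_B_CONFIG),
                       ("wrong instance", WRONG_INSTANCE),
                       ("missing binding", MISSING_BINDING)):
        print(label, audit(cfg))
```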
1.6.5 Example for Configuring an IP Address with a 31-bit Mask
This part describes how to configure an IP address with a 31-bit mask.
Networking Requirements
As shown in Figure 1-5, Router A and Router B are connected through a PPP link.
Figure 1-5 Networking diagram of configuring an IP address with a 31-bit mask
[Figure labels: RouterA POS1/0/0 10.1.1.1/31; RouterB POS1/0/0 10.1.1.0/31]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router A.
2. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router B.
Data Preparation
To complete the configuration, you need the following data:
• IP address and mask of POS 1/0/0 on Router A
• IP address and mask of POS 1/0/0 on Router B
Procedure
Step 1 Configure an IP address for each interface.
# Configure an IP address for POS 1/0/0 on Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 10.1.1.1 255.255.255.254
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Configure an IP address for POS 1/0/0 on Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 10.1.1.0 255.255.255.254
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
Step 2 Verify the configuration.
# After the preceding configurations, you can check the routing table on Router A. You can find
that in the routing table, the network address and the broadcast address of the network segment
are both used as host addresses.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/31 Direct 0 0 D 10.1.1.1 Pos1/0/0
10.1.1.0/32 Direct 0 0 D 10.1.1.0 Pos1/0/0
10.1.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# After the preceding configurations, you can check the routing table on Router B. You can find
that in the routing table, the network address and the broadcast address of the network segment
are both used as host addresses.
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/31 Direct 0 0 D 10.1.1.0 Pos1/0/0
10.1.1.0/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.1.1.1/32 Direct 0 0 D 10.1.1.1 Pos1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.1 255.255.255.254
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.1.1.0 255.255.255.254
#
return
2 ARP Configuration
About This Chapter
ARP can map an IP address to a MAC address and implements transmission of Ethernet frames.
2.1 Introduction to ARP
ARP, acronym for Address Resolution Protocol, is at the link layer of the TCP/IP protocol suite.
2.2 Configuring Static ARP
Static ARP indicates that there is a fixed mapping between an IP address and a MAC address.
Static ARP needs to be configured by an administrator.
2.3 Optimizing Dynamic ARP
If dynamic ARP is configured, the system automatically resolves an IP address into an Ethernet
MAC address.
2.4 Configuring Routed Proxy ARP
Proxy ARP enables devices whose IP addresses belong to the same network segment but
different physical networks to communicate with each other.
2.5 Configuring Proxy ARP Within a VLAN
By configuring proxy ARP on a VLAN, you can interconnect isolated hosts on a VLAN.
2.6 Configuring Proxy ARP Between VLANs
By configuring inter-VLAN proxy ARP, you can interconnect hosts on different VLANs.
2.7 Configuring ARP-Ping IP
ARP-Ping IP is a method of detecting whether an IP address is used by another device on a local
area network (LAN) by sending ARP packets.
2.8 Configuring ARP-Ping MAC
ARP-Ping MAC is a method of detecting whether a MAC address is used by another device on
a LAN by sending ICMP packets.
2.9 Configuring the Association Between ARP and Interface Status
By configuring ARP and interface status association, you can determine whether the peer device
can forward packets normally by checking whether the device receives a response to the ARP
detection packet sent to the peer device. In this manner, you can determine the protocol status
(up or down) of the device and trigger fast route convergence.
2.10 Maintaining ARP
The operations of ARP maintenance include clearing ARP statistics and monitoring ARP
operating status.
2.11 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
2.1 Introduction to ARP
ARP, acronym for Address Resolution Protocol, is at the link layer of the TCP/IP protocol suite.
2.1.1 Overview of ARP
An Ethernet device must support ARP. ARP implements dynamic mapping between Layer 3 IP
addresses and Layer 2 MAC addresses.
Each host or device on the Local Area Network (LAN) can be configured with a 32-bit IP address to
communicate with others. The assigned IP address is independent of the hardware address.
On the Ethernet, a host or a device transmits and receives Ethernet frames according to a 48-bit
Medium Access Control (MAC) address. The MAC address is also called the physical address
or the hardware address, which is assigned to an Ethernet interface when equipment is produced.
Therefore, on an interconnected network, an address resolution mechanism is required to provide
the mapping between MAC addresses and IP addresses.
The Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address.
2.1.2 Features of ARP Supported by the NE80E/40E
ARP can operate in either of two modes: static and dynamic. The extensions of ARP include
proxy ARP, gratuitous ARP, association between ARP and interface status, and ARP-Ping.
ARP is only used in the IPv4 environment and can only run on Ethernet links.
Introduction to ARP-Ping
ARP-Ping consists of ARP-Ping IP and ARP-Ping MAC. ARP-Ping is developed to maintain
the deployed Layer 2 features.
Introduction to ARP-Ping IP
ARP-Ping IP uses ARP packets to check whether an IP address is used by another device on the
LAN.
Before configuring an IP address for a device, you need to check that this IP address is not used
by another device on the network by sending the ARP packets. Then, you can take appropriate
actions.
You can also run the ping command to check whether the IP address is used by another device
on the network. However, if the destination host or device has a firewall enabled that does not
reply to Ping packets, no reply is received and the IP address is wrongly considered not in
use. ARP is a Layer 2 protocol, and in most cases ARP packets can pass through the firewall,
so this situation does not occur with ARP-Ping IP.
Principles of ARP-Ping IP
ARP-Ping IP sends ARP Request packets. The following describes how to implement ARP-Ping
IP:
1. After setting the specified IP address through command lines, you can send ARP Request
packets and start the timeout timer.
2. After receiving an ARP Request packet, each device or host on the LAN replies with an
ARP Reply packet.
3. After receiving the ARP Reply packet, the source device compares the source IP address
contained in the Reply packet with the IP address input in the command line. If they are
consistent, the MAC address corresponding to the input IP address is displayed and the
timeout timer of ARP Reply packets is disabled. The operation finishes.
If the timeout timer of ARP Reply packets times out, it means that the IP address is not in
use.
As shown in Figure 2-1, Router A and Gigabitethernet A are directly connected. You can run
the arp-ping ip command on Router A to check whether the IP address 10.1.1.2 is in use.
Figure 2-1 Implementation procedure of ARP-Ping IP
[Figure labels: RouterA GE1/0/0 10.1.1.1/24; Gigabitethernet A; Host A 10.1.1.2/32; Host B 10.1.1.3/32]
Run the arp-ping ip 10.1.1.2 command on Router A. After receiving the ARP Reply packet
from Host A (10.1.1.2) on the network, Router A displays the MAC address of Host A.
Through the command output, you can know whether the IP address is used by another host on
the network.
NOTE
The arp-ping ip command is applicable to the outgoing interface in one of the following types: Gigabit
Ethernet interface, Eth-Trunk interface, VLANIF interface, member interface of the VLANIF interface,
and Ethernet interface (including the Layer 2 interfaces into which these interfaces are switched).
Introduction to ARP-Ping MAC
ARP-Ping MAC uses ICMP packets to check whether a MAC address is used by another device
on the LAN.
When you know a specific MAC address on a network segment but do not know the
corresponding IP address, you can obtain the IP address corresponding to the MAC address by
sending broadcast Internet Control Message Protocol (ICMP) packets through ARP-Ping
MAC. In this way, you can query the IP address corresponding to the specific MAC address on
the network segment.
Principles of ARP-Ping MAC
ARP-Ping MAC sends broadcast ICMP Echo Request packets. The following describes how to
implement ARP-Ping MAC:
1. After setting the specified MAC address through the command line, you can send broadcast
ICMP Echo Request packets and start the timeout timer.
2. After receiving an ICMP Echo Request packet, each device or host on the LAN replies with
an ICMP Echo Reply packet.
3. After receiving the ICMP Echo Reply packet, the source device compares the source MAC
address contained in the Echo Reply packet with the MAC address input in the command
line. If they are consistent, the IP address of the Echo Reply packet is displayed. Then the
source device prompts you that the MAC address is in use and disables the timeout timer.
The operation finishes.
If the timeout timer of the ICMP Echo Reply packets times out, it means that the MAC
address is not in use.
NOTE
If the system denies the request for replying with the network segment address, the sender cannot receive
the ICMP Echo Reply packet.
As shown in Figure 2-2, Router A and Gigabitethernet A are directly connected. You can run
the arp-ping mac command on Router A to check whether the MAC address 0013-46E7-2EF5
is in use.
Figure 2-2 Implementation procedure of ARP-Ping MAC
[Figure labels: RouterA GE1/0/0 10.1.1.1/24; Gigabitethernet A; Host A 0013-46E7-2EF5]
The following describes how to implement ARP-Ping MAC on Router A:
Run the arp-ping mac 0013-46E7-2EF5 10.1.1.0 or arp-ping mac 0013-46E7-2EF5
gigabitethernet 1/0/0 command on Router A. After receiving the ICMP Echo Reply packets sent
by all the hosts on the network, Router A displays the IP address of the host with the MAC
address 0013-46E7-2EF5.
Through the command output, you can obtain the IP address corresponding to the MAC address.
NOTE
The arp-ping mac command is applicable to the outgoing interface in one of the following types: Gigabit
Ethernet interface, VLANIF interface, Ethernet interface, and Eth-Trunk interface.
2.2 Configuring Static ARP
Static ARP indicates that there is a fixed mapping between an IP address and a MAC address.
Static ARP needs to be configured by an administrator.
2.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring static ARP.
Applicable Environment
Static ARP is used in the following situations:
• For the packets whose destination IP address is on another network segment, static ARP
can help these packets traverse a gateway of the local network segment so that the gateway
can forward the packets to their destination.
• When you need to filter out some packets with illegitimate destination IP addresses, static
ARP can bind these illegitimate addresses to a nonexistent MAC address.
Pre-configuration Tasks
Before configuring ARP, complete the following tasks:
• Configuring link layer protocol parameters for the interface and ensuring that the status of
the link layer protocol on the interface is Up
• Configuring the network layer protocol for the interface
Data Preparation
To configure ARP, you need the following data.
No. Data
1 IP address and MAC address of the static ARP entry
2 VPN instance name and VLAN ID to which the static ARP entry belongs
2.2.2 Configuring Common Static ARP Entries
Static ARP entries are required for the communication between common interfaces.
Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q
termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the
IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and
thus packets cannot be normally forwarded.
NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details,
see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp static ip-address mac-address
Configure common static ARP entries.
NOTE
Static ARP entries remain valid as long as the device works normally.
----End
2.2.3 Configuring Static ARP Entries in a VLAN
In the scenario where two users belong to the same VLAN but user isolation is configured in
the VLAN, to implement communications between the two users, you need to enable static ARP
within the VLAN on the member interface of the VLAN.
Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q
termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the
IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and
thus packets cannot be normally forwarded.
NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details,
see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Configure static ARP entries in a Virtual Local Area Network (VLAN).
To configure static ARP entries in a VLAN, do as follows:
• Run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number
command.
You must set the vid vlan-id and interface interface-type interface-number parameters when
you configure static ARP entries in the VLAN.
If the interface corresponding to the VLAN is bound to a Virtual Private Network (VPN),
the device can automatically associate the configured static ARP entry with the VPN. This
command is applicable to port-based VLANs.
• Run the arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-id
command.
This command is applicable to the sub-interface that supports VLAN and can be bound to
the VPN.
NOTE
Static ARP entries remain valid as long as the device works normally.
----End
2.2.4 Configuring Static ARP Entries in a VPN Instance
To implement Layer 2 interworking of the devices in a VPN instance, you can configure static
ARP in the VPN instance.
Context
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the Dot1q
termination sub-interface, QinQ termination sub-interface, or VLANIF interface cannot be the
IP address contained in the static ARP entries; otherwise, incorrect host routes are generated and
thus packets cannot be normally forwarded.
NOTE
To configure static ARP for the packets with double tags, run the arp static cevid command. For details,
see the HUAWEI NetEngine80E/40E Router Command Reference - LAN Access and MAN Access.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp static ip-address mac-address vpn-instance vpn-instance-name
Configure static ARP entries in a VPN instance.
NOTE
Static ARP entries remain valid as long as the device works normally.
----End
2.2.5 Checking the Configuration
You can view the configuration of static ARP.
Prerequisite
The configurations of the ARP function are complete.
Procedure
• Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]
[ dynamic | static ] command to check information about ARP mapping tables based on
slots.
• Run the display arp vlan vlan-id interface interface-type interface-number command to
check information about ARP mapping tables based on VLANs.
• Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check information about ARP mapping tables based on VPN instances.
• Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP
entries.
----End
Example
Run the display arp slot command. If all the ARP entries of the interface board are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12 0000-0a41-0202 S-- GE1/0/1 r2
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:4 Dynamic:2 Static:1 Interface:1
Run the display arp vlan command. If the ARP mapping table of the specified VLAN is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vlan 10 interface gigabitethernet 1/0/1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
1.1.1.3 0002-0002-0002 S-- GE1/0/1
10/-
------------------------------------------------------------------------------
Total:1 Dynamic:0 Static:1 Interface:0
Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 12 S-- GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:0 Static:1 Interface:1
Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp statistics all
Dynamic:20 Static:10
2.3 Optimizing Dynamic ARP
If dynamic ARP is configured, the system automatically resolves an IP address into an Ethernet
MAC address.
2.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for optimizing dynamic ARP.
Applicable Environment
Dynamic ARP is a built-in function of a device or host. You do not need to run a command
to enable dynamic ARP, but you can modify some of its parameters.
Pre-configuration Tasks
None
Data Preparation
To optimize dynamic ARP, you need the following data.
No. Data
1 ID of the Ethernet interface or the virtual Ethernet interface to which the dynamic
ARP entry belongs
2 Aging detection times of the dynamic ARP entry
3 Aging time of the dynamic ARP entry
2.3.2 Modifying the Aging Parameters of Dynamic ARP
If the device needs to update ARP entries frequently, you can reduce the aging timeout period
of ARP entries, increase the number of aging detections for ARP entries, and reduce the aging
detection intervals of ARP entries.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The Ethernet interface view or the virtual Ethernet interface view is displayed.
Step 3 Run:
arp detect-times detect-times
The number of aging detection times of the dynamic ARP entries is configured.
Step 4 Run:
arp expire-time expire-times
The timeout period for aging dynamic ARP entries is configured.
By default, the number of aging detections for dynamic ARP entries is three, and the aging timeout
period is 1200 seconds.
----End
2.3.3 Enabling ARP Suppression Function
If the system receives a great number of ARP packets from the same source at a time, the system
needs to update ARP entries repeatedly. To ensure the performance of the system, you can enable
ARP suppression. In this manner, the system only responds to the ARP packets but does not
update ARP entries.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp-suppress enable
ARP suppression is enabled on the current device.
The ARP suppression function can be enabled only on Eth-Trunk interfaces and VLANIF
interfaces.
By default, ARP suppression is disabled and only VLANIF interfaces are suppressed.
----End
2.3.4 Enabling Layer 2 Topology Detection Function
After Layer 2 topology detection is enabled, the system updates all the ARP entries
corresponding to the VLANs to which a Layer 2 interface belongs, if this Layer 2 interface goes
Up.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
l2-topology detect enable
The Layer 2 topology detection function is enabled.
By default, this function is not enabled.
----End
2.3.5 Enabling ARP Check
ARP check can be enabled to ensure network security. In this case, when an interface receives
an ARP packet, it checks whether the source MAC address and destination MAC address in the
Ethernet packet header are the same as those in the Data field of the ARP packet.
Context
On the metro Ethernet, there are various ARP attacks. To protect the network, you need to
configure ARP security features at the access layer or convergence layer of the network to protect
against ARP attacks.
If there are ARP spoofing attacks on the network, you can run the arp validate command to
enable an interface to check the received ARP packet to determine whether the source MAC
address and destination MAC address in the Ethernet packet header are respectively the same
as those in the Data field of the ARP packet. If they are not the same, the ARP packet is discarded.
If they are the same, the ARP packet is forwarded.
NOTE
• ARP check cannot be configured on sub-interfaces. When a sub-interface receives an ARP packet, the
main interface where the sub-interface is configured checks the ARP packet to determine whether the
destination MAC address in the Ethernet packet header is the same as that in the Data field of the ARP
packet. If they are the same, the sub-interface forwards the ARP packet. If they are not the same, the
sub-interface discards the ARP packet.
• ARP check cannot be configured on VLANIF interfaces. When a VLANIF interface receives an ARP
packet, the physical interface that belongs to the VLAN for which the VLANIF interface is configured
checks the ARP packet to determine whether the destination MAC address in the Ethernet packet header
is the same as that in the Data field of the ARP packet. If they are the same, the VLANIF interface
forwards the ARP packet. If they are not the same, the VLANIF interface discards the ARP packet.
Do as follows on the devices on which ARP check needs to be enabled.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number
The view of the Ethernet interface where ARP check needs to be enabled is displayed.
Step 3 Run:
arp validate { source-mac | destination-mac } *
ARP check is enabled.
• If source-mac is specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC
address in the Ethernet packet header is consistent with that in the Data field of the ARP
packet.
After receiving an ARP Response packet, an interface only checks whether the source
MAC address in the Ethernet packet header is consistent with that in the Data field of the
ARP packet.
• If destination-mac is specified:
After receiving an ARP Request packet, an interface does not check whether the
destination MAC address in the Ethernet packet header is consistent with that in the Data
field of the ARP packet because ARP packets are broadcast packets.
After receiving an ARP Response packet, an interface only checks whether the destination
MAC address in the Ethernet packet header is consistent with that in the Data field of the
ARP packet.
l If both source-mac and destination-mac are specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC
address in the Ethernet packet header is consistent with that in the Data field of the ARP
packet.
After receiving an ARP Response packet, an interface checks whether both the source
MAC address and destination MAC address in the Ethernet packet header are respectively
the same as those in the Data field of the ARP packet.
----End
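The check matrix described in Step 3, as an added example in Python (not Huawei's implementation and not part of the original guide): it parses untagged Ethernet frames carrying ARP and applies the source-mac and destination-mac comparisons to Request and Response packets. The function names, the constructed sample frames and the choice to raise an error on non-ARP input are assumptions made for the illustration.

```python
import socket
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src opcode sha spa tha tpa")


def mac(text):
    """Convert 'xxxx-xxxx-xxxx' notation to 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes: %r" % text)
    return raw


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Build an untagged Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Split a raw frame into the Ethernet header MACs and the ARP Data field MACs."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP packet")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an untagged ARP frame")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    if opcode not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unsupported ARP opcode %d" % opcode)
    return ArpFrame(eth_dst, eth_src, opcode, sha, spa, tha, tpa)


def arp_validate(frame, source_mac=False, destination_mac=False):
    """Return True to accept the ARP packet, False to discard it."""
    f = parse_arp_frame(frame)
    # source-mac: Requests and Responses are both compared against the
    # sender MAC carried in the ARP Data field.
    if source_mac and f.eth_src != f.sha:
        return False
    # destination-mac: only Responses are compared. Requests are broadcast,
    # so their Ethernet destination is not checked.
    if destination_mac and f.opcode == ARP_REPLY and f.eth_dst != f.tha:
        return False
    return True


# Constructed sample addresses and frames (illustration only).
HOST = mac("0000-0a41-0201")
GATEWAY = mac("0000-0a41-0200")
OTHER = mac("0000-0a41-02ff")
HOST_IP, GW_IP = "192.168.1.11", "192.168.1.1"

SAMPLES = {
    "request_ok": build_arp_frame(
        BROADCAST, HOST, ARP_REQUEST, HOST, HOST_IP, b"\x00" * 6, GW_IP),
    "request_src_mismatch": build_arp_frame(
        BROADCAST, OTHER, ARP_REQUEST, HOST, HOST_IP, b"\x00" * 6, GW_IP),
    "reply_ok": build_arp_frame(
        HOST, GATEWAY, ARP_REPLY, GATEWAY, GW_IP, HOST, HOST_IP),
    "reply_src_mismatch": build_arp_frame(
        HOST, OTHER, ARP_REPLY, GATEWAY, GW_IP, HOST, HOST_IP),
    "reply_dst_mismatch": build_arp_frame(
        HOST, GATEWAY, ARP_REPLY, GATEWAY, GW_IP, OTHER, HOST_IP),
}

MODES = {
    "source-mac": (True, False),
    "destination-mac": (False, True),
    "both": (True, True),
}


def verdict_table():
    """Evaluate every sample frame under every arp validate mode."""
    return {(name, mode): arp_validate(frame, *flags)
            for name, frame in SAMPLES.items()
            for mode, flags in MODES.items()}


if __name__ == "__main__":
    for (name, mode), ok in sorted(verdict_table().items()):
        print(f"{name:22s} {mode:16s} {'accept' if ok else 'discard'}")
```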
2.3.6 Checking the Configuration
You can view the configuration of dynamic ARP.
Prerequisite
The configurations of the ARP function are complete.
Procedure
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check information about ARP mapping tables based on interfaces.
l Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]
[ dynamic | static ] command to check information about ARP mapping tables based on
slots.
l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check information about ARP mapping tables based on VPN instances.
l Run the display arp statistics { all | slot slot-id } command to check the statistics for ARP
entries.
----End
Example
Run the display arp interface command. If all the ARP entries of the interface are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp slot command. If all the ARP entries of the interface board are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:4 Dynamic:2 Static:0 Interface:2
Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp statistics { all | slot slot-id } command. If the statistics for ARP entries are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp statistics all
Dynamic:20 Static:10
2.4 Configuring Routed Proxy ARP
Proxy ARP enables devices whose IP addresses belong to the same network segment but
different physical networks to communicate with each other.
2.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring routed proxy ARP.
Applicable Environment
The two physical networks of an enterprise are in different subnets of the same IP network, and
are separated by a device. You need to enable the proxy ARP on the device interface connected
to the physical networks. This enables communication between the two networks.
Network IDs of subnet hosts must be the same. You need not configure default gateways for
hosts.
Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
l Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
l Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up
Data Preparation
To configure routed proxy ARP, you need the following data.
No. Data
1 Number of the interface to be enabled with routed proxy ARP
2 IP address of the interface to be enabled with routed proxy ARP
2.4.2 Configure an IP Address for the Interface
The IP address assigned to a routed proxy ARP-enabled interface must be on the same network
segment with the IP address of the host on the LAN to which this interface connects.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]
The interface view is displayed.
The interfaces supporting routed proxy ARP include GE interfaces, GE sub-interfaces,
Virtual-Ethernet sub-interfaces, Eth-Trunk interfaces, and Eth-Trunk sub-interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }
The interface is configured with an IP address.
The IP address configured for the interface must be in the same network segment with that of
hosts in the LAN connected with this interface.
----End
2.4.3 Enabling the Routed Proxy ARP Function
To interconnect the subnets in the same IP network, you need to enable routed proxy ARP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
arp-proxy enable
By default, the routed proxy ARP function is disabled on the interface.
After routed proxy ARP is enabled, you must reduce the aging time of ARP entries in the device
so that the number of packets that the device receives but cannot forward is decreased. To
configure the aging time of ARP entries.
----End
2.4.4 Checking the Configuration
You can view the configuration of routed proxy ARP.
Prerequisite
The configurations of the routed proxy ARP function are complete.
Procedure
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check information about ARP mapping tables based on interfaces.
l Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]
[ dynamic | static ] command to check information about ARP mapping tables based on
slots.
l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check information about ARP mapping tables based on VPN instances.
l Run the display arp statistics { all | slot slot-id } command to check statistics about ARP
entries.
----End
Example
Run the display arp interface command. If all the ARP entries of the interface are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp slot command. If all the ARP entries of the interface board are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:4 Dynamic:2 Static:0 Interface:2
Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp statistics all
Dynamic:20 Static:10
2.5 Configuring Proxy ARP Within a VLAN
By configuring proxy ARP on a VLAN, you can interconnect isolated hosts on a VLAN.
2.5.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring proxy ARP on a VLAN.
Applicable Environment
If two users are in the same VLAN but they are isolated from each other, to ensure the two users
can communicate, you need to enable proxy ARP within the VLAN on the interface associated
with the VLAN.
Pre-configuration Tasks
Before configuring proxy ARP within a VLAN, complete the following tasks:
l Configuring physical attributes for the interface and ensuring that the status of the physical
layer of the interface is Up
l Configuring the VLAN
l Configuring user isolation in the VLAN
Data Preparation
To configure proxy ARP within a VLAN, you need the following data.
No. Data
1 Number of the interface to be enabled with proxy ARP in a VLAN
2 IP address of the interface to be enabled with proxy ARP in a VLAN
3 VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN
2.5.2 Configure an IP Address for the Interface
The IP address assigned to an interface needs to be in the same network segment with the IP
addresses of the users of the VLANs associated to this interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.sub-interface-number
Or
interface vlanif vlan-id
The interface view is displayed.
The interfaces supporting routed proxy ARP in a VLAN include VLANIF interfaces, Ethernet
sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }
The interface is configured with an IP address.
The IP address configured for the interface must be in the same network segment with that of
hosts in the VLAN associated with this interface.
----End
2.5.3 Configuring the VLAN Associated with the Sub-interface
Do as follows on the router that uses sub-interfaces to implement interworking in a VLAN.
Context
NOTE
This step is required when you enable proxy ARP in a VLAN on the Ethernet sub-interfaces, GE
sub-interfaces, or Eth-Trunk sub-interfaces. To enable proxy ARP in a VLAN on the VLANIF interface,
skip this step.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.sub-interface-number
The sub-interface view is displayed.
Step 3 Run:
vlan-type dot1q low-vid
The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the
sub-interface is configured.
In the NE80E/40E, one sub-interface can be associated with one VLAN.
By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.
----End
2.5.4 Enabling Proxy ARP Within a VLAN
To interconnect isolated users on a VLAN, you need to enable intra-VLAN proxy ARP on the
interface associated to the VLAN.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.sub-interface-number
Or
interface vlanif vlan-id
The interface view is displayed.
Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable
Proxy ARP within a VLAN is enabled.
----End
2.5.5 Checking the Configuration
You can view the configuration of intra-VLAN proxy ARP.
Prerequisite
The configurations of the proxy ARP within a VLAN function are complete.
Procedure
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check information about ARP mapping tables based on interfaces.
l Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]
[ dynamic | static ] command to check information about ARP mapping tables based on
slots.
l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check information about ARP mapping tables based on VPN instances.
l Run the display arp statistics { all | slot slot-id } command to check statistics about ARP
entries.
----End
Example
Run the display arp interface command. If all the ARP entries of the interface are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp slot command. If all the ARP entries of the interface board are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:4 Dynamic:2 Static:0 Interface:2
Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp statistics all
Dynamic:20 Static:10
2.6 Configuring Proxy ARP Between VLANs
By configuring inter-VLAN proxy ARP, you can interconnect hosts on different VLANs.
2.6.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring inter-VLAN proxy ARP.
Applicable Environment
If two users belong to different VLANs and they need to communicate, you need to enable proxy
ARP between VLANs on the sub-interface associated with the VLAN.
Sub-VLANs in a super-VLAN cannot communicate with each other. To solve this problem,
enable proxy ARP between VLANs on the VLANIF interface corresponding to the super-
VLAN.
Implementing communication between VLANs through proxy ARP occupies fewer resources
than configuring a VLANIF interface for each sub-VLAN.
IP addresses of hosts in a VLAN must be in the same network segment.
Pre-configuration Tasks
Before configuring proxy ARP between VLANs, complete the following tasks:
l Configuring physical attributes for the interface and ensuring that the status of the physical
layer of the interface is Up
l Configuring VLAN aggregation
Data Preparation
To configure proxy ARP between VLANs, you need the following data.
No. Data
1 Number of the interface to be enabled with proxy ARP between VLANs
2 IP address of the interface to be enabled with proxy ARP between VLANs
3 VLAN ID associated with the interface to be enabled with proxy ARP between
VLANs
2.6.2 Configuring an IP Address for the Interface
The IP address assigned to an interface needs to be in the same network segment with the IP
addresses of the users of all the VLANs associated to this interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet } interface-number.sub-interface-number
Or
interface vlanif vlan-id
The interface view is displayed.
The interfaces supporting routed proxy ARP between VLANs include VLANIF interfaces,
Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk sub-interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }
The interface is configured with an IP address.
The IP address configured for the interface must be in the same network segment with that of
hosts in the VLAN associated with this interface.
----End
2.6.3 Configuring the VLAN Associated with the Sub-interface
Do as follows on the device that uses sub-interfaces to implement interworking between VLANs.
Context
NOTE
This step is required when you enable proxy ARP between VLANs on the Ethernet sub-interfaces, GE sub-
interfaces, or Eth-Trunk sub-interfaces. To enable proxy ARP between VLANs on the VLANIF interface,
skip this step.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet | eth-trunk } interface-number.sub-interface-number
The sub-interface view is displayed.
Step 3 Run:
vlan-type dot1q low-vid
The Ethernet sub-interface is encapsulated with 802.1Q and the VLAN ID associated with the
sub-interface is configured.
In the NE80E/40E, one sub-interface can be associated with one VLAN.
By default, the sub-interface is not encapsulated and the associated VLAN ID is not configured.
----End
2.6.4 Enabling Proxy ARP Between VLANs
To interconnect users on different VLANs, you need to enable inter-VLAN proxy ARP on the
sub-interfaces associated to the VLANs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface { ethernet | gigabitethernet } interface-number.sub-interface-number
Or
interface vlanif vlan-id
The interface view is displayed.
The interfaces supporting routed proxy ARP between VLANs include Eth-Trunk sub-interfaces,
VLANIF interfaces, Ethernet sub-interfaces, and GE sub-interfaces.
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
Proxy ARP between VLANs is enabled.
----End
2.6.5 Checking the Configuration
You can view the configuration of inter-VLAN proxy ARP.
Prerequisite
The configurations of Proxy ARP Between VLANs are complete.
Procedure
l Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check information about ARP mapping tables based on interfaces.
l Run the display arp slot slot-id [ network net-number [ net-mask | mask-length ] ]
[ dynamic | static ] command to check information about ARP mapping tables based on
slots.
l Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
command to check information about ARP mapping tables based on VPN instances.
l Run the display arp statistics { all | slot slot-id } command to check statistics about ARP
entries.
----End
Example
Run the display arp interface command. If all the ARP entries of the interface are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp interface gigabitethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp slot command. If all the ARP entries of the interface board are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display arp slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12 0000-0a41-0202 I - GE1/0/1 r2
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/1 r2
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 17 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:4 Dynamic:2 Static:0 Interface:2
Run the display arp vpn-instance command. If all the ARP entries of the VPN instance are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - GE1/0/0 r1
192.168.1.1 0000-0a41-0200 12 D-6 GE1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
Run the display arp statistics { all | slot slot-id } command. If statistics about ARP entries are
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display arp statistics all
Dynamic:20 Static:10
2.7 Configuring ARP-Ping IP
ARP-Ping IP is a method of detecting whether an IP address is used by another device on a local
area network (LAN) by sending ARP packets.
2.7.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring ARP-Ping IP.
Applicable Environment
In the LAN, to configure an IP address for a device, you need to use the arp-ping ip command
to check whether this IP address is used by another device in the network.
The arp-ping ip command is mainly used in the maintenance of deployed Layer 2 features.
For example, in L2VPN networking such as the virtual private LAN segment (VPLS) and
virtual private wire service (VPWS) accessed through Ethernet or VLAN, you can run
the arp-ping ip command on the PE or CE to check whether the IP address is used by the local
or remote host.
You can also run the ping command to check whether the IP address is used by another device
on the network. However, if the destination host or device has a firewall function enabled that
does not reply to ping packets, no reply is returned and the IP address is considered not in
use. ARP is a Layer 2 protocol, and in most cases ARP packets can pass through the firewall, so
the arp-ping ip command avoids this situation.
Pre-configuration Tasks
Before configuring ARP-Ping IP, complete the following tasks:
l Configuring parameters of the link layer protocol and IP addresses for the interfaces and
ensuring that the status of the link layer protocol on the interfaces is Up.
Data Preparation
To configure ARP-Ping IP, you need the following data.
No. Data
1 IP address to be checked
2.7.2 Detecting the IP Address by Using the arp-ping ip Command
ARP-Ping IP detects whether an IP address is used by a device on a LAN by sending ARP
requests.
Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlan-id ] ]
Check whether the IP address is in use.
NOTE
When the specified outgoing interface is a Layer 2 interface, you need to configure vlan-id vlan-id; when
the specified outgoing interface is a Layer 3 interface, you cannot configure vlan-id vlan-id.
The following information is displayed:
l If the following information is displayed, it means that the IP address is not in use.
<HUAWEI> arp-ping ip 110.1.1.2
ARP-Pinging 110.1.1.2:
Request timed out
Request timed out
Request timed out
The IP address is not used by anyone!
l If the following information is displayed, it means that the IP address is in use.
<HUAWEI> arp-ping ip 128.1.1.1
ARP-Pinging 128.1.1.1:
128.1.1.1 is used by 00e0-517d-f202
----End
2.8 Configuring ARP-Ping MAC
ARP-Ping MAC is a method of detecting whether a MAC address is used by another device on
a LAN by sending ICMP packets.
2.8.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring ARP-Ping MAC.
Applicable Environment
To check whether a MAC address is in use or query the IP address through the MAC address,
you can use the arp-ping mac command.
Pre-configuration Tasks
Before configuring ARP-Ping MAC, complete the following tasks:
l Configuring parameters of the link layer protocol and IP addresses for the interfaces and
ensuring that the status of the link layer protocol on the interfaces is Up.
Data Preparation
To configure ARP-Ping MAC, you need the following data.
No. Data
1 MAC address to be checked
2.8.2 Detecting the MAC Address by Using the arp-ping mac Command
ARP-Ping MAC detects whether an IP address is used by a device on a LAN by sending ICMP
packets.
Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }
Check whether the MAC address is in use. Alternatively, you can query the IP address through
the MAC address.
The following information is displayed:
l If the following information is displayed, it means that the MAC address is not in use.
[HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used
l If the following information is displayed, it means that the MAC address is in use.
[HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS MAC ADDRESS
128.1.1.1 00-E0-51-7D-F2-02
----End
2.9 Configuring the Association Between ARP and Interface Status
By configuring ARP and interface status association, you can determine whether the peer device
can forward packets normally by checking whether the device receives a response to the ARP
detection packet sent to the peer device. In this manner, you can determine the protocol status
(up or down) of the device and trigger fast route convergence.
2.9.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring ARP and interface status association.
Applicable Environment
If transmission devices exist over a link (between devices in the diagram), the actual physical
path is segmented by the transmission devices although communication ends and transmission
devices are directly connected at the network layer. In such a case, if the link or remote end fails,
the local end must take a long time to detect the fault.
To solve the preceding problem, configure the association between the Bidirectional Forwarding
Detection (BFD) status and the interface status. For details, refer to the chapter "BFD
Configuration" in the HUAWEI NetEngine80E/40E Router Configuration Guide - Reliability.
For the device that does not support the BFD function, the NE80E/40E provides the ARP and
interface status association function so that local interfaces can correctly judge the forwarding
status of the remote end and change its protocol status accordingly (Up or Down). Fast
convergence of routes is thus triggered.
Figure 2-3 Schematic diagram of transmission device existing between devices (RouterA and RouterB)
Pre-configuration Task
Before configuring the association between ARP and interface status, complete the following
tasks:
l Configuring physical parameters for interfaces to make the physical statuses of interfaces
Up.
l Configuring link layer parameters and IP addresses for interfaces to make the link protocol
status of interfaces Up.
Data Preparation
To configure the association between ARP and interface status, you need the following data.
No. Data
1 Destination IP address of an ARP probe packet
2 Interval for sending ARP probe packets
3 Maximum times that no response is received for the continually sent ARP probe
packets before the protocol status of an interface turns Down
4 Probe mode
2.9.2 Configuring the Association Between ARP and Interface Status
Through ARP and interface status association, you can detect link status. Do as follows on the
router to perform probes.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface to be enabled with the association between ARP and interface status
is displayed.
NOTE
The association between ARP and interface status can be configured only on Ethernet interfaces, Ethernet
sub-interfaces, Gigabit Ethernet interfaces, and Gigabit Ethernet sub-interfaces.
Step 3 Run:
arp status-detect ip-address
The association between ARP and interface status and the destination IP address of the probe
are configured. The probed IP address must be the IP address of the directly-connected device.
The device to be probed need not be configured.
----End
2.9.3 (Optional) Adjusting Parameters about the Association Between ARP and Interface Status
The parameters include the intervals at which ARP detection packets are transmitted, maximum
number of times that the device sends ARP detection packets but receives no response before
the ARP protocol status is set to Down, and detection mode. Do as follows on the router to
perform probes.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface to be enabled with the association between ARP and interface status
is displayed.
Step 3 Run:
arp status-detect interval detect-interval
The interval for sending ARP probe packets is set.
By default, the interval is 1000 ms.
Step 4 Run:
arp status-detect times detect-times
The maximum number of consecutive ARP probe packets that can go unanswered before the
protocol status of an interface turns Down is set.
By default, the maximum number of times is 3.
Step 5 Run:
arp status-detect mode loose
The probe mode is set to loose.
By default, the probe mode is strict.
- In loose mode, probe packets are sent only when the protocol status turns Up. The remote end declares the protocol to be Up when receiving any type of legal ARP packet.
- In strict mode, probe packets are sent regardless of whether the protocol status is Up or Down. The device declares the protocol to be Up only when receiving legal ARP response packets.
NOTE
When you configure ARP probe on both ends, configure the strict mode on at least one end. That is, the two
ends cannot both be configured with the loose mode. This is because when the interface on one
end is Down, the protocol status of the remote end turns Down because of a probe timeout. If the probe
mode is set to loose on both ends, neither end actively sends probe packets, which results in a deadlock.
----End
Follow-up Procedure
The device to be probed need not be configured.
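The following simulation is an added example, not code from the guide or from the device software. It models the strict and loose probe modes described above and shows why two loose ends deadlock after a link failure. It assumes both ends use the same probe interval, that a loose end probes only while its protocol status is Up, and that a peer answers every ARP request that reaches it; the names `End`, `tick`, `simulate` and `detection_time_ms` are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class End:
    """One end of the link running ARP status detection (simplified model)."""
    name: str
    mode: str          # "strict" or "loose" (arp status-detect mode)
    times: int = 3     # arp status-detect times; 3 is the default stated in the guide
    up: bool = True    # protocol status; Up at start, as the pre-configuration tasks require
    misses: int = 0    # consecutive probes that went unanswered

    def sends_probe(self) -> bool:
        # strict: probe whether the protocol status is Up or Down
        # loose:  probe only while the protocol status is Up (assumption of this model)
        return self.mode == "strict" or self.up


def tick(a: End, b: End, link_ok: bool) -> None:
    """Advance both ends by one probe interval."""
    # Decide who probes before any state changes during this interval.
    senders = [end for end in (a, b) if end.sends_probe()]
    for local in senders:
        peer = b if local is a else a
        if link_ok:
            # Assumption: the peer answers every ARP request that reaches it.
            if peer.mode == "loose":
                # Loose mode: any legal ARP packet, including this request, means Up.
                peer.up, peer.misses = True, 0
            # The ARP response to the local probe means Up in either mode.
            local.up, local.misses = True, 0
        else:
            local.misses += 1
            if local.misses >= local.times:
                local.up = False


def simulate(mode_a, mode_b, link_schedule, times=3):
    """Return the (A up, B up) protocol status after each probe interval."""
    a, b = End("A", mode_a, times), End("B", mode_b, times)
    history = []
    for link_ok in link_schedule:
        tick(a, b, link_ok)
        history.append((a.up, b.up))
    return history


def detection_time_ms(interval_ms: int = 1000, times: int = 3) -> int:
    """Approximate time before the protocol status turns Down: interval x times."""
    return interval_ms * times


# Constructed link schedule: 2 good intervals, 5 failed intervals, 3 after repair.
SCHEDULE = [True] * 2 + [False] * 5 + [True] * 3

if __name__ == "__main__":
    for modes in (("strict", "strict"), ("strict", "loose"), ("loose", "loose")):
        final = simulate(*modes, SCHEDULE)[-1]
        print(modes, "-> final protocol status (A, B):", final)
    print("detection time with interval 3000 ms, times 5:",
          detection_time_ms(3000, 5), "ms")
```

With at least one strict end, both ends return to Up once the link is repaired; with two loose ends, both stay Down because neither sends the first probe.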
2.10 Maintaining ARP
The operations of ARP maintenance include clearing ARP statistics and monitoring ARP
operating status.
2.10.1 Clearing ARP Entries
This section describes ARP entries clearance through the reset command.
Context
CAUTION
- The mapping between the IP and MAC addresses is deleted after you clear ARP entries. So, confirm the action before you use the command.
- Static ARP entries cannot be restored after you clear them. So, confirm the action before you use the command.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | slot slot-id |
static } command in the user view to clear the ARP entries in the ARP mapping table.
----End
2.10.2 Monitoring Network Operation Status of ARP
This section describes ARP operation monitoring through the display command.
Context
In routine maintenance, you can run the following command in any view to check the operation
of ARP.
Procedure
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command in any view to check the information about the ARP mapping table based on interfaces.
- Run the display arp slot slot-id [ network net-number [ net-mask ] ] [ dynamic | static ] command in any view to check the information about ARP mapping tables based on slots.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ] command in any view to check the information about ARP mapping tables based on VPN instances.
----End
2.11 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
2.11.1 Example for Configuring Routed Proxy ARP
This section provides an example of configuring routed proxy ARP.
Networking Requirements
As shown in Figure 2-4, two devices are connected through serial lines. Each device has a GE
1/0/0 interface connecting with a local network. The network segment of the two local networks
is 172.16.0.0/16. No default gateways are specified for Host A and Host B. The device should
be configured with proxy ARP, enabling hosts in two local networks to communicate with each
other.
Figure 2-4 Networking diagram of configuring proxy ARP
[Figure labels: Host A 172.16.1.2/16; Host B 172.16.2.2/16; Ethernet A; Ethernet B; RouterA GE1/0/0 172.16.1.1/24, POS2/0/0 172.17.3.1/24; RouterB GE1/0/0 172.16.2.1/24, POS2/0/0 172.17.3.2/24; MAC addresses 0000-5e33-ee10, 0000-5e33-ee20, 00e0-fc39-80aa, 00e0-fc39-80bb]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Enable proxy ARP on interfaces.
3. Configure the default routes.
Data Preparation
To complete the configuration, you need the following data:
- IP address for related interfaces
- Default routes
- IP address of the host
Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 172.16.1.1 255.255.255.0
# Enable proxy ARP.
[RouterA-GigabitEthernet1/0/0] arp-proxy enable
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure a static route.
[RouterA] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.2
# Configure an IP address for POS 2/0/0.
[RouterA] interface pos 2/0/0
[RouterA-Pos2/0/0] ip address 172.17.3.1 255.255.255.0
[RouterA-Pos2/0/0] undo shutdown
[RouterA-Pos2/0/0] quit
Step 2 Configure Router B.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 172.16.2.1 255.255.255.0
# Enable proxy ARP.
[RouterB-GigabitEthernet1/0/0] arp-proxy enable
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
# Configure a static route.
[RouterB] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.1
# Configure an IP address for POS 2/0/0.
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address 172.17.3.2 255.255.255.0
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
Step 3 Configure the host.
# Configure the IP address of Host A to 172.16.1.2/16.
# Configure the IP address of Host B to 172.16.2.2/16.
Step 4 Verify the configuration.
# Host A can ping Host B.
# The ARP table of Host A shows that the MAC address of Host B is the MAC address of
GE1/0/0 on Router A.
C:\Documents and Settings\Administrator> arp -a
Interface: 172.16.1.2 --- 0x2
Internet Address Physical Address Type
172.16.2.2 00e0-fc39-80aa dynamic
----End
Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.17.3.1 255.255.255.0
#
ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.2
#
return
- Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 172.17.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0 Pos2/0/0 172.17.3.1
#
return
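With proxy ARP enabled, a host's ARP table maps several remote IP addresses to the router's MAC address, as the verification step above shows; the same one-MAC-many-IPs pattern also appears when ARP entries have been spoofed, so a monitoring check needs to know which MAC addresses are expected to act as proxies. The following is an added example, not part of the guide: it parses an ARP table in the `arp -a` layout shown in Step 4 and separates expected proxy MACs from unexpected ones. The function names and all sample rows except the 172.16.2.2 entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the `arp -a` output in Step 4. Only the
# 172.16.2.2 entry comes from the guide; the other rows are constructed.
SAMPLE_ARP_TABLE = """\
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic
  172.16.2.3            00e0-fc39-80aa        dynamic
  172.16.1.9            00-11-22-33-44-55     dynamic
  172.16.1.10           0011.2233.4455        dynamic
  172.16.1.11           00:aa:bb:cc:dd:ee     static
"""

# IPv4 address, MAC address in any common notation, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f][0-9A-Fa-f.:-]{10,16})\s+(\w+)\s*$"
)


def normalize_mac(text):
    """Reduce a MAC in any notation to 12 lowercase hex digits, or None if invalid."""
    digits = re.sub(r"[^0-9a-f]", "", text.lower())
    return digits if len(digits) == 12 else None


def parse_arp_table(text):
    """Return (ip, normalized_mac, type) tuples; header and banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue
        mac = normalize_mac(match.group(2))
        if mac:
            entries.append((match.group(1), mac, match.group(3).lower()))
    return entries


def macs_with_several_ips(entries, proxy_macs):
    """Group IPs by MAC and report every MAC that answers for more than one IP.

    proxy_macs lists the MACs of router interfaces known to have proxy ARP enabled.
    """
    allowed = {normalize_mac(mac) for mac in proxy_macs}
    by_mac = defaultdict(list)
    for ip, mac, _entry_type in entries:
        if ip not in by_mac[mac]:
            by_mac[mac].append(ip)
    return {
        mac: {"ips": ips, "expected": mac in allowed}
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


def unexpected_shared_macs(report):
    """MACs that answer for several IPs but are not known proxy ARP interfaces."""
    return sorted(mac for mac, info in report.items() if not info["expected"])


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    # 00e0-fc39-80aa is the MAC of GE1/0/0 on Router A, where arp-proxy is enabled.
    result = macs_with_several_ips(table, ["00e0-fc39-80aa"])
    for mac, info in result.items():
        label = "expected proxy ARP" if info["expected"] else "INVESTIGATE"
        print(mac, info["ips"], label)
```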
2.11.2 Example for Configuring Proxy ARP Within a VLAN
This section provides an example of configuring intra-VLAN proxy ARP.
Networking Requirements
As shown in Figure 2-5, DSLAM is connected to the sub-interface Eth-Trunk1.1 of the device.
Eth-Trunk1.1 is associated with VLAN 10.
PC A and PC B are two users connected with DSLAM. On DSLAM, the interfaces connected
with PC A and PC B belong to the same VLAN. User isolation in a VLAN is configured on
DSLAM.
To implement communication between PC A and PC B, enable proxy ARP within a VLAN on
Eth-Trunk1.1 of the device.
Figure 2-5 Networking diagram of configuring proxy ARP in a VLAN
[Figure labels: Router; Eth-trunk 1.1 (Proxy ARP), VLAN 10, 10.10.10.1/24; DSLAM; PC A; PC B]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for Eth-Trunk1.1.
2. Configure the VLAN associated with the sub-interface.
3. Enable proxy ARP in a VLAN on Eth-Trunk1.1.
Data Preparation
To complete the configuration, you need the following data:
- IP address of Eth-Trunk1.1
- VLAN ID associated with Eth-Trunk1.1
Procedure
Step 1 Configure an IP address for Eth-Trunk1.1.
<HUAWEI> system-view
[HUAWEI] sysname Router
[router] interface eth-trunk 1
[router-Eth-Trunk] undo shutdown
[router-Eth-Trunk] quit
[router] interface eth-trunk 1.1
[router-Eth-Trunk1.1] ip address 10.10.10.1 255.255.255.0
[router-Eth-Trunk1.1] undo shutdown
[router-Eth-Trunk1.1] quit
Step 2 Configure IP addresses for PCs.
# Configure IP addresses for PCs. The IP addresses must be in the same network segment as
the IP address of Eth-Trunk1.1.
# After the configurations, the PCs and the device can ping each other, but the PCs cannot ping
each other.
Step 3 Associate Eth-Trunk1.1 with VLAN 10.
[router] interface eth-trunk 1.1
[router-Eth-Trunk1.1] vlan-type dot1q 10
Step 4 Enable proxy ARP in VLAN 10 on Eth-Trunk1.1.
[router-Eth-Trunk1.1] arp-proxy inner-sub-vlan-proxy enable
[router-Eth-Trunk1.1] quit
Step 5 Verify the configuration.
# PC A and PC B can ping each other.
----End
Configuration Files
The configuration file of the Router is as follows:
#
sysname Router
#
interface Eth-Trunk1
undo shutdown
mac-address 00e0-271e-f652
#
interface Eth-Trunk1.1
undo shutdown
vlan-type dot1q 10
ip address 10.10.10.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
return
2.11.3 Example for Configuring Proxy ARP Between VLANs
This section provides an example of configuring inter-VLAN proxy ARP.
Networking Requirements
As shown in Figure 2-6, VLAN 2 and VLAN 3 compose a super-VLAN, VLAN 4.
The sub-VLANs (VLAN 2 and VLAN 3) cannot ping each other.
To implement communication between VLAN 2 and VLAN 3, configure proxy ARP between
VLANs.
Figure 2-6 Networking diagram of configuring proxy ARP between VLANs
[Figure labels: RouterA; VLAN4; VLAN2; VLAN3]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for VLANIF4.
2. Enable proxy ARP between VLANs on VLANIF4.
Data Preparation
To complete the configuration, you need IP addresses of interfaces.
Procedure
Step 1 Configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface vlanif 4
[RouterA-Vlanif4] ip address 10.10.10.1 255.255.255.0
[RouterA-Vlanif4] undo shutdown
[RouterA-Vlanif4] quit
Step 2 Configure IP addresses for PCs.
# Configure IP addresses for PCs. The IP addresses must be in the same network segment as
the IP address of VLANIF4.
# After the configurations, the PCs and the device can ping each other, but PCs in VLAN 2 and
PCs in VLAN 3 cannot ping each other.
Step 3 Configure proxy ARP between VLANs.
[RouterA] interface vlanif 4
[RouterA-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[RouterA-Vlanif4] quit
Step 4 Verify the configuration.
- PCs in VLAN 2 and PCs in VLAN 3 can ping each other.
- Check the ARP table on the PC.
# You can find that in the ARP tables of PCs in VLAN 2, the MAC addresses of all PCs in
VLAN 3 are the MAC address of VLANIF4 on the device.
----End
Configuration Files
The configuration file of Router A is as follows:
#
sysname RouterA
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
undo shutdown
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
return
2.11.4 Example for Configuring the Association Between ARP and Interface Status
This section provides an example of configuring ARP and interface status association.
Networking Requirements
As shown in Figure 2-7, two devices are connected through a Layer 2 switch. If a fault occurs
on the GE interface of Router A, the GE interface of Router B remains Up because the link between
the switch and Router B works normally, and the protocol status of the GE interface of Router B is
also Up. It is required to configure the association between ARP and interface status on Router
B to probe the status of the GE interface of Router A. Router B can then rapidly change its
protocol status according to the interface status change of Router A.
Figure 2-7 Networking diagram of configuring the association between ARP and interface status
[Figure labels: RouterA GE 1/0/0 10.1.1.1/24; RouterB GE 1/0/0 10.1.1.2/24; Switch]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each interface.
2. Enable the association between ARP and interface status on the interface.
3. Adjust parameters about the association between ARP and interface status to optimize
performance.
Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces
- Destination IP address of an ARP probe packet
- Interval for sending ARP probe packets
- Maximum times that no response is received for the continually sent ARP probe packets before the protocol of an interface turns Down
Procedure
Step 1 Configure an IP address for each interface.
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
# Ping Router A on Router B. The ping succeeds. Run the display interface command on Router
A and Router B to view statuses of the GE interfaces. You can find that the physical status and
protocol status of the GE interfaces are Up.
[RouterB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=110 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=100 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=70 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=70 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/82/110 ms
[RouterA] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22, 16:52:54
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0101
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive
Enable and Send Enable
Last physical up time : 2010-06-22, 16:52:54
Last physical down time : 2010-06-22, 16:52:53
Current system time: 2010-06-22 16:53:18
Statistics last cleared:never
Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
Input: 882114 bytes, 10877 packets
Output: 2147780 bytes, 31585 packets
Input:
Unicast: 0 packets, Multicast: 7368 packets
Broadcast: 3509 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets
InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 31585 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
TxPause: 0 packets
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22 14:56:32
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive
Enable and Send Enable
Last physical up time : 2010-06-22 14:56:32
Last physical down time : 2010-06-22 14:56:31
Current system time: 2010-06-22 16:53:19
Statistics last cleared:never
Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
Input: 882114 bytes, 10877 packets
Output: 2147780 bytes, 31585 packets
Input:
Unicast: 0 packets, Multicast: 7368 packets
Broadcast: 3509 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets
InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 31585 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
Step 2 Run the shutdown command on the GE interface of Router A to simulate a fault.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Run the display interface command on Router B to view the status of the GE interface. You
can find that the physical status and protocol status of the GE interface are Up. Router B,
however, cannot ping Router A.
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22 14:56:32
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive
Enable and Send Enable
Last physical up time : 2010-06-22 14:56:32
Last physical down time : 2010-06-22 14:56:31
Current system time: 2010-06-22 16:53:19
Statistics last cleared:never
Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
Input: 882114 bytes, 10877 packets
Output: 2147780 bytes, 31585 packets
Input:
Unicast: 0 packets, Multicast: 7368 packets
Broadcast: 3509 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets
InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 31585 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
[RouterB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Step 3 Enable the association between ARP and interface status on Router B.
# Specify the IP address of the GE interface of Router A as the destination IP address of the
probe.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] arp status-detect 10.1.1.1
Step 4 Adjust parameters about the association between ARP and interface status on Router B.
# Set the interval for sending ARP probe packets to 3 seconds.
[RouterB-GigabitEthernet1/0/0] arp status-detect interval 3000
# Set the probe times to five.
[RouterB-GigabitEthernet1/0/0] arp status-detect times 5
[RouterB-GigabitEthernet1/0/0] quit
# After about 15 seconds (three seconds x five times), the GE interface status of Router B is Up
and the protocol status turns Down.
[RouterB]
Sep 16 2007 15:37:45 RouterB %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet1/0/0 has turned into DOWN state.
[RouterB] display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : DOWN
Description : GigabitEthernet1/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1500 bytes
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0000-5e13-0100
The Vendor PN is SCP6F86-GL-CWH
Port BW: 1G, Transceiver max BW: 1G, Transceiver Mode: MultiMode
WaveLength: 850nm, Transmission Distance: 300m
Rx Power: -6.38dBm, normal range: [-23.97, 0.75]dBm
Tx Power: -5.72dBm, normal range: [-13.49, 1.00]dBm
Loopback:none, full-duplex mode, negotiation: disable, Pause Flowcontrol:Receive
Enable and Send Enable
Last physical up time : 2010-06-22 14:56:32
Last physical down time : 2010-06-22 14:56:31
Current system time: 2010-06-22 16:55:19
Statistics last cleared:never
Last 300 seconds input rate: 208 bits/sec, 0 packets/sec
Last 300 seconds output rate: 544 bits/sec, 1 packets/sec
Input: 882114 bytes, 10877 packets
Output: 2147780 bytes, 31585 packets
Input:
Unicast: 0 packets, Multicast: 7368 packets
Broadcast: 3509 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets
InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 31585 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
----End
Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
return
- Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
arp status-detect 10.1.1.1
arp status-detect times 5
arp status-detect interval 3000
ip address 10.1.1.2 255.255.255.0
#
return
2.11.5 Example for Configuring Layer 2 Topology Detection
This section provides an example of configuring Layer 2 topology detection.
Networking Requirements
As shown in Figure 2-8, configure VLAN 100 as the default VLAN of the two GE interfaces
on the device enabled with the portswitch function. Configure the IP addresses of the two GE
interfaces based on the figure.
Figure 2-8 Networking diagram of configuring Layer 2 topology detection
[Figure labels: VLANIF100 10.1.1.2/24; PC A 10.1.1.1/24; PC B 10.1.1.3/24; VLAN100; GE 1/0/1; GE 1/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable portswitch on two GE interfaces and configure them to join VLAN 100 by default.
2. Enable Layer 2 topology detection and view changes of ARP entries.
Data Preparation
To complete the configuration, you need the following data:
- Types and numbers of the interfaces to be added to a VLAN
- IP addresses of the VLANIF interface and the PCs
Procedure
Step 1 Create VLAN 100 and configure VLAN 100 to be the default VLAN of the two GE interfaces
on the device.
# Create VLAN 100 and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname router
[router] vlan 100
[router-vlan100] quit
[router] interface vlanif 100
[router-vlanif100] undo shutdown
[router-vlanif100] ip address 10.1.1.2 24
[router-vlanif100] quit
# Configure the two GE interfaces to join VLAN 100 by default.
[router] interface gigabitethernet 1/0/1
[router-GigabitEthernet1/0/1] undo shutdown
[router-GigabitEthernet1/0/1] portswitch
[router-GigabitEthernet1/0/1] port default vlan 100
[router-GigabitEthernet1/0/1] quit
[router] interface gigabitethernet 1/0/2
[router-GigabitEthernet1/0/2] undo shutdown
[router-GigabitEthernet1/0/2] portswitch
[router-GigabitEthernet1/0/2] port default vlan 100
[router-GigabitEthernet1/0/2] quit
Step 2 Enable the Layer 2 topology detection function.
[router] l2-topology detect enable
Step 3 Restart GE 1/0/1 and view changes of ARP entries and aging time.
# View ARP entries on the device. You can find that the device has learnt the MAC address of
the PC.
[router] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 DF6 GE1/0/1
100/-
10.1.1.3 00e0-de24-bf04 20 DF6 GE1/0/2
100/-
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
# Run the shutdown command and then the undo shutdown command on GE 1/0/1 to view the
aging time of ARP entries.
[router] interface gigabitethernet 1/0/1
[router-GigabitEthernet1/0/1] shutdown
[router-GigabitEthernet1/0/1] undo shutdown
[router-GigabitEthernet1/0/1] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.3 00e0-de24-bf04 0 DF6 GE1/0/2
100/-
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
NOTE
The preceding command output shows that the ARP entries learned from GE 1/0/1 are deleted after GE
1/0/1 is shut down. After the undo shutdown command is run on GE 1/0/1 and GE 1/0/1 goes Up, the aging
time of the ARP entries learned from GE 1/0/2 changes to 0. When the aging time is 0, the device sends
an ARP probe packet for updating ARP entries.
[router-GigabitEthernet1/0/1] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.3 00e0-de24-bf04 20 DF6 GE1/0/2
100/-
----------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
NOTE
After the entry is updated, the aging time is restored to the default value, 20 minutes.
----End
Configuration Files
The configuration file of router is as follows:
#
sysname router
#
l2-topology detect enable
#
vlan 100
#
interface Vlanif100
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
portswitch
port default vlan 100
#
interface GigabitEthernet1/0/2
undo shutdown
portswitch
port default vlan 100
#
return
3 DNS Configuration
About This Chapter
By configuring the Domain Name System (DNS), you can enable network devices to
communicate with each other through their domain names.
3.1 DNS Overview
The DNS is a host naming mechanism. It assigns a meaningful, easy-to-remember domain name
to each host on the Internet in a hierarchical manner.
3.2 Configuring DNS
By configuring the DNS, you can set up a mapping between a domain name and an IP address.
In this manner, you can enable the device to communicate with other devices.
3.3 Maintaining DNS
The operations of DNS maintenance include clearing DNS statistics and monitoring the DNS
operating status.
3.4 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
3.1 DNS Overview
The DNS is a host naming mechanism. It assigns a meaningful, easy-to-remember domain name
to each host on the Internet in a hierarchical manner.
3.1.1 Introduction to DNS
After each host on the Internet is assigned a domain name, you can set up a mapping between
the domain name and the IP address of a host through DNS. In this manner, you can use domain
names, which are meaningful and easy to memorize, instead of complicated IP addresses.
The Domain Name System (DNS) is a host naming mechanism provided by TCP/IP, with which
hosts can be named in the form of character strings. This system uses a hierarchical naming
structure. It designates a meaningful name for a device on the Internet and associates the name
with the IP address through a domain name resolution server. In this manner, you can use domain
names that are easy to remember instead of memorizing complex IP addresses.
3.1.2 DNS Supported by the NE80E/40E
Domain name resolution can be performed in either dynamic mode or static mode.
DNS has two resolution modes: dynamic DNS resolution and static DNS resolution. To resolve
a domain name, the system first uses static DNS resolution. If this mode fails, the system uses
dynamic DNS resolution. To improve resolution efficiency, you can put common domain names
in a static domain name resolution table.
The NE80E/40E supports static resolution and dynamic resolution.
3.2 Configuring DNS
By configuring the DNS, you can set up a mapping between a domain name and an IP address.
In this manner, you can enable the device to communicate with other devices.
3.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring the DNS.
Applicable Environment
If local users who access the device need to communicate with other devices by using domain
names, you can configure DNS on the device. A DNS entry is a mapping between a domain name
and an IP address.
If local users seldom use domain names to communicate with other devices, or if the DNS
server is unavailable, configure static DNS. Before configuring static DNS, you must know the
mapping between the domain name and the IP address. If the mapping changes, you must
modify the DNS entry manually.
You can configure dynamic DNS on the device if local users frequently use domain names for
communicating with other devices and the DNS server is available.
Pre-configuration Tasks
Before configuring DNS, complete the following tasks:
● Configuring physical attributes of the interface and ensuring that the physical layer status
of the interface is Up
● Configuring parameters of the link layer protocol of the interface and ensuring that the link
layer protocol status of the interface is Up
● Configuring routes between the local device and the DNS server
● Configuring the DNS server
Data Preparation
To configure DNS, you need the following data.
No. Data
1 Domain name and the corresponding IP address in a static DNS entry
2 IP address of a DNS server
3 Domain name or the domain name list of a dynamic DNS entry
3.2.2 Configuring Static DNS Entries
You can create a table of mappings between domain names and IP addresses and add commonly-
used domain names to this table. When a client needs to use the IP address corresponding to a
domain name, the client can search the table for the required IP address. This improves the
efficiency of domain name resolution.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip host host-name ip-address
The IP address corresponding to the host name is configured.
A host name corresponds to only one IP address. If you configure an IP address for the same
host name several times, only the most recently configured IP address is valid. To resolve
several host names, repeat Step 2.
You can configure a maximum of 50 static DNS entries.
----End
3.2.3 Configuring Dynamic DNS
To perform dynamic domain name resolution, you need a special domain name resolution server,
which runs a server program. This server provides mappings between domain names and IP
addresses and receives resolution requests from the client.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dns resolve
Dynamic domain name resolution is enabled.
Step 3 Run:
dns server ip-address
A DNS server is specified.
Step 4 (Optional) Run:
dns server source-ip source-ip-address
The source IP address of the local device is specified.
The local device uses the specified IP address to communicate with the DNS server, which
ensures communication security.
Step 5 Run:
dns domain domain-name
The suffix of the domain name is added.
----End
Follow-up Procedure
The system supports the configuration of a maximum of 6 domain name servers, 1 source
address, and 10 domain name suffixes.
To configure more than one domain name server, repeat Step 3.
To configure more than one domain name suffix, repeat Step 5.
3.2.4 Checking the Configuration
You can view the configuration of the DNS.
Prerequisite
The configurations of the DNS function are complete.
Procedure
● Run the display ip host command to check the information about the static DNS entry
table.
● Run the display dns server command to check the configuration of DNS servers.
● Run the display dns domain command to check the configuration of domain name
suffixes.
● Run the display dns dynamic-host command to check the information about dynamic DNS
entries in the domain name cache.
----End
Example
Run the display ip host command. If static DNS entries, including the mappings between host
names and IP addresses, are displayed, the configuration has succeeded. For example:
<HUAWEI> display ip host
Host Age Flags Address
hw 0 static 10.1.1.1
gww 0 static 192.168.1.1
Run the display dns server command. If IP addresses of all domain servers are displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server IpAddress
1 172.16.1.1
2 172.16.1.2
IPv6 Dns Servers :
No configured servers.
Run the display dns domain command. If the list of suffixes of domain names is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display dns domain
No Domain-name
1 com
2 net
Run the display dns dynamic-host command. If information about the dynamic domain name
cache is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns dynamic-host
No Domain-name IpAddress TTL Alias
1 www.huawei.com 91.1.1.1 3521
2 www.huawei.com.cn 87.1.1.1 3000
3.3 Maintaining DNS
The operations of DNS maintenance include clearing DNS statistics and monitoring the DNS
operating status.
3.3.1 Clearing DNS Entries
This section describes DNS entry clearance through the reset command.
Context
CAUTION
DNS entries cannot be restored after being cleared. So, confirm the action before you use this
command.
Procedure
Step 1 Run the reset dns dynamic-host command in the user view to clear dynamic DNS entries
statistics in the domain name cache.
----End
3.3.2 Monitoring Network Operation Status of DNS
This section describes DNS operation monitoring through the display command.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of DNS.
Procedure
● Run the display ip host command to check the information about the static DNS entry
table.
● Run the display dns server command to check the configuration of DNS servers.
● Run the display dns domain command to check the configuration of domain name
suffixes.
● Run the display dns dynamic-host command to check the information about dynamic DNS
entries in the domain name cache.
----End
3.4 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E as an example. In working situations,
the actual interface numbers and link types may be different from those used in this document.
3.4.1 Example for Configuring DNS
This section provides an example of configuring the DNS.
Networking Requirements
As shown in Figure 3-1, Router A acts as a DNS client and must access the host
2.1.1.3/16 by using the domain name huawei.com. You need to configure the domain name
suffixes "com" and "net".
On Router A, configure static DNS entries of Router B and Router C so that Router A can
communicate with them by using domain names.
Figure 3-1 Networking diagram of DNS
[Diagram not reproduced. Labels: RouterA (DNS client), GE1/0/0 1.1.1.2/16; RouterB, GE1/0/1
1.1.1.1/16, GE1/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32; RouterC, GE1/0/0 2.1.1.2/16, GE1/0/1
3.1.1.1/16, Loopback0 4.1.1.2/32; host huawei.com 2.1.1.3/16; DNS server 3.1.1.2/16.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure suffixes of domain names.
Data Preparation
To complete the configuration, you need the following data:
● Domain names of Router B and Router C
● IP address of the DNS server
● Suffixes of domain names
Procedure
Step 1 Configure Router A.
# Configure static DNS entries.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ip host RouterB 4.1.1.1
[RouterA] ip host RouterC 4.1.1.2
# Enable DNS resolution.
[RouterA] dns resolve
# Configure an IP address for the DNS server.
[RouterA] dns server 3.1.1.2
# Configure a domain name suffix "net".
[RouterA] dns domain net
# Configure a domain name suffix "com".
[RouterA] dns domain com
[RouterA] quit
NOTE
To complete DNS resolution, configuring routes from Router A to the DNS server is mandatory. For
procedures for configuring routes, refer to the NE80E/40E Router Configuration Guide - IP Routing.
Step 2 Verify the configuration.
# Run the ping huawei.com command on Router A to ping the IP address 2.1.1.3. The ping succeeds.
<RouterA> ping huawei.com
Trying DNS server (3.1.1.2)
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
# Run the display ip host command on Router A to view static DNS entries, including mappings
between host names and IP addresses.
<RouterA> display ip host
Host Age Flags Address
RouterB 0 static 4.1.1.1
RouterC 0 static 4.1.1.2
# Run the display dns dynamic-host command on Router A to view dynamic DNS entries in
the domain name cache.
<RouterA> display dns dynamic-host
No Domain-name IpAddress TTL Alias
1 huawei.com 2.1.1.3 3579
NOTE
The TTL value in the preceding output indicates the lifetime of an entry, in seconds.
----End
Configuration Files
● Configuration file of Router A
#
sysname RouterA
#
ip host RouterB 4.1.1.1
ip host RouterC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.0.0
#
rip 1
 network 1.0.0.0
#
return
● Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.1 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 1.0.0.0
 network 4.0.0.0
#
return
● Configuration file of Router C
#
sysname RouterC
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 2.1.1.2 255.255.0.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 3.1.1.1 255.255.0.0
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
rip 1
 network 2.0.0.0
 network 3.0.0.0
 network 4.0.0.0
#
return
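The limits and rules stated in sections 3.2.2 and 3.2.3 (50 static entries, 6 servers, 1 source address, 10 suffixes, and the latest ip host address replacing earlier ones) can be checked before commands are applied to the device. The following Python audit is an added example, not Huawei code; the function names, finding codes and sample script are constructed here, and it assumes only the IPv4 command forms shown in this chapter.

```python
import ipaddress

# Limits stated in sections 3.2.2 and 3.2.3 of this guide.
LIMITS = {"static-hosts": 50, "servers": 6, "source-ips": 1, "suffixes": 10}

# Constructed sample: Router A's DNS commands from section 3.4.1, plus a second
# "ip host RouterB" line and a malformed server address to exercise the checks.
SAMPLE_SCRIPT = """\
[RouterA] ip host RouterB 4.1.1.1
[RouterA] ip host RouterC 4.1.1.2
[RouterA] ip host RouterB 4.1.1.9
[RouterA] dns resolve
[RouterA] dns server 3.1.1.2
[RouterA] dns server 3.1.1.300
[RouterA] dns domain net
[RouterA] dns domain com
"""


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _add_address(cfg, key, words):
    """Record the address at the end of a command, or the whole line if it is invalid."""
    if not _is_ipv4(words[-1]):
        cfg["bad-lines"].append(" ".join(words))
    elif words[-1] not in cfg[key]:
        cfg[key].append(words[-1])


def parse_dns_commands(script):
    """Collect DNS settings from VRP commands (session lines or a configuration file)."""
    cfg = {"static-hosts": {}, "servers": [], "source-ips": [], "suffixes": [],
           "resolve": False, "replaced": [], "bad-lines": []}
    for line in script.splitlines():
        words = line.split()
        if words and words[0][0] in "[<":   # drop a "[RouterA]" or "<HUAWEI>" prompt
            words = words[1:]
        if words == ["dns", "resolve"]:
            cfg["resolve"] = True
        elif words[:2] == ["ip", "host"] and len(words) == 4:
            name, addr = words[2], words[3]
            if not _is_ipv4(addr):
                cfg["bad-lines"].append(" ".join(words))
                continue
            old = cfg["static-hosts"].get(name)
            if old not in (None, addr):
                cfg["replaced"].append((name, old, addr))
            cfg["static-hosts"][name] = addr   # only the latest address is valid
        elif words[:2] == ["dns", "domain"] and len(words) == 3:
            if words[2] not in cfg["suffixes"]:
                cfg["suffixes"].append(words[2])
        elif words[:3] == ["dns", "server", "source-ip"] and len(words) == 4:
            _add_address(cfg, "source-ips", words)
        elif words[:2] == ["dns", "server"] and len(words) == 3:
            _add_address(cfg, "servers", words)
    return cfg


def audit_dns(script):
    """Return a list of (level, code, detail) findings for the DNS commands."""
    cfg = parse_dns_commands(script)
    findings = []
    for key, limit in LIMITS.items():
        if len(cfg[key]) > limit:
            findings.append(("error", "limit-" + key,
                             f"{len(cfg[key])} configured, the maximum is {limit}"))
    for name, old, new in cfg["replaced"]:
        findings.append(("warn", "static-replaced",
                         f"{name}: {old} is replaced by {new}"))
    for line in cfg["bad-lines"]:
        findings.append(("error", "bad-address", line))
    if cfg["servers"] and not cfg["resolve"]:
        findings.append(("error", "resolve-disabled",
                         "a dns server is set but 'dns resolve' is missing"))
    if cfg["resolve"] and not cfg["servers"]:
        findings.append(("error", "no-server",
                         "'dns resolve' is set but no valid dns server is configured"))
    if cfg["resolve"] and cfg["servers"] and not cfg["source-ips"]:
        findings.append(("info", "no-source-ip",
                         "the optional 'dns server source-ip' is not configured"))
    return findings


if __name__ == "__main__":
    for level, code, detail in audit_dns(SAMPLE_SCRIPT):
        print(f"{level:5} {code:16} {detail}")
```

Because static resolution is tried before dynamic resolution, a "static-replaced" finding deserves review: the replaced name will resolve to the new address without any query to the DNS server.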
4 IP Performance Configuration
About This Chapter
By configuring IP performance, you can improve the performance of the device.
4.1 IP Performance Overview
By configuring IP performance, you can improve the IP packet forwarding capability of the
device.
4.2 Improving IP Performance
By setting parameters for IP packets, you can optimize the performance of the network.
4.3 Configuring TCP
By setting TCP parameters, you can improve the performance of the network.
4.4 Configuring Load Balancing for IP Packet Forwarding
By configuring Equal-Cost Multiple Path (ECMP) or Unequal-Cost Multiple Path (UCMP), you
can improve the packet forwarding capability of the network.
4.5 Maintaining IP Performance
You can maintain IP performance by deleting IP performance statistics and monitoring the
operation of IP performance.
4.6 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
4.1 IP Performance Overview
By configuring IP performance, you can improve the IP packet forwarding capability of the
device.
4.1.1 Introduction to IP Performance
By configuring certain parameters and functions, you can improve the IP performance of the
device.
IP performance is optimized by configuring certain parameters and enabling related
functions, for example, the interface MTU, ICMP attributes, and TCP attributes.
Internet Control Message Protocol (ICMP) messages are used by either the IP layer or the higher
layer protocol (TCP or UDP). ICMP communicates error messages or other information that
requires attention.
4.1.2 IP Performance Supported by the NE80E/40E
By setting IP, TCP, and ICMP parameters, you can improve the performance of the network.
ICMP
● ICMP Host Unreachable messages
When forwarding packets, the device discards a packet and returns an ICMP host
unreachable message to the source, notifying the source to stop sending packets to
this destination, if the device encounters the following situations:
  - There is no route to the destination.
  - The packet is not for itself.
● ICMP Redirection messages
During packet forwarding, if the device finds the following situations, it sends an ICMP
redirection message to the source device and notifies the host to reselect a correct
device to send packets to.
  - The interfaces to receive and forward packets are the same.
  - The selected route is not created or modified by the ICMP redirection packet.
  - The selected route is not the route destined for the destination 0.0.0.0.
  - The subnet mask bit of the source address is the same as that of the outgoing interface.
● ICMP packet sending switches
In normal circumstances, ICMP host unreachable and redirection messages ensure
normal packet transmission. However, when devices encounter the preceding conditions
frequently, they send a large number of ICMP messages, which increases the traffic
burden on the network. In the case of malicious attacks, network congestion becomes worse.
To solve this problem, the ICMP host unreachable function can be deployed on the
outbound interface. If this function is disabled, the device does not send ICMP host
unreachable messages. As a result, the traffic burden on the network is relieved and
malicious attacks on the network are prevented.
Unequal-Cost Load Balancing
The NE80E/40E supports Unequal-Cost Multiple Path (UCMP) among all equal-cost routes to
the same destination.
UCMP supports only flow-based IP packet forwarding.
UCMP applies only to equal-cost routes. It is independent of routing protocols; that is, it
works regardless of whether an Interior Gateway Protocol (IGP) or the Border Gateway Protocol
(BGP) is used.
Among the paths that perform UCMP, the bandwidth of each path must not be lower than 1/16
of the total bandwidth; otherwise, the path does not participate in UCMP.
The unequal-cost load balancing is classified into interface unequal-cost load balancing and
global unequal-cost load balancing. The differences between these two modes are described as
follows:
● For interface unequal-cost load balancing, you need to enable unequal-cost load
balancing on all the outgoing interfaces that can forward packets. For global unequal-cost
load balancing, you need to enable unequal-cost load balancing only in the system
view.
● After interface unequal-cost load balancing is enabled, you need to restart any interface
to trigger the delivery of FIB entries. After global unequal-cost load balancing is enabled,
FIB entries are delivered automatically.
The interface unequal-cost load balancing and the global unequal-cost load balancing are
mutually exclusive. You cannot enable both of them.
4.2 Improving IP Performance
By setting parameters for IP packets, you can optimize the performance of the network.
4.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring IP performance optimization.
Applicable Environment
In some special network environments, you must adjust the IP parameters to achieve the best
performance. Improving IP performance involves configurations of a series of parameters.
Pre-configuration Tasks
Before improving IP performance, complete the following tasks:
● Configuring the physical parameters for related interfaces and ensuring that the status of
the physical layer of the interface is Up
● Configuring the link layer protocol for related interfaces and ensuring that the status of the
link layer protocol on the interface is Up
● Configuring the IP addresses for related interfaces
Data Preparation
To improve IP performance, you need the following data.
No. Data
1 Number and MTU value of the interface
2 Number of the interface which needs source address verification
3 Number of the interface which needs to forward broadcast packets and ACL number
4 Number of the interface which needs to clear the DF
5 Number of the interface which needs to configure ICMP host-unreachable
4.2.2 Configuring the Maximum Transmission Unit of the Interface
The MTU of an interface determines whether a packet needs to be fragmented when passing
through this interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
mtu mtu
The maximum transmission unit of the interface is configured.
----End
Follow-up Procedure
The default MTU value varies with the interface type. Use the display interface command to
find out the value used.
NOTE
After configuring the MTU on an interface, you must restart the interface; otherwise, the configuration
cannot take effect. To restart the interface, run the restart command or the shutdown and then undo
shutdown commands.
4.2.3 Configuring ICMP Attributes
Controlling the sending and receiving of ICMP messages helps protect against attacks that use
ICMP messages.
Context
By default, receiving ICMP messages and sending ICMP host unreachable messages are
enabled. The LPU does not send FIB Miss packets to the CPU.
CAUTION
● The system sends ICMP host unreachable packets to the peer device only when both the
fib-miss-report enable and icmp host-unreachable send commands are configured.
● If sending ICMP host unreachable messages is disabled, the device no longer sends ICMP
host unreachable messages.
● If receiving ICMP messages is disabled, the router does not receive ICMP messages under
any condition.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
icmp receive
Receiving ICMP messages is enabled.
Step 3 Run:
fib-miss-report enable
The LPU is configured to send FIB Miss packets to the CPU.
Step 4 Run:
interface interface-type interface-number
The interface view is displayed.
Step 5 Run:
icmp host-unreachable send
Sending ICMP host unreachable messages is enabled.
----End
4.2.4 Checking the Configuration
You can view the configuration of IP performance optimization.
Prerequisite
The configurations for improving IP performance are complete.
Procedure
● Run the display udp statistics command to check the UDP traffic statistics.
● Run the display ip interface [ interface-type interface-number ] command or display ip
interface brief [ interface-type [ interface-number ] | slot slot-number [ card card-number ] ]
command to check the table information of the IP layer interface.
● Run the display ip statistics [ slot slot-id ] command to check the IP traffic statistics.
● Run the display icmp statistics [ slot slot-id ] command to check the ICMP traffic statistics.
● Run the display rawlink statistics command to check the Rawlink statistics.
● Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
socket-type ] command to check all the current socket API information.
----End
Example
Run the display udp statistics command. If the UDP traffic statistics are displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display udp statistics
Received packets:
Total: 0
Total(64bit high-capacity counter): 0
checksum error: 0
shorter than header: 0, data length larger than packet: 0
unicast(no socket on port): 0
broadcast/multicast(no socket on port): 0
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 0
Total(64bit high-capacity counter): 0
Run the display ip interface command. If the information about IP interfaces is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display ip interface gigabitethernet 2/0/2
GigabitEthernet2/0/2 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 1338, bytes : 117744, multicasts : 1338
output packets : 1336, bytes : 106884, multicasts : 1336
Directed-broadcast packets:
received packets: 0, sent packets: 0
forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is 120.1.1.1/24
Broadcast address : 120.1.1.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
DHCP packet deal mode: global
Run the display ip statistics command. If the IP traffic statistics are displayed, it means that the
configuration succeeds. For example:
<HUAWEI> display ip statistics
Run the display icmp statistics command. If the ICMP traffic statistics are displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display icmp statistics
Input: bad formats 0 bad checksum 0
echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0
Mping request 0 Mping reply 0
Output:echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 0
Mping request 0 Mping reply 0
Run the display rawlink statistics command. If the Rawlink statistics are displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display rawlink statistics
Received packets:
Total: 1771645
ifnet is null: 0
input packets missing pcb cache: 1181096
not pass multicast: 0
no join multicast: 0
full sock and pstMBuf to be freed: 0
full sock and nothing to be freed: 0
full sock and other reason: 0
Send packets:
Total: 125850
4.3 Configuring TCP
By setting TCP parameters, you can improve the performance of the network.
4.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring TCP.
Applicable Environment
None.
Pre-configuration Tasks
None.
Data Preparation
To configure TCP, you need the following data.
No. Data
1 SYN-WAIT timer, FIN-WAIT timer, receiving and sending buffer size of the socket
4.3.2 Configuring TCP Timer
By setting two TCP timers, you can control TCP connection time.
Context
The types of TCP timers are shown as follows:
● The SYN-Wait timer: When sending SYN packets, TCP starts the SYN-Wait timer. If no
response packets are received before the SYN-Wait timer times out, the TCP connection
is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the
default value is 75 seconds.
● The FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer starts. If no FIN packets are received before the
FIN-Wait timer times out, the TCP connection is terminated. The FIN-Wait timer timeout
ranges from 76 seconds to 3600 seconds, and the default value is 675 seconds.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
tcp timer syn-timeout interval
The SYN-Wait timer for setting up TCP connections is configured.
Step 3 Run:
tcp timer fin-timeout interval
The FIN_WAIT_2 timer for TCP connections is configured.
----End
4.3.3 Specifying the Size of a TCP Sliding Window
By setting the sliding window size for TCP, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the security of the network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
tcp window window-size
The receiving/sending buffer size of the TCP socket is configured.
window-size specifies the receiving and sending buffer size of the connection-oriented socket.
It ranges from 1K bytes to 32K bytes, and the default value is 8K bytes.
----End
4.3.4 Checking the Configuration
You can view the configuration of TCP.
Prerequisite
The configurations of the TCP function are complete.
Procedure
● Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
remote-port-number ] ] command to check the TCP connection status.
● Run the display tcp statistics command to check the TCP traffic statistics.
----End
Example
Run the display tcp status command. If the information about the TCP connection status is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
0a5d560c 30 /1 0.0.0.0:23 0.0.0.0:0 14849 Listening
Run the display tcp statistics command. If the TCP traffic statistics are displayed, it means that
the configuration succeeds. For example:
<HUAWEI> display tcp statistics
Received packets:
Total: 0
Total(64bit high-capacity counter): 0
packets in sequence: 0 (0 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, offset error: 0, short error: 0
duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets of data after window: 0 (0 bytes)
packets received after close: 0
ACK packets: 0 (0 bytes)
duplicate ACK packets: 0, too much ACK packets: 0
Sent packets:
Total: 0
Total(64bit high-capacity counter): 0
urgent packets: 0
control packets: 0 (including 0 RST)
window probe packets: 0, window update packets: 0
data packets: 0 (0 bytes), data packets retransmitted: 0 (0 bytes)
ACK-only packets: 0 (0 delayed)
Other information:
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keep alive timeout: 0, keep alive probe: 0, Keep alive timeout, so conne
ctions disconnected : 0
Initiated connections: 0, accepted connections: 0, established connectio
ns: 0
Closed connections: 0 ( dropped: 0, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0
Send Packets permitted with Keychain authentication: 0
Receive Packets permitted with Keychain authentication: 0
Receive Packets Dropped with Keychain authentication: 0
4.4 Configuring Load Balancing for IP Packet Forwarding
By configuring Equal-Cost Multiple Path (ECMP) or Unequal-Cost Multiple Path (UCMP), you
can improve the packet forwarding capability of the network.
4.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for sharing loads of IP packet forwarding.
Applicable Environment
Equal-Cost Multiple Path (ECMP) evenly distributes traffic among multiple
equal-cost paths, regardless of the difference in path bandwidth. This, however, usually leads to
traffic congestion on the low-bandwidth path.
Unequal-Cost Multiple Path (UCMP) proportionally distributes traffic among
multiple equal-cost paths by considering the difference in path bandwidth. This achieves
more reasonable load balancing because traffic is proportionally distributed among paths.
Pre-configuration Tasks
Before configuring load balancing for IP packet forwarding, complete the following tasks:
• Connecting interfaces and setting physical parameters for interfaces to ensure that the
  physical layer status of each interface is Up
• Setting parameters of the link layer protocol for interfaces to ensure that the status of the
  link layer protocol on each interface is Up
Data Preparation
To configure load balancing for IP packet forwarding, you need the following data.
No. Data
1 Interface type and interface number
2 IP address and subnet mask for the interface
4.4.2 Configuring the Load Balancing Mode of IP Packet Forwarding
Load balancing can be performed in either of two modes: per-flow and per-packet. Traffic is
balanced on equal-cost routes evenly regardless of the difference in link bandwidths.
Context
Load balancing can be enabled during IP packet forwarding.
When flow-based load balancing is carried out, the device considers the protocol type, source
IP address and mask, destination IP address and mask, source port range, and destination port
range, and then uses a hash algorithm to calculate a value. Based on the calculated value, it
chooses a link to forward the packets.
When packet-based load balancing is carried out, the device chooses a link for each packet, so
that packets are distributed across the multiple links.
By default, flow-based load balancing is adopted.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
• load-balance { flow | packet } [ all | slot slot-id ]
  Packets on the device are load balanced.
• load-balance ip-enhance { all | slot slot-id }
  Packets received on the device are load balanced.
  After the load-balance ip-enhance command is run, the device load balances the received
  packets based on the quintuple: the protocol type, the source IP address, the destination IP
  address, the source port, and the destination port. If the command is not run, the device load
  balances the received packets according to the source IP address, the destination IP address,
  the source port, and the destination port of the IP packet in flow-by-flow mode.
NOTE
When the outgoing interfaces are MP interfaces, the load-balance packet [ all | slot slot-id ] command
cannot be run to implement packet-based load balancing among the interfaces. In this case, you can
configure policy-based routing to implement packet-based load balancing.
----End
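The following Python model is an added example, not part of the Huawei guide. It contrasts flow mode, flow mode with load-balance ip-enhance, and packet mode as Step 2 describes them. The SHA-256 hash, the round-robin model of packet mode, the link names and the sample packets are assumptions; the guide does not document the device's hash algorithm.

```python
import hashlib
from itertools import count

# Sample names for three equal-cost outgoing interfaces (constructed).
LINKS = ["GE2/0/0", "GE3/0/0", "Pos4/0/0"]


def _bucket(fields, n_links):
    """Hash header fields to a link index.

    SHA-256 is a stand-in (assumption): the guide does not say which hash
    algorithm the device uses.
    """
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_links


def pick_flow(pkt, links, ip_enhance=False):
    """Flow mode: every packet with the same key fields takes the same link."""
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    if ip_enhance:
        # load-balance ip-enhance: the protocol type joins the key (quintuple).
        key = (pkt["proto"],) + key
    return links[_bucket(key, len(links))]


def make_packet_picker(links):
    """Packet mode, modelled as round-robin (assumption): headers are ignored."""
    counter = count()
    return lambda pkt: links[next(counter) % len(links)]


def links_used_by_one_flow(picker, pkt, n_packets=30):
    """Set of links that n_packets of a single flow are sent over."""
    return {picker(pkt) for _ in range(n_packets)}


def protocol_split_pairs(n_pairs, ip_enhance):
    """Count TCP/UDP twins (same addresses and ports) sent over different links."""
    split = 0
    for i in range(n_pairs):
        base = {"src": f"10.1.1.{i % 250 + 1}", "dst": "20.1.1.1",
                "sport": 1024 + i, "dport": 53}
        tcp, udp = dict(base, proto=6), dict(base, proto=17)
        if pick_flow(tcp, LINKS, ip_enhance) != pick_flow(udp, LINKS, ip_enhance):
            split += 1
    return split


if __name__ == "__main__":
    pkt = {"proto": 6, "src": "10.1.1.1", "dst": "20.1.1.1",
           "sport": 40000, "dport": 443}
    print("flow mode  :", links_used_by_one_flow(lambda p: pick_flow(p, LINKS), pkt))
    print("packet mode:", links_used_by_one_flow(make_packet_picker(LINKS), pkt))
    print("TCP/UDP twins split, 4 fields :", protocol_split_pairs(200, False))
    print("TCP/UDP twins split, quintuple:", protocol_split_pairs(200, True))
```

In packet mode a single flow crosses every link, so a monitoring tap on one link sees only part of each flow and the receiver may see packets out of order.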
4.4.3 Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
If several equal-cost physical links with different bandwidths lead to the same destination, traffic
is balanced among the physical links according to their bandwidths. In this manner, each link
carries an amount of traffic that depends on its bandwidth, and optimal load balancing is
achieved. After enabling UCMP on an interface, you have to shut down and re-enable this
interface. This causes traffic interruption. Therefore, enabling UCMP globally is
recommended.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
NOTE
The interface must be an outgoing interface of equal-cost routes. Interface UCMP takes effect among
paths only after UCMP is enabled on all outgoing interfaces of the equal-cost routes on the device and
FIB entry delivery is triggered; if UCMP is not enabled on one outgoing interface, Equal-Cost Multiple
Path (ECMP) is performed among the paths even though FIB entry delivery is triggered.
Interface UCMP cannot be enabled globally or on logical interfaces. It can be enabled only on
physical main interfaces.
Step 3 Run:
load-balance unequal-cost enable
Interface UCMP is enabled for IP packet forwarding.
Route recalculation and FIB entry delivery are not triggered at once after UCMP is enabled or
disabled on the interface through command lines. FIB entry delivery is performed only after
UCMP configurations are validated.
Step 4 Run:
shutdown
The interface where UCMP is enabled is shut down.
Step 5 Run:
undo shutdown
The interface is restarted for validating UCMP configurations.
You can reset the interface where UCMP is enabled or disabled to trigger route recalculation
and FIB entry delivery so that UCMP configurations can be validated.
NOTE
Restarting the interface is one method to trigger FIB entry delivery. You can also change the IP address of
the interface to trigger FIB entry delivery and hence validate UCMP configurations.
----End
4.4.4 Configuring Global Unequal-Cost Multiple Path During IP Packet Forwarding
If several equal-cost physical links with different bandwidths lead to the same destination, traffic
is balanced among the physical links according to their bandwidths. In this manner, each link
carries an amount of traffic that depends on its bandwidth, and optimal load balancing is
achieved. After load balancing is enabled globally, traffic is not interrupted because no interface
needs to be shut down and then enabled again.
Context
Do as follows on the router to implement global UCMP:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
load-balance unequal-cost enable
Global UCMP is enabled for IP packet forwarding.
By default, global UCMP is disabled.
NOTE
• The interfaces that support the UCMP function are Ethernet interfaces, Gigabit Ethernet interfaces,
  POS interfaces, ATM interfaces, serial interfaces, MP interfaces, Eth-Trunk interfaces, IP-Trunk
  interfaces, and TE tunnel interfaces.
  If UCMP is enabled on a TE tunnel interface, the bandwidth value cannot be changed between 0 and
  a non-zero value, but the bandwidth value can be changed between non-zero values.
• Frequently enabling and disabling UCMP on an interface greatly degrades the system performance.
  Therefore, the interval from enabling UCMP to disabling UCMP or from disabling UCMP to enabling
  UCMP must be equal to or longer than 5 minutes.
----End
4.4.5 Checking the Configuration
You can view the configuration of load balancing for IP packet forwarding.
Prerequisite
All the load balancing configurations for IP packet forwarding are complete.
Procedure
• Run the display fib [ slot-id ] command to check the FIB table of the interface board.
• Run the display fib acl acl-number [ verbose ] command to check the filtered FIB
  information.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ]
  [ verbose ] command to check the FIB entry which matches a destination address.
• Run the display fib [ slot-id ] destination-address1 destination-mask1
  destination-address2 destination-mask2 [ verbose ] command to check the FIB entry whose
  destination address is in the range of destination-address1 destination-mask1 to
  destination-address2 destination-mask2.
• Run the display fib ip-prefix prefix-name [ verbose ] command to check the FIB entries
  that match the specified IP prefix name.
• Run the display fib interface interface-type interface-number command to check the FIB
  entries that match the specified interface type and interface number.
• Run the display fib next-hop ip-address command to check the FIB entries that match the
  specified next hop address.
• Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.
• Run the display fib [ slot-id ] command to check the summary of the FIB.
----End
Example
Run the display fib command. If brief information about the FIB is displayed, the
configuration is successful. For example:
<HUAWEI> display fib
Route Flags: G - Gateway Route, H - Host Route, U - Up Route
S - Static Route, D - Dynamic Route, B - Black Hole Route
------------------------------------------------------------------------------
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID
169.254.0.0/16 2.1.1.1 U t[0] GE1/0/0 0x0
2.0.0.0/16 2.1.1.1 U t[0] GE1/0/0 0x0
127.0.0.0/8 127.0.0.1 U t[0] InLoop0 0x0
<HUAWEI> display fib acl 2010
Route entry matched by access-list 2010:
Summary counts: 1
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID
127.0.0.0/8 127.0.0.1 U t[0] InLoop0 0x0
4.5 Maintaining IP Performance
You can maintain IP performance by deleting IP performance statistics and monitoring the
operation of IP performance.
4.5.1 Clearing IP Performance Statistics
By running the reset command, you can delete IP performance statistics.
Context
CAUTION
IP/TCP/UDP statistics cannot be restored after they are cleared. Confirm the action before you
run the command.
Procedure
• Run the reset ip statistics [ interface interface-type interface-number | slot slot-id ]
  command in the user view to clear the IP statistics.
• Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the
  user view to clear information on the socket monitor.
• Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
• Run the reset udp statistics command in the user view to clear the UDP traffic statistics.
• Run the reset rawlink statistics command in the user view to clear the Rawlink statistics.
• Run the reset rawip statistics command in the user view to clear the RawIP statistics.
----End
4.5.2 Monitoring Network Operation Status of IP Performance
By running the display command, you can monitor the operation of IP performance.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of IP performance.
Procedure
• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
  ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
  remote-port-number ] ] command in any view to check TCP connection status.
• Run the display tcp statistics command in any view to check statistics about TCP traffic.
• Run the display udp statistics command in any view to check statistics about UDP traffic.
• Run the display ip interface [ interface-type interface-number ] command or display ip
  interface brief [ interface-type [ interface-number ] | slot slot-number [ card
  card-number ] ] command in any view to check information about IP interfaces.
• Run the display ip statistics [ slot slot-id ] command in any view to check statistics about
  IP traffic.
• Run the display icmp statistics [ slot slot-id ] command in any view to check statistics
  about ICMP traffic.
• Run the display rawlink statistics command in any view to check statistics about Rawlink.
• Run the display rawip statistics command in any view to check statistics about RawIP.
• Run the display fib [ slot-id ] command in any view to check the FIB on the specified
  interface board.
• Run the display fib acl acl-number [ verbose ] command in any view to check the FIB
  information selectively through filtering.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ]
  [ verbose ] command in any view to filter FIB entries by matching destination IP addresses.
• Run the display fib [ slot-id ] destination-address1 destination-mask1
  destination-address2 destination-mask2 [ verbose ] command in any view to check the FIB
  entries with the destination IP addresses in the range from destination-address1
  destination-mask1 to destination-address2 destination-mask2.
• Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check the
  FIB entries that match the specified IP prefix name.
• Run the display fib interface interface-type interface-number command in any view to
  check the FIB entries that match the specified interface type and interface number.
• Run the display fib next-hop ip-address command in any view to check the FIB entries
  that match the specified next hop address.
• Run the display fib [ slot-id ] statistics command in any view to check the total number
  of FIB entries.
• Run the display fib [ slot-id ] command in any view to check brief information about the
  forwarding table.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
  socket-type ] command in any view to check information about all the socket interfaces of
  the system.
----End
4.6 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
4.6.1 Example for Limiting Transmission of ICMP Host-Unreachable Packets
This part provides an example for limiting the transmission of ICMP host-unreachable packets.
Networking Requirements
As shown in Figure 4-1, Router A, Router B and Router C are connected with each other through
their Ethernet ports to test limiting transmission of host-unreachable packets.
Figure 4-1 Networking diagram of configuring ICMP host unreachable packets
[Figure: RouterA (GE 1/0/0, 1.1.1.1/24), RouterB (GE 1/0/0, 1.1.1.2/24), and RouterC (GE 1/0/0, 2.2.2.2/24), with the Internet shown in the diagram]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for the interfaces on devices.
2. Configure static routes between devices that are not directly connected.
3. Enable limiting transmission of ICMP Host-unreachable packets.
Data Preparation
To complete the configuration, you need the following data:
• Static routes between devices that are not directly connected
• IP addresses for the interfaces
Procedure
Step 1 Configure Router A.
# Configure static routes on Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ip route-static 2.2.2.2 24 1.1.1.2
# Configure an IP address for GE 1/0/0.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
Step 2 Configure Router B.
# Disable sending ICMP host unreachable packets on Router B and configure an IP address for
GE 1/0/0.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo icmp host-unreachable send
[RouterB-GigabitEthernet1/0/0] ip address 1.1.1.2 24
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] quit
Step 3 Configure Router C.
# Configure an IP address for GE 1/0/0 on Router C.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 2.2.2.2 24
[RouterC-GigabitEthernet1/0/0] undo shutdown
[RouterC-GigabitEthernet1/0/0] quit
Step 4 Verify the configuration.
# Enable debugging of ICMP packets on Router B.
<RouterB> debugging ip icmp
# Run the ping 2.2.2.2 command on Router A. If Router B does not send host-unreachable
packets, the configuration is successful. For example:
[RouterA] ping 2.2.2.2
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.2 255.255.255.0
undo icmp host-unreachable send
#
return
• Configuration file of Router C
#
sysname RouterC
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 2.2.2.2 255.255.255.0
#
return
4.6.2 Example for Configuring Interface Unequal-Cost Multiple Path During IP Packet Forwarding
This part provides an example for configuring interface UCMP for IP packet forwarding.
Networking Requirements
As shown in Figure 4-2, three paths exist between Router A and Router E, passing through
Router B, Router C, and Router D respectively. The three paths between Router A and Router E
are required to perform UCMP during IP packet forwarding. In this example, unequal-cost load
balancing refers to interface unequal-cost load balancing.
Figure 4-2 Networking diagram of configuring UCMP
[Figure: Router A connects to Router E over three paths, through Router B, Router C, and Router D. GE1/0/0 on Router A is 10.1.1.1/24 and GE1/0/0 on Router E is 20.1.1.1/24; the other interface addresses are listed in the following table.]
Router    Interface   IP address
RouterA   POS4/0/0    30.1.1.1/24
RouterA   GE3/0/0     40.1.1.1/24
RouterA   GE2/0/0     50.1.1.1/24
RouterB   POS1/0/0    30.1.1.2/24
RouterB   POS2/0/0    60.1.1.2/24
RouterC   GE1/0/0     40.1.1.2/24
RouterC   GE2/0/0     70.1.1.2/24
RouterD   GE1/0/0     50.1.1.2/24
RouterD   GE2/0/0     80.1.1.2/24
RouterE   POS4/0/0    60.1.1.1/24
RouterE   GE3/0/0     70.1.1.1/24
RouterE   GE2/0/0     80.1.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP on each device. Here, Intermediate System to Intermediate System (IS-IS)
is taken as an example.
2. Enable the UCMP function on each interface of Router A so that the three paths between
Router A and Router E can perform UCMP during IP packet forwarding.
Data Preparation
To complete the configuration, you need the following data:
• Interface type and number
• IP address of the interface
• IS-IS area ID and IS-IS level of each device
Procedure
Step 1 Configure an IP address for each interface. The detailed configuration procedure is not
mentioned here.
Step 2 Configure basic IS-IS functions.
# Configure Router A.
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis enable 1
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis enable 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] isis enable 1
[RouterA-Pos4/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] isis enable 1
[RouterA-GigabitEthernet3/0/0] quit
# Configure Router B.
[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis enable 1
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] isis enable 1
[RouterB-Pos2/0/0] quit
# Configure Router C.
[RouterC] isis 1
[RouterC-isis-1] is-level level-1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] isis enable 1
[RouterC-GigabitEthernet2/0/0] quit
# Configure Router D.
[RouterD] isis 1
[RouterD-isis-1] is-level level-1
[RouterD-isis-1] network-entity 10.0000.0000.0004.00
[RouterD-isis-1] quit
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] isis enable 1
[RouterD-GigabitEthernet1/0/0] quit
[RouterD] interface gigabitethernet 2/0/0
[RouterD-GigabitEthernet2/0/0] isis enable 1
[RouterD-GigabitEthernet2/0/0] quit
# Configure Router E.
[RouterE] isis 1
[RouterE-isis-1] is-level level-1
[RouterE-isis-1] network-entity 10.0000.0000.0005.00
[RouterE-isis-1] quit
[RouterE] interface gigabitethernet 1/0/0
[RouterE-GigabitEthernet1/0/0] isis enable 1
[RouterE-GigabitEthernet1/0/0] quit
[RouterE] interface gigabitethernet 2/0/0
[RouterE-GigabitEthernet2/0/0] isis enable 1
[RouterE-GigabitEthernet2/0/0] quit
[RouterE] interface pos 4/0/0
[RouterE-Pos4/0/0] isis enable 1
[RouterE-Pos4/0/0] quit
[RouterE] interface gigabitethernet 3/0/0
[RouterE-GigabitEthernet3/0/0] isis enable 1
[RouterE-GigabitEthernet3/0/0] quit
Step 3 Check basic IS-IS configurations.
# View IS-IS routing information on Router A.
[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-1 Forwarding Table
--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
--------------------------------------------------------------------------------
10.1.1.0/24 10 NULL GE1/0/0 Direct D/-/
L/-/-
20.1.1.0/24 30 NULL GE3/0/0 40.1.1.2 A/-/-/-/
C
GE2/0/0 50.1.1.2
Pos4/0/0 30.1.1.2
30.1.1.0/24 10 NULL Pos4/0/0 Direct D/L/-
40.1.1.0/24 10 NULL GE3/0/0 Direct D/L/-
50.1.1.0/24 10 NULL GE2/0/0 Direct D/L/-
60.1.1.0/24 20 NULL Pos4/0/0 30.1.1.2 R/-/-
70.1.1.0/24 20 NULL GE3/0/0 40.1.1.2
A/-/-/-/-
80.1.1.0/24 20 NULL GE2/0/0 50.1.1.2 R/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set, C-In Computing
# Ping 20.1.1.1 from Router A. By viewing the display on the Network Management Station
(NM Station), you can find that equal-cost load balancing is implemented among outgoing
interfaces.
[RouterA] ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/64 ms
Step 4 Enable UCMP on each outgoing interface of Router A.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] load-balance unequal-cost enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] load-balance unequal-cost enable
[RouterA-Pos4/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] load-balance unequal-cost enable
[RouterA-GigabitEthernet3/0/0] quit
Step 5 Re-enable GigabitEthernet2/0/0, GigabitEthernet3/0/0, and POS4/0/0 to validate UCMP
configurations on Router A.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] shutdown
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] shutdown
[RouterA-GigabitEthernet3/0/0] undo shutdown
[RouterA-GigabitEthernet3/0/0] quit
[RouterA] interface pos 4/0/0
[RouterA-Pos4/0/0] shutdown
[RouterA-Pos4/0/0] undo shutdown
Step 6 Verify the configuration.
# Ping 20.1.1.1 from Router A. By viewing the display on the NM Station, you can find that
UCMP is implemented among outgoing interfaces.
[RouterA] ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/64 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
load-balance unequal-cost enable
ip address 50.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
isis enable 1
#
return
• Configuration file of Router B
#
sysname RouterB
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
isis enable 1
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 60.1.1.2 255.255.255.0
isis enable 1
#
return
• Configuration file of Router C
#
sysname RouterC
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 40.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 70.1.1.2 255.255.255.0
isis enable 1
#
return
• Configuration file of Router D
#
sysname RouterD
#
isis 1
is-level level-1
network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 50.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 80.1.1.2 255.255.255.0
isis enable 1
#
return
• Configuration file of Router E
#
sysname RouterE
#
isis 1
is-level level-1
network-entity 10.0000.0000.0005.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 80.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 70.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
ip address 60.1.1.1 255.255.255.0
isis enable 1
#
return
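The following Python check is an added example, not part of the Huawei guide. It audits saved configuration files for the two settings configured in 4.6.1 and 4.6.2: UCMP on every outgoing interface of the equal-cost routes (one missing interface makes the device perform ECMP, per the NOTE in 4.4.3) and suppression of ICMP host-unreachable packets. The function names and the drifted configuration are constructed; treating a missing undo line as "still sending" is an assumption.

```python
UCMP_CMD = "load-balance unequal-cost enable"
ICMP_OFF_CMD = "undo icmp host-unreachable send"

# Configuration file of Router A from section 4.6.2 (as printed in the guide).
ROUTER_A_CFG = """\
#
sysname RouterA
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
load-balance unequal-cost enable
ip address 50.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
isis enable 1
#
return
"""

# Configuration file of Router B from section 4.6.1 (as printed in the guide).
ROUTER_B_CFG = """\
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.2 255.255.255.0
undo icmp host-unreachable send
#
return
"""

# Outgoing interfaces of the equal-cost routes to 20.1.1.0/24 on Router A,
# taken from the display isis route output and written with full names.
ECMP_OUT_IFS = ["GigabitEthernet3/0/0", "GigabitEthernet2/0/0", "Pos4/0/0"]

# Constructed drift case: UCMP removed from Pos4/0/0 only.
ROUTER_A_DRIFTED = ROUTER_A_CFG.replace(
    UCMP_CMD + "\nip address 30.1.1.1", "ip address 30.1.1.1")


def parse_vrp_config(text):
    """Return {interface name: [commands]} from a '#'-delimited config file."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None                      # stanza boundary
        elif current is None:                   # first line of a stanza
            if line.lower().startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = []
            else:
                current = ""                    # not an interface stanza: skip it
        elif current:
            interfaces[current].append(line)
    return interfaces


def ucmp_gaps(interfaces, equal_cost_out_ifs):
    """Equal-cost outgoing interfaces without UCMP; any gap means ECMP is used."""
    return [name for name in equal_cost_out_ifs
            if UCMP_CMD not in interfaces.get(name, [])]


def icmp_unreachable_senders(interfaces):
    """Interfaces lacking the undo line (assumed to still send host-unreachable)."""
    return [name for name, cmds in interfaces.items() if ICMP_OFF_CMD not in cmds]


if __name__ == "__main__":
    print("UCMP gaps, guide config  :", ucmp_gaps(parse_vrp_config(ROUTER_A_CFG), ECMP_OUT_IFS))
    print("UCMP gaps, drifted config:", ucmp_gaps(parse_vrp_config(ROUTER_A_DRIFTED), ECMP_OUT_IFS))
    print("Router B still sending   :", icmp_unreachable_senders(parse_vrp_config(ROUTER_B_CFG)))
```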
4.6.3 Example for Configuring Global Unequal-Cost Load Balancing for IP Packet Forwarding
This part provides an example for configuring global UCMP for IP packet forwarding.
Networking Requirements
As shown in Figure 4-3, Router A and Router C are connected through two links.
• GE 2/0/0 on Router A and GE 2/0/0 on Router B are connected through a physical link.
• The Eth-Trunk1 interface on Router A has two member interfaces, GE 3/0/0 and GE 4/0/0; the
  Eth-Trunk1 interface on Router B has two member interfaces, GE 3/0/0 and GE 4/0/0.
Because the Eth-Trunk1 interface has two GE member interfaces, its bandwidth is twice that of
a single physical link. The goal is to perform unequal-cost load balancing for IP packet
forwarding on the two links between Router A and Router C. In this example, unequal-cost
load balancing refers to global unequal-cost load balancing.
Figure 4-3 Networking diagram of configuring unequal-cost load balancing
[Figure: RouterA, RouterB, and RouterC in a line. RouterA and RouterB are joined by GE2/0/0 and by Eth-Trunk1 (member interfaces GE3/0/0 and GE4/0/0); RouterB and RouterC are joined by GE2/0/2. GE1/0/0 on RouterA is 10.1.1.1/24 and GE1/0/0 on RouterC is 20.1.1.1/24.]
Device Name   Interface Name   IP Address
Router A      GE 2/0/0         30.1.1.1/24
Router A      Eth-Trunk1       40.1.1.1/24
Router B      GE 2/0/0         30.1.1.2/24
Router B      Eth-Trunk1       40.1.1.2/24
Router B      GE 2/0/2         50.1.1.1/24
Router C      GE 2/0/2         50.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a static route on each device.
2. Enable unequal-cost load balancing on Router B so that the two links between Router A
and Router C can perform unequal-cost load balancing for IP packet forwarding.
Data Preparation
To complete the configuration, you need the following data:
• Interface type and number
• IP address of each interface
• Number of the Eth-Trunk
Procedure
Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.
Step 2 Configure a static route.
# Configure Router A.
[RouterA] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[RouterA] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[RouterA] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[RouterA] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
# Configure Router B.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.1
[RouterB] ip route-static 10.1.1.0 255.255.255.0 eth-trunk1 40.1.1.1
[RouterB] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.2
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[RouterC] ip route-static 30.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[RouterC] ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
Step 3 Enable unequal-cost load balancing on Router B.
[RouterB] load-balance unequal-cost enable
Step 4 Verify the configuration.
# Router C can ping 10.1.1.1 successfully. Run the display fib verbose command to view the
bandwidth information of the outbound interfaces. The command output shows that the
bandwidth of the Eth-Trunk1 interface is twice that of GE 2/0/0. This indicates that
unequal-cost load balancing is enabled.
[RouterC] ping -c 100 -t 10 -m 10 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
...
--- 10.1.1.1 ping statistics ---
100 packet(s) transmitted
99 packet(s) received
1.00% packet loss
round-trip min/avg/max = 1/1/6 ms
[RouterB] display fib 10.1.1.1 verbose
Route Entry Count: 2
Destination: 10.1.1.0 Mask : 255.255.255.0
Nexthop : 30.1.1.1 OutIf : GigabitEthernet2/0/2
LocalAddr : 30.1.1.2 LocalMask: 0.0.0.0
Flags : GSU Age : 11128sec
ATIndex : 0 Slot : 2
LspFwdFlag : 0 LspToken : 0x0
InLabel : NULL OriginAs : 0
BGPNextHop : 0.0.0.0 PeerAs : 0
QosInfo : 0x0 OriginQos: 0x0
NexthopBak : 0.0.0.0 OutIfBak : [No Intf]
LspTokenBak: 0x0 InLabelBak : NULL
LspToken_ForInLabelBak : 0x0
EntryRefCount : 0
VlanId : 0x0
LspType : 0 Label_ForLspTokenBak : 0
MplsMtu : 0 Gateway_ForLspTokenBak : 0
NextToken : 0x0 IfIndex_ForLspTokenBak : 0
Label_NextToken : 0 Label : 0
LspBfdState : 0
OutIfSpeed(Kbits/sec) : 1000000
Destination: 10.1.1.0 Mask : 255.255.255.0
Nexthop : 40.1.1.1 OutIf : Eth-Trunk1
LocalAddr : 40.1.1.2 LocalMask: 0.0.0.0
Flags : GSU Age : 11128sec
ATIndex : 0 Slot : 0
LspFwdFlag : 0 LspToken : 0x0
InLabel : NULL OriginAs : 0
BGPNextHop : 0.0.0.0 PeerAs : 0
QosInfo : 0x0 OriginQos: 0x0
NexthopBak : 0.0.0.0 OutIfBak : [No Intf]
LspTokenBak: 0x0 InLabelBak : NULL
LspToken_ForInLabelBak : 0x0
EntryRefCount : 0
VlanId : 0x0
LspType : 0 Label_ForLspTokenBak : 0
MplsMtu : 0 Gateway_ForLspTokenBak : 0
NextToken : 0x0 IfIndex_ForLspTokenBak : 0
Label_NextToken : 0 Label : 0
LspBfdState : 0
OutIfSpeed(Kbits/sec) : 2000000
----End
Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
interface Eth-Trunk1
ip address 40.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet4/0/0
undo shutdown
eth-trunk 1
#
ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
ip route-static 20.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
ip route-static 50.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
ip route-static 50.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
#
return
- Configuration file of Router B
#
sysname RouterB
#
load-balance unequal-cost enable
#
interface Eth-Trunk1
ip address 40.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
undo shutdown
ip address 50.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet4/0/0
undo shutdown
eth-trunk 1
#
ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.1
ip route-static 10.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.1
ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.2
#
return
- Configuration file of Router C
#
sysname RouterC
#
ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
ip route-static 30.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
undo shutdown
ip address 50.1.1.2 255.255.255.0
#
return
5 ACL Configuration
About This Chapter
You can distinguish packets through an ACL and process them in different manners.
5.1 ACL Overview
An ACL can be applied to multiple purposes, including PBR and packet filtering.
5.2 Configuring an Interface-based ACL
An interface-based ACL is an ACL that specifies rules according to interfaces that receive
packets.
5.3 Configuring a Basic ACL
When defining rules in a basic ACL, you can specify only source IP addresses.
5.4 Configuring an Advanced ACL
An advanced ACL defines rules based on the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type and code of ICMP.
5.5 Configuring an ACL Based on the Ethernet Frame Header
This section describes how to configure an Ethernet frame header-based ACL.
5.6 Configuring a UCL
This section describes how to configure a UCL.
5.7 Configuring a Named ACL
A named ACL is an advanced ACL. A named ACL defines rules based on the source address,
destination address, type of the protocol over IP, and protocol features, for example, the source
port and destination port of TCP and the type and code of ICMP.
5.8 Configuring an MPLS-based ACL
An MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.
5.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
5.1 ACL Overview
An ACL can be applied to multiple purposes, including PBR and packet filtering.
5.1.1 Introduction to ACL
An ACL is an ordered list of rules. It classifies packets according to these rules, and the device
then determines whether to accept the classified packets.
An ACL consists of a group of ordered rules, each of which is a rule { deny | permit } clause. The
rules are described by parameters such as the source address, the destination address, and the
port number of data packets. The ACL classifies data packets according to these rules. After the
rules are applied to the device, the device can determine whether to receive or deny packets.
ACLs are classified into the following types:
- Basic ACL: classifies packets based on the source address.
- Advanced ACL: classifies packets in more detail based on the source address, destination
address, source port number, destination port number, and protocol type.
- Interface-based ACL: classifies packets based on the interface from which the packets are
received.
- Ethernet Frame Header ACL: classifies packets in more detail based on the source MAC
address and destination MAC address.
- User ACL: classifies packets in more detail based on user groups.
NOTE
An ACL is only a group of rules used to define classes of packets. By itself, it cannot filter packets.
How the classified packets are processed depends on the function that uses the ACL. On the NE80E/40E,
an ACL must be used together with functions such as policy-based routing (PBR), firewall,
and traffic classification to filter packets.
The default action defined in an ACL rule is deny. Therefore, to allow the subsequent flows to pass, you
need to set the action in the ACL rule to permit.
5.1.2 ACL Supported by the NE80E/40E
According to the differences in filtering rules, ACLs can be categorized into interface-based
ACLs, basic ACLs, advanced ACLs, and MPLS ACLs.
The NE80E/40E supports interface-based ACLs, basic ACLs, advanced ACLs, Ethernet
frame header-based ACLs, and user-based ACLs (UCLs).
5.2 Configuring an Interface-based ACL
An interface-based ACL is an ACL that specifies rules according to interfaces that receive
packets.
5.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an interface-based ACL.
Applicable Environment
An ACL can be applied to various services such as route policies and packet filtering. It
distinguishes different kinds of packets for different processing.
Pre-configuration Tasks
None.
Data Preparation
To configure an ACL, you need the following data.
No.  Data
1    (Optional) Name of the time range in which the interface-based ACL takes effect and the start time and end time of the time range
2    Rule ID of the interface-based ACL, permit or deny rule
3    Interface type and interface number of the interface on which the interface-based ACL takes effect
4    (Optional) Description of the interface-based ACL
5    (Optional) Step of the interface-based ACL
5.2.2 (Optional) Creating a Time Range
By performing this configuration task, you can specify the time range when an ACL remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End
5.2.3 Creating an Interface-based ACL
This part describes how to create an interface-based ACL, whose number ranges from 1000 to
1999, and specify filtering rules according to the packet-receiving interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An interface-based ACL is created.
Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number |
any } [ logging | time-range time-name ] *
ACL rules are defined.
interface-type interface-number indicates the specified interface type and interface number.
any indicates any interface. logging takes effect on only software-based forwarding such as the
application of a routing policy.
----End
5.2.4 (Optional) Configuring ACL Descriptions
By configuring ACL descriptions, you can know the purpose of an ACL when viewing the
configuration of the ACL.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127
characters.
----End
5.2.5 (Optional) Configuring ACL Step
An ACL step is the difference between two adjacent automatically assigned ACL rule IDs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End
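The numbering behaviour described in this section, as an added example that is not part of the original guide: it models how rule IDs are assigned with a step, how the gaps let a rule be slotted in later, and what realignment does to the IDs. The exact scheme (an unnumbered rule takes the next multiple of the step above the highest ID; realignment renumbers the rules in order starting from the step value) is an assumption about device behaviour, and the class name and the rule texts marked constructed are hypothetical.

```python
class AclRuleIds:
    """Toy model of rule-ID numbering inside one ACL (assumed behaviour)."""

    def __init__(self, step=5):                 # 5 is the default step stated on the page
        self.step = step
        self.rules = {}                         # rule ID -> rule text

    def add(self, text, rule_id=None):
        """Add a rule; without an explicit ID, take the next multiple of the step."""
        if rule_id is None:
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        if rule_id in self.rules:
            raise ValueError(f"rule {rule_id} already exists")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """Change the step and realign the rules; returns {old ID: new ID}."""
        old_ids = sorted(self.rules)
        mapping = {old: (pos + 1) * step for pos, old in enumerate(old_ids)}
        self.rules = {mapping[old]: self.rules[old] for old in old_ids}
        self.step = step
        return mapping

    def listing(self):
        return [f"rule {rid} {self.rules[rid]}" for rid in sorted(self.rules)]


def demo():
    acl = AclRuleIds()
    acl.add("permit interface Pos4/0/0")                 # rule text from the page -> rule 5
    acl.add("permit interface GigabitEthernet1/0/0")     # constructed -> rule 10
    acl.add("deny interface any")                        # rule text from the page -> rule 15
    # The gap left by the step lets a permit be placed ahead of the catch-all deny.
    acl.add("permit interface GigabitEthernet2/0/0", rule_id=12)   # constructed
    before = acl.listing()
    mapping = acl.set_step(3)                            # realignment renumbers every rule
    return before, mapping, acl.listing()


if __name__ == "__main__":
    before, mapping, after = demo()
    print("\n".join(before))
    print(mapping)
    print("\n".join(after))
```

The relative order of the rules survives realignment, but the IDs do not: in this run ID 12 names a permit rule before the step change and the catch-all deny after it, so any change procedure that refers to rules by ID has to be re-read against display acl output first.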
5.2.6 Checking the Configuration
You can view the configuration of an interface-based ACL.
Prerequisite
The configurations of the ACL function are complete.
Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane command to check the
statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL
rules are displayed, the configuration has succeeded. For example:
<HUAWEI> display acl 1200
Interface Based ACL 1200, 1 rule
Acl's step is 5
rule 5 permit interface Pos4/0/0
Using the display statistics acl control-plane command, you can view the statistics about the
packets matching the ACL rule in soft forwarding.
<HUAWEI> display statistics acl 1000 control-plane
Interface Based ACL 1000, 1 rule
Acl's step is 5
rule 5 deny interface any (10 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
5.3 Configuring a Basic ACL
When defining rules in a basic ACL, you can specify only source IP addresses.
5.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring a basic ACL.
Applicable Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to
implement differentiated packet processing based on packet types. When defining rules for a
basic ACL, you need to specify source IP addresses.
Pre-configuration Tasks
None.
Data Preparation
To configure a basic ACL, you need the following data.
No.  Data
1    (Optional) Name of the time range in which the basic ACL takes effect and the start time and end time of the time range
2    Number of the basic ACL
3    Rule ID of the basic ACL, permit or deny rule, and source IP address
4    (Optional) Description of the basic ACL
5    (Optional) Step of the basic ACL
5.3.2 (Optional) Creating a Time Range
By performing this configuration task, you can specify the time range when an ACL remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End
5.3.3 Creating a Basic ACL
This part describes how to create a basic ACL, whose number ranges from 2000 to 2999, and
specify filtering rules according to source IP addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
A basic ACL is created.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source
{ source-ip-address source-wildcard | any } | time-range time-name | vpn-instance
vpn-instance-name ]*
ACL rules are defined.
----End
5.3.4 (Optional) Configuring ACL Descriptions
By configuring ACL descriptions, you can know the purpose of an ACL when viewing the
configuration of the ACL.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127
characters.
----End
5.3.5 (Optional) Configuring ACL Step
An ACL step is the difference between two adjacent automatically assigned ACL rule IDs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End
5.3.6 Checking the Configuration
You can view the configuration of a basic ACL.
Prerequisite
The configurations of the ACL function are complete.
Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane command to check the
statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL
rules are displayed, the configuration has succeeded. For example:
<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 10.1.1.1 0
Using the display statistics acl control-plane command, you can view the statistics about the
packets matching the ACL rule in soft forwarding.
<HUAWEI> display statistics acl 2000 control-plane
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 deny source 10.1.1.1 0 (234 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
5.4 Configuring an Advanced ACL
An advanced ACL defines rules based on the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type and code of ICMP.
5.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an advanced ACL.
Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to
implement differentiated packet processing based on packet types. When defining rules for an
advanced ACL, you need to specify the source IP address, destination IP address, IP bearer
protocol type, TCP source port, TCP destination port, or ICMP message type and code.
Pre-configuration Tasks
None.
Data Preparation
To configure an advanced ACL, you need the following data.
No.  Data
1    (Optional) Name of the time range in which the advanced ACL takes effect and the start time and end time of the time range
2    Number of the advanced ACL
3    Rule ID of the advanced ACL, permit or deny rule
4    IP bearer protocol type, source and destination ports, source and destination IP address, and source IP address fragmented or not, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
5    (Optional) Description of the advanced ACL
6    (Optional) Step of the advanced ACL
5.4.2 (Optional) Creating a Time Range
By performing this configuration task, you can specify the time range when an ACL remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End
5.4.3 Creating an Advanced ACL
This part describes how to create an advanced ACL, whose number ranges from 3000 to 3999,
and specify filtering rules according to the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type of ICMP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An advanced ACL is created.
Step 3 Perform the following as required.
- When protocol is specified as TCP or UDP
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp | precedence precedence | tos tos ] *
ACL rules are defined.
syn-flag syn-flag applies to TCP only.
- When protocol is specified as ICMP
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
ACL rules are defined.
- When protocol is specified as a protocol other than TCP, UDP or ICMP
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
ACL rules are defined.
Configure different advanced ACLs on the device for different protocols over IP. Different
protocols have different parameter combinations. For example, TCP and UDP have the optional
parameters [ source-port operator port ] [ destination-port operator port ] while other protocols
do not.
----End
5.4.4 (Optional) Configuring ACL Descriptions
By configuring ACL descriptions, you can know the purpose of an ACL when viewing the
configuration of the ACL.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127
characters.
----End
5.4.5 (Optional) Configuring ACL Step
An ACL step is the difference between two adjacent automatically assigned ACL rule IDs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End
5.4.6 Checking the Configuration
You can view the configuration of an advanced ACL.
Prerequisite
The configurations of the ACL function are complete.
Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl { acl-number | all } control-plane command to check the
statistics about the packets matching the ACL rule in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl command. If the ACL number, the number of rules, the step, and the ACL
rules are displayed, the configuration has succeeded. For example:
<HUAWEI> display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.1 0
Using the display statistics acl control-plane command, you can view the statistics about the
packets matching the ACL rule in soft forwarding.
<HUAWEI> display statistics acl 3000 control-plane
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip (1305 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
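An added example, not part of the original guide: a small auditor for advanced ACL rules in the display acl layout shown above. It evaluates packets against wildcard masks and flags rules that can never match because an earlier rule already covers them, plus permit rules that match every IP packet. It assumes match-order config (ascending rule ID, first match wins), handles only the source, destination and destination-port eq keywords, and the ACL 3001 listing and all function names are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

FULL = 0xFFFFFFFF
ANY = (0, FULL)          # (address, wildcard); a wildcard bit of 1 means "don't care"

# Constructed listing in the layout of "display acl" output (not from a real device).
SAMPLE = """\
Advanced ACL 3001, 4 rules
Acl's step is 5
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination 20.1.1.10 0 destination-port eq 22
 rule 10 deny tcp source 10.1.1.99 0 destination 20.1.1.10 0 destination-port eq 22
 rule 15 deny tcp destination 20.1.1.10 0 destination-port eq 22
 rule 20 permit ip
"""
RULE_RE = re.compile(r"^\s*rule (\d+) (permit|deny) (\S+)(.*)$")

@dataclass
class Rule:
    rule_id: int
    action: str
    proto: str
    src: tuple = ANY
    dst: tuple = ANY
    dport: Optional[int] = None

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def addr_spec(tokens):
    """Consume 'any' or 'address wildcard'; a wildcard of '0' is an exact host match."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    wild = tokens.pop(0)
    return (ip_int(first), 0 if wild == "0" else ip_int(wild))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # header lines such as "Acl's step is 5"
        rule = Rule(int(m.group(1)), m.group(2), m.group(3))
        # The statistics view appends "(N times matched)"; drop it before tokenising.
        tokens = re.sub(r"\(\d+ times matched\)", "", m.group(4)).split()
        while tokens:
            key = tokens.pop(0)
            if key == "source":
                rule.src = addr_spec(tokens)
            elif key == "destination":
                rule.dst = addr_spec(tokens)
            elif key == "destination-port" and tokens[:1] == ["eq"]:
                rule.dport = int(tokens[1])
                del tokens[:2]
            else:                         # refuse to guess at keywords we do not model
                raise ValueError(f"rule {rule.rule_id}: unsupported keyword {key!r}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r.rule_id)

def addr_match(spec, ip):
    addr, wild = spec
    return ((addr ^ ip) & ~wild & FULL) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """Return the first rule that matches the packet, or None if no rule matches."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (addr_match(r.src, ip_int(src)) and addr_match(r.dst, ip_int(dst))):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None

def addr_covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    return (b_wild & ~a_wild & FULL) == 0 and ((a_addr ^ b_addr) & ~a_wild & FULL) == 0

def covers(a, b):
    return (a.proto in ("ip", b.proto)
            and addr_covers(a.src, b.src) and addr_covers(a.dst, b.dst)
            and (a.dport is None or a.dport == b.dport))

def audit(rules):
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):    # the later rule can never be the first match
                findings.append(("shadowed", later.rule_id, earlier.rule_id))
                break
        if later.action == "permit" and later.proto == "ip" and later.src == later.dst == ANY:
            findings.append(("permit-any", later.rule_id, None))
    return findings

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for finding in audit(acl):
        print(finding)
    hit = evaluate(acl, "tcp", "10.1.1.99", "20.1.1.10", 22)
    print("10.1.1.99 -> 20.1.1.10:22 hits rule", hit.rule_id, hit.action)
```

In the constructed listing, rule 10 was meant to block host 10.1.1.99 but is shadowed by the broader permit in rule 5, so the host is still permitted. A rule that never shows a match count in display statistics acl output is worth checking for this ordering problem.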
5.5 Configuring an ACL Based on the Ethernet Frame Header
This section describes how to configure an Ethernet frame header-based ACL.
5.5.1 Establishing the Configuration Task
Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to
implement differentiated packet processing based on packet types. The rules for an ACL based
on the Ethernet frame header are defined on the basis of source MAC addresses, destination
MAC addresses, and protocol types of packets.
Pre-configuration Tasks
None.
Data Preparation
To configure an Ethernet frame header-based ACL, you need the following data.
No. Data
1 Number of the Ethernet frame header-based ACL
2 Source MAC addresses, destination MAC addresses, and protocol types
3 (Optional) Description of the Ethernet frame header-based ACL
4 (Optional) Step of the Ethernet frame header-based ACL
5.5.2 Creating an ACL Based on the Ethernet Frame Header
Context
The acl-number of an Ethernet frame header-based ACL ranges from 4000 to 4099.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
An Ethernet frame header-based ACL is created.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac
sourcemac-mask | dest-mac dest-mac destmac-mask ]
ACL rules are defined.
----End
5.5.3 (Optional) Configuring ACL Descriptions
By configuring ACL descriptions, you can know the purpose of an ACL when viewing the
configuration of the ACL.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
description text
ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127
characters.
----End
5.5.4 (Optional) Configuring ACL Step
An ACL step is the difference between two adjacent automatically assigned ACL rule IDs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying ACL configurations:
- The undo step command restores the step to the default and realigns ACL rules.
- The default step of the ACL rule is 5.
----End
5.5.5 Checking the Configuration
Prerequisite
The configurations of an Ethernet frame header-based ACL function are complete.
Procedure
- Run the display acl { acl-number | all } command to check the configured ACL rule.
- Run the display statistics acl control-plane { acl-number | all } control-plane [ |
{ begin | include | exclude } regular-expression ] command to check the statistics for the
packets matching the ACL rule in soft forwarding.
----End
Example
Run the display acl command. If the ACL number, the number of rules, step description, and
ACL rules are displayed, then the configuration has succeeded. For example:
<HUAWEI> display acl 4000
Ethernet frame ACL 4000, 2 rules
Acl's step is 5
rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002 0003-0003-0003
rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002
Using the display statistics acl control-plane command, you can view the statistics for the
packets matching the ACL rule in soft forwarding.
<HUAWEI> display statistics acl 4000 control-plane
Ethernet frame ACL 4000, 2 rules
Acl's step is 5
rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002
0003-0003-0003(45 times matched)
rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002(76 times
matched)
5.6 Configuring a UCL
This section describes how to configure a UCL.
5.6.1 Establishing the Configuration Task
Application Environment
After being configured with the user-based ACL (UCL), the device can provide different services
to different user groups. Similar to the configuration for advanced ACL, you need to specify
either the source IP address, destination IP address, IP bearer protocol type, TCP source port,
TCP destination port, or the ICMP message type and code for the UCL.
Pre-configuration Tasks
None.
Data Preparation
To configure a UCL, you need the following data.
No.  Data
1    (Optional) Name of the time range during which the advanced UCL takes effect and the start time and end time of the time range
2    Number of the UCL
3    Rule ID of the UCL, permit or deny rule
4    Either IP bearer protocol type, source and destination ports, source and destination IP address, and source IP address whether fragmented or not, or the ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
5    (Optional) Description of the UCL
6    (Optional) Step of the UCL
5.6.2 (Optional) Creating a Time Range
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End
5.6.3 Creating a UCL
Context
The range of acl-number for a UCL is 6000 to 9999.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
A UCL is created.
Step 3 Perform the following as required.
• If protocol is specified as TCP or UDP
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | destination-port operator port | fragment-type fragment-type-name | logging | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
syn-flag syn-flag applies to TCP only.
• If protocol is specified as ICMP
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | logging | time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | logging | time-range time-name | precedence precedence | tos tos ] *
• If protocol is specified as a protocol other than TCP, UDP, or ICMP
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | logging | time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol source user-group source-group-name [ destination { any | ip-address { destination-ip-address destination-wildcard | any } } | fragment-type fragment-type-name | logging | time-range time-name | precedence precedence | tos tos ] *
Configure different UCLs on the device for different IP protocols. Different protocols have
different combinations of parameters. For example, TCP and UDP have the optional parameter
[ source-port operator port ] [ destination-port operator port ] while other protocols do not.
----End
5.6.4 (Optional) Configuring ACL Descriptions
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl acl-number
The ACL view is displayed.
Step 3 Run:
description text
An ACL description is created.
The ACL description covers the functions of ACL rules. Its length should be less than 127
characters.
----End
5.6.5 (Optional) Configuring ACL Step
Context
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]
The ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying ACL configurations:
• The undo step command restores the step to the default and realigns ACL rules.
• The default step for ACL rules is 5.
----End
5.6.6 Checking the Configuration
Prerequisite
The configurations of the UCL function are complete.
Procedure
• Run the display acl { acl-number | all } command to check the configured ACL rule.
• Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl command. If the ACL number, the number of rules, step description, and
ACL rules are displayed, then the configuration has succeeded. For example:
<HUAWEI> display acl 6000
Ucl ACL 6000, 1 rule
Acl's step is 5
rule 5 deny tcp source user-group 1
Run the display time-range command. If the configuration and status of the current time range
are displayed, then the configuration has succeeded. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
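The Active and Inactive states in the output above can be recomputed offline, which helps when auditing which time-bound ACL rules are in force at a given moment. The following Python sketch is an added example, not Huawei code: the function names are hypothetical, only the two forms shown in the output (a daily range and an absolute from/to range) are handled, and it assumes that an end time of 00:00 means the end of the day and that periodic and absolute entries under one name are intersected.

```python
import re
from datetime import datetime

# Copied from the `display time-range all` output above.
DISPLAY_OUTPUT = """\
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
"""

NOW_RE = re.compile(r"Current time is (\d+):(\d+):(\d+) (\d+)-(\d+)-(\d+)")
HEAD_RE = re.compile(r"Time-range : (\S+) \( (Active|Inactive) \)")
DAILY_RE = re.compile(r"(\d+):(\d+) to (\d+):(\d+) daily")
ABS_RE = re.compile(
    r"from (\d+):(\d+) (\d+)/(\d+)/(\d+) to (\d+):(\d+) (\d+)/(\d+)/(\d+)")


def parse_display(text):
    """Return (current_time, {name: {"reported", "daily", "absolute"}})."""
    now, ranges, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := NOW_RE.match(line):
            hh, mm, ss, month, day, year = map(int, m.groups())  # month-day-year order
            now = datetime(year, month, day, hh, mm, ss)
        elif m := HEAD_RE.match(line):
            # Entries that share a name accumulate under the same key.
            current = ranges.setdefault(
                m.group(1), {"reported": m.group(2), "daily": [], "absolute": []})
        elif (m := DAILY_RE.match(line)) and current is not None:
            sh, sm, eh, em = map(int, m.groups())
            end = eh * 60 + em
            if end == 0:            # assumption: "to 00:00" means midnight at end of day
                end = 24 * 60
            current["daily"].append((sh * 60 + sm, end))
        elif (m := ABS_RE.match(line)) and current is not None:
            sh, sm, sy, smo, sd, eh, em, ey, emo, ed = map(int, m.groups())
            current["absolute"].append(
                (datetime(sy, smo, sd, sh, sm), datetime(ey, emo, ed, eh, em, 59)))
    return now, ranges


def is_active(entry, now):
    """Evaluate one named time range at `now`.

    Assumption: periodic entries are ORed, absolute entries are ORed, and when
    both kinds exist under one name the result is their intersection. Handling
    of the exact end minute of a periodic range is also an assumption.
    """
    minute = now.hour * 60 + now.minute
    in_daily = any(start <= minute < end for start, end in entry["daily"])
    in_abs = any(start <= now <= end for start, end in entry["absolute"])
    if entry["daily"] and entry["absolute"]:
        return in_daily and in_abs
    return in_daily or in_abs


def audit(text):
    """Return {name: (computed_state, reported_state)} for every time range."""
    now, ranges = parse_display(text)
    return {name: ("Active" if is_active(entry, now) else "Inactive", entry["reported"])
            for name, entry in ranges.items()}


if __name__ == "__main__":
    for name, (computed, reported) in audit(DISPLAY_OUTPUT).items():
        flag = "" if computed == reported else "  <-- mismatch"
        print(f"{name:8} computed={computed:8} reported={reported}{flag}")
```

A rule bound to a time range that evaluates as Inactive is not in effect at that moment, so a mismatch between the computed and reported state is worth checking against the device clock.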
5.7 Configuring a Named ACL
A named ACL is an advanced ACL. A named ACL defines rules based on the source address,
destination address, type of the protocol over IP, and protocol features, for example, the source
port and destination port of TCP and the type and code of ICMP.
5.7.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring a named ACL.
Application Environment
An ACL can be applied to various services, such as routing policies and packet filtering, to
implement differentiated packet processing based on packet types. Named ACLs are advanced
ACLs because you need to define rules for the named ACLs by specifying the source IP address,
destination IP address, IP bearer protocol type, TCP source port, TCP destination port, or ICMP
protocol type and code.
Pre-configuration Tasks
None.
Data Preparation
To configure a named ACL, you need the following data.
No. Data
1 (Optional) Name of the time range in which the named ACL takes effect and the start
time and end time of the time range
2 Rule ID of the named ACL, permit or deny rule, and source IP address
3 IP bearer protocol type, source and destination ports, destination IP address, or ICMP
message type and code, packet priority, ToS, and timeout period of the ACL rule
4 (Optional) Description of the named ACL
5 (Optional) Step of the named ACL
5.7.2 (Optional) Creating a Time Range
By performing this configuration task, you can specify the time range when an ACL remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
An ACL time range is created.
You can configure multiple time ranges with the same name.
----End
5.7.3 Creating a Named ACL
This part describes how to create an ACL whose name is a character string and how to specify
filtering rules according to the source address, destination address, type of the protocol over IP,
and protocol features, for example, the source port and destination port of TCP and the type of ICMP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl name acl-name [ number acl-number ] [ match-order { auto | config } ]
A named ACL is created and the named ACL view is displayed.
Step 3 Perform the following steps as required to configure rules for the named ACL. One ACL can
be configured with multiple rules.
• When protocol is TCP or UDP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | vpn-instance vpn-instance-name | syn-flag syn-flag | time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
syn-flag syn-flag needs to be specified only when TCP is used.
• When protocol is ICMP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
• When protocol is not TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
Configure different advanced ACLs on the device for different protocols over IP. Different
protocols have different combinations of parameters. For example, TCP and UDP have the optional
parameters [ source-port operator port ] [ destination-port operator port ] while other protocols
do not.
----End
5.7.4 (Optional) Configuring Named ACL Descriptions
An ACL description lets you identify the purpose of an ACL when viewing the
configuration of the ACL.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl name acl-name
The named ACL view is displayed.
Step 3 Run:
description text
The named ACL description is created.
The ACL description covers the function of ACL rules. Its length should be less than 127
characters.
----End
5.7.5 (Optional) Configuring Named ACL Step
An ACL step is the difference between two adjacent automatically assigned ACL rule numbers.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl name acl-name
The named ACL view is displayed.
Step 3 Run:
step step
ACL step is configured.
Note the following when modifying named ACL configurations:
• The undo step command restores the step to the default and realigns ACL rules.
• The default step of the ACL rule is 5.
----End
5.7.6 Checking the Configuration
You can view the configuration of a named ACL.
Prerequisite
The configurations of the ACL function are complete.
Procedure
• Run the display acl name acl-name command to check the configured ACL rule.
• Run the display statistics acl { acl-number | all | name acl-name } control-plane command
to check the statistics about the packets matching the ACL rule in soft forwarding.
----End
Example
# Check the configuration of the named ACL test.
<HUAWEI> display acl name test
Advanced Name ACL test, 1 rule
Acl's step is 5
rule 5 permit ip
# View the statistics about the packets matching the named ACL test in soft forwarding.
<HUAWEI> display statistics acl name test control-plane
Advanced ACL test, 2 rules
Acl's step is 5
rule 5 deny ip destination 1.1.5.0 0.0.0.255 (10 times matched)
rule 10 deny ip destination 1.1.6.0 0.0.0.255 (23 times matched)
5.8 Configuring an MPLS-based ACL
An MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.
5.8.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an MPLS-based ACL.
Application Environment
An MPLS-based ACL can be applied to QoS services. It defines rules to filter packets based on the
Exp value, Label value, and TTL value of MPLS packets.
Pre-configuration Tasks
None.
Data Preparation
To configure an MPLS-based ACL, you need the following data.
No. Data
1 Rule ID of the MPLS ACL, rules that are defined to deny or permit packets.
2 Exp value, Label value, and TTL value of MPLS packets.
5.8.2 Creating an MPLS-based ACL
This part describes how to create an MPLS-based ACL, whose number ranges from 10000 to
10999.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number
An MPLS-based ACL is created.
----End
5.8.3 Configuring Rules for an MPLS-based ACL
An MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number
The MPLS-based ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { ttl-operator ttl-value | any } &<1-3> ] *
Rules for the MPLS-based ACL are configured.
----End
5.8.4 Checking the Configuration
You can view the configuration of an MPLS-based ACL.
Prerequisite
The configuration of the MPLS-based ACL is complete.
Procedure
• Run the display acl { acl-number | all } command to check the configured ACL rule.
----End
Example
After running the preceding command, you can view the ACL number, number of ACL rules,
and rule contents.
<HUAWEI> display acl 10001
Mpls ACL 10001, 2 rules
Acl's step is 5
rule 5 permit exp 2 any any any (0 times matched)
rule 10 permit ttl gt 2 any any (0 times matched)
5.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
5.9.1 Example for Configuring a Traffic Policy Based on Complex Traffic Classification
This section provides an example for configuring traffic classifiers and traffic behaviors and
applying them in complex traffic classification.
Networking Requirements
As shown in Figure 5-1, PE1, P, and PE2 are routers on an MPLS backbone network; CE1 and
CE2 are access routers on the edge of the backbone network. Three users from the local network
access the Internet through CE1.
• On CE1, the CIR of the users from the network segment 1.1.1.0 is limited to 10 Mbit/s and
the CBS is limited to 150000 bytes.
• On CE1, the CIR of the users from the network segment 2.1.1.0 is limited to 5 Mbit/s and
the CBS is limited to 100000 bytes.
• On CE1, the CIR of the users from the network segment 3.1.1.0 is limited to 2 Mbit/s and
the CBS is limited to 100000 bytes.
• On CE1, the DSCP values of the service packets from the three network segments are
re-marked to 40, 26, and 0, respectively.
• PE1 accesses the MPLS backbone network at the CIR of 15 Mbit/s, the CBS of 300000
bytes, the PIR of 20 Mbit/s, and the PBS of 500000 bytes.
• On CE1, the CIR of the UDP packets (except DNS, SNMP, SNMP Trap, and Syslog
packets) is limited to 5 Mbit/s, the CBS is limited to 100000 bytes, and the PIR is limited
to 15 Mbit/s.
Figure 5-1 Diagram for configuring a traffic policy based on complex traffic classification
[Figure: topology diagram. The network segments 1.1.1.0, 2.1.1.0, and 3.1.1.0 attach to CE1; CE1 connects to PE1; PE1 and PE2 connect to P over POS links; PE2 connects to CE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ACL rules.
2. Configure traffic classifiers.
3. Configure traffic behaviors.
4. Configure traffic policies.
5. Apply traffic policies to interfaces.
Data Preparation
To complete the configuration, you need the following data:
• ACL numbers 2001, 2002, 2003, 3001, and 3002
• DSCP values of the packets from the three network segments, which are re-marked to be
40, 26, and 0 respectively
• CIRs (10 Mbit/s, 5 Mbit/s, and 2 Mbit/s) and CBSs (150000 bytes, 100000 bytes, and
100000 bytes) of the traffic from the three network segments
• CIR (5 Mbit/s), CBS (100000 bytes), and PIR (15 Mbit/s) of the UDP packets (except DNS,
SNMP, SNMP Trap, and Syslog packets) on CE1
• CIR (15 Mbit/s), CBS (300000 bytes), PIR (20 Mbit/s), and PBS (500000 bytes) of traffic
on PE1
• Names of traffic classifiers, traffic behaviors, and traffic policies, and numbers of interfaces
to which traffic policies are applied
Procedure
Step 1 Configure IP addresses of interfaces, routes, and basic MPLS functions. The detailed
configurations are not provided here.
Step 2 Configure complex traffic classification on CE1 to control the traffic that accesses CE1 from
the three local networks.
# Define ACL rules.
<CE1> system-view
[CE1] acl number 2001
[CE1-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255
[CE1-acl-basic-2001] quit
[CE1] acl number 2002
[CE1-acl-basic-2002] rule permit source 2.1.1.0 0.0.0.255
[CE1-acl-basic-2002] quit
[CE1] acl number 2003
[CE1-acl-basic-2003] rule permit source 3.1.1.0 0.0.0.255
[CE1-acl-basic-2003] quit
[CE1] acl number 3001
[CE1-acl-adv-3001] rule 0 permit udp destination-port eq dns
[CE1-acl-adv-3001] rule 1 permit udp destination-port eq snmp
[CE1-acl-adv-3001] rule 2 permit udp destination-port eq snmptrap
[CE1-acl-adv-3001] rule 3 permit udp destination-port eq syslog
[CE1-acl-adv-3001] quit
[CE1] acl number 3002
[CE1-acl-adv-3002] rule 4 permit udp
[CE1-acl-adv-3002] quit
# Configure traffic classifiers and define ACL-based matching rules.
[CE1] traffic classifier a
[CE1-classifier-a] if-match acl 2001
[CE1-classifier-a] quit
[CE1] traffic classifier b
[CE1-classifier-b] if-match acl 2002
[CE1-classifier-b] quit
[CE1] traffic classifier c
[CE1-classifier-c] if-match acl 2003
[CE1-classifier-c] quit
[CE1] traffic classifier udplimit
[CE1-classifier-udplimit] if-match acl 3001
[CE1-classifier-udplimit] quit
[CE1] traffic classifier udplimit1
[CE1-classifier-udplimit1] if-match acl 3002
[CE1-classifier-udplimit1] quit
After the preceding configuration, you can run the display traffic classifier command to view
the configuration of the traffic classifiers.
[CE1] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: a
Operator: OR
Rule(s): if-match acl 2001
Classifier: c
Operator: OR
Rule(s): if-match acl 2003
Classifier: b
Operator: OR
Rule(s): if-match acl 2002
Classifier: udplimit
Operator: OR
Rule(s) : if-match acl 3001
Classifier: udplimit1
Operator: OR
Rule(s) : if-match acl 3002
# Define traffic behaviors, configure traffic policing, and re-mark DSCP values.
[CE1] traffic behavior e
[CE1-behavior-e] car cir 10000 cbs 150000 pbs 0
[CE1-behavior-e] remark dscp 40
[CE1-behavior-e] quit
[CE1] traffic behavior f
[CE1-behavior-f] car cir 5000 cbs 100000 pbs 0
[CE1-behavior-f] remark dscp 26
[CE1-behavior-f] quit
[CE1] traffic behavior g
[CE1-behavior-g] car cir 2000 cbs 100000 pbs 0
[CE1-behavior-g] remark dscp 0
[CE1-behavior-g] quit
[CE1] traffic behavior udplimit
[CE1-behavior-udplimit] permit
[CE1-behavior-udplimit] quit
[CE1] traffic behavior udplimit1
[CE1-behavior-udplimit1] car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
[CE1-behavior-udplimit1] quit
# Define traffic policies and associate the traffic classifiers with the traffic behaviors.
[CE1] traffic policy 1
[CE1-trafficpolicy-1] classifier a behavior e
[CE1-trafficpolicy-1] quit
[CE1] traffic policy 2
[CE1-trafficpolicy-2] classifier b behavior f
[CE1-trafficpolicy-2] quit
[CE1] traffic policy 3
[CE1-trafficpolicy-3] classifier c behavior g
[CE1-trafficpolicy-3] quit
[CE1] traffic policy udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit behavior udplimit
[CE1-trafficpolicy-udplimit] classifier udplimit1 behavior udplimit1
[CE1-trafficpolicy-udplimit] quit
After the preceding configuration, run the display traffic policy command to view the
configuration of the traffic policies, traffic classifiers defined in the traffic policies, and the traffic
behaviors associated with traffic classifiers.
[CE1] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: 1
Classifier: default-class
Behavior: be
-none-
Classifier: a
Behavior: e
Committed Access Rate:
CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte)
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Marking:
Remark DSCP cs5
Policy: 2
Classifier: default-class
Behavior: be
-none-
Classifier: b
Behavior: f
Committed Access Rate:
CIR 5000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Marking:
Remark DSCP af31
Policy: 3
Classifier: default-class
Behavior: be
-none-
Classifier: c
Behavior: g
Committed Access Rate:
CIR 2000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte)
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Marking:
Remark DSCP default
Policy: udplimit
Classifier: default-class
Behavior: be
-none-
Classifier: udplimit
Behavior: udplimit
Firewall:
permit
Classifier: udplimit1
Behavior: udplimit1
Committed Access Rate:
CIR 5000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 15000 (byte)
Conform Action: pass
Yellow Action: discard
Exceed Action: discard
# Apply the traffic policies to the inbound interfaces.
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] undo shutdown
[CE1-GigabitEthernet1/0/0] traffic-policy 1 inbound
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 3/0/0
[CE1-GigabitEthernet3/0/0] undo shutdown
[CE1-GigabitEthernet3/0/0] traffic-policy 2 inbound
[CE1-GigabitEthernet3/0/0] quit
[CE1] interface gigabitethernet 4/0/0
[CE1-GigabitEthernet4/0/0] undo shutdown
[CE1-GigabitEthernet4/0/0] traffic-policy 3 inbound
[CE1-GigabitEthernet4/0/0] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] undo shutdown
[CE1-GigabitEthernet2/0/0] traffic-policy udplimit outbound
Step 3 Configure complex traffic classification on PE1 to control the traffic that goes to the MPLS
backbone network.
# Configure traffic classifiers and define matching rules.
<PE1> system-view
[PE1] traffic classifier pe
[PE1-classifier-pe] if-match any
[PE1-classifier-pe] quit
After the preceding configuration, you can run the display traffic classifier command to view
the configuration of the traffic classifiers.
[PE1] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: pe
Operator: OR
Rule(s): if-match any
# Define traffic behaviors and configure traffic policing.
[PE1] traffic behavior pe
[PE1-behavior-pe] car cir 15000 pir 20000 cbs 300000 pbs 500000
[PE1-behavior-pe] quit
# Define traffic policies and associate the traffic classifiers with the traffic behaviors.
[PE1] traffic policy pe
[PE1-trafficpolicy-pe] classifier pe behavior pe
[PE1-trafficpolicy-pe] quit
After the preceding configuration, you can run the display traffic policy command to view the
configuration of the traffic policies, traffic classifiers defined in the traffic policies, and the traffic
behaviors associated with the traffic classifiers.
[PE1] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: pe
Classifier: default-class
Behavior: be
-none-
Classifier: pe
Behavior: pe
Committed Access Rate:
CIR 15000 (Kbps), PIR 20000 (Kbps), CBS 300000 (byte), PBS 500000 (byte)
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
# Apply the traffic policies to the inbound interfaces.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] undo shutdown
[PE1-GigabitEthernet1/0/0] traffic-policy pe inbound
[PE1-GigabitEthernet1/0/0] quit
Step 4 Verify the configuration.
Run the display interface command on CE1 and PE1. You can see that the traffic on the
interfaces is controlled according to the configured traffic policies.
----End
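How the udplimit policy on CE1 sorts traffic can be checked offline before the policy is applied. The following Python sketch is an added example, not Huawei code: it parses the ACL rules typed in Step 2 and classifies constructed sample packets, assuming that rules match in ascending rule-ID order, that classifiers match in the order they were bound to the policy, that a rule typed without an ID receives the next multiple of the step, and the well-known port numbers for the keywords dns, snmp, snmptrap, and syslog. All function names are hypothetical.

```python
import ipaddress

# Keyword -> port number (well-known assignments; the procedure uses only the keywords).
PORT_NAMES = {"dns": 53, "snmp": 161, "snmptrap": 162, "syslog": 514}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
DEFAULT_STEP = 5  # default ACL step stated in this chapter

# Rules as typed on CE1 in Step 2 of the procedure.
CE1_ACLS = {
    2001: ["rule permit source 1.1.1.0 0.0.0.255"],
    3001: ["rule 0 permit udp destination-port eq dns",
           "rule 1 permit udp destination-port eq snmp",
           "rule 2 permit udp destination-port eq snmptrap",
           "rule 3 permit udp destination-port eq syslog"],
    3002: ["rule 4 permit udp"],
}
# (classifier, ACL, behavior) bindings of traffic policy udplimit, in binding order.
UDPLIMIT_POLICY = [
    ("udplimit", 3001, "permit"),
    ("udplimit1", 3002, "car cir 5000 cbs 100000 pbs 150000"),
]


def _addr_spec(tokens):
    """Parse 'any' or 'address wildcard'; return ((base, wildcard), tokens_used)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wildcard), 2


def parse_acl(lines, step=DEFAULT_STEP):
    """Parse the rule subset used here; auto-number rules typed without an ID."""
    rules = []
    for line in lines:
        tok = line.split()[1:]                      # drop the leading 'rule'
        if tok[0].isdigit():
            rule_id, tok = int(tok[0]), tok[1:]
        else:                                       # assumption: next multiple of step
            highest = max((r["id"] for r in rules), default=0)
            rule_id = (highest // step + 1) * step
        rule = {"id": rule_id, "action": tok[0], "proto": "ip",
                "source": None, "destination": None, "dport": None}
        i = 1
        if i < len(tok) and tok[i] in PROTOCOLS:
            rule["proto"], i = tok[i], i + 1
        while i < len(tok):
            if tok[i] in ("source", "destination"):
                rule[tok[i]], used = _addr_spec(tok[i + 1:])
                i += 1 + used
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                rule["dport"] = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
                i += 3
            else:
                raise ValueError(f"keyword not handled by this example: {tok[i]}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])     # ascending rule ID


def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the rule address."""
    if spec is None:
        return True
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def first_match(rules, pkt):
    """Return the first rule that matches the packet, or None."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        if wildcard_match(pkt["src"], r["source"]) and wildcard_match(pkt["dst"], r["destination"]):
            return r
    return None


def classify(policy, acls, pkt):
    """Return (classifier, behavior); unmatched traffic falls to default-class."""
    for classifier, acl_no, behavior in policy:
        hit = first_match(acls[acl_no], pkt)
        # Only permit rules occur here; deny hits inside a classifier are not modelled.
        if hit is not None and hit["action"] == "permit":
            return classifier, behavior
    return "default-class", "be"


def pkt(proto, dport, sport=40000):
    """Constructed sample packet leaving CE1 on GE2/0/0."""
    return {"proto": proto, "src": "1.1.1.10", "dst": "20.1.1.1", "sport": sport, "dport": dport}


ACLS = {number: parse_acl(lines) for number, lines in CE1_ACLS.items()}
SAMPLES = {"dns query": pkt("udp", 53), "syslog": pkt("udp", 514),
           "bulk udp": pkt("udp", 5000), "snmp reply": pkt("udp", 40001, sport=161),
           "http": pkt("tcp", 80)}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10} -> {classify(UDPLIMIT_POLICY, ACLS, sample)}")
```

The constructed SNMP reply lands in the rate-limited class udplimit1 because ACL 3001 matches on the destination port only, so traffic sourced from port 161 is not exempted.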
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
acl number 2001
rule 5 permit source 1.1.1.0 0.0.0.255
acl number 2002
rule 5 permit source 2.1.1.0 0.0.0.255
acl number 2003
rule 5 permit source 3.1.1.0 0.0.0.255
acl number 3001
rule 0 permit udp destination-port eq dns
rule 1 permit udp destination-port eq snmp
rule 2 permit udp destination-port eq snmptrap
rule 3 permit udp destination-port eq syslog
acl number 3002
rule 4 permit udp
#
traffic classifier a operator or
if-match acl 2001
traffic classifier c operator or
if-match acl 2003
traffic classifier b operator or
if-match acl 2002
traffic classifier udplimit operator or
if-match acl 3001
traffic classifier udplimit1 operator or
if-match acl 3002
#
traffic behavior e
car cir 10000 cbs 150000 pbs 0 green pass red discard
remark dscp cs5
traffic behavior g
car cir 2000 cbs 100000 pbs 0 green pass red discard
remark dscp default
traffic behavior f
car cir 5000 cbs 100000 pbs 0 green pass red discard
remark dscp af31
traffic behavior udplimit
traffic behavior udplimit1
car cir 5000 cbs 100000 pbs 150000 green pass yellow discard red discard
#
traffic policy 3
classifier c behavior g
traffic policy 2
classifier b behavior f
traffic policy 1
classifier a behavior e
traffic policy udplimit
classifier udplimit behavior udplimit
classifier udplimit1 behavior udplimit1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
traffic-policy 1 inbound
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
traffic-policy udplimit outbound
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 2.1.1.1 255.255.255.0
traffic-policy 2 inbound
#
interface GigabitEthernet4/0/0
undo shutdown
ip address 3.1.1.1 255.255.255.0
traffic-policy 3 inbound
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.1.1.0 0.0.0.255
network 3.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
• Configuration file of PE1
#
sysname PE1
#
mpls lsr-id 11.11.11.11
mpls
#
mpls ldp
#
traffic classifier pe operator or
if-match any
#
traffic behavior pe
car cir 15000 pir 20000 cbs 300000 pbs 500000 green pass yellow pass red discard
#
traffic policy pe
classifier pe behavior pe
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
traffic-policy pe inbound
#
interface Pos2/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 11.11.11.11 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 100.1.1.0 0.0.0.255
network 11.11.11.11 0.0.0.0
#
return
• Configuration file of P
#
sysname P
#
mpls lsr-id 33.33.33.33
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Pos2/0/0
link-protocol ppp
ip address 110.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 33.33.33.33 255.255.255.255
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 110.1.1.0 0.0.0.255
network 33.33.33.33 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
mpls lsr-id 22.22.22.22
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.2 255.255.255.0
#
interface Pos2/0/0
undo shutdown
ip address 110.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 22.22.22.22 255.255.255.255
#
ospf 10
area 0.0.0.0
network 110.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
network 22.22.22.22 0.0.0.0
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
5.9.2 Example for Configuring the Security Function of Access Devices
This section provides an example of configuring the security function of access devices.
Networking Requirements
As shown in Figure 5-2, Router A, Router B, and Router C are access devices; Router D, Router E,
and Router F are core devices. Access devices are connected to core devices by 10G interfaces.
The network provides voice and 3G services. Security policies need to be configured on access
devices to control the access of users and to guarantee the security of both the network and
devices.
Figure 5-2 Networking of configuring the security function of access devices
[Figure: networking diagram showing Router A, Router B, Router C, Router D, Router E, Router F, interface GE1/0/0, and the Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the passwords to be used for login in NMS and CLI modes.
2. Log information about login failures.
3. Create an Access Control List (ACL) to deny specified services carried on TCP and UDP
ports (to defend against viruses).
Data Preparation
To complete the configuration, you need the following data:
• IP address of each interface
• Passwords to be used for login in NMS and CLI modes
Procedure
Step 1 Configure an IP address for each interface. The configuration details are not mentioned here.
Step 2 Set the passwords to be used for login in NMS and CLI modes.
<RouterA> system-view
[RouterA] user-interface console 0
[RouterA-ui-con0] shell
[RouterA-ui-con0] authentication mode password
[RouterA-ui-con0] set authentication password cipher huawei
[RouterA-ui-con0] idle-timeout 30 0
[RouterA-ui-con0] quit
[RouterA] user-interface maximum-vty 15
[RouterA] user-interface vty 5 14
[RouterA-ui-vty5-14] shell
[RouterA-ui-vty5-14] authentication mode password
[RouterA-ui-vty5-14] set authentication password cipher huawei
[RouterA-ui-vty5-14] idle-timeout 30 0
[RouterA-ui-vty5-14] quit
NOTE
The configurations of the access devices are similar. Router A is used as an example.
Step 3 Set logs to be exported to the control console.
[RouterA] info-center enable
[RouterA] info-center source default channel 9 log level warning
[RouterA] info-center logfile channel channel9
[RouterA] quit
<RouterA> terminal logging
Step 4 Configure the ACL to prevent devices from being attacked through specified TCP and UDP
ports.
NOTE
The ACL must be applied on the access-side interface of the access device.
<RouterA> system-view
[RouterA] acl number 3001
[RouterA-acl-adv-3001] description anti-virus
[RouterA-acl-adv-3001] rule 5 deny tcp destination-port eq 445
[RouterA-acl-adv-3001] rule 10 deny udp destination-port eq 445
[RouterA-acl-adv-3001] rule 15 deny tcp destination-port eq 135
[RouterA-acl-adv-3001] rule 20 deny udp destination-port eq 135
[RouterA-acl-adv-3001] rule 25 deny tcp destination-port eq 137
[RouterA-acl-adv-3001] rule 30 deny udp destination-port eq netbios-ns
[RouterA-acl-adv-3001] rule 35 deny tcp destination-port eq 139
[RouterA-acl-adv-3001] rule 40 deny udp destination-port eq netbios-ssn
[RouterA-acl-adv-3001] rule 45 deny udp destination-port eq 1433
[RouterA-acl-adv-3001] rule 50 deny udp destination-port eq 1434
[RouterA-acl-adv-3001] rule 55 deny tcp destination-port eq 4444
[RouterA-acl-adv-3001] rule 60 deny tcp destination-port eq 5554
[RouterA-acl-adv-3001] rule 65 deny udp destination-port eq 5554
[RouterA-acl-adv-3001] rule 70 deny tcp destination-port eq 9996
[RouterA-acl-adv-3001] rule 75 deny udp destination-port eq 9996
[RouterA-acl-adv-3001] rule 110 permit ip
[RouterA-acl-adv-3001] quit
[RouterA] traffic classifier anti-virus operator or
[RouterA-classifier-anti-virus] if-match acl 3001
[RouterA-classifier-anti-virus] quit
[RouterA] traffic behavior anti-virus
[RouterA-behavior-anti-virus] quit
[RouterA] traffic policy anti-virus
[RouterA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
[RouterA-trafficpolicy-anti-virus] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus inbound
[RouterA-GigabitEthernet1/0/0] traffic-policy anti-virus outbound
----End
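The following Python script is an added example, not part of the Huawei guide: it replays the ACL 3001 rules from Step 4 against constructed packets and lists the ports that are denied for only one of TCP and UDP, so that a reviewer can confirm each of those is intended. It assumes rules are matched in ascending rule-ID order; the function names are illustrative.

```python
import re

# Port keywords that appear in ACL 3001, with their well-known port numbers.
PORT_KEYWORDS = {"netbios-ns": 137, "netbios-ssn": 139}

# Rule lines copied from the Router A configuration on this page.
ACL_3001 = """
rule 5 deny tcp destination-port eq 445
rule 10 deny udp destination-port eq 445
rule 15 deny tcp destination-port eq 135
rule 20 deny udp destination-port eq 135
rule 25 deny tcp destination-port eq 137
rule 30 deny udp destination-port eq netbios-ns
rule 35 deny tcp destination-port eq 139
rule 40 deny udp destination-port eq netbios-ssn
rule 45 deny udp destination-port eq 1433
rule 50 deny udp destination-port eq 1434
rule 55 deny tcp destination-port eq 4444
rule 60 deny tcp destination-port eq 5554
rule 65 deny udp destination-port eq 5554
rule 70 deny tcp destination-port eq 9996
rule 75 deny udp destination-port eq 9996
rule 110 permit ip
"""

# Only the rule forms used in ACL 3001 are supported by this example.
RULE_RE = re.compile(
    r"^rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip)"
    r"(?: destination-port eq (?P<port>\S+))?$"
)


def parse_acl(text):
    """Parse rule lines into (rule_id, action, protocol, port) tuples sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        port = m["port"]
        if port is not None:
            port = PORT_KEYWORDS[port] if port in PORT_KEYWORDS else int(port)
        rules.append((int(m["id"]), m["action"], m["proto"], port))
    return sorted(rules)


def evaluate(rules, proto, dport):
    """Return (rule_id, action) of the first rule that matches the packet.

    Assumption: rules are checked in ascending rule-ID order and the first hit wins.
    """
    for rule_id, action, rule_proto, rule_port in rules:
        if rule_proto != "ip" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return rule_id, action
    return None, "no-match"


def single_protocol_denies(rules):
    """Map each port denied for only one of TCP/UDP to the protocol left uncovered."""
    denied = {}
    for _, action, proto, port in rules:
        if action == "deny" and port is not None:
            denied.setdefault(port, set()).add(proto)
    both = {"tcp", "udp"}
    return {
        port: sorted(both - protos)
        for port, protos in sorted(denied.items())
        if protos != both
    }


RULES = parse_acl(ACL_3001)

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination port).
    for proto, dport in [("tcp", 445), ("udp", 137), ("tcp", 1433), ("tcp", 80)]:
        print(proto, dport, evaluate(RULES, proto, dport))
    print("denied for one protocol only:", single_protocol_denies(RULES))
```

Packets on the uncovered protocol of a listed port fall through to rule 110 and are permitted.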
Configuration Files
NOTE
Only the configuration file of Router A is provided.
• Configuration file of Router A
#
sysname RouterA
#
info-center source default channel 9 log level warning
#
acl number 3001
description anti-virus
rule 5 deny tcp destination-port eq 445
rule 10 deny udp destination-port eq 445
rule 15 deny tcp destination-port eq 135
rule 20 deny udp destination-port eq 135
rule 25 deny tcp destination-port eq 137
rule 30 deny udp destination-port eq netbios-ns
rule 35 deny tcp destination-port eq 139
rule 40 deny udp destination-port eq netbios-ssn
rule 45 deny udp destination-port eq 1433
rule 50 deny udp destination-port eq 1434
rule 55 deny tcp destination-port eq 4444
rule 60 deny tcp destination-port eq 5554
rule 65 deny udp destination-port eq 5554
rule 70 deny tcp destination-port eq 9996
rule 75 deny udp destination-port eq 9996
rule 110 permit ip
#
traffic classifier anti-virus operator or
if-match acl 3001
#
traffic behavior anti-virus
#
traffic policy anti-virus
classifier anti-virus behavior anti-virus
#
interface GigabitEthernet1/0/0
undo shutdown
traffic-policy anti-virus inbound
traffic-policy anti-virus outbound
#
user-interface maximum-vty 15
user-interface con 0
authentication-mode password
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
idle-timeout 30 0
user-interface vty 0 4
user-interface vty 5 14
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
idle-timeout 30 0
user-interface vty 16 20
#
return
5.9.3 Example for Configuring an ACL Rule that Is Based on the
VPN Instance
This section provides an example of configuring an ACL rule that is based on the VPN instance.
Networking Requirements
As shown in Figure 5-3, two VPN instances are configured on the PE1. CE1 belongs to VPN-
A, whose VPN-target is 111:1; CE2 belongs to VPN-B, whose VPN-target is 222:2. An ACL
rule is configured on the PE to permit users in VPN-A to log in to the PE through Telnet and to
prevent users in VPN-B from logging in to the PE. Users in different VPNs cannot communicate
with each other.
Figure 5-3 Typical networking of configuring an ACL rule
[Figure: PE1 (AS 100) connects through GE1/0/0 (10.1.1.1/24) to GE1/0/0 (10.1.1.2/24) on CE1 (VPN-A, AS 65410), and through GE2/0/0 (11.1.1.1/24) to GE1/0/0 (11.1.1.2/24) on CE2 (VPN-B, AS 65420).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances.
2. Define the ACL rule.
3. Grant users in different VPNs different permissions for logging in to the PE.
Data Preparation
To complete the configuration, you need the following data:
• ACL number
• VPN instance name
Procedure
Step 1 Configure VPN instances on the PE and connect CE1 and CE2 to the PE.
# Configure VPN-A.
<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 100:1
[PE-vpn-instance-vpna] vpn-target 111:1 both
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[PE-GigabitEthernet1/0/0] quit
# Configure VPN-B.
[PE] ip vpn-instance vpnb
[PE-vpn-instance-vpnb] route-distinguisher 100:2
[PE-vpn-instance-vpnb] vpn-target 222:2 both
[PE-vpn-instance-vpnb] quit
[PE] interface gigabitethernet 2/0/0
[PE-GigabitEthernet2/0/0] ip binding vpn-instance vpnb
[PE-GigabitEthernet2/0/0] ip address 11.1.1.1 24
[PE-GigabitEthernet2/0/0] quit
Step 2 Configure an ACL rule and then apply the rule on the PE. After that, users in VPN-A can log in
to the PE through Telnet; whereas users in VPN-B cannot log in to the PE.
[PE] acl number 2001
[PE-acl-adv-2001] rule permit vpn-instance vpna
[PE-acl-adv-2001] rule deny vpn-instance vpnb
[PE-acl-adv-2001] quit
Step 3 Use the ACL rule configured on the PE to control the login of users to the PE through Telnet.
[PE] user-interface vty 0 4
[PE-ui-vty0-4] authentication-mode none
[PE-ui-vty0-4] acl 2001 inbound
Step 4 Verify the configuration.
# Telnet CE1 to the PE.
<CE1> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
***********************************************************
* Copyright (C) 2000-2009 Huawei Technologies Co., Ltd *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<PE>
CE1 can log in to the PE through Telnet.
# Telnet CE2 to the PE.
<CE2> telnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
CE2 cannot log in to the PE through Telnet.
----End
Configuration Files
• Configuration file of the PE
#
sysname PE
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
acl number 2001
rule 5 permit vpn-instance vpna
rule 10 deny vpn-instance vpnb
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip binding vpn-instance vpnb
ip address 11.1.1.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
acl 2001 inbound
authentication-mode none
user-interface vty 16 20
#
return
• Configuration file of CE1
#
sysname CE1
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
• Configuration file of CE2
#
sysname CE2
#
aaa
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 11.1.1.2 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
6 Basic IPv6 Configuration
About This Chapter
The IPv6 protocol stack supports routing protocols and application protocols on an IPv6
network.
6.1 Basic IPv6 Overview
Internet Protocol version 6 (IPv6) is the proposed next generation of the Internet Protocol. It
was introduced by the Internet Engineering Task Force (IETF) and was formerly known as IPng.
6.2 Configuring an IPv6 Address for an Interface
Assigning an IPv6 address to a device on a network enables the device to communicate with the
other devices on the network.
6.3 Configuring an IPv6 Address Selection Policy Table
If multiple addresses are configured on an interface of the device, the IPv6 address selection
policy table can be used to select source and destination addresses for packets.
6.4 Configuring IPv6 Neighbor Discovery
IPv6 neighbor discovery (ND) is a packet transmission process to identify the relationship
between neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the Address
Resolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages,
and introduces neighbor reachability detection.
6.5 Configuring IPv6 SEND
The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor
Discovery Protocol (NDP) in IPv6.
6.6 Configuring PMTU
By setting the PMTU, you can select a proper MTU for packet transmission. In this manner,
packets do not have to be fragmented during transmission and loads on intermediate devices are
reduced. In addition, network resources are used more efficiently and the network throughput
reaches the optimal value.
6.7 Configuring TCP6
By setting TCP6 packets, you can improve the performance of the network.
6.8 Maintaining IPv6
This section describes how to maintain IPv6. Detailed operations include deleting information
about IPv6 operation and monitoring IPv6 operation.
6.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap. An example is used to describe how to configure an IPv6 address and
Neighbor Discovery Protocol for an interface.
6.1 Basic IPv6 Overview
Internet Protocol version 6 (IPv6) is the proposed next generation of the Internet Protocol. It
was introduced by the Internet Engineering Task Force (IETF) and was formerly known as IPng.
6.1.1 Introduction to IPv6
IPv6 is an upgraded version of IPv4 and solves many problems with IPv4.
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network
protocol of the second generation. It is a set of specifications designed by the Internet
Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable
difference between IPv6 and IPv4 is that the IP address lengthens from 32 bits to 128 bits.
6.1.2 IPv6 Supported by the NE80E/40E
The basic functions of IPv6 include IPv6 address configuration, IPv6 neighbor discovery,
duplicate address detection, router advertisement, ICMPv6 packet control, and Path MTU
(PMTU) configuration. The IPv6 protocol stack supports routing protocols and application
protocols.
The NE80E/40E supports the IPv6 protocol suite and TCP6 protocol suite.
IPv6 Address
A 128-bit IPv6 address has the following formats:
• X:X:X:X:X:X:X:X
  In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group
  are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are
  separated by colons. Every "X" represents a group of hexadecimal values.
• X:X:X:X:X:X:d.d.d.d
  This format is for the following types of addresses:
  - IPv4-compatible IPv6 address
  - IPv4-mapped IPv6 address
  An IPv4-compatible IPv6 address is used to configure an IPv6 over IPv4 tunnel.
  In this type of address, "X" represents the first six groups of numbers. Each "X" stands for
  16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four
  groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers.
  "d.d.d.d" is a standard IPv4 address.
An IPv6 address can be divided into two parts:
• Network prefix: equivalent to the network ID of an IPv4 address. It is n bits long.
• Interface identifier: equivalent to the host ID of an IPv4 address. It is 128-n bits long.
Selection of Source and Destination Addresses
When network administrators need to specify or plan source and destination addresses, they
can define a group of address selection rules. An address selection policy table can be created
based on these rules. Similar to a routing table, this table can be queried based on the longest
match rule. The address is selected based on the source and destination addresses.
IPv6 Neighbor Discovery
The IPv6 neighbor discovery (ND) is a group of messages and processes that define the
relationship between neighboring nodes. ND replaces the Address Resolution Protocol (ARP)
messages and the Internet Control Message Protocol (ICMP) device discovery messages. It also
provides additional functions.
IPv6 SEND
The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor
Discovery Protocol (NDP) in IPv6.
IPv6 PMTU
Generally, the problem that different networks have different Maximum Transmission Units
(MTU) can be solved in the following ways:
• Devices fragment packets as required. The source host only needs to fragment packets;
  however, the intermediate router not only needs to fragment packets, but also to reassemble
  packets.
• The source host sends packets based on a proper MTU so that packets need not be
  fragmented on the intermediate router. In such a case, packet processing burden on the
  intermediate router can be reduced. During IPv6 packet transmission, only this way can be
  adopted because IPv6 intermediate routers do not support packet fragmentation.
The Path MTU (PMTU) Discovery mechanism aims at finding a proper MTU value on the path
from the source to the destination.
IPv6 FIB
Connecting networks with different topologies requires the configuration of different routing
protocols, which gives rise to the Routing Information Base (RIB). The RIB is the basis of the
Forwarding Information Base (FIB). Guided by route management policies, a device extracts the
minimum necessary forwarding information from the RIB and adds the information to the FIB.
Through the route management module, you can also add static routes to the FIB.
A FIB contains a group of minimum information needed by a device during packet forwarding.
An FIB entry usually contains the destination address, prefix length, transport port, next-hop
address, route flag, and time stamp. A device forwards packets according to FIB entries.
The FIB mechanism consists of two parts: FIB agent (used on the control plane) and FIB
container (used on the forwarding plane). A FIB agent is responsible for interacting with the
RM module for delivering FIB entries to the forwarding engine, and to the I/O board in a
distributed system.
A FIB contains the following information:
• Destination address: indicates the network or host a packet is destined for.
• Prefix length: indicates the length of the destination address prefix. From the prefix length,
  you can infer that the destination address is a network address or a host address.
• Nexthop: indicates the address of the next hop through which the packet reaches the
  destination.
• Flag(s): identifies route features.
• Interface: indicates the outgoing interface of the packet.
• Timestamp: indicates the time when an FIB entry is established.
6.2 Configuring an IPv6 Address for an Interface
Assigning an IPv6 address to a device on a network enables the device to communicate with the
other devices on the network.
6.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for assigning an IPv6 address to an interface.
Applicable Environment
When a device communicates with an IPv6 device, you need to configure an IPv6 address for the
interface. The NE80E/40E supports configuring IPv6 addresses for the following interfaces:
• GigabitEthernet interfaces and sub-interfaces
• POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol
  support IPv6.)
• Tunnel interfaces
• Loopback interfaces
• Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces
• VLANIF interfaces
You can configure 10 addresses for one interface. Addresses can be the link-local address and
the global unicast address.
The link-local address is used in ND, and in the communication between nodes on the local link
in the stateless address auto-configuration. The packets using the link-local address as the source
or destination address are not forwarded to other links.
The link-local address can be automatically generated or manually configured. After automatic
address generation is enabled, the system automatically generates a link-local address. A
manually configured link-local address must be a valid link-local address
(FE80::/10).
It is recommended to automatically generate a link-local address because the link-local address
is used only for communication between nodes on the local link. It is typically used to meet the
communication requirements of protocols and is not directly related to the communication
between users.
The global unicast address is equivalent to the IPv4 public address. It is used for data forwarding
across the public network, which is necessary for the communication between users.
An EUI-64 address has the same function as a global unicast address. The difference is that
only the network bits need to be specified for the EUI-64 address and the host bits are derived
from the MAC address of the interface, while a complete 128-bit address needs to be specified
for the global unicast address. Note that the prefix length of the network bits in an EUI-64 address
must not be longer than 64 bits.
The EUI-64 address and the global unicast address can be configured simultaneously or
alternatively. However, the IP addresses configured for one interface cannot be in the same
network segment.
Pre-configuration Tasks
Before configuring IPv6 addresses, complete the following tasks:
• Configuring the physical features of the interface and ensuring that the status of the physical
  layer of the interface is Up
• Configuring the link layer parameters for the interface and ensuring that the status of the
  link layer protocol on the interface is Up
Data Preparation
To configure IPv6 addresses for an interface, you need the following data.
No. Data
1 Number of the interface
2 Link-local address configured manually
3 Global unicast address and prefix length
6.2.2 Enabling IPv6 Packet Forwarding Capability
You can perform other IPv6 configurations on an interface only when IPv6 is enabled in the
interface view. To enable IPv6 packet forwarding on an interface, you must configure IPv6 in
the system view.
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
  capability is enabled on a device. The IPv6 function, however, is not enabled on the interface
  and hence you cannot perform any IPv6 configurations.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is
  enabled only on an interface. Therefore, the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6
The IPv6 packet forwarding capability is enabled.
By default, the IPv6 packet forwarding capability is disabled.
To enable a device to forward IPv6 packets, you must run this command in the system view;
otherwise, the device cannot forward IPv6 packets although you enable IPv6 on the interface.
Step 3 Run:
interface interface-type interface-number
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
The IPv6 capability is enabled on the interface.
Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability
in the interface view.
By default, the IPv6 capability is disabled on the interface.
----End
6.2.3 Configuring an IPv6 Link-Local Address for an Interface
A link-local address is used in the neighbor discovery protocol and in communication between
nodes on the local link during stateless address auto-configuration. A link-local address is
valid only on its own link: a packet with a link-local address as the source or destination
address is forwarded only along the local link.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Perform the following as required.
Run:
ipv6 address auto link-local
Auto generation of the IPv6 link-local address is enabled.
Or
Run:
ipv6 address ipv6-address link-local
The IPv6 link-local address is manually configured.
Besides configuring a link-local address through the preceding two commands, you can also
configure a global unicast IPv6 address, which causes a link-local address to be generated
automatically. For details, see Configuring an IPv6 Global Unicast Address for an Interface.
----End
6.2.4 Configuring an IPv6 Global Unicast Address for an Interface
A global unicast IP address is equal to an Internet IPv4 address and can be used for links whose
route prefixes can be aggregated. In this manner, routing entries can be reduced.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } or ipv6
address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
The global unicast address is configured on the interface.
----End
6.2.5 Configuring an IPv6 Anycast Address for an Interface
An anycast address is used to identify a group of interfaces.
Context
Anycast addresses and unicast addresses are in the same address range. An anycast address is
used to identify a group of interfaces on different nodes.
• Similar to a multicast address, an anycast address is listened to by multiple nodes.
  Therefore, it is only used as a destination address.
• The packets destined for an anycast address are transmitted to an interface that is in the
  interface group identified by the anycast address and is closest to the source node. (The
  distance between an interface and the source node is calculated based on the routing
  protocol). The packets destined for a multicast address are transmitted to a group of
  interfaces with the multicast address.
When the 6to4 tunnel is used for the communication between the 6to4 network and the native
IPv6 network, the NE80E/40E supports the configuration of an anycast address with the prefix
of 2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.
Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route
device. When multiple 6to4 relay route devices are configured on the network, the difference
between the two methods is as follows:
• If a 6to4 address is used, you need to configure different addresses for tunnel interfaces
  of all devices.
• If an anycast address is used, you need to configure the same address for the tunnel
  interfaces of all devices. In this manner, the number of addresses is reduced.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast
An IPv6 anycast address is assigned to an interface.
----End
6.2.6 Checking the Configuration
You can view the configuration of the IPv6 address for an interface.
Prerequisite
The configurations of the IPv6 addresses are complete.
Procedure
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
  check the IPv6 information of an interface.
• Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]
  command to check the IPv6 packet statistics.
----End
Example
Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
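Why the interface in this output joined these groups, shown as an added Python example that is not part of the Huawei guide: it derives the EUI-64 interface identifier, the resulting link-local address, and the solicited-node multicast groups, and checks a manually chosen link-local address against FE80::/10. The MAC address 0000-0104-5d00 is an assumption inferred from the link-local address in the output; the function names are illustrative.

```python
import ipaddress

LINK_LOCAL_RANGE = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")

# Assumption: MAC inferred from the link-local address in the display output.
ASSUMED_MAC = "0000-0104-5d00"


def eui64_interface_id(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC address.

    FFFE is inserted between the two halves of the MAC and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a prefix of at most 64 bits with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("the prefix of an EUI-64 address must not be longer than 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr):
    """Solicited-node multicast group: FF02::1:FF00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def expected_groups(unicast_addresses, router=True):
    """Multicast groups an interface joins for its unicast addresses."""
    groups = {ALL_NODES}
    if router:
        groups.add(ALL_ROUTERS)
    groups.update(solicited_node(a) for a in unicast_addresses)
    return groups


def is_valid_link_local(addr):
    """A manually configured link-local address must fall inside FE80::/10."""
    return ipaddress.IPv6Address(addr) in LINK_LOCAL_RANGE


if __name__ == "__main__":
    link_local = eui64_address("fe80::/64", ASSUMED_MAC)
    print("link-local:", link_local)
    for group in sorted(expected_groups([link_local, "2001::1"])):
        print("joined group:", group)
    # Constructed candidates for a manually configured link-local address.
    for candidate in ("fe80::1", "fec0::1"):
        print(candidate, "valid link-local:", is_valid_link_local(candidate))
```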
Run the display ipv6 interface brief command. If the configured IPv6 address and interface status
are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet2/0/2 up up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3 up up
[IPv6 Address] 2001::1
LoopBack0 up up(s)
[IPv6 Address] Unassigned
Run the display ipv6 statistics command. If the statistics on IPv6 packets are displayed, it means
that the configuration succeeds.
<HUAWEI> display ipv6 statistics
IPv6 Protocol:
Sent packets:
Total : 3630
Local sent out : 3630 Forwarded : 0
Raw packets : 0 Discarded : 0
Fragmented : 0 Fragments : 0
Fragments failed : 0 Multicast : 0
Received packets:
Total : 3630 Local host : 3630
Hop count exceeded : 0 Header error : 0
Too big : 0 Routing failed : 0
Address error : 0 Protocol error : 0
Truncated : 0 Option error : 0
Fragments : 0 Reassembled : 0
Reassembly timeout : 0 Multicast : 0
6.3 Configuring an IPv6 Address Selection Policy Table
If multiple addresses are configured on an interface of the device, the IPv6 address selection
policy table can be used to select source and destination addresses for packets.
Applicable Environment
IPv6 addresses can be classified into different types based on different applications.
• Link-local addresses and global unicast addresses based on the effective range of the IPv6
  addresses
• Temporary addresses and public addresses based on security levels
• Home addresses and care-of addresses based on the application in the mobile IPv6 field
• Physical interface addresses and logical interface addresses based on the interface attributes
The preceding IPv6 addresses can be configured on the same interface of the router. In this case,
the device must select a source address or a destination address from multiple addresses on
the interface. If the device supports the IPv4/IPv6 dual-stack, it also must select IPv4 addresses
or IPv6 addresses for communication. For example, if a domain name maps to both an IPv4 address
and an IPv6 address, the system must select an address to respond to the DNS request of the
client.
An IPv6 address selection policy table solves the preceding problems. It defines a group of
address selection rules. The source and destination addresses of packets can be specified or
planned based on these rules. This table, similar to a routing table, can be queried by using the
longest matching rule. The address is selected based on the source and destination addresses.
• The label parameter can be used to determine the result of source address selection. The
  address whose label value is the same as the label value of the destination address is selected
  preferably as the source address.
• The destination address is selected based on both the label and the precedence parameters.
  If label values of the candidate addresses are the same, the address whose precedence value
  is largest is selected preferably as the destination address.
Pre-configuration Tasks
None.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length
precedence label
The source or destination address selection policies are configured.
By default, only default address selection policy entries are contained. These entries are prefixed
with ::1, ::, 2002::, FC00::, and ::ffff:0:0.
A maximum of 50 address selection policy entries are supported by the system.
----End
Checking the Configuration
Run the following commands to check the previous configuration.
l Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-
address prefix-length } command to check address selection policy entries.
Run the display ipv6 address-policy all command to check all address selection policy
entries, including the default entries and the entry with prefix 3:: that was configured by
using the ipv6 address-policy command.
<HUAWEI> display ipv6 address-policy all
Policy Table :
Total:6
-------------------------------------------------------------------------------
Prefix : :: PrefixLength : 0
Precedence : 40 Label : 1
Default : Yes
Prefix : ::1 PrefixLength : 128
Precedence : 50 Label : 0
Default : Yes
Prefix : ::FFFF:0.0.0.0 PrefixLength : 96
Precedence : 10 Label : 4
Default : Yes
Prefix : 3:: PrefixLength : 64
Precedence : 40 Label : 20
Default : No
Prefix : 2002:: PrefixLength : 16
Precedence : 30 Label : 2
Default : Yes
Prefix : FC00:: PrefixLength : 7
Precedence : 20 Label : 3
Default : Yes
-------------------------------------------------------------------------------
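The following Python sketch is an added example, not Huawei code. It models the policy table from the display output above: a longest-prefix lookup, source selection by matching label, and destination ordering by label match and then precedence. The function names and the 2001:db8::/32, fd00::/8 and 192.0.2.0/24 sample addresses are constructed, and the ordering is a simplified reading of the two rules stated above, not the router's full algorithm.

```python
import ipaddress
from typing import List, NamedTuple


class PolicyEntry(NamedTuple):
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int


# Entries copied from the "display ipv6 address-policy all" output above.
POLICY_TABLE = [
    PolicyEntry(ipaddress.IPv6Network("::/0"), 40, 1),
    PolicyEntry(ipaddress.IPv6Network("::1/128"), 50, 0),
    PolicyEntry(ipaddress.IPv6Network("::ffff:0:0/96"), 10, 4),
    PolicyEntry(ipaddress.IPv6Network("3::/64"), 40, 20),
    PolicyEntry(ipaddress.IPv6Network("2002::/16"), 30, 2),
    PolicyEntry(ipaddress.IPv6Network("fc00::/7"), 20, 3),
]


def to_ipv6(addr: str) -> ipaddress.IPv6Address:
    """Parse an address; an IPv4 address is looked up as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(0xFFFF00000000 | int(ip))
    return ip


def lookup(addr: str) -> PolicyEntry:
    """Longest-prefix match; ::/0 guarantees that at least one entry matches."""
    ip = to_ipv6(addr)
    matches = [e for e in POLICY_TABLE if ip in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen)


def select_source(destination: str, candidates: List[str]) -> str:
    """Prefer the candidate whose label equals the destination's label."""
    wanted = lookup(destination).label
    for src in candidates:
        if lookup(src).label == wanted:
            return src
    return candidates[0]  # no label match: fall back to the first candidate


def order_destinations(destinations: List[str], sources: List[str]) -> List[str]:
    """Sort destinations: label match with the chosen source first,
    then larger precedence first."""
    def key(dst: str):
        entry = lookup(dst)
        src_label = lookup(select_source(dst, sources)).label
        return (src_label != entry.label, -entry.precedence)
    return sorted(destinations, key=key)


if __name__ == "__main__":
    # Constructed dual-stack case: a name resolves to an IPv4 and an IPv6 address.
    local = ["2001:db8::5", "198.51.100.7"]
    print(order_destinations(["192.0.2.10", "2001:db8:1::1"], local))
    # The configured 3::/64 entry (label 20) steers source selection.
    print(select_source("3::99", ["2001:db8::5", "3::5"]))
```

With only a unique-local source available, a unique-local destination sorts ahead of a global one even though its precedence is lower, because the label match is evaluated first.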
6.4 Configuring IPv6 Neighbor Discovery
IPv6 neighbor discovery (ND) is a packet transmission process to identify the relationship
between neighboring nodes. The Neighbor Discovery Protocol (NDP) replaces the Address
Resolution Protocol (ARP), ICMP Router Discovery messages, and ICMP Redirect messages,
and introduces neighbor reachability detection.
6.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for IPv6 neighbor discovery.
Applicable Environment
After an IPv6 address is configured for a node, the node checks whether this address can be used
and does not conflict with any other address. If a node is a host, a router needs to notify the host
of the optimal next hop address of a packet to be sent by the host to a specific destination. If a
node is a router, it needs to advertise its address, address prefix, and other configuration
parameters to instruct hosts to configure parameters. During IPv6 packet forwarding, a node
needs to know the neighboring nodes' link-layer addresses and check their reachability. The
Neighbor Discovery (ND) function can be used to meet the requirements.
Most of the ND configurations are implemented based on the interfaces.
The IPv6 ND configuration is supported on the following interfaces:
l GigabitEthernet interfaces and their sub-interfaces
l POS interfaces (Only the POS interfaces configured with PPP or HDLC as the link protocol
support IPv6.)
l Tunnel interfaces
l Loopback interfaces
l Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and IP-Trunk interfaces
l VLANIF interfaces
NOTE
Though the POS interfaces can be configured with IPv6 ND-related commands, packet sending or packet
forwarding on these interfaces actually does not require neighbor entries.
Pre-configuration Tasks
Before configuring IPv6 neighbor discovery, complete the following tasks:
l Configuring the physical features for the interface and ensuring that the status of the
physical layer of the interface is Up
l Configuring link layer parameters for the interface
l Configuring the IPv6 address for the interface
Data Preparation
To configure IPv6 neighbor discovery, you need the following data.
No. Data
1 Number of interface which needs to be configured with IPv6 ND
2 IPv6 address and MAC address of the static neighbor
3 Intervals, prefix, and life duration of RA messages
4 Flag bit of automatic configuration
5 Hop limit of ND
6 Sending times of DAD
7 Intervals for re-transmitting NS messages
8 NUD reachable time
9 Interface MTU
6.4.2 Configuring Static Neighbors
By configuring a static neighbor, you can obtain the mapping of the IPv6 address and MAC
address of the neighbor.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run one of the following commands as required:
l To configure a static neighbor entry on a common Layer 3 interface, run the ipv6
neighbor ipv6-address mac-address command.
l To configure a static neighbor entry on a VLANIF interface, run the ipv6 neighbor ipv6-
address mac-address vid vlan-id interface-type interface-number command.
l To configure a static neighbor entry on a sub-interface for QinQ VLAN tag termination, run
the ipv6 neighbor ipv6-address mac-address vid vid [ cevid cevid ] command.
NOTE
If an interface is configured with dynamic QinQ, you cannot configure a static neighbor entry on it.
Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up
to 300 neighbors on each interface.
----End
6.4.3 Enabling RA Message Advertising
After being enabled with router advertisement, the device can send router advertisement
messages, providing prefixes for hosts.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 (Optional) Run:
undo ipv6 nd ra halt
The function of advertising RA messages is enabled.
----End
6.4.4 Setting the Interval for Advertising RA Messages
The device periodically sends router advertisement messages containing information such as
prefixes and flag bits.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }
The interval for advertising RA messages is configured.
By default, the maximum interval is 600 seconds and the minimum interval is 200 seconds.
The maximum interval cannot be shorter than the minimum interval.
When the maximum interval is less than 9 seconds, the minimum interval is set to the same value
as the maximum interval.
----End
6.4.5 Enabling Stateful Auto Configuration
After stateful auto-configuration is enabled, the host can obtain an IPv6 address through
stateful auto-configuration, for example, from a DHCP server.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 nd autoconfig managed-address-flag
The flag bit for stateful auto configuration addresses is set.
If this flag is set, hosts use the stateful protocol for address auto-configuration in addition to any
addresses auto-configured using stateless address auto-configuration.
Step 4 Run:
ipv6 nd autoconfig other-flag
The flag bit for other stateful configurations is set.
When this flag is set, hosts use the stateful protocol for auto-configuration of other (non-address)
information.
----End
6.4.6 Configuring the Address Prefixes to Be Advertised
Nodes of the local links can perform address auto-configuration by using prefixes of these
addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-
length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]
The prefix of RA messages is configured.
----End
6.4.7 Configuring Other Information to Be Advertised
A router advertisement message carries information such as the maximum number of hops,
prefix option, neighbor hold time, and keepalive time.
Context
Duplicate Address Detection (DAD) is a process of IPv6 automatic address configuration. You can
configure the number of DAD messages that are sent consecutively.
Set the interval for sending Neighbor Solicitation (NS) messages on the device. By default, the NS
retransmission interval is 1000 ms.
Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default, the
NUD value is 30000 ms.
The MTU of the interface determines whether to fragment IP packets on the interface. Default
MTUs vary with interface types. The MTU on a GigabitEthernet interface defaults to 1500
bytes.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6 nd hop-limit limit
ND hop limit is configured.
The value of limit ranges from 1 to 255. By default, it is 64.
Step 3 Run:
interface interface-type interface-number
The interface view is displayed.
Step 4 Run:
ipv6 nd ra hop-limit limit
The hop limit for RA messages sent from the interface is configured.
The value of limit ranges from 0 to 255. By default, it is 64.
NOTE
l If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA message
uses the value configured on the interface.
l If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message
uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.
Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime
The life duration of RA messages is configured.
NOTE
l When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must
be less than or equal to the life duration.
l By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
l By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration
is still 1800 seconds.
Step 6 Run:
ipv6 nd dad attempts value
The number of DAD messages to be sent is configured.
Step 7 Run:
ipv6 nd ns retrans-timer interval
The interval for re-sending NS messages is set.
Step 8 Run:
ipv6 nd nud reachable-time value
The NUD reachable time is set.
Step 9 Run:
ipv6 mtu mtu
MTU of the interface is configured.
The IPv6 MTU should be smaller than 9600 bytes on the GigabitEthernet of the LPUF-20.
----End
Follow-up Procedure
If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown
command in the interface view for the configuration to take effect.
6.4.8 Configuring the Default Router Priority and Route Information
RA packets that carry the default router priority and route information can be transmitted over
the local link. In this manner, a proper router can be selected to forward packets of a host.
Context
If a host is connected to multiple routers, the host must select a router to forward packets based
on the destination addresses of packets. The router can advertise the default router priority and
specified route information to the host so that the host can select a proper forwarding router
based on the destination addresses of packets.
After receiving the RA packets carrying the route information, the host updates its routing table.
When sending packets to another device, the host queries the routing table and selects a proper
route to send packets.
When receiving the RA packets that carry the priority of default routers, the host updates its
default router table. When sending packets to another device, if there is no route to be selected,
the host queries the default router table. Then, the host selects a router with the highest priority
on the local link to send packets. If the router is faulty, the host selects another router in
descending order of priority.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipv6 nd ra preference { high | medium | low }
The default router priority is configured in RA packets.
Step 4 Run:
ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime
[ preference { high | medium | low } ]
Route information is configured in RA packets.
----End
6.4.9 (Optional) Configuring Routed Proxy ND
This configuration can be used if an enterprise has two physical networks in different subnets
of the same IP network, but separated by a device. You must enable the proxy ND on the device
interface connected to the physical networks for the two networks to communicate.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
bas
A BAS interface is created and the BAS interface view is displayed.
Step 4 Run:
nd-proxy enable
Routed proxy ND is enabled.
----End
6.4.10 Checking the Configuration
You can view the configuration of IPv6 neighbor discovery.
Prerequisite
The configurations of the IPv6 neighbor discovery function are complete.
Procedure
l Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-
number | vpn-instance vpn-instance-name ], display ipv6 neighbors [ interface-type
interface-number [ vid vid [ cevid cevid ] ] ], or display ipv6 neighbors slot slot-id
[ verbose ] [ [vid vlan-id ] [ interface-type interface-number ] ] command to check the
neighbor information in the cache.
l Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ] command
to check the neighbor information in the cache.
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the IPv6 information of an interface. If the interface is in the Up state, the
configuration is successful.
----End
Example
Run the display ipv6 neighbors command. If the cache of the neighbor information contains
neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.
<HUAWEI> display ipv6 neighbors gigabitEthernet1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer : 00e0-fc89-fe6e State : STALE
Interface : GE1/0/0 Age : 7
VLAN : - CEVLAN: -
VPN name : vpn1 Is Router: TRUE
Secure FLAG : UN-SECURE
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer : 00e0-fc89-fe6e State : STALE
Interface : GE1/0/0 Age : 7
VLAN : - CEVLAN: -
VPN name : vpn1 Is Router: TRUE
Secure FLAG : UN-SECURE
---------------------------------------------------------
Total: 2 Dynamic: 2 Static: 0
Run the display ipv6 interface command. If information about the IPv6 address on the interface
is displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
Run the display ipv6 interface brief command. If information about the IPv6 address on the
interface and interface status are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet2/0/2 up up
[IPv6 Address] 2030::101:101
GigabitEthernet2/0/3 up up
[IPv6 Address] 2001::1
LoopBack0 up up(s)
[IPv6 Address] Unassigned
6.5 Configuring IPv6 SEND
The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor
Discovery Protocol (NDP) in IPv6.
6.5.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure of IPv6 SEND.
Applicable Environment
IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes on the link and
to ensure reachability between neighbors. Therefore, NDP must be secured. IPSec can protect
NDP, but this requires too many complicated configurations. Therefore, IPv6 SEND can be
configured to protect NDP.
The SEND protocol is designed to address the following attacks on NDP:
l Redirect attack: Neighbor Solicitation (NS) or Neighbor Advertisement (NA) spoofing,
malicious last hop router, spoofed redirect message, and replay attack
An attacking node causes packets of legitimate nodes to be sent to some other link-layer
addresses. This can be done by either sending an NS message with a different source link-
layer address option, or sending an NA message with a different destination link-layer
address option.
l Denial-of-Service (DoS) attack: Neighbor Unreachability Detection (NUD) failure,
Duplicate Address Detection (DAD) attack, bogus address configuration prefix, and
parameter spoofing
An attacker keeps sending fabricated NA messages in response to NUD NS messages. After
having failed to send NS messages several times, a host deletes the neighbor entries of
the attacked node, which causes the attacked node to fail to communicate with the host. An
attacker can also respond to every DAD attempt, simulating that it (the attacker) has already
taken the address claimed by the attacked node into use. In this case, the attacked node may
be unable to obtain an IP address and fail to work properly.
To counter the preceding security threats, SEND introduces two new options: a
Cryptographically Generated Addresses (CGA) option and a Rivest Shamir Adleman (RSA)
option.
l CGAs are used to make sure that the sender of a Neighbor Discovery (ND) message is the
"owner" of the claimed address. (The address is the source address of the ND message.)
l RSA is a digital signature of an ND message, and is used to verify the integrity of the ND
message and the validity of the ND message sender.
To counter the threats to NDP, SEND also defines two options in an ND message:
l Nonce option: used to prevent replay attacks by assuring that a particular NA message is
linked to the NS message that triggered it. For example, during the exchange of NS and
NA messages, both the NS and NA messages carry a Nonce option. The NS message sender
then determines whether the received NA message is valid based on the carried Nonce
option.
l Timestamp option: used to protect unsolicited advertisement and redirect messages. A
sender must ensure that each received message contains the latest timestamp.
Currently, IPv6 SEND is supported on the following types of interfaces:
l Ethernet interface and its sub-interfaces
l GigabitEthernet interface and its sub-interfaces
l Serial interface whose link protocol is PPP or HDLC
l POS interface whose link protocol is PPP or HDLC
l Eth-Trunk interface, Eth-Trunk sub-interfaces, and IP-Trunk interface
l VLANIF interface
NOTE
IPv6 ND related commands can be run on serial and POS interfaces, and no neighbor entries are needed
when packets are being sent or forwarded from these interfaces.
Pre-configuration Tasks
Before configuring IPv6 SEND, complete the following tasks:
l Setting parameters for the link layer protocols on the interfaces to ensure that the link layer
protocols are Up
l Configuring IPv6 ND
Data Preparation
To configure IPv6 SEND, you need the following data.
No. Data
1 RSA key pair name and associated parameter
2 Number of the interface where IPv6 SEND is configured
3 Modifier value and security level of a CGA address
4 CGA IPv6 address
5 Rate limit for processing received ND messages
6 Key length allowed on an interface
7 Timestamp parameters in an ND message
6.5.2 Configuring a CGA IPv6 Address
To enable IPv6 SEND to protect ND messages that carry CGA and RSA options, you need to
configure a CGA IPv6 address on an interface that sends ND messages.
Context
If a CGA IPv6 address is configured on an interface, the ND message sent by the interface will
carry CGA and RSA options. After receiving the ND message, the remote interface checks the
validity of the ND message sender and the integrity of the ND message based on the CGA and
RSA options.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
rsa key-pair label label-name modulus modulus-bits
An RSA key pair is created.
Step 3 Run:
interface interface-type interface-number
The view of the interface where a CGA IPv6 address needs to be configured is displayed.
Step 4 Run:
ipv6 security rsakey-pair key-label
The RSA key pair is bound to the interface to generate a CGA address.
Step 5 Run:
ipv6 security modifier sec-level sec-value [ modifier-value ]
The modifier value and security level are configured for the CGA address.
The modifier value can be manually configured only when the security level of the CGA address
is 0.
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga
Or
ipv6 address ipv6-address link-local cga
A CGA IPv6 address is configured.
----End
Follow-up Procedure
Run the ipv6 nd security strict command to enable the strict security mode on the interface.
NOTE
If a local device is enabled with the strict security mode whereas the remote device is not, the local device
considers the messages sent by the remote device invalid and discards them.
6.5.3 Configuring Strict IPv6 SEND
After the rate limit for processing received ND messages, the key length allowed on the interface,
and the timestamp in the ND messages are set, the system considers the received ND messages
that do not meet these requirements invalid.
Context
When working in strict security mode, an interface regards a received ND message as insecure
and discards it in the following cases:
l The rate of processing the received ND message exceeds the rate limit of the system.
l The key length in the received ND message is out of the length range allowed on the
interface.
l The difference between the receive time and the send time of the ND message is out of the
time range allowed on the interface.
NOTE
On a link, device A is configured with strict IPv6 SEND whereas device B is not. In this case, device A
regards the ND messages sent from device B as insecure and rejects them.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 (Optional) Run:
ipv6 nd security rate-limit ratelimit-value
The rate limit for processing received ND messages is set.
Step 3 Run:
interface interface-type interface-number
The interface view is displayed.
Step 4 (Optional) Run:
ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *
The key length allowed on the interface is set.
Step 5 (Optional) Run:
ipv6 nd security timestamp { fuzz-factor fuzz-value | delta delta-value | drift
drift-value } *
The timestamp configuration parameters are set.
Step 6 Run:
ipv6 nd security strict
The strict security mode is enabled on the interface.
----End
6.5.4 Checking the Configuration
The IPv6 SEND configurations can be checked.
Prerequisite
The configurations of IPv6 SEND are complete.
Procedure
l Run the display ipv6 security interface interface-type interface-number command to
check the IPv6 SEND configurations.
----End
Example
Run the display ipv6 security interface interface-type interface-number command, and you
can check the IPv6 SEND configurations.
<HUAWEI> display ipv6 security gigabitethernet 1/0/0
(L) : Link local address
SEND information for the interface : GigabitEthernet1/0/0
----------------------------------------------------------------------------
IPv6 address PrefixLength Collision Count
----------------------------------------------------------------------------
FE80::18A8:19F0:C5A4:7A52 (L) 10 0
1::18F5:E2FA:63CF:31DE 64 0
----------------------------------------------------------------------------
SEND sec value : 0
SEND security modifier value : 1::1
SEND RSA key label bound : huawei
SEND ND minimum key length value : 1280
SEND ND maximum key length value : 2000
SEND ND Timestamp delta value : 100
SEND ND Timestamp fuzz value : 2
SEND ND Timestamp drift value : 2
SEND ND fully secured mode : enabled
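The following Python sketch is an added example, not Huawei code. It shows how a CGA ties an address to a public key, the modifier, the security level and the collision count, following the generation and verification rules of RFC 3972. The public key bytes and the 2001:db8:0:1::/64 prefix are constructed, and the function names are hypothetical. The modifier search shows why a fixed modifier is only workable at security level 0: each higher level requires 16 more leading zero bits in Hash2.

```python
import hashlib
import ipaddress
from typing import NamedTuple

IID_MASK = 0x1CFFFFFFFFFFFFFF  # drops the 3 Sec bits and the u/g bits


class CGAParams(NamedTuple):
    modifier: bytes    # 16 octets
    prefix: bytes      # 8-octet subnet prefix
    collisions: int    # collision count, 0..2
    pubkey: bytes      # DER-encoded public key


# Constructed stand-in for a DER-encoded RSA public key (not a real key).
SAMPLE_PUBKEY = b"constructed-public-key-" + bytes(range(64))


def sec_of(address) -> int:
    """Security level: the three leftmost bits of the interface identifier."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def _hash1(p: CGAParams) -> int:
    data = p.modifier + p.prefix + bytes([p.collisions]) + p.pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """True if the leftmost 16*sec bits of the 112-bit Hash2 are zero."""
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(digest, "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix: str, pubkey: bytes, sec: int, modifier: int = 0):
    """Return (address, params). For sec > 0 the modifier is searched,
    which costs about 2**(16*sec) hashes; keep sec small when testing."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("need a /64 prefix and a security level of 0..7")
    while not _hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
    params = CGAParams(modifier.to_bytes(16, "big"),
                       net.network_address.packed[:8], 0, pubkey)
    iid = (_hash1(params) & IID_MASK) | (sec << 61)
    address = ipaddress.IPv6Address(params.prefix + iid.to_bytes(8, "big"))
    return address, params


def verify_cga(address, params: CGAParams) -> bool:
    """Receiver-side check that the address was derived from params."""
    addr = ipaddress.IPv6Address(address).packed
    if params.collisions not in (0, 1, 2) or len(params.modifier) != 16:
        return False
    if params.prefix != addr[:8]:
        return False
    iid = int.from_bytes(addr[8:], "big")
    if (_hash1(params) & IID_MASK) != (iid & IID_MASK):
        return False
    return _hash2_ok(params.modifier, params.pubkey, sec_of(address))


if __name__ == "__main__":
    start = int(ipaddress.IPv6Address("1::1"))  # modifier shown in the output above
    addr, params = generate_cga("2001:db8:0:1::/64", SAMPLE_PUBKEY, 0, start)
    print(addr, verify_cga(addr, params))
    forged = params._replace(pubkey=b"another-constructed-key")
    print(verify_cga(addr, forged))  # a different key does not verify
```

Both addresses in the display output above start their interface identifier with 0x18, so their Sec bits and u/g bits are zero, consistent with the displayed sec value of 0.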
6.6 Configuring PMTU
By setting the PMTU, you can select a proper MTU for packet transmission. In this manner,
packets do not have to be fragmented during transmission and loads on intermediate devices are
reduced. In addition, network resources are used more efficiently and the network throughput
reaches the optimal value.
6.6.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring the PMTU.
Applicable Environment
By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs
across the network. This avoids packet fragmentation, reduces the burden of the devices,
implements efficient usage of network resources and achieves the best throughput.
Pre-configuration Tasks
Before configuring PMTUs, complete the following tasks:
l Configuring the physical features for the interface and ensuring that the status of the
physical layer of the interface is Up
l Configuring the link layer protocol for the interface
Data Preparation
To configure PMTUs, you need the following data.
No. Data
1 IPv6 address and PMTU value to be configured
2 PMTU aging time
6.6.2 Creating Static PMTU Entries
You can configure a static PMTU according to the lowest MTU of the path that a packet is to
traverse. This speeds up packet transmission.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6 pathmtu ipv6-address [ path-mtu ]
The PMTU value of a specified IPv6 address is configured.
By default, the PMTU of the IPv6 address is 1500 bytes.
l The maximum number of static PMTU entries is 300.
l The maximum number of static PMTU entries of each VPN instance is 32.
l The maximum number of dynamic and static PMTU entries on the public network is 1024.
l The maximum number of PMTU entries in all VPN instances is 50000.
----End
6.6.3 Configuring PMTU Aging Time
By setting the PMTU aging time, you can change the keepalive time of dynamic PMTU entries
in the cache. A static PMTU entry never ages.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6 pathmtu age age-time
The aging time of PMTU is configured.
By default, the dynamic PMTU aging time is 10 minutes.
If a static PMTU entry exists, the dynamic PMTU does not take effect.
----End
6.6.4 Checking the Configuration
You can view the configuration of a PMTU.
Prerequisite
The configurations of the PMTU are complete.
Procedure
l Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check
all PMTU items.
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the current MTU of the interface.
----End
Example
Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the
aging time and type are displayed, it means that the configuration succeeds.
<HUAWEI> display ipv6 pathmtu all
IPv6 Destination Address ZoneID PathMTU Age Type
fe80::12 0 1300 40 Dynamic
2222::3 0 1280 -- Static
Run the display ipv6 interface command. If the current MTU of the interface is displayed, it
means that the configuration succeeds.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
6.7 Configuring TCP6
By setting TCP6 parameters, you can improve the performance of the network.
6.7.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring TCP6.
Applicable Environment
To optimize network performance, you need to adjust the TCP6 parameters.
Pre-configuration Tasks
Before configuring TCP6, complete the following tasks:
l Connecting and configuring the physical features for the interface and ensuring that the
status of the physical layer of the interface is Up
l Configuring the link layer protocol parameters for the interface and ensuring that the status
of the link layer protocol on the interface is Up
Data Preparation
To configure TCP6, you need the following data.
No. Data
1 Value of TCP6 FIN-WAIT timer
2 Value of TCP6 SYN-WAIT timer
3 Size of TCP6 Sliding Window
6.7.2 Configuring TCP6 Timers
By setting two TCP6 timers, you can control the TCP connection time.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
tcp ipv6 timer syn-timeout timer-value
The TCP6 SYN-WAIT timer is set.
By default, the SYN-WAIT timer is 75s.
Step 3 Run:
tcp ipv6 timer fin-timeout timer-value
The TCP6 FIN-WAIT timer is set.
By default, the FIN-WAIT timer is 675s.
----End
6.7.3 Configuring the Size of the TCP6 Sliding Window
By setting the sliding window size for TCP6, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the performance of the
network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
tcp ipv6 window window-size
The size of the TCP6 sliding window is configured.
The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the
TCP6 sliding window is 8 KB.
----End
6.7.4 Checking the Configuration
You can view the configuration of TCP6.
Prerequisite
The configurations of the TCP6 function are complete.
Procedure
• Run the display tcp ipv6 statistics command to check related TCP6 statistics.
• Run the display tcp ipv6 status command to check the TCP6 connection status.
• Run the display udp ipv6 statistics command to check related UDP6 statistics.
• Run the display ipv6 socket [ socktype socket-type ] [ task-id task-id socket-id socket-id ]
  command to check the information of the specified socket.
----End
Example
Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics
commands. If the connection status and statistics of TCP6 and UDP6 are displayed, the
configuration has succeeded.
<HUAWEI> display tcp ipv6 statistics
Received packets:
total: 0
packets in sequence: 0 (0 bytes)
window probe packets: 0
window update packets: 0
checksum error: 0
offset error: 0
short error: 0
duplicate packets: 0 (0 bytes)
partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets with data after window: 0 (0 bytes)
packets after close: 0
ACK packets: 0 (0 bytes)
duplicate ACK packets: 0
too much ACK packets: 0
packets dropped due to MD5 authentication failure: 0
packets receieved with MD5 Signature Option: 0
Sent packets:
total: 0
urgent packets: 0
control packets: 0 (including 0 RST)
window probe packets: 0
window update packets: 0
data packets: 0 (0 bytes)
data packets retransmitted: 0 (0 bytes)
ACK only packets: 0 (0 delayed)
packets sent with MD5 Signature Option: 0
Other Statistics:
retransmitted timeout: 0
connections dropped in retransmitted timeout: 0
keepalive timeout: 0
keepalive probe: 0
keepalive timeout, so connections disconnected: 0
initiated connections: 0
accepted connections: 0
established connections: 0
closed connections: 0 (dropped: 0, initiated dropped: 0)
<HUAWEI> display tcp ipv6 status
TCP6CB Local Address Foreign Address State
09e39ae4 3000::2->179 3000::1->49158 Time_Wait
09e36f24 3000::2->49152 3000::1->179 Established
07da08f8 ::->179 ::->0 Listening
07d96da8 ::->23 ::->0 Listening
<HUAWEI> display udp ipv6 statistics
Received packets:
total: 0
total(64bit high-capacity counter): 0
checksum error: 0
shorter than header: 0
invalid message length: 0
no socket on port: 0
no multicast port: 0
not delivered, input socket full: 0
input packets missing pcb cache: 0
packets sent for external pre processing: 1
Sent packets:
total: 0
total(64bit high-capacity counter): 0
Run the display ipv6 socket command. If the related socket information is displayed, it means
that the configuration succeeds.
<HUAWEI> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
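The connection table printed by display tcp ipv6 status is also a quick way to review which TCP6 services the router accepts on every address. The following parser is an added example, not part of the Huawei guide; the function names and the list of ports to report are assumptions, and the sample input is the output shown above.

```python
import re
from collections import Counter

# The `display tcp ipv6 status` output from the example above, embedded as sample input.
SAMPLE = """\
TCP6CB Local Address Foreign Address State
09e39ae4 3000::2->179 3000::1->49158 Time_Wait
09e36f24 3000::2->49152 3000::1->179 Established
07da08f8 ::->179 ::->0 Listening
07d96da8 ::->23 ::->0 Listening
"""

# One row: control-block id, local addr->port, foreign addr->port, state.
ROW = re.compile(
    r"^(?P<tcb>[0-9a-fA-F]{8})\s+(?P<laddr>\S+?)->(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+?)->(?P<fport>\d+)\s+(?P<state>\w+)$"
)

# Assumption (not from the guide): ports an operator wants reported when they
# accept connections on every address. 23 is Telnet, which is cleartext.
REVIEW_PORTS = {23: "Telnet (cleartext management)"}


def parse_status(text):
    """Return one dict per connection row; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
            rows.append(row)
    return rows


def wildcard_listeners(rows):
    """Local ports in Listening state that are bound to the unspecified address (::)."""
    return sorted(r["lport"] for r in rows
                  if r["state"] == "Listening" and r["laddr"] == "::")


def findings(rows):
    """Notes for wildcard listeners that appear on the review list."""
    return [f"port {p} listening on all IPv6 addresses: {REVIEW_PORTS[p]}"
            for p in wildcard_listeners(rows) if p in REVIEW_PORTS]


def state_counts(rows):
    """Number of connections per TCP state."""
    return Counter(r["state"] for r in rows)


if __name__ == "__main__":
    parsed = parse_status(SAMPLE)
    print(dict(state_counts(parsed)))
    for note in findings(parsed):
        print(note)
```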
6.8 Maintaining IPv6
This section describes how to maintain IPv6. Detailed operations include deleting information
about IPv6 operation and monitoring IPv6 operation.
6.8.1 Resetting IPv6
This section describes how to clear information about IPv6 operation by using the reset command.
Context
CAUTION
IPv6 statistics cannot be restored after they are cleared. Confirm the action before you run
the command.
Procedure
• Run the reset ipv6 statistics [ slot slot-id ] command in the user view to clear statistics of
  processing IPv6 packets after you confirm it.
• Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear
  PMTU entries in the cache after you confirm it.
• Run the reset ipv6 address-policy [ vpn-instance vpn-instance-name ] command in the
  user view to clear address selection policy entries.
• Run the reset ipv6 nd security statistics interface-type interface-number command in the
  user view to clear statistics on IPv6 SEND messages on a specified interface.
• Run the reset ipv6 nd security timestamp interface-type interface-number command in
  the user view to clear the timestamp of an IPv6 SEND message on a specified interface.
• Run the reset ipv6 nd security nonce interface-type interface-number command in the
  user view to clear the Nonce value of an IPv6 SEND message on a specified interface.
• Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type
  interface-number ] | interface-type interface-number [ dynamic | static ] } command in the
  user view to clear IPv6 neighbor entries in the cache after you confirm it.
• Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after
  you confirm it.
• Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics
  after you confirm it.
----End
6.8.2 Monitoring Network Operation Status of IPv6
This section describes IPv6 operation monitoring through the display command.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of IPv6.
Procedure
• Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
  view to check the IPv6 information about the interface.
• Run the display ipv6 statistics [ slot slot-id | interface interface-type interface-number ]
  command in any view to check IPv6 packet statistics.
• Run the display icmpv6 statistics [ slot slot-id | interface interface-type interface-number ]
  command in any view to check the operation of ICMPv6 packet statistics.
• Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type
  interface-number ], display ipv6 neighbors [ interface-type interface-number [ vid vid [ cevid
  cevid ] ] ], or display ipv6 neighbors slot slot-id [ verbose ] [ [ vid vlan-id ] [ interface-type
  interface-number ] ] command in any view to check contents about the neighbor cache.
• Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all |
  ipv6-address prefix-length } command in any view to check address selection policy entries.
• Run the display ipv6 security interface interface-type interface-number command in any
  view to check the IPv6 SEND configuration on a specified interface.
• Run the display ipv6 nd security timestamp interface-type interface-number command
  in any view to check the timestamp of an IPv6 SEND message.
• Run the display ipv6 nd security nonce interface-type interface-number command in any
  view to check the Nonce value of an IPv6 SEND message.
• Run the display ipv6 nd security statistics interface-type interface-number command in
  any view to check the statistics on IPv6 SEND messages.
• Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ]
  command in any view to check contents about the neighbor cache.
• Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any
  view to check all PMTU entries.
• Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.
• Run the display tcp ipv6 status command in any view to check TCP6 connection status.
• Run the display udp ipv6 statistics command in any view to check UDP6 statistics.
• Run the display ipv6 socket [ socktype socket-type ] [ task-id task-id socket-id socket-id ]
  command in any view to check information about the specified socket.
• Run the display ipv6 fib [ [ slot-id ] verbose ] command in any view to check information
  about the FIB.
----End
6.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap. An example is used to describe how to configure an IPv6 address and
Neighbor Discovery Protocol for an interface.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
6.9.1 Example for Configuring an IPv6 Address for an Interface
This part provides an example for configuring the IPv6 address of an interface.
Networking Requirement
As shown in Figure 6-1, Router A and Router B are connected through POS interfaces. It is
required to configure IPv6 global unicast addresses for the interfaces and test the connectivity
between them.
The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and
3001::2/64.
Figure 6-1 Networking diagram of configuring an IPv6 address for an interface
[Diagram: RouterA POS 1/0/0 (3001::1/64) is connected to RouterB POS 1/0/0 (3001::2/64).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 forwarding capability on devices.
2. Configure IPv6 global unicast addresses for the interfaces.
Data Preparation
To complete the configuration, you need the following data:
• Global unicast addresses of the interfaces
Procedure
Step 1 Enable IPv6 packet forwarding on Router A and Router B.
# Configure Router A
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
# Configure Router B
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
Step 2 Configure IPv6 global unicast addresses for the interfaces.
# Configure Router A.
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1/64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Configure Router B.
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2/64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
Step 3 Verify the configuration.
If the configuration succeeds, you can view the configured IPv6 global unicast addresses, and
the status of the interface and of the IPv6 protocol are both Up.
# Display interface information of Router A.
[RouterA] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::C964:0:B8B6:1
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FFB6:1
FF02::2
FF02::1
MTU is 4470 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display interface information of Router B.
[RouterB] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 4470 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# On Router A, ping the link-local address of Router B. Note that you need to use the parameter
-i to specify the interface.
[RouterA] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0
PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2D6F:0:7AF3:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms
# On Router A, ping the global unicast IPv6 address of Router B.
[RouterA] ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from 3001::2
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=4 hop limit=64 time = 20 ms
Reply from 3001::2
bytes=56 Sequence=5 hop limit=64 time = 40 ms
--- 3001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/38/50 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3001::1/64
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3001::2/64
#
return
6.9.2 Example for Configuring IPv6 Neighbor Discovery
This section provides an example of configuring IPv6 Neighbor Discovery.
Networking Requirements
As shown in Figure 6-2, the device is directly connected to the PC through GE 1/0/10. The PC
runs the Windows XP operating system.
Figure 6-2 Example for configuring IPv6 neighbor discovery
[Diagram: Router GE1/0/10 (3000::/64 eui-64) is directly connected to the PC.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the local unicast addresses of the link and EUI-64 site separately on GE 1/0/10.
2. Configure the RA prefix message to be advertised on GE 1/0/10 and enable the
advertisement of the RA prefix message.
Data Preparation
To complete the configuration, you need the following data:
• Local unicast addresses of the link and EUI-64 site on GE 1/0/10
• RA prefix message to be advertised
Procedure
Step 1 Enable the IPv6 forwarding on devices.
<HUAWEI> system-view
[HUAWEI] ipv6
Step 2 Configure the local unicast address of the link on GE 1/0/10.
[HUAWEI] interface gigabitethernet 1/0/10
[HUAWEI-GigabitEthernet1/0/10] undo shutdown
[HUAWEI-GigabitEthernet1/0/10] ipv6 enable
[HUAWEI-GigabitEthernet1/0/10] ipv6 address auto link-local
Step 3 Configure the local unicast address of the EUI-64 site on GE 1/0/10 and the prefix in the RA
message.
NOTE
A PC can automatically obtain the RA prefix message from devices only after the Router Advertisement
(RA) prefix message to be advertised is configured and the advertisement of the RA prefix message is
enabled on devices.
[HUAWEI-GigabitEthernet1/0/10] ipv6 address 3000::/64 eui-64
[HUAWEI-GigabitEthernet1/0/10] ipv6 nd ra prefix 3000::/64 1000 1000
[HUAWEI-GigabitEthernet1/0/10] undo ipv6 nd ra halt
Step 4 Verify the configuration.
If configurations are successful, you can view the configured local unicast address of the link
and the EUI-64 site and find that GE 1/0/10 is Up and IPv6 is Up.
# Display information about interfaces of devices.
[HUAWEI-GigabitEthernet1/0/10] display this ipv6 interface
GigabitEthernet1/0/10 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497
Global unicast address(es):
3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64
Joined group address(es):
FF02::1:FF7D:A497
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
# Display information about PCs.
Ethernet adapter 1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethe
rnet NIC #2
Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 110.1.1.33
Subnet Mask . . . . . . . . . . . : 255.0.0.0
IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078
IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6
IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
Default Gateway . . . . . . . . . : fe80::288:ff:fe10:b%6
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
# Ping the local unicast address of the link on the PC from the device with the use of the parameter
-i which specifies the interface corresponding to the local unicast address.
[HUAWEI-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i
gigabitethernet1/0/10
PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms
# Ping the local unicast address of the EUI-64 site of the PC from the device.
[HUAWEI-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078
PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=4 hop limit=64 time = 20 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=5 hop limit=64 time = 40 ms
--- 3000::78B3:4397:C0C4:F078 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/38/50 ms
----End
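The addresses in this example follow fixed derivation rules: an EUI-64 interface identifier is built from the interface MAC address, and each unicast address maps to a solicited-node multicast group. The sketch below is an added example, not part of the Huawei guide, with hypothetical function names; it reproduces the values in the outputs above and shows which addresses reveal the hardware address of the host.

```python
import ipaddress


def eui64_iid(mac):
    """48-bit MAC -> 64-bit interface identifier (insert FFFE, invert the U/L bit)."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 prefix and its own MAC address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_address(address):
    """Recover the MAC from an EUI-64 style address, or None if the FFFE marker is absent.

    Heuristic: a randomly generated identifier could contain FFFE by chance.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return "-".join(f"{o:02X}" for o in octets)


def solicited_node(address):
    """FF02::1:FFxx:xxxx group built from the low 24 bits of a unicast address."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def addresses_exposing_mac(addresses):
    """Map each address that embeds a MAC address to that MAC."""
    found = {}
    for a in addresses:
        mac = mac_from_address(a)
        if mac:
            found[a] = mac
    return found


# IPv6 addresses of the PC as shown in the output above (zone index removed).
PC_ADDRESSES = [
    "3000::78b3:4397:c0c4:f078",
    "3000::2e0:4cff:fe77:a1b6",
    "fe80::2e0:4cff:fe77:a1b6",
]

if __name__ == "__main__":
    print(slaac_address("3000::/64", "00-E0-4C-77-A1-B6"))
    print(solicited_node("3000::2E0:FCFF:FE7D:A497"))
    print(addresses_exposing_mac(PC_ADDRESSES))
```

The first PC address carries no FFFE marker, so it does not embed the MAC address; the other two do.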
Configuration Files
Configuration file of HUAWEI
#
sysname HUAWEI
#
ipv6
#
interface GigabitEthernet1/0/10
undo shutdown
ipv6 enable
ipv6 address 3000::/64 eui-64
ipv6 address auto link-local
ipv6 nd ra prefix 3000::/64 1000 1000
undo ipv6 nd ra halt
#
return
6.9.3 Example for Configuring IPv6 Address Selection Policy Table
This part describes how to configure an IPv6 address selection policy table.
Networking Requirements
As shown in Figure 6-3, the domain name (huawei.com) of Server A maps multiple IPv6
addresses. When Router A, as an IPv6 DNS client, accesses Server A by using the domain name
(huawei.com), the DNS Server sends all IPv6 addresses of Server A to Router A. Then, Router
A queries the IPv6 address selection policy table to select a proper IPv6 address as the destination
address of Server A.
Figure 6-3 Networking diagram for configuring an IPv6 address selection policy table
[Diagram: RouterA (DNS client; GE1/0/0 with fed0:1::2/64, 2001:2::2/64 and abcd::77/64), the DNS Server (abcd::1234/64) and Server A (huawei.com; 2001::1/64, a::1/64, b::1/64) are attached to the same Ethernet.]
Configuration Notes
None
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv6 address selection policy entries.
2. Configure dynamic IPv6 DNS services.
Data Preparation
To complete the configuration, you need the following data:
• IPv6 addresses on the interface of Router A
• Addresses, label values and precedence values of IPv6 address selection policy entries
• IPv6 addresses of the DNS server
Procedure
Step 1 Configure IPv6 address selection policy entries
# Configure IPv6 addresses for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local
[RouterA-GigabitEthernet1/0/0] ipv6 address fed0:1::2 64
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001:2::2 64
[RouterA-GigabitEthernet1/0/0] ipv6 address abcd::77 64
[RouterA-GigabitEthernet1/0/0] quit
# Configure destination address selection policies.
[RouterA] ipv6 address-policy fed0:1::2 128 100 100
[RouterA] ipv6 address-policy 2001::1 128 100 100
Step 2 Configure dynamic IPv6 DNS services.
[RouterA] dns resolve
[RouterA] dns server ipv6 abcd::1234
[RouterA] dns domain com
[RouterA] quit
Step 3 Verify the configuration.
# Run the ping ipv6 huawei.com command on Router A, and you can find that Server A can
be pinged successfully, with the destination IP address being 2001::1.
<RouterA> ping ipv6 huawei.com
Resolved Host (huawei.com -> 2001::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from 2001::1: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2001::1: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2001::1: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2001::1: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2001::1: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
# Run the display ipv6 interface gigabitethernet 1/0/0 command on Router A, and you can
view information about the IPv6 address of GigabitEthernet 1/0/0.
<RouterA> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
FED0:1::2, subnet is FED0:1::/64
2001:2::2, subnet is 2001:2::/64
ABCD::77, subnet is ABCD::/64
Joined group address(es):
FF02::1:FF00:77
FF02::2
FF02::1
FF02::1:FF00:2
FF02::1:FF00:1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Run the display ipv6 address-policy all command on Router A, and you can view information
about address selection policy entries.
<RouterA> display ipv6 address-policy all
Policy Table :
Total:7
-------------------------------------------------------------------------------
Prefix : :: PrefixLength : 0
Precedence : 40 Label : 1
Default : Yes
Prefix : ::1 PrefixLength : 128
Precedence : 50 Label : 0
Default : Yes
Prefix : ::FFFF:0.0.0.0 PrefixLength : 96
Precedence : 10 Label : 4
Default : Yes
Prefix : 2001::1 PrefixLength : 128
Precedence : 100 Label : 100
Default : No
Prefix : 2002:: PrefixLength : 16
Precedence : 30 Label : 2
Default : Yes
Prefix : FC00:: PrefixLength : 7
Precedence : 20 Label : 3
Default : Yes
Prefix : FED0:1::2 PrefixLength : 128
Precedence : 100 Label : 100
Default : No
-------------------------------------------------------------------------------
----End
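Why 2001::1 is chosen can be traced with a small model of the policy table lookup. This is an added example, not Huawei code: it applies longest-prefix match to the table printed above and then orders destinations with the "prefer matching label" and "prefer higher precedence" rules of RFC 6724, which is a simplification of the full rule set. The candidate list (2001::1, a::1, b::1) is an assumption based on the addresses in Figure 6-3, and the function names are hypothetical.

```python
import ipaddress

# Policy table as printed by `display ipv6 address-policy all` above:
# (prefix, precedence, label)
POLICY = [
    ("::/0", 40, 1),
    ("::1/128", 50, 0),
    ("::ffff:0:0/96", 10, 4),
    ("2001::1/128", 100, 100),
    ("2002::/16", 30, 2),
    ("fc00::/7", 20, 3),
    ("fed0:1::2/128", 100, 100),
]

# Addresses configured on GE1/0/0 of Router A in Step 1.
SOURCES = ["fed0:1::2", "2001:2::2", "abcd::77"]


def lookup(address, table=POLICY):
    """Longest-prefix match of an address against the policy table."""
    addr = ipaddress.IPv6Address(address)
    matches = [e for e in table if addr in ipaddress.IPv6Network(e[0])]
    prefix, precedence, label = max(
        matches, key=lambda e: ipaddress.IPv6Network(e[0]).prefixlen)
    return {"prefix": prefix, "precedence": precedence, "label": label}


def common_prefix_len(a, b):
    """Number of leading bits two addresses share."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def pick_source(destination, sources=SOURCES):
    """Prefer a source whose label matches the destination, then the longest shared prefix."""
    want = lookup(destination)["label"]
    return max(sources, key=lambda s: (lookup(s)["label"] == want,
                                       common_prefix_len(s, destination)))


def order_destinations(destinations, sources=SOURCES):
    """Sort candidates: matching source label first, then higher precedence."""
    def key(dest):
        entry = lookup(dest)
        label_match = lookup(pick_source(dest, sources))["label"] == entry["label"]
        return (not label_match, -entry["precedence"])
    return sorted(destinations, key=key)   # stable: ties keep the DNS answer order


if __name__ == "__main__":
    answers = ["a::1", "b::1", "2001::1"]   # constructed DNS answer order
    for d in order_destinations(answers):
        print(d, lookup(d), "source:", pick_source(d))
```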
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
dns resolve
dns server ipv6 abcd::1234
dns domain com
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address FED0:1::2/64
ipv6 address 2001:2::2/64
ipv6 address ABCD::77/64
ipv6 address FE80::1 link-local
#
ipv6 address-policy 2001::1 128 100 100
ipv6 address-policy FED0:1::2 128 100 100
#
return
6.9.4 Example for Configuring IPv6 SEND
This section provides examples for configuring IPv6 SEND.
Networking Requirements
As shown in Figure 6-4, IPv6 SEND is configured on Router A. Assume that Router B is an
attacker. When Router B sends messages to Router A, Router A regards them as invalid and
discards them.
Figure 6-4 Networking diagram for configuring IPv6 SEND
[Diagram: RouterA (SEND enabled; GE 1/0/0 with 3000::/64 cga and 1::1/64) is connected to RouterB (attacker; GE 1/0/0 with 3000::2/64 and 1::2/64).]
Configuration Notes
None.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a CGA IPv6 address and a common IPv6 address on Router A.
2. Enable the strict security mode on an interface of Router A.
3. Configure an IPv6 address for an interface on Router B.
Data Preparation
To complete the configuration, you need the following data:
• RSA key pair name
• Modifier value and security level of a CGA address
• CGA IPv6 address
• IPv6 address of Router B
Procedure
Step 1 Configure a CGA IPv6 address on Router A.
<HUAWEIA> system-view
[HUAWEIA] sysname RouterA
[RouterA] ipv6
[RouterA] rsa key-pair label huawei
NOTES: If the key modulus is greater than 512, It may take few minutes. Please
wait
Key Successfully Created
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 security rsakey-pair huawei
[RouterA-GigabitEthernet1/0/0] ipv6 security modifier sec-level 1
[RouterA-GigabitEthernet1/0/0] ipv6 address fe80::3 link-local cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 3000::2/64 cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 1::1/64
Step 2 Enable the strict security mode on an interface of Router A.
[RouterA-GigabitEthernet1/0/0] ipv6 nd security strict
Step 3 Configure an IPv6 address of Router B.
<HUAWEIB> system-view
[HUAWEIB] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address 3000::2/64
[RouterB-GigabitEthernet1/0/0] ipv6 address 1::2/64
Step 4 Verify the configuration.
If the configuration is successful, you can see that the IPv6 address and IPv6 SEND have been
configured and that the interface status and IPv6 protocol status are Up.
# View information about GE 1/0/0 on Router A.
[RouterA-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
Global unicast address(es):
3000::2092:84CE:827B:D5A4, subnet is 3000::/64
1::1, subnet is 1::/64
Joined group address(es):
FF02::1:FF7B:D5A4
FF02::2
FF02::1
FF02::1:FFD6:6CA8
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# View the IPv6 SEND configuration on GE 1/0/0 of Router A.
[RouterA-GigabitEthernet1/0/0] display ipv6 security interface gigabitethernet
1/0/0
(L) : Link local address
SEND information for the interface : GigabitEthernet1/0/0
----------------------------------------------------------------------------
IPv6 address PrefixLength Collision Count
----------------------------------------------------------------------------
FE80::3057:B5D6:6BD6:6CA8 (L) 10 0
3000::2092:84CE:827B:D5A4 64 0
----------------------------------------------------------------------------
SEND sec value : 1
SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
SEND RSA key label bound : huawei
SEND ND minimum key length value : 512
SEND ND maximum key length value : 2048
SEND ND Timestamp delta value : 300
SEND ND Timestamp fuzz value : 1
SEND ND Timestamp drift value : 1
SEND ND fully secured mode : enabled
# View information about GE 1/0/0 on Router B.
[RouterB-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
Global unicast address(es):
3000::2, subnet is 3000::/64
1::2, subnet is 1::/64
Joined group address(es):
FF02::1:FF00:2
FF02::2
FF02::1
FF02::1:FF13:8100
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Ping the CGA link-local address of Router A from Router B. The ping fails because IPv6
SEND is configured on Router A.
[RouterB-GigabitEthernet1/0/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 1/0/0
PING FE80::3057:B5D6:6BD6:6CA8 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
# Ping the CGA global unicast address of Router A from Router B. The ping fails because IPv6
SEND is configured on Router A.
[RouterB-GigabitEthernet1/0/0] ping ipv6 3000::2092:84CE:827B:D5A4
PING 3000::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 3000::2092:84CE:827B:D5A4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
# Ping the common global unicast address of Router A from Router B. The ping fails because
IPv6 SEND is configured on Router A.
[RouterB-GigabitEthernet1/0/0] ping ipv6 1::1
PING 1::1 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 1::1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
# Disable IPv6 SEND on Router A. The ping from Router B to Router A is successful. The
following part provides an example of pinging the CGA global unicast address of Router A.
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd security strict
[RouterB-GigabitEthernet1/0/0] ping ipv6 3000::2092:84CE:827B:D5A4
PING 3000::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
Reply from 3000::2092:84CE:827B:D5A4
bytes=56 Sequence=1 hop limit=64 time = 1 ms
Reply from 3000::2092:84CE:827B:D5A4
bytes=56 Sequence=2 hop limit=64 time = 20 ms
Reply from 3000::2092:84CE:827B:D5A4
bytes=56 Sequence=3 hop limit=64 time = 1 ms
Reply from 3000::2092:84CE:827B:D5A4
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from 3000::2092:84CE:827B:D5A4
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- 3000::2092:84CE:827B:D5A4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/4/20 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
rsa key-pair label huawei
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 security rsakey-pair huawei
ipv6 security modifier sec-level 1 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
ipv6 address 3000::/64 cga
ipv6 address 1::1/64
ipv6 address FE80::3057:B5D6:6BD6:6CA8 link-local cga
ipv6 nd security strict
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 3000::2/64
ipv6 address 1::2/64
ipv6 address auto link-local
#
return
6.9.5 Example for Configuring Default Router Priority and Route Information
This part describes how to configure default router priorities and route information.
Networking Requirements
As shown in Figure 6-5, a PC is connected to Router A and Router B by using Switch A. The
PC selects a proper router to forward packets based on destination addresses of packets.
Figure 6-5 Networking of Configuring Default Router Priorities and Route Information
[Figure: the PC (2002::1/64, 4004::1/64) connects through SwitchA to RouterA (GE1/0/0, 2002::2/64)
and RouterB (GE1/0/0, 4004::2/64).]
Configuration Notes
The PC supports RFC 4191, by which it can learn the default router priorities and route
information in RA packets.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure default router priorities and route information on Router A and Router B.
Data Preparation
To complete the configuration, you need the following data:
• IPv6 addresses of interfaces on Router A and Router B
• Default router priorities and route information
Procedure
Step 1 Configure default router priorities and route information.
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local
[RouterA-GigabitEthernet1/0/0] ipv6 address 2002::2/64
[RouterA-GigabitEthernet1/0/0] ipv6 nd ra preference high
[RouterA-GigabitEthernet1/0/0] ipv6 nd ra route-information 2002:: 64 lifetime 2000 preference high
[RouterA-GigabitEthernet1/0/0] quit
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterB-GigabitEthernet1/0/0] ipv6 address fe80::2 link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address 4004::2/64
[RouterB-GigabitEthernet1/0/0] ipv6 nd ra preference low
[RouterB-GigabitEthernet1/0/0] ipv6 nd ra route-information 4004:: 64 lifetime 2000 preference high
[RouterB-GigabitEthernet1/0/0] quit
Step 2 Verify the configuration.
# Check the configuration of the PC, and you can find that the default gateway of the PC is
Router A.
C:\Documents and Settings\Administrator>ipconfig /all
Ethernet adapter 1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethe
rnet NIC #2
Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 110.1.1.33
Subnet Mask . . . . . . . . . . . : 255.0.0.0
IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078
IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6
IP Address. . . . . . . . . . . . : 2002::1
IP Address. . . . . . . . . . . . : 4004::1
IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
Default Gateway . . . . . . . . . : 2002::2
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
# Check the routing table of the PC, and you can find the routing entries learned by the PC.
C:\Documents and Settings\Administrator>netsh
netsh>interface ipv6
netsh interface ipv6>show route
Querying active state...
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- ---- ------------------------ --- ---------------------
no Manual 3 4004::/64 4 fe80::2
no Manual 3 2002::/64 4 fe80::1
yes Manual 3 1414::/64 4 Local Area Connection
yes Manual 3 1212::/64 4 Local Area Connection
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::2/64
ipv6 address FE80::1 link-local
ipv6 nd ra preference high
ipv6 nd ra route-information 2002:: 64 lifetime 2000 preference high
undo ipv6 nd ra halt
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 4004::2/64
ipv6 address FE80::2 link-local
ipv6 nd ra preference low
ipv6 nd ra route-information 4004:: 64 lifetime 2000 preference high
undo ipv6 nd ra halt
#
return
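The route selection that Step 2 verifies on the PC can be modelled as follows. This is an added Python example, not Huawei code and not part of the original guide; it applies the RFC 4191 host rules (longest matching prefix first, then highest preference) to the RA values configured above. Assumptions: a constructed router lifetime of 1800 seconds, both routers reachable, and on-link prefix handling not modelled.

```python
import ipaddress
from dataclasses import dataclass

# 2-bit Prf field as carried in RAs and Route Information Options (RFC 4191)
PRF_HIGH, PRF_MEDIUM, PRF_RESERVED, PRF_LOW = 0b01, 0b00, 0b10, 0b11
_RANK = {PRF_HIGH: 1, PRF_MEDIUM: 0, PRF_LOW: -1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    router: str      # link-local address of the advertising router
    rank: int        # 1 = high, 0 = medium, -1 = low
    lifetime: int    # seconds


class HostRoutes:
    """Routing table of an RFC 4191 host, keyed by (prefix, advertising router)."""

    def __init__(self):
        self._routes = {}

    def process_ra(self, router, router_lifetime, prf, route_infos=()):
        # Default router preference: the reserved value is treated as medium.
        self._store(ipaddress.IPv6Network("::/0"), router,
                    _RANK.get(prf, 0), router_lifetime)
        for prefix, lifetime, info_prf in route_infos:
            if info_prf == PRF_RESERVED:
                continue  # a Route Information Option with reserved Prf is ignored
            self._store(ipaddress.IPv6Network(prefix), router,
                        _RANK[info_prf], lifetime)

    def _store(self, prefix, router, rank, lifetime):
        key = (prefix, router)
        if lifetime == 0:
            self._routes.pop(key, None)   # lifetime 0 withdraws the route
        else:
            self._routes[key] = Route(prefix, router, rank, lifetime)

    def next_hop(self, destination):
        dst = ipaddress.IPv6Address(destination)
        matches = [r for r in self._routes.values() if dst in r.prefix]
        if not matches:
            return None
        # Longest prefix wins; preference only breaks ties between equal prefixes.
        best = max(matches, key=lambda r: (r.prefix.prefixlen, r.rank))
        return best.router


def build_pc_routes():
    """RAs as configured on Router A (fe80::1) and Router B (fe80::2) above."""
    pc = HostRoutes()
    # Router A: ra preference high, route-information 2002:: 64 lifetime 2000 preference high
    pc.process_ra("fe80::1", 1800, PRF_HIGH, [("2002::/64", 2000, PRF_HIGH)])
    # Router B: ra preference low, route-information 4004:: 64 lifetime 2000 preference high
    pc.process_ra("fe80::2", 1800, PRF_LOW, [("4004::/64", 2000, PRF_HIGH)])
    return pc


if __name__ == "__main__":
    pc = build_pc_routes()
    # 2001:db8::1 is a constructed destination that matches no route information
    for dst in ("2002::99", "4004::99", "2001:db8::1"):
        print(dst, "->", pc.next_hop(dst))
```

Router B's low default router preference does not stop it from being chosen for 4004::/64, because the more specific route-information prefix is matched before preferences are compared.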
7 IPv6 DNS Configuration
About This Chapter
By configuring the IPv6 Domain Name System (DNS), you can enable network devices to
communicate with each other through their domain names.
7.1 IPv6 DNS Overview
The DNS is a host naming mechanism. It hierarchically assigns a meaningful, easy-to-remember
name to each host on the Internet.
7.2 Configuring IPv6 DNS
By configuring the IPv6 DNS, you can set up a mapping between a domain name and an IPv6
address. In this manner, you can enable the device to communicate with other devices.
7.3 Maintaining IPv6 DNS
This section describes how to maintain the IPv6 DNS. Detailed operations include deleting IPv6
DNS entries and monitoring IPv6 DNS operation.
7.4 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
7.1 IPv6 DNS Overview
The DNS is a host naming mechanism. It hierarchically assigns a meaningful, easy-to-remember
name to each host on the Internet.
7.1.1 Introduction to IPv6 DNS
After each host on the Internet is assigned a domain name, you can set up a mapping between the
domain name and the IP address of a host. You can then use meaningful, easy-to-remember domain
names instead of complicated IP addresses.
IPv6 DNS has two resolution modes: dynamic IPv6 DNS resolution and static IPv6 DNS
resolution. To resolve a domain name, the system first uses static IPv6 DNS resolution. If this
mode fails, the system uses dynamic IPv6 DNS resolution. To improve resolution efficiency,
you can put common domain names in a static domain name resolution table.
7.1.2 IPv6 DNS Supported by the NE80E/40E
IPv6 domain name resolution can be performed in either dynamic mode or static mode.
IPv6 domain name system (DNS) is similar to IPv4 DNS. For configurations of IPv4 DNS, refer
to "DNS Configuration."
7.2 Configuring IPv6 DNS
By configuring the IPv6 DNS, you can set up a mapping between a domain name and an IPv6
address. In this manner, you can enable the device to communicate with other devices.
7.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring the IPv6 DNS.
Applicable Environment
DNS needs to be configured if the local users log on to a device using domain names to
communicate with other devices. The IPv6 DNS entries show the mapping between domain
names and IPv6 addresses.
If users seldom use the domain name to access other devices, or if the DNS server is unavailable,
a static DNS needs to be configured. To configure a static IPv6 DNS, the network administrator
needs to know the relation between domain names and IPv6 addresses, and manually modify
the IPv6 DNS entry when the relation changes.
If the users need to use the domain name to access many devices, and the DNS server is available,
a dynamic DNS can be configured. The dynamic DNS needs to be supported by a DNS server.
Pre-configuration Tasks
Before configuring IPv6 DNS, configure the route between a local device and a DNS server.
Data Preparation
To configure IPv6 DNS, you need the following data.
No. Data
1 Domain name of the static IPv6 DNS entry and the corresponding IPv6 address
2 IPv6 address of the IPv6 DNS server
3 Domain name of the dynamic IPv6 DNS or the domain name list
7.2.2 Configuring a Static IPv6 DNS Entry
You can create a table of mappings between domain names and IPv6 addresses and add common
domain names to this table. When a client needs to use the IPv6 address corresponding to a
domain name, the client can search the table for the required IPv6 address. This improves the
efficiency of domain name resolution.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6 host host-name ipv6-address
The host name and the corresponding IPv6 address are configured.
If several IPv6 addresses are configured for the same host name, the IPv6 address configured
earliest is used when the host is looked up by name, for example, when you ping this host.
----End
7.2.3 Configuring the Dynamic IPv6 DNS Services
To perform dynamic domain name resolution, you need a special domain name resolution server,
which runs a server program. This server provides mappings between domain names and IPv6
addresses and receives resolution requests from the client.
Context
If the IPv6 DNS server is configured with a link-local address, the interface must also be
specified together with the IPv6 address.
Figure 7-1 DNS server connecting IPv4 and IPv6 networks
[Figure: a DNS server is connected to a DNS IPv4 client over an IPv4 link and to a DNS IPv6 client
over an IPv6 link.]
CAUTION
If multiple DNS servers are configured, the servers are queried in the order of configuration until
a proper response is received. If both IPv4 and IPv6 servers are configured, A queries are sent to
the IPv4 server first, whereas AAAA queries are sent to the IPv6 server first.
DNS domain suffixes can be configured on a device to extend domain name searches. If the DNS
search for a host name fails, the system appends a configured suffix to the host name after a "."
and continues the search. You can configure commonly used suffixes such as "com" and "net".
For example, if the search for the host name "huawei" fails, the system then searches for
"huawei.com" or "huawei.net".
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
dns resolve
The dynamic domain name resolution is enabled.
Step 3 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]
The IPv6 DNS server is configured.
Step 4 Run:
dns server ipv6 source-ip ipv6-address
The IPv6 address of the local device is specified.
After the source IPv6 address is specified, the local device uses that address as the source when
communicating with the IPv6 DNS server, to ensure the security of the communication.
Step 5 Run:
dns domain domain-name
The suffix of domain names is added.
----End
7.2.4 Checking the Configuration
You can view the configuration of the IPv6 DNS.
Prerequisite
The configurations of the IPv6 DNS function are complete.
Procedure
• Run the display ipv6 host command to check the static IPv6 DNS table.
• Run the display dns server command to check the configuration of the DNS server.
• Run the display dns domain command to check the configuration of the suffix list of the
domain name.
• Run the display dns ipv6 dynamic-host command to check the cache of the dynamic
domain name.
----End
Example
Run the display ipv6 host command. If the static IPv6 DNS entries, including the host name
and the IPv6 address, are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display ipv6 host
Host Age Flags IPv6Address (es)
RTB 0 static 20::1
RTA 0 static 20::2
Run the display dns server command. If the IPv6 addresses of all DNS servers are displayed,
it means that the configuration succeeds. For example:
<HUAWEI> display dns server
IPv4 Dns Servers :
Domain-server IpAddress
1 169.254.65.125
IPv6 Dns Servers:
Domain-server Ipv6Address (Interface Name)
1 3001::2
2 FE80::2 GigabitEthernet6/0/0
Run the display dns domain command. If the suffixes of the domain names are displayed, it
means that the configuration succeeds. For example:
<HUAWEI> display dns domain
No Domain-name
1 com
2 net
Run the display dns ipv6 dynamic-host command. If information about the cache of the
dynamic domain name is displayed, it means that the configuration succeeds. For example:
<HUAWEI> display dns ipv6 dynamic-host
No Domain-name Ipv6address TTL
1 huawei6 3001::2 6
7.3 Maintaining IPv6 DNS
This section describes how to maintain the IPv6 DNS. Detailed operations include deleting IPv6
DNS entries and monitoring IPv6 DNS operation.
7.3.1 Clearing IPv6 DNS Entries
This section describes IPv6 DNS entry clearance through the reset command.
Context
CAUTION
IPv6 DNS entries cannot be restored after being cleared. So, confirm the action before you use
this command.
Procedure
Step 1 Run the reset dns ipv6 dynamic-host command in the user view to clear the dynamic IPv6 DNS
entries in the domain name cache.
----End
7.3.2 Monitoring Network Operation Status of IPv6 DNS
This section describes IPv6 DNS operation monitoring through the display command.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of IPv6 DNS.
Procedure
• Run:
display dns domain
Domain names are checked.
• Run:
display dns server
Configurations of the DNS server are checked.
• Run:
display dns ipv6 dynamic-host
Contents about the cache of the IPv6 dynamic domain names are checked.
• Run:
display ipv6 host
The static DNS table is checked.
----End
7.4 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
7.4.1 Example for Configuring IPv6 DNS
This section provides an example of configuring the IPv6 DNS.
Networking Requirements
As shown in Figure 7-2, Router A functions as the IPv6 DNS client and, working jointly with the
IPv6 DNS server, can access the host whose IP address is 2002::1/64 by using the domain name
huawei.com.
On Router A, the static IPv6 DNS entries of Router B and Router C are configured. This ensures
that Router A can manage both the routers based on the domain names RouterB and RouterC.
Figure 7-2 Networking diagram of IPv6 DNS configurations
[Figure: RouterA (DNS client; GE1/0/0, 2001::1/64) connects to RouterB (GE1/0/1, 2001::2/64;
GE1/0/0, 2002::2/64), which connects to RouterC (GE1/0/0, 2002::3/64; GE1/0/1, 2003::1/64).
The host huawei.com is at 2002::1/64 and the DNS server is at 2003::2/64.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static IPv6 DNS entries.
2. Enable the DNS resolution function.
3. Configure the IPv6 address of the IPv6 DNS server.
4. Set the domain name suffix.
Data Preparation
To complete the configuration, you need the following data:
• Domain names of Router B and Router C
• IPv6 address of the IPv6 DNS server
• Domain name suffix
Procedure
Step 1 Configure Router A.
# Configure static IPv6 DNS entries.
<RouterA> system-view
[RouterA] ipv6 host RouterB 2001::2
[RouterA] ipv6 host RouterC 2002::3
# Enable the DNS resolution function.
[RouterA] dns resolve
# Configure the IPv6 address of the IPv6 DNS server.
[RouterA] dns server ipv6 2003::2
# Set the domain name suffix to ".net".
[RouterA] dns domain net
# Set the domain name suffix to ".com".
[RouterA] dns domain com
[RouterA] quit
NOTE
To resolve the domain name, you also need to configure the route from Router A to the IPv6 DNS server.
For details of how to configure the route, refer to the NE80E/40E Router Configuration Guide - IP Routing.
Step 2 Verify the configuration.
# Run the ping ipv6 huawei.com command on Router A. You can find that the Ping operation
succeeds, and the destination IP address is 2002::1.
<RouterA> ping ipv6 huawei.com
Resolved Host ( huawei.com -> 2002::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2002::1: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms
# Run the display ipv6 host command on Router A. You can view the mapping relationships
between the host names in static IPv6 DNS entries and the IPv6 addresses.
<RouterA> display ipv6 host
Host Age Flags IPv6Address (es)
RouterB 0 static 2001::2
RouterC 0 static 2002::3
# Run the display dns ipv6 dynamic-host command on Router A. You can view information
about dynamic IPv6 DNS entries in the dynamic cache.
<RouterA> display dns ipv6 dynamic-host
No Domain-name Ipv6address TTL
1 huawei.com 2002::1 3579
NOTE
TTL in the command output indicates the life time of the entry, in seconds.
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
ipv6 host RouterB 2001::2
ipv6 host RouterC 2002::3
#
dns resolve
dns server ipv6 2003::2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
ripng 1 enable
#
ripng 1
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2001::2/64
ripng 1 enable
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::2/64
ripng 1 enable
#
ripng 1
#
return
• Configuration file of Router C
#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2002::3/64
ripng 1 enable
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 2003::1/64
ripng 1 enable
#
ripng 1
#
return
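The resolution order described in 7.1.1 and 7.2.3, and the cache behaviour shown in 7.3.1 and in the TTL note above, can be traced with the following model of Router A. This is an added Python example, not Huawei code; the DNS server at 2003::2 is replaced by a constructed dictionary. Assumptions: suffixes are tried in configuration order, the dynamic cache is consulted before a query is sent, and failed lookups are not cached.

```python
class Ipv6DnsClient:
    """Model of the lookup order: static table, then dynamic resolution with suffixes."""

    def __init__(self, server_records, suffixes, ttl):
        self.static = {}               # host name -> addresses in configuration order
        self.cache = {}                # domain name -> (address, expiry time)
        self.server = server_records   # constructed stand-in for the DNS server
        self.suffixes = list(suffixes)
        self.ttl = ttl                 # seconds, as shown by display dns ipv6 dynamic-host
        self.now = 0                   # model clock, in seconds
        self.sent = []                 # every name that left the device as a query

    def add_static(self, host, address):
        # Models "ipv6 host host-name ipv6-address"
        self.static.setdefault(host.lower(), []).append(address)

    def resolve(self, name):
        key = name.lower()
        if key in self.static:
            # Static resolution is tried first; the earliest configured address is used.
            return self.static[key][0], "static"
        # Dynamic resolution: the name as given, then the name with each suffix appended.
        for candidate in [key] + [f"{key}.{s}" for s in self.suffixes]:
            hit = self.cache.get(candidate)
            if hit and hit[1] > self.now:
                return hit[0], "cache"
            self.sent.append(candidate)
            if candidate in self.server:
                address = self.server[candidate]
                self.cache[candidate] = (address, self.now + self.ttl)
                return address, "dynamic"
        return None, "unresolved"

    def reset_dynamic(self):
        # Models "reset dns ipv6 dynamic-host"
        self.cache.clear()


def build_router_a():
    """Router A as configured in 7.4.1."""
    server = {"huawei.com": "2002::1"}   # constructed record set for the server at 2003::2
    client = Ipv6DnsClient(server, suffixes=["net", "com"], ttl=3579)
    client.add_static("RouterB", "2001::2")
    client.add_static("RouterC", "2002::3")
    return client


if __name__ == "__main__":
    router_a = build_router_a()
    print(router_a.resolve("RouterB"))   # answered locally, no query is sent
    print(router_a.resolve("huawei"))    # resolved through the suffix list
    print(router_a.sent)                 # names that were sent to the DNS server
```

The sent list shows that a short name such as "huawei" is sent to the server once as given and once per configured suffix until a record is found, while static entries never generate a query.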
8 ACL6 Configuration
About This Chapter
You can distinguish packets through an ACL6 and process them in different manners.
8.1 ACL6 Overview
An ACL can be applied to multiple purposes, including PBR and packet filtering.
8.2 Configuring an Interface-based ACL6
An interface-based ACL6 is an ACL that specifies rules according to interfaces that receive
packets.
8.3 Configuring a Basic ACL6
When defining rules in a basic ACL6, you can specify only source IP addresses.
8.4 Configuring an Advanced ACL6
An advanced ACL6 defines rules based on the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type and code of ICMP.
8.5 Configuring a Named ACL6
A named ACL is an advanced ACL6. A named ACL defines rules based on the source address,
destination address, type of the protocol over IP, and protocol features, for example, the source
port and destination port of TCP and the type and code of ICMP.
8.6 Maintaining ACL6
This section describes how to maintain an ACL6. Detailed operations include deleting ACL6
statistics and monitoring the ACL6 operation.
8.7 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagram. Each
configuration example consists of the networking requirements, configuration precautions,
configuration roadmap, configuration procedures, and configuration files.
8.1 ACL6 Overview
An ACL can be applied to multiple purposes, including PBR and packet filtering.
8.1.1 Introduction to ACL6
An ACL is a list of rules. An IPv6 ACL classifies packets according to ACL rules, and then a
router determines whether to accept the classified packets according to these ACL rules.
NOTE
In this manual, ACL refers to the list that filters IPv4 packets and ACL6 to the list that filters IPv6 packets.
8.1.2 ACL6 Supported by the NE80E/40E
According to the differences in filtering rules, ACL6s can be categorized into interface-based
ACL6s, basic ACL6s, and advanced ACL6s.
ACL6 is classified into the following types based on application goals:
• Basic ACL6: classifies data packets only based on the source IP addresses.
• Advanced ACL6: classifies data packets in more detail based on the source and
destination IP addresses, source and destination port numbers, and protocol type.
• Interface-based ACL6: classifies data packets based on the interfaces that receive packets.
8.2 Configuring an Interface-based ACL6
An interface-based ACL6 is an ACL that specifies rules according to interfaces that receive
packets.
8.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an interface-based ACL6.
Applicable Environment
An ACL6 can be applied to the following tasks:
• Configuring the packet filtering policy
• Configuring the policy-based routing
• Configuring the routing policy
Pre-configuration Tasks
Before configuring ACL6, complete the following task:
• Starting the device normally
Data Preparation
To configure an ACL6, you need the following data:
No. Data
1 (Optional) Name of the time range in which the Interface-based ACL6 takes effect
and the start time and end time of the time range
2 ACL6 number, permit or deny rules
3 Type and number of the interface where the ACL6 is applied
8.2.2 (Optional) Configuring the Valid Time Range of ACL6
By performing this configuration task, you can specify the time range when an ACL6 remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
----End
8.2.3 Creating an Interface-based ACL6
This part describes how to create an interface-based ACL6, whose number ranges from 1000 to
1999, and specify filtering rules according to the packet-receiving interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
The interface-based ACL6 is created and the corresponding view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number | any } [ logging | time-range time-name ]*
ACL6 rules are defined.
----End
8.2.4 Checking the Configuration
You can view the configuration of an interface-based ACL6.
Prerequisite
The configurations of the interface-based ACL6 function are complete.
Procedure
• Run the display acl ipv6 { acl6-number | all } command to check the ACL6 rules.
• Run the display statistics acl ipv6 { acl-number | all } control-plane command to check
the statistics about the packets matching ACL6 in soft forwarding.
• Run the display time-range { time-name | all } command to check the time range.
----End
Example
After the configuration, run the preceding command. You can view ACL6 number, contents of
the rules, and matching times of the rules.
<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
rule 5 permit interface Pos4/0/0
After the preceding configurations, run the display statistics acl ipv6 control-plane command to
view the statistics about the packets matching ACL6 in soft forwarding.
<HUAWEI> display statistics acl ipv6 1000 control-plane
Interface Based IPv6 ACL 1000, 3 rules
rule 0 deny interface any (1035 times matched)
rule 1 permit interface Pos6/0/3 (586 times matched)
rule 2 permit interface GigabitEthernet3/0/11 (103 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
8.3 Configuring a Basic ACL6
When defining rules in a basic ACL6, you can specify only source IP addresses.
8.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring a basic ACL6.
Applicable Environment
An ACL6 can be applied to the following tasks:
• Configuring the packet filtering policy
• Configuring the policy-based routing
• Configuring the routing policy
Pre-configuration Tasks
Before configuring an ACL6, start the device normally.
Data Preparation
To configure an ACL6, you need the following data.
No. Data
1 (Optional) Name of the time range in which the basic ACL takes effect and the start
time and end time of the time range
2 ACL6 number, permit or deny rules, source IP address
8.3.2 (Optional) Configuring the Valid Time Range of ACL6
By performing this configuration task, you can specify the time range when an ACL6 remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name
can be created.
----End
8.3.3 Creating a Basic ACL6
This part describes how to create a basic ACL6, whose number ranges from 2000 to 2999, and
specify filtering rules according to source IP addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
A basic ACL6 is created and the basic ACL6 view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
ACL6 rules are defined.
Defining ACL6 rules for the basic ACL6 is based only on the source IP address.
----End
8.3.4 Checking the Configuration
You can view the configuration of a basic ACL6.
Prerequisite
The configurations of the basic ACL6 function are complete.
Procedure
• Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6
rule.
• Run the display statistics acl ipv6 { acl-number | all } control-plane command to check
the statistics about the packets matching ACL6 in soft forwarding.
• Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step
description, and ACL6 rules are displayed, it means that the configuration succeeds. For
example:
<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's step is 5
rule 5 permit
After the preceding configurations, run the display statistics acl ipv6 control-plane command to
view the statistics about the packets matching ACL6 in soft forwarding.
<HUAWEI> display statistics acl ipv6 2200 control-plane
Basic IPv6 ACL 2200, 3 rules
rule 0 permit source 2030:5060::9050/64 (235 times matched)
rule 1 deny source 4050:7080::4060/96 (560 times matched)
rule 80 permit source FE80::9040/32 (729 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
8.4 Configuring an Advanced ACL6
An advanced ACL6 defines rules based on the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type and code of ICMP.
8.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an advanced ACL6.
Applicable Environment
An ACL6 can be applied to the following tasks:
- Configuring the packet filtering policy
- Configuring the policy-based routing
- Configuring the routing policy
Pre-configuration Tasks
Before configuring an ACL6, complete the following task:
- Starting the device normally
Data Preparation
To configure an ACL6, you need the following data:
No.  Data
1    (Optional) Name of the time range in which the advanced ACL takes effect and the start time and end time of the time range
2    ACL6 number, permit or deny rules
3    Protocol type, source and destination port numbers, source and destination IP address, and source IP address fragment or not, ICMP message type and coding, priority, ToS, and valid time
8.4.2 (Optional) Configuring the Valid Time Range of ACL6
By performing this configuration task, you can specify the time range when an ACL6 remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name
can be created.
----End
8.4.3 Creating an Advanced ACL6
This part describes how to create an advanced ACL6, whose number ranges from 3000 to 3999,
and specify filtering rules according to the source address, destination address, type of the
protocol over IP, and protocol features, for example, the source port and destination port of TCP
and the type of ICMP.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
The advanced ACL6 is created and the advanced ACL6 view is displayed.
Step 3 Perform the following configuration as required.
- When protocol is specified as TCP or UDP
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
ACL6 rules are defined.
- When protocol is specified as ICMPv6
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name | icmp6-type icmp6-code } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
ACL6 rules are defined.
- When protocol is specified as other protocols except TCP, UDP, and ICMPv6
Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | precedence precedence | tos tos ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn-instance vpn-instance-name | dscp dscp ] *
ACL6 rules are defined.
----End
8.4.4 Checking the Configuration
You can view the configuration of an advanced ACL6.
Prerequisite
The configurations of the Advanced ACL6 function are complete.
Procedure
- Run the display acl ipv6 { acl6-number | all } command to check the configured ACL6 rule.
- Run the display statistics acl ipv6 { acl-number | all } control-plane command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End
Example
Run the display acl ipv6 command. If the ACL6 number, the number of rules, detailed step
description, and ACL6 rules are displayed, it means that the configuration succeeds. For
example:
<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules,
rule 0 permit icmpv6
rule 1 permit ipv6 source 3001::/16 destination 4001::/16
rule 2 permit tcp source 5001::/16
After the preceding configurations, run the display statistics acl ipv6 control-plane command to
view the statistics about the packets matching ACL6 in soft forwarding.
<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
rule 1 permit ipv6 source 4001::/16 (137 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
8.5 Configuring a Named ACL6
A named ACL is an advanced ACL6. A named ACL defines rules based on the source address,
destination address, type of the protocol over IP, and protocol features, for example, the source
port and destination port of TCP and the type and code of ICMP.
8.5.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring a named ACL6.
Application Environment
An ACL6 can be applied to various services, such as routing policies and packet filtering, to
implement differentiated packet processing based on packet types. Named ACL6s are advanced
ACL6s because you need to define rules for the named ACL6s by specifying the source IP
address, destination IP address, IP bearer protocol type, TCP source port, TCP destination port,
or ICMP protocol type and code.
Pre-configuration Tasks
None.
Data Preparation
To configure a named ACL6, you need the following data.
No.  Data
1    (Optional) Name of the time range in which the named ACL6 takes effect and the start time and end time of the time range
2    Rule ID of the named ACL6, permit or deny rule, and source IP address
3    IP bearer protocol type, source and destination ports, destination IP address, or ICMP message type and code, packet priority, ToS, and timeout period of the ACL rule
4    (Optional) Description of the named ACL6
5    (Optional) Step of the named ACL6
8.5.2 (Optional) Configuring the Valid Time Range of ACL6
By performing this configuration task, you can specify the time range when an ACL6 remains
valid.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }
A time range is created.
This configuration task is used to create a time range. Multiple time ranges with the same name
can be created.
----End
8.5.3 Creating a Named ACL6
This part describes how to create an ACL6 whose name is a character string and how to specify
filtering rules according to the source address, destination address, type of the protocol over IP,
and protocol features, for example, the source port and destination port of TCP and the type of ICMP.
Context
A named ACL6 is an advanced ACL6 and its acl-number ranges from 42768 to 45767.
Do as follows on the router:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl ipv6 name acl-name [ number acl-number ] [ match-order { auto | config } ]
A named ACL6 is created and the named ACL view is displayed.
Step 3 Perform the following steps as required to configure rules for the named ACL6:
- When protocol is TCP or UDP, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | destination-port operator port | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | source-port operator port | syn-flag syn-flag time-range time-name | precedence precedence | tos tos ] *
syn-flag syn-flag needs to be specified only when TCP is used.
- When protocol is ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
- When protocol is not TCP, UDP, or ICMPv6, run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ] *
rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } | time-range time-name | precedence precedence | tos tos ] *
Configure different advanced ACLs on the device for different protocols over IP. Different
protocols have different parameter combinations. For example, TCP and UDP have the optional
parameters [ source-port operator port ] and [ destination-port operator port ], while other
protocols do not.
----End
8.5.4 Checking the Configuration
You can view the configuration of a named ACL6.
Prerequisite
The configurations of the ACL6 function are complete.
Procedure
- Run the display acl ipv6 name acl-name command to check the configured ACL6 rule.
- Run the display statistics acl ipv6 { acl-number | all | name acl-name } control-plane command to check the statistics about the packets matching ACL6 in soft forwarding.
- Run the display time-range { time-name | all } command to check the time range.
----End
Example
# Check the configurations of named ACL6, whose name is test.
<HUAWEI> display acl ipv6 name test
Advanced IPv6 Name ACL test, 1 rule
Acl's step is 5
rule 5 permit ip
# View the statistics about the packets matching ACL6 3000 in soft forwarding.
<HUAWEI> display statistics acl ipv6 3000 control-plane
Advanced IPv6 ACL 3000, 1 rule
rule 0 permit ipv6 (335 times matched)
# View the statistics about the packets matching ACL6 named test in soft forwarding.
<HUAWEI> display statistics acl ipv6 name test control-plane
Advanced IPv6 ACL test, 2 rules,
rule 0 permit 1 (10 times matched)
rule 1 permit ipv6 (23 times matched)
Run the display time-range command. If the configuration and status of the current time range
are displayed, it means that the configuration succeeds. For example:
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
8.6 Maintaining ACL6
This section describes how to maintain an ACL6. Detailed operations include deleting ACL6
statistics and monitoring the ACL6 operation.
8.6.1 Clearing ACL6 Statistics
This section describes clearance of ACL6 statistics through the reset command.
Context
CAUTION
Statistics cannot be restored after they are cleared. Confirm the action before you run the
command.
Procedure
Step 1 Run the reset acl ipv6 counter { acl6-number | name acl-name | all } command in the user
view to clear the ACL6 counter.
----End
8.6.2 Monitoring Network Operation Status of ACL6
This section describes ACL6 operation monitoring through the display command.
Context
In routine maintenance, you can run the following command in any view to check the operation
of ACL6.
Procedure
- Run the display acl ipv6 { acl6-number | name acl-name | all } command in any view to check the configured ACL6 rules.
- Run the display statistics acl ipv6 { acl6-number | all | name acl-name } control-plane command in any view to check the statistics about the packets matching ACL6 in soft forwarding.
----End
8.7 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagram. Each
configuration example consists of the networking requirements, configuration precautions,
configuration roadmap, configuration procedures, and configuration files.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
8.7.1 Example for Configuring an ACL6 to Filter IPv6 Packets
This section provides an example for configuring an ACL6 and IPv6 packet filtering.
Networking Requirements
As shown in Figure 8-1, Router A and Router B are connected through POS interfaces.
Configure ACL6 rules on Router A to prevent the IPv6 packets with the source IP address 3001::2
from entering POS1/0/0 of Router A.
Figure 8-1 Networking diagram of configuring an ACL6 to filter IPv6 packets
[Figure: RouterA (POS1/0/0, 3001::1/64) is connected to RouterB (POS1/0/0, 3001::2/64; Loopback2, 3002::2/64).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Define an ACL6 number.
2. Define rules in the ACL6.
3. Set the traffic classifier, behavior, and policy.
Data Preparation
To complete the configuration, you need the following data:
- ACL6 number
- Source IPv6 address denied by the ACL6 rule
Procedure
Step 1 Enable IPv6 forwarding capabilities on Router A and Router B, configure interface parameters,
and check connectivity between them.
# Configure Router A.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ipv6 enable
[RouterA-Pos1/0/0] ipv6 address 3001::1 64
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Configure a static route on Router A.
[RouterA] ipv6 route-static 3002:: 64 3001::2
# Configure Router B.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface loopback 2
[RouterB-LoopBack2] ipv6 enable
[RouterB-LoopBack2] ipv6 address 3002::2 64
[RouterB-LoopBack2] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ipv6 enable
[RouterB-Pos1/0/0] ipv6 address 3001::2 64
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.
[RouterB] ping ipv6 -a 3001::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 80 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/40/80 ms
The ping succeeds without timeout or abnormal delay.
# Ping POS 1/0/0 of Router A from loopback2 of Router B.
[RouterB] ping ipv6 -a 3002::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 30 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 20 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 20 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/60 ms
The ping succeeds without timeout or abnormal delay.
Step 2 Create an ACL6 rule and apply it on the interface to block IPv6 packets from 3001::2.
# Configure Router A.
[RouterA] acl ipv6 number 3001
[RouterA-acl6-adv-3001] rule deny ipv6 source 3001::2/128
[RouterA-acl6-adv-3001] quit
[RouterA] traffic classifier bb
[RouterA-classifier-bb] if-match ipv6 acl 3001
[RouterA-classifier-bb] quit
[RouterA] traffic behavior aa
[RouterA-behavior-aa] permit
[RouterA-behavior-aa] quit
[RouterA] traffic policy cc
[RouterA-trafficpolicy-cc] classifier bb behavior aa
[RouterA-trafficpolicy-cc] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] traffic-policy cc inbound
[RouterA-Pos1/0/0] quit
Step 3 Verify the configuration.
# Ping POS 1/0/0 of Router A from POS 1/0/0 of Router B.
[RouterB] ping ipv6 -a 3001::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 3001::1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
The ping fails.
# Ping POS 1/0/0 of Router A from loopback2 of Router B.
[RouterB] ping ipv6 -a 3002::2 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 80 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 40 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 30 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/48/80 ms
The ping succeeds without timeout or abnormal delay.
----End
Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
ipv6
#
acl ipv6 number 3001
rule 0 deny ipv6 source 3001::2/128
#
traffic classifier bb operator or
if-match ipv6 acl 3001
#
traffic behavior aa
#
traffic policy cc
undo share-mode
classifier bb behavior aa
#
interface pos1/0/0
link-protocol ppp
undo shutdown
traffic-policy cc inbound
ipv6 enable
ipv6 address 3001::1/64
#
ipv6 route-static 3002:: 64 3001::2
#
return
- Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3001::2/64
#
interface LoopBack2
ipv6 enable
ipv6 address 3002::2/64
#
return
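The first-match check that the verification pings in this example exercise, as an added Python sketch (not Huawei code and not part of the original guide): it parses ACL6 rule lines from Router A's configuration file and from the display acl ipv6 3100 sample output in 8.4.4, then reports which rule a packet hits. Assumptions: rules are tried in ascending rule ID (match-order config), the keywords ipv6 and ip match every protocol, and ports, ICMPv6 types, fragments and time ranges are recorded but not evaluated; all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the ACL6 part of Router A's configuration file in this example.
ROUTER_A_CONFIG = """\
acl ipv6 number 3001
 rule 0 deny ipv6 source 3001::2/128
#
traffic classifier bb operator or
 if-match ipv6 acl 3001
"""
# Constructed input: the "display acl ipv6 3100" sample output from 8.4.4.
DISPLAY_3100 = """\
Advanced IPv6 ACL 3100, 3 rules,
rule 0 permit icmpv6
rule 1 permit ipv6 source 3001::/16 destination 4001::/16
rule 2 permit tcp source 5001::/16
"""
ANY_PROTOCOL = {"ipv6", "ip"}   # assumption: both keywords match every protocol
KEYWORDS = {"source", "destination", "fragment", "logging", "time-range",
            "vpn-instance", "source-port", "destination-port", "icmpv6-type",
            "precedence", "tos", "dscp"}

@dataclass
class Rule:
    rule_id: int
    action: str                                          # "deny" or "permit"
    protocol: str = "ipv6"                               # basic ACL6 rules name no protocol
    source: Optional[ipaddress.IPv6Network] = None       # None means "any"
    destination: Optional[ipaddress.IPv6Network] = None  # None means "any"
    other: List[str] = field(default_factory=list)       # match fields not evaluated here

def _read_prefix(tokens: List[str], i: int):
    """Read 'any', 'addr/len' or 'addr len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if "/" in tokens[i]:
        return ipaddress.IPv6Network(tokens[i], strict=False), i + 1
    return ipaddress.IPv6Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_rule(line: str) -> Rule:
    """Parse a saved or displayed rule line, which always carries its rule ID."""
    tokens = line.split("(")[0].split()      # drop a trailing "(N times matched)"
    rule = Rule(rule_id=int(tokens[1]), action=tokens[2])
    i = 3
    if i < len(tokens) and tokens[i] not in KEYWORDS:
        rule.protocol = tokens[i].lower()
        i += 1
    while i < len(tokens):
        if tokens[i] in ("source", "destination"):
            network, nxt = _read_prefix(tokens, i + 1)
            setattr(rule, tokens[i], network)
            i = nxt
        else:
            rule.other.append(tokens[i])     # ports, ICMPv6 type, time range, ...
            i += 1
    return rule

def rules_from_display(text: str) -> List[Rule]:
    """Collect every rule line from 'display acl ipv6' style output."""
    return [parse_rule(l) for l in text.splitlines() if l.split()[:1] == ["rule"]]

def parse_acl6(config: str) -> Dict[str, List[Rule]]:
    """Group the rule lines of a configuration file by ACL6 number or name."""
    acls: Dict[str, List[Rule]] = {}
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["acl", "ipv6"] and len(tokens) > 2:
            current = tokens[3] if tokens[2] in ("number", "name") else tokens[2]
            acls[current] = []
        elif tokens[:1] == ["rule"] and current is not None:
            acls[current].append(parse_rule(line))
        else:
            current = None                   # "#" or another command ends the ACL6 view
    return acls

def first_match(rules: List[Rule], src: str, dst: str, protocol: str) -> Optional[Rule]:
    """Return the first rule (ascending rule ID) that the packet hits, else None."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol not in ANY_PROTOCOL and rule.protocol != protocol:
            continue
        if rule.source is not None and s not in rule.source:
            continue
        if rule.destination is not None and d not in rule.destination:
            continue
        return rule
    return None

if __name__ == "__main__":
    acl = parse_acl6(ROUTER_A_CONFIG)["3001"]
    for src in ("3001::2", "3002::2"):       # the two ping sources used in Step 3
        hit = first_match(acl, src, "3001::1", "icmpv6")
        print(src, "->", f"rule {hit.rule_id} {hit.action}" if hit else "no rule matched")
```

A rule whose `other` list is not empty may match fewer packets than this sketch reports, so treat its verdict as an upper bound.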
9 IPv6 over IPv4 Tunnel Configuration
About This Chapter
The IPv6 over IPv4 tunnel technology is developed to address the problem in the transition from
IPv4 networks to IPv6 networks.
9.1 IPv6 over IPv4 Tunnel Overview
The IPv6 over IPv4 tunnel technology provides connectivity for isolated IPv6 networks by using
existing IPv4 networks.
9.2 Configuring IPv4/IPv6 Dual Stacks
To establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite and
the IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.
9.3 Configuring an IPv6 over IPv4 Tunnel
You can interconnect IPv6 networks by using IPv4 networks.
9.4 Configuring 6PE
By performing this configuration task, you can interconnect IPv6 networks through the existing
MPLS network.
9.5 Maintaining IPv6 over IPv4 Tunnels
This section describes how to maintain an IPv6 over IPv4 tunnel, including how to monitor an
IPv6 over IPv4 tunnel.
9.6 Configuration Examples
This section includes the networking requirements, configuration notes, and configuration
roadmap.
9.1 IPv6 over IPv4 Tunnel Overview
The IPv6 over IPv4 tunnel technology provides connectivity for isolated IPv6 networks by using
existing IPv4 networks.
9.1.1 Introduction to IPv6 over IPv4
An IPv6 packet is transparently transmitted after being encapsulated into an IPv4 packet.
During the transition from the IPv4 Internet to the IPv6 Internet, IPv4 networks have been widely
deployed while IPv6 domains are isolated and dispersed around the world. It is not economical
to connect these isolated sites with private lines.
The usual method is tunnel technology. This technology creates tunnels over IPv4 networks to
connect isolated IPv6 domains. This is similar to the situation where the tunnel technology is
used to deploy VPNs on the IP networks.
The tunnel used to connect isolated IPv6 domains over IPv4 networks is called IPv6 over IPv4
tunnel. To implement this tunnel, enable IPv4/IPv6 dual stacks on the devices at the border of
the IPv4 network and the IPv6 network.
9.1.2 IPv6 over IPv4 Supported by the NE80E/40E
You can configure manual IPv6 over IPv4 tunnels or 6to4 tunnels to interconnect IPv6 networks.
NOTE
An IPv6 over IPv4 GRE tunnel cannot be configured on the X1 and X2 models of the NE80E/40E.
Dual Stacks
The simplest way for an IPv6 node to remain compatible with an IPv4 node is to reserve a
complete IPv4 protocol stack. In this way, the IPv6 node maintains a dual-stack structure. Figure
9-1 shows a single stack structure and a dual stack structure.
Figure 9-1 Single stack and dual stack structures (Ethernet)
[Figure: IPv4 stack: IPv4 application over TCP/UDP over IPv4 over Ethernet (protocol ID 0x0800). Dual stack: IPv4/IPv6 application over TCP/UDP over IPv4 and IPv6 over Ethernet (protocol ID 0x0800 for IPv4, 0x86DD for IPv6).]
The characteristics of the dual-stack structure are as follows:
- Supported by multiple link layer protocols
Multiple link layer protocols, such as Ethernet, support dual stacks. The link layer in the
above diagram is Ethernet. In an Ethernet frame, a protocol ID field value of 0x0800
indicates that the network layer carries IPv4 packets, and a value of 0x86DD indicates that
it carries IPv6 packets.
- Supported by multiple applications
Multiple applications such as DNS, FTP and Telnet support dual stacks. The upper-layer
application, such as DNS, can select TCP or UDP as its transport layer protocol. However,
it prefers the IPv6 protocol stack rather than IPv4 to be the network layer protocol.
IPv6 over IPv4 Tunnel
Figure 9-2 shows principles of the IPv6 over IPv4 tunnel technology.
1. Enabling IPv4/IPv6 dual stacks
Enable IPv4/IPv6 dual stacks on the border device.
2. Encapsulating IPv6 packets
After receiving a packet from the IPv6 network, the border device checks the destination of
the packet. If the packet is not destined for the border device itself, the device takes the
received IPv6 packet as the payload and adds an IPv4 packet header before it, which
encapsulates the IPv6 packet into an IPv4 packet.
3. Transmitting the encapsulated packet
In the IPv4 network, the encapsulated packet is transmitted to the peer border device.
4. Decapsulating the packet
The peer border device decapsulates the packet, removes the IPv4 packet header, and
forwards the resulting IPv6 packet to the remote IPv6 network.
Figure 9-2 Schematic diagram of IPv6 over IPv4 tunnel
[Figure: two IPv6 hosts in separate IPv6 networks are connected through dual stack routers and a tunnel across an IPv4 network. The packet is "IPv6 Header + IPv6 Data" in the IPv6 networks and "IPv4 Header + IPv6 Header + IPv6 Data" inside the tunnel.]
The virtual tunnel that transmits IPv6 packets between the border devices is called the IPv6 over
IPv4 tunnel. Tunnels can be classified according to their setup modes.
The common IPv6 over IPv4 tunnel modes include:
- IPv6 over IPv4 manual tunnels
- IPv6 over IPv4 GRE tunnels (GRE tunnels)
- IPv6 over IPv4 automatic tunnels
- 6to4 tunnels
- Intrasite Automatic Tunnel Addressing Protocol (ISATAP) tunnels
IPv6 over IPv4 Manual Tunnel
An IPv6 over IPv4 manual tunnel is set up by configuring the border devices of two tunnel ends.
The source IPv4 address and destination IPv4 address of such a tunnel must be configured
statically.
A manual tunnel is equivalent to a permanent link between two IPv6 networks over an IPv4
backbone network. It is the fixed channel for regular and secure communication between the
two border devices.
The manual tunnel can be used between isolated IPv6 networks. It can also be used between a
border device and a host. In this case, the host and the device on both ends of the tunnel must
support the IPv4 and the IPv6 protocol stacks.
IPv6 over IPv4 GRE Tunnel
The IPv6 traffic can be carried over the IPv4 GRE tunnels. When carrying the IPv6 traffic, the
IPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE tunnel for short). Like the IPv6
over IPv4 manual tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel for
each link. The tunnels are not tied to a specific passenger or transport protocol; in this case they
carry IPv6 as the passenger protocol and GRE as the carrier protocol.
The GRE tunnel is also manually created on the border devices at both ends of the tunnel. You need to
statically specify the source IPv4 address and destination IPv4 address of the GRE tunnel. Unlike
the manual tunnel, the GRE tunnel can be set to check the GRE packet header and to authenticate
the tunnel keyword to enhance the tunnel security.
The GRE tunnel is used to connect border devices, or connect a border device and a host system.
Both the host and the device on both the ends of the tunnel must support the IPv4 and the IPv6
protocol stacks.
IPv6 over IPv4 Automatic Tunnel
To create an IPv6 over IPv4 automatic tunnel, you need a special kind of IPv6 address, namely
an IPv4-compatible IPv6 address.
The format of IPv4-compatible IPv6 address is as follows:
0:0:0:0:0:0:IPv4-address
Its high-order 96 bits are all 0s, and its low-order 32 bits form an IPv4 address. This IPv4 address
must be reachable in the IPv4 network, and cannot be a multicast address, a broadcast address,
a loopback address or an unspecified address (0.0.0.0).
To configure an automatic tunnel, specify just the source address of the tunnel on a border device
or a host. The destination address of the tunnel is automatically obtained from the destination
IP address field carried in the original IPv6 packet.
The IPv6 over IPv4 automatic tunnel is usually used when an isolated IPv4/IPv6 dual stack host
needs to access a remote IPv6 network over an IPv4 network. The automatic tunnel needs to be
configured between the isolated IPv4/IPv6 host and the IPv4/IPv6 device.
While setting up an automatic tunnel, configure the IPv4-compatible IPv6 address on both the
ends of the tunnel. The IPv4-compatible IPv6 address depends on the IPv4 address of the physical
interface of the tunnel. It is therefore constrained by the shortage of IPv4 addresses, so the
automatic tunnel has certain limitations.
6to4 Tunnel
A 6to4 tunnel is a mechanism that connects several isolated IPv6 domains to each other over an
IPv4 network. The 6to4 tunnel can be configured on the border device between the isolated IPv6
network and the IPv4 network. The border device on both the ends of the 6to4 tunnel must
support the IPv4 and the IPv6 dual protocol stacks at the same time.
The key difference between the 6to4 tunnel and the manual tunnel is that the former can be a
point-to-multipoint connection, and the latter is only a point-to-point connection. Hence, the
devices of the 6to4 tunnel are not configured in pairs.
Like the automatic tunnel, the 6to4 tunnel can automatically find the other end of the tunnel. You
need not specify the IPv4-compatible IPv6 address for it.
The 6to4 tunnel uses a kind of special IPv6 address, namely the 6to4 address with the following
format:
2002:IPv4 address:subnet ID:interface ID
The prefix of the 6to4 address is 2002:IPv4 address with the length of 48 bits. Of these, the IPv4
address is a globally unique one requested for an isolated IPv6 domain. This IPv4 address must
be configured on the IPv6/IPv4 border device's physical interface that is connected with the IPv4
network. The length of the subnet ID is 16 bits, and that of the interface ID is 64 bits. Both the
subnet ID and the interface ID are allocated in the isolated IPv6 domains.
As shown in Figure 9-3, Site1 and Site2 are 6to4 networks, and hosts and devices in the 6to4
network are allocated with 6to4 addresses. The IPv4 address contained in the 6to4 address of
the host or device in Site1 is the IPv4 address of the interface through which Router A accesses
the IPv4 network. Similarly, the IPv4 address contained in the 6to4 address of the host or device
in Site2 is the IPv4 address of the interface through which Router B accesses the IPv4 network.
Router A and Router B are both 6to4 devices.
Figure 9-3 6to4 tunnel and 6to4 relay
[Figure labels: 6to4 network Site1, 6to4 network Site2, 6to4 router RouterA, 6to4 router RouterB,
6to4 relay RouterC, IPv4 network, IPv6 Internet, Site3.]
When the host in Site1 accesses the host in Site2, the process concerned is as follows:
1. The IPv6 packet is transmitted to Router A.
2. Router A checks the destination address of the IPv6 packet and finds that the address is the
6to4 address, from which Router A obtains the remote IPv4 address of the 6to4 tunnel.
3. Router A encapsulates this IPv6 packet into the IPv4 packet. The destination address of
IPv4 packet header is the remote IPv4 address of the tunnel, and its source address is the
local IPv4 address of the tunnel.
4. Router A forwards the IPv4 packet in the IPv4 network to Router B.
5. Router B decapsulates it to obtain the previous IPv6 packet, and then sends the IPv6 packet
to the destination host in Site2.
The above process implements the communication between the 6to4 networks. To implement
the communication between the 6to4 network and a native IPv6 network, a 6to4 relay device is
needed. A native IPv6 network is one in which neither the hosts nor the devices are
configured with 6to4 addresses.
The 6to4 relay device is the gateway between the 6to4 network and the native IPv6 network.
One side of the 6to4 relay device is connected to the native IPv6 network; the other side is
connected to the IPv4 network and creates the 6to4 tunnel with the 6to4 device.
As shown in Figure 9-3, when the host in the 6to4 network accesses the IPv6 Internet, the process
concerned is as follows:
1. The IPv6 packet is routed to Router A.
2. A 6to4 tunnel is created between Router A and Router C.
3. The IPv6 packet is encapsulated into the IPv4 packet and is sent to Router C.
4. Router C decapsulates the IPv4 packet to obtain the previous IPv6 packet, and sends the
IPv6 packet to the destination host in the IPv6 Internet.
ISATAP Tunnel
The ISATAP tunnel is used when the IPv4/IPv6 host in an IPv4 network accesses an IPv6
network. The ISATAP tunnel can be created between an ISATAP host and an ISATAP device.
The ISATAP format address is needed to create the ISATAP tunnel. Its structure is as follows:
Prefix (64bit)::5EFE:IPv4-Address
Because the IPv4/IPv6 host and the ISATAP device are in the same IPv4 network when the ISATAP
tunnel is created, the IPv4 address embedded into the ISATAP address can be either a public
network address or a private network address.
As shown in Figure 9-4, the process for an IPv4/IPv6 host to obtain an IPv6 address is as follows:
1. The IPv4/IPv6 host sends a request message to a device.
The IPv4/IPv6 host uses the link-local address in the ISATAP format to send a router
request message to the ISATAP device. It encapsulates the message into the IPv4 packet.
2. The ISATAP device responds to the request message.
The ISATAP device uses a router notification message to respond to the request. The router
notification message contains the ISATAP prefix, which is manually configured on the
device.
3. The IPv4/IPv6 host obtains its IPv6 address.
The IPv4/IPv6 host obtains its own IPv6 address by combining the ISATAP prefix with
5EFE:IPv4-Address, and uses this address to access the IPv6 host.
Figure 9-4 ISATAP tunnel
[Figure labels: IPv4/IPv6 host, IPv4 network, ISATAP tunnel, ISATAP router, IPv6 network, IPv6 host;
addresses 2.1.1.1, FE80::5EFE:0201:0101, 3FFE::5EFE:0201:0101.]
The principle of an IPv4 or IPv6 host accessing an IPv6 network is as follows:
1. The IPv4 or IPv6 host in the IPv4 network obtains an IPv6 address based on the steps given
above.
2. The IPv4 or IPv6 host sends packets that are encapsulated in an IPv4 packet to the host in
the IPv6 network.
3. An ISATAP device decapsulates the IPv4 packet and sends the IPv6 packets to the IPv6
host.
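The IPv4-compatible, 6to4 and ISATAP formats above all embed the tunnel's IPv4 endpoint in the IPv6 address, and the automatic, 6to4 and ISATAP tunnels take their destination from it. The following Python code is an added example, not part of the original guide or of Huawei's software: it builds the 6to4 and ISATAP forms and derives the IPv4 endpoint from an IPv6 destination, applying the rule the guide states for IPv4-compatible addresses (no multicast, broadcast, loopback or unspecified address) to all three formats, which goes beyond the guide. The function names and the 192.0.2.1 sample address are assumptions.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def usable_ipv4(v4):
    """Rule stated for the embedded IPv4 address: it cannot be a multicast,
    broadcast, loopback or unspecified (0.0.0.0) address."""
    return not (v4.is_multicast or v4.is_loopback or v4.is_unspecified
                or v4 == LIMITED_BROADCAST)


def make_6to4_prefix(ipv4):
    """Return the 48-bit 6to4 prefix 2002:IPv4-address::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def make_isatap(prefix, ipv4):
    """Combine a 64-bit prefix with 5EFE:IPv4-address, as the ISATAP host does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP prefix is 64 bits long")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)


def tunnel_endpoint(ipv6_dst):
    """Derive (tunnel kind, IPv4 endpoint) from an IPv6 destination address.

    Raises ValueError when no IPv4 address is embedded or when the embedded
    address breaks the rule in usable_ipv4(), so the packet is not encapsulated.
    """
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst.is_loopback:                             # ::1 is not a tunnel address
        raise ValueError(f"{dst}: IPv6 loopback address")
    value = int(dst)
    if value >> 112 == 0x2002:                      # 2002:IPv4:subnet:interface
        kind, v4 = "6to4", (value >> 80) & 0xFFFFFFFF
    elif (value >> 32) & 0xFFFFFFFF == 0x5EFE:      # prefix::5EFE:IPv4
        kind, v4 = "isatap", value & 0xFFFFFFFF
    elif value >> 32 == 0:                          # high-order 96 bits all 0
        kind, v4 = "ipv4-compatible", value & 0xFFFFFFFF
    else:
        raise ValueError(f"{dst}: no embedded IPv4 address")
    v4 = ipaddress.IPv4Address(v4)
    if not usable_ipv4(v4):
        raise ValueError(f"{dst}: embedded IPv4 address {v4} is not usable")
    return kind, str(v4)


if __name__ == "__main__":
    # FE80::5EFE:0201:0101 is taken from Figure 9-4; the other inputs are
    # constructed (192.0.2.1 stands in for a border device's IPv4 address).
    print(make_6to4_prefix("192.0.2.1"))
    print(make_isatap("3FFE::/64", "2.1.1.1"))
    for sample in ("2002:c000:201:1::1", "FE80::5EFE:0201:0101", "::2.1.1.2",
                   "::127.0.0.1", "2002:e000:1::1", "2001:db8::1"):
        try:
            print(sample, "->", tunnel_endpoint(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```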
6PE
On an IPv4 backbone network where the MPLS is deployed, the ISP can use the IPv6 Provider
Edge (6PE) technology to provide the interconnection capacity for the IPv6 networks of
dispersed users. 6PE is the PE with the IPv6 capacity.
Figure 9-5 shows the principle of interconnecting isolated IPv6 domains through 6PE.
1. When the 6PE device receives an IPv6 packet from the CE, it directly labels the packet to
translate the packet into an MPLS packet that can be transmitted over the IPv4 backbone
network.
2. The MPLS packet is forwarded to the remote 6PE through the LSP.
3. The remote 6PE removes the label and looks up the IPv6 routing table according to the
destination address in the resulting IPv6 packet header.
4. The remote 6PE then sends the packet to the destination host in the remote IPv6 network
through the remote CE.
Figure 9-5 Networking diagram of 6PE
[Figure labels: IPv6 customer site (two), CE (two), 6PE router (two), PE, IPv4/MPLS, IBGP.]
Note the following points when you connect isolated IPv6 sites through a 6PE tunnel:
• Enable IPv4, MPLS and IPv6 on 6PE.
• MP-BGP also needs to be enabled between 6PEs to receive or send IPv6 routes from/to the
remote 6PE.
• The IGP over ISP's IPv4 backbone network can be OSPF or IS-IS.
• Static routing protocol, IGP or EBGP can work between CE and 6PE.
When ISPs intend to extend their IPv4 or MPLS networks with IPv6 traffic exchange capability
on MPLS, they only need to update their PE devices.
9.2 Configuring IPv4/IPv6 Dual Stacks
To establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol suite and
the IPv6 protocol suite on the devices where an IPv4 network borders an IPv6 network.
9.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for the IPv4/IPv6 dual protocol stack.
Applicable Environment
If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be
enabled on the device.
Enabling the IPv4/IPv6 dual protocol stacks on the NE80E/40E is a simple process. Enable the
IPv6 packet forwarding capacity in the system view and configure an IPv4 address or IPv6
address on the corresponding interface. The device can then forward IPv4 and IPv6 packets on
the corresponding interface.
Pre-configuration Tasks
Before configuring IPv6 tunnels, complete the following tasks:
• Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
• Configuring the link layer parameters for the interface
Data Preparation
To configure IPv4/IPv6 dual stacks, you need the following data.
No. Data
1 Type and number of the interface connected with the IPv4 network
2 IPv4 address and mask of the interface connected with the IPv4 network
3 Type and number of the interface connected with the IPv6 network
4 IPv6 address and prefix of the interface connected with the IPv6 network
9.2.2 Enabling IPv6 Packet Forwarding
To enable IPv6 packet forwarding, you need to enable IPv6 in both the interface view and the
system view.
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
capability is enabled on a device. The interface on the device does not have the IPv6 capability
and hence you cannot perform any IPv6 configurations.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is
enabled only on an interface but the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6
The IPv6 packet forwarding capability is enabled.
To enable a device to forward IPv6 packets, you must run this command in the system view;
otherwise, the device cannot forward IPv6 packets although the interface is configured with an
IPv6 address.
By default, the IPv6 packet forwarding capability is disabled.
Step 3 Run:
interface interface-type interface-number
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
The IPv6 capability is enabled on the interface.
Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability
in the interface view.
By default, the IPv6 capability is disabled on the interface.
----End
9.2.3 Configuring IPv4 and IPv6 Addresses for the Interface
You need to configure IPv4 and IPv6 addresses separately on the IPv4 and IPv6 networks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view of the IPv4 network is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
An IPv4 address is assigned to the interface.
Step 4 Run:
quit
Return to the system view.
Step 5 Run:
interface interface-type interface-number
The interface view of the IPv6 network is displayed.
Step 6 Perform the following configuration as required.
• Run:
ipv6 address auto link-local
The link-local address is set to be automatically generated.
• Run:
ipv6 address ipv6-address link-local
The link-local address of the interface is configured.
• Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The global unicast address is configured.
• Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
The IPv6 EUI-64 address is configured.
----End
9.3 Configuring an IPv6 over IPv4 Tunnel
You can interconnect IPv6 networks by using IPv4 networks.
Context
NOTE
An IPv6 over IPv4 GRE tunnel cannot be configured on the X1 and X2 models of the NE80E/
40E.
9.3.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an IPv6 over IPv4 tunnel.
Applicable Environment
To enable communication between two IPv6 networks over the IPv4 network, configure an IPv6
over IPv4 tunnel on the border device of the IPv4 and IPv6 networks.
Pre-configuration Tasks
Before configuring an IPv6 over IPv4 tunnel, complete the following tasks:
• Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
• Configuring the link layer protocol for the interface and ensuring that the status of the link
layer protocol on the interface is Up
• Configuring the IPv4/IPv6 dual-protocol stacks
Data Preparation
To configure an IPv6 over IPv4 tunnel, you need the following data.
No. Data
1 Number, IPv6 address and prefix length of the tunnel
2 Encapsulation mode of packets over the tunnel
3 Source IPv4 address or interface number of the tunnel
4 Destination IPv4 address of the tunnel
5 Authentication word of the GRE tunnel (only for the GRE tunnel)
9.3.2 Configuring an IPv6 over IPv4 Manual Tunnel
A manual IPv6 over IPv4 tunnel is a P2P tunnel. The source address and destination address of
a manual IPv6 over IPv4 tunnel are both manually assigned. The source address and destination
address of a manual IPv6 over IPv4 tunnel on the same device must be unique. A manual IPv6
over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6
networks. Border devices can communicate with each other securely and regularly through
manual IPv6 over IPv4 tunnels.
Context
Note the following when configuring an IPv6 over IPv4 manual tunnel:
• Before configuring other parameters of an IPv6 tunnel, you must create a tunnel interface.
• The source interface of the tunnel must be specified by the address or number of the
loopback interface on the local router.
• The destination interface of the tunnel must be specified by the address of the loopback
interface on the peer device.
• You need to conduct the following configurations on the devices on both ends of the
tunnel. During the configuration, note that the source address of the local tunnel end is the
destination address set for the remote tunnel end; the destination address of the local tunnel
end is the source address set for the remote tunnel end.
• To support a dynamic routing protocol, you also need to configure the tunnel interface with
a network address.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface is created.
Step 3 Run:
tunnel-protocol ipv6-ipv4
The tunnel is specified as an IPv6 over IPv4 manual tunnel.
Step 4 Run:
source { ip-address | interface-type interface-number }
The source address or source interface of the tunnel is specified.
NOTE
For the actual implementation on the NE80E/40E, the source interface of the tunnel can only be a loopback
interface but the source address of the tunnel can be either the address of a physical interface or the address
of a loopback interface.
Step 5 Run:
destination dest-ip-address
The destination address of the tunnel is specified.
NOTE
The destination address of the tunnel can be the address of a physical interface or the address of a loopback
interface.
Step 6 Run:
ipv6 enable
IPv6 is enabled on the interface.
Step 7 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The tunnel interface is configured with an IPv6 address.
----End
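The manual tunnel only works when both ends agree: `ipv6` in the system view, `ipv6 enable` and an IPv6 address on the tunnel interface, and a source and destination that mirror each other. The following Python code is an added example, not part of the original guide or of Huawei's software: it audits two saved configurations against those points. The configuration layout (`#` separators, indented commands under `interface`), all addresses and interface numbers, and the function names are assumptions.

```python
import ipaddress

def parse_config(text):
    """Return (system-view commands, {interface name: [commands]})."""
    system, interfaces, section = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        if line == "#":                      # separator between views
            section = None
        elif not raw[0].isspace():           # unindented line opens a view
            if line.lower().startswith("interface "):
                section = interfaces.setdefault(line.split()[1].lower(), [])
            else:
                system.append(line)
                section = []                 # commands of other views are skipped
        elif section is not None:
            section.append(line)
        else:
            system.append(line)              # indented command directly under "#"
    return system, interfaces

def _argument(cmds, keyword):
    """First argument of the first command starting with keyword, or None."""
    for cmd in cmds:
        parts = cmd.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None

def _to_ipv4(value, interfaces):
    """Accept an IPv4 literal, or an interface name resolved via 'ip address'."""
    if value is None:
        return None
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        own = interfaces.get(value.lower(), [])
        return _argument([c[3:] for c in own if c.startswith("ip address ")], "address")

def check_end(name, config, tunnel):
    """Check one tunnel end; return (findings, source IPv4, destination IPv4)."""
    system, interfaces = parse_config(config)
    cmds = interfaces.get(tunnel.lower())
    if cmds is None:
        return [f"{name}: interface {tunnel} not found"], None, None
    findings = []
    if "ipv6" not in system:
        findings.append(f"{name}: 'ipv6' not run in the system view")
    if "ipv6 enable" not in cmds:
        findings.append(f"{name}: 'ipv6 enable' missing on {tunnel}")
    if "tunnel-protocol ipv6-ipv4" not in cmds:
        findings.append(f"{name}: {tunnel} is not a manual IPv6 over IPv4 tunnel")
    if not any(c.startswith("ipv6 address ") for c in cmds):
        findings.append(f"{name}: no IPv6 address on {tunnel}")
    src = _to_ipv4(_argument(cmds, "source"), interfaces)
    dst = _to_ipv4(_argument(cmds, "destination"), interfaces)
    if src is None or dst is None:
        findings.append(f"{name}: tunnel source or destination missing")
    return findings, src, dst

def audit_manual_tunnel(cfg_a, tunnel_a, cfg_c, tunnel_c):
    """Return all findings; an empty list means the two ends are consistent."""
    find_a, src_a, dst_a = check_end("RouterA", cfg_a, tunnel_a)
    find_c, src_c, dst_c = check_end("RouterC", cfg_c, tunnel_c)
    findings = find_a + find_c
    if None not in (src_a, dst_a, src_c, dst_c):
        if src_a != dst_c:
            findings.append(f"RouterA source {src_a} != RouterC destination {dst_c}")
        if dst_a != src_c:
            findings.append(f"RouterA destination {dst_a} != RouterC source {src_c}")
    return findings

# Constructed sample configuration; addresses and interface numbers are made up.
TEMPLATE = """\
#
 ipv6
#
interface LoopBack1
 ip address {loopback} 255.255.255.255
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address {ipv6}/64
 tunnel-protocol ipv6-ipv4
 source LoopBack1
 destination {peer}
#
"""
ROUTER_A = TEMPLATE.format(loopback="10.1.1.1", ipv6="2001:db8:1::1", peer="10.3.3.3")
ROUTER_C = TEMPLATE.format(loopback="10.3.3.3", ipv6="2001:db8:1::2", peer="10.1.1.1")
# Faulty variant of RouterC: 'ipv6 enable' removed and a wrong destination.
ROUTER_C_BAD = ROUTER_C.replace(" ipv6 enable\n", "").replace(
    "destination 10.1.1.1", "destination 10.1.1.2")

if __name__ == "__main__":
    print("\n".join(audit_manual_tunnel(ROUTER_A, "Tunnel1/0/0", ROUTER_C_BAD, "Tunnel1/0/0")))
```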
9.3.3 Configuring an IPv6 over IPv4 GRE Tunnel
Through the IPv6 over IPv4 GRE technology, the IPv6 traffic can be carried over the IPv4 GRE
tunnels.
Context
• Note the following when configuring an IPv6 over IPv4 GRE tunnel:
  - Before configuring other parameters of an IPv6 tunnel, you must create a tunnel
    interface.
  - The slot number of the created tunnel interface must be the same as that of the SPUC.
  - You need to create the loopback interface and assign an IP address to it.
  - The source interface of the tunnel must be specified by the address or number of the
    loopback interface on the local router.
  - The destination interface of the tunnel must be specified by the address of the loopback
    interface on the peer device.
  - You need to conduct the following configurations on the devices on both ends of
    the tunnel. During the configuration, note that the source address of the local tunnel end
    is the destination address set for the remote tunnel end; the destination address of the
    local tunnel end is the source address set for the remote tunnel end.
  - To make the tunnel support the routing protocol, configure an IP address for the tunnel
    interface.
• Setting the key word of the GRE packet header
  Configuring the key word of the GRE packet header is optional. If the key word is
  configured, the receiver checks the KEY field in the GRE packet header. If the key word
  in the packet header is the same as the one configured locally, the receiver continues to process
  the packet. Otherwise, it discards the packet.
Procedure
Step 1 Run:
set board-type slot slot-id tunnel
The service mode of the SPUC is set to Tunnel.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
interface tunnel interface-number
The tunnel interface is created.
The slot number of the created tunnel interface must be the same as that of the SPUC. For
instance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.
Step 4 Run:
tunnel-protocol gre
The tunnel is specified as a GRE tunnel.
When you configure an IPv6 over IPv4 GRE tunnel, you must run the target-board slot-number
and binding tunnel gre commands respectively on the loopback interface to bind the
SPUC to GRE.
Step 5 Run:
source { ip-address | interface-type interface-number }
The source address or source interface of the tunnel is specified.
The source address specified by source ipv4-address must be the IPv4 address of the loopback
interface bound to the SPUC through the target-board command; the source interface specified
by source interface-type interface-number must be the loopback interface bound to the SPUC
through the target-board command.
Step 6 Run:
destination dest-ip-address
The destination address of the tunnel is specified.
Step 7 (Optional) Run:
gre key key-number
The key word of the GRE packet header is set.
Step 8 Run:
ipv6 enable
IPv6 is enabled on the interface.
Step 9 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The IPv6 address of the tunnel interface is configured.
----End
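The receive-side KEY check described in the Context of this section, as an added Python example that is not part of the original guide or of Huawei's software. It follows the GRE header layout of RFC 2784 and RFC 2890; the function names, the sample packets and the handling of a keyed packet when no local key is configured are assumptions.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence flags
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV6 = 0x86DD                        # passenger protocol: IPv6


def build_gre(payload, key=None):
    """Build a GRE header (optionally with a KEY field) in front of payload."""
    flags = GRE_K if key is not None else 0
    header = struct.pack("!HH", flags, ETHERTYPE_IPV6)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload


def parse_gre(packet):
    """Return (protocol type, key or None, payload); raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & GRE_C:                  # checksum + reserved precede the key
        offset += 4                    # (the checksum is not verified here)
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated KEY field")
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:                  # sequence number follows the key
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    return proto, key, packet[offset:]


def receiver_accepts(packet, local_key):
    """Apply the receive-side check: the keys must match, otherwise discard."""
    try:
        proto, key, _payload = parse_gre(packet)
    except ValueError:
        return False
    if proto != ETHERTYPE_IPV6:
        return False
    # Assumption of this example: a keyed packet arriving at a receiver with
    # no key configured (local_key is None) is also discarded.
    return key == local_key


# Constructed inputs: a minimal 40-byte IPv6 header, and a GRE packet that
# carries both the checksum field (zero placeholder) and KEY 99.
IPV6_PACKET = b"\x60" + bytes(39)
SAMPLE_WITH_CHECKSUM = struct.pack(
    "!HHHHI", GRE_C | GRE_K, ETHERTYPE_IPV6, 0, 0, 99) + IPV6_PACKET

if __name__ == "__main__":
    for label, pkt, local in (
            ("matching key", build_gre(IPV6_PACKET, 1234), 1234),
            ("wrong key", build_gre(IPV6_PACKET, 4321), 1234),
            ("key missing", build_gre(IPV6_PACKET), 1234),
            ("checksum + key", SAMPLE_WITH_CHECKSUM, 99)):
        print(label, "->", "process" if receiver_accepts(pkt, local) else "discard")
```

The KEY is a 32-bit value carried unencrypted in the GRE header, so this check separates tunnels and drops misconfigured traffic; it does not authenticate the peer or protect the payload.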
9.3.4 Configuring an IPv6 over IPv4 Automatic Tunnel
By configuring an automatic IPv6 over IPv4 tunnel, you can enable an isolated IPv4/IPv6 dual
stack host to access a remote IPv6 network through an IPv4 network. IPv6 over IPv4 automatic
tunnels do not support IPv6 packet forwarding.
Context
Note the following when configuring an IPv6 over IPv4 automatic tunnel:
• Before configuring the other parameters of an IPv6 tunnel, you must create a tunnel
interface.
• The source interface of the tunnel must be specified by the address or number of the
loopback interface on the local router.
• When configuring an IPv6 over IPv4 automatic tunnel, you can specify only the source
address of the tunnel. The destination address of the tunnel is automatically obtained from
the destination IP address field carried in the original IPv6 packet. Note that the source
interface of the IPv6 over IPv4 automatic tunnel must be unique.
• The IPv6 address configured for the automatic tunnel must be an IPv4-compatible IPv6
address. That is, the high-order 96 bits are 0 and the low-order 32 bits represent an IPv4
address of an interface in the IPv4 network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is configured.
Step 3 Run:
tunnel-protocol ipv6-ipv4 auto-tunnel
The tunnel is specified as an IPv6 over IPv4 automatic tunnel.
Step 4 Run:
source { ip-address | interface-type interface-number }
The source address or source interface of the tunnel is specified.
Step 5 Run:
ipv6 enable
IPv6 is enabled on the interface.
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The tunnel interface is configured with an IPv6 address.
----End
9.3.5 Configuring a 6to4 Tunnel
A 6to4 tunnel is a P2MP tunnel and can interconnect IPv6 networks which are isolated from
each other through an IPv4 network.
Context
Note the following when configuring a 6to4 tunnel:
• Before configuring other parameters of the tunnel, create a tunnel interface.
• When the specified source interface of the tunnel is a physical interface, it is recommended
to set the tunnel ID to be the same as the number of the physical interface.
• The source tunnel interface must be specified by the address or number of the loopback
interface on the local router.
• When configuring a 6to4 tunnel, you need to specify only the source tunnel interface. The
destination address of the tunnel is automatically obtained from the destination IP address
field carried in the original IPv6 packet. Note that the source interface of the 6to4 tunnel
must be unique.
• On the border device, configure a 6to4 address on the interface that is connected with the
6to4 network, and configure an IPv4 address on the interface that is connected with the
IPv4 network. To make the tunnel support the routing protocol, configure an IP address for
the tunnel interface.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is created.
Step 3 Run:
tunnel-protocol ipv6-ipv4 6to4
The tunnel is specified as a 6to4 tunnel.
Step 4 Run:
source { ip-address | interface-type interface-number }
The source address or source interface of the tunnel is specified.
Step 5 Run:
ipv6 enable
IPv6 is enabled on the interface.
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The interface is configured with an IPv6 address.
NOTE
The prefix of the IPv6 address configured for the interface must be the same as the 6to4 network prefix of
the border device.
----End
Follow-up Procedure
The configuration of the 6to4 relay, which is needed to access the IPv6 network, is similar to
that of the 6to4 tunnel. For the configuration example, see "Example for Configuring 6to4 Relay."
9.3.6 Configuring an ISATAP Tunnel
Intra-site Automatic Tunnel Addressing Protocol (ISATAP) tunnels are used in the situation
where IPv4/IPv6 hosts in an IPv4 network need to access an IPv6 network. An ISATAP tunnel
can be established between an ISATAP host and an ISATAP device.
Context
Note the following when configuring an ISATAP tunnel:
• Before configuring other parameters of the tunnel, create a tunnel interface.
• When the specified source interface of the tunnel is a physical interface, it is recommended
to set the tunnel ID to be the same as the number of the physical interface.
• When configuring an ISATAP tunnel, you need to specify only the source address of the
tunnel. The destination address of the tunnel is automatically obtained from the destination
IP address field carried in the original IPv6 packet. Note that the source interface of the
ISATAP tunnel must be unique.
• The IPv6 address configured on the tunnel interface is an ISATAP address with a prefix
length of 64 bits.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is created.
Step 3 Run:
tunnel-protocol ipv6-ipv4 isatap
The tunnel is specified as an ISATAP tunnel.
Step 4 Run:
source { ip-address | interface-type interface-number }
The source address or source interface of the tunnel is specified.
Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The tunnel interface is configured with an IPv6 address.
Step 6 Run:
undo ipv6 nd ra halt
The device is allowed to advertise routes.
----End
9.3.7 Configuring Routes in the Tunnel
Packets can be normally forwarded only when routes exist on both the source device and
destination device of the tunnel.
Context
Configuring routes in the tunnel comprises configuring static routes and dynamic routes.
• To configure the static route, you need to configure the route from the IP address of the
local loopback interface (the source address) to the destination address (IP address of the
peer loopback interface).
• You can enable dynamic routing protocol on the tunnel interface connected to the private
networks and on the device interface.
9.3.8 Checking the Configuration
You can view the configuration of an IPv6 over IPv4 tunnel.
Prerequisite
The configurations of the IPv6 over IPv4 Tunnel function are complete.
Procedure
Step 1 Run the display device slot-id command to check whether the service mode of the SPUC is
Tunnel.
Step 2 Run the display ipv6 interface tunnel interface-number command to check the IPv6 attributes
of a tunnel interface.
----End
Example
If the service mode of the SPUC is Tunnel, run the display device 3 command, and you can
view that the type of the SPUC on the router is displayed as General.
<HUAWEI> display device 3
SPU3's detail information:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description: Line Processing Unit - General
Board status: Normal
Register: Registered
Uptime: 2009/02/26 18:33:23
CPU Utilization(%): 3%
Mem Usage(%): 19%
Clock information:
State item State
Current syn-clock: 17
Current line-clock: 23
Syn-clock state: Locked VCXO_OK REF_OK
Syn-clock 17 state: Actived
Syn-clock 18 state: Inactived
Line-clock 23 state: Inactived
Line-clock 24 state: Inactived
Statistic information:
Statistic item Statistic number
SERDES interface link lost: 0
Mpu switchs: 0
Syn-clock switchs: 0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Run the display ipv6 interface tunnel command. If IPv6 packet forwarding is enabled,
you can see that the state of the tunnel interface is Up and the state of the IPv6 protocol is Up,
and you can view the source address and ND parameters.
<HUAWEI> display ipv6 interface tunnel 3/0/0
Tunnel3/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:102
Global unicast address(es):
::2.1.1.2, subnet is ::/96
Joined group address(es):
FF02::1:FF01:102
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
9.4 Configuring 6PE
By performing this configuration task, you can interconnect IPv6 networks through the existing
MPLS network.
9.4.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring 6PE.
Applicable Environment
To interconnect IPv6 networks over the existing MPLS network, 6PE must be configured on the
PE devices.
Pre-configuration Tasks
Before configuring 6PE, complete the following tasks:
• Configuring the physical features of interfaces and ensuring that the status of the physical
layer of the interface is Up
• Configuring the link layer protocols on the interface and ensuring that the status of the link
layer protocol on the interface is Up
• Configuring routes from 6PE to CE
• Configuring routes to the backbone network
Data Preparation
To configure 6PE, you need the following data.
No. Data
1 Interface number and IPv6 address of the 6PE's interface connected with CE devices
2 Interface number and IPv4 address of the 6PE's interface
3 Interface number and IPv4 address of the loopback interface to be created
4 LSP triggering policy
5 IPv4 address of the peer of the 6PE
9.4.2 Configuring IPv4/IPv6 Dual Protocol Stacks
You need to enable the IPv4/IPv6 dual stack on the border device of the IPv4 and IPv6 networks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipv6
The IPv6 packet forwarding is enabled.
Step 3 Run:
interface interface-type interface-number
The interface view of the IPv4 network is displayed.
Step 4 Run:
ip address ip-address { mask | mask-length }
The interface is configured with an IPv4 address.
Step 5 Run:
quit
Return to the system view.
Step 6 Run:
interface interface-type interface-number
The interface view of the IPv6 network is displayed.
Step 7 Run:
ipv6 enable
IPv6 is enabled on the interface.
Step 8 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
Or
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
The interface is configured with an IPv6 address.
Step 9 Run:
quit
Return to the system view.
----End
9.4.3 Configuring MPLS
This section describes how to configure the basic functions of MPLS including LSP setup and
LDP enabling.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
mpls lsr-id ip-address
The LSR ID is specified.
Step 3 Run:
mpls
MPLS is enabled and the MPLS view is displayed.
Step 4 Run:
quit
Return to the system view.
Step 5 Run:
mpls ldp
MPLS LDP is enabled.
Step 6 Run:
quit
Exit the system view.
Step 7 Run:
interface interface-type interface-number
The interface view of the IPv4 network is displayed.
Step 8 Run:
mpls
MPLS is enabled on the interface.
Step 9 Run:
mpls ldp
MPLS LDP is enabled on the interface.
----End
9.4.4 Enabling 6PE Peer
By configuring a particular 6PE peer, you enable it to exchange
routing information with the peer configured in the IPv6 view.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The IP address and the AS number of a specified BGP peer are specified.
Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number
The local interface used for the connection with the PE peer is specified.
Step 5 Run:
ipv6-family
The BGP-IPv6 unicast address family view is displayed.
Step 6 Run:
peer peer-ipv4-address enable
6PE peer is enabled.
Step 7 Run:
peer peer-ipv4-address label-route-capability
The labeled route capability is enabled for the 6PE peer.
----End
9.5 Maintaining IPv6 over IPv4 Tunnels
This section describes how to maintain an IPv6 over IPv4 tunnel, including how to monitor an
IPv6 over IPv4 tunnel.
9.5.1 Monitoring the Running Status of IPv6 over IPv4 Tunnel
This section describes how to monitor an IPv6 over IPv4 tunnel.
Context
In routine maintenance, you can run the following command in any view to check the operation
of an IPv6 over IPv4 tunnel.
Procedure
Step 1 Run the display ipv6 interface tunnel { interface-number } command in any view to check the
operation status of the tunnel interface.
----End
9.6 Configuration Examples
This section includes the networking requirements, configuration notes, and configuration
roadmap.
Context
NOTE
This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this document.
9.6.1 Example for Configuring an IPv6 over IPv4 Manual Tunnel
This section provides an example for configuring a manual IPv6 over IPv4 tunnel.
Networking Requirements
As shown in Figure 9-6, two IPv6 networks are connected to Router B in the IPv4 backbone
network through Router A and Router C, respectively. To enable communication between the two
IPv6 networks, configure an IPv6 over IPv4 manual tunnel between Router A and Router C.
NOTE
It is recommended that in an actual networking environment, the source address of the tunnel is specified
as the IP address of the loopback interface of the local device or the source interface of the tunnel is specified
as the loopback interface on the local device. It is also recommended that in an actual networking
environment, the destination address of the tunnel is specified as the IP address of the loopback interface
of the peer device.
Figure 9-6 Networking diagram of the IPv6 over IPv4 manual tunnel
[Figure: Router A (GE1/0/0, 192.168.50.2/24) and Router C (GE1/0/0, 192.168.51.2/24) are dual-stack routers, each attached to an IPv6 network. They are connected across the IPv4 network through Router B (GE1/0/0, 192.168.50.1/24; GE2/0/0, 192.168.51.1/24).]
Configuration Roadmap
The configuration roadmap of the IPv6 over IPv4 manual tunnel is as follows:
1. Configure IP addresses for physical interfaces.
2. Configure IPv6 addresses, the source interface, and the destination addresses for the tunnel
interfaces.
3. Set the tunnel protocol as IPv6-IPv4.
Data Preparation
To complete the configuration, you need the following data:
• IP addresses of interfaces
• IPv6 addresses, the source interfaces and the destination addresses of the tunnel interfaces
Procedure
Step 1 Configure Router A.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] quit
# Set the tunnel protocol as IPv6-IPv4.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4
# Configure the IPv6 address, source interface, and destination address for the tunnel interface.
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 3001::1/64
[RouterA-Tunnel1/0/0] source 192.168.50.2
[RouterA-Tunnel1/0/0] destination 192.168.51.2
[RouterA-Tunnel1/0/0] quit
# Configure static routes.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
Step 2 Configure Router B.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit
Step 3 Configure Router C.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] undo shutdown
[RouterC-GigabitEthernet1/0/0] quit
# Set the tunnel protocol as IPv6-IPv4.
[RouterC] interface tunnel 1/0/0
[RouterC-Tunnel1/0/0] tunnel-protocol ipv6-ipv4
# Configure the IPv6 address, source interface, and destination address for the tunnel interface.
[RouterC-Tunnel1/0/0] ipv6 enable
[RouterC-Tunnel1/0/0] ipv6 address 3001::2/64
[RouterC-Tunnel1/0/0] source 192.168.51.2
[RouterC-Tunnel1/0/0] destination 192.168.50.2
[RouterC-Tunnel1/0/0] quit
# Configure a static route.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
Step 4 Verify the configuration.
# On Router C, ping the IPv4 address of the interface GE 1/0/0 of Router A. Router C can receive
response packets from Router A.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms
# On Router C, ping the IPv6 address of Tunnel 1/0/0 of Router A. Router C can receive response
packets from Router A.
[RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=255 time = 28 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=255 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=255 time = 26 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=255 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=255 time = 26 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms
----End
Configuration File
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel1/0/0
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol ipv6-ipv4
source 192.168.50.2
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.51.1 255.255.255.0
#
return
• Configuration file of Router C
#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.51.2 255.255.255.0
#
interface Tunnel1/0/0
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol ipv6-ipv4
source 192.168.51.2
destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
9.6.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
Networking Requirements
NOTE
An IPv6 over IPv4 GRE tunnel cannot be configured on the X1 and X2 models of the NE80E/40E.
As shown in Figure 9-7, two IPv6 networks are connected to Router B in the IPv4 network
through Router A and Router C, respectively. To allow the two IPv6 networks to communicate
with each other, configure an IPv6 over IPv4 GRE tunnel between Router A and Router C.
NOTE
When configuring an IPv6 over IPv4 GRE tunnel, you must set the service mode of the SPUC to Tunnel
and bind the SPUC to the tunnel.
Figure 9-7 Networking diagram of the IPv6 over IPv4 GRE tunnel
[Figure: Router A (Loopback1, 1.1.1.1/32; POS1/0/0, 192.168.50.2/24) and Router C (Loopback1, 2.2.2.2/32; POS1/0/0, 192.168.51.2/24) are dual-stack routers, each attached to an IPv6 network. They are connected across the IPv4 network through Router B (POS1/0/0, 192.168.50.1/24; POS2/0/0, 192.168.51.1/24).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure IPv6 addresses, the source interface, and the destination address of the tunnel
interfaces.
3. Set the tunnel protocol as GRE.
Data Preparation
To complete the configuration, you need the following data:
• IP addresses of interfaces
• IPv6 addresses, the source interface, and the destination address of the tunnel interfaces
Procedure
Step 1 Configure Router A.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
# Create a loopback interface and assign an IPv4 address to it.
[RouterA] interface Loopback 1
[RouterA-LoopBack1] ip address 1.1.1.1 32
[RouterA-LoopBack1] quit
# Configure a static route from Router A to Router C.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
[RouterA] ip route-static 2.2.2.2 255.255.255.255 192.168.50.1
[RouterA] quit
# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.
<RouterA> set board-type slot 6 tunnel
<RouterA> system-view
[RouterA] interface tunnel 6/0/0
[RouterA-Tunnel6/0/0] tunnel-protocol gre
# Configure the IPv6 address, source interface, and destination address for the tunnel interface.
Bind the tunnel to the SPUC.
[RouterA] interface Loopback 1
[RouterA-LoopBack1] target-board 6
[RouterA-LoopBack1] binding tunnel gre
[RouterA-LoopBack1] quit
[RouterA] interface Tunnel 6/0/0
[RouterA-Tunnel6/0/0] ipv6 enable
[RouterA-Tunnel6/0/0] ipv6 address 3001::1 64
[RouterA-Tunnel6/0/0] source loopback 1
[RouterA-Tunnel6/0/0] destination 2.2.2.2
[RouterA-Tunnel6/0/0] quit
NOTE
The device supports tunnel binding only on the loopback interface.
Step 2 Configure Router B.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-Pos2/0/0] undo shutdown
[RouterB-Pos2/0/0] quit
Step 3 Configure Router C.
# Configure an IP address for the interface.
<HUAWEI> system-view
[HUAWEI] sysname RouterC
[RouterC] ipv6
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-Pos1/0/0] undo shutdown
[RouterC-Pos1/0/0] quit
# Create a loopback interface and assign an IPv4 address to it.
[RouterC] interface Loopback 1
[RouterC-LoopBack1] ip address 2.2.2.2 32
[RouterC-LoopBack1] quit
# Configure a static route from Router C to Router A.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
[RouterC] ip route-static 1.1.1.1 255.255.255.255 192.168.51.1
[RouterC] quit
# On Router C, ping the IPv4 address of POS 1/0/0 on Router A. Router C receives the response
packets from Router A.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
[RouterC] ping 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
This indicates that a reachable route exists between Router A and Router C.
# Set the service mode of the SPUC to Tunnel and the tunnel protocol mode to GRE.
<RouterC> set board-type slot 6 tunnel
<RouterC> system-view
[RouterC] interface tunnel 6/0/0
[RouterC-Tunnel6/0/0] tunnel-protocol gre
# Configure the IPv6 address, source interface, and destination IP address of the tunnel interface.
Bind the tunnel to the SPUC.
[RouterC] interface Loopback 1
[RouterC-LoopBack1] target-board 6
[RouterC-LoopBack1] binding tunnel gre
[RouterC-LoopBack1] quit
[RouterC] interface Tunnel 6/0/0
[RouterC-Tunnel6/0/0] ipv6 enable
[RouterC-Tunnel6/0/0] ipv6 address 3001::2 64
[RouterC-Tunnel6/0/0] source loopback 1
[RouterC-Tunnel6/0/0] destination 1.1.1.1
[RouterC-Tunnel6/0/0] quit
NOTE
The device supports tunnel binding only on the loopback interface.
Step 4 Verify the configuration
# On Router C, ping the IPv6 address of Tunnel 6/0/0 on Router A. Router C receives the response
packets from Router A.
[RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=255 time = 28 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=255 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=255 time = 26 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=255 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=255 time = 26 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
link-protocol ppp
ip address 192.168.50.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
target-board 6
binding tunnel gre
#
interface Tunnel6/0/0
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol gre
source loopback 1
destination 2.2.2.2
#
ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
ip route-static 2.2.2.2 255.255.255.255 192.168.50.1
#
return
• Configuration file of Router B
#
sysname RouterB
#
interface Pos1/0/0
link-protocol ppp
ip address 192.168.50.1 255.255.255.0
#
interface Pos2/0/0
link-protocol ppp
ip address 192.168.51.1 255.255.255.0
#
return
• Configuration file of Router C
#
sysname RouterC
#
ipv6
#
interface pos1/0/0
link-protocol ppp
ip address 192.168.51.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
target-board 6
binding tunnel gre
#
interface Tunnel6/0/0
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol gre
source loopback 1
destination 1.1.1.1
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
ip route-static 1.1.1.1 255.255.255.255 192.168.51.1
#
return
9.6.3 Example for Configuring an IPv6 over IPv4 Automatic Tunnel
Networking Requirements
As shown in Figure 9-8, two IPv6 networks are connected with the IPv4 backbone network
through Router A and Router B, respectively. To enable communications between the two IPv6
networks, configure an IPv6 over IPv4 automatic tunnel between Router A and Router B.
The interfaces connecting Router A and Router B to the IPv4 backbone network should be
configured with public IPv4 addresses.
NOTE
In a real-world networking environment, it is recommended that the source address of the tunnel
be specified as the IP address of the loopback interface of the local device, or that the source
interface of the tunnel be specified as the loopback interface on the local device. It is also
recommended that the destination address of the tunnel be specified as the IP address of the
loopback interface of the peer device.
Figure 9-8 Networking diagram of the IPv6 over IPv4 automatic tunnel
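[Figure: Router A (loopback1, 3.3.3.3/32; POS1/0/0, 2.1.1.1/8; Tunnel 1/0/0, ::2.1.1.1/96) and Router B (loopback1, 4.4.4.4/32; POS1/0/0, 2.1.1.2/8; Tunnel 1/0/0, ::2.1.1.2/96) are dual-stack routers, each attached to an IPv6 network and connected to each other across the IPv4 network.]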
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure the IPv6 addresses and source interface of the tunnel interface.
3. Set the tunnel protocol as automatic tunnel protocol.
Data Preparation
To complete the configuration, you need the following data:
• IP addresses of interfaces
• IPv6 address and source interface of the tunnel interface
To configure an automatic tunnel, the source interface of the tunnel rather than the destination
interface must be specified.
Procedure
Step 1 Configure Router A.
# Configure the IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-pos1/0/0] quit
# Create a loopback interface and assign an IPv4 address to it.
[RouterA] interface loopback 1
[RouterA-LoopBack1] ip address 3.3.3.3 32
[RouterA-LoopBack1] quit
# Configure a static route from Router A to Router B.
[RouterA] ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
[RouterA] ip route-static 4.4.4.4 255.255.255.255 2.1.1.2
# Configure an automatic tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address ::3.3.3.3/96
[RouterA-Tunnel1/0/0] source loopback 1
[RouterA-Tunnel1/0/0] quit
Step 2 Configure Router B.
# Configure the IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] quit
# Create a loopback interface and assign an IPv4 address to it.
[RouterB] interface loopback 1
[RouterB-LoopBack1] ip address 4.4.4.4 32
[RouterB-LoopBack1] quit
# Configure a static route from Router B to Router A.
[RouterB] ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
[RouterB] ip route-static 3.3.3.3 255.255.255.255 2.1.1.1
# Configure an automatic tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address ::4.4.4.4/96
[RouterB-Tunnel1/0/0] source loopback 1
[RouterB-Tunnel1/0/0] quit
Step 3 Verify the configuration.
# On Router A, view the status of Tunnel 1/0/0 and find it is Up.
[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::3.3.3.3, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# On Router A, ping the IPv4-compatible IPv6 address of the tunnel peer.
[RouterA] ping ipv6 ::4.4.4.4
PING ::4.4.4.4 : 56 data bytes, press CTRL_C to break
Reply from ::4.4.4.4
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from ::4.4.4.4
bytes=56 Sequence=2 hop limit=64 time = 40 ms
Reply from ::4.4.4.4
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from ::4.4.4.4
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::4.4.4.4
bytes=56 Sequence=5 hop limit=64 time = 50 ms
--- ::4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/34/50 ms
----End
Configuration File
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
link-protocol ppp
ip address 2.1.1.1 255.0.0.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address ::3.3.3.3/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source loopback 1
#
ip route-static 2.1.1.2 255.0.0.0 2.1.1.2
ip route-static 4.4.4.4 255.255.255.255 2.1.1.2
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
link-protocol ppp
ip address 2.1.1.2 255.0.0.0
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address ::4.4.4.4/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source loopback 1
#
ip route-static 2.1.1.1 255.0.0.0 2.1.1.1
ip route-static 3.3.3.3 255.255.255.255 2.1.1.1
#
return
9.6.4 Example for Configuring a 6to4 Tunnel
This section provides an example for configuring a 6to4 tunnel.
Networking Requirements
As shown in Figure 9-9, the two IPv6 networks are both 6to4 networks. Router A and Router B
each connect a 6to4 network to the IPv4 network. To enable communication between the hosts in
the two 6to4 networks, set up a 6to4 tunnel between Router A and Router B.
To enable communication between 6to4 networks, configure 6to4 addresses for the hosts in the
6to4 networks. A 6to4 address has a 48-bit prefix in the format 2002:IPv4-address, where the
32-bit IPv4 address is written in hexadecimal. As shown in Figure 9-9, the IPv4 address of the
interface through which Router A is connected to the IPv4 network is 2.1.1.1. Therefore, the
6to4 addresses in the 6to4 network of Router A should start with 2002:0201:0101::.
NOTE
It is recommended that in an actual networking environment, the source address of the tunnel is specified
as the IP address of the loopback interface of the local device or the source interface of the tunnel is specified
as the loopback interface on the local device. It is also recommended that in an actual networking
environment, the destination address of the tunnel is specified as the IP address of the loopback interface
of the peer device.
Figure 9-9 Networking diagram of the 6to4 tunnel
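[Figure: Router A (6to4 router; POS1/0/0, 2.1.1.1; Tunnel 1/0/0, 2002:201:101::1/64; GE2/0/0, 2002:201:101:1::1/64) serves the IPv6 network of PC1 (2002:201:101:1::2). Router B (6to4 router; POS1/0/0, 2.1.1.2; Tunnel 1/0/0, 2002:201:102::1/64; GE2/0/0, 2002:201:102:1::1/64) serves the IPv6 network of PC2 (2002:201:102:1::2). The two routers are connected across the IPv4 network.]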
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual-protocol stacks.
2. Configure the tunnel protocol as 6to4.
3. Configure related routes.
Data Preparation
To complete the configuration, you need the following data:
• IPv4 or IPv6 addresses of interfaces
• Source tunnel interface
Procedure
Step 1 Configure Router A.
# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-pos1/0/0] ip address 2.1.1.1 8
[RouterA-pos1/0/0] undo shutdown
[RouterA-pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit
# Configure a 6to4 tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit
# Configure a route to other 6to4 networks.
[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0
Step 2 Configure Router B.
# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-pos1/0/0] ip address 2.1.1.2 8
[RouterB-pos1/0/0] undo shutdown
[RouterB-pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2002:0201:0102:1::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit
# Configure a route to other 6to4 networks.
[RouterB] ipv6 route-static 2002:: 16 tunnel 1/0/0
NOTE
There must be an accessible route between Router A and Router B. In this example, both the devices are
directly connected; therefore, no routing protocol needs to be configured.
Step 3 Verify the configuration.
# Check the IPv6 state of Tunnel 1/0/0 on Router A and find it is UP.
[RouterA] display ipv6 interface tunnel 1/0/0
Tunnel1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
2002:201:101::1, subnet is 2002:201:101::/64
Joined group address(es):
FF02::1:FF01:101
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Router A can successfully ping the 6to4 address of GE 2/0/0 on Router B.
[RouterA] ping ipv6 2002:0201:0102:1::1
PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:201:102:1::1
bytes=56 Sequence=1 hop limit=255 time = 8 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=2 hop limit=255 time = 25 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=3 hop limit=255 time = 4 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=4 hop limit=255 time = 5 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=5 hop limit=255 time = 5 ms
--- 2002:0201:0102:1::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/9/25 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet 2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:102:1::1/64
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return
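The address rules used in 9.6.3 (the IPv4-compatible address ::a.b.c.d of an automatic tunnel) and 9.6.4 (the 48-bit 6to4 prefix 2002:IPv4-address) can be checked mechanically. The following Python script is an added example, not part of this guide or of any Huawei tool: it parses a configuration file in the layout shown above and reports 6to4 and automatic tunnels whose IPv6 address does not embed the tunnel source, or whose source is not a public IPv4 address. The function names and the sample configuration (including the deliberately wrong Tunnel1/0/2) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the guide's configuration-file layout (not a real device).
# Tunnel1/0/2 is deliberately wrong: its address embeds 2.1.1.2, its source is 2.1.1.1.
SAMPLE_CONFIG = """\
#
sysname RouterA
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
interface Tunnel1/0/0
 ipv6 enable
 ipv6 address 2002:201:101::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
interface Tunnel1/0/1
 ipv6 enable
 ipv6 address ::3.3.3.3/96
 tunnel-protocol ipv6-ipv4 auto-tunnel
 source loopback 1
#
interface Tunnel1/0/2
 ipv6 enable
 ipv6 address 2002:201:102::1/64
 tunnel-protocol ipv6-ipv4 6to4
 source 2.1.1.1
#
return
"""


def sixto4_prefix(v4):
    """Return 2002:V4ADDR::/48: 0x2002 in the top 16 bits, then the 32-bit IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def auto_tunnel_address(v4):
    """Return the IPv4-compatible IPv6 address ::a.b.c.d (IPv4 address in the low 32 bits)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def parse_stanzas(config):
    """Split the file on '#' separator lines into {normalized interface name: [lines]}."""
    stanzas = {}
    for block in re.split(r"(?m)^#[ \t]*$", config):
        # Indentation is ignored, so flattened copies of a configuration also parse.
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].lower().startswith("interface "):
            # "Tunnel 1/0/0" and "Tunnel1/0/0" both appear in the guide; treat them alike.
            name = lines[0].split(None, 1)[1].replace(" ", "").lower()
            stanzas[name] = lines[1:]
    return stanzas


def resolve_source(value, stanzas):
    """Return the source IPv4 address, following 'source loopback N' to that interface."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    for line in stanzas.get(value.replace(" ", "").lower(), []):
        match = re.match(r"ip address (\S+)", line)
        if match:
            return match.group(1)
    return None


def audit(config):
    """Return {tunnel name: finding} for each 6to4 and automatic tunnel in the file."""
    stanzas = parse_stanzas(config)
    findings = {}
    for name, lines in stanzas.items():
        fields = {}
        for line in lines:
            for key in ("tunnel-protocol ipv6-ipv4 ", "ipv6 address ", "source "):
                if line.startswith(key):
                    fields[key.strip()] = line[len(key):].strip()
        mode = fields.get("tunnel-protocol ipv6-ipv4")
        if mode not in ("6to4", "auto-tunnel"):
            continue  # manual and GRE tunnels carry no embedded IPv4 address
        src = resolve_source(fields.get("source", ""), stanzas)
        addr = fields.get("ipv6 address")
        if src is None or addr is None:
            findings[name] = "incomplete: source or IPv6 address missing"
            continue
        # Accept both "3001::1/64" and the CLI form "3001::1 64".
        iface = ipaddress.IPv6Interface(addr.replace(" ", "/"))
        # Assumption: the public-address requirement stated in 9.6.3 is applied to 6to4 too.
        if not ipaddress.IPv4Address(src).is_global:
            findings[name] = f"source {src} is not a public IPv4 address"
        elif mode == "6to4" and iface.ip not in sixto4_prefix(src):
            findings[name] = f"address {iface.ip} is outside {sixto4_prefix(src)}"
        elif mode == "auto-tunnel" and iface.ip != auto_tunnel_address(src):
            findings[name] = f"address {iface.ip} does not embed source {src}"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for tunnel, finding in audit(SAMPLE_CONFIG).items():
        print(f"{tunnel}: {finding}")
```

A mismatch such as the one in Tunnel1/0/2 leaves the interface configurable but makes return traffic resolve to a different IPv4 endpoint than the tunnel source, which is why it is worth catching before deployment.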
9.6.5 Example for Configuring 6to4 Relay
This section provides an example for configuring 6to4 relay.
Networking Requirements
As shown in Figure 9-10, Router A is a 6to4 device and is connected with an IPv6 network. As
a 6to4 relay device, Router B is connected with the IPv6 Internet (2001::/64). To enable
communication between the host in the 6to4 network and the host in the IPv6 Internet, configure
a 6to4 tunnel between Router A and Router B.
The configuration of the tunnel between a 6to4 relay device and a common 6to4 device is similar
to that between common 6to4 devices. A static route to the IPv6 Internet shall be configured on
the common 6to4 device so that the 6to4 network and the IPv6 network can communicate with
each other.
NOTE
It is recommended that in an actual networking environment, the source address of the tunnel is specified
as the IP address of the loopback interface of the local device or the source interface of the tunnel is specified
as the loopback interface on the local device. It is also recommended that in an actual networking
environment, the destination address of the tunnel is specified as the IP address of the loopback interface
of the peer device.
Figure 9-10 Networking diagram of accessing the IPv6 network through 6to4 relay
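[Figure: Router A (6to4 router; POS1/0/0, 2.1.1.1; Tunnel 1/0/0, 2002:201:101::1/64; GE2/0/0, 2002:201:101:1::1/64) serves the 6to4 network of PC1 (2002:201:101:1::2). Router B (6to4 relay; POS1/0/0, 2.1.1.2; Tunnel 1/0/0, 2002:201:102::1/64; GE2/0/0, 2001::1/64) connects to the IPv6 network of PC2 (2001::2). The two routers are connected across the IPv4 network.]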
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual protocol stacks.
2. Configure a 6to4 tunnel.
3. Configure related static routes.
Data Preparation
To complete the configuration, you need the following data:
• IPv4 or IPv6 addresses of interfaces
• Source tunnel interface
• Static routes to the devices that are not directly connected
Procedure
Step 1 Configure Router A.
# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-Pos1/0/0] undo shutdown
[RouterA-Pos1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] undo shutdown
[RouterA-GigabitEthernet2/0/0] quit
# Configure a 6to4 tunnel.
[RouterA] interface tunnel 1/0/0
[RouterA-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel1/0/0] ipv6 enable
[RouterA-Tunnel1/0/0] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel1/0/0] source 2.1.1.1
[RouterA-Tunnel1/0/0] quit
# Configure a static route to 2002::/16.
[RouterA] ipv6 route-static 2002:: 16 tunnel 1/0/0
# Configure a default route to the IPv6 network.
[RouterA] ipv6 route-static :: 0 2002:0201:0102::1
Step 2 Configure Router B.
# Configure IPv4/IPv6 dual protocol stacks.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] ipv6
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-Pos1/0/0] undo shutdown
[RouterB-Pos1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1/64
[RouterB-GigabitEthernet2/0/0] undo shutdown
[RouterB-GigabitEthernet2/0/0] quit
# Configure a 6to4 tunnel.
[RouterB] interface tunnel 1/0/0
[RouterB-Tunnel1/0/0] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel1/0/0] ipv6 enable
[RouterB-Tunnel1/0/0] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel1/0/0] source 2.1.1.2
[RouterB-Tunnel1/0/0] quit
# Configure a static route to 2002::/16.
[RouterB] ipv6 route-static 2002:: 16 tunnel 1/0/0
Step 3 Verify the configuration.
# Router A can ping through the IPv6 address of GE 2/0/0 on Router B.
[RouterA] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=255 time = 29 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=255 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=255 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=255 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=255 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/29 ms
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface pos1/0/0
link-protocol ppp
undo shutdown
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return
• Configuration file of Router B
#
sysname RouterB
#
ipv6
#
interface Pos1/0/0
#
link-protocol ppp
undo shutdown
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface Tunnel 1/0/0
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1/0/0
#
return
9.6.6 Example for Configuring an ISATAP Tunnel
This section provides an example for configuring an ISATAP tunnel.
Network Requirements
As shown in Figure 9-11, an IPv6 host in the IPv4 network running the Windows XP system
needs to access the IPv6 network through a border device. Both the IPv6 host and the border
device support ISATAP. Then you need to set up an ISATAP tunnel between the IPv6 host and
the border device.
Figure 9-11 Networking diagram of the ISATAP tunnel
[Figure: the ISATAP host (IPv4 address 2.1.1.2; ISATAP addresses FE80::5EFE:0201:0102 and 2001::5EFE:0201:0102) in the IPv4 network connects to the ISATAP router (GE2/0/0 2.1.1.1/8, GE1/0/0 3001::1/64). The IPv6 host (3001::2) is in the IPv6 network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4/IPv6 dual protocol stacks.
2. Configure an ISATAP tunnel.
3. Configure static routes from the IPv6 host to the ISATAP host.
Data Preparation
To complete the configuration, you need the following data:
• IPv4 or IPv6 addresses of interfaces
• Source interface of the tunnel
Procedure
Step 1 Configure the ISATAP device.
# Enable IPv4/IPv6 dual protocol stacks and configure an IP address for each interface.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[Router-GigabitEthernet1/0/0] undo shutdown
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] undo shutdown
[Router-GigabitEthernet2/0/0] quit
# Configure an ISATAP tunnel.
[Router] interface tunnel 2/0/0
[Router-Tunnel2/0/0] tunnel-protocol ipv6-ipv4 isatap
[Router-Tunnel2/0/0] ipv6 enable
[Router-Tunnel2/0/0] ipv6 address 2001::/64 eui-64
[Router-Tunnel2/0/0] source 2.1.1.1
[Router-Tunnel2/0/0] undo ipv6 nd ra halt
[Router-Tunnel2/0/0] quit
Step 2 Configure the ISATAP host.
# Configure a static route to the border device. (The pseudo interface number of the host is 2.
You can run the ipv6 if command to view the interface corresponding to the automatic tunneling
pseudo interface.)
C:\> ipv6 rlu 2 2.1.1.1
Step 3 Configure the IPv6 host.
# Configure a static route on the IPv6 host to the border device, so hosts in different networks
can communicate through the ISATAP tunnel.
C:\> ipv6 rtu 2001::/64 6/3001::1
Step 4 Verify the configuration.
# Check the status of Tunnel 2/0/0 on the ISATAP device. The status is Up.
[Router] display ipv6 interface tunnel 2/0/0
Tunnel2/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::5EFE:201:101
Global unicast address(es):
2001::5EFE:201:101, subnet is 2001::/64
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
# On the ISATAP device, ping the global unicast IP address of the tunnel interface on the
ISATAP host.
[Router] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=2 hop limit=64 time = 3 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- 2001::5efe:2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms
# On the ISATAP host, ping the global unicast IP address of the ISATAP device.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
# The ISATAP host can ping through the IPv6 host.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Ping statistics for 3001::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
----End
Configuration Files
The configuration file of the ISATAP device is as follows:
#
sysname Router
#
ipv6
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 3001::1/64
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel2/0/0
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source 2.1.1.1
#
return
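The tunnel addresses in the 6to4 and ISATAP examples above are not arbitrary: each embeds the IPv4 source of the tunnel (2.1.1.1 gives 2002:201:101::/48 and 2001::5EFE:201:101). The following Python sketch is an added example, not part of the Huawei guide; it derives those addresses, audits tunnel stanzas for a mismatch, and applies the same comparison to a decapsulated packet. The function names are hypothetical, and the Tunnel3/0/0 stanza is constructed to show a failure.

```python
import ipaddress
import re

def sixtofour_prefix(ipv4):
    """Return the 2002:V4ADDR::/48 prefix owned by the 6to4 site behind ipv4."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def isatap_address(prefix, ipv4):
    """Return the address built from a /64 prefix and the ::5EFE:a.b.c.d interface ID."""
    net = ipaddress.IPv6Interface(prefix).network
    if net.prefixlen != 64:
        raise ValueError("an ISATAP interface ID needs a /64 prefix")
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_ipv4(ipv6):
    """Return the IPv4 address carried in a 6to4 or ISATAP address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.sixtofour is not None:
        return addr.sixtofour
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    # Upper half of an ISATAP interface ID is 0000:5EFE (0200:5EFE with the u bit set).
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None

def outer_matches_inner(outer_v4_src, inner_v6_src):
    """Compare the IPv4 outer source with the IPv4 address embedded in the inner source.

    Returns None for a native IPv6 source (for example traffic forwarded by a
    relay), where the addresses alone cannot decide.
    """
    inner = embedded_ipv4(inner_v6_src)
    if inner is None:
        return None
    return inner == ipaddress.IPv4Address(outer_v4_src)

STANZA = re.compile(r"^interface (Tunnel ?\S+)\n(.*?)^#", re.M | re.S)

def audit_tunnels(config):
    """Check every tunnel stanza; return {interface: (ok, detail)}."""
    results = {}
    for name, body in STANZA.findall(config):
        name = name.replace(" ", "")
        proto = re.search(r"^\s*tunnel-protocol ipv6-ipv4 (\S+)", body, re.M)
        src = re.search(r"^\s*source (\S+)", body, re.M)
        addr = re.search(r"^\s*ipv6 address (\S+)( eui-64)?", body, re.M)
        if not (proto and src and addr):
            results[name] = (False, "incomplete stanza")
            continue
        try:
            v4 = ipaddress.IPv4Address(src.group(1))
        except ValueError:
            results[name] = (None, "source is an interface; resolve its IPv4 address first")
            continue
        have = ipaddress.IPv6Interface(addr.group(1)).ip
        if proto.group(1) == "6to4":
            want = sixtofour_prefix(v4)
            results[name] = (have in want, f"{have} vs {want}")
        elif proto.group(1) == "isatap":
            want = isatap_address(addr.group(1), v4)
            if addr.group(2):  # eui-64: the device derives the interface ID itself
                results[name] = (True, f"eui-64 yields {want}")
            else:
                results[name] = (have == want, f"{have} vs {want}")
        else:
            results[name] = (None, "not an automatic tunnel")
    return results

# Tunnel 1/0/0 and Tunnel2/0/0 are taken from the configuration files above;
# Tunnel3/0/0 is constructed: it pairs Router B's 6to4 address with Router A's source.
SAMPLE = """\
interface Tunnel 1/0/0
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
interface Tunnel2/0/0
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source 2.1.1.1
#
interface Tunnel3/0/0
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
"""

if __name__ == "__main__":
    for tunnel, (ok, detail) in audit_tunnels(SAMPLE).items():
        print(tunnel, "OK" if ok else "CHECK", detail)
    print(outer_matches_inner("2.1.1.1", "2002:201:101:1::2"))
```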
9.6.7 Example for Configuring 6PE
This section provides an example for configuring 6PE.
Networking Requirements
As shown in Figure 9-12, PE1 and PE2 support the 6PE feature, and CE1 and CE2 support
IPv6. IPv4 IBGP connections need to be established between the PEs in the IPv4/MPLS
network, which runs OSPF. The CEs are in the IPv6 networks and use IPv6 addresses to
exchange routing information with the PEs through static routes. The 6PE feature is
required to connect the user's IPv6 networks over the ISP's IPv4/MPLS network.
Figure 9-12 Networking diagram of 6PE
[Figure: CE1 (POS1/0/0 3000:435::2/64) in one IPv6 customer site connects to PE1 (POS1/0/0 3000:435::1/64, POS2/0/0 4.3.5.1/24). PE1 and PE2 (POS2/0/0 4.3.5.2/24, POS1/0/0 3000:1065::1/64) are connected across the IPv4/MPLS network. CE2 (POS1/0/0 3000:1065::2/64) in the other IPv6 customer site connects to PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.
2. Configure 6PE and enable MPLS capability.
3. Configure the 6PE peer.
4. Configure an IPv6 address for the interface and a static route on CE.
Data Preparation
To complete the configuration, you need the following data:
• IP addresses of interfaces
• LSR ID
Procedure
Step 1 Configure 6PE, enable IPv6 capability, and configure IPv4/IPv6 dual protocol stacks.
# Configure PE1 and enable its IPv6 capability.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] ipv6
# Configure PE2 and enable its IPv6 capability.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] ipv6
# Configure an IPv6 address for POS 1/0/0 on PE1 and an IP address for loopback0.
[PE1] interface pos 1/0/0
[PE1-Pos1/0/0] ipv6 enable
[PE1-Pos1/0/0] ipv6 address 3000:435::1 64
[PE1-Pos1/0/0] undo shutdown
[PE1-Pos1/0/0] quit
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 255.255.255.255
[PE1-LoopBack0] quit
# Configure an IPv6 address for POS 1/0/0 on PE2 and an IP address for loopback0.
[PE2] interface pos 1/0/0
[PE2-Pos1/0/0] ipv6 enable
[PE2-Pos1/0/0] ipv6 address 3000:1065::1 64
[PE2-Pos1/0/0] undo shutdown
[PE2-Pos1/0/0] quit
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 2.2.2.9 255.255.255.255
[PE2-LoopBack0] quit
Step 2 Configure 6PE and enable MPLS capability.
# Configure an IP address for POS 2/0/0 on PE1 and enable MPLS and LDP on it.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
Mpls starting, please wait... OK!
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface pos 2/0/0
[PE1-Pos2/0/0] ip address 4.3.5.1 255.255.255.0
[PE1-Pos2/0/0] mpls
[PE1-Pos2/0/0] mpls ldp
[PE1-Pos2/0/0] undo shutdown
[PE1-Pos2/0/0] quit
# Configure an IP address for POS 2/0/0 on PE2 and enable MPLS and LDP on it.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
Mpls starting, please wait... OK!
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface pos 2/0/0
[PE2-Pos2/0/0] ip address 4.3.5.2 255.255.255.0
[PE2-Pos2/0/0] mpls
[PE2-Pos2/0/0] mpls ldp
[PE2-Pos2/0/0] undo shutdown
[PE2-Pos2/0/0] quit
# Configure OSPF on PE1 and trigger the setup of LSPs.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure OSPF on PE2 and trigger the setup of LSPs.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 4.3.5.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
Step 3 Configure the 6PE peer.
# Configure IBGP on PE1, enable the 6PE capability on the peer, and import IPv6 direct and
static routes so that the PEs learn them from each other.
[PE1] bgp 65100
[PE1-bgp] peer 2.2.2.9 as-number 65100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 0
[PE1-bgp] ipv6-family
[PE1-bgp-af-ipv6] import-route direct
[PE1-bgp-af-ipv6] import-route static
[PE1-bgp-af-ipv6] peer 2.2.2.9 enable
[PE1-bgp-af-ipv6] peer 2.2.2.9 label-route-capability
[PE1-bgp-af-ipv6] quit
[PE1-bgp] quit
# Configure IBGP on PE2, enable the 6PE capability on the peer, and import IPv6 direct and
static routes so that the PEs learn them from each other.
[PE2] bgp 65100
[PE2-bgp] peer 1.1.1.9 as-number 65100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0
[PE2-bgp] ipv6-family
[PE2-bgp-af-ipv6] import-route direct
[PE2-bgp-af-ipv6] import-route static
[PE2-bgp-af-ipv6] peer 1.1.1.9 enable
[PE2-bgp-af-ipv6] peer 1.1.1.9 label-route-capability
[PE2-bgp-af-ipv6] quit
[PE2-bgp] quit
Step 4 Configure an IPv6 address for the interface and a static route on CE.
# Configure CE1 and set up an IPv6 connection between CE1 and PE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] ipv6
[CE1] interface pos 1/0/0
[CE1-Pos1/0/0] ipv6 enable
[CE1-Pos1/0/0] ipv6 address 3000:435::2 64
[CE1-Pos1/0/0] undo shutdown
[CE1-Pos1/0/0] quit
[CE1] ipv6 route-static :: 0 pos 1/0/0
# Configure CE2 and set up an IPv6 connection between CE2 and PE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] ipv6
[CE2] interface pos 1/0/0
[CE2-Pos1/0/0] ipv6 enable
[CE2-Pos1/0/0] ipv6 address 3000:1065::2 64
[CE2-Pos1/0/0] undo shutdown
[CE2-Pos1/0/0] quit
[CE2] ipv6 route-static :: 0 pos 1/0/0
Step 5 Verify the configuration.
# Display the LSP information on PE1.
[PE1] display mpls lsp
-----------------------------------------------------------
LSP Information: LDP LSP
-----------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
2.2.2.9/32 NULL/3 -/Pos2/0/0
2.2.2.9/32 3/NULL -/-
-----------------------------------------------------------
LSP Information: BGP IPV6 LSP
-----------------------------------------------------------
FEC : 3000:435::/64
In Label : 109568 Out Label : -----
In Interface : ----- OutInterface : -----
Vrf Name :
# Display the IPv6 routing information on PE1.
[PE1] display bgp ipv6 routing-table
Total Number of Routes: 5
BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
*> Network : ::1 PrefixLen : 128
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*> Network : 3000:435:: PrefixLen : 64
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label : NULL/109568
Path/Ogn : ?
*> Network : 3000:435::1 PrefixLen : 128
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
*>i Network : 3000:1065:: PrefixLen : 64
NextHop : ::FFFF:2.2.2.9 LocPrf : 100
MED : 0 PrefVal : 0
Label : 109568/NULL
Path/Ogn : ?
*> Network : FE80:: PrefixLen : 10
NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : ?
# CE1 can ping through the IPv6 address of CE2.
[CE1] ping ipv6 3000:1065::2
PING 3000:1065::2 : 56 data bytes, press CTRL_C to break
Reply from 3000:1065::2
bytes=56 Sequence=1 hop limit=63 time = 50 ms
Reply from 3000:1065::2
bytes=56 Sequence=2 hop limit=63 time = 1 ms
Reply from 3000:1065::2
bytes=56 Sequence=3 hop limit=63 time = 1 ms
Reply from 3000:1065::2
bytes=56 Sequence=4 hop limit=63 time = 1 ms
Reply from 3000:1065::2
bytes=56 Sequence=5 hop limit=63 time = 1 ms
--- 3000:1065::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/10/50 ms
----End
Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ipv6
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3000:435::1/64
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 4.3.5.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
bgp 65100
peer 2.2.2.9 as-number 65100
peer 2.2.2.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv6-family
undo synchronization
import-route direct
import-route static
peer 2.2.2.9 enable
peer 2.2.2.9 label-route-capability
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 4.3.5.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ipv6
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3000:1065::1/64
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 4.3.5.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
bgp 65100
peer 1.1.1.9 as-number 65100
peer 1.1.1.9 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv6-family
undo synchronization
import-route direct
import-route static
peer 1.1.1.9 enable
peer 1.1.1.9 label-route-capability
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 4.3.5.0 0.0.0.255
#
return
• Configuration file of CE1
#
sysname CE1
#
ipv6
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3000:435::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return
• Configuration file of CE2
#
sysname CE2
#
ipv6
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 3000:1065::2/64
#
ipv6 route-static :: 0 Pos1/0/0
#
return
10 IPv4 over IPv6 Tunnel Configuration
About This Chapter
The IPv4 over IPv6 tunnel technology is used to interconnect isolated IPv4 networks during the
transition from the IPv4 Internet to the IPv6 Internet.
Context
NOTE
IPv4 over IPv6 Tunnel cannot be configured on the X1 and X2 models of the NE80E/40E.
10.1 IPv4 over IPv6 Tunnel Overview
The principle of the IPv4 over IPv6 tunnel technology is that IPv4 packets are encapsulated into
IPv6 packets at the ingress of the tunnel.
10.2 Configuring an IPv4 over IPv6 Tunnel
This configuration task enables a device configured with the IPv4/IPv6 dual stack to transmit
IPv4 packets encapsulated with an IPv6 header.
10.3 Maintaining IPv4 over IPv6 Tunnels
This section describes how to maintain an IPv4 over IPv6 tunnel, including how to monitor an
IPv4 over IPv6 tunnel.
10.4 Configuration Examples
This section includes the networking requirements, configuration notes, and configuration
roadmap.
10.1 IPv4 over IPv6 Tunnel Overview
The principle of the IPv4 over IPv6 tunnel technology is that IPv4 packets are encapsulated into
IPv6 packets at the ingress of the tunnel.
10.1.1 Introduction to IPv4 over IPv6
You can create tunnels on the IPv6 networks to connect IPv4 isolated sites so that IPv4 isolated
sites can access other IPv4 networks through the IPv6 Internet.
During the transition from the IPv4 Internet to the IPv6 Internet, IPv6 networks have been widely
deployed, whereas IPv4 networks are isolated. The tunnel technology can be adopted to establish
tunnels over IPv6 networks to connect isolated IPv4 networks. This is similar to the situation
where the tunnel technology is used to deploy VPNs on IP networks. The tunnel used to connect
isolated IPv4 networks over IPv6 networks is called an IPv4 over IPv6 tunnel.
10.1.2 IPv4 over IPv6 Supported by the NE80E/40E
This section describes how to interconnect IPv4 networks through IPv6 networks.
The NE80E/40E supports the enabling of IPv4 and IPv6 protocol stacks on the devices at the
border of IPv6 and IPv4 networks.
Figure 10-1 Networking diagram of an IPv4 over IPv6 tunnel
[Figure: two IPv4 hosts in separate IPv4 networks, each behind a dual-stack router; the two routers are joined by an IPv4 over IPv6 tunnel across the IPv6 network. Outside the tunnel the packet is IPv4 header + IPv4 payload; inside the tunnel it is IPv6 header + IPv4 header + IPv4 payload.]
Figure 10-1 shows the principles of the IPv4 over IPv6 tunnel technology.
1. Enabling IPv4/IPv6 dual stacks
Enable IPv4 and IPv6 protocol stacks on the border device.
2. Encapsulating IPv6 packets
After receiving a packet from the IPv4 network, the border device takes the received IPv4
packet as the payload, adds an IPv6 packet header before the payload, and encapsulates it
into an IPv6 packet if the device finds that the destination of the packet is not itself.
3. Transmitting the encapsulated packet
In the IPv6 network, the encapsulated packet is transmitted to the peer border device.
4. Decapsulating the packet
The peer border device decapsulates the packet, removes the IPv6 packet header, and
forwards the decapsulated IPv4 packet to the remote IPv4 network.
10.2 Configuring an IPv4 over IPv6 Tunnel
This configuration task enables a device configured with the IPv4/IPv6 dual stack to transmit
IPv4 packets encapsulated with an IPv6 header.
10.2.1 Establishing the Configuration Task
This section describes the applicable environment, pre-configuration tasks, data preparation, and
configuration procedure for configuring an IPv4 over IPv6 tunnel.
Applicable Environment
To implement communication between IPv4 networks over the IPv6 network, configure an IPv4
over IPv6 tunnel on the border device of IPv4 and IPv6 networks.
Pre-configuration Tasks
Before configuring an IPv4 over IPv6 tunnel, complete the following tasks:
• Implementing the IP connectivity between the source and destination interfaces
• Configuring IPv4 and IPv6 protocol stacks
Data Preparation
To configure an IPv4 over IPv6 tunnel, you need the following data.
No.  Data
1    Number of the tunnel interface
2    Source IPv6 address or source interface of the tunnel interface
3    Destination IPv6 address of the tunnel interface
4    IPv4 address of the tunnel interface or the interface from which the IPv4 address is borrowed
10.2.2 Configuring a Tunnel Interface
To configure a tunnel interface, you need to configure the source and destination addresses of
the tunnel.
Procedure
Step 1 Run:
set board-type slot slot slot-id tunnel
The service mode of the SPUC is set to Tunnel.
Step 2 Run:
system-view
The system view is displayed.
Step 3 Run:
interface tunnel interface-number
The tunnel interface is created and the tunnel interface view is displayed.
The slot number of the created tunnel interface must be the same as that of the SPUC. For
instance, when the SPUC is inserted in slot 2, the slot number of the tunnel interface must be 2.
Step 4 Run:
tunnel-protocol ipv4-ipv6
The tunnel is specified as an IPv4 over IPv6 tunnel.
When you configure an IPv4 over IPv6 GRE tunnel, you must run the target-board slot-number
command on the loopback interface to bind the SPUC to 4 over 6 protocol.
Step 5 Run:
source { source-ip-address | interface-type interface-number }
The source IPv6 address or source interface of the tunnel interface is specified.
The source address specified by source ip-address must be the IPv6 address of the loopback
interface bound to the SPUC through the target-board command; the source interface specified
by source interface-type must be the loopback interface bound to the SPUC through the
target-board command.
Step 6 Run:
destination ip-address
The destination IPv6 address of the Tunnel interface is configured.
Step 7 Run one of the following commands to specify the IP address of the tunnel interface:
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IPv4
address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to
configure the tunnel interface to borrow an IPv4 address.
----End
10.2.3 Configuring Routes in the Tunnel
Packets can be normally forwarded only when routes exist on both the source device and
destination device of the tunnel. Do as follows on the devices on both ends of the tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Choose one of the following methods to configure the route with the outgoing interface as the
tunnel interface:
• Run the ip route-static ip-address { mask | mask-length } tunnel interface-number command
to configure static routes. Static routes must be configured on both ends of the tunnel. Note
that the destination address is the destination IPv4 address of the packet to be encapsulated
by the IPv4 over IPv6 tunnel; the next hop is the local tunnel interface.
• Configure dynamic routes. You can use the Border Gateway Protocol (BGP) or an Interior
Gateway Protocol (IGP), excluding Intermediate System-to-Intermediate System (IS-IS).
Detailed configurations are not mentioned here.
When configuring a dynamic routing protocol, you must enable it on the tunnel interface and
the interface on the link through which the IPv4 network is connected to the IPv6 network.
----End
10.2.4 Configuring Other Items for an IPv4 over IPv6 Tunnel
The other configurations of an IPv4 over IPv6 tunnel include the number of times that IPv6
encapsulation is performed for an IPv4 packet, traffic flag, maximum hops, and traffic class. Do
as follows on the devices on both ends of the tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.
Step 3 Run:
tunnel ipv4-ipv6 flow-label label-value
The flow label value is set.
By default, the flow label value is 0.
Step 4 Run:
tunnel ipv4-ipv6 hop-limit hop-limit
The hop limit is set.
By default, the hop limit is set to 64.
Step 5 Run:
tunnel ipv4-ipv6 traffic-class { original | class-value }
The traffic class is set.
By default, the traffic class is 0.
----End
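The encapsulation and decapsulation steps of 10.1.2 and the header parameters set in 10.2.4 can be seen together in the following Python sketch, which is an added example and not code from the Huawei guide. It assumes the standard Next Header value 4 for an IPv4 payload and assumes that traffic-class original copies the ToS byte of the inner IPv4 packet; the function names are hypothetical, the tunnel endpoints 2001::1 and 2002::2 and the IPv4 addresses are the ones used elsewhere in this chapter, and the inner packet is constructed.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_IPV4 = 4  # protocol number for an encapsulated IPv4 packet

def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header (0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, payload, tos=0, ttl=64, proto=17):
    """Constructed helper: minimal 20-byte IPv4 header followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def encapsulate(ipv4_packet, tunnel_src, tunnel_dst,
                flow_label=0, hop_limit=64, traffic_class=0):
    """Step 2: prepend an IPv6 header; defaults follow section 10.2.4."""
    if ipv4_packet[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    if traffic_class == "original":      # assumption: copy the inner ToS byte
        traffic_class = ipv4_packet[1]
    if not (0 <= flow_label < 1 << 20 and 0 <= traffic_class < 256 and 1 <= hop_limit < 256):
        raise ValueError("header field out of range")
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", word0, len(ipv4_packet), NEXT_HEADER_IPV4, hop_limit)
            + ipaddress.IPv6Address(tunnel_src).packed
            + ipaddress.IPv6Address(tunnel_dst).packed
            + ipv4_packet)

def decapsulate(packet, local_addr, peer_addr):
    """Step 4: validate the outer header, then return the inner IPv4 packet."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_header, _hop = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    if word0 >> 28 != 6 or next_header != NEXT_HEADER_IPV4:
        raise ValueError("not an IPv4-in-IPv6 packet")
    # Accept only packets exchanged between the two configured tunnel endpoints.
    if src != ipaddress.IPv6Address(peer_addr) or dst != ipaddress.IPv6Address(local_addr):
        raise ValueError("outer addresses do not match the configured tunnel endpoints")
    inner = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if len(inner) != payload_len or len(inner) < 20:
        raise ValueError("payload length mismatch")
    if inner[0] >> 4 != 4 or struct.unpack("!H", inner[2:4])[0] != len(inner):
        raise ValueError("inner packet is not a well-formed IPv4 packet")
    return inner

if __name__ == "__main__":
    inner = build_ipv4("10.1.2.2", "10.1.3.2", b"hello", tos=0xB8)
    outer = encapsulate(inner, "2001::1", "2002::2", traffic_class="original")
    print(len(inner), len(outer), outer[:8].hex())
    print(decapsulate(outer, local_addr="2002::2", peer_addr="2001::1") == inner)
```

The decapsulating side rejects a packet whose outer source is not the configured peer, which is the check that keeps arbitrary IPv6 senders from injecting IPv4 traffic through the tunnel endpoint.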
10.2.5 Checking the Configuration
You can view the configuration of an IPv4 over IPv6 tunnel.
Prerequisite
The configurations of the IPv4 over IPv6 Tunnel function are complete.
Procedure
• Run the display device slot-id command to check whether the service mode of the SPUC
is Tunnel.
• Run the display interface tunnel [ interface-number ] command to check the working
status of the tunnel interface.
• Run the display ip routing-table command to check the routing table.
----End
Example
If the service mode of the SPUC is Tunnel, run the display device 3 command, and you can
view that the type of the SPUC on the router is displayed as General.
<HUAWEI> display device 3
SPU3's detail information:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description: Line Processing Unit - General
Board status: Normal
Register: Registered
Uptime: 2009/02/26 18:33:23
CPU Utilization(%): 3%
Mem Usage(%): 19%
Clock information:
State item State
Current syn-clock: 17
Current line-clock: 23
Syn-clock state: Locked VCXO_OK REF_OK
Syn-clock 17 state: Actived
Syn-clock 18 state: Inactived
Line-clock 23 state: Inactived
Line-clock 24 state: Inactived
Statistic information:
Statistic item Statistic number
SERDES interface link lost: 0
Mpu switchs: 0
Syn-clock switchs: 0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Run the display interface tunnel command. If the status of the tunnel interface is Up, it means
that the configuration succeeds. For example:
<HUAWEI> display interface tunnel 2/0/0
Tunnel2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-06-22, 19:33:19
Description : Tunnel2/0/0 Interface, Route Port
Route Port,The Maximum Transmit Unit is 1452 bytes
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
Current system time: 2010-06-29 20:26:18
5 minutes input rate 10 bits/sec, 0 packets/sec
5 minutes output rate 14 bits/sec, 0 packets/sec
493 packets input, 38480 bytes
0 input error
447 packets output, 53144 bytes
0 output error
Run the display ip routing-table command. If the route with the outgoing interface as the tunnel
interface is displayed in the IPv4 routing table, it means that the configuration succeeds. For
example:
<HUAWEI> display ip routing-table
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Direct 0 0 10.1.1.2 GigabitEthernet2/0/0
10.1.1.2/32 Direct 0 0 127.0.0.1 InLoopBack0
10.2.1.0/24 Static 60 0 40.1.1.1 Tunnel2/0/0
20.1.1.0/24 Direct 0 0 20.1.1.1 Pos2/0/0
20.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0
20.1.1.2/32 Direct 0 0 20.1.1.2 Pos1/0/0
30.1.1.0/24 OSPF 10 3124 20.1.1.2 Pos1/0/0
40.1.1.0/24 Direct 0 0 40.1.1.1 Tunnel2/0/0
40.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0
Run the ping -a source-ipv4-address dest-ipv4-address command. The local tunnel interface
can ping the destination tunnel interface.
10.3 Maintaining IPv4 over IPv6 Tunnels
This section describes how to maintain an IPv4 over IPv6 tunnel, including how to monitor an
IPv4 over IPv6 tunnel.
10.3.1 Monitoring the Operation Status of IPv4 over IPv6 Tunnel
This section describes how to monitor an IPv4 over IPv6 tunnel.
Context
In routine maintenance, you can run the following commands in any view to check the operation
of an IPv4 over IPv6 tunnel.
Procedure
• Run the display interface tunnel [ interface-number ] command in any view to check the
operation status of the tunnel interface.
• Run the display interface tunnel interface-number command in any view to check the
IPv4 attributes of the tunnel interface.
----End
10.4 Configuration Examples
This section includes the networking requirements, configuration notes, and configuration
roadmap.
10.4.1 Example for Configuring an IPv4 over IPv6 Tunnel
Networking Requirements
Figure 10-2 Networking diagram of an IPv4 over IPv6 tunnel
[Figure not reproduced. It shows routers RT1 to RT5, two IPv4 networks and one IPv6 network, with these interface labels: POS1/0/0 10.1.2.2/30; POS1/0/0 10.1.2.1/30; POS2/0/0 10.1.3.1/30; POS1/0/0 10.1.3.2/30; POS2/0/0 2001::1/64; POS1/0/0 2001::2/64; POS1/0/0 2002::2/64; POS2/0/0 2002::1/64.]
As shown in Figure 10-2, two IPv4 networks are connected to an IPv6 network through Router
1 and Router 5, respectively. Border devices Router 2 and Router 4 of the IPv6 network support
IPv4 and IPv6 dual stacks. To enable communications between the two IPv4 networks, configure
an IPv4 over IPv6 tunnel between Router 2 and Router 4.
NOTE
• An IPv4 over IPv6 tunnel does not support IS-IS.
• When configuring an IPv4 over IPv6 tunnel, you must set the service mode of the SPUC to Tunnel. In
addition, you must bind the SPUC to the tunnel.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6 network.
2. Use a dynamic routing protocol to configure the route with the outgoing interface as the
tunnel interface.
Data Preparation
To complete the configuration, you need the following data:
• Routing protocols applied to the IPv6 and IPv4 networks
• Source and destination IPv6 addresses of the tunnel
• IPv4 address of the tunnel interface
Procedure
Step 1 Configure the IPv6 address of the physical interface and IS-ISv6 of the IPv6 network to
implement the connectivity of the IPv6 network.
# Configure Router 2.
<HUAWEI> system-view
[HUAWEI] sysname Router2
[Router2] ipv6
[Router2] interface pos 2/0/0
[Router2-Pos2/0/0] ipv6 enable
[Router2-Pos2/0/0] ipv6 address 2001::1 64
[Router2-Pos2/0/0] undo shutdown
[Router2-Pos2/0/0] quit
[Router2] isis 1
[Router2-isis-1] network-entity 10.0000.0000.0001.00
[Router2-isis-1] ipv6 enable topology standard
[Router2-isis-1] quit
[Router2] interface pos 2/0/0
[Router2-Pos2/0/0] isis ipv6 enable 1
[Router2-Pos2/0/0] quit
# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.
[Router2] interface Loopback 1
[Router2-LoopBack1] ipv6 enable
[Router2-LoopBack1] ipv6 address 2::2 64
[Router2-LoopBack1] isis ipv6 enable 1
[Router2-LoopBack1] quit
# Configure Router 3.
<HUAWEI> system-view
[HUAWEI] sysname Router3
[Router3] ipv6
[Router3] interface pos 1/0/0
[Router3-Pos1/0/0] ipv6 enable
[Router3-Pos1/0/0] ipv6 address 2001::2 64
[Router3-Pos1/0/0] undo shutdown
[Router3-Pos1/0/0] quit
[Router3] interface pos 2/0/0
[Router3-Pos2/0/0] ipv6 enable
[Router3-Pos2/0/0] ipv6 address 2002::1 64
[Router3-Pos2/0/0] undo shutdown
[Router3-Pos2/0/0] quit
[Router3] isis 1
[Router3-isis-1] network-entity 10.0000.0000.0002.00
[Router3-isis-1] ipv6 enable topology standard
[Router3-isis-1] quit
[Router3] interface pos 1/0/0
[Router3-Pos1/0/0] isis ipv6 enable 1
[Router3-Pos1/0/0] quit
[Router3] interface pos 2/0/0
[Router3-Pos2/0/0] isis ipv6 enable 1
[Router3-Pos2/0/0] quit
# Configure Router 4.
<HUAWEI> system-view
[HUAWEI] sysname Router4
[Router4] ipv6
[Router4] interface pos 1/0/0
[Router4-Pos1/0/0] ipv6 enable
[Router4-Pos1/0/0] ipv6 address 2002::2 64
[Router4-Pos1/0/0] undo shutdown
[Router4-Pos1/0/0] quit
[Router4] isis 1
[Router4-isis-1] network-entity 10.0000.0000.0003.00
[Router4-isis-1] ipv6 enable topology standard
[Router4-isis-1] quit
[Router4] interface pos 1/0/0
[Router4-Pos1/0/0] isis ipv6 enable 1
[Router4-Pos1/0/0] quit
# Create a loopback interface, assign an IPv6 address to it, and enable IS-ISv6.
[Router4] interface Loopback 1
[Router4-LoopBack1] ipv6 enable
[Router4-LoopBack1] ipv6 address 4::4 64
[Router4-LoopBack1] isis ipv6 enable 1
[Router4-LoopBack1] quit
Step 2 Configure the IPv4 address and OSPF of the physical interfaces for the IPv4 networks to
implement the connectivity of the IPv4 networks.
# Configure Router 1.
<HUAWEI> system-view
[HUAWEI] sysname Router1
[Router1] interface pos 1/0/0
[Router1-Pos1/0/0] ip address 10.1.2.2 30
[Router1-Pos1/0/0] undo shutdown
[Router1-Pos1/0/0] quit
[Router1] ospf 1
[Router1-ospf-1] area 0
[Router1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3
# Configure Router 2.
<Router2> system-view
[Router2] interface pos 1/0/0
[Router2-Pos1/0/0] ip address 10.1.2.1 30
[Router2-Pos1/0/0] undo shutdown
[Router2-Pos1/0/0] quit
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3
# Configure Router 4.
<Router4> system-view
[Router4] interface pos 2/0/0
[Router4-Pos2/0/0] ip address 10.1.3.1 30
[Router4-Pos2/0/0] quit
[Router4] ospf 1
[Router4-ospf-1] area 0
[Router4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3
# Configure Router 5.
<HUAWEI> system-view
[HUAWEI] sysname Router5
[Router5] interface pos 1/0/0
[Router5-Pos1/0/0] ip address 10.1.3.2 30
[Router5-Pos1/0/0] undo shutdown
[Router5-Pos1/0/0] quit
[Router5] ospf 1
[Router5-ospf-1] area 0
[Router5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3
Step 3 Configure the tunnel interface.
# Create a tunnel interface and configure the IPv4 address, source IPv6 address (or source
interface), and destination IPv6 address of the tunnel interface. Bind the SPUC to the tunnel.
NOTE
The device supports tunnel binding only on the loopback interface.
# Configure Router 2.
<Router2> set board-type slot 6 tunnel
<Router2> system-view
[Router2] interface Loopback 1
[Router2-LoopBack1] target-board 6
[Router2-LoopBack1] binding tunnel ipv4-ipv6
[Router2-LoopBack1] quit
[Router2] interface tunnel 6/0/0
[Router2-Tunnel6/0/0] tunnel-protocol ipv4-ipv6
[Router2-Tunnel6/0/0] ip address 10.1.1.1 30
[Router2-Tunnel6/0/0] source loopback1
[Router2-Tunnel6/0/0] destination 4::4
# Configure Router 4.
<Router4> set board-type slot 6 tunnel
<Router4> system-view
[Router4] interface Loopback 1
[Router4-LoopBack1] target-board 6
[Router4-LoopBack1] binding tunnel ipv4-ipv6
[Router4-LoopBack1] quit
[Router4] interface tunnel 6/0/0
[Router4-Tunnel6/0/0] tunnel-protocol ipv4-ipv6
[Router4-Tunnel6/0/0] ip address 10.1.1.2 30
[Router4-Tunnel6/0/0] source loopback1
[Router4-Tunnel6/0/0] destination 2::2
Step 4 Configure the route with the outgoing interface as the tunnel interface.
# Configure Router 2.
<Router2> system-view
[Router2] ospf 1
[Router2-ospf-1] area 0
[Router2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit
# Configure Router 4.
<Router4> system-view
[Router4] ospf 1
[Router4-ospf-1] area 0
[Router4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
Step 5 Verify the configuration.
After the configuration is complete, view the tunnel interface on Router 2 and Router 4. The
protocol status of the tunnel interface is Up.
[Router2] display interface tunnel 6/0/0
Tunnel6/0/0 current state : UP
Line protocol current state : UP
Last up time: 2007-11-16, 12:26:17
Description : Tunnel2/0/0 Interface, Route Port
The Maximum Transmit Unit is 1452 bytes
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
5 minutes input rate 10 bits/sec, 0 packets/sec
5 minutes output rate 14 bits/sec, 0 packets/sec
493 packets input, 38480 bytes
0 input error
447 packets output, 53144 bytes
0 output error
On Router 2 and Router 4, view the IPv4 routing table. The outgoing interfaces
to the remote IPv4 network are tunnel interfaces.
[Router2] display ip routing-table
Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0
10.1.1.0/30 Direct 0 0 10.1.1.1 Tunnel2/0/0
10.1.1.1/32 Direct 0 0 127.0.0.1 InLoopBack0
10.1.2.0/30 Direct 0 0 10.1.2.1 Pos1/0/0
10.1.2.1/32 Direct 0 0 127.0.0.1 InLoopBack0
10.1.2.2/32 Direct 0 0 10.1.2.2 Pos1/0/0
10.1.3.0/24 OSPF 10 2 10.1.1.2 Tunnel2/0/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0
Router 1 and Router 5 can ping each other.
----End
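An added example, not part of the Huawei guide: a Python check that parses the two display outputs from Step 5 and compares them with the tunnel values configured in Step 3. The excerpts are copied from the sample output above; EXPECTED, the function names, and the choice of Router 5's address 10.1.3.2 as the remote host are assumptions of this example.

```python
import ipaddress
import re

# Excerpts of the Step 5 sample output printed on this page (Router 2).
IFACE_OUT = """\
Tunnel6/0/0 current state : UP
Line protocol current state : UP
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
"""
ROUTE_OUT = """\
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/30 Direct 0 0 10.1.1.1 Tunnel2/0/0
10.1.2.0/30 Direct 0 0 10.1.2.1 Pos1/0/0
10.1.3.0/24 OSPF 10 2 10.1.1.2 Tunnel2/0/0
"""

# Assumed audit target: Step 3 values for Router 2, plus Router 5's address.
EXPECTED = {"name": "Tunnel6/0/0", "address": "10.1.1.1/30",
            "source": "2::2", "destination": "4::4", "remote_host": "10.1.3.2"}

FIELDS = {
    "name": r"^(Tunnel\S+) current state : \S+",
    "state": r"^Tunnel\S+ current state : (\S+)",
    "protocol": r"^Line protocol current state : (\S+)",
    "address": r"^Internet Address is (\S+)",
    "encapsulation": r"^Encapsulation is (\w+)",
    "source": r"^Tunnel Source (\S+)",
    "destination": r"^Tunnel Destination (\S+)",
}

def parse_tunnel(text):
    """Extract FIELDS from 'display interface tunnel' output (None if absent)."""
    hits = {k: re.search(p, text, re.MULTILINE) for k, p in FIELDS.items()}
    return {k: m.group(1) if m else None for k, m in hits.items()}

def best_route(text, host):
    """Longest-prefix match for host in 'display ip routing-table' output."""
    addr, best = ipaddress.ip_address(host), None
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or not re.fullmatch(r"[\d.]+/\d+", cols[0]):
            continue  # header, banner or wrapped line
        net = ipaddress.ip_network(cols[0], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cols[1], cols[5])
    return best

def audit(iface_text, route_text, exp):
    """Return mismatches between the displayed state and the intended config."""
    t, findings = parse_tunnel(iface_text), []
    if t["state"] != "UP" or t["protocol"] != "UP":
        findings.append("tunnel interface or line protocol is not UP")
    if t["encapsulation"] != "TUNNEL6":
        findings.append(f"encapsulation is {t['encapsulation']}, not TUNNEL6")
    for key in ("name", "address", "source", "destination"):
        seen, want = t[key], exp[key]
        if key in ("source", "destination") and seen:
            # Compare IPv6 addresses by value, not by text form.
            seen, want = ipaddress.ip_address(seen), ipaddress.ip_address(want)
        if seen != want:
            findings.append(f"{key} is {t[key]}, expected {exp[key]}")
    route = best_route(route_text, exp["remote_host"])
    via = route[2] if route else None
    if via != exp["name"]:
        findings.append(f"route to {exp['remote_host']} leaves via {via}, expected {exp['name']}")
    return findings
```

Run over the Step 5 sample as printed, audit() returns three findings: the displayed source and destination (2001::1, 2002::2) and the route's outgoing interface (Tunnel2/0/0) do not match the 2::2, 4::4 and Tunnel6/0/0 that Step 3 configures.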
Configuration Files
• Configuration file of Router 1
#
sysname Router1
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.1.2.2 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.3
#
return
• Configuration file of Router 2
#
sysname Router2
#
ipv6
#
isis 1
network-entity 10.0000.0000.0001.00
#
ipv6 enable topology standard
#
interface Pos1/0/0
link-protocol ppp
ip address 10.1.2.1 255.255.255.252
#
interface Pos2/0/0
link-protocol ppp
ipv6 enable
ipv6 address 2001::1/64
isis ipv6 enable 1
#
interface LoopBack1
ipv6 enable
ipv6 address 2::2/64
isis ipv6 enable 1
target-board 6
binding tunnel ipv4-ipv6
#
interface Tunnel6/0/0
ip address 10.1.1.1 255.255.255.252
tunnel-protocol ipv4-ipv6
source loopback 1
destination 4::4
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.3
network 10.1.1.0 0.0.0.3
#
return
• Configuration file of Router 3
#
sysname Router3
#
ipv6
#
isis 1
network-entity 10.0000.0000.0002.00
#
ipv6 enable topology standard
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 2001::2/64
isis ipv6 enable 1
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ipv6 enable
ipv6 address 2002::1/64
isis ipv6 enable 1
#
return
• Configuration file of Router 4
#
sysname Router4
#
ipv6
#
isis 1
network-entity 10.0000.0000.0003.00
#
ipv6 enable topology standard
#
interface Pos1/0/0
link-protocol ppp
ipv6 enable
ipv6 address 2002::2/64
isis ipv6 enable 1
#
interface Pos2/0/0
link-protocol ppp
ip address 10.1.3.1 255.255.255.252
#
interface LoopBack1
ipv6 enable
ipv6 address 4::4/64
isis ipv6 enable 1
target-board 6
binding tunnel ipv4-ipv6
#
interface Tunnel6/0/0
ip address 10.1.1.2 255.255.255.252
tunnel-protocol ipv4-ipv6
source loopback 1
destination 2::2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.1.3.0 0.0.0.3
#
return
• Configuration file of Router 5
#
sysname Router5
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ip address 10.1.3.2 255.255.255.252
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.3
#
return
A Glossary
This appendix collates terms frequently used in this document.
A
Access Control List: A list composed of multiple sequential permit/deny statements. In a firewall, after an ACL is applied to an interface on the device, the device decides which packets can be forwarded and which packets should be denied. In QoS, ACLs are used to classify traffic.
Acknowledge: To confirm an action. The acknowledgement (ACK) message is sent from one device to another.
Address Resolution Protocol: A protocol used to map an IP address to a MAC address, as defined in RFC 826.
ATM: Asynchronous Transfer Mode. A data transmission technology in which data (files, voice, and video) is transferred in cells with a fixed length (53 bytes). The fixed length allows the cells to be processed by hardware. The objective of ATM is to make good use of high-speed transmission media such as E3, SONET, and T3.
B
Broadcast: To send packets to all ports of the nodes in the network.
D
Domain name: A name composed of numbers or characters. Each domain name corresponds to an IP address.
Dotted decimal notation: A format of IP address. IP addresses in this format are separated into four parts by dots ("."), with each part written as a decimal number.
E
Ethernet: A technology implemented in LANs. It adopts Carrier Sense Multiple Access/Collision Detection. The speed of an Ethernet interface can be 10 Mbit/s, 100 Mbit/s, 1000 Mbit/s, or 10000 Mbit/s. Ethernet networks feature high reliability and easy maintenance.
F
File Transfer Protocol: An application layer protocol based on TCP/IP. It is used to transfer large amounts of data reliably between the user and the remote host. FTP is implemented based on the corresponding file system.
I
IPv6: Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng). It is an updated version of IPv4, a new version of the Internet Protocol designed as the successor to IPv4. Its specifications and standards are consistent with those of the Internet Engineering Task Force (IETF). The difference between IPv6 and IPv4 is that an IPv4 address has 32 bits while an IPv6 address has 128 bits.
L
Local Area Network: A network intended to serve a small geographic area (a few square kilometers or less), a single office or building, or a small defined group of users. It features high speed and few errors. Ethernet, FDDI, and Token Ring are three technologies implemented in LANs.
M
MAC address: A link layer address or physical address. It is six bytes long.
MTU: The maximum size of packets that an interface can process, in bytes.
N
Neighbor Discovery: A process to discover neighboring nodes.
P
Ping: To test the reachability of a device in the network through ICMP Echo messages.
Policy-based Routing: A routing mechanism based on user-defined policies. It can implement secure communication and load balancing.
PPP: A serial point-to-point link used for special transmission between two devices.
R
Router: A device running at the network layer. After receiving a packet, the device searches the routing table for a proper route and sends the packet to the next hop. The last hop device sends the packet to the host directly.
T
Telnet: An application layer protocol based on TCP/IP. It implements remote login and virtual terminal. It
Time Range: A special time period.
Traffic: A group of packets sent from the source to the destination and matching a certain classification.
Tunnel: In a VPN, a transport tunnel set up between two entities to prevent interior users from interrupting and to ensure security.
U
Unicast: To send packets to one destination network.
V
VPN: Virtual Private Network (VPN). It implements an apparent single private network (as seen by the user) over a number of separate public and private networks. Virtual indicates that this kind of network is a logical network.
VRP: Versatile Routing Platform. It is a versatile operating system platform developed by Huawei.
W
Wide Area Network: A network that covers a large geographic area, such as a country or a state. Devices in this network are connected through certain protocols or physical links.
X
X.25: A data link layer protocol. It defines the communication in the Public Data Network (PDN) between a host and a remote terminal.
B Acronyms and Abbreviations
This appendix collates frequently used acronyms and abbreviations in this document.
A
AAA Authentication, Authorization and Accounting
ACK Acknowledgement
ASCII American Standard Code for Information Interchange
ATM Asynchronous Transfer Mode
B
BGP Border Gateway Protocol
C
CIDR Classless Inter-Domain Routing
D
DHCP Dynamic Host Configuration Protocol
DLCI Data Link Control Identifier
DNS Domain Name System
DOS Denial of Service
DAD Duplicate Address Detect
E
EBGP External BGP
F
FEC Forward Error Correction
FIB Forward Information Base
G
GRE Generic Routing Encapsulation
H
HDLC High level Data Link Control
HTTP Hyper Text Transport Protocol
I
IBGP Internal BGP
ICMP Internet Control Message Protocol
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGP Interior Gateway Protocol
IP Internet Protocol
IPoEoA IP over Ethernet over AAL5
IPSec Internet Protocol SECurity extensions
IS-IS Intermediate System-Intermediate System
ISP Internet Service Provider
L
LDP Label Distribution Protocol
LSP Label Switch Path
M
MAC Medium Access Control
MED Multi-Exit discrimination
MPLS Multi-Protocol Label Switching
N
NAT Network Address Translation
NAT-PT Network Address Translation - Protocol Translation
NIC Network Information Center
O
OSPF Open Shortest Path First
P
PC Personal Computer
PE Provider Edge
POS Packet Over SDH/SONET
PPP Point-to-Point Protocol
PVC Permanent Virtual Circuit
Q
QoS Quality of Service
R
RIP Routing Information Protocol
RPR Resilient Packet Ring
S
SLIP Serial Line Internet Protocol
SNMP Simple Network Management Protocol
SVC Switched Virtual Channel
T
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TOS Type of Service
TTL Time To Live
U
UDP User Datagram Protocol
URPF Unicast Reverse Path Forwarding
V
VLAN Virtual Local Area Network
VPN Virtual Private Network
VRP Versatile Routing Platform
VRRP Virtual Router Redundancy Protocol
VT Virtual-Template
W
WINS Windows Internet Name Service
WWW World Wide Web