H3C MSR 2600 Series Configuration Manual Download Page 89 | Manualshive

Page: 89 / 288

background image

74

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain
identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts

the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The

DHCP server might also fail to work because of exhaustion of system resources. For information about the

fields of DHCP packet, see "

DHCP message format

Protect against starvation attacks in the following ways:

•

To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender
MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using

the

mac-address max-mac-count

command. For more information about the command, see

Layer

2—LAN Switching Command Reference

.

•

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender

MAC address, perform this task to enable MAC address check for DHCP snooping. This function
compares the chaddr field of a received DHCP request with the source MAC address field in the

frame header. If they are the same, the request is considered valid and forwarded to the DHCP

server. If not, the request is discarded.

To enable MAC address check:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter interface view.

interface

interface-type interface-number

N/A

3.

Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address
check is disabled.

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and

DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST

messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no

longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the

IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate
DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries

to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, this feature

compares the entry with the message information. If they are consistent, the message is considered as
valid and forwarded to the DHCP server. If they are different, the message is considered as a forged

message and is discarded. If no matching entry is found, the message is considered valid and forwarded

to the DHCP server.
To enable DHCP-REQUEST check:

«
...
87
88
89
90
91
...
»

Summary of Contents for MSR 2600 Series

Page 1: ...H3C MSR Series Routers Layer 3 IP Services Configuration Guide V7 Hangzhou H3C Technologies Co Ltd http www h3c com Software version MSR CMW710 R0007 Document version 6W100 20140320...

Page 2: ...ne SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective...

Page 3: ...als and configuration such as IP addressing ARP DNS DHCP NAT GRE and tunneling configuration This preface includes Audience Conventions About the H3C MSR documentation set Obtaining documentation Tech...

Page 4: ...gument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments Symbols Convention Description WARNING An alert that c...

Page 5: ...ut the product release including the version history hardware and software compatibility matrix version upgrade information technical support information and software upgrading Obtaining documentation...

Page 6: ...We appreciate your comments...

Page 7: ...iodic sending of gratuitous ARP packets 8 Configuration procedure 9 Enabling IP conflict notification 10 Configuring proxy ARP 11 Enabling common proxy ARP 11 Enabling local proxy ARP 11 Displaying pr...

Page 8: ...tion task list 35 Creating a DHCP address pool 36 Specifying IP address ranges for a DHCP address pool 36 Specifying gateways for the client 39 Specifying a domain name suffix for the client 40 Specif...

Page 9: ...value for DHCP packets sent by the DHCP relay agent 61 Displaying and maintaining the DHCP relay agent 61 DHCP relay agent configuration examples 61 DHCP relay agent configuration example 61 Option 82...

Page 10: ...uring static domain name resolution 86 Configuring dynamic domain name resolution 87 Configuring the DNS proxy 87 Configuring DNS spoofing 88 Specifying the source interface for DNS packets 88 Configu...

Page 11: ...with ALG 117 NAT configuration task list 118 Configuring static NAT 118 Configuration prerequisites 118 Configuring outbound one to one static NAT 118 Configuring outbound net to net static NAT 119 C...

Page 12: ...table 159 Optimizing IP performance 161 Enabling an interface to receive and forward directed broadcasts destined for the directly connected network 161 Configuration procedure 161 Configuration exam...

Page 13: ...figuring the interface MTU 193 Configuring a static path MTU for a specific IPv6 address 193 Configuring the aging time for dynamic path MTUs 193 Controlling sending ICMPv6 packets 194 Configuring the...

Page 14: ...d maintaining the DHCPv6 relay agent 223 DHCPv6 relay agent configuration example 223 Network requirements 223 Configuration procedure 223 Verifying the configuration 224 Configuring DHCPv6 snooping 2...

Page 15: ...nnel 250 6to4 tunnel configuration example 251 6to4 relay configuration example 253 Configuring an ISATAP tunnel 254 Configuration example 255 Configuring an IPv4 over IPv4 tunnel 258 Configuration ex...

Page 16: ...dress length field is 6 For an IPv4 address the value of the protocol address length field is 4 OP Operation code which describes the type of ARP message Value 1 represents an ARP request and value 2...

Page 17: ...s into the packet and sends the packet to Host B Figure 2 ARP address resolution process If Host A and Host B are on different subnets Host A sends a packet to Host B as follows 5 Host A broadcasts an...

Page 18: ...RP entry on the device To communicate with a host by using a fixed IP to MAC mapping through a specific interface in a specific VLAN configure a long static ARP entry on the device Configuring a stati...

Page 19: ...tries until the number of dynamic ARP entries is below the configured value To set the maximum number of dynamic ARP entries for a device Step Command Remarks 1 Enter system view system view N A 2 Set...

Page 20: ...ARP entries is 20 minutes Enabling dynamic ARP entry check The dynamic ARP entry check function controls whether the device supports dynamic ARP entries containing multicast MAC addresses When dynamic...

Page 21: ...y for a specific IP address MSR 2600 MSR 3600 display arp ip address verbose Display the ARP entry for a specific IP address MSR 5600 display arp ip address slot slot number verbose Display the ARP en...

Page 22: ...interface vlan interface 10 Switch vlan interface10 ip address 192 168 1 2 8 Switch vlan interface10 quit Configure a static ARP entry that has IP address 192 168 1 1 MAC address 00e0 fc01 0000 and o...

Page 23: ...at the traffic destined for the gateway from the hosts is sent to the attacker instead As a result the hosts cannot access the external network To prevent such gateway spoofing attacks you can enable...

Page 24: ...corresponding MAC entries in time Configuration procedure The following conditions apply to the gratuitous ARP configuration You can enable periodic sending of gratuitous ARP packets on up to 1024 in...

Page 25: ...is being used by the receiving device the receiving device sends a gratuitous ARP request and it displays an error message after it receives an ARP reply about the conflict You can use this command to...

Page 26: ...common proxy ARP You can enable common proxy ARP in VLAN interface view Layer 3 Ethernet interface view and Layer 3 Ethernet subinterface view To enable common proxy ARP Step Command Remarks 1 Enter s...

Page 27: ...A and Host D have the same prefix and mask but they are located on different subnets No default gateway is configured on Host A and Host D Configure common proxy ARP on the router to enable communica...

Page 28: ...ter interface ethernet 1 1 Router Ethernet1 1 ip address 192 168 20 99 255 255 255 0 Enable common proxy ARP on interface Ethernet 1 1 Router Ethernet1 1 proxy arp enable Router Ethernet1 1 quit After...

Page 29: ...ching the entry is received the entry becomes valid and its aging timer restarts If the aging timer of an ARP entry expires the entry is removed If the ARP snooping device receives an ARP packet that...

Page 30: ...splay ARP snooping entries MSR 5600 display arp snooping vlan vlan id slot slot number count display arp snooping ip ip address slot slot number Remove ARP snooping entries reset arp snooping ip ip ad...

Page 31: ...al ARP packet If not it processes the packet in the following steps 1 Search the DHCP snooping table for a match 2 If a match is found and the interface of the entry is the Ethernet interface that rec...

Page 32: ...ing example Client 200 has obtained an IP address through DHCP With ARP fast reply enabled the AC upon receiving an ARP request from Client 1 directly returns an ARP reply without broadcasting the ARP...

Page 33: ...18 AC vlan1 quit...

Page 34: ...ddress classes Each IP address breaks down into the following sections Net ID Identifies a network The first several bits of a net ID known as the class field or class bits identify the class of the I...

Page 35: ...the boundary between the host ID and the combination of net ID and subnet ID Each subnet mask comprises 32 bits that correspond to the bits in an IP address In a subnet mask consecutive ones represent...

Page 36: ...ses to an interface that obtains an IP address through BOOTP DHCP PPP address negotiation or IP unnumbered The primary and secondary IP addresses you assign to the interface can be located on the same...

Page 37: ...cedure To configure IP unnumbered on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Specify the interface...

Page 38: ...24 and set the secondary IP address of the router as the gateway address of the PCs on subnet 172 16 2 0 24 Figure 8 Network diagram Configuration procedure Assign a primary IP address and a secondar...

Page 39: ...bytes from 172 16 2 2 icmp_seq 1 ttl 255 time 7 000 ms 56 bytes from 172 16 2 2 icmp_seq 2 ttl 255 time 1 000 ms 56 bytes from 172 16 2 2 icmp_seq 3 ttl 255 time 2 000 ms 56 bytes from 172 16 2 2 icm...

Page 40: ...the outgoing interface RouterA ip route static 172 16 20 0 255 255 255 0 serial 2 1 2 Configure Router B Assign a primary IP address to Ethernet 1 1 RouterB system view RouterB interface ethernet 1 1...

Page 41: ...1 ttl 254 time 0 000 ms 56 bytes from 172 16 20 2 icmp_seq 2 ttl 254 time 1 000 ms 56 bytes from 172 16 20 2 icmp_seq 3 ttl 254 time 1 000 ms 56 bytes from 172 16 20 2 icmp_seq 4 ttl 254 time 2 000 m...

Page 42: ...nformation about the DHCP relay agent see Configuring the DHCP relay agent Figure 10 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following allocation mec...

Page 43: ...asts a gratuitous ARP packet to verify whether the IP address assigned by the server is already in use If the client receives no response within the specified time the client uses the assigned IP addr...

Page 44: ...ent a reply back by unicast If this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use ciaddr Client IP address if the cl...

Page 45: ...spond to the parameters requested by the client Option 60 Vendor class identifier option It is used by a DHCP client to identify its vendor and by a DHCP server to distinguish DHCP clients by vendor c...

Page 46: ...at indicates the number of PXE servers contained in the sub option and server IP addresses as shown in Figure 15 Figure 15 PXE server address sub option value field Relay agent option Option 82 Option...

Page 47: ...on 184 has the following sub options Sub option 1 Specifies the IP address of the primary network calling processor which serves as the network calling control source and provides program download ser...

Page 48: ...s or ID of a client to an IP address in a DHCP address pool When the client requests an IP address the DHCP server assigns the IP address in the static binding to the client Dynamic address allocation...

Page 49: ...receiving interface has no address pool applied the DHCP server selects an address pool in the following way If the client and the server reside on the same subnet the DHCP server matches the IP addre...

Page 50: ...ion If no IP address is assignable the server does not respond NOTE If a client moves to another subnet the DHCP server selects an IP address in the address pool matching the new subnet instead of ass...

Page 51: ...pool but you cannot configure both Specifying a primary subnet and multiple address ranges for a DHCP address pool Some scenarios need to classify DHCP clients in the same subnet into different addres...

Page 52: ...t To specify address ranges for multiple DHCP user classes repeat this step 9 Optional Specify the address lease duration expired day day hour hour minute minute second second unlimited The default se...

Page 53: ...tion takes effect You can specify a maximum of 32 secondary subnets in each address pool IP addresses specified by the forbidden ip command are not assignable in the current address pool but are assig...

Page 54: ...erface Otherwise an IP address conflict occurs and the bound client cannot obtain an IP address correctly To configure static bindings for DHCP clients that reside on the same device and use the same...

Page 55: ...or the client You can specify a domain name suffix in a DHCP address pool on the DHCP server With this suffix assigned the client only needs to input part of a domain name and the system adds the doma...

Page 56: ...sponse it broadcasts the destination name to get the destination IP address To configure WINS servers and NetBIOS node type in a DHCP address pool Step Command Remarks 1 Enter system view system view...

Page 57: ...meters it performs system initialization without loading any configuration file To configure the IP address of the TFTP server and the boot file name in a DHCP address pool Step Command Remarks 1 Ente...

Page 58: ...ured 6 Optional Specify the failover IP address and dialer string voice config fail over ip address dialer string By default no failover IP address or dialer string is specified Configuring self defin...

Page 59: ...e Option netbios type hex 66 TFTP server name tftp server ascii 67 Boot file name bootfile name ascii 43 Vendor Specific Information N A hex Enabling DHCP You must enable DHCP to validate other DHCP c...

Page 60: ...nterface If the applied address pool does not exist the DHCP server fails to perform dynamic address allocation Configuring IP address conflict detection Before assigning an IP address the DHCP server...

Page 61: ...n the DHCP request is set to 1 To work with DHCP clients that set the broadcast flag to 0 but do not accept unicast responses configure the DHCP server to ignore the broadcast flag and always broadcas...

Page 62: ...equest statically bound addresses To configure the DHCP server to send BOOTP responses in RFC 1048 format Step Command Remarks 1 Enter system view system view N A 2 Enable the DHCP server to send BOOT...

Page 63: ...ol name Display information about DHCP address pools display dhcp server pool pool name Clear information about IP address conflicts reset dhcp server conflict ip ip address Clear information about le...

Page 64: ...dhcp server ip pool 0 Configure a static binding for Router B RouterA dhcp pool 0 static bind ip address 10 1 1 5 25 client identifier 0030 3030 662e 6532 3030 2e30 3030 322d 4574 6865 726e 6574 302f...

Page 65: ...e suffix is aabbcc com the DNS server address is 10 1 1 2 25 and the gateway address is 10 1 1 254 25 and there is no WINS server address Figure 17 Network diagram Configuration procedure 1 Specify IP...

Page 66: ...rifying the configuration After the preceding configuration is complete clients on networks 10 1 1 0 25 and 10 1 1 128 25 can obtain correct IP addresses and other network parameters from Router A You...

Page 67: ...ifying the configuration After the preceding configuration is complete clients matching the DHCP user class can obtain IP addresses in the specified range and network configuration parameters from DHC...

Page 68: ...n IP address on the subnet 10 1 1 0 24 and the PXE server addresses from Router A You can use the display dhcp server ip in use command on the DHCP server to view the IP addresses assigned to the clie...

Page 69: ...other one on the client For example to release the IP address and obtain another one on a Windows XP DHCP client a In Windows environment execute the cmd command to enter the DOS environment b Enter i...

Page 70: ...a private network For more information about MCE see MPLS Configuration Guide Operation The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists...

Page 71: ...ng the response to the client Table 3 Handling strategies of the DHCP relay agent If a DHCP request has Handling strategy The DHCP relay agent Option 82 Drop Drops the message Keep Forwards the messag...

Page 72: ...d to the relay agent cannot obtain correct IP addresses To enable the DHCP relay agent on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interfa...

Page 73: ...ies Step Command Remarks 1 Enter system view system view N A 2 Enable the relay agent to record relay entries dhcp relay client information record By default the relay agent does not record relay entr...

Page 74: ...e number of ARP entries that a Layer 3 interface can learn or MAC addresses that a Layer 2 port can learn You can also configure an interface that has learned the maximum MAC addresses to discard pack...

Page 75: ...de identifier of Option 82 must not contain spaces Otherwise the DHCP relay agent drops the message To configure Option 82 Step Command Remarks 1 Enter system view system view N A 2 Enter interface vi...

Page 76: ...on 82 configuration information on the DHCP relay agent display dhcp relay information interface interface type interface number Display relay entries on the DHCP relay agent display dhcp relay client...

Page 77: ...configuration is complete DHCP clients can obtain IP addresses and other network parameters from the DHCP server through the DHCP relay agent You can use the display dhcp relay statistics command to v...

Page 78: ...ormation circuit id string company001 RouterA Ethernet1 1 dhcp relay information remote id string device001 Troubleshooting DHCP relay agent configuration Symptom DHCP clients cannot obtain configurat...

Page 79: ...le ways The new configuration overwrites the old Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client If the interface obtains an IP address on the same seg...

Page 80: ...e value is the first two characters in the string If the MAC address of a specific interface is used as the client ID the type value is 01 Enabling duplicated address detection DHCP client detects IP...

Page 81: ...r address and static route information The DHCP client IP address resides on network 10 1 1 0 24 The DNS server address is 20 1 1 1 The next hop of the static route to network 20 1 1 0 24 is 10 1 1 2...

Page 82: ...B Configure Ethernet 1 1 to use DHCP for IP address acquisition RouterB system view RouterB interface ethernet 1 1 RouterB Ethernet1 1 ip address dhcp alloc RouterB Ethernet1 1 quit Verifying the conf...

Page 83: ...ation Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Direct 0 0 10 1 1 3 Eth1 1 10 1 1 3 32 Direct 0 0 127 0 0 1 InLoop0 20 1 1 0 24 Static 70 0 10 1 1 2 Eth1 1 10 1 1 255 32 Direct 0 0 10 1 1 3 Et...

Page 84: ...e information see Configuring ARP fast reply ARP detection Uses DHCP snooping entries to filter ARP packets from unauthorized clients For more information see Security Configuration Guide MAC forced f...

Page 85: ...HCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes For more inform...

Page 86: ...Enabling DHCP REQUEST attack protection Optional Configuring DHCP packet rate limit Configuring basic DHCP snooping Follow these guidelines when you configure basic DHCP snooping Specify the ports con...

Page 87: ...pecify the device name For more information about this command see Fundamentals Command Reference If DHCP snooping and QinQ work together or DHCP snooping receives a DHCP packet with two VLAN tags and...

Page 88: ...view N A 2 Specify a file to save DHCP snooping entries dhcp snooping binding database filename filename url url username username password cipher simple key By default no file is specified This comma...

Page 89: ...If not the request is discarded To enable MAC address check Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable MAC...

Page 90: ...ceive DHCP packets dhcp snooping rate limit rate By default incoming DHCP packets are not rate limited You can configure this command only on Layer 2 Ethernet interfaces Displaying and maintaining DHC...

Page 91: ...w DHCP snooping configuration examples Basic DHCP snooping configuration example Network requirements As shown in Figure 27 configure the port Ethernet 1 1 connected to the DHCP server as a trusted po...

Page 92: ...he circuit ID sub option as company001 and for the remote ID sub option as device001 On Ethernet 1 3 configure the padding format as verbose access node identifier as sysname and code type as ascii fo...

Page 93: ...Ethernet1 3 dhcp snooping information circuit id verbose node identifier sysname format ascii Router Ethernet1 3 dhcp snooping information remote id string device001 Verifying the configuration Use t...

Page 94: ...ually used in relatively stable environments In network environments that change frequently DHCP is more suitable Because a DHCP server can interact with a BOOTP client you can use the DHCP server to...

Page 95: ...interface number BOOTP client configuration example Network requirements As shown in Figure 17 Ethernet 1 1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP...

Page 96: ...solution means manually creating mappings between domain names and IP addresses For example you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain na...

Page 97: ...domain name without a dot for example aabbcc the resolver considers the domain name a host name and adds a DNS suffix before performing the query operation If no match is found for the domain names w...

Page 98: ...r receiving a reply from the DNS server the DNS proxy records the IP address to domain name mapping and forwards the reply to the DNS client If no DNS server is designated or no route is available to...

Page 99: ...to the IP address with the dial up interface as the output interface The IP address configured for DNS spoofing is not the actual IP address of the requested domain name so the TTL of the DNS reply is...

Page 100: ...Configuring dynamic domain name resolution To use dynamic domain name resolution configure DNS servers so that DNS queries can be sent to a correct server for resolution A DNS server manually configu...

Page 101: ...P address is specified 3 Optional Configure a DNS suffix dns domain domain name vpn instance vpn instance name By default no DNS suffix is configured and only the provided domain name is resolved Conf...

Page 102: ...Pv4 addresses for the public network or each VPN You can specify DNS server IPv6 addresses for the public network and up to 1024 VPNs and specify a maximum of six DNS server IPv6 addresses for the pub...

Page 103: ...S server is specified on the device Follow these guidelines when you configure DNS spoofing You can configure only one replied IPv4 address and one replied IPv6 address for the public network or a VPN...

Page 104: ...he source interface for DNS packets Step Command Remarks 1 Enter system view system view N A 2 Specify the source interface for DNS packets dns source interface interface type interface number vpn ins...

Page 105: ...reset commands in user view Task Command Display the domain name resolution table display dns host ip ipv6 vpn instance vpn instance name Display IPv4 DNS server information display dns server dynamic...

Page 106: ...time 2 000 ms Ping statistics for host com 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 1 000 1 200 2 000 0 400 ms Dynamic domain name resolution configur...

Page 107: ...figuration might vary with DNS servers The following configuration is performed on a PC running Windows Server 2000 a Select Start Programs Administrative Tools DNS The DNS server configuration page a...

Page 108: ...the page that appears enter host name host and IP address 3 1 1 1 e Click Add Host The mapping between the IP address and host name is created Figure 36 Adding a mapping between domain name and IP add...

Page 109: ...from 3 1 1 1 icmp_seq 3 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 4 ttl 255 time 2 000 ms Ping statistics for host 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min...

Page 110: ...roxy DeviceA dns proxy enable 3 Configure the DNS client DeviceB system view Specify the DNS server 2 1 1 2 DeviceB dns server 2 1 1 2 Verifying the configuration Use the ping host com command on Devi...

Page 111: ...ss escape sequence to break 56 bytes from 1 2 icmp_seq 0 hlim 128 time 1 000 ms 56 bytes from 1 2 icmp_seq 1 hlim 128 time 0 000 ms 56 bytes from 1 2 icmp_seq 2 hlim 128 time 1 000 ms 56 bytes from 1...

Page 112: ...on a PC running Windows Server 2003 Make sure that the DNS server supports the IPv6 DNS function so that the server can process IPv6 DNS packets and the interfaces of the DNS server can forward IPv6 p...

Page 113: ...98 Figure 41 Creating a record d On the page that appears select IPv6 Host AAAA as the resource record type...

Page 114: ...99 Figure 42 Selecting the resource record type e Type host name host and IPv6 address 1 1 f Click OK The mapping between the IPv6 address and host name is created...

Page 115: ...host is normal and that the translated destination IP address is 1 1 Device ping ipv6 host Ping6 56 data bytes 3 1 1 1 press escape sequence to break 56 bytes from 1 1 icmp_seq 0 hlim 128 time 1 000...

Page 116: ...e DNS proxy Figure 44 Network diagram Configuration procedure Before performing the following configuration make sure Device A the DNS server and the host are reachable to each other and the IP addres...

Page 117: ...y dns host ip command to verify that the specified domain name is in the cache 2 If the specified domain name does not exist check that the DNS client can communicate with the DNS server 3 If the spec...

Page 118: ...103...

Page 119: ...rnet user typically uses the domain name to access an application layer server such as an HTTP server or an FTP server When its IP address changes the application layer server runs as a DDNS client th...

Page 120: ...dns update system dyndns hostname h myip a DYNDNS http members dyndns org nic update system dyndns hostname h myip a DYNS http www dyns cx postscript php host h ip a ZONEEDIT http dynamic zoneedit com...

Page 121: ...cation does not take effect You are not encouraged to manually change the h and a for your configuration might be incorrect For more information about applying DDNS policies see Applying the DDNS poli...

Page 122: ...he DDNS server into the IPv4 address For more information see Configuring the IPv4 DNS client To apply the DDNS policy to an interface Step Command Remarks 1 Enter system view system view N A 2 Enter...

Page 123: ...ns policy policy name DDNS configuration examples DDNS configuration example with www 3322 org Network requirements As shown in Figure 46 Router is a Web server with the domain name whatever 3322 org...

Page 124: ...s of the DNS server as 1 1 1 1 Router dns server 1 1 1 1 Apply DDNS policy 3322 org to Ethernet 1 1 to enable DDNS update and dynamically update the mapping between domain name whatever 3322 org and t...

Page 125: ...mple nevets Set the DDNS update request interval to 12 minutes Router ddns policy oray cn interval 0 0 12 Router ddns policy oray cn quit Specify the IP address of the DNS server as 1 1 1 1 Router dns...

Page 126: ...sses to its NAT table 3 The external server receives the packet and responds 4 The NAT device receives the reply and performs a NAT table lookup by using the source IP address as the key The device th...

Page 127: ...device Bidirectional NAT is performed on incoming packets on the receiving interface and on outgoing packets on the sending interface Bidirectional NAT is applied when source and destination addresse...

Page 128: ...m the NAT address pool The translation is created when the real host initiates a connection and the translation lasts for the duration of the connection A user might use different IP address for each...

Page 129: ...ckets from any external host to access the internal user by using the NAT address and port which improves communication among hosts that connect to different NAT gateways Address and Port Dependent Ma...

Page 130: ...e source and destination IP addresses of a packet on the interface NAT hairpin can be in P2P or C S mode depending on the scenarios P2P The P2P mode applies to the scenario where users in the internal...

Page 131: ...slation for connections originating from external hosts to the NAT address and port based on the EIM entry An EIM entry ages out after all related NAT session entries age out NO PAT entry A NAT device...

Page 132: ...ng must operate with the NAT Server feature NAT with DNS mapping maps the domain name of the internal server to the public IP address public port number and protocol type of the server NAT Server maps...

Page 133: ...n be implemented by one to one or net to net mapping for outbound and inbound translation Do not configure inbound static NAT separately Typically inbound static NAT works with other NAT translation m...

Page 134: ...nterface that connects the external network When the source IP address of a packet from the private network matches the internal NAT address pool the source IP address is translated into a public addr...

Page 135: ...he interface nat static enable By default static NAT is disabled Configuring inbound net to net static NAT Configure inbound net to net static NAT for translation between a private network and a publi...

Page 136: ...N instance in the ACL rule for packet matching For more information about ACLs see ACL and QoS Configuration Guide Determine whether to enable the Easy IP function If you use the IP address of an inte...

Page 137: ...This command takes effect only on outbound dynamic NAT for PAT Configuring inbound dynamic NAT To implement bidirectional NAT you must use inbound dynamic NAT with outbound dynamic NAT NAT Server or o...

Page 138: ...port number to the real IP address and port number of an internal server on the interface that connects the external network An internal server can be located in a common private network or an MPLS L3...

Page 139: ...esses with a single global port nat server protocol pro type global global address1 global address2 global port vpn instance global name inside local address local port1 local port2 vpn instance local...

Page 140: ...figure a DNS mapping for NAT nat dns map domain domain name protocol pro type interface interface type interface number ip global ip port global port By default no DNS mapping for NAT exists You can c...

Page 141: ...lows is reached the NAT session is logged To enable NAT logging Step Command Remarks 1 Enter system view system view N A 2 Enable NAT logging nat log enable acl acl number By default NAT logging is di...

Page 142: ...nat session source ip source ip destination ip destination ip vpn instance vpn name verbose Display sessions that have been NATed MSR 5600 display nat session source ip source ip destination ip desti...

Page 143: ...bound static NAT mappings IP to IP Local IP 10 110 10 8 Global IP 202 38 1 100 Interfaces enabled with static NAT There are 1 interfaces enabled with static NAT Interface GigabitEthernet1 2 Use the di...

Page 144: ...r nat address group 0 quit Configure ACL 2000 and create a rule to permit packets only from segment 192 168 1 0 24 to pass through Router acl number 2000 Router acl basic 2000 rule permit source 192 1...

Page 145: ...ssion verbose command to display NAT session information generated when Host A accesses the WWW server Router display nat session verbose Initiator Source IP port 192 168 1 10 52992 Destination IP por...

Page 146: ...rnal user configure inbound dynamic NAT with ALG and DNS mapping so that NAT can translate the Web server s address in the payload to a dynamically assigned NAT address The internal host uses the NAT...

Page 147: ...t1 2 nat outbound 2000 address group 2 Router GigabitEthernet1 2 quit Configure a static route to 202 38 1 2 with GigabitEthernet 1 2 as the output interface and 20 2 2 2 as the next hop The next hop...

Page 148: ...stance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Application HTTP Start time 2012 08 15 14 53 29 TTL 3597s Interface in GigabitEthernet1 2 Interface out GigabitEthernet1 1 Initiator Responde...

Page 149: ...1 and port 8080 Router GigabitEthernet1 2 nat server protocol tcp global 202 38 1 1 8080 inside 10 110 10 2 www Configure NAT Server to allow external users to access the SMTP server by using the add...

Page 150: ...ior Mapping mode Address and Port Dependent ACL NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ERROR Enabled Use the display nat session verbose command to display NAT session information generated...

Page 151: ...k diagram Configuration considerations To make sure the external host can access the internal DNS server configure the NAT Server feature to map the internal IP address and port of the DNS server to a...

Page 152: ...GigabitEthernet1 2 quit Verifying the configuration After completing the configurations Host on the external network can access the internal Web server by using the server s domain name Display all N...

Page 153: ...14 53 29 TTL 3597s Interface in GigabitEthernet1 2 Interface out GigabitEthernet1 1 Initiator Responder 7 packets 308 bytes Responder Initiator 5 packets 312 bytes Total sessions found 1 Bidirectiona...

Page 154: ...m the external host arrives at the NAT device the source IP address overlaps with the real address of the Web server Configure inbound dynamic NAT to translate the source IP address to a dynamically a...

Page 155: ...Router GigabitEthernet1 2 quit Configure a static route to 202 38 1 3 with GigabitEthernet 1 2 as the output interface and 20 2 2 2 as the next hop The next hop address varies with network settings Ro...

Page 156: ...8080 VPN instance VLAN ID VLL ID Protocol TCP 6 Responder Source IP port 192 168 1 2 8080 Destination IP port 202 38 1 3 1025 VPN instance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Applicat...

Page 157: ...s Details not shown Configure ACL 2000 and create a rule to permit packets only from segment 192 168 1 0 24 to be translated Router system view Router acl number 2000 Router acl basic 2000 rule permit...

Page 158: ...1 2 21 Local IP port 192 168 1 4 21 NAT logging Log enable Disabled Flow begin Disabled Flow end Disabled Flow active Disabled NAT hairpinning There are 1 interfaces enabled with NAT hairpinning Inter...

Page 159: ...Configure NAT hairpin so that The internal clients can register the same external address to the external server The internal clients can access each other through the IP address and port number obtai...

Page 160: ...ACL 2000 the source address and port number are translated to the same external address and port number Router nat mapping behavior endpoint independent acl 2000 Enable NAT hairpin on interface Gigabi...

Page 161: ...P port 202 38 1 3 1024 VPN instance VLAN ID VLL ID Protocol UDP 17 State UDP_READY Application TFTP Start time 2012 08 15 15 53 36 TTL 46s Interface in GigabitEthernet1 1 Interface out GigabitEthernet...

Page 162: ...NAT on interface GigabitEthernet 1 2 Router interface gigabitethernet 1 2 Router GigabitEthernet1 2 nat static enable Router GigabitEthernet1 2 quit Enable static NAT on interface GigabitEthernet 1 1...

Page 163: ...nder Source IP port 192 168 1 2 42496 Destination IP port 172 16 1 2 0 VPN instance VLAN ID VLL ID vpn2 Protocol ICMP 1 State ICMP_REPLY Application INVALID Start time 2012 08 16 09 30 49 TTL 27s Inte...

Page 164: ...t1 2 nat server protocol tcp global 202 38 1 1 ftp inside server group 0 Router GigabitEthernet1 2 quit Verifying the configuration After completing the configurations external hosts can access the in...

Page 165: ...VPN instance VLAN ID VLL ID Protocol TCP 6 Responder Source IP port 10 110 10 3 21 Destination IP port 202 38 1 25 53957 VPN instance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Application F...

Page 166: ...thernet 1 2 Router interface gigabitethernet 1 2 Configure NAT Server to allow external hosts to access the internal Web server by using the address 202 38 1 2 Router GigabitEthernet1 2 nat server pro...

Page 167: ...al servers Interface GigabitEthernet1 2 Protocol 6 TCP Global IP port 202 38 1 2 21 Local IP port 10 110 10 2 21 Interface GigabitEthernet1 2 Protocol 6 TCP Global IP port 202 38 1 2 80 Local IP port...

Page 168: ...153 H323 Enabled ICMP ERROR Enabled...

Page 169: ...elay F FRR Destination Mask Nexthop Flag OutInterface Token Label 10 2 0 0 16 10 2 1 1 U GE0 1 Null 10 2 1 1 32 127 0 0 1 UH InLoop0 Null 127 0 0 0 8 127 0 0 1 U InLoop0 Null 127 0 0 1 32 127 0 0 1 UH...

Page 170: ...155 Task Command Display FIB entries display fib vpn instance vpn instance name ip address mask mask length...

Page 171: ...aging time of fast forwarding entries ip fast forwarding aging time aging time By default the aging time is 30 seconds Displaying and maintaining fast forwarding Execute display commands in any view a...

Page 172: ...ernet 1 2 RouterC system view RouterC interface ethernet 1 2 RouterC Ethernet1 2 ip address 22 1 1 2 255 0 0 0 RouterC Ethernet1 2 quit Configure a static route RouterC ip route static 11 1 1 0 255 0...

Page 173: ...es 56 Sequence 2 ttl 254 time 1 ms Reply from 22 1 1 2 bytes 56 Sequence 3 ttl 254 time 1 ms Reply from 22 1 1 2 bytes 56 Sequence 4 ttl 254 time 2 ms Reply from 22 1 1 2 bytes 56 Sequence 5 ttl 254 t...

Page 174: ...is used for adjacency table lookup Routing interface Output interface in the matching route entry This interface is used for adjacency table lookup and it can be logical or physical Physical interfac...

Page 175: ...mmand Display IPv6 adjacency table information display ipv6 adjacent table all physical interface interface type interface number routing interface interface type interface number slot slot number cou...

Page 176: ...ask enables an interface to accept directed broadcast packets that are destined for and received from the directly connected network to support UDP helper which converts the directed broadcasts to uni...

Page 177: ...ew RouterB ip route static 1 1 1 1 24 2 2 2 2 Specify an IP address for Ethernet 1 2 RouterB interface ethernet 1 2 RouterB Ethernet1 2 ip address 2 2 2 1 24 Enable Ethernet 1 2 to receive directed br...

Page 178: ...fter the configuration rather than the TCP connections that already exist This configuration is effective only for IP packets If MPLS is enabled on the interface do not configure the TCP MSS on the in...

Page 179: ...th MTU and starts an age timer for the path MTU After the age timer expires the source device uses a larger MSS in the MTU table as described in RFC 1 191 If no ICMP error message is received within t...

Page 180: ...tes the connection If a FIN packet is received TCP changes connection state to TIME_WAIT If a non FIN packet is received TCP restarts the timer and tears down the connection when the timer expires To...

Page 181: ...er protocol of the packet is not supported by the device the device sends a Protocol Unreachable ICMP error packet to the source NOTE If a DHCP enabled device receives an ICMP echo reply without sendi...

Page 182: ...is placed in the bucket To configure rate limit for ICMP error messages Step Command Remarks 1 Enter system view system view N A 2 Set the interval and bucket size for ICMP error messages ip icmp erro...

Page 183: ...lapping fragment attack occurs Buffer overflow attack If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits a buffer overflow attack occurs Configur...

Page 184: ...nd reset commands in user view Task Command Display brief information about RawIP connections MSR 2600 MSR 3600 display rawip Display brief information about RawIP connections MSR 5600 display rawip s...

Page 185: ...al reassembly interface interface type interface number Display TCP traffic statistics MSR 2600 MSR 3600 display tcp statistics Display TCP traffic statistics MSR 5600 display tcp statistics slot slot...

Page 186: ...guidelines when you configure UDP helper By default an interface does not receive directed broadcasts destined for the directly connected network To use UDP helper execute the ip forward broadcast com...

Page 187: ...d broadcast packets with UDP destination port 55 and destination IP address 255 255 255 255 or 10 1 10 255 255 to the destination server 10 2 1 1 16 Figure 66 Network diagram Configuration procedure M...

Page 188: ...guration Display information about UDP packets forwarded by UDP helper on the interface Ethernet 1 1 RouterA Ethernet1 1 display udp helper interface ethernet 1 1 Interface Server address Packets sent...

Page 189: ...ndling and improve forwarding efficiency Although the IPv6 address size is four times the IPv4 address size the basic IPv6 packet header size is only twice the size of the option less IPv4 packet head...

Page 190: ...ages and ICMPv4 Redirect messages and provides a series of other functions Flexible extension headers IPv6 eliminates the Options field in the header and introduces optional extension headers to provi...

Page 191: ...9 lists the mappings between address types and format prefixes Table 6 Mappings between address types and format prefixes Type Format prefix binary IPv6 prefix ID Unicast address Unspecified address...

Page 192: ...erfaces generate EUI 64 address based interface identifiers differently On an IEEE 802 interface such as an Ethernet interface and a VLAN interface The interface identifier is derived from the link la...

Page 193: ...on when certain conditions are met Address resolution This function is similar to ARP in IPv4 An IPv6 node acquires the link layer addresses of neighboring nodes on the same link through NS and NA mes...

Page 194: ...by Host B after receiving the NA message from Host B If receiving no NA message Host A decides that the IPv6 address is not in use and uses this address Router prefix discovery and stateless address a...

Page 195: ...iscovery process 1 The source host sends a packet no larger than its MTU to the destination host 2 If the MTU of a device s output interface is smaller than the packet the device discards the packet a...

Page 196: ...tion between a pure IPv4 node and a pure IPv6 node For more information about NAT PT see Configuring NAT PT 6PE 6PE enables communication between isolated IPv6 networks over an IPv4 backbone network 6...

Page 197: ...ink local address Configuring an IPv6 anycast address Optional Configuring IPv6 ND Configuring a static neighbor entry Setting the maximum number of dynamic neighbor entries Setting the aging timer fo...

Page 198: ...l unicast address on an interface the manually configured one takes effect but it does not overwrite the automatically generated address If you remove the manually configured global unicast address th...

Page 199: ...e RA message and a random interface ID generated through MD5 You can also configure the interface to preferably use the temporary IPv6 address as the source address of sent packets When the valid life...

Page 200: ...one link local address To avoid link local address conflicts use the automatic generation method Manual assignment takes precedence over automatic generation If you first use automatic generation and...

Page 201: ...local address If the interface has no IPv6 global unicast address it has no link local address Configuring an IPv6 anycast address Step Command Remarks 1 Enter system view system view N A 2 Enter inte...

Page 202: ...bor information To prevent an interface from occupying too many neighbor table resources you can set the maximum number of dynamic neighbors that an interface can learn To set the maximum number of dy...

Page 203: ...v6 nd ra hop limit unspecified command the device sets the hop limit value configured by this task in a sent RA message A host receiving the RA message fills the value into the Hop Limit field of sent...

Page 204: ...hbor after the specified reachable time expires the device reconfirms whether the neighbor is reachable Router Preference Specifies the router preference in a RA message A host selects a router as the...

Page 205: ...ify unlimited hops in RA messages ipv6 nd ra hop limit unspecified By default the maximum number of hops in RA messages is 64 6 Set the M flag bit to 1 ipv6 nd autoconfig managed address flag By defau...

Page 206: ...of a host on another network With ND proxy hosts on different broadcast domains can communicate with each other as they would on the same network ND proxy includes common ND proxy and local ND proxy C...

Page 207: ...AN is used the two hosts must belong to different sub VLANs If isolate user VLAN is used the two hosts must belong to different secondary VLANs Configuration procedure You can enable common ND proxy a...

Page 208: ...c path MTU If the packet exceeds the smaller one of the two values the device fragments the packet according to the smaller value After sending the fragmented packets the device dynamically finds the...

Page 209: ...bucket To configure the rate limit for ICMPv6 error messages Step Command Remarks 1 Enter system view system view N A 2 Set the interval and bucket size for ICMPv6 error messages ipv6 icmpv6 error in...

Page 210: ...ck risks To enable sending ICMPv6 destination unreachable messages Step Command Remarks 1 Enter system view system view N A 2 Enable sending ICMPv6 destination unreachable messages ipv6 unreachables e...

Page 211: ...f the loopback interface as the source IPv6 address This feature helps users to locate the sending device easily If you specify an IP address in the ping command ping echo requests use the specified a...

Page 212: ...tics MSR 2600 MSR 3600 display ipv6 statistics Display IPv6 and ICMPv6 statistics MSR 5600 display ipv6 statistics slot slot number Display brief information about IPv6 RawIP connections MSR 2600 MSR...

Page 213: ...interface type interface number static Clear IPv6 neighbor information MSR 5600 reset ipv6 neighbors all dynamic interface interface type interface number slot slot number static Clear path MTUs rese...

Page 214: ...v6 address 3001 2 64 RouterB Ethernet1 1 quit Configure an IPv6 static route to the host RouterB ipv6 route static 2001 64 3001 1 3 Configure the host Enable IPv6 on the host to automatically obtain a...

Page 215: ...horts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds 0 ReasmOKs 0 InFragDrops 0 InFragTimeouts 0 OutFragFails 0 InUnknownProtos 0 InDelivers 47 OutRequests 89 OutForw...

Page 216: ...horts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds 0 ReasmOKs 0 InFragDrops 0 InFragTimeouts 0 OutFragFails 0 InUnknownProtos 0 InDelivers 159 OutRequests 1012 OutF...

Page 217: ...nMcastPkts 28 InMcastNotMembers 0 OutMcastPkts 7 InAddrErrors 0 InDiscards 0 OutDiscards 0 Ping Router A and Router B from the host and ping Router A and the host from Router B to verify that they can...

Page 218: ...hat Router B can ping Router A and the host The host can also ping Router B and Router A output not shown Troubleshooting IPv6 basics configuration Symptom An IPv6 address cannot be pinged Solution 1...

Page 219: ...two messages Assignment involving four messages As shown in Figure 77 four message assignment operates in the following steps 1 The DHCPv6 client sends a Solicit message to request an IPv6 address pre...

Page 220: ...er responds with a Reply message informing the client about whether or not the lease is renewed Figure 79 Using the Rebind message for address prefix lease renewal As shown in Figure 79 if the DHCPv6...

Page 221: ...s an Information request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents The Information request message contains an Option Request option that specifies the requested c...

Page 222: ...6 addresses assigned to the clients include the following types Temporary IPv6 addresses Internally used and frequently changed without lease renewal Non temporary IPv6 addresses Correctly used by DHC...

Page 223: ...sed on link layer address DUID LL defined in RFC 3315 Figure 83 shows the DUID LL format where DUID type The device supports the DUID type of DUID LL with the value of 0x0003 Hardware type The device...

Page 224: ...of the client to an IPv6 prefix in the DHCPv6 address pool When the client requests an IPv6 prefix the DHCPv6 server assigns the IPv6 prefix in the static binding to the client Dynamic prefix allocati...

Page 225: ...duration If no IPv6 address prefix is assignable the server does not respond If a client moves to another subnet the DHCPv6 server selects an IPv6 address prefix from the address pool that matches th...

Page 226: ...ix still can be assigned to the client To exclude multiple IPv6 prefix ranges repeat this step 3 Create a prefix pool ipv6 dhcp prefix pool prefix pool number prefix prefix prefix len assign len assig...

Page 227: ...er cannot assign temporary addresses to clients Configuration guidelines You can specify only one non temporary address range and one temporary address range in an address pool The address ranges spec...

Page 228: ...d lifetime valid lifetime By default no non temporary IPv6 address range is specified and all unicast addresses on the subnet are assignable 6 Optional Specify a temporary IPv6 address range temporary...

Page 229: ...there is no assignable IPv6 address prefix in the address pool the DHCPv6 server cannot to assign an IPv6 address prefix to a client Configure global address assignment on the interface The DHCPv6 se...

Page 230: ...transmission priority of the packet To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCPv6 packets...

Page 231: ...ss pool pool name Clear information about IPv6 prefix bindings reset ipv6 dhcp server pd in use pool pool name prefix prefix prefix len Clear packets statistics on the DHCPv6 server reset ipv6 dhcp se...

Page 232: ...00030001CA0006A40000 preferred lifetime 86400 valid lifetime 259200 Configure the DNS server address as 2 2 3 Router dhcp6 pool 1 dns server 2 2 3 Configure the domain name as aaa com Router dhcp6 po...

Page 233: ...t obtains an IPv6 prefix display the binding information on the DHCPv6 server Router Ethernet1 1 display ipv6 dhcp server pd in use Pool 1 IPv6 prefix Type Lease expiration 2001 410 201 48 Static C Ju...

Page 234: ...outerA ipv6 dhcp server forbidden address 1 2 0 0 2 Create DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients in subnet 1 1 0 0 0 96 RouterA ipv6 dhcp pool 1...

Page 235: ...uration clients in subnets 1 1 0 0 0 96 and 1 2 0 0 0 96 can obtain IPv6 addresses and other configuration parameters from the DHCPv6 server Router A You can use the display ipv6 dhcp server ip in use...

Page 236: ...Rapid Commit option to the multicast address FF02 1 2 of all the DHCPv6 servers and relay agents After receiving the Solicit message the DHCPv6 relay agent encapsulates the message into the Relay Mes...

Page 237: ...igure the DHCPv6 relay agent Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable DHCPv6 relay agent on the interface...

Page 238: ...he DHCPv6 relay agent reset ipv6 dhcp relay statistics interface interface type interface number DHCPv6 relay agent configuration example Network requirements As shown in Figure 88 configure the DHCPv...

Page 239: ...t1 1 undo ipv6 nd ra halt RouterA Ethernet1 1 ipv6 nd autoconfig managed address flag RouterA Ethernet1 1 ipv6 nd autoconfig other flag Verifying the configuration Display DHCPv6 server address inform...

Page 240: ...usted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses DHCPv6 snooping reads DHCP ACK messages received from trusted ports and DHCP...

Page 241: ...6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server The server then assigns IP address to the client based on the client information in Op...

Page 242: ...mat Figure 91 shows the Option 37 fields Option code Option code Option length Size of the option data Enterprise number Enterprise number Port index Port that receives the DHCPv6 request from the cli...

Page 243: ...all ports are untrusted ports after DHCPv6 snooping is enabled 5 Return to system view quit N A 6 Enter interface view interface interface type interface number This interface must connect to the DHC...

Page 244: ...tem view system view N A 2 Specify a file to store DHCPv6 snooping entries ipv6 dhcp snooping binding database filename filename By default no file is specified This command enables the device to imme...

Page 245: ...releasing the IP addresses Attackers can also forge DHCPv6 DECLINE or DHCPv6 RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses The DHCPv6 REQUEST che...

Page 246: ...atistics Display DHCPv6 packet statistics for DHCPv6 snooping MSR 5600 display ipv6 dhcp snooping packet statistics slot slot number Clear DHCPv6 snooping entries reset ipv6 dhcp snooping binding all...

Page 247: ...Enable recording of client information in DHCPv6 snooping entries Router interface Ethernet 1 2 Router Ethernet1 2 ipv6 dhcp snooping binding record Router Ethernet1 2 quit Verifying the configuratio...

Page 248: ...fast forwarding By default IPv6 fast forwarding is enabled 3 Set the aging time of IPv6 fast forwarding entries ipv6 fast forwarding aging time aging time By default the aging time of IPv6 fast forwa...

Page 249: ...address of interface Ethernet 1 2 RouterC system view RouterC interface ethernet 1 2 RouterC Ethernet1 2 ipv6 address 2001 1 64 RouterC Ethernet1 2 quit Configure a static route RouterC ipv6 route st...

Page 250: ...rom 2001 1 bytes 56 Sequence 4 hop limit 64 time 1 ms Reply from 2001 1 bytes 56 Sequence 5 hop limit 64 time 1 ms 2001 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss ro...

Page 251: ...unneling GRE DVPN and IPsec tunneling Traffic engineering such as MPLS TE to prevent network congestion Unless otherwise specified the term tunnel in this document refers to IPv6 over IPv4 IPv4 over I...

Page 252: ...el mode Tunnel source destination address Destination IPv6 address format Manually configured tunnel IPv6 over IPv4 manual tunneling The source and destination IPv4 addresses are manually configured O...

Page 253: ...e interface connected to the IPv4 network The subnet number identifies a subnet in the 6to4 network The subnet number interface ID uniquely identifies a host in the 6to4 network 6to4 tunneling uses an...

Page 254: ...s in the IP header If the packet is destined for the IPv4 host connected to Device B Device A delivers the packet to the tunnel interface c The tunnel interface adds a new IPv4 header to the IPv4 pack...

Page 255: ...ers the packet to the IPv6 protocol stack d The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing table and then sends it out De encapsulation e Upon receiving...

Page 256: ...ally a CPE router that connects end hosts IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR IPv6 packets from the AFTR are de encapsulated into IPv4 packets a...

Page 257: ...ID mapping to obtain the IP address of the B4 router uses the address as the destination address of the encapsulated IPv6 packet and forwards the packet to the B4 router Figure 100 shows an example of...

Page 258: ...l interface adds an IPv6 header to it and submits it to the IPv6 protocol stack d The IPv6 protocol stack forwards the packet according to its destination IPv6 address De encapsulation e Upon receivin...

Page 259: ...moved on an MSR 5600 router the tunnel interfaces configured still exist To delete a tunnel interface use the undo interface tunnel command To configure a tunnel interface Step Command Remarks 1 Enter...

Page 260: ...ual tunnel Follow these guidelines when you configure an IPv6 over IPv4 manual tunnel The tunnel destination address specified on the local device must be identical with the tunnel source address spec...

Page 261: ...eled packets 6 Optional Set the DF bit for tunneled packets tunnel dfbit enable The DF bit is not set for tunneled packets by default 7 Return to system view quit N A 8 Optional Enable dropping of IPv...

Page 262: ...address for Ethernet 1 2 RouterB system view RouterB interface ethernet 1 2 RouterB Ethernet1 2 ip address 192 168 50 1 255 255 255 0 RouterB Ethernet1 2 quit Specify an IPv6 address for Ethernet 1 1...

Page 263: ...le IPv6 tunnel because the destination address of the tunnel is embedded in the destination IPv4 compatible IPv6 address of packets The source addresses of local tunnels of the same tunnel mode cannot...

Page 264: ...auto tunnel Specify an IPv4 compatible IPv6 address for the tunnel interface RouterA Tunnel0 ipv6 address 192 168 100 1 96 Specify Ethernet1 1 as the source interface of the tunnel interface RouterA T...

Page 265: ...namic routing you must configure a static route destined for the destination IPv6 network if the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface You can...

Page 266: ...address of Ethernet 1 2 on Router A is 2 1 1 1 24 and the corresponding 6to4 prefix is 2002 0201 0101 48 Host A must use this prefix The IPv4 address of Ethernet 1 2 on Router B is 5 1 1 1 24 and the...

Page 267: ...erface RouterB interface tunnel 0 mode ipv6 ipv4 6to4 Specify an IPv6 address for the tunnel interface RouterB Tunnel0 ipv6 address 3002 1 64 Specify the source interface as Ethernet1 2 for the tunnel...

Page 268: ...101 48 The next hop of the static route must be an address using this prefix Figure 105 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4 Config...

Page 269: ...as the source interface of the tunnel interface RouterB Tunnel0 source ethernet 1 2 RouterB Tunnel0 quit Configure a static route destined for 2002 16 through the tunnel interface RouterB ipv6 route...

Page 270: ...No IPv6 address is configured for the tunnel interface by default 4 Configure a source address or source interface for the tunnel interface source ip address interface type interface number By default...

Page 271: ...ge advertised by the ISATAP router Router Tunnel0 undo ipv6 nd ra halt Router Tunnel0 quit Configure the ISATAP host Configurations on the ISATAP host vary with the operating systems The following exa...

Page 272: ...al unicast address 2001 5efe 1 1 1 2 The message uses Router Discovery indicates that the router discovery function is enabled on the host Display information about IPv6 routes on the host C ipv6 rt 2...

Page 273: ...ss of the route passing the tunnel interface must not be on the same subnet as the destination address configured on the tunnel interface To configure an IPv4 over IPv4 tunnel Step Command Remarks 1 E...

Page 274: ...rial 2 0 RouterA Serial2 0 ip address 2 1 1 1 255 255 255 0 RouterA Serial2 0 quit Create an IPv4 over IPv4 tunnel interface tunnel 1 RouterA interface tunnel 1 mode ipv4 ipv4 Specify an IPv4 address...

Page 275: ...3 1 from 10 1 1 1 56 data bytes press escape sequence to break 56 bytes from 10 1 3 1 icmp_seq 0 ttl 255 time 2 000 ms 56 bytes from 10 1 3 1 icmp_seq 1 ttl 255 time 1 000 ms 56 bytes from 10 1 3 1 ic...

Page 276: ...pv6 address By default no destination address is configured for the tunnel The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer It is used as the desti...

Page 277: ...Ethernet1 1 quit Specify an IPv6 address for Serial 2 1 which is the physical interface of the tunnel RouterB interface serial 2 1 RouterB Serial2 1 ipv6 address 2002 2 1 64 RouterB Serial2 1 quit Cre...

Page 278: ...network through the tunnel interface You can configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the ne...

Page 279: ...lite enable By default DS Lite tunneling is disabled Only after you use this command the AFTR can tunnel IPv4 packets from the public IPv4 network to the B4 router Configuration example Network requi...

Page 280: ...B Ethernet1 2 ipv6 address 2 2 64 RouterB Ethernet1 2 quit Configure a DS Lite tunnel interface tunnel2 RouterB interface tunnel 2 mode ds lite aftr Configure an IPv4 address for the tunnel interface...

Page 281: ...network through the tunnel interface You can configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the nex...

Page 282: ...Pv4 compatible IPv6 addresses tunnel discard ipv4 compatible packet The default setting is disabled Configuration example Network requirements As shown in Figure 1 10 configure an IPv6 over IPv6 tunne...

Page 283: ...erB interface tunnel 2 mode ipv6 Specify an IPv6 address for the tunnel interface RouterB Tunnel2 ipv6 address 3001 1 2 64 Specify the IP address of Serial 2 1 as the source address for the tunnel int...

Page 284: ...r statistics on tunnel interfaces reset counters interface tunnel number Troubleshooting tunneling configuration Symptom A tunnel interface configured with related parameters such as tunnel source add...

Page 285: ...ource IP address destination IP address source port number destination port number and protocol number This policy takes the first in first out rule Packet based policy Forwards packets in sequence to...

Page 286: ...Configuring an IPv6 over IPv6 tunnel 266 Configuring an ISATAP tunnel 254 Configuring basic DHCP snooping 71 Configuring basic DHCPv6 snooping 228 Configuring DHCP packet rate limit 75 Configuring DH...

Page 287: ...maintaining the DHCPv6 relay agent 223 Displaying and maintaining the DHCPv6 server 215 Displaying and maintaining tunneling configuration 269 Displaying and maintaining UDP helper 172 Displaying DDNS...

Page 288: ...of DHCPv6 snooping entries 230 Setting the maximum number of dynamic ARP entries for a device 4 Setting the maximum number of dynamic ARP entries for an interface 4 Specifying a flow classification p...

Reviews:

No comments

Related manuals for MSR 2600 Series

Brand: IBM Pages: 72

Brand: H3C Pages: 6

OfficeConnect 3CP4144

Brand: 3Com Pages: 4

OfficeConnect 3CP4144

Brand: 3Com Pages: 2

Brand: H3C Pages: 60

Brand: H3C Pages: 149

Brand: 3Com Pages: 27

OfficeConnect 3C19500

Brand: 3Com Pages: 52

ROADRECORDER 8000

Brand: Safety Vision Pages: 40

Brand: LaCie Pages: 22

Brand: EnGenius Pages: 3

Brand: Patton electronics Pages: 12

Brand: Moxa Technologies Pages: 2

Brand: Moxa Technologies Pages: 36

Brand: ADIC Pages: 140

Brand: Tripp Lite Pages: 3

Brand: KYLAND Technology Pages: 24

Brand: Xantech Pages: 6

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands