H3C MSR 2600 Series Скачать руководство пользователя страница 179 | Manualshive

Страница: 179 / 288

background image

164

3.

Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the

TCP connection.

4.

The TCP source device sends subsequent TCP segments that each are smaller than the MSS (MSS
= path MTU – IP header length – TCP header length).

If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the

TCP source device will fragment packets.
An ICMP error message received from a router that does not support RFC 1191 has the MTU of the
outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path

MTU smaller than the current path MTU from the MTU table as described in RFC 1191 to calculate the TCP

MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914,

32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual

minimum MTU is 72 bytes.
After you enable TCP path MTU discovery, all new TCP connections will detect the path MTU. The device

uses the path MTU to calculate the MSS to avoid IP fragmentation.
The path MTU uses the following aging mechanism to make sure that the source device can increase the

path MTU when the minimum link MTU on the path increases.

•

When the TCP source device receives an ICMP error message, it reduces the path MTU and starts
an age timer for the path MTU.

•

After the age timer expires, the source device uses a larger MSS in the MTU table as described in
RFC 1191.

•

If no ICMP error message is received within two minutes, the source device increases the MSS again
until the MSS is as large as the MSS negotiated during TCP three-way handshake.

To enable TCP path MTU discovery:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable TCP path MTU
discovery.

tcp path-mtu-discovery

[

aging

age-time

|

no-aging

]

The default setting is
disabled.

Enabling TCP SYN Cookie

A TCP connection is established through a three-way handshake:

1.

The sender sends a SYN packet to the server.

2.

The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state,
and replies with a SYN ACK packet to the sender.

3.

The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is
established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number
of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server

establishes a large number of TCP semi-connections and can no longer handle normal services.
SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it

responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a
TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.

«
...
177
178
179
180
181
...
»

Содержание MSR 2600 Series

Страница 1: ...H3C MSR Series Routers Layer 3 IP Services Configuration Guide V7 Hangzhou H3C Technologies Co Ltd http www h3c com Software version MSR CMW710 R0007 Document version 6W100 20140320...

Страница 2: ...ne SecPath SecCenter SecBlade Comware ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective...

Страница 3: ...als and configuration such as IP addressing ARP DNS DHCP NAT GRE and tunneling configuration This preface includes Audience Conventions About the H3C MSR documentation set Obtaining documentation Tech...

Страница 4: ...gument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments Symbols Convention Description WARNING An alert that c...

Страница 5: ...ut the product release including the version history hardware and software compatibility matrix version upgrade information technical support information and software upgrading Obtaining documentation...

Страница 6: ...We appreciate your comments...

Страница 7: ...iodic sending of gratuitous ARP packets 8 Configuration procedure 9 Enabling IP conflict notification 10 Configuring proxy ARP 11 Enabling common proxy ARP 11 Enabling local proxy ARP 11 Displaying pr...

Страница 8: ...tion task list 35 Creating a DHCP address pool 36 Specifying IP address ranges for a DHCP address pool 36 Specifying gateways for the client 39 Specifying a domain name suffix for the client 40 Specif...

Страница 9: ...value for DHCP packets sent by the DHCP relay agent 61 Displaying and maintaining the DHCP relay agent 61 DHCP relay agent configuration examples 61 DHCP relay agent configuration example 61 Option 82...

Страница 10: ...uring static domain name resolution 86 Configuring dynamic domain name resolution 87 Configuring the DNS proxy 87 Configuring DNS spoofing 88 Specifying the source interface for DNS packets 88 Configu...

Страница 11: ...with ALG 117 NAT configuration task list 118 Configuring static NAT 118 Configuration prerequisites 118 Configuring outbound one to one static NAT 118 Configuring outbound net to net static NAT 119 C...

Страница 12: ...table 159 Optimizing IP performance 161 Enabling an interface to receive and forward directed broadcasts destined for the directly connected network 161 Configuration procedure 161 Configuration exam...

Страница 13: ...figuring the interface MTU 193 Configuring a static path MTU for a specific IPv6 address 193 Configuring the aging time for dynamic path MTUs 193 Controlling sending ICMPv6 packets 194 Configuring the...

Страница 14: ...d maintaining the DHCPv6 relay agent 223 DHCPv6 relay agent configuration example 223 Network requirements 223 Configuration procedure 223 Verifying the configuration 224 Configuring DHCPv6 snooping 2...

Страница 15: ...nnel 250 6to4 tunnel configuration example 251 6to4 relay configuration example 253 Configuring an ISATAP tunnel 254 Configuration example 255 Configuring an IPv4 over IPv4 tunnel 258 Configuration ex...

Страница 16: ...dress length field is 6 For an IPv4 address the value of the protocol address length field is 4 OP Operation code which describes the type of ARP message Value 1 represents an ARP request and value 2...

Страница 17: ...s into the packet and sends the packet to Host B Figure 2 ARP address resolution process If Host A and Host B are on different subnets Host A sends a packet to Host B as follows 5 Host A broadcasts an...

Страница 18: ...RP entry on the device To communicate with a host by using a fixed IP to MAC mapping through a specific interface in a specific VLAN configure a long static ARP entry on the device Configuring a stati...

Страница 19: ...tries until the number of dynamic ARP entries is below the configured value To set the maximum number of dynamic ARP entries for a device Step Command Remarks 1 Enter system view system view N A 2 Set...

Страница 20: ...ARP entries is 20 minutes Enabling dynamic ARP entry check The dynamic ARP entry check function controls whether the device supports dynamic ARP entries containing multicast MAC addresses When dynamic...

Страница 21: ...y for a specific IP address MSR 2600 MSR 3600 display arp ip address verbose Display the ARP entry for a specific IP address MSR 5600 display arp ip address slot slot number verbose Display the ARP en...

Страница 22: ...interface vlan interface 10 Switch vlan interface10 ip address 192 168 1 2 8 Switch vlan interface10 quit Configure a static ARP entry that has IP address 192 168 1 1 MAC address 00e0 fc01 0000 and o...

Страница 23: ...at the traffic destined for the gateway from the hosts is sent to the attacker instead As a result the hosts cannot access the external network To prevent such gateway spoofing attacks you can enable...

Страница 24: ...corresponding MAC entries in time Configuration procedure The following conditions apply to the gratuitous ARP configuration You can enable periodic sending of gratuitous ARP packets on up to 1024 in...

Страница 25: ...is being used by the receiving device the receiving device sends a gratuitous ARP request and it displays an error message after it receives an ARP reply about the conflict You can use this command to...

Страница 26: ...common proxy ARP You can enable common proxy ARP in VLAN interface view Layer 3 Ethernet interface view and Layer 3 Ethernet subinterface view To enable common proxy ARP Step Command Remarks 1 Enter s...

Страница 27: ...A and Host D have the same prefix and mask but they are located on different subnets No default gateway is configured on Host A and Host D Configure common proxy ARP on the router to enable communica...

Страница 28: ...ter interface ethernet 1 1 Router Ethernet1 1 ip address 192 168 20 99 255 255 255 0 Enable common proxy ARP on interface Ethernet 1 1 Router Ethernet1 1 proxy arp enable Router Ethernet1 1 quit After...

Страница 29: ...ching the entry is received the entry becomes valid and its aging timer restarts If the aging timer of an ARP entry expires the entry is removed If the ARP snooping device receives an ARP packet that...

Страница 30: ...splay ARP snooping entries MSR 5600 display arp snooping vlan vlan id slot slot number count display arp snooping ip ip address slot slot number Remove ARP snooping entries reset arp snooping ip ip ad...

Страница 31: ...al ARP packet If not it processes the packet in the following steps 1 Search the DHCP snooping table for a match 2 If a match is found and the interface of the entry is the Ethernet interface that rec...

Страница 32: ...ing example Client 200 has obtained an IP address through DHCP With ARP fast reply enabled the AC upon receiving an ARP request from Client 1 directly returns an ARP reply without broadcasting the ARP...

Страница 33: ...18 AC vlan1 quit...

Страница 34: ...ddress classes Each IP address breaks down into the following sections Net ID Identifies a network The first several bits of a net ID known as the class field or class bits identify the class of the I...

Страница 35: ...the boundary between the host ID and the combination of net ID and subnet ID Each subnet mask comprises 32 bits that correspond to the bits in an IP address In a subnet mask consecutive ones represent...

Страница 36: ...ses to an interface that obtains an IP address through BOOTP DHCP PPP address negotiation or IP unnumbered The primary and secondary IP addresses you assign to the interface can be located on the same...

Страница 37: ...cedure To configure IP unnumbered on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Specify the interface...

Страница 38: ...24 and set the secondary IP address of the router as the gateway address of the PCs on subnet 172 16 2 0 24 Figure 8 Network diagram Configuration procedure Assign a primary IP address and a secondar...

Страница 39: ...bytes from 172 16 2 2 icmp_seq 1 ttl 255 time 7 000 ms 56 bytes from 172 16 2 2 icmp_seq 2 ttl 255 time 1 000 ms 56 bytes from 172 16 2 2 icmp_seq 3 ttl 255 time 2 000 ms 56 bytes from 172 16 2 2 icm...

Страница 40: ...the outgoing interface RouterA ip route static 172 16 20 0 255 255 255 0 serial 2 1 2 Configure Router B Assign a primary IP address to Ethernet 1 1 RouterB system view RouterB interface ethernet 1 1...

Страница 41: ...1 ttl 254 time 0 000 ms 56 bytes from 172 16 20 2 icmp_seq 2 ttl 254 time 1 000 ms 56 bytes from 172 16 20 2 icmp_seq 3 ttl 254 time 1 000 ms 56 bytes from 172 16 20 2 icmp_seq 4 ttl 254 time 2 000 m...

Страница 42: ...nformation about the DHCP relay agent see Configuring the DHCP relay agent Figure 10 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following allocation mec...

Страница 43: ...asts a gratuitous ARP packet to verify whether the IP address assigned by the server is already in use If the client receives no response within the specified time the client uses the assigned IP addr...

Страница 44: ...ent a reply back by unicast If this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use ciaddr Client IP address if the cl...

Страница 45: ...spond to the parameters requested by the client Option 60 Vendor class identifier option It is used by a DHCP client to identify its vendor and by a DHCP server to distinguish DHCP clients by vendor c...

Страница 46: ...at indicates the number of PXE servers contained in the sub option and server IP addresses as shown in Figure 15 Figure 15 PXE server address sub option value field Relay agent option Option 82 Option...

Страница 47: ...on 184 has the following sub options Sub option 1 Specifies the IP address of the primary network calling processor which serves as the network calling control source and provides program download ser...

Страница 48: ...s or ID of a client to an IP address in a DHCP address pool When the client requests an IP address the DHCP server assigns the IP address in the static binding to the client Dynamic address allocation...

Страница 49: ...receiving interface has no address pool applied the DHCP server selects an address pool in the following way If the client and the server reside on the same subnet the DHCP server matches the IP addre...

Страница 50: ...ion If no IP address is assignable the server does not respond NOTE If a client moves to another subnet the DHCP server selects an IP address in the address pool matching the new subnet instead of ass...

Страница 51: ...pool but you cannot configure both Specifying a primary subnet and multiple address ranges for a DHCP address pool Some scenarios need to classify DHCP clients in the same subnet into different addres...

Страница 52: ...t To specify address ranges for multiple DHCP user classes repeat this step 9 Optional Specify the address lease duration expired day day hour hour minute minute second second unlimited The default se...

Страница 53: ...tion takes effect You can specify a maximum of 32 secondary subnets in each address pool IP addresses specified by the forbidden ip command are not assignable in the current address pool but are assig...

Страница 54: ...erface Otherwise an IP address conflict occurs and the bound client cannot obtain an IP address correctly To configure static bindings for DHCP clients that reside on the same device and use the same...

Страница 55: ...or the client You can specify a domain name suffix in a DHCP address pool on the DHCP server With this suffix assigned the client only needs to input part of a domain name and the system adds the doma...

Страница 56: ...sponse it broadcasts the destination name to get the destination IP address To configure WINS servers and NetBIOS node type in a DHCP address pool Step Command Remarks 1 Enter system view system view...

Страница 57: ...meters it performs system initialization without loading any configuration file To configure the IP address of the TFTP server and the boot file name in a DHCP address pool Step Command Remarks 1 Ente...

Страница 58: ...ured 6 Optional Specify the failover IP address and dialer string voice config fail over ip address dialer string By default no failover IP address or dialer string is specified Configuring self defin...

Страница 59: ...e Option netbios type hex 66 TFTP server name tftp server ascii 67 Boot file name bootfile name ascii 43 Vendor Specific Information N A hex Enabling DHCP You must enable DHCP to validate other DHCP c...

Страница 60: ...nterface If the applied address pool does not exist the DHCP server fails to perform dynamic address allocation Configuring IP address conflict detection Before assigning an IP address the DHCP server...

Страница 61: ...n the DHCP request is set to 1 To work with DHCP clients that set the broadcast flag to 0 but do not accept unicast responses configure the DHCP server to ignore the broadcast flag and always broadcas...

Страница 62: ...equest statically bound addresses To configure the DHCP server to send BOOTP responses in RFC 1048 format Step Command Remarks 1 Enter system view system view N A 2 Enable the DHCP server to send BOOT...

Страница 63: ...ol name Display information about DHCP address pools display dhcp server pool pool name Clear information about IP address conflicts reset dhcp server conflict ip ip address Clear information about le...

Страница 64: ...dhcp server ip pool 0 Configure a static binding for Router B RouterA dhcp pool 0 static bind ip address 10 1 1 5 25 client identifier 0030 3030 662e 6532 3030 2e30 3030 322d 4574 6865 726e 6574 302f...

Страница 65: ...e suffix is aabbcc com the DNS server address is 10 1 1 2 25 and the gateway address is 10 1 1 254 25 and there is no WINS server address Figure 17 Network diagram Configuration procedure 1 Specify IP...

Страница 66: ...rifying the configuration After the preceding configuration is complete clients on networks 10 1 1 0 25 and 10 1 1 128 25 can obtain correct IP addresses and other network parameters from Router A You...

Страница 67: ...ifying the configuration After the preceding configuration is complete clients matching the DHCP user class can obtain IP addresses in the specified range and network configuration parameters from DHC...

Страница 68: ...n IP address on the subnet 10 1 1 0 24 and the PXE server addresses from Router A You can use the display dhcp server ip in use command on the DHCP server to view the IP addresses assigned to the clie...

Страница 69: ...other one on the client For example to release the IP address and obtain another one on a Windows XP DHCP client a In Windows environment execute the cmd command to enter the DOS environment b Enter i...

Страница 70: ...a private network For more information about MCE see MPLS Configuration Guide Operation The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists...

Страница 71: ...ng the response to the client Table 3 Handling strategies of the DHCP relay agent If a DHCP request has Handling strategy The DHCP relay agent Option 82 Drop Drops the message Keep Forwards the messag...

Страница 72: ...d to the relay agent cannot obtain correct IP addresses To enable the DHCP relay agent on an interface Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interfa...

Страница 73: ...ies Step Command Remarks 1 Enter system view system view N A 2 Enable the relay agent to record relay entries dhcp relay client information record By default the relay agent does not record relay entr...

Страница 74: ...e number of ARP entries that a Layer 3 interface can learn or MAC addresses that a Layer 2 port can learn You can also configure an interface that has learned the maximum MAC addresses to discard pack...

Страница 75: ...de identifier of Option 82 must not contain spaces Otherwise the DHCP relay agent drops the message To configure Option 82 Step Command Remarks 1 Enter system view system view N A 2 Enter interface vi...

Страница 76: ...on 82 configuration information on the DHCP relay agent display dhcp relay information interface interface type interface number Display relay entries on the DHCP relay agent display dhcp relay client...

Страница 77: ...configuration is complete DHCP clients can obtain IP addresses and other network parameters from the DHCP server through the DHCP relay agent You can use the display dhcp relay statistics command to v...

Страница 78: ...ormation circuit id string company001 RouterA Ethernet1 1 dhcp relay information remote id string device001 Troubleshooting DHCP relay agent configuration Symptom DHCP clients cannot obtain configurat...

Страница 79: ...le ways The new configuration overwrites the old Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client If the interface obtains an IP address on the same seg...

Страница 80: ...e value is the first two characters in the string If the MAC address of a specific interface is used as the client ID the type value is 01 Enabling duplicated address detection DHCP client detects IP...

Страница 81: ...r address and static route information The DHCP client IP address resides on network 10 1 1 0 24 The DNS server address is 20 1 1 1 The next hop of the static route to network 20 1 1 0 24 is 10 1 1 2...

Страница 82: ...B Configure Ethernet 1 1 to use DHCP for IP address acquisition RouterB system view RouterB interface ethernet 1 1 RouterB Ethernet1 1 ip address dhcp alloc RouterB Ethernet1 1 quit Verifying the conf...

Страница 83: ...ation Mask Proto Pre Cost NextHop Interface 10 1 1 0 24 Direct 0 0 10 1 1 3 Eth1 1 10 1 1 3 32 Direct 0 0 127 0 0 1 InLoop0 20 1 1 0 24 Static 70 0 10 1 1 2 Eth1 1 10 1 1 255 32 Direct 0 0 10 1 1 3 Et...

Страница 84: ...e information see Configuring ARP fast reply ARP detection Uses DHCP snooping entries to filter ARP packets from unauthorized clients For more information see Security Configuration Guide MAC forced f...

Страница 85: ...HCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes For more inform...

Страница 86: ...Enabling DHCP REQUEST attack protection Optional Configuring DHCP packet rate limit Configuring basic DHCP snooping Follow these guidelines when you configure basic DHCP snooping Specify the ports con...

Страница 87: ...pecify the device name For more information about this command see Fundamentals Command Reference If DHCP snooping and QinQ work together or DHCP snooping receives a DHCP packet with two VLAN tags and...

Страница 88: ...view N A 2 Specify a file to save DHCP snooping entries dhcp snooping binding database filename filename url url username username password cipher simple key By default no file is specified This comma...

Страница 89: ...If not the request is discarded To enable MAC address check Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable MAC...

Страница 90: ...ceive DHCP packets dhcp snooping rate limit rate By default incoming DHCP packets are not rate limited You can configure this command only on Layer 2 Ethernet interfaces Displaying and maintaining DHC...

Страница 91: ...w DHCP snooping configuration examples Basic DHCP snooping configuration example Network requirements As shown in Figure 27 configure the port Ethernet 1 1 connected to the DHCP server as a trusted po...

Страница 92: ...he circuit ID sub option as company001 and for the remote ID sub option as device001 On Ethernet 1 3 configure the padding format as verbose access node identifier as sysname and code type as ascii fo...

Страница 93: ...Ethernet1 3 dhcp snooping information circuit id verbose node identifier sysname format ascii Router Ethernet1 3 dhcp snooping information remote id string device001 Verifying the configuration Use t...

Страница 94: ...ually used in relatively stable environments In network environments that change frequently DHCP is more suitable Because a DHCP server can interact with a BOOTP client you can use the DHCP server to...

Страница 95: ...interface number BOOTP client configuration example Network requirements As shown in Figure 17 Ethernet 1 1 of Router B connects to the LAN to obtain an IP address from the DHCP server by using BOOTP...

Страница 96: ...solution means manually creating mappings between domain names and IP addresses For example you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain na...

Страница 97: ...domain name without a dot for example aabbcc the resolver considers the domain name a host name and adds a DNS suffix before performing the query operation If no match is found for the domain names w...

Страница 98: ...r receiving a reply from the DNS server the DNS proxy records the IP address to domain name mapping and forwards the reply to the DNS client If no DNS server is designated or no route is available to...

Страница 99: ...to the IP address with the dial up interface as the output interface The IP address configured for DNS spoofing is not the actual IP address of the requested domain name so the TTL of the DNS reply is...

Страница 100: ...Configuring dynamic domain name resolution To use dynamic domain name resolution configure DNS servers so that DNS queries can be sent to a correct server for resolution A DNS server manually configu...

Страница 101: ...P address is specified 3 Optional Configure a DNS suffix dns domain domain name vpn instance vpn instance name By default no DNS suffix is configured and only the provided domain name is resolved Conf...

Страница 102: ...Pv4 addresses for the public network or each VPN You can specify DNS server IPv6 addresses for the public network and up to 1024 VPNs and specify a maximum of six DNS server IPv6 addresses for the pub...

Страница 103: ...S server is specified on the device Follow these guidelines when you configure DNS spoofing You can configure only one replied IPv4 address and one replied IPv6 address for the public network or a VPN...

Страница 104: ...he source interface for DNS packets Step Command Remarks 1 Enter system view system view N A 2 Specify the source interface for DNS packets dns source interface interface type interface number vpn ins...

Страница 105: ...reset commands in user view Task Command Display the domain name resolution table display dns host ip ipv6 vpn instance vpn instance name Display IPv4 DNS server information display dns server dynamic...

Страница 106: ...time 2 000 ms Ping statistics for host com 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min avg max std dev 1 000 1 200 2 000 0 400 ms Dynamic domain name resolution configur...

Страница 107: ...figuration might vary with DNS servers The following configuration is performed on a PC running Windows Server 2000 a Select Start Programs Administrative Tools DNS The DNS server configuration page a...

Страница 108: ...the page that appears enter host name host and IP address 3 1 1 1 e Click Add Host The mapping between the IP address and host name is created Figure 36 Adding a mapping between domain name and IP add...

Страница 109: ...from 3 1 1 1 icmp_seq 3 ttl 255 time 1 000 ms 56 bytes from 3 1 1 1 icmp_seq 4 ttl 255 time 2 000 ms Ping statistics for host 5 packet s transmitted 5 packet s received 0 0 packet loss round trip min...

Страница 110: ...roxy DeviceA dns proxy enable 3 Configure the DNS client DeviceB system view Specify the DNS server 2 1 1 2 DeviceB dns server 2 1 1 2 Verifying the configuration Use the ping host com command on Devi...

Страница 111: ...ss escape sequence to break 56 bytes from 1 2 icmp_seq 0 hlim 128 time 1 000 ms 56 bytes from 1 2 icmp_seq 1 hlim 128 time 0 000 ms 56 bytes from 1 2 icmp_seq 2 hlim 128 time 1 000 ms 56 bytes from 1...

Страница 112: ...on a PC running Windows Server 2003 Make sure that the DNS server supports the IPv6 DNS function so that the server can process IPv6 DNS packets and the interfaces of the DNS server can forward IPv6 p...

Страница 113: ...98 Figure 41 Creating a record d On the page that appears select IPv6 Host AAAA as the resource record type...

Страница 114: ...99 Figure 42 Selecting the resource record type e Type host name host and IPv6 address 1 1 f Click OK The mapping between the IPv6 address and host name is created...

Страница 115: ...host is normal and that the translated destination IP address is 1 1 Device ping ipv6 host Ping6 56 data bytes 3 1 1 1 press escape sequence to break 56 bytes from 1 1 icmp_seq 0 hlim 128 time 1 000...

Страница 116: ...e DNS proxy Figure 44 Network diagram Configuration procedure Before performing the following configuration make sure Device A the DNS server and the host are reachable to each other and the IP addres...

Страница 117: ...y dns host ip command to verify that the specified domain name is in the cache 2 If the specified domain name does not exist check that the DNS client can communicate with the DNS server 3 If the spec...

Страница 118: ...103...

Страница 119: ...rnet user typically uses the domain name to access an application layer server such as an HTTP server or an FTP server When its IP address changes the application layer server runs as a DDNS client th...

Страница 120: ...dns update system dyndns hostname h myip a DYNDNS http members dyndns org nic update system dyndns hostname h myip a DYNS http www dyns cx postscript php host h ip a ZONEEDIT http dynamic zoneedit com...

Страница 121: ...cation does not take effect You are not encouraged to manually change the h and a for your configuration might be incorrect For more information about applying DDNS policies see Applying the DDNS poli...

Страница 122: ...he DDNS server into the IPv4 address For more information see Configuring the IPv4 DNS client To apply the DDNS policy to an interface Step Command Remarks 1 Enter system view system view N A 2 Enter...

Страница 123: ...ns policy policy name DDNS configuration examples DDNS configuration example with www 3322 org Network requirements As shown in Figure 46 Router is a Web server with the domain name whatever 3322 org...

Страница 124: ...s of the DNS server as 1 1 1 1 Router dns server 1 1 1 1 Apply DDNS policy 3322 org to Ethernet 1 1 to enable DDNS update and dynamically update the mapping between domain name whatever 3322 org and t...

Страница 125: ...mple nevets Set the DDNS update request interval to 12 minutes Router ddns policy oray cn interval 0 0 12 Router ddns policy oray cn quit Specify the IP address of the DNS server as 1 1 1 1 Router dns...

Страница 126: ...sses to its NAT table 3 The external server receives the packet and responds 4 The NAT device receives the reply and performs a NAT table lookup by using the source IP address as the key The device th...

Страница 127: ...device Bidirectional NAT is performed on incoming packets on the receiving interface and on outgoing packets on the sending interface Bidirectional NAT is applied when source and destination addresse...

Страница 128: ...m the NAT address pool The translation is created when the real host initiates a connection and the translation lasts for the duration of the connection A user might use different IP address for each...

Страница 129: ...ckets from any external host to access the internal user by using the NAT address and port which improves communication among hosts that connect to different NAT gateways Address and Port Dependent Ma...

Страница 130: ...e source and destination IP addresses of a packet on the interface NAT hairpin can be in P2P or C S mode depending on the scenarios P2P The P2P mode applies to the scenario where users in the internal...

Страница 131: ...slation for connections originating from external hosts to the NAT address and port based on the EIM entry An EIM entry ages out after all related NAT session entries age out NO PAT entry A NAT device...

Страница 132: ...ng must operate with the NAT Server feature NAT with DNS mapping maps the domain name of the internal server to the public IP address public port number and protocol type of the server NAT Server maps...

Страница 133: ...n be implemented by one to one or net to net mapping for outbound and inbound translation Do not configure inbound static NAT separately Typically inbound static NAT works with other NAT translation m...

Страница 134: ...nterface that connects the external network When the source IP address of a packet from the private network matches the internal NAT address pool the source IP address is translated into a public addr...

Страница 135: ...he interface nat static enable By default static NAT is disabled Configuring inbound net to net static NAT Configure inbound net to net static NAT for translation between a private network and a publi...

Страница 136: ...N instance in the ACL rule for packet matching For more information about ACLs see ACL and QoS Configuration Guide Determine whether to enable the Easy IP function If you use the IP address of an inte...

Страница 137: ...This command takes effect only on outbound dynamic NAT for PAT Configuring inbound dynamic NAT To implement bidirectional NAT you must use inbound dynamic NAT with outbound dynamic NAT NAT Server or o...

Страница 138: ...port number to the real IP address and port number of an internal server on the interface that connects the external network An internal server can be located in a common private network or an MPLS L3...

Страница 139: ...esses with a single global port nat server protocol pro type global global address1 global address2 global port vpn instance global name inside local address local port1 local port2 vpn instance local...

Страница 140: ...figure a DNS mapping for NAT nat dns map domain domain name protocol pro type interface interface type interface number ip global ip port global port By default no DNS mapping for NAT exists You can c...

Страница 141: ...lows is reached the NAT session is logged To enable NAT logging Step Command Remarks 1 Enter system view system view N A 2 Enable NAT logging nat log enable acl acl number By default NAT logging is di...

Страница 142: ...nat session source ip source ip destination ip destination ip vpn instance vpn name verbose Display sessions that have been NATed MSR 5600 display nat session source ip source ip destination ip desti...

Страница 143: ...bound static NAT mappings IP to IP Local IP 10 110 10 8 Global IP 202 38 1 100 Interfaces enabled with static NAT There are 1 interfaces enabled with static NAT Interface GigabitEthernet1 2 Use the di...

Страница 144: ...r nat address group 0 quit Configure ACL 2000 and create a rule to permit packets only from segment 192 168 1 0 24 to pass through Router acl number 2000 Router acl basic 2000 rule permit source 192 1...

Страница 145: ...ssion verbose command to display NAT session information generated when Host A accesses the WWW server Router display nat session verbose Initiator Source IP port 192 168 1 10 52992 Destination IP por...

Страница 146: ...rnal user configure inbound dynamic NAT with ALG and DNS mapping so that NAT can translate the Web server s address in the payload to a dynamically assigned NAT address The internal host uses the NAT...

Страница 147: ...t1 2 nat outbound 2000 address group 2 Router GigabitEthernet1 2 quit Configure a static route to 202 38 1 2 with GigabitEthernet 1 2 as the output interface and 20 2 2 2 as the next hop The next hop...

Страница 148: ...stance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Application HTTP Start time 2012 08 15 14 53 29 TTL 3597s Interface in GigabitEthernet1 2 Interface out GigabitEthernet1 1 Initiator Responde...

Страница 149: ...1 and port 8080 Router GigabitEthernet1 2 nat server protocol tcp global 202 38 1 1 8080 inside 10 110 10 2 www Configure NAT Server to allow external users to access the SMTP server by using the add...

Страница 150: ...ior Mapping mode Address and Port Dependent ACL NAT ALG DNS Enabled FTP Enabled H323 Enabled ICMP ERROR Enabled Use the display nat session verbose command to display NAT session information generated...

Страница 151: ...k diagram Configuration considerations To make sure the external host can access the internal DNS server configure the NAT Server feature to map the internal IP address and port of the DNS server to a...

Страница 152: ...GigabitEthernet1 2 quit Verifying the configuration After completing the configurations Host on the external network can access the internal Web server by using the server s domain name Display all N...

Страница 153: ...14 53 29 TTL 3597s Interface in GigabitEthernet1 2 Interface out GigabitEthernet1 1 Initiator Responder 7 packets 308 bytes Responder Initiator 5 packets 312 bytes Total sessions found 1 Bidirectiona...

Страница 154: ...m the external host arrives at the NAT device the source IP address overlaps with the real address of the Web server Configure inbound dynamic NAT to translate the source IP address to a dynamically a...

Страница 155: ...Router GigabitEthernet1 2 quit Configure a static route to 202 38 1 3 with GigabitEthernet 1 2 as the output interface and 20 2 2 2 as the next hop The next hop address varies with network settings Ro...

Страница 156: ...8080 VPN instance VLAN ID VLL ID Protocol TCP 6 Responder Source IP port 192 168 1 2 8080 Destination IP port 202 38 1 3 1025 VPN instance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Applicat...

Страница 157: ...s Details not shown Configure ACL 2000 and create a rule to permit packets only from segment 192 168 1 0 24 to be translated Router system view Router acl number 2000 Router acl basic 2000 rule permit...

Страница 158: ...1 2 21 Local IP port 192 168 1 4 21 NAT logging Log enable Disabled Flow begin Disabled Flow end Disabled Flow active Disabled NAT hairpinning There are 1 interfaces enabled with NAT hairpinning Inter...

Страница 159: ...Configure NAT hairpin so that The internal clients can register the same external address to the external server The internal clients can access each other through the IP address and port number obtai...

Страница 160: ...ACL 2000 the source address and port number are translated to the same external address and port number Router nat mapping behavior endpoint independent acl 2000 Enable NAT hairpin on interface Gigabi...

Страница 161: ...P port 202 38 1 3 1024 VPN instance VLAN ID VLL ID Protocol UDP 17 State UDP_READY Application TFTP Start time 2012 08 15 15 53 36 TTL 46s Interface in GigabitEthernet1 1 Interface out GigabitEthernet...

Страница 162: ...NAT on interface GigabitEthernet 1 2 Router interface gigabitethernet 1 2 Router GigabitEthernet1 2 nat static enable Router GigabitEthernet1 2 quit Enable static NAT on interface GigabitEthernet 1 1...

Страница 163: ...nder Source IP port 192 168 1 2 42496 Destination IP port 172 16 1 2 0 VPN instance VLAN ID VLL ID vpn2 Protocol ICMP 1 State ICMP_REPLY Application INVALID Start time 2012 08 16 09 30 49 TTL 27s Inte...

Страница 164: ...t1 2 nat server protocol tcp global 202 38 1 1 ftp inside server group 0 Router GigabitEthernet1 2 quit Verifying the configuration After completing the configurations external hosts can access the in...

Страница 165: ...VPN instance VLAN ID VLL ID Protocol TCP 6 Responder Source IP port 10 110 10 3 21 Destination IP port 202 38 1 25 53957 VPN instance VLAN ID VLL ID Protocol TCP 6 State TCP_ESTABLISHED Application F...

Страница 166: ...thernet 1 2 Router interface gigabitethernet 1 2 Configure NAT Server to allow external hosts to access the internal Web server by using the address 202 38 1 2 Router GigabitEthernet1 2 nat server pro...

Страница 167: ...al servers Interface GigabitEthernet1 2 Protocol 6 TCP Global IP port 202 38 1 2 21 Local IP port 10 110 10 2 21 Interface GigabitEthernet1 2 Protocol 6 TCP Global IP port 202 38 1 2 80 Local IP port...

Страница 168: ...153 H323 Enabled ICMP ERROR Enabled...

Страница 169: ...elay F FRR Destination Mask Nexthop Flag OutInterface Token Label 10 2 0 0 16 10 2 1 1 U GE0 1 Null 10 2 1 1 32 127 0 0 1 UH InLoop0 Null 127 0 0 0 8 127 0 0 1 U InLoop0 Null 127 0 0 1 32 127 0 0 1 UH...

Страница 170: ...155 Task Command Display FIB entries display fib vpn instance vpn instance name ip address mask mask length...

Страница 171: ...aging time of fast forwarding entries ip fast forwarding aging time aging time By default the aging time is 30 seconds Displaying and maintaining fast forwarding Execute display commands in any view a...

Страница 172: ...ernet 1 2 RouterC system view RouterC interface ethernet 1 2 RouterC Ethernet1 2 ip address 22 1 1 2 255 0 0 0 RouterC Ethernet1 2 quit Configure a static route RouterC ip route static 11 1 1 0 255 0...

Страница 173: ...es 56 Sequence 2 ttl 254 time 1 ms Reply from 22 1 1 2 bytes 56 Sequence 3 ttl 254 time 1 ms Reply from 22 1 1 2 bytes 56 Sequence 4 ttl 254 time 2 ms Reply from 22 1 1 2 bytes 56 Sequence 5 ttl 254 t...

Страница 174: ...is used for adjacency table lookup Routing interface Output interface in the matching route entry This interface is used for adjacency table lookup and it can be logical or physical Physical interfac...

Страница 175: ...mmand Display IPv6 adjacency table information display ipv6 adjacent table all physical interface interface type interface number routing interface interface type interface number slot slot number cou...

Страница 176: ...ask enables an interface to accept directed broadcast packets that are destined for and received from the directly connected network to support UDP helper which converts the directed broadcasts to uni...

Страница 177: ...ew RouterB ip route static 1 1 1 1 24 2 2 2 2 Specify an IP address for Ethernet 1 2 RouterB interface ethernet 1 2 RouterB Ethernet1 2 ip address 2 2 2 1 24 Enable Ethernet 1 2 to receive directed br...

Страница 178: ...fter the configuration rather than the TCP connections that already exist This configuration is effective only for IP packets If MPLS is enabled on the interface do not configure the TCP MSS on the in...

Страница 179: ...th MTU and starts an age timer for the path MTU After the age timer expires the source device uses a larger MSS in the MTU table as described in RFC 1 191 If no ICMP error message is received within t...

Страница 180: ...tes the connection If a FIN packet is received TCP changes connection state to TIME_WAIT If a non FIN packet is received TCP restarts the timer and tears down the connection when the timer expires To...

Страница 181: ...er protocol of the packet is not supported by the device the device sends a Protocol Unreachable ICMP error packet to the source NOTE If a DHCP enabled device receives an ICMP echo reply without sendi...

Страница 182: ...is placed in the bucket To configure rate limit for ICMP error messages Step Command Remarks 1 Enter system view system view N A 2 Set the interval and bucket size for ICMP error messages ip icmp erro...

Страница 183: ...lapping fragment attack occurs Buffer overflow attack If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits a buffer overflow attack occurs Configur...

Страница 184: ...nd reset commands in user view Task Command Display brief information about RawIP connections MSR 2600 MSR 3600 display rawip Display brief information about RawIP connections MSR 5600 display rawip s...

Страница 185: ...al reassembly interface interface type interface number Display TCP traffic statistics MSR 2600 MSR 3600 display tcp statistics Display TCP traffic statistics MSR 5600 display tcp statistics slot slot...

Страница 186: ...guidelines when you configure UDP helper By default an interface does not receive directed broadcasts destined for the directly connected network To use UDP helper execute the ip forward broadcast com...

Страница 187: ...d broadcast packets with UDP destination port 55 and destination IP address 255 255 255 255 or 10 1 10 255 255 to the destination server 10 2 1 1 16 Figure 66 Network diagram Configuration procedure M...

Страница 188: ...guration Display information about UDP packets forwarded by UDP helper on the interface Ethernet 1 1 RouterA Ethernet1 1 display udp helper interface ethernet 1 1 Interface Server address Packets sent...

Страница 189: ...ndling and improve forwarding efficiency Although the IPv6 address size is four times the IPv4 address size the basic IPv6 packet header size is only twice the size of the option less IPv4 packet head...

Страница 190: ...ages and ICMPv4 Redirect messages and provides a series of other functions Flexible extension headers IPv6 eliminates the Options field in the header and introduces optional extension headers to provi...

Страница 191: ...9 lists the mappings between address types and format prefixes Table 6 Mappings between address types and format prefixes Type Format prefix binary IPv6 prefix ID Unicast address Unspecified address...

Страница 192: ...erfaces generate EUI 64 address based interface identifiers differently On an IEEE 802 interface such as an Ethernet interface and a VLAN interface The interface identifier is derived from the link la...

Страница 193: ...on when certain conditions are met Address resolution This function is similar to ARP in IPv4 An IPv6 node acquires the link layer addresses of neighboring nodes on the same link through NS and NA mes...

Страница 194: ...by Host B after receiving the NA message from Host B If receiving no NA message Host A decides that the IPv6 address is not in use and uses this address Router prefix discovery and stateless address a...

Страница 195: ...iscovery process 1 The source host sends a packet no larger than its MTU to the destination host 2 If the MTU of a device s output interface is smaller than the packet the device discards the packet a...

Страница 196: ...tion between a pure IPv4 node and a pure IPv6 node For more information about NAT PT see Configuring NAT PT 6PE 6PE enables communication between isolated IPv6 networks over an IPv4 backbone network 6...

Страница 197: ...ink local address Configuring an IPv6 anycast address Optional Configuring IPv6 ND Configuring a static neighbor entry Setting the maximum number of dynamic neighbor entries Setting the aging timer fo...

Страница 198: ...l unicast address on an interface the manually configured one takes effect but it does not overwrite the automatically generated address If you remove the manually configured global unicast address th...

Страница 199: ...e RA message and a random interface ID generated through MD5 You can also configure the interface to preferably use the temporary IPv6 address as the source address of sent packets When the valid life...

Страница 200: ...one link local address To avoid link local address conflicts use the automatic generation method Manual assignment takes precedence over automatic generation If you first use automatic generation and...

Страница 201: ...local address If the interface has no IPv6 global unicast address it has no link local address Configuring an IPv6 anycast address Step Command Remarks 1 Enter system view system view N A 2 Enter inte...

Страница 202: ...bor information To prevent an interface from occupying too many neighbor table resources you can set the maximum number of dynamic neighbors that an interface can learn To set the maximum number of dy...

Страница 203: ...v6 nd ra hop limit unspecified command the device sets the hop limit value configured by this task in a sent RA message A host receiving the RA message fills the value into the Hop Limit field of sent...

Страница 204: ...hbor after the specified reachable time expires the device reconfirms whether the neighbor is reachable Router Preference Specifies the router preference in a RA message A host selects a router as the...

Страница 205: ...ify unlimited hops in RA messages ipv6 nd ra hop limit unspecified By default the maximum number of hops in RA messages is 64 6 Set the M flag bit to 1 ipv6 nd autoconfig managed address flag By defau...

Страница 206: ...of a host on another network With ND proxy hosts on different broadcast domains can communicate with each other as they would on the same network ND proxy includes common ND proxy and local ND proxy C...

Страница 207: ...AN is used the two hosts must belong to different sub VLANs If isolate user VLAN is used the two hosts must belong to different secondary VLANs Configuration procedure You can enable common ND proxy a...

Страница 208: ...c path MTU If the packet exceeds the smaller one of the two values the device fragments the packet according to the smaller value After sending the fragmented packets the device dynamically finds the...

Страница 209: ...bucket To configure the rate limit for ICMPv6 error messages Step Command Remarks 1 Enter system view system view N A 2 Set the interval and bucket size for ICMPv6 error messages ipv6 icmpv6 error in...

Страница 210: ...ck risks To enable sending ICMPv6 destination unreachable messages Step Command Remarks 1 Enter system view system view N A 2 Enable sending ICMPv6 destination unreachable messages ipv6 unreachables e...

Страница 211: ...f the loopback interface as the source IPv6 address This feature helps users to locate the sending device easily If you specify an IP address in the ping command ping echo requests use the specified a...

Страница 212: ...tics MSR 2600 MSR 3600 display ipv6 statistics Display IPv6 and ICMPv6 statistics MSR 5600 display ipv6 statistics slot slot number Display brief information about IPv6 RawIP connections MSR 2600 MSR...

Страница 213: ...interface type interface number static Clear IPv6 neighbor information MSR 5600 reset ipv6 neighbors all dynamic interface interface type interface number slot slot number static Clear path MTUs rese...

Страница 214: ...v6 address 3001 2 64 RouterB Ethernet1 1 quit Configure an IPv6 static route to the host RouterB ipv6 route static 2001 64 3001 1 3 Configure the host Enable IPv6 on the host to automatically obtain a...

Страница 215: ...horts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds 0 ReasmOKs 0 InFragDrops 0 InFragTimeouts 0 OutFragFails 0 InUnknownProtos 0 InDelivers 47 OutRequests 89 OutForw...

Страница 216: ...horts 0 InTruncatedPkts 0 InHopLimitExceeds 0 InBadHeaders 0 InBadOptions 0 ReasmReqds 0 ReasmOKs 0 InFragDrops 0 InFragTimeouts 0 OutFragFails 0 InUnknownProtos 0 InDelivers 159 OutRequests 1012 OutF...

Страница 217: ...nMcastPkts 28 InMcastNotMembers 0 OutMcastPkts 7 InAddrErrors 0 InDiscards 0 OutDiscards 0 Ping Router A and Router B from the host and ping Router A and the host from Router B to verify that they can...

Страница 218: ...hat Router B can ping Router A and the host The host can also ping Router B and Router A output not shown Troubleshooting IPv6 basics configuration Symptom An IPv6 address cannot be pinged Solution 1...

Страница 219: ...two messages Assignment involving four messages As shown in Figure 77 four message assignment operates in the following steps 1 The DHCPv6 client sends a Solicit message to request an IPv6 address pre...

Страница 220: ...er responds with a Reply message informing the client about whether or not the lease is renewed Figure 79 Using the Rebind message for address prefix lease renewal As shown in Figure 79 if the DHCPv6...

Страница 221: ...s an Information request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents The Information request message contains an Option Request option that specifies the requested c...

Страница 222: ...6 addresses assigned to the clients include the following types Temporary IPv6 addresses Internally used and frequently changed without lease renewal Non temporary IPv6 addresses Correctly used by DHC...

Страница 223: ...sed on link layer address DUID LL defined in RFC 3315 Figure 83 shows the DUID LL format where DUID type The device supports the DUID type of DUID LL with the value of 0x0003 Hardware type The device...

Страница 224: ...of the client to an IPv6 prefix in the DHCPv6 address pool When the client requests an IPv6 prefix the DHCPv6 server assigns the IPv6 prefix in the static binding to the client Dynamic prefix allocati...

Страница 225: ...duration If no IPv6 address prefix is assignable the server does not respond If a client moves to another subnet the DHCPv6 server selects an IPv6 address prefix from the address pool that matches th...

Страница 226: ...ix still can be assigned to the client To exclude multiple IPv6 prefix ranges repeat this step 3 Create a prefix pool ipv6 dhcp prefix pool prefix pool number prefix prefix prefix len assign len assig...

Страница 227: ...er cannot assign temporary addresses to clients Configuration guidelines You can specify only one non temporary address range and one temporary address range in an address pool The address ranges spec...

Страница 228: ...d lifetime valid lifetime By default no non temporary IPv6 address range is specified and all unicast addresses on the subnet are assignable 6 Optional Specify a temporary IPv6 address range temporary...

Страница 229: ...there is no assignable IPv6 address prefix in the address pool the DHCPv6 server cannot to assign an IPv6 address prefix to a client Configure global address assignment on the interface The DHCPv6 se...

Страница 230: ...transmission priority of the packet To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server Step Command Remarks 1 Enter system view system view N A 2 Set the DSCP value for DHCPv6 packets...

Страница 231: ...ss pool pool name Clear information about IPv6 prefix bindings reset ipv6 dhcp server pd in use pool pool name prefix prefix prefix len Clear packets statistics on the DHCPv6 server reset ipv6 dhcp se...

Страница 232: ...00030001CA0006A40000 preferred lifetime 86400 valid lifetime 259200 Configure the DNS server address as 2 2 3 Router dhcp6 pool 1 dns server 2 2 3 Configure the domain name as aaa com Router dhcp6 po...

Страница 233: ...t obtains an IPv6 prefix display the binding information on the DHCPv6 server Router Ethernet1 1 display ipv6 dhcp server pd in use Pool 1 IPv6 prefix Type Lease expiration 2001 410 201 48 Static C Ju...

Страница 234: ...outerA ipv6 dhcp server forbidden address 1 2 0 0 2 Create DHCPv6 address pool 1 to assign IPv6 addresses and other configuration parameters to clients in subnet 1 1 0 0 0 96 RouterA ipv6 dhcp pool 1...

Страница 235: ...uration clients in subnets 1 1 0 0 0 96 and 1 2 0 0 0 96 can obtain IPv6 addresses and other configuration parameters from the DHCPv6 server Router A You can use the display ipv6 dhcp server ip in use...

Страница 236: ...Rapid Commit option to the multicast address FF02 1 2 of all the DHCPv6 servers and relay agents After receiving the Solicit message the DHCPv6 relay agent encapsulates the message into the Relay Mes...

Страница 237: ...igure the DHCPv6 relay agent Step Command Remarks 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Enable DHCPv6 relay agent on the interface...

Страница 238: ...he DHCPv6 relay agent reset ipv6 dhcp relay statistics interface interface type interface number DHCPv6 relay agent configuration example Network requirements As shown in Figure 88 configure the DHCPv...

Страница 239: ...t1 1 undo ipv6 nd ra halt RouterA Ethernet1 1 ipv6 nd autoconfig managed address flag RouterA Ethernet1 1 ipv6 nd autoconfig other flag Verifying the configuration Display DHCPv6 server address inform...

Страница 240: ...usted port discards received messages sent by DHCPv6 servers to prevent unauthorized servers from assigning IPv6 addresses DHCPv6 snooping reads DHCP ACK messages received from trusted ports and DHCP...

Страница 241: ...6 snooping device adds Option 18 to the received DHCPv6 request message before forwarding it to the DHCPv6 server The server then assigns IP address to the client based on the client information in Op...

Страница 242: ...mat Figure 91 shows the Option 37 fields Option code Option code Option length Size of the option data Enterprise number Enterprise number Port index Port that receives the DHCPv6 request from the cli...

Страница 243: ...all ports are untrusted ports after DHCPv6 snooping is enabled 5 Return to system view quit N A 6 Enter interface view interface interface type interface number This interface must connect to the DHC...

Страница 244: ...tem view system view N A 2 Specify a file to store DHCPv6 snooping entries ipv6 dhcp snooping binding database filename filename By default no file is specified This command enables the device to imme...

Страница 245: ...releasing the IP addresses Attackers can also forge DHCPv6 DECLINE or DHCPv6 RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses The DHCPv6 REQUEST che...

Страница 246: ...atistics Display DHCPv6 packet statistics for DHCPv6 snooping MSR 5600 display ipv6 dhcp snooping packet statistics slot slot number Clear DHCPv6 snooping entries reset ipv6 dhcp snooping binding all...

Страница 247: ...Enable recording of client information in DHCPv6 snooping entries Router interface Ethernet 1 2 Router Ethernet1 2 ipv6 dhcp snooping binding record Router Ethernet1 2 quit Verifying the configuratio...

Страница 248: ...fast forwarding By default IPv6 fast forwarding is enabled 3 Set the aging time of IPv6 fast forwarding entries ipv6 fast forwarding aging time aging time By default the aging time of IPv6 fast forwa...

Страница 249: ...address of interface Ethernet 1 2 RouterC system view RouterC interface ethernet 1 2 RouterC Ethernet1 2 ipv6 address 2001 1 64 RouterC Ethernet1 2 quit Configure a static route RouterC ipv6 route st...

Страница 250: ...rom 2001 1 bytes 56 Sequence 4 hop limit 64 time 1 ms Reply from 2001 1 bytes 56 Sequence 5 hop limit 64 time 1 ms 2001 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss ro...

Страница 251: ...unneling GRE DVPN and IPsec tunneling Traffic engineering such as MPLS TE to prevent network congestion Unless otherwise specified the term tunnel in this document refers to IPv6 over IPv4 IPv4 over I...

Страница 252: ...el mode Tunnel source destination address Destination IPv6 address format Manually configured tunnel IPv6 over IPv4 manual tunneling The source and destination IPv4 addresses are manually configured O...

Страница 253: ...e interface connected to the IPv4 network The subnet number identifies a subnet in the 6to4 network The subnet number interface ID uniquely identifies a host in the 6to4 network 6to4 tunneling uses an...

Страница 254: ...s in the IP header If the packet is destined for the IPv4 host connected to Device B Device A delivers the packet to the tunnel interface c The tunnel interface adds a new IPv4 header to the IPv4 pack...

Страница 255: ...ers the packet to the IPv6 protocol stack d The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing table and then sends it out De encapsulation e Upon receiving...

Страница 256: ...ally a CPE router that connects end hosts IPv4 packets entering the B4 router are encapsulated into IPv6 packets and sent to the AFTR IPv6 packets from the AFTR are de encapsulated into IPv4 packets a...

Страница 257: ...ID mapping to obtain the IP address of the B4 router uses the address as the destination address of the encapsulated IPv6 packet and forwards the packet to the B4 router Figure 100 shows an example of...

Страница 258: ...l interface adds an IPv6 header to it and submits it to the IPv6 protocol stack d The IPv6 protocol stack forwards the packet according to its destination IPv6 address De encapsulation e Upon receivin...

Страница 259: ...moved on an MSR 5600 router the tunnel interfaces configured still exist To delete a tunnel interface use the undo interface tunnel command To configure a tunnel interface Step Command Remarks 1 Enter...

Страница 260: ...ual tunnel Follow these guidelines when you configure an IPv6 over IPv4 manual tunnel The tunnel destination address specified on the local device must be identical with the tunnel source address spec...

Страница 261: ...eled packets 6 Optional Set the DF bit for tunneled packets tunnel dfbit enable The DF bit is not set for tunneled packets by default 7 Return to system view quit N A 8 Optional Enable dropping of IPv...

Страница 262: ...address for Ethernet 1 2 RouterB system view RouterB interface ethernet 1 2 RouterB Ethernet1 2 ip address 192 168 50 1 255 255 255 0 RouterB Ethernet1 2 quit Specify an IPv6 address for Ethernet 1 1...

Страница 263: ...le IPv6 tunnel because the destination address of the tunnel is embedded in the destination IPv4 compatible IPv6 address of packets The source addresses of local tunnels of the same tunnel mode cannot...

Страница 264: ...auto tunnel Specify an IPv4 compatible IPv6 address for the tunnel interface RouterA Tunnel0 ipv6 address 192 168 100 1 96 Specify Ethernet1 1 as the source interface of the tunnel interface RouterA T...

Страница 265: ...namic routing you must configure a static route destined for the destination IPv6 network if the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface You can...

Страница 266: ...address of Ethernet 1 2 on Router A is 2 1 1 1 24 and the corresponding 6to4 prefix is 2002 0201 0101 48 Host A must use this prefix The IPv4 address of Ethernet 1 2 on Router B is 5 1 1 1 24 and the...

Страница 267: ...erface RouterB interface tunnel 0 mode ipv6 ipv4 6to4 Specify an IPv6 address for the tunnel interface RouterB Tunnel0 ipv6 address 3002 1 64 Specify the source interface as Ethernet1 2 for the tunnel...

Страница 268: ...101 48 The next hop of the static route must be an address using this prefix Figure 105 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4 Config...

Страница 269: ...as the source interface of the tunnel interface RouterB Tunnel0 source ethernet 1 2 RouterB Tunnel0 quit Configure a static route destined for 2002 16 through the tunnel interface RouterB ipv6 route...

Страница 270: ...No IPv6 address is configured for the tunnel interface by default 4 Configure a source address or source interface for the tunnel interface source ip address interface type interface number By default...

Страница 271: ...ge advertised by the ISATAP router Router Tunnel0 undo ipv6 nd ra halt Router Tunnel0 quit Configure the ISATAP host Configurations on the ISATAP host vary with the operating systems The following exa...

Страница 272: ...al unicast address 2001 5efe 1 1 1 2 The message uses Router Discovery indicates that the router discovery function is enabled on the host Display information about IPv6 routes on the host C ipv6 rt 2...

Страница 273: ...ss of the route passing the tunnel interface must not be on the same subnet as the destination address configured on the tunnel interface To configure an IPv4 over IPv4 tunnel Step Command Remarks 1 E...

Страница 274: ...rial 2 0 RouterA Serial2 0 ip address 2 1 1 1 255 255 255 0 RouterA Serial2 0 quit Create an IPv4 over IPv4 tunnel interface tunnel 1 RouterA interface tunnel 1 mode ipv4 ipv4 Specify an IPv4 address...

Страница 275: ...3 1 from 10 1 1 1 56 data bytes press escape sequence to break 56 bytes from 10 1 3 1 icmp_seq 0 ttl 255 time 2 000 ms 56 bytes from 10 1 3 1 icmp_seq 1 ttl 255 time 1 000 ms 56 bytes from 10 1 3 1 ic...

Страница 276: ...pv6 address By default no destination address is configured for the tunnel The tunnel destination address must be the IPv6 address of the receiving interface on the tunnel peer It is used as the desti...

Страница 277: ...Ethernet1 1 quit Specify an IPv6 address for Serial 2 1 which is the physical interface of the tunnel RouterB interface serial 2 1 RouterB Serial2 1 ipv6 address 2002 2 1 64 RouterB Serial2 1 quit Cre...

Страница 278: ...network through the tunnel interface You can configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the ne...

Страница 279: ...lite enable By default DS Lite tunneling is disabled Only after you use this command the AFTR can tunnel IPv4 packets from the public IPv4 network to the B4 router Configuration example Network requi...

Страница 280: ...B Ethernet1 2 ipv6 address 2 2 64 RouterB Ethernet1 2 quit Configure a DS Lite tunnel interface tunnel2 RouterB interface tunnel 2 mode ds lite aftr Configure an IPv4 address for the tunnel interface...

Страница 281: ...network through the tunnel interface You can configure a static route and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the nex...

Страница 282: ...Pv4 compatible IPv6 addresses tunnel discard ipv4 compatible packet The default setting is disabled Configuration example Network requirements As shown in Figure 1 10 configure an IPv6 over IPv6 tunne...

Страница 283: ...erB interface tunnel 2 mode ipv6 Specify an IPv6 address for the tunnel interface RouterB Tunnel2 ipv6 address 3001 1 2 64 Specify the IP address of Serial 2 1 as the source address for the tunnel int...

Страница 284: ...r statistics on tunnel interfaces reset counters interface tunnel number Troubleshooting tunneling configuration Symptom A tunnel interface configured with related parameters such as tunnel source add...

Страница 285: ...ource IP address destination IP address source port number destination port number and protocol number This policy takes the first in first out rule Packet based policy Forwards packets in sequence to...

Страница 286: ...Configuring an IPv6 over IPv6 tunnel 266 Configuring an ISATAP tunnel 254 Configuring basic DHCP snooping 71 Configuring basic DHCPv6 snooping 228 Configuring DHCP packet rate limit 75 Configuring DH...

Страница 287: ...maintaining the DHCPv6 relay agent 223 Displaying and maintaining the DHCPv6 server 215 Displaying and maintaining tunneling configuration 269 Displaying and maintaining UDP helper 172 Displaying DDNS...

Страница 288: ...of DHCPv6 snooping entries 230 Setting the maximum number of dynamic ARP entries for a device 4 Setting the maximum number of dynamic ARP entries for an interface 4 Specifying a flow classification p...

Отзывы:

Нет отзывов

Похожие инструкции для MSR 2600 Series

8 Port 10/100Mbit/s Ethernet Smart Switch with Fibre Uplink

Бренд: Tyco Electronics Страницы: 18

Бренд: IBM Страницы: 4

Бренд: TFortis Страницы: 86

Бренд: Conceptronic Страницы: 230

Бренд: process-informatik Страницы: 8

Бренд: LogLogic Страницы: 30

Бренд: Mercusys Страницы: 35

PCH1 T P Series

Бренд: Parker Страницы: 107

Бренд: Juniper Страницы: 2

Бренд: QTech Страницы: 406

PXI PXITM -1000

Бренд: National Instruments Страницы: 55

Бренд: Paradyne Страницы: 6

Бренд: Multi-Link Страницы: 31

Бренд: MicroNova Страницы: 113

ipRocketLink 3101 Series

Бренд: Patton Страницы: 119

Бренд: Zhone Страницы: 494

Бренд: Hama Страницы: 45

Бренд: Tripp Lite Страницы: 2

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды