HP FlexNetwork MSR2003 Comware 7 Layer 3—IP Services Configuration Guide

HPE FlexNetwork MSR Router Series
Comware 7 Layer 3—IP Services Configuration Guide
Part number: 5998-8832 Software version: CMW710-R0305 Document version: 6PW106-20160308
© Copyright 2016 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies. Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX® is a registered trademark of The Open Group.

Contents

Configuring ARP
  Overview
    ARP message format
    ARP operating mechanism
    ARP table
  Configuring a static ARP entry
  Setting the maximum number of dynamic ARP entries for a device
  Setting the maximum number of dynamic ARP entries for an interface
  Setting the aging timer for dynamic ARP entries
  Enabling dynamic ARP entry check
  Enabling ARP logging
  Displaying and maintaining ARP
  Configuration examples
    Long static ARP entry configuration example
    Short static ARP entry configuration example
Configuring gratuitous ARP
  Overview
    Gratuitous ARP packet learning
    Periodic sending of gratuitous ARP packets
  Configuration procedure
  Enabling IP conflict notification
Configuring proxy ARP
  Enabling common proxy ARP
  Enabling local proxy ARP
  Displaying proxy ARP
  Common proxy ARP configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring ARP fast-reply
  Overview
  Configuration procedure
  ARP fast-reply configuration example
    Network requirements
    Configuration procedure
Configuring ARP PnP
  Overview
  Configuration prerequisites
  Configuration procedure
  Displaying and maintaining ARP PnP
  ARP PnP configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring ARP suppression
  Overview
  Configuration procedure
  Displaying and maintaining ARP suppression
  ARP suppression configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring ARP direct route advertisement
  Overview
  Configuration procedure
Configuring IP addressing
  Overview
    IP address classes
    Special IP addresses
    Subnetting and masking
  Assigning an IP address to an interface
    Configuration guidelines
    Configuration procedure
  Configuring IP unnumbered
    Configuration guidelines
    Configuration prerequisites
    Configuration procedure
  Displaying and maintaining IP addressing
  Configuration examples
    IP address configuration example
    IP unnumbered configuration example
DHCP overview
  DHCP address allocation
    Allocation mechanisms
    IP address allocation process
    IP address lease extension
  DHCP message format
  DHCP options
    Common DHCP options
    Custom DHCP options
  Protocols and standards
Configuring the DHCP server
  Overview
    DHCP address pool
    IP address allocation sequence
  DHCP server configuration task list
  Configuring an address pool on the DHCP server
    Configuration task list
    Creating a DHCP address pool
    Specifying IP address ranges for a DHCP address pool
    Specifying gateways for DHCP clients
    Specifying a domain name suffix for DHCP clients
    Specifying DNS servers for DHCP clients
    Specifying WINS servers and NetBIOS node type for DHCP clients
    Specifying BIMS server for DHCP clients
    Specifying the configuration file for DHCP client auto-configuration
    Specifying a server for DHCP clients
    Configuring Option 184 parameters for DHCP clients
    Customizing DHCP options
    Configuring the DHCP user class whitelist
  Enabling DHCP
  Enabling the DHCP server on an interface
  Applying an address pool on an interface
  Configuring IP address conflict detection
  Enabling handling of Option 82
  Configuring DHCP server compatibility
    Configuring the DHCP server to broadcast all responses
    Configure the DHCP server to ignore BOOTP requests
    Configuring the DHCP server to send BOOTP responses in RFC 1048 format
  Setting the DSCP value for DHCP packets sent by the DHCP server
  Configuring DHCP binding auto backup
  Configuring address pool usage alarming
  Binding gateways to a common MAC address
  Advertising subnets assigned to clients
  Applying a DHCP address pool to a VPN instance
  Enabling client offline detection on the DHCP server
  Configuring DHCP logging on the DHCP server
  Displaying and maintaining the DHCP server
  DHCP server configuration examples
    Static IP address assignment configuration example
    Dynamic IP address assignment configuration example
    DHCP user class configuration example
    DHCP user class whitelist configuration example
    Primary and secondary subnets configuration example
    DHCP option customization configuration example
  Troubleshooting DHCP server configuration
    Symptom
    Analysis
    Solution
Configuring the DHCP relay agent
  Overview
    Operation
    DHCP relay agent support for Option 82
  DHCP relay agent configuration task list
  Enabling DHCP
  Enabling the DHCP relay agent on an interface
  Specifying DHCP servers on a relay agent
  Configuring the DHCP relay agent security functions
    Enabling the DHCP relay agent to record relay entries
    Enabling periodic refresh of dynamic relay entries
    Enabling DHCP starvation attack protection
  Configuring the DHCP relay agent to release an IP address
  Configuring Option 82
  Setting the DSCP value for DHCP packets sent by the DHCP relay agent
  Enabling DHCP server proxy on a DHCP relay agent
  Configuring a DHCP relay address pool
  Specifying a gateway address for DHCP clients
  Enabling client offline detection on the DHCP relay agent
  Specifying the source address and gateway address in DHCP requests
  Displaying and maintaining the DHCP relay agent
  DHCP relay agent configuration examples
    DHCP relay agent configuration example
    Option 82 configuration example
  Troubleshooting DHCP relay agent configuration
    Symptom
    Analysis
    Solution
Configuring the DHCP client
  Enabling the DHCP client on an interface
  Configuring a DHCP client ID for an interface
  Enabling duplicated address detection
  Setting the DSCP value for DHCP packets sent by the DHCP client
  Displaying and maintaining the DHCP client
  DHCP client configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring DHCP snooping
  Overview
    Application of trusted and untrusted ports
    DHCP snooping support for Option 82
  Command and hardware compatibility
  DHCP snooping configuration task list
  Configuring basic DHCP snooping
  Configuring Option 82
  Configuring DHCP snooping entry auto backup
  Enabling DHCP starvation attack protection
  Enabling DHCP-REQUEST attack protection
  Setting the maximum number of DHCP snooping entries
  Displaying and maintaining DHCP snooping
  DHCP snooping configuration examples
    Basic DHCP snooping configuration example
    Option 82 configuration example
Configuring the BOOTP client
  BOOTP application
  Obtaining an IP address dynamically
  Protocols and standards
  Configuring an interface to use BOOTP for IP address acquisition
  Displaying and maintaining BOOTP client
  BOOTP client configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration
Configuring DNS
  Overview
    Static domain name resolution
    Dynamic domain name resolution
    DNS proxy
    DNS spoofing
  DNS configuration task list
  Configuring the IPv4 DNS client
    Configuring static domain name resolution
    Configuring dynamic domain name resolution
  Configuring the IPv6 DNS client
    Configuring static domain name resolution
    Configuring dynamic domain name resolution
  Configuring the DNS proxy
  Configuring DNS spoofing
  Configuring network mode tracking for an output interface
  Specifying the source interface for DNS packets
  Configuring the DNS trusted interface
  Setting the DSCP value for outgoing DNS packets
  Displaying and maintaining IPv4 DNS
  IPv4 DNS configuration examples
    Static domain name resolution configuration example
    Dynamic domain name resolution configuration example
    DNS proxy configuration example
  IPv6 DNS configuration examples
    Static domain name resolution configuration example
    Dynamic domain name resolution configuration example
    DNS proxy configuration example
  Troubleshooting IPv4 DNS configuration
    Symptom
    Solution
  Troubleshooting IPv6 DNS configuration
    Symptom
    Solution
Configuring DDNS ····· 116
Overview ····· 116
DDNS application ····· 116
DDNS client configuration task list ····· 117
Configuring a DDNS policy ····· 117
Configuration prerequisites ····· 118
Configuration procedure ····· 118
Applying the DDNS policy to an interface ····· 119
Setting the DSCP value for outgoing DDNS packets ····· 119
Displaying DDNS ····· 120
DDNS configuration examples ····· 120
DDNS configuration example with www.3322.org ····· 120
DDNS configuration example with PeanutHull server ····· 121

Configuring NAT ····· 123
Overview ····· 123
Terminology ····· 123
NAT types ····· 123
NAT control ····· 124
Command and hardware compatibility ····· 124
NAT implementations ····· 124
Static NAT ····· 124
Dynamic NAT ····· 124
NAT Server ····· 125
DS-Lite NAT444 ····· 126
NAT entries ····· 126
NAT session entry ····· 126
EIM entry ····· 127
NO-PAT entry ····· 127
Using NAT with other features ····· 127
VRF-aware NAT ····· 127
NAT with DNS mapping ····· 128
NAT with ALG ····· 128
NAT configuration task list ····· 129
Configuring static NAT ····· 129
Configuration prerequisites ····· 129
Configuring outbound one-to-one static NAT ····· 129
Configuring outbound net-to-net static NAT ····· 130
Configuring inbound one-to-one static NAT ····· 130
Configuring inbound net-to-net static NAT ····· 131
Configuring dynamic NAT ····· 131
Configuration restrictions and guidelines ····· 132
Configuration prerequisites ····· 132
Configuring outbound dynamic NAT ····· 132
Configuring inbound dynamic NAT ····· 133
Configuring NAT Server ····· 134
Configuring common NAT Server ····· 134
Configuring load sharing NAT Server ····· 135
Configuring ACL-based NAT Server ····· 136
Configuring DS-Lite NAT444 ····· 136
Configuring NAT with DNS mapping ····· 137
Configuring NAT hairpin ····· 137
Configuring NAT with ALG ····· 138
Configuring NAT session logging ····· 138
Displaying and maintaining NAT ····· 138
NAT configuration examples ····· 140
Outbound one-to-one static NAT configuration example ····· 140
Outbound dynamic NAT configuration example (non-overlapping addresses) ····· 141
Outbound bidirectional NAT configuration example ····· 144
NAT Server for external-to-internal access configuration example ····· 147
NAT Server for external-to-internal access through domain name configuration example ····· 150
Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example ····· 153
NAT hairpin in C/S mode configuration example ····· 156
NAT hairpin in P2P mode configuration example ····· 159
Twice NAT configuration example ····· 162
Load sharing NAT Server configuration example ····· 165
NAT with DNS mapping configuration example ····· 167
DS-Lite NAT444 configuration example ····· 170

Basic IP forwarding on the device ····· 173
FIB table ····· 173
Displaying FIB table entries ····· 174

Configuring load sharing ····· 175
Command and hardware compatibility ····· 175
Configuring per-packet or per-flow load sharing ····· 175
Configuring load sharing based on bandwidth ····· 176

Configuring fast forwarding ····· 177
Overview ····· 177
Command and hardware compatibility ····· 177
Configuring the aging time for fast forwarding entries ····· 177
Configuring fast forwarding load sharing ····· 177
Displaying and maintaining fast forwarding ····· 178

Configuring flow classification ····· 179
Feature and hardware compatibility ····· 179
Specifying a flow classification policy ····· 179

Displaying the adjacency table ····· 180
Overview ····· 180
Command and hardware compatibility ····· 181
Displaying commands ····· 181

Configuring IRDP ····· 182
Overview ····· 182
IRDP operation ····· 182
Basic concepts ····· 182
Protocols and standards ····· 183
Configuration procedure ····· 183
IRDP configuration example ····· 184
Network requirements ····· 184
Configuration procedure ····· 184
Verifying the configuration ····· 185

Optimizing IP performance ····· 186
Command and hardware compatibility ····· 186
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network ····· 186
Configuration procedure ····· 186
Configuration example ····· 187
Configuring MTU for an interface ····· 188
Configuring TCP MSS for an interface ····· 188
Configuring TCP path MTU discovery ····· 188
Enabling TCP SYN Cookie ····· 189
Configuring the TCP buffer size ····· 190
Configuring TCP timers ····· 190
Enabling sending ICMP error messages ····· 190
Configuring rate limit for ICMP error messages ····· 192
Specifying the source address for ICMP packets ····· 192
Enabling IPv4 local fragment reassembly ····· 193
Displaying and maintaining IP performance optimization ····· 193
Configuring UDP helper ····· 196
Overview ····· 196
Feature and hardware compatibility ····· 196
Configuration restrictions and guidelines ····· 196
Configuring UDP helper to convert broadcast to unicast ····· 196
Configuring UDP helper to convert broadcast to multicast ····· 197
Configuring UDP helper to convert multicast to broadcast or unicast ····· 198
Displaying and maintaining UDP helper ····· 199
UDP helper configuration examples ····· 199
Configuring UDP helper to convert broadcast to unicast ····· 199
Configuring UDP helper to convert broadcast to multicast ····· 200
Configuring UDP helper to convert multicast to broadcast ····· 201

Configuring basic IPv6 settings ····· 202
Overview ····· 202
IPv6 features ····· 202
IPv6 addresses ····· 203
IPv6 ND protocol ····· 205
IPv6 path MTU discovery ····· 207
IPv6 transition technologies ····· 208
Dual stack ····· 208
Tunneling ····· 208
NAT-PT ····· 209
6PE ····· 209
Protocols and standards ····· 209
Compatibility information ····· 210
Command and hardware compatibility ····· 210
IPv6 basics configuration task list ····· 210
Assigning IPv6 addresses to interfaces ····· 211
Configuring an IPv6 global unicast address ····· 211
Configuring an IPv6 link-local address ····· 213
Configuring an IPv6 anycast address ····· 214
Configuring IPv6 ND ····· 214
Configuring a static neighbor entry ····· 214
Setting the maximum number of dynamic neighbor entries ····· 215
Setting the aging timer for ND entries in stale state ····· 215
Minimizing link-local ND entries ····· 216
Setting the hop limit ····· 216
Configuring parameters for RA messages ····· 216
Configuring the maximum number of attempts to send an NS message for DAD ····· 218
Enabling ND proxy ····· 219
Configuring IPv6 ND suppression ····· 220
Configuring IPv6 ND direct route advertisement ····· 221
Configuring path MTU discovery ····· 222
Configuring the interface MTU ····· 222
Configuring a static path MTU for an IPv6 address ····· 223
Configuring the aging time for dynamic path MTUs ····· 223
Controlling sending ICMPv6 messages ····· 223
Configuring the rate limit for ICMPv6 error messages ····· 223
Enabling replying to multicast echo requests ····· 224
Enabling sending ICMPv6 destination unreachable messages ····· 224
Enabling sending ICMPv6 time exceeded messages ····· 225
Enabling sending ICMPv6 redirect messages ····· 225
Specifying the source address for ICMPv6 packets ····· 225
Enabling IPv6 local fragment reassembly ····· 226
Configuring IPv6 load sharing based on bandwidth ····· 226
Displaying and maintaining IPv6 basics ····· 227
IPv6 configuration examples ····· 230
Basic IPv6 configuration example ····· 230
IPv6 ND suppression configuration example ····· 234
Troubleshooting IPv6 basics configuration ····· 235
Symptom ····· 235
Solution ····· 235

DHCPv6 overview ····· 236
Feature and hardware compatibility ····· 236
DHCPv6 address/prefix assignment ····· 236
Rapid assignment involving two messages ····· 236
Assignment involving four messages ····· 236
Address/prefix lease renewal ····· 237
Stateless DHCPv6 ····· 238
Protocols and standards ····· 238

Configuring the DHCPv6 server ····· 240
Overview ····· 240
IPv6 address assignment ····· 240
IPv6 prefix assignment ····· 240
Concepts ····· 241
DHCPv6 address pool ····· 241
IPv6 address/prefix allocation sequence ····· 242
Configuration task list ····· 243
Configuring IPv6 prefix assignment ····· 243
Configuration guidelines ····· 243
Configuration procedure ····· 244
Configuring IPv6 address assignment ····· 244
Configuration guidelines ····· 245
Configuration procedure ····· 245
Configuring network parameters assignment ····· 246
Configuring network parameters in a DHCPv6 address pool ····· 246
Configuring network parameters in a DHCPv6 option group ····· 247
Configuring the DHCPv6 server on an interface ····· 247
Configuration guidelines ····· 247
Configuration procedure ····· 248
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server ····· 248
Configuring DHCPv6 binding auto backup ····· 248
Advertising subnets assigned to clients ····· 249
Applying a DHCPv6 address pool to a VPN instance ····· 250
Configuring DHCPv6 logging on the DHCPv6 server ····· 250
Displaying and maintaining the DHCPv6 server ····· 251
DHCPv6 server configuration examples ····· 252
Dynamic IPv6 prefix assignment configuration example ····· 252
Dynamic IPv6 address assignment configuration example ····· 254

Configuring the DHCPv6 relay agent ····· 257
Overview ····· 257
DHCPv6 relay agent configuration task list ····· 258
Enabling the DHCPv6 relay agent on an interface ····· 258
Specifying DHCPv6 servers on the relay agent ····· 258
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent ····· 259
Specifying a padding mode for the Interface-ID option ····· 259
Configuring a DHCPv6 relay address pool ····· 260
Specifying a gateway address for DHCPv6 clients ····· 260
Displaying and maintaining the DHCPv6 relay agent ····· 261
DHCPv6 relay agent configuration example ····· 261
Network requirements ····· 261
Configuration procedure ····· 262
Verifying the configuration ······················································································································ 262
Configuring the DHCPv6 client ··································································· 264
Overview ························································································································································ 264 Configuration restrictions and guidelines ······································································································· 264 DHCPv6 client configuration task list ············································································································· 264 Configuring IPv6 address acquisition ············································································································· 264
Configuring IPv6 prefix acquisition
Configuring IPv6 address and prefix acquisition
Configuring stateless DHCPv6
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Displaying and maintaining DHCPv6 client
DHCPv6 client configuration examples
IPv6 address acquisition configuration example
IPv6 prefix acquisition configuration example
IPv6 address and prefix acquisition configuration example
Stateless DHCPv6 configuration example

Configuring DHCPv6 snooping
Overview
Application of trusted and untrusted ports
Command and hardware compatibility
Implementation of Option 18 and Option 37
Option 18 for DHCPv6 snooping
DHCPv6 snooping support for Option 37
DHCPv6 snooping configuration task list
Configuring basic DHCPv6 snooping
Configuring Option 18 and Option 37
Configuring DHCPv6 snooping entry auto backup
Setting the maximum number of DHCPv6 snooping entries
Enabling DHCPv6-REQUEST check
Displaying and maintaining DHCPv6 snooping
DHCPv6 snooping configuration example
Network requirements
Configuration procedure
Verifying the configuration

Configuring IPv6 fast forwarding
Overview
Compatibility information
Command and hardware compatibility
Configuring the aging time for IPv6 fast forwarding entries
Configuring IPv6 fast forwarding load sharing
Displaying and maintaining IPv6 fast forwarding

Configuring tunneling
Overview
IPv6 over IPv4 tunneling
IPv4 over IPv4 tunneling
IPv4 over IPv6 tunneling
IPv6 over IPv6 tunneling
Protocols and standards
Compatibility information
Feature and hardware compatibility
Command and hardware compatibility
Tunneling configuration task list
Configuring a tunnel interface
Configuring an IPv6 over IPv4 manual tunnel
Configuration example
Configuring an automatic IPv4-compatible IPv6 tunnel
Configuration example
Configuring a 6to4 tunnel
6to4 tunnel configuration example
6to4 relay configuration example
Configuring an ISATAP tunnel
Configuration example
Configuring an IPv4 over IPv4 tunnel
Configuration example
Configuring an IPv4 over IPv6 manual tunnel
Configuration example
Configuring a DS-Lite tunnel
Configuration example
Configuring an IPv6 over IPv6 tunnel
Configuration example
Displaying and maintaining tunneling configuration
Troubleshooting tunneling configuration
Symptom
Analysis
Solution

Configuring GRE
Overview
GRE encapsulation format
GRE tunnel operating principle
GRE security mechanisms
GRE application scenarios
Protocols and standards
Configuring a GRE/IPv4 tunnel
Configuration guidelines
Configuration procedure
Configuring a GRE/IPv6 tunnel
Configuration guidelines
Configuration procedure
Displaying and maintaining GRE
GRE configuration examples
Configuring an IPv4 over IPv4 GRE tunnel
Configuring an IPv4 over IPv6 GRE tunnel
Troubleshooting GRE
Symptom
Analysis
Solution

Configuring ADVPN
Overview
ADVPN structures
How ADVPN operates
NAT traversal
ADVPN configuration task list
Configuring AAA
Configuring the VAM server
Creating an ADVPN domain
Enabling the VAM server
Configuring a pre-shared key for the VAM server
Configuring hub groups
Configuring the port number of the VAM server
Specifying authentication and encryption algorithms for the VAM server
Configuring an authentication method
Configuring keepalive parameters
Configuring the retry timer
Configuring the VAM client
Creating a VAM client
Enabling VAM clients
Specifying VAM servers
Specifying an ADVPN domain for a VAM client
Configuring a pre-shared key for a VAM client
Setting the retry timer and retry times for a VAM client
Setting the dumb timer for a VAM client
Configuring a username and password for a VAM client
Configuring an ADVPN tunnel interface
Configuring routing
Configuring IPsec for ADVPN tunnels
Displaying and maintaining ADVPN
ADVPN configuration examples
IPv4 full-mesh ADVPN configuration example
IPv6 full-mesh ADVPN configuration example
IPv4 hub-spoke ADVPN configuration example
IPv6 hub-spoke ADVPN configuration example
IPv4 multi-hub-group ADVPN configuration example
IPv6 multi-hub-group ADVPN configuration example
IPv4 full-mesh NAT traversal ADVPN configuration example

Configuring WAAS
Overview
TFO
DRE
LZ compression
Command and hardware compatibility
Protocols and standards
WAAS configuration task list
Configuring a WAAS class
Configuring a WAAS policy
Applying a WAAS policy to an interface
Configuring TFO parameters
Configuring the TFO blacklist autodiscovery feature
Deleting all WAAS settings
Restoring predefined WAAS settings
Displaying and maintaining WAAS
WAAS configuration examples
Predefined WAAS policy configuration example
User-defined WAAS policy configuration example

Configuring AFT
Overview
Compatibility information
Command and hardware compatibility
AFT implementations
Static AFT
Dynamic AFT
Prefix translation
AFT internal server
AFT translation process
For IPv6-initiated communication
For IPv4-initiated communication
AFT with ALG
AFT configuration task list
For IPv6-initiated communication
For IPv4-initiated communication
Enabling AFT
Configuring an IPv6-to-IPv4 destination address translation policy
Configuring an IPv6-to-IPv4 source address translation policy
Configuring an IPv4-to-IPv6 destination address translation policy
Configuring an IPv4-to-IPv6 source address translation policy
Configuring AFT logging
Setting the ToS field to 0 for translated IPv4 packets
Setting the Traffic Class field to 0 for translated IPv6 packets
Displaying and maintaining AFT
AFT configuration examples
Allowing IPv4 Internet access from an IPv6 network
Providing FTP service from an IPv6 network to the IPv4 Internet
Allowing mutual access between IPv4 and IPv6 networks
Allowing IPv6 Internet access from an IPv4 network
Providing FTP service from an IPv4 network to the IPv6 Internet
Document conventions and icons
Conventions
Network topology icons

Support and other resources
Accessing Hewlett Packard Enterprise Support
Accessing updates
Websites
Customer self repair
Remote support
Documentation feedback

Index

Configuring ARP

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.
Figure 1 ARP message format
• Hardware type—Hardware address type. The value 1 represents Ethernet.
• Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.
• Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.
• OP—Operation code, which describes the type of ARP message. The value 1 represents an ARP request, and the value 2 represents an ARP reply.
• Sender hardware address—Hardware address of the device sending the message.
• Sender protocol address—Protocol address of the device sending the message.
• Target hardware address—Hardware address of the device to which the message is being sent.
• Target protocol address—Protocol address of the device to which the message is being sent.

ARP operating mechanism

As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:
1. Host A looks through the ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:
   ○ Sender IP address and sender MAC address—Host A's IP address and MAC address.
   ○ Target IP address—Host B's IP address.
   ○ Target MAC address—An all-zero MAC address.
   All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
3. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows:
   a. Adds the sender IP address and sender MAC address into its ARP table.
   b. Encapsulates its MAC address into an ARP reply.
   c. Unicasts the ARP reply to Host A.
4. After receiving the ARP reply, Host A operates as follows:
   a. Adds the MAC address of Host B into its ARP table.
   b. Encapsulates the MAC address into the packet and sends the packet to Host B.
Figure 2 ARP address resolution process
If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:
1. Host A broadcasts an ARP request where the target IP address is the IP address of the gateway.
2. The gateway responds with its MAC address in an ARP reply to Host A.
3. Host A uses the gateway's MAC address to encapsulate the packet, and then sends the packet to the gateway.
4. If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request, in which the target IP address is the IP address of Host B.
5. After the gateway gets the MAC address of Host B, it sends the packet to Host B.

ARP table

An ARP table stores dynamic, static, OpenFlow, and Rule ARP entries.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.
Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
The device supports the following types of static ARP entries:
• Long static ARP entry—It contains the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets.
• Short static ARP entry—It contains only the IP address and MAC address.
  ○ If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.
  ○ If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the short entry. If the sender IP and MAC addresses in the received ARP reply match the short static ARP entry, the device performs the following operations:
    - Adds the interface that received the ARP reply to the short static ARP entry.
    - Uses the resolved short static ARP entry to forward IP packets.
To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.
OpenFlow ARP entry
ARP creates OpenFlow ARP entries by learning from the OpenFlow module. An OpenFlow ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. An OpenFlow ARP entry can be used directly to forward packets. For more information about OpenFlow, see OpenFlow Configuration Guide.
Rule ARP entry
ARP creates Rule ARP entries by learning from the IPoE or portal module. A Rule ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. A Rule ARP entry can be used directly to forward packets. For more information about IPoE, see Layer 2—WAN Access Configuration Guide. For more information about portal, see Security Configuration Guide.

Configuring a static ARP entry

A static ARP entry is effective when the device functions correctly. If a VLAN or VLAN interface is deleted, long static ARP entries in the VLAN are deleted, and resolved short static ARP entries in the VLAN become unresolved.
A resolved short static ARP entry becomes unresolved upon certain events. For example, it becomes unresolved when the resolved output interface goes down.
A long static ARP entry is ineffective in either of the following situations:
• The IP address in the entry conflicts with a local IP address.
• No local interface has an IP address in the same subnet as the IP address in the ARP entry.
Follow these guidelines when you configure a long static ARP entry:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN.
• The VLAN interface must be created. Its IP address and the IP address specified by the ip-address argument must be on the same subnet.
To configure a static ARP entry:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a static ARP entry.
   Command:
   • Configure a long static ARP entry:
     arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
   • Configure a short static ARP entry:
     arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
   Remarks: By default, no static ARP entry is configured.

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.
If you set a value lower than the number of existing dynamic ARP entries, the device does not remove the existing entries unless they are aged out.
To set the maximum number of dynamic ARP entries for a device:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the maximum number of dynamic ARP entries for the device.
   Command: arp max-learning-number number
   Remarks: If the value for the number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.
You can set limits for both a Layer 2 interface and the VLAN interface for a permitted VLAN on the Layer 2 interface. The Layer 2 interface learns an ARP entry only when neither limit is reached.
To set the maximum number of dynamic ARP entries for an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Set the maximum number of dynamic ARP entries for the interface.
   Command: arp max-learning-num number
   Remarks: If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.
To set the aging timer for dynamic ARP entries:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the aging timer for dynamic ARP entries.
   Command: arp timer aging aging-time
   Remarks: By default, the aging time for dynamic ARP entries is 20 minutes.
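The entry rules from "ARP table", together with the learning limit and the aging timer described above, can be exercised with a small model. This is an added example, not HPE or Comware code; the class and function names, the forged MAC address 0200-0000-00aa, and the assumption that refreshing an existing dynamic entry does not count against the limit are illustrative.

```python
from dataclasses import dataclass

DEFAULT_AGING_SECONDS = 20 * 60  # default aging time stated in this chapter


@dataclass
class Entry:
    mac: str
    kind: str          # "dynamic", "static", "openflow" or "rule"
    expires_at: float  # used only for dynamic entries


class ArpTable:
    """Toy model of the entry rules; not the Comware implementation."""

    def __init__(self, max_learning_number=None, aging_seconds=DEFAULT_AGING_SECONDS):
        self.entries = {}                               # IP -> Entry
        self.max_learning_number = max_learning_number  # None: no limit modelled
        self.aging_seconds = aging_seconds

    def dynamic_count(self):
        return sum(1 for e in self.entries.values() if e.kind == "dynamic")

    def expire(self, now):
        """Delete dynamic entries whose aging timer has run out."""
        aged = [ip for ip, e in self.entries.items()
                if e.kind == "dynamic" and e.expires_at <= now]
        for ip in aged:
            del self.entries[ip]

    def add_static(self, ip, mac):
        """Static entries overwrite dynamic, OpenFlow and Rule entries and never age."""
        self.entries[ip] = Entry(mac, "static", float("inf"))

    def learn(self, ip, mac, now):
        """Offer a mapping taken from a received ARP packet; return the outcome."""
        self.expire(now)
        current = self.entries.get(ip)
        if current is not None and current.kind != "dynamic":
            # Static entries cannot be overwritten by dynamic ones, and
            # OpenFlow/Rule entries cannot be updated.
            return "rejected:" + current.kind
        if current is not None:
            # Assumption: refreshing an existing entry does not count against the limit.
            current.mac = mac
            current.expires_at = now + self.aging_seconds  # timer reset on update
            return "updated"
        if (self.max_learning_number is not None
                and self.dynamic_count() >= self.max_learning_number):
            return "rejected:limit"  # a limit of 0 disables learning entirely
        self.entries[ip] = Entry(mac, "dynamic", now + self.aging_seconds)
        return "created"


def spoofing_demo():
    """Offer the same forged mapping to a dynamic entry and then to a static one."""
    # IP and MAC of Router A come from this chapter's example; the forged MAC is constructed.
    ip, real_mac, forged_mac = "192.168.1.1", "00e0-fc01-0000", "0200-0000-00aa"
    table = ArpTable()
    table.learn(ip, real_mac, now=0)
    against_dynamic = table.learn(ip, forged_mac, now=5)
    mac_after_dynamic = table.entries[ip].mac
    table.add_static(ip, real_mac)
    against_static = table.learn(ip, forged_mac, now=10)
    return against_dynamic, mac_after_dynamic, against_static, table.entries[ip].mac


if __name__ == "__main__":
    print(spoofing_demo())
```

The dynamic entry accepts the forged mapping, while the static entry keeps Router A's MAC address, which is the protection the static ARP configuration examples in this chapter rely on.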

Enabling dynamic ARP entry check

The dynamic ARP entry check function disables the device from supporting dynamic ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries containing multicast MAC addresses.
When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.
To enable dynamic ARP entry check:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable dynamic ARP entry check.
   Command: arp check enable
   Remarks: By default, dynamic ARP entry check is enabled.

Enabling ARP logging

This function enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:
• On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:
  ○ The IP address of the receiving interface.
  ○ The virtual IP address of the VRRP group.
  ○ The public IP address after NAT.
• The sender IP address of a received ARP reply conflicts with one of the following IP addresses:
  ○ The IP address of the receiving interface.
  ○ The virtual IP address of the VRRP group.
  ○ The public IP address after NAT.
The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.
To enable the ARP logging function:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the ARP logging function.
   Command: arp check log enable
   Remarks: By default, ARP logging is disabled.

Displaying and maintaining ARP

IMPORTANT:
Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.
Execute display commands in any view and reset commands in user view.
Task: Display ARP entries (centralized devices in standalone mode).
Command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]
Task: Display ARP entries (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]
Task: Display ARP entries (distributed devices in IRF mode).
Command: display arp [ [ all | dynamic | static ] [ chassis chassis-number slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]
Task: Display the ARP entry for an IP address (centralized devices in standalone mode).
Command: display arp ip-address [ verbose ]
Task: Display the ARP entry for an IP address (distributed devices in standalone mode/centralized devices in IRF mode).
Command: display arp ip-address [ slot slot-number ] [ verbose ]
Task: Display the ARP entry for an IP address (distributed devices in IRF mode).
Command: display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ]
Task: Display the ARP entries for a VPN instance.
Command: display arp vpn-instance vpn-instance-name [ count ]
Task: Display the aging timer of dynamic ARP entries.
Command: display arp timer aging
Task: Clear ARP entries from the ARP table (centralized devices in standalone mode).
Command: reset arp { all | dynamic | interface interface-type interface-number | static }
Task: Clear ARP entries from the ARP table (distributed devices in standalone mode/centralized devices in IRF mode).
Command: reset arp { all | dynamic | interface interface-type interface-number | slot slot-number | static }
Task: Clear ARP entries from the ARP table (distributed devices in IRF mode).
Command: reset arp { all | chassis chassis-number slot slot-number | dynamic | interface interface-type interface-number | static }

Configuration examples

Long static ARP entry configuration example

Network requirements
As shown in Figure 3, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/1 in VLAN 10.
To ensure secure communications between Router A and Router B, configure a long static ARP entry for Router A on Router B.
Figure 3 Network diagram
Configuration procedure
# Create VLAN 10.
<RouterB> system-view
[RouterB] vlan 10
[RouterB-vlan10] quit
# Add interface GigabitEthernet 2/0/1 to VLAN 10.
[RouterB] interface gigabitethernet 2/0/1
[RouterB-GigabitEthernet2/0/1] port access vlan 10
[RouterB-GigabitEthernet2/0/1] quit
# Create VLAN-interface 10 and configure its IP address.
[RouterB] interface vlan-interface 10
[RouterB-vlan-interface10] ip address 192.168.1.2 8
[RouterB-vlan-interface10] quit
# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 2/0/1 in VLAN 10.
[RouterB] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 2/0/1
Verifying the configuration
# Verify that Router B has a long static ARP entry for Router A.
[RouterB] display arp static
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address      MAC address    VLAN     Interface                Aging Type
192.168.1.1     00e0-fc01-0000 10       GE2/0/1                  N/A   S

Short static ARP entry configuration example

Network requirements
As shown in Figure 4, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/2.
To ensure secure communications between Router A and Router B, configure a short static ARP entry for Router A on Router B.
Figure 4 Network diagram
Configuration procedure
# Configure an IP address for GigabitEthernet 2/0/2.
<RouterB> system-view
[RouterB] interface gigabitethernet 2/0/2
[RouterB-GigabitEthernet2/0/2] ip address 192.168.1.2 24
[RouterB-GigabitEthernet2/0/2] quit
# Configure a static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f.
[RouterB] arp static 192.168.1.1 00e0-fc01-001f
Verifying the configuration
# Verify that Router B has a short static ARP entry for Router A.
[RouterB] display arp static
  Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport  I-Invalid
IP address      MAC address    VLAN     Interface                Aging Type
192.168.1.1     00e0-fc01-001f N/A      N/A                      N/A   S

Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a MAC address change.

Gratuitous ARP packet learning

This function enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.
When this function is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets

Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.
This feature can implement the following functions:
• Prevent gateway spoofing.
  Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.
  To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.
• Prevent ARP entries from aging out.
  If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.
  To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.
• Prevent the virtual IP address of a VRRP group from being used by a host.
  The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network. The hosts can then update local ARP entries and avoid using the virtual IP address of the VRRP group. The sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. For more information about VRRP, see High Availability Configuration Guide.
• Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured.
  In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets. Also, a VRRP control VLAN must be configured so that VRRP advertisements can be transmitted within the control VLAN only. In such cases, you can enable periodic sending of gratuitous ARP packets containing the following addresses:
  ○ The VRRP virtual IP address.
  ○ The primary IP address or a manually configured secondary IP address of the sending interface on the subinterfaces.
  When a VRRP failover occurs, devices in the VLANs can use the gratuitous ARP packets to update their corresponding MAC entries in a timely manner. For more information about ambiguous Dot1q or QinQ termination, see Layer 2—LAN Switching Configuration Guide.
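The following added example (not HPE or Comware code) decodes the fields listed in "ARP message format" and classifies each message the way a monitoring host could: a multicast sender MAC (what dynamic ARP entry check refuses to learn), a sender IP announced with a MAC that contradicts a trusted mapping (the gateway spoofing case above), a gratuitous ARP, or a normal message. The function names and the four sample messages are constructed; the trusted address pair reuses Router A's addresses from the static ARP example.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"          # field lengths 2, 2, 1, 1, 2, 6, 4, 6, 4 bytes
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes for Ethernet/IPv4


def mac_bytes(text):
    """'00e0-fc01-0000' (the notation used in this guide) -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def mac_text(raw):
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP message for the samples below (nothing is sent)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP message; raise ValueError on anything else."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (1, 2):
        raise ValueError("operation code is neither request (1) nor reply (2)")
    return {
        "op": "request" if op == 1 else "reply",
        "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def classify(msg, trusted):
    """trusted: IP -> MAC mappings the operator already knows to be correct."""
    if int(msg["sender_mac"][:2], 16) & 1:
        return "multicast-sender-mac"   # group bit set in the first octet
    expected = trusted.get(msg["sender_ip"])
    if expected is not None and expected != msg["sender_mac"]:
        return "mapping-conflict"       # trusted IP announced with another MAC
    if msg["sender_ip"] == msg["target_ip"]:
        return "gratuitous"
    return "normal"


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00e0-fc01-0000"  # Router A in this guide
SAMPLES = [  # constructed messages
    build_arp(1, "0011-2233-4455", "192.168.1.10", "0000-0000-0000", GATEWAY_IP),
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, "ffff-ffff-ffff", GATEWAY_IP),
    build_arp(2, "0200-0000-00aa", GATEWAY_IP, "ffff-ffff-ffff", GATEWAY_IP),
    build_arp(2, "0100-5e00-0001", "192.168.1.20", "0011-2233-4455", "192.168.1.10"),
]


def run_samples():
    trusted = {GATEWAY_IP: GATEWAY_MAC}
    return [classify(parse_arp(p), trusted) for p in SAMPLES]


if __name__ == "__main__":
    for payload, verdict in zip(SAMPLES, run_samples()):
        m = parse_arp(payload)
        print(f"{m['op']:7} {m['sender_ip']:13} {m['sender_mac']}  {verdict}")
```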

Configuration procedure

The following conditions apply to the gratuitous ARP configuration:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
• The frequency of sending gratuitous ARP packets might be much lower than the sending interval set by the user in any of the following circumstances:
  ○ This function is enabled on multiple interfaces.
  ○ Each interface is configured with multiple secondary IP addresses.
  ○ A small sending interval is configured when the previous two conditions exist.
To configure gratuitous ARP:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable learning of gratuitous ARP packets.
   Command: gratuitous-arp-learning enable
   Remarks: By default, learning of gratuitous ARP packets is enabled.
3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
   Command: gratuitous-arp-sending enable
   Remarks: By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable periodic sending of gratuitous ARP packets and set the sending interval.
   Command: arp send-gratuitous-arp [ interval milliseconds ]
   Remarks: By default, periodic sending of gratuitous ARP packets is disabled.

Enabling IP conflict notification

By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict.
You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation.
To enable IP conflict notification:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IP conflict notification.
   Command: arp ip-conflict log prompt
   Remarks: By default, IP conflict notification is disabled.

Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.
Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.
• Local proxy ARP—Allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Enabling common proxy ARP

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: The following interface types are supported:
   • VLAN interface.
   • Layer 3 Ethernet interface.
   • Layer 3 Ethernet subinterface.
   • Layer 3 aggregate interface.
   • Layer 3 aggregate subinterface.
3. Enable common proxy ARP.
   Command: proxy-arp enable
   Remarks: By default, common proxy ARP is disabled.

Enabling local proxy ARP

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: The following interface types are supported:
   • VLAN interface.
   • Layer 3 Ethernet interface.
   • Layer 3 Ethernet subinterface.
   • Layer 3 aggregate interface.
   • Layer 3 aggregate subinterface.
3. Enable local proxy ARP.
   Command: local-proxy-arp enable [ ip-range startIP to endIP ]
   Remarks: By default, local proxy ARP is disabled.

Displaying proxy ARP

Execute display commands in any view.
Task: Display common proxy ARP status.
Command: display proxy-arp [ interface interface-type interface-number ]
Task: Display local proxy ARP status.
Command: display local-proxy-arp [ interface interface-type interface-number ]

Common proxy ARP configuration example

Network requirements

As shown in Figure 5, Host A and Host D have the same prefix and mask, but they are located on different subnets. No default gateway is configured on Host A and Host D.
Configure common proxy ARP on the router to enable communication between Host A and Host D.
Figure 5 Network diagram

Configuration procedure

# Configure the IP address of interface GigabitEthernet 2/0/2.
<Router> system-view
[Router] interface gigabitethernet 2/0/2
[Router-GigabitEthernet2/0/2] ip address 192.168.10.99 255.255.255.0
# Enable common proxy ARP on interface GigabitEthernet 2/0/2.
[Router-GigabitEthernet2/0/2] proxy-arp enable
[Router-GigabitEthernet2/0/2] quit
# Configure the IP address of interface GigabitEthernet 2/0/1.
[Router] interface gigabitethernet 2/0/1
[Router-GigabitEthernet2/0/1] ip address 192.168.20.99 255.255.255.0
# Enable common proxy ARP on interface GigabitEthernet 2/0/1.
[Router-GigabitEthernet2/0/1] proxy-arp enable
[Router-GigabitEthernet2/0/1] quit

Verifying the configuration

# Verify that Host A and Host D can ping each other.

Configuring ARP fast-reply

Overview

ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."
If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module. If not, the device takes the following steps to process the packet:
1. Search the DHCP snooping table for a match by using the target IP address.
2. If a match is found, whether the device returns a reply depends on the type of interface in the matching entry.
   ○ If the interface is the Ethernet interface that received the ARP request, the device does not return a reply.
   ○ If the interface is a wireless interface or an Ethernet interface other than the receiving interface, the device returns a reply according to the matching entry.
3. If no matching DHCP snooping entry is found, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN, or delivered to other modules.
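The decision steps above, written out as an added example (not HPE or Comware code) and traced over one request per branch. The DHCP snooping table, the interface labels, the VLAN interface address and all function and field names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SnoopingEntry:
    mac: str
    interface: str          # interface on which the DHCP client was learned
    wireless: bool = False


def fast_reply_decision(target_ip, rx_interface, vlan_interface_ip, snooping):
    """Return (action, mac) for one ARP request received in a fast-reply VLAN.

    snooping maps a client IP address to its DHCP snooping entry.
    """
    if target_ip == vlan_interface_ip:
        return ("deliver-to-arp-module", None)
    entry = snooping.get(target_ip)                    # step 1: look up the target IP
    if entry is None:                                  # step 3: no matching entry
        return ("forward-or-deliver", None)
    if not entry.wireless and entry.interface == rx_interface:
        return ("no-reply", None)                      # step 2: same Ethernet interface
    return ("reply", entry.mac)                        # step 2: wireless or other interface


# Constructed environment: three DHCP clients in one VLAN.
VLAN_INTERFACE_IP = "10.1.2.1"
SNOOPING = {
    "10.1.2.11": SnoopingEntry("0011-2233-0011", "GE2/0/1"),
    "10.1.2.12": SnoopingEntry("0011-2233-0012", "GE2/0/2"),
    "10.1.2.13": SnoopingEntry("0011-2233-0013", "wlan-1", wireless=True),
}
REQUESTS = [  # (target IP, receiving interface), constructed
    ("10.1.2.1", "GE2/0/1"),    # asks for the VLAN interface itself
    ("10.1.2.12", "GE2/0/1"),   # target sits behind another Ethernet interface
    ("10.1.2.11", "GE2/0/1"),   # target sits behind the receiving interface
    ("10.1.2.13", "wlan-1"),    # target was learned on a wireless interface
    ("10.1.2.99", "GE2/0/1"),   # no DHCP snooping entry
]


def trace():
    return [fast_reply_decision(ip, rx, VLAN_INTERFACE_IP, SNOOPING)
            for ip, rx in REQUESTS]


if __name__ == "__main__":
    for (ip, rx), (action, mac) in zip(REQUESTS, trace()):
        print(f"who-has {ip:10} on {rx:8} -> {action} {mac or ''}")
```

Because replies are built from DHCP snooping entries, the answers are only as trustworthy as the snooping table itself.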

Configuration procedure

To configure ARP fast-reply:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
3. Enable ARP fast-reply.
   Command: arp fast-reply enable
   Remarks: By default, ARP fast-reply is disabled.

ARP fast-reply configuration example

Network requirements

As shown in Figure 6, the router is a DHCP snooping device. All clients are in VLAN 2, and access the network through the router. The clients obtain IP addresses from the DHCP server through DHCP.
Enable ARP fast-reply for VLAN 2. The router directly returns an ARP reply without broadcasting received ARP requests in the VLAN.
Figure 6 Network diagram
Configuration procedure

# Enable ARP fast-reply for VLAN 2 on the router.
[Router-vlan2] arp fast-reply enable
[Router-vlan2] quit