
Huawei AR150&200&1200&2200&3200 Series Enterprise Routers
V200R003C01

Configuration Guide - IP Service

Issue: 04
Date: 2014-01-16

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com

Issue 04 (2014-01-16)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

Huawei AR150&200&1200&2200&3200 Series Enterprise


Routers
Configuration Guide - IP Service

About This Document


Intended Audience
This document describes the concepts and configuration procedures of IP Service features on
the device, and provides the configuration examples.
This document provides guidance for configuring IP Service features.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol    Description

          Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

          Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

          Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

          Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE      Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention          Description

Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all the updates made in previous issues.

Changes in Issue 04 (2014-01-16)


This version has the following updates:
The following information is modified:
• 3.5.1.6 (Optional) Configuring Automatic Saving of DHCP Data

Changes in Issue 03 (2013-08-15)


The following information is modified:
• Configuring Actions of Local PBR

Changes in Issue 02 (2013-04-15)


The following information is modified:
• 2.7.5 Example for Configuring Layer 2 Topology Detection
• 4.4.1.2 Configuring the Dynamic DNS

Changes in Issue 01 (2013-01-31)


Initial commercial release.

Contents
About This Document
1 IP Address Configuration
1.1 IPv4 Overview
1.2 Principles
1.2.1 IPv4 Protocol Suite
1.2.2 IPv4 Address
1.2.3 IPv4 Packet Format
1.2.4 Subnetting
1.2.5 IP Address Resolution
1.3 Configuring IP Address
1.3.1 Configuring IP Addresses for Interfaces
1.3.1.1 Configuring a Primary IP Address for an Interface
1.3.1.2 (Optional) Configuring a Secondary IP Address for an Interface
1.3.1.3 Checking the Configuration
1.3.2 Configuring an IP Unnumbered Interface
1.3.2.1 Configuring a Primary IP Address for the IP Numbered Interface
1.3.2.2 Configuring an IP address Unnumbered Interface
1.3.2.3 Checking the Configuration
1.4 Configuration Examples
1.4.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
1.4.2 Example for Configuring an IP Unnumbered Interface
1.5 Common Configuration Errors
1.5.1 IP Address Configuration Fails on an Interface
1.6 References

2 ARP Configuration
2.1 ARP Overview
2.2 Principles
2.2.1 ARP Principles
2.2.2 Proxy ARP
2.2.3 Gratuitous ARP
2.2.4 ARP-Ping
2.3 Configuration Task Summary
2.4 Default Configuration
2.5 Configuring ARP
2.5.1 Configuring Static ARP
2.5.2 Optimizing Dynamic ARP
2.5.2.1 Adjusting Aging Parameters of Dynamic ARP Entries
2.5.2.2 Enabling Layer 2 Topology Detection
2.5.2.3 Checking the Configuration
2.5.3 Configuring Proxy ARP
2.5.3.1 Configuring Routed Proxy ARP
2.5.3.2 Configuring Intra-VLAN Proxy ARP
2.5.3.3 Configuring Inter-VLAN Proxy ARP
2.5.4 Configuring ARP-Ping
2.5.4.1 Configuring ARP-Ping IP
2.5.4.2 Configuring ARP-Ping MAC
2.6 Maintaining ARP
2.6.1 Clearing ARP Entries
2.6.2 Monitoring the ARP Running Status
2.7 Configuration Examples
2.7.1 Example for Configuring Static ARP
2.7.2 Example for Configuring Routed Proxy ARP
2.7.3 Example for Configuring Intra-VLAN Proxy ARP
2.7.4 Example for Configuring Inter-VLAN Proxy ARP
2.7.5 Example for Configuring Layer 2 Topology Detection
2.8 FAQ
2.8.1 How Can I Configure Static ARP Entries on an Interface?
2.8.2 Termination Sub-interfaces That Connect Two Devices Cannot Ping Each Other. Why?
2.9 References

3 DHCP Configuration
3.1 DHCP Overview
3.2 Principles
3.2.1 DHCP Overview
3.2.2 Introduction to DHCP Messages
3.2.3 DHCP Options
3.2.4 DHCP Principles
3.2.5 DHCP Relay Principles
3.2.6 IP Address Assignment and Renewal
3.3 Application
3.3.1 DHCP Server Application
3.3.2 DHCP Relay Application
3.3.3 DHCP/BOOTP Client Application
3.4 Default Configuration
3.5 Configuring DHCP
3.5.1 Configuring a DHCP Server Based on the Global Address Pool
3.5.1.1 Configuring the Global Address Pool
3.5.1.2 Configuring an Interface to Use the Global Address Pool
3.5.1.3 (Optional) Configuring the DNS Service and NetBIOS Service on the DHCP Client
3.5.1.4 (Optional) Configuring a Customized DHCP Option for the Global Address Pool
3.5.1.5 (Optional) Preventing Repeated IP Address Allocation
3.5.1.6 (Optional) Configuring Automatic Saving of DHCP Data
3.5.1.7 (Optional) Configuring the DHCP Server to trust Option 82
3.5.1.8 Checking the Configuration
3.5.2 Configuring a DHCP Server Based on an Interface Address Pool
3.5.2.1 Configuring an Interface Address Pool
3.5.2.2 (Optional) Configuring the DNS Service and NetBIOS Service on the DHCP Client
3.5.2.3 (Optional) Configuring a Customized DHCP Option for an Interface Address Pool
3.5.2.4 (Optional) Preventing Repeated IP Address Allocation
3.5.2.5 (Optional) Configuring Automatic Saving of DHCP Data
3.5.2.6 (Optional) Configuring the DHCP Server to trust Option 82
3.5.2.7 Checking the Configuration
3.5.3 Configuring a DHCP Relay Agent
3.5.3.1 Configuring DHCP Relay on an Interface
3.5.3.2 Configuring a Destination DHCP Server Group
3.5.3.3 Binding an Interface to a DHCP Server Group
3.5.3.4 (Optional) Configuring the DHCP Relay Agent to Send DHCP Release Messages
3.5.3.5 Checking the Configuration
3.5.4 Configuring the DHCP/BOOTP Client Function
3.5.4.1 (Optional) Configuring the DHCP/BOOTP Client Attributes
3.5.4.2 (Optional) Configuring the DHCP Server to Deliver Routing Entries to a DHCP Client
3.5.4.3 Enabling the DHCP/BOOTP Client Function
3.5.4.4 Checking the Configuration
3.5.5 Configuring the DHCP Rate Limit Function
3.6 Maintaining DHCP
3.6.1 Clearing DHCP Statistics
3.6.2 Clearing the DHCP Address Pool
3.6.3 Monitoring DHCP Operation
3.7 Configuration Examples
3.7.1 Example for Configuring a DHCP Server Based on the Global Address Pool
3.7.2 Example for Configuring a DHCP Server Based on the Interface Address Pool
3.7.3 Example for Configuring a DHCP Server and a DHCP Relay Agent
3.7.4 Example for Configuring the DHCP Client and BOOTP Client
3.7.5 Example for Configuring DHCP Rate Limit
3.8 Common Configuration Errors
3.8.1 DHCP Client Cannot Obtain IP Addresses When router Functions as the DHCP Server
3.8.2 DHCP Client Cannot Obtain IP Addresses When router Functions as the DHCP Relay Agent
3.9 FAQ
3.9.1 How Can I Prevent the Auto-Config Function from Periodically Clearing DHCP-related Configurations on the Device?
3.9.2 How Can the Device Function as a DHCP Server to Dynamically Allocate IP Addresses to Multiple DHCP Clients?
3.9.3 DHCP Clients Cannot Obtain IP Addresses. How Do I Solve This Problem?
3.9.4 How Do I View IP Address Allocation in the DHCP Server Address Pool?
3.9.5 When the Device Functions as the Access Device, It Takes a Long Time for Users to Obtain IP Addresses Through DHCP? Why?
3.10 References

4 DNS Configuration
4.1 DNS Overview
4.2 Principles
4.2.1 Working Principle of DNS
4.2.2 Working Principle of DNS Proxy or Relay
4.2.3 Working Principle of DNS Spoofing
4.2.4 Working Principle of DDNS
4.3 Applications
4.3.1 DNS Client Application
4.3.2 DNS Proxy Application
4.4 Configuring DNS
4.4.1 Configuring the DNS Client
4.4.1.1 Configuring the Static DNS
4.4.1.2 Configuring the Dynamic DNS
4.4.1.3 Checking the Configuration
4.4.2 Configuring DNS Proxy or Relay
4.4.2.1 Configuring the Destination DNS Server
4.4.2.2 (Optional) Configuring DNS Spoofing
4.4.2.3 Checking the Configuration
4.4.3 Configuring the DDNS Client
4.4.3.1 Configuring a DDNS Policy
4.4.3.2 Binding a DDNS Policy to an Interface
4.4.3.3 Checking the Configuration
4.5 Maintaining DNS
4.5.1 Deleting Dynamic DNS Entries
4.5.2 Deleting DNS Entries of the DNS Proxy or Relay
4.5.3 Clearing Statistics on Sent and Received DNS Packets
4.5.4 Manually Updating a DDNS Policy
4.5.5 Monitoring the Running Status of DNS
4.6 Configuration Examples
4.6.1 Example for Configuring the DNS Client
4.6.2 Example for Configuring DNS Proxy
4.6.3 Example for Configuring the DDNS Client
4.6.4 Example for Configuring the router to Communicate with Siemens DDNS Server
4.7 Common Configuration Errors
4.7.1 Dynamic Domain Name Resolution Cannot Be Implemented on a DNS Client
4.8 FAQ
4.8.1 How Do I View the DNS Configuration of Devices?
4.8.2 When Configuring Static DNS Entries, Do I Have to Enable Dynamic DNS Resolution?
4.8.3 Are Dynamic DNS Entries Aged at Intervals of the Aging Time or Using the Command?
4.8.4 In What Scenarios Should I Use the DNS Relay Function?
4.8.5 Does the Device Support DNS Proxy?
4.8.6 Does the Device Allow a Server IP Address to Map Multiple Domain Names?
4.9 References

5 NAT Configuration
5.1 Introduction to NAT
5.2 Principles
5.2.1 Overview
5.2.2 NAT Implementation...............................................................................................................................................155
5.2.3 NAT ALG................................................................................................................................................................158
5.2.4 DNS Mapping..........................................................................................................................................................159
5.2.5 NAT Associated with VPNs....................................................................................................................................160
5.2.6 Twice NAT..............................................................................................................................................................162
5.2.7 NAT Filtering and NAT Mapping...........................................................................................................................163
5.3 Applications................................................................................................................................................................165
5.3.1 Private Network Hosts Accessing Public Network.................................................................................................165
5.3.2 Public Network Hosts Accessing Private Network Servers....................................................................................166
5.3.3 Private Network Hosts Accessing Private Network Servers Using the Domain Name..........................................167
5.3.4 NAT Multi-instance.................................................................................................................................................167
5.4 Configuration Tasks...................................................................................................................................................168
5.5 Configuration Notes...................................................................................................................................................170
5.6 Configuring NAT.......................................................................................................................................................170
5.6.1 Configuring Dynamic NAT.....................................................................................................................................170
5.6.1.1 Configuring ACL Rules........................................................................................................................................171
5.6.1.2 Configuring Outbound NAT................................................................................................................................171
5.6.1.3 (Optional) Enabling NAT ALG............................................................................................................................172
5.6.1.4 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................173
5.6.1.5 (Optional) Configuring Twice NAT.....................................................................................................................174
5.6.1.6 (Optional) Configuring NAT Log Output............................................................................................................174
5.6.1.7 (Optional) Configuring the Aging Time of NAT Mapping Entries.....................................................................176
5.6.1.8 Checking the Configuration..................................................................................................................................176
5.6.2 Configuring Static NAT..........................................................................................................................................177
5.6.2.1 Configuring Static Address Mapping...................................................................................................................177
5.6.2.2 (Optional) Enabling NAT ALG............................................................................................................................178
5.6.2.3 (Optional) Configuring DNS Mapping.................................................................................................................179
5.6.2.4 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................179
5.6.2.5 (Optional) Configuring Twice NAT.....................................................................................................................180
5.6.2.6 (Optional) Configuring NAT Log Output............................................................................................................181
5.6.2.7 (Optional) Configuring the Aging Time of NAT Mapping Entries.....................................................................182
5.6.2.8 Checking the Configuration..................................................................................................................................183
5.6.3 Configuring an Internal NAT Server.......................................................................................................................183
5.6.3.1 Configuring Internal NAT Server.........................................................................................................................183
5.6.3.2 (Optional) Enabling NAT ALG............................................................................................................................184
5.6.3.3 (Optional) Configuring DNS Mapping.................................................................................................................185
5.6.3.4 (Optional) Configuring NAT Filtering and NAT Mapping..................................................................................186
5.6.3.5 (Optional) Configuring Twice NAT.....................................................................................................................187
5.6.3.6 (Optional) Configuring NAT Log Output............................................................................................................187
5.6.3.7 (Optional) Configuring the Aging Time of NAT Mapping Entries.....................................................................189
5.6.3.8 Checking the Configuration..................................................................................................................................189
5.7 Maintaining NAT.......................................................................................................................................................189
5.7.1 Clearing NAT Mapping Entries..............................................................................................................................190
5.7.2 Monitoring NAT Mapping Entries..........................................................................................................................190
5.8 Configuration Examples.............................................................................................................................................190
5.8.1 Example for Configuring Dynamic NAT................................................................................................................190
5.8.2 Example for Configuring Static One-to-One NAT.................................................................................................193
5.8.3 Example for Configuring an Internal NAT Server..................................................................................................195
5.8.4 Example for Configuring Twice NAT.....................................................................................................................197
5.8.5 Example for Configuring NAT................................................................................................................................200
5.8.6 Example for Configuring PPPoE Dialup Access in Easy IP Mode.........................................................................202
5.9 Common Configuration Errors...................................................................................................................................205
5.9.1 Internal Users Fail to Access Public Networks.......................................................................................................205
5.9.2 External Hosts Fail to Access Internal Servers.......................................................................................................206
5.9.3 Internal Hosts with an Overlapped IP Address Fail to Access External Servers....................................................208
5.10 FAQ..........................................................................................................................................................................210
5.10.1 Does NAT Support VPN Multi-Instance?.............................................................................................................210
5.10.2 How Do I View the NAT Session Table?.............................................................................................................210
5.10.3 How Do I Forcibly Age NAT Session Tables?.....................................................................................................210
5.10.4 Can the Global Address of the NAT Server Be an Address in the NAT Address Pool?......................................210
5.10.5 How Can I Enable NAT Log and Set a Log Interval?...........................................................................................211
5.10.6 How Can I Set the Aging Time of the Traffic Forwarding Table?.......................................................................211
5.10.7 Users on an Internal Network Cannot Access Internal Servers Using Domain Names. Why?.............................211
5.10.8 Private Network User and Server Are in the Same VLAN. After NAT Server Is Configured on the VLANIF Interface, Why Cannot the User Access the Server Using Public Address?....................................................................................211
5.10.9 What Is the Difference Between NAT Server and NAT Static?...........................................................................212
5.10.10 An External Phone Fails to Register With the SIP Server After a NAT Server Is Configured on the Outbound Interfaces of the Device Functioning as a SIP Server......................................................................................................212
5.10.11 What Are Differences of Easy IP and Address Pool?.........................................................................................213
5.10.12 Which Interfaces Support NAT?.........................................................................................................................214
5.10.13 Public Address Cannot Be Pinged When NAT Is Configured on the Device as the Egress Gateway. How Do I Solve the Problem?...........................................................................................................................................................214
5.11 References................................................................................................................................................................214

6 UDP Helper Configuration......................................................................................................216
6.1 UDP Helper Overview................................................................................................................................................217
6.2 Configuring UDP Helper............................................................................................................................................218
6.3 Maintaining UDP Helper............................................................................................................................................219
6.3.1 Displaying UDP Helper Statistics...........................................................................................................................219
6.3.2 Clearing UDP Helper Statistics...............................................................................................................................219
6.4 Configuration Examples.............................................................................................................................................220
6.4.1 Example for Configuring UDP Helper....................................................................................................................220

7 IP Performance Configuration................................................................................................223
7.1 IP Performance Overview..........................................................................................................................................224
7.2 Default Configuration.................................................................................................................................................224
7.3 Optimizing IP Performance........................................................................................................................................224
7.3.1 Configuring Source IP Addresses Verification.......................................................................................................225
7.3.2 Configuring an Outbound Interface to Fragment IP Packets...................................................................................225
7.3.3 Configuring Unequal Cost Multiple Path................................................................................................................226
7.3.4 Configuring the Device to Process IP Packets with Options...................................................................................227
7.3.5 Configuring an Interface to Forward Broadcast Packet..........................................................................................228
7.3.6 Configuring the Enhanced Forwarding Function for Control Packets Generated by the Device...........................228
7.3.7 Disabling the Routing and Forwarding Function on High-end LAN Cards............................................................229
7.3.8 Configuring ICMP properties..................................................................................................................................230
7.3.9 Configuring TCP Properties....................................................................................................................................232
7.3.10 Checking the Configuration...................................................................................................................................233
7.4 Maintaining IP Performance.......................................................................................................................................234
7.4.1 Clearing IP Performance Statistics..........................................................................................................................234
7.5 FAQ............................................................................................................................................................................234
7.5.1 Why Do I Need to Consider the Interface MTU When Setting the MSS of TCP Packets?....................................234
7.5.2 How Can I Determine Whether a Socket is Successfully Created?........................................................................235

8 Basic IPv6 Configurations........................................................................................................236
8.1 IPv6 Overview............................................................................................................................................................237
8.2 Principles....................................................................................................................................................................239
8.2.1 IPv6 Addresses........................................................................................................................................................239
8.2.2 IPv6 Packet Format.................................................................................................................................................245
8.2.3 ICMPv6...................................................................................................................................................................249
8.2.4 Neighbor Discovery.................................................................................................................................................251
8.2.5 Path MTU................................................................................................................................................................257
8.3 Default Configuration.................................................................................................................................................258
8.4 Configuring Basic IPv6..............................................................................................................................................258
8.4.1 Configuring IPv6 Addresses for Interfaces.............................................................................................................258
8.4.1.1 Configuring Global Unicast Addresses for Interfaces..........................................................................................258
8.4.1.2 Configuring Link-local Addresses for Interfaces.................................................................................................260
8.4.1.3 Configuring Anycast Addresses for Interfaces.....................................................................................................261
8.4.2 Configuring ICMPv6 Packet Control......................................................................................................................262
8.4.3 Configuring IPv6 Neighbor Discovery....................................................................................................................264
8.4.3.1 Configuring Static Neighbors...............................................................................................................................264
8.4.3.2 Configuring Neighbor Discovery.........................................................................................................................265
8.4.3.3 Checking the Configuration..................................................................................................................................267
8.4.4 Configuring PMTU..................................................................................................................................................267
8.4.4.1 Configuring Static PMTU....................................................................................................................................267
8.4.4.2 Setting the Aging Time of Dynamic PMTU........................................................................................................268
8.4.4.3 Enabling a Device to Add a Fragmentation Header Based on the Fragment Flag...............................................269
8.4.4.4 Checking the Configuration..................................................................................................................................270
8.4.5 Configuring TCP6...................................................................................................................................................270
8.4.5.1 Setting TCP6 Timers............................................................................................................................................270
8.4.5.2 Setting the TCP6 Sliding Window Size...............................................................................................................271
8.4.5.3 Checking the Configuration..................................................................................................................................271
8.5 Maintaining IPv6........................................................................................................................................................271
8.5.1 Clearing IPv6 Statistics...........................................................................................................................................272
8.5.2 Monitoring IPv6 Running Status.............................................................................................................................272
8.6 Configuration Examples.............................................................................................................................................273
8.6.1 Example for Configuring Basic IPv6 Functions......................................................................................................273
8.7 FAQ............................................................................................................................................................................275
8.7.1 What Is the Application Scope of an IPv6 Link-Local Address?............................................................................275
8.8 References..................................................................................................................................................................275

9 DHCPv6 Configuration............................................................................................................278
9.1 DHCPv6 Overview.....................................................................................................................................................279
9.2 Principles....................................................................................................................................................................279
9.2.1 DHCPv6 Overview..................................................................................................................................................279
9.2.2 DHCPv6 Packets.....................................................................................................................................................282
9.2.3 DHCPv6 Working Principles..................................................................................................................................284
9.2.4 Working Principle of DHCPv6 PD.........................................................................................................................287
9.2.5 Working Principle of the DHCPv6 Relay Agent.....................................................................................................288
9.2.6 IPv6 Address/Prefix Allocation and Lease Updating..............................................................................................289
9.3 Application.................................................................................................................................................................292
9.3.1 Typical Networking of the DHCPv6 Server............................................................................................................292
9.3.2 Typical Networking of the DHCPv6 PD Server.....................................................................................................293
9.3.3 Typical Networking of the DHCPv6 Relay Agent..................................................................................................293
9.3.4 Typical Networking of the DHCPv6 Client............................................................................................................294
9.3.5 Typical Networking of the DHCPv6 PD Client......................................................................................................294
9.4 Default Configuration.................................................................................................................................................295
9.5 Configuring DHCPv6.................................................................................................................................................295
9.5.1 Configuring a DHCPv6 Server................................................................................................................................295
9.5.1.1 Configuring the DHCPv6 DUID..........................................................................................................................295
9.5.1.2 Configuring an IPv6 Address Pool.......................................................................................................................296
9.5.1.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool...................................................297
9.5.1.4 (Optional) Configuring the Options of an IPv6 Address Pool.............................................................................298
9.5.1.5 (Optional) Configuring the DHCPv6 Data Saving Function................................................................................299
9.5.1.6 Enabling the DHCPv6 Server Function on an Interface.......................................................................................300
9.5.1.7 Checking the Configuration..................................................................................................................................301
9.5.2 Configuring a DHCPv6 PD Server..........................................................................................................................301
9.5.2.1 Configuring the DHCPv6 DUID..........................................................................................................................301
9.5.2.2 Configuring an IPv6 PD Address Pool.................................................................................................................302
9.5.2.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool...................................................303
9.5.2.4 (Optional) Configuring the Options of an IPv6 Address Pool.............................................................................304
9.5.2.5 (Optional) Configuring the DHCPv6 Data Saving Function................................................................................305
9.5.2.6 Enabling the DHCPv6 PD Server Function on an Interface................................................................................305
9.5.2.7 Checking the Configuration..................................................................................................................................306
9.5.3 Configuring a DHCPv6 Relay Agent
9.5.3.1 Configuring the DHCPv6 DUID
9.5.3.2 Enabling the DHCPv6 Relay Function
9.5.3.3 (Optional) Configuring the Remote ID
9.5.3.4 (Optional) Configuring Rate Limit of DHCPv6 Messages
9.5.3.5 Checking the Configuration
9.5.4 Configuring the DHCPv6 Client Function
9.5.5 Configuring the DHCPv6 PD Client Function
9.6 Maintaining DHCPv6
9.6.1 Checking the Running Status of the DHCPv6 Client
9.6.2 Clearing Message Statistics on the DHCPv6 Client
9.6.3 Clearing DHCPv6 Message Statistics on the DHCPv6 Relay Agent
9.6.4 Checking Message Statistics on the DHCPv6 Server
9.6.5 Clearing DHCPv6 Message Statistics of the DHCPv6 Server
9.6.6 Monitoring the Running Status of the DHCPv6 Relay Agent
9.6.7 Resetting the Status of the IPv6 Address Pool
9.7 Configuration Examples
9.7.1 Example for Configuring a DHCPv6 Server
9.7.2 Example for Configuring a DHCPv6 PD Server
9.7.3 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in One Network Segment Connected to the Relay
9.7.4 Example for Configuring a DHCPv6 PD Client
9.7.5 Example for Configuring a DHCPv6 Client
9.8 References

10 IPv6 DNS configuration

10.1 IPv6 DNS Overview
10.2 Configuring IPv6 DNS
10.2.1 Configuring the IPv6 DNS Client
10.2.1.1 Configuring Static IPv6 DNS Entries
10.2.1.2 Configuring the Dynamic IPv6 DNS Service
10.2.1.3 Checking the Configuration
10.2.2 Configuring IPv6 DNS Proxy or Relay
10.2.2.1 Configuring the DNS Server Address
10.2.2.2 (Optional) Configuring Static DNSv6 Entries
10.2.2.3 (Optional) Configuring IPv6 DNS Spoofing
10.2.2.4 Checking the Configuration
10.3 Maintaining IPv6 DNS
10.3.1 Clearing IPv6 DNS dynamic Entries
10.3.2 Clearing IPv6 DNS Forwarding Entries
10.3.3 Clearing Statistics on Sent and Received IPv6 DNS Packets
10.3.4 Monitoring the Running Status of IPv6 DNS
10.4 Configuration Examples
10.4.1 Example for Configuring IPv6 DNS
10.4.2 Example for Configuring IPv6 DNS Proxy

11 IPv6 over IPv4 Tunnel Configuration

11.1 IPv6 over IPv4 Tunnel Overview
11.2 Principles
11.2.1 Dual Protocol Stack
11.2.2 IPv6 over IPv4 Tunnel
11.3 Configuring IPv6 over IPv4 Tunnel
11.3.1 Configuring the IPv4/IPv6 Dual Stack
11.3.1.1 Enabling IPv6 Packet Forwarding
11.3.1.2 Configuring an IPv4 Address and an IPv6 Address for Interfaces Respectively
11.3.1.3 Checking the Configuration
11.3.2 Configuring an IPv6 over IPv4 Tunnel
11.3.2.1 Configuring a Manual IPv6 over IPv4 Tunnel
11.3.2.2 Configuring an Automatic IPv6 over IPv4 Tunnel
11.3.2.3 Configuring a 6to4 Tunnel
11.3.2.4 Configuring an ISATAP Tunnel
11.3.2.5 Checking the Configuration
11.4 Maintaining the IPv6 over IPv4 Tunnel
11.4.1 Monitoring the Running Status of the IPv6 over IPv4 Tunnel
11.5 Configuration Examples
11.5.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
11.5.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel
11.5.3 Example for Configuring an Automatic IPv6 over IPv4 Tunnel
11.5.4 Example for Configuring 6to4 Relay
11.5.5 Example for Configuring an ISATAP Tunnel

12 IPv4 over IPv6 Tunnel Configuration

12.1 IPv4 over IPv6 Overview
12.2 Configuring an IPv4 over IPv6 Tunnel
12.2.1 Configuring a Tunnel Interface
12.2.2 Configuring a Tunnel Route
12.2.3 Performing Other IPv4 over IPv6 Tunnel Configurations
12.2.4 Checking the Configuration
12.3 Maintaining the IPv4 over IPv6 Tunnel
12.3.1 Monitoring the Running Status of the IPv4 over IPv6 Tunnel
12.4 Configuration Examples
12.4.1 Example for Configuring an IPv4 over IPv6 Tunnel

1 IP Address Configuration

About This Chapter


Network devices can communicate at the network layer only after they are configured with IP
addresses.
1.1 IPv4 Overview
1.2 Principles
1.3 Configuring IP Address
1.4 Configuration Examples
This section provides examples to explain how to configure the primary IP address, secondary
IP addresses, and IP unnumbered on an interface.
1.5 Common Configuration Errors
This section describes common errors that may occur in IP address configuration. Learning this
section helps you avoid faults caused by incorrect IP address configuration.
1.6 References

1.1 IPv4 Overview


Definition
Internet Protocol Version 4 (IPv4) is the core protocol in the TCP/IP protocol suite. IPv4 works
at the network layer in the TCP/IP model. This layer corresponds to the network layer in the
Open System Interconnection Reference Model (OSI RM). The network layer provides
connectionless data transmission. Each IP datagram is transmitted independently.

Purpose
IPv4 is used on the network layer between the data link layer and the transport layer. IPv4 shields
the differences at the link layer and provides a uniform format for the data packets transmitted
at the transport layer.

1.2 Principles
1.2.1 IPv4 Protocol Suite
Internet Protocol Version 4 (IPv4) is the core protocol in the TCP/IP protocol suite. The IPv4
protocol suite includes Address Resolution Protocol (ARP), Reverse Address Resolution Protocol
(RARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and
User Datagram Protocol (UDP).
Figure 1-1 IPv4 protocol suite
[Figure: transport layer, network layer, and data link layer; protocols shown: TCP, UDP, ICMP, IP,
RARP, ARP, and various network interfaces]

As shown in Figure 1-1, ARP and RARP work between the data link layer and the network
layer for address resolution. ICMP works between the network layer and the transport layer to
ensure correct forwarding of IP datagrams.

ARP
ARP maps an IP address to a MAC address. ARP can be implemented in dynamic or static mode.
ARP provides some extended functions, such as proxy ARP, gratuitous ARP, ARP security, and
ARP-Ping.
RARP
RARP maps a MAC address to an IP address.

ICMP
ICMP works at the network layer to ensure correct forwarding of IP datagrams. ICMP allows
hosts and devices to report errors during packet transmission. An ICMP message is encapsulated
in an IP datagram as the data, and a header is added to the ICMP message to form an IP datagram.

1.2.2 IPv4 Address


To connect a PC to the Internet, you need to apply for an IP address from the Internet Service
Provider (ISP).
An IP address is a numerical label assigned to each device on a computer network. An IPv4
address is a 32-bit binary number. IPv4 addresses are expressed in dotted decimal notation,
which helps you memorize and identify them. In dotted decimal notation, an IPv4 address is
written as four decimal numbers, one for each byte of the address. For example, the binary IPv4
address 00001010 00000001 00000001 00000010 is written as 10.1.1.2 in dotted decimal
notation.
An IPv4 address consists of two parts:
- Network ID (Net-id). The network ID identifies a network. The leftmost several bits of the
  network ID identify the class of IP addresses.
- Host ID (Host-id). The host ID identifies different hosts on a network. Network devices
  with the same network ID are located on the same network, regardless of their physical
  locations.

Characteristics of IPv4 Addresses


IPv4 addresses have the following characteristics:
- IP addresses do not show any geographical information. The network ID represents the
  network to which a host belongs.
- When a host connects to two networks simultaneously, it must have two IP addresses with
  different network IDs. In this case, the host is called a multihomed host.
- Networks allocated with the network ID are in the same class.

IPv4 Address Classification


As shown in Figure 1-2, IP addresses are classified into five classes to facilitate IP address
management and networking.

Figure 1-2 Five classes of IP addresses
Class A: leading bit 0; Net-id, Host-id
Class B: leading bits 10; Net-id, Host-id
Class C: leading bits 110; Net-id, Host-id
Class D: leading bits 1110; Multicast-address
Class E: leading bits 1111; Reserved

At present, most IP addresses in use belong to Class A, Class B, or Class C. Class D addresses
are multicast addresses and Class E addresses are reserved. The easiest way to determine the
class of an IP address is to check the first bits in its network ID. The class fields of Class A,
Class B, Class C, Class D, and Class E are binary digits 0, 10, 110, 1110, and 1111 respectively.
For details about IP address classification, see RFC 1166 (Internet Numbers).
Certain IP addresses are reserved, and they cannot be allocated to users. Table 1-1 lists the ranges
of IP addresses for the five classes.
Table 1-1 IP address classes and ranges

Class | Range | Description
A | 0.0.0.0 to 127.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network.
B | 128.0.0.0 to 191.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network.
C | 192.0.0.0 to 223.255.255.255 | IP addresses with all-0 host IDs are network addresses and are used for network routing. IP addresses with all-1 host IDs are broadcast addresses and are used for broadcasting packets to all hosts on the network.
D | 224.0.0.0 to 239.255.255.255 | Class D addresses are multicast addresses.
E | 240.0.0.0 to 255.255.255.255 | Reserved. The IP address 255.255.255.255 is used as a Local Area Network (LAN) broadcast address.

Special IPv4 Addresses


Table 1-2 Special IP addresses

Network ID | Host ID | Used as a Source Address | Used as a Destination Address | Description
All 0s | All 0s | Yes | No | Used by local hosts on a local network.
All 0s | Host ID | Yes | No | Used by specified hosts on a network.
127 | Any value except all 0s or all 1s | Yes | Yes | Used as loopback addresses.
All 1s | All 1s | No | Yes | Limited broadcast address (packets with this IP address will never be forwarded).
Net-id | All 1s | No | Yes | Directed broadcast address (packets with this IP address are broadcast on the specified network).

NOTE

Net-id is neither all 0s nor all 1s.

Private IPv4 Addresses


Private IP addresses are used to solve the problem of IP address shortage. Private addresses are
used on internal networks or hosts, and cannot be used on the public network. RFC 1918
describes three IP address segments reserved for private networks.
Table 1-3 Private IP addresses

Class | Range
A | 10.0.0.0 to 10.255.255.255
B | 172.16.0.0 to 172.31.255.255
C | 192.168.0.0 to 192.168.255.255

1.2.3 IPv4 Packet Format


Figure 1-3 shows the IPv4 packet format.
Figure 1-3 IPv4 packet format
[Figure: header layout over bits 0 to 31 with the fields Version, Header Length, ToS, Total length,
Identifier, Flags, Fragment offset, TTL, Protocol, Header checksum, Source IP address,
Destination IP address, Options (variable length), and Data]

An IPv4 datagram consists of a header and a data field. The first 20 bytes in the header are
mandatory for all IPv4 datagrams. The Options field following the 20 bytes has a variable length.
Table 1-4 describes the meaning of each field in an IPv4 packet.
Table 1-4 Description of each field in an IPv4 packet

Field | Length | Description
Version | 4 bits | Specifies the IP protocol version, IPv4 or IPv6.
Header Length | 4 bits | Specifies the length of the IPv4 header.
Type of Service (ToS) | 8 bits | Specifies the type of service. This field takes effect only in the differentiated service model.
Total Length | 16 bits | Specifies the length of the header and data.
Identification | 16 bits | IPv4 software maintains a counter in the storage device to record the number of IP datagrams. The counter value increases by 1 every time a datagram is sent, and is filled in the identification field.
Flags | 3 bits | Only the rightmost two bits are valid. The rightmost bit indicates whether the datagram is not the last data fragment. The value 1 indicates the last fragment, and the value 0 indicates non-last fragment. The middle bit is the fragmentation flag. The value 1 indicates that the datagram cannot be fragmented, and the value 0 indicates that the datagram can be fragmented.
Fragment Offset | 13 bits | Specifies the location of a fragment in a packet.
Time to Live (TTL) | 8 bits | Specifies the life span of a datagram on a network. TTL is measured by the number of hops.
Protocol | 8 bits | Specifies the type of the protocol carried in the datagram.
Header Checksum | 16 bits | A device calculates the header checksum for each datagram received. If the checksum is 0, the device knows that the header remains unchanged and retains the datagram. This field checks only the header but not the data.
Source IP Address | 32 bits | Specifies the IPv4 address of a sender.
Destination IP Address | 32 bits | Specifies the IPv4 address of a receiver.
Options (variable length) | 0-40 bytes | Allows IPv4 to support various options such as fault handling, measurement, and security. Pad bytes with a value of 0 are added if necessary.
Data | Variable | Pads an IP datagram.
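
A parser for the header fields listed in Table 1-4, added here as an example and not taken from the guide. It shows how the header length bounds the Options field and how a receiver's checksum calculation over an intact header yields 0. The 20-byte sample header is constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Constructed sample: a 20-byte IPv4 header without options.
SAMPLE_HEADER = bytes.fromhex(
    "4500007300004000"   # Version/Header Length, ToS, Total Length, Identification, Flags/Offset
    "4011b861"           # TTL, Protocol, Header Checksum
    "c0a80001"           # Source IP address
    "c0a800c7"           # Destination IP address
)


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit words and fold the carries back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def receiver_checksum(header: bytes) -> int:
    """Checksum computed over the whole header, checksum field included.
    The result is 0 when the header arrived unchanged."""
    return ~ones_complement_sum(header) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the mandatory 20 bytes and locate the Options field."""
    if len(packet) < 20:
        raise ValueError("shorter than the mandatory 20-byte header")
    (ver_ihl, tos, total_length, identification, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])

    version = ver_ihl >> 4
    header_length = (ver_ihl & 0x0F) * 4      # field counts 32-bit words
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    if header_length < 20:
        raise ValueError("Header Length below the 20-byte minimum")
    if header_length > len(packet):
        raise ValueError("Header Length points past the captured bytes")
    if total_length < header_length:
        raise ValueError("Total Length smaller than Header Length")

    flags = flags_frag >> 13                  # upper 3 bits
    return {
        "version": version,
        "header_length": header_length,
        "tos": tos,
        "total_length": total_length,
        "identification": identification,
        "flags": flags,
        "dont_fragment": bool(flags & 0b010),  # middle bit of the Flags field
        "fragment_offset": flags_frag & 0x1FFF,  # counted in 8-byte units
        "ttl": ttl,
        "protocol": protocol,
        "header_checksum": checksum,
        "checksum_result": receiver_checksum(packet[:header_length]),
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:header_length],   # 0 to 40 bytes
        "payload_length": total_length - header_length,
    }


if __name__ == "__main__":
    for field, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{field:16} {value}")
```

A non-zero checksum_result means the header was altered or corrupted in transit; the data that follows the header is not covered by this check.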

1.2.4 Subnetting
A network can be divided into multiple subnets to conserve IP address space and support flexible
IP addressing.
When many hosts are distributed on an internal network, the internal host IDs can be divided
into multiple subnet IDs to facilitate management. Then the entire network contains multiple
small networks.
Subnetting is implemented within the internal network. The internal network has only one
network ID for the external network. When packets are transmitted from the external network
to the internal network, the device on the internal network selects a route for the packets based
on the subnet ID and finds the destination host.
Figure 1-4 shows subnetting of a Class B IP address. The subnet mask consists of a string of
continuous 1s and 0s. 1s indicate the network ID and the subnet ID field, and 0s indicate the
host ID.
Figure 1-4 Subnetting of IP addresses
Class B address:   Net-id | Host-id
Mask:              11111111 11111111 00000000 00000000
After subnetting:  Net-id | Subnet-id | Host-id
Subnet mask:       11111111 11111111 11111000 00000000

As shown in Figure 1-4, the first 5 bits of the host ID are used as the subnet ID. The subnet ID
ranges from 00000 to 11111, allowing a maximum of 32 (2^5) subnets. Each subnet ID has a
subnet mask. For example, the subnet mask of the subnet ID 11111 is 255.255.248.0. After
performing an AND operation on the IP address and the subnet mask, you can obtain the network
address.
Subnetting reduces the available IP addresses. For example, a Class B IP address contains 65534
host IDs. After 5 bits in the host ID are used as the subnet ID, there can be a maximum of 32
subnets, each having an 11-bit host ID. Each subnet has a maximum of 2046 host IDs (2^11 - 2,
excluding the host IDs with all 1s and all 0s). Therefore, the IP address has a maximum of 65472
(32 x 2046) host IDs, 62 fewer than the maximum number of host IDs before subnetting.
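
The subnetting arithmetic above, carried through as an added example that is not part of the original guide. The Class B network 172.16.0.0/16 and the host address 172.16.77.9 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress


def subnet_plan(network: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host ID of `network` and report the result."""
    net = ipaddress.ip_network(network)
    host_bits_before = 32 - net.prefixlen
    if not 0 < subnet_bits < host_bits_before - 1:
        raise ValueError("the subnet ID must leave at least 2 host bits")
    host_bits = host_bits_before - subnet_bits

    # Subnet mask: 1s over Net-id and Subnet-id, 0s over Host-id.
    mask = ipaddress.IPv4Address((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    subnets = 2 ** subnet_bits
    hosts_per_subnet = 2 ** host_bits - 2          # all-0s and all-1s excluded
    hosts_before = 2 ** host_bits_before - 2
    pieces = list(net.subnets(prefixlen_diff=subnet_bits))
    return {
        "mask": str(mask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "hosts_total": subnets * hosts_per_subnet,
        "hosts_lost": hosts_before - subnets * hosts_per_subnet,
        "first_subnet": str(pieces[0]),
        "last_subnet": str(pieces[-1]),
    }


def locate(ip: str, network: str, subnet_bits: int) -> dict:
    """AND an address with the subnet mask and split out Subnet-id and Host-id."""
    net = ipaddress.ip_network(network)
    address = ipaddress.IPv4Address(ip)
    if address not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_bits = 32 - net.prefixlen - subnet_bits
    mask_int = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    ip_int = int(address)

    host_id = ip_int & ~mask_int & 0xFFFFFFFF
    subnet_id = (ip_int >> host_bits) & (2 ** subnet_bits - 1)
    return {
        "network_address": str(ipaddress.IPv4Address(ip_int & mask_int)),
        "subnet_id": format(subnet_id, f"0{subnet_bits}b"),
        "host_id": host_id,
        # An all-0s or all-1s host ID cannot be assigned to a host.
        "assignable": host_id not in (0, 2 ** host_bits - 1),
    }


if __name__ == "__main__":
    # Constructed sample: a Class B network with a 5-bit subnet ID.
    print(subnet_plan("172.16.0.0/16", 5))
    print(locate("172.16.77.9", "172.16.0.0/16", 5))
    print(locate("172.16.79.255", "172.16.0.0/16", 5))
```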
To implement efficient network planning, subnetting and IP addressing should abide by the
following rules.

Hierarchy
To divide a network into multiple layers, you need to consider geographic and service factors.
Use a top-down subnetting mode to facilitate network management and simplify routing tables.
In most cases:
- A network consisting of a backbone network and a MAN is divided into hierarchical
  subnets.
- An administrative network is divided into subnets based on administrative levels.

Consecutiveness
Consecutive addresses facilitate route summarization on a hierarchical network, which greatly
reduces the number of routing entries and improves route search efficiency.
- Allocate consecutive IP addresses to each area.
- Allocate consecutive IP addresses to devices that have the same services and functions.

Scalability
When allocating addresses, reserve certain addresses on each layer to ensure consecutive address
allocation in future network expansion.
A backbone network must have enough consecutive addresses for independent autonomous
systems (ASs) and further network expansion.

Efficiency
When planning subnets, fully utilize address resources to ensure that the subnets are sufficient
for hosts.
- Allocate IP addresses by using variable-length subnet masking (VLSM) to fully use address
  resources.
- Consider the routing mechanisms in IP address planning to improve address utilization
  efficiency in the allocated address spaces.

1.2.5 IP Address Resolution


A device that connects to multiple networks has the IP addresses of the connected networks. To
ensure that users can use the IP address normally, ensure that:
- An IP address is a network layer address of a host. To transmit data packets to a destination
  host, the device must obtain the physical address of the host. Therefore, the IP address must
  be resolved to a physical address.
- A host name is easier to remember than an IP address. Therefore, the host name needs to
  be resolved to the IP address.

On Ethernet, the physical address of a host is the MAC address. The DNS server resolves a host
name to an IP address. ARP resolves an IP address to a MAC address. For details, see 4 DNS
Configuration and 2 ARP Configuration.

1.3 Configuring IP Address


1.3.1 Configuring IP Addresses for Interfaces
To enable network devices to communicate at the network layer, configure interface IP addresses
on the network devices.

Pre-configuration Tasks
Before configuring IP addresses for interfaces, complete the following tasks:
- Setting link layer parameters for the interfaces to ensure that the link layer protocol status
  of the interfaces is Up

1.3.1.1 Configuring a Primary IP Address for an Interface


Context
Interfaces on the same router can be assigned IP addresses on overlapping network segments,
but the IP addresses cannot be located on the same network segment. For example, an interface
has been assigned 20.1.1.1/16. If you assign 20.1.1.2/24 to another interface on the same
router, the system displays a warning message but the configuration succeeds. If you assign
20.1.1.2/16 to another interface, the system displays an error message, indicating that the
configuration fails because of an IP address conflict.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface.


Each interface has only one primary IP address. If you configure multiple primary IP addresses
for an interface, the last configured IP address becomes the primary IP address of the interface.
----End

1.3.1.2 (Optional) Configuring a Secondary IP Address for an Interface


Context
Generally, an interface needs only a primary IP address. In some special scenarios, you need to
configure secondary IP addresses for an interface. For example, a router connects to a physical
network through an interface, and hosts on this network belong to two network segments. To
enable the router to communicate with all hosts on the physical network, configure a primary
IP address and a secondary IP address for this interface. You can configure multiple IP addresses
for a Layer 3 interface on a router, one as the primary IP address, and the others as secondary
IP addresses. Each Layer 3 interface can have a maximum of 31 secondary IP addresses.
The primary and secondary IP addresses of an interface can be located on overlapping network
segments but not the same network segment. For example, if an interface has been assigned a
primary IP address 20.1.1.1/24 and you assign secondary IP address 20.1.1.2/16 sub to this
interface, the system displays a warning message but the configuration succeeds.
The primary IP address of one interface and secondary IP address of another interface on the
same router can be located on overlapping network segments but not on the same network
segment. For example, if an interface has been assigned a primary IP address 20.1.1.1/16 and
you assign secondary IP address 20.1.1.2/24 sub to another interface on the router, the system
displays a warning message but the configuration succeeds.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length } sub

A secondary IP address is configured for the interface.


----End
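
An added pre-check for an addressing plan (example code, not Huawei's): it models the rule described in 1.3.1.1 and 1.3.1.2, where an address on the same network segment as an existing one is rejected and an address on an overlapping segment only produces a warning. It assumes that "same network segment" means an identical network address and mask length; interface names other than GE1/0/0 and the function name are hypothetical.

```python
import ipaddress
from collections import defaultdict

MAX_SECONDARY = 31  # secondary addresses per Layer 3 interface, as stated in the guide


def audit_plan(plan):
    """plan: ordered list of (interface, 'address/mask-length', is_secondary).
    Returns one (severity, interface, address, reason) tuple per entry,
    where severity is 'ok', 'warning' or 'error'."""
    accepted = []                       # (interface, IPv4Interface, is_secondary)
    secondary_count = defaultdict(int)
    findings = []

    for ifname, cidr, is_sub in plan:
        new = ipaddress.ip_interface(cidr)

        if is_sub and secondary_count[ifname] >= MAX_SECONDARY:
            findings.append(("error", ifname, cidr,
                             f"more than {MAX_SECONDARY} secondary addresses"))
            continue

        def is_old_primary(entry):
            return entry[0] == ifname and not entry[2]

        # The last configured primary address replaces the previous primary of
        # the same interface, so a new primary is not compared against it.
        peers = [e for e in accepted if is_sub or not is_old_primary(e)]

        severity, reason = "ok", "no overlap"
        for other_if, other, _ in peers:
            if other.network == new.network:
                # Assumption: identical network and mask length = same segment.
                severity = "error"
                reason = f"same segment as {other.with_prefixlen} on {other_if}"
                break
            if other.network.overlaps(new.network):
                severity = "warning"
                reason = f"overlaps {other.with_prefixlen} on {other_if}"
        findings.append((severity, ifname, cidr, reason))

        if severity != "error":
            if not is_sub:
                accepted = [e for e in accepted if not is_old_primary(e)]
            accepted.append((ifname, new, is_sub))
            if is_sub:
                secondary_count[ifname] += 1
    return findings


if __name__ == "__main__":
    # Addresses from the guide's own examples; GE2/0/0 and GE3/0/0 are constructed.
    plan = [
        ("GE1/0/0", "20.1.1.1/16", False),
        ("GE2/0/0", "20.1.1.2/24", False),   # overlapping segment
        ("GE3/0/0", "20.1.1.2/16", False),   # same segment
    ]
    for finding in audit_plan(plan):
        print(*finding, sep=" | ")
```

Running the audit before pushing a configuration surfaces overlapping segments that the router would accept with only a warning.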

1.3.1.3 Checking the Configuration


Procedure
- Run the display ip interface [ interface-type interface-number ] command to check the IP
  address configuration of an interface.
- Run the display ip interface brief [ interface-type [ interface-number ] ] command to check
  brief information about interface IP addresses.

----End

1.3.2 Configuring an IP Unnumbered Interface


An IP unnumbered interface can borrow the IP address from another interface when the local
interface has no IP address.

Pre-configuration Tasks
Before configuring an IP unnumbered interface, complete the following tasks:
- Setting link layer parameters for the interfaces to ensure that the link layer protocol status
  of the interfaces is Up

1.3.2.1 Configuring a Primary IP Address for the IP Numbered Interface


Context
An IP unnumbered interface cannot run dynamic routing protocols because it does not have an
IP address itself. To enable the interface to communicate with a peer network segment, configure
a static route to the network segment.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


IP unnumbered interfaces can borrow IP addresses from Ethernet, Loopback, Eth-Trunk, and
VLANIF interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the interface.


Each interface has only one primary IP address. If you configure multiple primary IP addresses
for an interface, the last configured IP address becomes the primary IP address of the interface.
----End

1.3.2.2 Configuring an IP address Unnumbered Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


• IP unnumbered can be configured on PPP, HDLC, ATM, and Tunnel interfaces.
• P2P sub-interfaces using FR as the link layer protocol can borrow IP addresses from other
  interfaces.
• Ethernet interfaces can borrow IP addresses from Loopback interfaces.
Step 3 Run:
ip address unnumbered interface interface-type interface-number

The interface is configured to borrow the IP address from a specified interface.


----End

1.3.2.3 Checking the Configuration


Procedure
• Run the display ip interface [ interface-type interface-number ] command to check the IP
  address configuration of an interface.
• Run the display ip interface brief [ interface-type [ interface-number ] ] command to check
  brief information about interface IP addresses.

----End

1.4 Configuration Examples


This section provides examples to explain how to configure the primary IP address, secondary
IP addresses, and IP unnumbered on an interface.

1.4.1 Example for Configuring Primary and Secondary IP Addresses for an Interface

Networking Requirements
As shown in Figure 1-5, the Router has only one idle interface GE1/0/0 to connect to a LAN.
The hosts on the LAN are located on two network segments: 172.16.1.0/24 and 172.16.2.0/24.
The interface must be configured with two IP addresses to provide access for hosts on the two
network segments.
Figure 1-5 Network diagram for IP addresses configuration
[Figure: the Router connects to the LAN through GE1/0/0 (172.16.1.1/24, 172.16.2.1/24 sub).
Hosts on the LAN: 172.16.1.2/24, 172.16.1.3/24, 172.16.2.2/24, and 172.16.2.3/24.]

Configuration Roadmap
The configuration roadmap is as follows:
Configure a primary IP address and a secondary IP address for the interface.
NOTE

IP addresses of the same interface must be on different network segments.

Procedure
Step 1 Configure a primary IP address and a secondary IP address for GE1/0/0.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] ip address 172.16.1.1 24
[Huawei-GigabitEthernet1/0/0] ip address 172.16.2.1 24 sub

Step 2 Verify the configuration.


# Ping a host on network segment 172.16.1.0 from the Router. The ping operation succeeds.
<Huawei> ping 172.16.1.2
  PING 172.16.1.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms

# Ping a host on network segment 172.16.2.0 from the Router. The ping operation succeeds.
<Huawei> ping 172.16.2.2
  PING 172.16.2.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

----End

Configuration Files
Configuration file of the Router
#
interface GigabitEthernet1/0/0
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return

1.4.2 Example for Configuring an IP Unnumbered Interface


Networking Requirements
As shown in Figure 1-6, RouterA and RouterC are interconnected through a tunnel. Tunnel
interfaces (Tunnel0/0/15) of RouterA and RouterC are seldom used, so they have no IP address
configured. IP unnumbered needs to be configured on the tunnel interfaces so that the two
routers can communicate through the tunnel.
Figure 1-6 Network diagram for IP unnumbered interface configuration
[Figure: devices and interfaces shown are RouterA (GE1/0/0 20.1.1.1/24, Loopback 0
116.116.116.116/24, Tunnel0/0/15), RouterB (GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24),
RouterC (GE1/0/0 30.1.1.2/24, Loopback 0 117.117.117.117/24, Tunnel0/0/15), PC 1, and PC 2.
A tunnel runs between RouterA and RouterC.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF to ensure that there are reachable routes between RouterA and RouterC.
2. Create tunnel interfaces on RouterA and RouterC and configure the tunnel interfaces to
   borrow IP addresses from loopback interfaces to save IP addresses.

Procedure
Step 1 Configure IP addresses for physical interfaces.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 116.116.116.116 255.255.255.0
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 20.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 30.1.1.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface loopback 0
[RouterC-LoopBack0] ip address 117.117.117.117 255.255.255.0
[RouterC-LoopBack0] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 30.1.1.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit

Step 2 Configure OSPF.


# Configure RouterA.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure RouterB.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure RouterC.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit


# After the preceding configurations, run the display ip routing-table command on RouterA
and RouterC. The command output shows that RouterA and RouterC have learned OSPF routes
to the network segment of the peer.
# The following uses the display on RouterA as an example.
[RouterA] display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 1        Routes : 1

OSPF routing table status : <Active>
         Destinations : 1        Routes : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       30.1.1.0/24  OSPF    10                   20.1.1.2        GigabitEthernet1/0/0

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

Step 3 Configure tunnel interfaces.


# Configure RouterA.
[RouterA] interface tunnel 0/0/15
[RouterA-Tunnel0/0/15] tunnel-protocol gre
[RouterA-Tunnel0/0/15] ip address unnumbered interface loopback 0
[RouterA-Tunnel0/0/15] source 20.1.1.1
[RouterA-Tunnel0/0/15] destination 30.1.1.2
[RouterA-Tunnel0/0/15] quit

# Configure RouterC.
[RouterC] interface tunnel 0/0/15
[RouterC-Tunnel0/0/15] tunnel-protocol gre
[RouterC-Tunnel0/0/15] ip address unnumbered interface loopback 0
[RouterC-Tunnel0/0/15] source 30.1.1.2
[RouterC-Tunnel0/0/15] destination 20.1.1.1
[RouterC-Tunnel0/0/15] quit

Step 4 Configure static routes.


# Configure RouterA.
[RouterA] ip route-static 117.117.117.0 24 tunnel 0/0/15

# Configure RouterC.
[RouterC] ip route-static 116.116.116.0 24 tunnel 0/0/15

Step 5 Verify the configuration.


# Ping 117.117.117.117 from RouterA.
[RouterA] ping 117.117.117.117
  PING 117.117.117.117: 56 data bytes, press CTRL_C to break
    Reply from 117.117.117.117: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 117.117.117.117: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 117.117.117.117: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 117.117.117.117: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 117.117.117.117: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 117.117.117.117 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

----End

Configuration Files
• Configuration file of RouterA

#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 116.116.116.116 255.255.255.0
#
interface Tunnel0/0/15
ip address unnumbered interface LoopBack0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 117.117.117.0 255.255.255.0 Tunnel0/0/15
#
return

• Configuration file of RouterB

#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return


• Configuration file of RouterC

#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface LoopBack0
ip address 117.117.117.117 255.255.255.0
#
interface Tunnel0/0/15
ip address unnumbered interface LoopBack0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 116.116.116.0 255.255.255.0 Tunnel0/0/15
#
return

1.5 Common Configuration Errors


This section describes common errors that may occur in IP address configuration. Learning this
section helps you avoid faults caused by incorrect IP address configuration.

1.5.1 IP Address Configuration Fails on an Interface


Fault Analysis
An error occurs in IP address configuration, so the configuration fails.

Procedure
Step 1 Check the error message and rectify the fault according to Table 1-5.
Table 1-5 Error messages and ways to rectify faults

Error Message: Error: The specified IP address is invalid.
Description: The IP address or subnet mask is incorrect.
Troubleshooting Method: Configure the IP address or subnet mask correctly.
   • The IP address must be a Class A, Class B, or Class C IP address.
   • The subnet mask must match the IP address.

Error Message: Error: The specified address conflicts with another address.
Description: The specified IP address is on the same network segment as the IP address of
another interface on the local device.
Troubleshooting Method: Configure another IP address for the interface.

Error Message: Error: The specified primary address does not exist.
Description: The primary IP address to be deleted does not exist.
Troubleshooting Method: You do not need to delete the IP address.

Error Message: Error: Please configure the primary address in the interface view first.
Description: The secondary IP address cannot be configured because the primary IP address has
not been configured for the interface.
   NOTE
   Each interface has only one primary IP address. If you configure multiple primary IP
   addresses for an interface, the last configured IP address becomes the primary IP address of
   the interface.
Troubleshooting Method: Configure a primary IP address for the interface first.

Error Message: Error: The number of addresses of the specified interface reached the upper
limit (32).
Description: The number of secondary IP addresses on the interface exceeds the maximum;
therefore, no more secondary IP address can be configured.
   NOTE
   Each interface can have a maximum of 32 IP addresses, including one primary IP address and
   31 secondary IP addresses.

Error Message: Error: Please delete the sub address in the interface view first.
Description: The primary IP address cannot be deleted because the interface has secondary IP
addresses.
Troubleshooting Method: Delete all the secondary IP addresses from the interface, and then
delete the primary IP address.

Error Message: Error: The specified address cannot be deleted because it is not the primary
address of this interface.
Description: The command used to delete a primary IP address cannot delete a secondary IP
address.
Troubleshooting Method: Run the undo ip address ip-address { mask | mask-length } sub command
to delete the secondary IP address.

Error Message: Error: The specified sub address does not exist.
Description: The secondary IP address to be deleted does not exist.
Troubleshooting Method: You do not need to delete the IP address.

Error Message: Error: The address already exists.
Description: The interface has been configured with the same IP address.
Troubleshooting Method: Configure a different IP address for the interface.

----End

1.6 References
The following table lists the references of the IPv4 feature.

Document | Description | Remarks
RFC1166 | Internet Numbers |
RFC1918 | Address Allocation for Private Internets |

2 ARP Configuration

ARP Configuration

About This Chapter


The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that Ethernet
frames can be transmitted on a physical network.
2.1 ARP Overview
2.2 Principles
2.3 Configuration Task Summary
ARP can be dynamic ARP or static ARP. ARP also provides some extended functions, such as
proxy ARP and ARP-Ping.
2.4 Default Configuration
This section describes default ARP configurations.
2.5 Configuring ARP
2.6 Maintaining ARP
Maintaining ARP includes clearing ARP entries and monitoring ARP running status.
2.7 Configuration Examples
This section provides configuration examples including networking requirements and
configuration roadmap.
2.8 FAQ
2.9 References


2.1 ARP Overview


Definition
The Address Resolution Protocol (ARP) maps IP addresses into MAC addresses.

Purpose
On a local area network (LAN), a host or a network device must learn the IP address of the
destination host or device before sending data to it. Additionally, the host or network device
must learn the physical address of the destination host or device because IP packets must be
encapsulated into frames for transmission over a physical network. Therefore, the mapping from
an IP address into a physical address is required. ARP is used to map IP addresses into physical
addresses.

2.2 Principles
2.2.1 ARP Principles
Format of ARP Packets
Figure 2-1 shows the format of an ARP Request or Reply packet.
Figure 2-1 Format of an ARP Request or Reply packet
[Figure: 32-bit-wide packet layout with bit positions 0, 15, 23, and 31 marked. Fields in order:
Ethernet Address of destination (48 bits), Ethernet Address of sender (48 bits), Frame Type,
Hardware Type, Protocol Type, Hardware Length, Protocol Length, OP, Ethernet Address of sender
(48 bits), IP Address of sender, Ethernet Address of destination (48 bits), IP Address of
destination.]

Description of the main fields is as follows:
• Hardware Type: indicates the hardware address type. For an Ethernet, the value of this field
  is 1.
• Protocol Type: indicates the type of the protocol address to be mapped. For an IP address,
  the value of this field is 0x0800.
• Hardware Length: indicates the hardware address length. For an ARP Request or Reply
  packet, the value of this field is 6.
• Protocol Length: indicates the protocol address length. For an ARP Request or Reply
  packet, the value of this field is 4.
• OP: indicates the operation type. The value 1 indicates ARP requesting, and the value 2
  indicates ARP replying.
• Ethernet Address of sender: indicates the MAC address of the sender.
• IP Address of sender: indicates the IP address of the sender.
• Ethernet Address of destination: indicates the MAC address of the receiver.
• IP Address of destination: indicates the IP address of the receiver.

Address Resolution Process


ARP completes address resolution through two processes: ARP request process and ARP reply
process.
Figure 2-2 ARP request process
[Figure: an ARP Request sent between HOSTA and HOSTB.]

As shown in Figure 2-2, HOSTA and HOSTB are on the same network segment. HOSTA needs
to send IP packets to HOSTB.
HOSTA searches the local ARP table for the ARP entry corresponding to HOSTB. If the
corresponding ARP entry is found, HOSTA encapsulates the IP packets into Ethernet frames
and forwards them to HOSTB based on its MAC address.
If the corresponding ARP entry is not found, HOSTA caches the IP packets and broadcasts an
ARP Request packet. In the ARP Request packet, the IP address and MAC address of the sender
are the IP address and MAC address of HOSTA. The destination IP address is the IP address of
HOSTB, and the destination MAC address contains all 0s. All hosts on the same network
segment can receive the ARP Request packet, but only HOSTB processes the packet.


Figure 2-3 ARP reply process
[Figure: an ARP Reply sent between HOSTA and HOSTB.]

HOSTB compares its IP address with the destination IP address in the ARP Request packet. If
HOSTB finds that its IP address is the same as the destination IP address, HOSTB adds the IP
address and MAC address of the sender (HOSTA) to the local ARP table. Then HOSTB unicasts
an ARP Reply packet, which contains its MAC address, to HOSTA, as shown in Figure 2-3.
After receiving the ARP Reply packet, HOSTA adds HOSTB's MAC address into the local ARP
table. Meanwhile, HOSTA encapsulates the IP packets and forwards them to HOSTB.
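The packet format and the request/reply exchange described above, as an added example that is not part of the original guide. It builds the broadcast request, lets only the owner of the destination IP answer, and validates the fixed field values (1, 0x0800, 6, 4, OP 1 or 2) on receipt. The MAC and IP addresses, the function names, and the Frame Type value 0x0806 (the standard ARP value, not stated on this page) are assumptions of the example.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806          # standard Frame Type for ARP (assumption: not on the page)
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = bytes(6)             # destination MAC "contains all 0s" in a request
OP_NAMES = {1: "request", 2: "reply"}

# Constructed sample addresses, not taken from the page.
HOSTA_MAC = bytes.fromhex("00e0fc00000a")
HOSTB_MAC = bytes.fromhex("00e0fc00000b")
HOSTA_IP, HOSTB_IP = "172.16.1.2", "172.16.1.3"


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header followed by the ARP body, fields in the order of Figure 2-1."""
    header = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    body += target_mac + ipaddress.IPv4Address(target_ip).packed
    return header + body


def build_request(sender_mac, sender_ip, target_ip):
    """Broadcast request: sender fields are the asker's, destination MAC is all 0s."""
    return build_arp_frame(1, BROADCAST_MAC, sender_mac, sender_ip, ZERO_MAC, target_ip)


def parse_arp_frame(frame):
    """Validate the fixed fields, then return the addresses as text plus warnings."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet header + ARP body (42 bytes)")
    eth_dst, eth_src, frame_type = struct.unpack("!6s6sH", frame[:14])
    if frame_type != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: frame type 0x{frame_type:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected hardware/protocol type or length")
    if op not in OP_NAMES:
        raise ValueError(f"unknown OP {op}")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    warnings = []
    if eth_src != smac:
        # The Ethernet header and the ARP body should name the same sender.
        warnings.append("Ethernet source MAC differs from ARP sender MAC")
    return {
        "op": OP_NAMES[op],
        "eth_dst": mac_text(eth_dst),
        "eth_src": mac_text(eth_src),
        "sender_mac": mac_text(smac),
        "sender_ip": str(ipaddress.IPv4Address(sip)),
        "target_mac": mac_text(tmac),
        "target_ip": str(ipaddress.IPv4Address(tip)),
        "warnings": warnings,
    }


def answer_request(frame, my_mac, my_ip, arp_table):
    """Receiver side: only the host that owns the destination IP processes the request."""
    req = parse_arp_frame(frame)
    if req["op"] != "request" or req["target_ip"] != my_ip:
        return None
    arp_table[req["sender_ip"]] = req["sender_mac"]      # learn the asker first
    asker_mac = bytes.fromhex(req["sender_mac"].replace(":", ""))
    return build_arp_frame(2, asker_mac, my_mac, my_ip, asker_mac, req["sender_ip"])


def resolve_demo():
    """HOSTA resolves HOSTB; a third host on the segment ignores the request."""
    hosta_table, hostb_table = {}, {}
    request = build_request(HOSTA_MAC, HOSTA_IP, HOSTB_IP)
    ignored = answer_request(request, bytes.fromhex("00e0fc00000c"), "172.16.1.4", {})
    reply = answer_request(request, HOSTB_MAC, HOSTB_IP, hostb_table)
    parsed = parse_arp_frame(reply)
    hosta_table[parsed["sender_ip"]] = parsed["sender_mac"]
    return ignored, hosta_table, hostb_table


if __name__ == "__main__":
    print(resolve_demo())
```

The warning for a mismatch between the Ethernet source MAC and the ARP sender MAC is a receiver-side sanity check added by the example; the guide itself does not describe it.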

ARP Aging Mechanism


• ARP cache (ARP table)

If HOSTA broadcasts an ARP Request packet every time it communicates with HOSTB,
the communication traffic on the network will increase. Furthermore, all hosts on the
network have to receive and process the ARP Request packet, which decreases network
efficiency.
To solve the preceding problems, each host maintains an ARP cache, which is the key to
efficient operation of ARP. This cache contains the recent mapping from IP addresses to
MAC addresses.
Before sending IP packets, a host searches the cache for the MAC address corresponding
to the destination IP address. If the cache contains the MAC address, the host does not send
an ARP Request packet but directly sends the IP packets to the destination MAC address.
If the cache does not contain the MAC address, the host broadcasts an ARP Request packet
on the network.

• Aging time of dynamic ARP entries

After HOSTA receives the ARP Reply packet from HOSTB, HOSTA adds the mapping
between the IP address and the MAC address of HOSTB to the ARP cache. However, if a
fault occurs on HOSTB or the network adapter of HOSTB is replaced but HOSTA is not
notified, HOSTA still sends IP packets to HOSTB. This fault occurs because the ARP entry
of HOSTB in the ARP cache on HOSTA is not updated.
To reduce address resolution errors, a timer is set for each ARP entry in an ARP cache.
When a dynamic ARP entry expires, the device sends ARP aging probe packets to the
corresponding host. If the host does not respond, the ARP entry is deleted; otherwise, the
ARP entry is saved.
Configuring the timer reduces address resolution errors but does not eliminate the problem
because of the time delay. Specifically, if the length of a dynamic ARP entry timer is N
seconds, the sender can detect the fault on the receiver after N seconds. During the N
seconds, the cache on the sender is not updated.
• Number of probes for aging dynamic ARP entries

Besides setting a timer for dynamic ARP entries, you can set the number of probes for aging
dynamic ARP entries to reduce address resolution errors. Before aging a dynamic ARP
entry, a host sends ARP aging probe packets. If the host receives no ARP Reply packet
after the number of probes reaches the maximum number, the ARP entry is deleted.

• Aging probe modes for dynamic ARP entries

Before a dynamic ARP entry on a device is aged out, the device sends ARP aging probe
packets to other devices on the same network segment. An ARP aging probe packet can be
a unicast or broadcast packet. By default, a device broadcasts ARP aging probe packets.
If the IP address of the peer device remains the same but the MAC address changes
frequently, it is recommended that you configure ARP aging probe packets to be broadcast.
If the MAC address of the peer device remains the same, the network bandwidth is
insufficient, and the aging time of ARP entries is short, it is recommended that you
configure ARP aging probe packets to be unicast.
When a non-Huawei device connected to a Huawei device receives an ARP aging probe
packet whose destination MAC address is a broadcast address, the non-Huawei device
checks the ARP table. If the mapping between the IP address and the MAC address of the
Huawei device exists in the ARP table, the non-Huawei device drops the ARP aging probe
packet. The Huawei device cannot receive a response and therefore deletes the
corresponding ARP entry. As a result, traffic from the network cannot be forwarded. In
this scenario, the Huawei device needs to send ARP aging probe packets in unicast mode
and the non-Huawei device needs to respond to the ARP aging probe packets.

• Layer 2 topology detection

The Layer 2 topology detection function enables a device to retransmit ARP probe packets
to update ARP entries when a Layer 2 interface becomes Up and the aging time of the ARP
entries in the corresponding VLAN becomes 0.
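A small model of the aging behaviour described in this list, added here as an illustration and not taken from the guide or from the device software. It shows the N-second window in which a stale MAC address is still used, the bounded number of aging probes, and that static entries are neither aged nor overwritten by learning. The class and function names, the 1200-second aging time, the probe count of 3, and all addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    mac: str
    learned_at: float
    static: bool = False


class ArpCache:
    def __init__(self, aging_time, probe_count, send_probe):
        self.aging_time = aging_time      # seconds a dynamic entry lives before probing
        self.probe_count = probe_count    # maximum aging probes per expired entry
        self.send_probe = send_probe      # callable(ip) -> MAC from the reply, or None
        self.entries = {}
        self.probes_sent = 0

    def add_static(self, ip, mac):
        """Static entries are configured manually and replace any dynamic entry."""
        self.entries[ip] = Entry(mac, 0.0, static=True)

    def learn(self, ip, mac, now):
        """Record a dynamic mapping; a static entry for the same IP is left alone."""
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False
        self.entries[ip] = Entry(mac, now)
        return True

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry.mac if entry else None

    def age(self, now):
        """Probe every expired dynamic entry; delete it if no probe is answered."""
        outcomes = {}
        for ip, entry in list(self.entries.items()):
            if entry.static or now - entry.learned_at < self.aging_time:
                continue
            reply_mac = None
            for _ in range(self.probe_count):
                self.probes_sent += 1
                reply_mac = self.send_probe(ip)
                if reply_mac is not None:
                    break
            if reply_mac is None:
                del self.entries[ip]
                outcomes[ip] = "deleted"
            else:
                outcomes[ip] = "refreshed" if reply_mac == entry.mac else "updated"
                self.entries[ip] = Entry(reply_mac, now)
        return outcomes


def stale_window_demo():
    """HOSTB's adapter is replaced, then HOSTB leaves the network (constructed timeline)."""
    lan = {"172.16.1.3": "00:e0:fc:00:00:0b"}          # who answers probes, and with what MAC
    cache = ArpCache(aging_time=1200, probe_count=3, send_probe=lan.get)
    cache.learn("172.16.1.3", lan["172.16.1.3"], now=0)
    cache.add_static("172.16.1.254", "00:e0:fc:00:00:fe")

    lan["172.16.1.3"] = "00:e0:fc:00:00:0c"            # adapter replaced, HOSTA not notified
    early = cache.age(now=600)                         # timer not expired: nothing happens
    during = cache.lookup("172.16.1.3")                # stale MAC still in use
    first = cache.age(now=1200)                        # timer expires, probe answered
    after = cache.lookup("172.16.1.3")

    del lan["172.16.1.3"]                              # HOSTB goes away
    second = cache.age(now=2400)                       # three unanswered probes
    return {
        "early": early, "during": during, "first": first, "after": after,
        "second": second, "gone": cache.lookup("172.16.1.3"),
        "probes_sent": cache.probes_sent,
        "static": cache.lookup("172.16.1.254"),
    }


if __name__ == "__main__":
    for key, value in stale_window_demo().items():
        print(key, value)
```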

Dynamic ARP
Dynamic ARP entries are generated and maintained dynamically by using ARP packets. They
can be aged out, updated, or overwritten by static ARP entries. When the aging time expires or
the interface is Down, the corresponding dynamic ARP entries are deleted.

Static ARP
Static ARP entries record fixed mapping between IP addresses and MAC addresses and are
configured manually by network administrators.

2.2.2 Proxy ARP


If an ARP Request packet is sent to a host on a different network, the device that connects the
two networks can reply to this packet. This function is called proxy ARP.
Proxy ARP has the following characteristics:
• Proxy ARP is implemented on the ARP subnet gateway without any modifications on any
  hosts.
• Proxy ARP can shield topologies of physical networks so that hosts on different physical
  networks can use the same network ID to communicate. Proxy ARP enables hosts that are
  on the same network segment but on different physical networks to communicate.
• Proxy ARP affects only the ARP caches on hosts but does not affect the ARP cache or
  routing table on the gateway.
• After proxy ARP is enabled, the aging time of ARP entries on hosts should be shortened
  so that invalid ARP entries can be deleted as soon as possible. Then IP packet forwarding
  failures decrease on the router.

The following table shows three types of proxy ARP.

Proxy ARP Type | Resolved Issue
Routed proxy ARP | Allows hosts on the same network segment but on different physical networks to communicate.
Intra-VLAN proxy ARP | Allows isolated hosts in a VLAN to communicate.
Inter-VLAN proxy ARP | Allows hosts in different VLANs or hosts in different sub-VLANs of the same VLAN to communicate at Layer 3.

Routed Proxy ARP


Routed proxy ARP enables network devices on the same network segment but on different
physical networks to communicate.
In practice, if a host connected to a router is not configured with a default gateway address (that
is, the host does not know how to reach the intermediate system of the network), the host cannot
transmit packets.
As shown in Figure 2-4, RouterA is connected to two networks through VLAN10 and VLAN20.
The IP addresses of VLANIF10 and VLANIF20 are on different network segments. However,
the masks make HOSTA and VLANIF10 on the same network segment, HOSTB and
VLANIF20 on the same network segment, and HOSTA and HOSTB on the same network
segment.
Figure 2-4 Application of routed proxy ARP
[Figure: HOSTA (172.16.2.10/16) connects to RouterA through VLANIF10 (172.16.2.9/24); HOSTB
(172.16.1.20/16) connects to RouterA through VLANIF20 (172.16.1.9/24).]


The IP addresses of HOSTA and HOSTB are on the same network segment. When HOSTA
needs to communicate with HOSTB, HOSTA broadcasts an ARP Request packet, requesting
the MAC address of HOSTB. However, HOSTA and HOSTB are on different physical networks
(in different broadcast domains). Therefore, HOSTB cannot receive the ARP Request packet
sent from HOSTA and does not respond with an ARP Reply packet.
To solve this problem, enable proxy ARP on RouterA. After receiving an ARP Request packet,
RouterA enabled with proxy ARP searches the routing table for a route to HOSTB. If
a route to HOSTB exists, RouterA responds to the ARP Request packet with
its own MAC address. HOSTA forwards data based on the MAC address of RouterA.
RouterA functions as the proxy of HOSTB.
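The routed proxy ARP decision for the addressing in Figure 2-4, as an added example that is not the device's own logic. It shows why HOSTA's /16 mask makes it send an ARP Request for HOSTB directly, and when RouterA answers with its own MAC address. The MAC address, class and function names are hypothetical, and the rule that RouterA stays silent when the route points back out of the receiving interface is an assumption of the example that the guide does not state.

```python
import ipaddress

ROUTER_MAC = "00:e0:fc:00:00:01"     # constructed value

# Addresses from Figure 2-4.
HOSTA_IF = "172.16.2.10/16"
HOSTB_IP = "172.16.1.20"
ROUTER_IFS = {"VLANIF10": "172.16.2.9/24", "VLANIF20": "172.16.1.9/24"}


def arps_directly(host_if, dst_ip):
    """A host sends an ARP Request for dst_ip itself when its own mask puts dst_ip on-link."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host_if).network


class Router:
    def __init__(self, mac, interfaces, proxy_arp_on=()):
        self.mac = mac
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.proxy_arp_on = set(proxy_arp_on)    # interfaces with routed proxy ARP enabled

    def route_lookup(self, dst_ip):
        """Longest-prefix match over the directly connected networks only."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [(i.network.prefixlen, n) for n, i in self.interfaces.items()
                   if dst in i.network]
        return max(matches)[1] if matches else None

    def handle_arp_request(self, in_if, target_ip):
        """Return the MAC to put in the ARP Reply, or None to stay silent."""
        if ipaddress.ip_address(target_ip) == self.interfaces[in_if].ip:
            return self.mac                      # ordinary request for the router itself
        if in_if not in self.proxy_arp_on:
            return None
        out_if = self.route_lookup(target_ip)
        if out_if is None:
            return None                          # no route to the target: no proxy reply
        if out_if == in_if:
            return None                          # assumption: target is on the asker's own link
        return self.mac                          # answer on behalf of the target


def figure_2_4_demo(proxy_enabled):
    """Return HOSTA's ARP cache after it tries to resolve HOSTB."""
    enabled = ("VLANIF10", "VLANIF20") if proxy_enabled else ()
    router = Router(ROUTER_MAC, ROUTER_IFS, enabled)
    hosta_cache = {}
    if arps_directly(HOSTA_IF, HOSTB_IP):
        # HOSTB is in another broadcast domain, so only RouterA can hear the request.
        reply_mac = router.handle_arp_request("VLANIF10", HOSTB_IP)
        if reply_mac is not None:
            hosta_cache[HOSTB_IP] = reply_mac
    return hosta_cache


if __name__ == "__main__":
    print("proxy ARP off:", figure_2_4_demo(False))
    print("proxy ARP on: ", figure_2_4_demo(True))
```

With proxy ARP enabled, HOSTA's cache maps HOSTB's IP address to RouterA's MAC address, which is the host-side effect noted in the list of proxy ARP characteristics.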

Intra-VLAN Proxy ARP


If two hosts belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an
interface associated with the VLAN to allow the hosts to communicate.
As shown in Figure 2-5, HOSTA and HOSTB are connected to RouterA. The two interfaces
connected to HOSTA and HOSTB belong to VLAN10.
Figure 2-5 Application of intra-VLAN proxy ARP
[Figure: HOSTA (172.16.2.20/24) and HOSTB (172.16.2.30/24) connect to RouterA; both are in
VLAN10.]

HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN is
configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.

Inter-VLAN Proxy ARP


If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces associated
with the VLANs to implement Layer 3 communication between the two hosts.
As shown in Figure 2-6, HOSTA and HOSTB are connected to RouterA. The interface
connected to HOSTA belongs to VLAN10, and the interface connected to HOSTB belongs to
VLAN20.
Figure 2-6 Application of inter-VLAN proxy ARP
[Figure: HOSTA (172.16.2.20/24) in VLAN10 and HOSTB (172.16.2.30/24) in VLAN20 connect to
RouterA.]

The interfaces connected to HOSTA and HOSTB belong to different VLANs. Therefore, HOSTA
and HOSTB cannot communicate at Layer 2.
To solve this problem, enable inter-VLAN proxy ARP on the interfaces of RouterA. After
RouterA's interface connected to HOSTA receives an ARP Request packet whose destination
address is not its own address, RouterA does not discard the packet but searches for the ARP
entry corresponding to HOSTB. If the ARP entry corresponding to HOSTB exists, RouterA
sends its MAC address to HOSTA and forwards packets sent from HOSTA to HOSTB.
RouterA functions as the proxy of HOSTB.

2.2.3 Gratuitous ARP


Gratuitous ARP enables a host to send an ARP Request packet using its own IP address as the
destination address. Gratuitous ARP provides the following functions:
• Checks duplicate IP addresses: Normally, a host does not receive an ARP Reply packet
  after sending an ARP Request packet with the destination address being its own IP address.
  If the host receives an ARP Reply packet, another host has the same IP address.
• Advertises a new MAC address: If the MAC address of a host changes because its network
  adapter is replaced, the host sends a gratuitous ARP packet to notify all hosts of the change
  before the ARP entry is aged out.
• Notifies an active/standby switchover in a VRRP backup group: After an active/standby
  switchover, the master router sends a gratuitous ARP packet in the VRRP backup group to
  notify the switchover.

2.2.4 ARP-Ping
ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. ARP-Ping sends ARP Request packets
or ICMP Echo Request packets to check whether a specified IP address or MAC address is used.

ARP-Ping IP
ARP-Ping IP checks whether an IP address is used by another device on the LAN by sending
ARP packets.
Before configuring an IP address for a device, configure ARP-Ping IP on the device to check
whether this IP address has been used by sending ARP Request packets.
You can also run the ping command to check whether this IP address is used by another device
on the network. However, if the router or host that uses the IP address is enabled with the firewall
function and the firewall is configured not to respond to ping packets, you may be misled into
thinking that this IP address is not used. To solve the problem, use ARP-Ping IP. ARP is a Layer
2 protocol. Therefore, ARP packets can pass through the firewall that is configured not to respond
to ping packets.
ARP-Ping IP sends ARP Request packets. ARP-Ping IP is implemented as follows:
1. After an IP address is specified for a host using the arp-ping ip command, the host sends
   an ARP Request packet and starts a timer to wait for an ARP Reply packet.
2. After receiving the ARP Request packet, the router or host that uses this IP address in the
   LAN returns an ARP Reply packet.
3. The sender performs one of the following operations based on whether it receives the ARP
   Reply packet:
   - If the sender receives an ARP Reply packet, the sender compares the source IP address
     carried in the ARP Reply packet with the IP address specified using the arp-ping ip
     command. If the two IP addresses are the same, the MAC address corresponding to the
     specified IP address is displayed and the timer is disabled.
   - If the sender does not receive an ARP Reply packet before the timer of waiting for an
     ARP Reply packet expires, the sender displays a message indicating that the IP address
     is not used by another router or host.
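
The following Python code is an added example, not Huawei code. It builds and parses the 28-byte Ethernet/IPv4 ARP payload, applies the ARP-Ping IP comparison from step 3, and classifies gratuitous ARP packets as described in 2.2.3. The 192.0.2.x addresses, the MAC addresses, and all function and class names are constructed for illustration.

```python
"""ARP payload handling for gratuitous ARP and ARP-Ping IP (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes


@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_bytes(mac: str) -> bytes:
    # Accepts the notation used in this guide, for example 00e0-517d-f202.
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw


def _mac_to_text(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       _mac_to_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload: bytes) -> Arp:
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        _ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return Arp(op, _mac_to_text(sha), socket.inet_ntoa(spa),
               _mac_to_text(tha), socket.inet_ntoa(tpa))


def is_gratuitous(pkt: Arp) -> bool:
    # Gratuitous ARP: the sender asks about (or announces) its own IP address.
    return pkt.sender_ip == pkt.target_ip


def arp_ping_ip(target_ip: str, received: Iterable[bytes]) -> Optional[str]:
    """Steps 1-3 of ARP-Ping IP. `received` holds the ARP payloads that arrived
    before the reply timer expired. Returns the MAC using target_ip, or None."""
    for payload in received:
        try:
            pkt = parse_arp(payload)
        except ValueError:
            continue  # ignore malformed frames instead of aborting the check
        if pkt.op == ARP_REPLY and pkt.sender_ip == target_ip:
            return pkt.sender_mac
    return None


class ArpMonitor:
    """Tracks IP-to-MAC bindings and reports what each observed packet implies."""

    def __init__(self, my_ip: str, my_mac: str):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = {}

    def observe(self, payload: bytes) -> str:
        pkt = parse_arp(payload)
        if pkt.sender_ip == self.my_ip and pkt.sender_mac != self.my_mac:
            return "duplicate-ip"   # another host claims our address
        known = self.table.get(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac
        if known is not None and known != pkt.sender_mac:
            # New adapter, VRRP switchover, or a forged packet: worth an alert.
            return "mac-changed"
        return "gratuitous" if is_gratuitous(pkt) else "normal"
```

A "mac-changed" result is the case that static ARP entries are meant to rule out for critical hosts, because a static binding is not overwritten by such a packet.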

ARP-Ping MAC
The ARP-Ping MAC process is similar to the ping process. The difference is that ARP-Ping
MAC applies only to directly connected Ethernet LANs or Layer 2 VPN Ethernet networks.
ARP-Ping MAC sends ICMP Echo Request packets. ARP-Ping MAC is implemented as follows:
1. After a MAC address is specified for a host using the arp-ping mac command, the host
   sends an ICMP Echo Request packet and starts a timer to wait for an ICMP Echo Reply
   packet.
2. After receiving the ICMP Echo Request packet, the router or host that uses this
   MAC address in the LAN returns an ICMP Echo Reply packet.
3. The sender performs one of the following operations based on whether it receives the ICMP
   Echo Reply packet:
   - If the sender receives an ICMP Echo Reply packet, the sender compares the source
     MAC address carried in the ICMP Echo Reply packet with the MAC address specified
     using the arp-ping mac command. If the two MAC addresses are the same, the sender
     displays the source IP address of the ICMP Echo Reply packet and displays a message
     indicating that the MAC address is used by another router or host. The timer is
     disabled.
   - If the sender does not receive an ICMP Echo Reply packet before the timer of waiting for an
     ICMP Echo Reply packet expires, the sender displays a message indicating that the
     MAC address is not used by another router or host.

2.3 Configuration Task Summary


ARP can be dynamic ARP or static ARP. ARP also provides extended functions, such as
proxy ARP and ARP-Ping.
Table 2-1 describes the ARP configuration tasks.

Table 2-1 ARP configuration task summary

Scenario: Configuring Static ARP
Description:
  Static ARP entries improve communication security. However, a large number of ARP
  entries increase configuration and maintenance costs.
  Static ARP entries can be configured on important network devices such as servers to
  specify member devices that they can communicate with. In this way, mappings between
  IP addresses and MAC addresses of these member devices cannot be modified by forged
  ARP packets and illegal ARP replies can be prevented. This protects servers against
  network attacks.
Task: 2.5.1 Configuring Static ARP

Scenario: Optimizing Dynamic ARP
Description:
  Dynamic ARP entries are generated and maintained automatically using the ARP protocol.
  - They can be aged, updated, or overridden by static ARP entries.
  - By default, ARP entries are dynamically learned and maintained.
Task: 2.5.2 Optimizing Dynamic ARP

Scenario: Configuring Proxy ARP
Description:
  Proxy ARP is classified into the following three types:
  - Routed Proxy ARP: Routed Proxy ARP enables network devices on the same network
    segment but on different physical networks to communicate.
  - Intra-VLAN Proxy ARP: Intra-VLAN Proxy ARP enables isolated network devices in a
    VLAN to communicate.
  - Inter-VLAN Proxy ARP: Inter-VLAN Proxy ARP enables network devices in different
    VLANs or network devices in different sub-VLANs but on the same network segment to
    communicate.
Task: 2.5.3 Configuring Proxy ARP

Scenario: Configuring ARP-Ping
Description:
  - The ARP-Ping IP function checks whether an IP address is used by another device on
    the network.
  - The ARP-Ping MAC function checks whether a MAC address is used or queries the IP
    address mapping the MAC address.
Task: 2.5.4 Configuring ARP-Ping

2.4 Default Configuration


This section describes default ARP configurations.
Table 2-2 describes the default configuration of ARP.

Table 2-2 Default ARP configuration

Parameter                                               Default Configuration
Aging time of dynamic ARP entries                       1200 seconds
Maximum number of probes for aging dynamic ARP entries  3 times
Aging detection mode of dynamic ARP entries             An interface sends ARP aging probe packets in broadcast mode.
Layer 2 topology detection                              Layer 2 topology detection is disabled.
ARP proxy                                               ARP proxy is disabled.

2.5 Configuring ARP


2.5.1 Configuring Static ARP
Static ARP entries improve communication security.

Context
Static ARP entries are manually configured and maintained. They cannot be aged or overridden
by dynamic ARP entries. Therefore, static ARP entries improve communication security. Static
ARP entries ensure communication between the local device and a specified device by using a
specified MAC address so that attackers cannot modify mappings between IP addresses and
MAC addresses in static ARP entries.
NOTE

Static ARP entries cannot be modified. However, the configuration workload is heavy. Static ARP entries
are not applicable to a network where IP addresses of hosts may change or to a small-sized network.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] [ vid vlan-id ]
or
arp static ip-address mac-address vid vlan-id [ cevid ce-vid ] interface interface-type interface-number

A static ARP entry is configured.

- For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static
  ip-address mac-address command to configure static ARP entries.
- For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static ip-address
  mac-address vid vlan-id interface interface-type interface-number command to
  configure static ARP entries.
- For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id
  cevid ce-vid interface interface-type interface-number command to configure static ARP
  mapping entries with double tags. vid specified in this command must be the same as
  pe-vid in the qinq termination pe-vid ce-vid command, and ce-vid must be within the value
  range of ce-vid in the qinq termination pe-vid ce-vid command.
- For interfaces bound to a VPN instance:
  - For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static
    ip-address mac-address vpn-instance vpn-instance-name command to configure static ARP
    entries.
  - For VLANIF interfaces and Dot1q termination sub-interfaces, run the arp static
    ip-address mac-address vid vlan-id interface interface-type interface-number command to
    configure static ARP entries.
  - For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id
    cevid ce-vid interface interface-type interface-number command to configure static
    ARP mapping entries with double tags. vid specified in this command must be the same
    as pe-vid in the qinq termination pe-vid ce-vid command, and ce-vid must be within the
    value range of ce-vid in the qinq termination pe-vid ce-vid command.
----End

Checking the Configuration


After the static ARP entries are configured, run the following commands to check the
configuration.
- Run the display arp [ all | brief ] command to check all ARP mapping entries.
- Run the display arp network net-number net-mask [ dynamic | static ] command to check
  ARP mapping entries of a specified network segment.
- Run the display arp static command to check static ARP mapping entries.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP mapping entries of a specified interface.
- Run the display arp vpn-instance vpn-instance-name static command to check static ARP
  mapping entries of a specified VPN instance.

2.5.2 Optimizing Dynamic ARP


By default, hosts and routers dynamically learn ARP entries. You can adjust parameters of
dynamic ARP entries based on network requirements.

Pre-configuration Tasks
Before optimizing dynamic ARP, complete the following tasks:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status of the interfaces is Up

2.5.2.1 Adjusting Aging Parameters of Dynamic ARP Entries


Context
Aging parameters of ARP entries include the aging time, the number of probes, detection
intervals, and detection modes. Proper adjustment of aging parameters improves network
reliability.
You can adjust the following parameters of dynamic ARP entries:
- Aging time of dynamic ARP entries: When the aging time of a dynamic ARP entry is
  reached, the device sends an ARP Request packet to the corresponding outbound interface
  and starts ARP aging detection. If the value of the aging time is set too small (for example,
  1 minute), the system consumes most resources on updating dynamic ARP entries and
  cannot process other services.
- Number of probes to dynamic ARP entries: Before aging a dynamic ARP entry, the system
  first performs probes. If no answer is received after the number of probes reaches the upper
  limit, the ARP entry is deleted.
- Aging detection modes of dynamic ARP entries: Before an ARP entry is aged, an interface
  sends an ARP aging probe packet.
  NOTE

  - If the IP address of the peer device remains the same but the MAC address changes frequently,
    it is recommended that you configure ARP aging probe packets to be broadcast.
  - If the MAC address of the peer device remains the same, and the network bandwidth is
    insufficient, it is recommended that you configure ARP aging probe packets to be unicast.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp expire-time expire-time

The aging time of dynamic ARP entries is set.


By default, the aging time of dynamic ARP entries is 1200 seconds, that is, 20 minutes.
Step 4 Run:
arp detect-times detect-times

The number of probes to dynamic ARP entries is set.


By default, the number of ARP probes is 3.
Step 5 Run:
arp detect-mode unicast

An interface is configured to send ARP aging probe packets in unicast mode.


By default, an interface broadcasts ARP aging probe packets.


----End

2.5.2.2 Enabling Layer 2 Topology Detection


Context
Layer 2 topology detection enables the system to update all the ARP entries in the VLAN that
a Layer 2 interface belongs to when the Layer 2 interface status changes from Down to Up.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
l2-topology detect enable

Layer 2 topology detection is enabled.


By default, Layer 2 topology detection is disabled.
----End

2.5.2.3 Checking the Configuration


Procedure
- Run the display arp [ all | brief ] command to check all ARP mapping entries.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP mapping entries of a specified interface.
- Run the display arp network net-number net-mask [ dynamic | static ] command to check
  ARP mapping entries of a specified network segment.
- Run the display arp dynamic command to check dynamic ARP mapping entries.
- Run the display arp vpn-instance vpn-instance-name static command to check static ARP
  mapping entries of a specified VPN instance.

2.5.3 Configuring Proxy ARP


The router can function as a proxy of the destination host to reply to an ARP Request message.

Pre-configuration Tasks
Before configuring proxy ARP, complete the following task:
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status of the interfaces is Up

2.5.3.1 Configuring Routed Proxy ARP


Context
Proxy ARP enables PCs or routers on the same network segment but on different physical
networks to communicate. In actual applications, if the current host connected to the router is
not configured with a default gateway address (that is, the host does not know how to reach the
intermediate system of the network), the host cannot forward data packets. Routed proxy ARP
solves this problem.
Figure 2-7 shows the routed proxy ARP networking. RouterA uses GE1/0/0 and GE2/0/0 to
connect two networks. IP addresses of the two GE interfaces are on different network segments.
However, the masks make Host A and VLANIF10 on the same network segment, Host B and
VLANIF20 on the same network segment, and Host A and Host B on the same network segment.
Figure 2-7 Networking diagram for configuring routed proxy ARP
[Figure: RouterA connects two networks through GE1/0/0 (172.16.2.9/24) and GE2/0/0
(172.16.1.9/24). The hosts on the two networks use the addresses 172.16.2.10/16 and
172.16.1.20/16.]

HOST A sends an ARP Request packet, requesting the MAC address of HOST B. After receiving
the packet, RouterA uses its MAC address to reply to the Request packet. HOST A then forwards
data using the MAC address of RouterA.

NOTICE
IP addresses of the hosts on a subnet have the same network ID. Therefore, the default
gateway address does not need to be configured on the hosts.
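
The following Python code is an added example, not Huawei code, that works through the Figure 2-7 addressing to show why Host A sends an ARP Request for Host B directly and when RouterA answers it. It assumes that Host A is 172.16.2.10/16 on the GE1/0/0 side and Host B is 172.16.1.20/16 on the GE2/0/0 side, uses constructed MAC addresses, and simplifies the router's decision to "proxy ARP is enabled on the receiving interface and the target lies on another connected interface".

```python
"""Routed proxy ARP with the Figure 2-7 addressing (added example)."""
import ipaddress
from typing import Dict, Optional

ROUTER_MAC = "00e0-fc00-00aa"  # constructed MAC address for RouterA

# RouterA interface addresses from Figure 2-7.
ROUTER_IFACES = {
    "GE1/0/0": ipaddress.ip_interface("172.16.2.9/24"),
    "GE2/0/0": ipaddress.ip_interface("172.16.1.9/24"),
}

# Assumed host placement; the MAC addresses are constructed.
HOST_A = {"addr": "172.16.2.10/16", "mac": "00e0-fc00-000a", "port": "GE1/0/0"}
HOST_B = {"addr": "172.16.1.20/16", "mac": "00e0-fc00-000b", "port": "GE2/0/0"}


def host_arps_directly(host_addr: str, dst: str) -> bool:
    """A host sends an ARP Request for dst itself only when its own mask puts
    dst on the same network segment; otherwise it needs a default gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_addr).network


def router_arp_reply(in_iface: str, target_ip: str,
                     proxy_enabled: Dict[str, bool]) -> Optional[str]:
    """MAC address RouterA answers with, or None if it stays silent."""
    target = ipaddress.ip_address(target_ip)
    if target == ROUTER_IFACES[in_iface].ip:
        return ROUTER_MAC  # ordinary ARP for the router's own address
    if not proxy_enabled.get(in_iface, False):
        return None        # default configuration: ARP proxy is disabled
    for name, iface in ROUTER_IFACES.items():
        # Simplified model: answer on behalf of hosts behind another interface.
        if name != in_iface and target in iface.network:
            return ROUTER_MAC
    return None


def resolve(src: dict, dst: dict, proxy_enabled: Dict[str, bool]) -> Optional[str]:
    """MAC address that src ends up caching for dst, or None if nobody answers."""
    dst_ip = dst["addr"].split("/")[0]
    if not host_arps_directly(src["addr"], dst_ip):
        return None        # src would need a default gateway, which it lacks here
    if src["port"] == dst["port"]:
        return dst["mac"]  # same physical network: dst hears the broadcast itself
    return router_arp_reply(src["port"], dst_ip, proxy_enabled)


if __name__ == "__main__":
    print("proxy off:", resolve(HOST_A, HOST_B, {}))
    print("proxy on :", resolve(HOST_A, HOST_B, {"GE1/0/0": True}))
```

With proxy ARP enabled, Host A's ARP table maps Host B's IP address to RouterA's MAC address, so several IP addresses resolving to one MAC address is expected on such a segment and should be part of the baseline when ARP tables are reviewed.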

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interfaces connect routing devices to the physical networks and are enabled with routed
proxy ARP.
Step 3 Run:
ip address ip-address { mask | mask-length }

IP addresses are configured for interfaces.


The IP address configured for the interface enabled with routed proxy ARP must be on the same
network segment as the IP address of the connected host on a LAN.
Step 4 Run:
arp-proxy enable

Routed proxy ARP is enabled on the interface.


After proxy ARP is enabled, the aging time of ARP entries on hosts should be shortened so that
invalid ARP entries can be deleted as soon as possible. This reduces the number of packets that
the device receives but cannot forward. To set the ARP aging time, run the arp expire-time
expire-time command.
----End

Checking the Configuration


After routed proxy ARP is configured, run the following commands to check the
configuration.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP mapping entries of a specified interface.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check ARP mapping entries of a specified VPN instance.

2.5.3.2 Configuring Intra-VLAN Proxy ARP


Context
If two hosts belong to the same VLAN but are isolated, enable intra-VLAN proxy ARP on an
interface associated with the VLAN to allow the hosts to communicate.
As shown in Figure 2-8, HOSTA and HOSTB connect to RouterA. The two interfaces that
connect HOSTA and HOSTB to RouterA belong to VLAN10.
Figure 2-8 Intra-VLAN proxy ARP application
[Figure: HOSTA (172.16.2.20/24) and HOSTB (172.16.2.30/24) connect to RouterA in VLAN10.]

HOSTA and HOSTB cannot communicate at Layer 2 because interface isolation in a VLAN is
configured on RouterA.
To solve this problem, enable intra-VLAN proxy ARP on the interfaces of RouterA. After an
interface of RouterA receives an ARP Request packet whose destination address is not its own
address, RouterA does not discard the packet but searches for the ARP entry. If the ARP entry
matching HOSTB exists, RouterA sends its MAC address to HOSTA and forwards packets sent
from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable

Intra-VLAN proxy ARP is enabled.


----End

Checking the Configuration


After intra-VLAN proxy ARP is configured, run the following commands to check
the configuration.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP mapping entries of a specified interface.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check ARP mapping entries of a specified VPN instance.

2.5.3.3 Configuring Inter-VLAN Proxy ARP


Context
If two hosts belong to different VLANs, enable inter-VLAN proxy ARP on interfaces associated
with the VLANs to implement Layer 3 communication between the two hosts.
As shown in Figure 2-9, HOSTA and HOSTB connect to RouterA. Interfaces that connect
HOSTA and HOSTB to RouterA belong to VLAN10 and VLAN20 respectively.
Figure 2-9 Inter-VLAN proxy ARP application
[Figure: HOSTA (172.16.2.20/24) in VLAN10 and HOSTB (172.16.2.30/24) in VLAN20 connect
to RouterA.]

Interfaces connecting HOSTA and HOSTB to RouterA belong to different VLANs. Therefore,
HOSTA and HOSTB cannot communicate at Layer 2.
To solve this problem, inter-VLAN proxy ARP needs to be enabled on interfaces of RouterA.
After an interface of RouterA receives an ARP Request packet whose destination address is not
its own address, RouterA does not discard the packet but searches for the ARP entry. If the ARP
entry matching HOSTB exists, RouterA sends its MAC address to HOSTA and forwards packets
sent from HOSTA to HOSTB. RouterA functions as the proxy of HOSTB.
Inter-VLAN proxy ARP implements the following functions:
- Allows users in different VLANs to communicate at Layer 3.
- Allows users in different sub-VLANs to communicate. You need to enable inter-VLAN
  proxy ARP on the VLANIF interface of the super-VLAN.

Procedure
Step 1 Run:
system-view

Enter the system view.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable

Inter-VLAN proxy ARP is enabled.


----End

Checking the Configuration


After inter-VLAN proxy ARP is configured, run the following commands to check
the configuration.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command to check ARP mapping entries of a specified interface.
- Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
  check ARP mapping entries of a specified VPN instance.

2.5.4 Configuring ARP-Ping


ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. ARP-Ping sends ARP Request packets
or ICMP Echo Request packets to check whether a specified IP address or MAC address is used.

Pre-configuration Tasks
Before configuring ARP-Ping, complete the following task:
- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
  the link layer protocol status of the interfaces is Up.

2.5.4.1 Configuring ARP-Ping IP


Context
Before configuring an IP address for a device on a LAN, run the arp-ping ip command to check
whether the IP address is used by other network devices.
The ping command can also check whether an IP address is in use. However, if the destination
host, or a router with the firewall function enabled, is configured not to reply to ping packets,
there is no response to the ping packet and the IP address is wrongly considered unused. ARP is
a Layer 2 protocol, so in most cases ARP packets can pass through a firewall that is configured
not to reply to ping packets, which prevents this situation.

Procedure
- Run:
arp-ping ip ip-address [ interface interface-type interface-number ]

Check whether the IP address is used.


If the following information is displayed, the IP address is not used.
<Huawei> arp-ping ip 110.1.1.2
ARP-Pinging 110.1.1.2:
Request timed out
Request timed out
Request timed out
The IP address is not used by anyone!

If the following information is displayed, the IP address is used.


<Huawei> arp-ping ip 128.1.1.1
ARP-Pinging 128.1.1.1:
128.1.1.1 is used by 00e0-517d-f202

----End

2.5.4.2 Configuring ARP-Ping MAC


Context
When you know a specific MAC address but not the corresponding IP address on a network
segment, you can obtain the corresponding IP address using the arp-ping mac command to send
ICMP packets. In this way, you can obtain the IP address mapping the MAC address.

Procedure
- Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }

Check whether the MAC address is used. If the MAC address is in use, query the IP address
mapping the MAC address.
If the following information is displayed, the MAC address is not used.
<Huawei> arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used

If the following information is displayed, it means that the MAC address is used.
<Huawei> arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS      MAC ADDRESS
128.1.1.1       00-E0-51-7D-F2-02

----End

2.6 Maintaining ARP


Maintaining ARP includes clearing ARP entries and monitoring ARP running status.

2.6.1 Clearing ARP Entries


Context

NOTICE
ARP entries cannot be restored after being cleared. When you delete static ARP entries, the
arp static command is also deleted. Exercise caution when you delete the ARP entries.

Procedure
- Run the reset arp { all | dynamic | interface interface-type interface-number | packet
  statistics | static } command to clear ARP entries in the ARP mapping table.
- Run the reset arp packet statistics command in user view to clear ARP packet statistics.

----End

2.6.2 Monitoring the ARP Running Status


Context
Monitoring the ARP running status includes checking ARP mapping entries, strict ARP entry
learning, ARP packet statistics, ARP packet processing rate, and maximum number of ARP
entries learnt by an interface.

Procedure
- Run the display arp [ all | brief ] command in any view to check all ARP mapping entries.
- Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
  command in any view to check ARP mapping entries of a specified interface.
- Run the display arp network net-number net-mask [ dynamic | static ] command in any
  view to check ARP mapping entries of a specified network segment.
- Run the display arp vpn-instance vpn-instance-name static command in any view to
  check static ARP mapping entries of a specified VPN instance.
- Run the display arp statistics { all | interface interface-type interface-number } command
  in any view to check ARP entry statistics.
- Run the display arp packet statistics command in any view to check ARP packet statistics.

----End

2.7 Configuration Examples


This section provides configuration examples including networking requirements and
configuration roadmap.

2.7.1 Example for Configuring Static ARP


Networking Requirements
As shown in Figure 2-10, a router connects departments of a company and each department
joins different VLANs. Hosts in the headquarters office and the file backup server are allocated
manually configured IP addresses, and hosts in departments dynamically obtain IP addresses by
using DHCP. Hosts in the marketing department can access the Internet and are often attacked
by ARP packets. Attackers attack the router and modify dynamic ARP entries on the router. As
a result, communication between hosts in the headquarters office and external devices is
interrupted and hosts in departments fail to access the file backup server. The company requires
that static ARP entries be configured on the router so that hosts in the headquarters office can
communicate with external devices and hosts in departments can access the file backup server.

Figure 2-10 Networking diagram for configuring static ARP
[Figure: The Router connects to the file backup server (10.164.10.1/24, MAC 0df0-fc01-003a)
through GE3/0/0 (10.164.10.10/24) and to PC A (10.164.1.1/24, MAC 00e0-fc01-0001) through
Ethernet2/0/0 (VLANIF10, 10.164.1.20/24). Network segments: VLAN10 10.164.1.0/24,
VLAN20 10.164.2.0/24, VLAN30 10.164.3.0/24.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static ARP entries for hosts in the headquarters office on the router to prevent
   ARP entries of the hosts in the headquarters office from being modified by ARP attack
   packets.
2. Configure a static ARP entry for the file backup server on the router to prevent the ARP
   entry of the file backup server from being modified by ARP attack packets.

Procedure
Step 1 Configure static ARP entries for the host in the headquarters office on the router.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet2/0/0 to VLAN 10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid tagged vlan 10
[Router-Ethernet2/0/0] quit

# Configure an IP address for VLANIF 10.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.164.1.20 255.255.255.0
[Router-Vlanif10] quit

# Configure static ARP entries for the host in the headquarters office. PC A is used as an example.
The IP address of PC A is 10.164.1.1 and maps the MAC address 00e0-fc01-0001; the VLAN
ID is 10 and the outbound interface is Ethernet2/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0

# Configure static ARP entries for other hosts in the headquarters office. The configuration
method is similar to that of PC A.
Step 2 Configure a static ARP entry for the file backup server on the router.
# Configure an IP address for GE3/0/0.
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.164.10.10 255.255.255.0
[Router-GigabitEthernet3/0/0] quit

# Configure a static ARP entry for the file backup server: The IP address 10.164.10.1/24 maps
the MAC address 0df0-fc01-003a.
[Router] arp static 10.164.10.1 0df0-fc01-003a
[Router] quit

Step 3 Verify the configuration.


# Run the display current-configuration command to view static ARP entries.
<Router> display current-configuration | include arp
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a

----End
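
The following Python code is an added example, not part of the Huawei guide. It parses the arp static lines from the verification output in Step 3, following the command forms in 2.5.1, and compares them with an intended IP-to-MAC inventory so that missing or altered bindings stand out. The inventory, including the 10.164.1.2 entry, and all function and class names are assumptions made for the example.

```python
"""Audit static ARP entries against an intended inventory (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
# Command forms from section 2.5.1, in the keyword order the guide gives.
_ARP_STATIC = re.compile(
    r"^\s*arp static (?P<ip>\S+) (?P<mac>" + _MAC + r")"
    r"(?: vpn-instance (?P<vpn>\S+))?"
    r"(?: vid (?P<vid>\d+))?"
    r"(?: cevid (?P<cevid>\d+))?"
    r"(?: interface (?P<iftype>[A-Za-z-]+) ?(?P<ifnum>\d[\d/.]*))?\s*$"
)


@dataclass(frozen=True)
class StaticArp:
    ip: str
    mac: str
    vpn: Optional[str] = None
    vid: Optional[int] = None
    cevid: Optional[int] = None
    interface: Optional[str] = None


def parse_static_arp(text: str) -> List[StaticArp]:
    """Extract every arp static line; reject lines that fit none of the forms."""
    entries = []
    for line in text.splitlines():
        if not line.strip().startswith("arp static "):
            continue  # prompts, other commands, blank lines
        m = _ARP_STATIC.match(line)
        if m is None:
            raise ValueError(f"unrecognised arp static line: {line.strip()!r}")
        ipaddress.IPv4Address(m["ip"])  # raises ValueError on a malformed address
        if m["cevid"] and not (m["vid"] and m["iftype"]):
            raise ValueError(f"cevid needs vid and interface: {line.strip()!r}")
        entries.append(StaticArp(
            ip=m["ip"],
            mac=m["mac"].lower(),
            vpn=m["vpn"],
            vid=int(m["vid"]) if m["vid"] else None,
            cevid=int(m["cevid"]) if m["cevid"] else None,
            interface=m["iftype"] + m["ifnum"] if m["iftype"] else None,
        ))
    return entries


def audit(entries: List[StaticArp], expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare configured bindings with the inventory (IP address -> MAC address)."""
    configured = {e.ip: e.mac for e in entries}
    wanted = {ip: mac.lower() for ip, mac in expected.items()}
    return {
        "missing": sorted(ip for ip in wanted if ip not in configured),
        "mac_mismatch": sorted(ip for ip in wanted
                               if ip in configured and configured[ip] != wanted[ip]),
        "unexpected": sorted(ip for ip in configured if ip not in wanted),
    }


# Output of "display current-configuration | include arp" as shown in Step 3.
DEVICE_OUTPUT = """\
<Router> display current-configuration | include arp
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
"""

# Constructed inventory: the two bindings from this example plus one more
# headquarters host (hypothetical) that has not been configured yet.
INVENTORY = {
    "10.164.1.1": "00E0-FC01-0001",
    "10.164.10.1": "0df0-fc01-003a",
    "10.164.1.2": "00e0-fc01-0002",
}

if __name__ == "__main__":
    print(audit(parse_static_arp(DEVICE_OUTPUT), INVENTORY))
```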

Configuration Files
Only the configuration file of the router is provided.
#
sysname Router
#
vlan batch 10 20 30
#
interface Ethernet2/0/0
 port hybrid tagged vlan 10
#
interface Vlanif10
 ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 10.164.10.10 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 0df0-fc01-003a
#
return

2.7.2 Example for Configuring Routed Proxy ARP


Networking Requirements
As shown in Figure 2-11, branch A and branch B of a company are located in different cities.
Multiple routing devices are deployed between branches, and routes are reachable. IP addresses
of the routing devices are on the same network segment 172.16.0.0/16. Branch A and branch B
belong to different broadcast domains; therefore, they cannot communicate on a LAN. Hosts of
branches are not configured with default gateways; therefore, they cannot communicate across
network segments. The company requires that branch A and branch B communicate without
changing the host configurations.
NOTE

AR150&200 functions as RouterA or RouterB.

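Figure 2-11 Networking diagram for configuring routed proxy ARP
[Figure: Branch A (VLAN10; Host A 172.16.1.2/16, MAC 0000-5e33-ee20) connects to RouterA
through Ethernet2/0/0. Branch B (VLAN20; Host B 172.16.2.2/16, MAC 0000-5e33-ee10) connects
to RouterB through Ethernet2/0/0. RouterA and RouterB are connected across the Internet, with
RouterC and RouterD between them.]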

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting RouterA and branch A to VLAN10 and add the interface
   connecting RouterB and branch B to VLAN20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to implement
   communication between the two branches.

Procedure
Step 1 Configure RouterA.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit


# Add Ethernet2/0/0 to VLAN10.


[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port link-type access
[RouterA-Ethernet2/0/0] port default vlan 10
[RouterA-Ethernet2/0/0] quit

# Configure an IP address for VLANIF10.


[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 172.16.1.1 255.255.255.0

# Enable routed proxy ARP on VLANIF10.


[RouterA-Vlanif10] arp-proxy enable
[RouterA-Vlanif10] quit

Step 2 Configure RouterB.


The configuration of RouterB is similar to that of RouterA.
Step 3 Verify the configuration.
# Select HostA at 172.16.1.2/16 in branch A and select HostB at 172.16.2.2/16 in branch B. Run
the ping command on HostA to ping the IP address of HostB.
C:\Documents and Settings\Administrator> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

# View the ARP mapping table of HostA. You can see that the MAC address of HostB is the
MAC address of VLANIF10.
C:\Documents and Settings\Administrator> arp -a
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic

----End

Configuration Files
Configuration file of RouterA


#
sysname RouterA
#
vlan batch 10
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0


port link-type access
port default vlan 10
#
return

Configuration file of RouterB


#
sysname RouterB
#
vlan batch 20
#
interface Vlanif20
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 20
#
return

2.7.3 Example for Configuring Intra-VLAN Proxy ARP


Networking Requirements
As shown in Figure 2-12, hosts of the accounting department are located in a VLAN. Hosts of
the accounting department are attacked by viruses when they access the Internet. The attacked
hosts send a large number of broadcast packets, causing broadcast storms in the VLAN. As a
result, the hosts cannot even communicate with each other. The company requires that broadcast
storms be prevented to ensure communication between hosts and information security.
Figure 2-12 Networking diagram for configuring intra-VLAN proxy ARP
[Figure labels: Router (Ethernet2/0/0); PC A and PC B with the addresses 100.1.1.10/24 and 100.1.1.100/24; VLAN10, accounting department.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface isolation on the downstream interface of the switch to forbid Layer 2
   communication and remove broadcast storms.
2. Enable intra-VLAN proxy ARP on the VLANIF interface to prevent broadcast storms and
   implement Layer 3 communication between hosts in the accounting department.

Procedure
Step 1 Add Ethernet2/0/0 to VLAN10.
# Create VLAN10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit

# Add Ethernet2/0/0 to VLAN10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid tagged vlan 10
[Router-Ethernet2/0/0] quit

# Configure an IP address for VLANIF10.


[Router] interface vlanif 10
[Router-Vlanif10] ip address 100.1.1.12 255.255.255.0
[Router-Vlanif10] quit

Step 2 Configure the switch.


Create VLAN10 on the switch and add all interfaces to VLAN10. Configure isolation for
downstream interfaces connected to users. The configuration details are not mentioned here.
Step 3 Configure IP addresses for PCs.
# Configure an IP address for each PC. Ensure that the IP addresses of PCs and the IP address
of VLANIF10 are on the same network segment. The configuration details are not mentioned
here.
# After the configuration is complete, each PC and the router can ping each other. PCs, however,
cannot ping each other.
Step 4 Enable intra-VLAN proxy ARP on VLANIF10.
[Router] interface vlanif 10
[Router-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
[Router-Vlanif10] quit

Step 5 Verify the configuration.


# Ping PC A and PC B. They can ping each other.
[Router] ping 100.1.1.100
PING 100.1.1.100: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.100: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 100.1.1.100: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.1.1.100: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.1.1.100: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.1.1.100: bytes=56 Sequence=5 ttl=255 time=10 ms

--- 100.1.1.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/10/10 ms

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port hybrid tagged vlan 10
#
return

2.7.4 Example for Configuring Inter-VLAN Proxy ARP


Networking Requirements
In Figure 2-13, VLAN2 and VLAN3 belong to super-VLAN4. Hosts in VLAN2 and VLAN3
cannot ping each other. To implement communication between hosts in VLAN2 and VLAN3,
configure inter-VLAN proxy ARP.
Figure 2-13 Networking diagram for configuring inter-VLAN proxy ARP
[Figure labels: Router; super-VLAN VLAN4; sub-VLANs VLAN2 and VLAN3.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a super-VLAN and sub-VLANs.
2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and configure an IP address
   for the VLANIF interface.
4. Enable inter-VLAN proxy ARP.

Procedure
Step 1 Configure a super-VLAN and sub-VLANs.
# Configure sub-VLAN2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit

# Add Ethernet2/0/0 and Ethernet2/0/1 to VLAN2.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 2
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 2
[Router-Ethernet2/0/1] quit

# Create sub-VLAN3.
[Router] vlan 3
[Router-vlan3] quit

# Add Ethernet2/0/2 and Ethernet2/0/3 to sub-VLAN3.


[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] port default vlan 3
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type access
[Router-Ethernet2/0/3] port default vlan 3
[Router-Ethernet2/0/3] quit

# Create super-VLAN 4 and add sub-VLAN2 and sub-VLAN3 to super-VLAN4.


[Router] vlan 4
[Router-vlan4] aggregate-vlan
[Router-vlan4] access-vlan 2
[Router-vlan4] access-vlan 3
[Router-vlan4] quit

Step 2 Create and configure VLANIF4.


# Create VLANIF4.
[Router] interface vlanif 4

# Configure an IP address for VLANIF4.


[Router-Vlanif4] ip address 10.10.10.1 24

Step 3 Enable inter-VLAN proxy ARP on VLANIF4.


[Router-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[Router-Vlanif4] quit


Step 4 Verify the configuration.


# Run the display current-configuration command to check configurations of the super-VLAN,
sub-VLANs, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# Run the display arp command to view all the ARP entries.
<Router> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.10.10.1      0018-2000-0083            I           Vlanif4
10.10.10.2      00e0-fc00-0002  19        D-0         Ethernet2/0/0
                                          2/-
10.10.10.3      00e0-fc00-0003  19        D-0         Ethernet2/0/1
                                          2/-
10.10.10.4      00e0-fc00-0004  19        D-0         Ethernet2/0/2
                                          3/-
10.10.10.5      00e0-fc00-0005  19        D-0         Ethernet2/0/3
                                          3/-
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0     Interface:1

----End

Configuration Files
Only the configuration file of the router is provided.
#
sysname Router
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Ethernet2/0/0
port link-type access
port default vlan 2
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
#
return
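
Each of the three proxy ARP modes configured in sections 2.7.2 to 2.7.4 makes a VLANIF interface answer ARP requests on behalf of other hosts, so a configuration audit should list where they are enabled. The following Python script is an added example, not part of the Huawei guide; it parses configuration files in the format shown above, and its function names and abridged sample configurations are constructed for illustration.

```python
import ipaddress
import re

# Proxy ARP commands from sections 2.7.2 to 2.7.4 and the mode each one enables.
PROXY_ARP_COMMANDS = {
    "arp-proxy enable": "routed",
    "arp-proxy inner-sub-vlan-proxy enable": "intra-VLAN",
    "arp-proxy inter-sub-vlan-proxy enable": "inter-VLAN",
}

# Constructed input: abridged configuration files from sections 2.7.2 to 2.7.4.
ROUTER_A = """\
sysname RouterA
#
interface Vlanif10
 ip address 172.16.1.1 255.255.255.0
 arp-proxy enable
#
return
"""
INTRA_VLAN = """\
sysname Router
#
interface Vlanif10
 ip address 100.1.1.12 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
#
return
"""
INTER_VLAN = """\
sysname Router
#
vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 10.10.10.1 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
return
"""


def stanzas(text):
    """Yield each stanza as a list of stripped lines; '#' lines separate stanzas."""
    block = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def expand_vlans(spec):
    """Expand access-vlan arguments such as '2 to 3' or '2 5' into VLAN IDs."""
    ids = []
    for low, high in re.findall(r"(\d+)(?: to (\d+))?", spec):
        ids.extend(range(int(low), int(high or low) + 1))
    return ids


def audit_proxy_arp(text):
    """Return one finding per interface that has a proxy ARP mode enabled."""
    blocks = list(stanzas(text))
    device, sub_vlans, findings = None, {}, []
    for block in blocks:  # pass 1: device name and super-VLAN membership
        if block[0].startswith("sysname "):
            device = block[0].split()[1]
        elif re.fullmatch(r"vlan \d+", block[0]) and "aggregate-vlan" in block:
            sub_vlans[block[0].split()[1]] = [
                vid for line in block if line.startswith("access-vlan ")
                for vid in expand_vlans(line[len("access-vlan "):])]
    for block in blocks:  # pass 2: interfaces that carry an arp-proxy command
        if not block[0].startswith("interface "):
            continue
        name, network = block[0].split(None, 1)[1], None
        for line in block[1:]:
            if line.startswith("ip address "):
                address, mask = line.split()[2:4]
                network = str(ipaddress.ip_interface(f"{address}/{mask}").network)
        for line in block[1:]:
            if line in PROXY_ARP_COMMANDS:
                findings.append({
                    "device": device, "interface": name, "mode": PROXY_ARP_COMMANDS[line],
                    "network": network, "sub_vlans": sub_vlans.get(name.removeprefix("Vlanif"), [])})
    return findings


if __name__ == "__main__":
    for sample in (ROUTER_A, INTRA_VLAN, INTER_VLAN):
        print(*audit_proxy_arp(sample), sep="\n")
```

For the inter-VLAN case the finding also lists the sub-VLANs of the super-VLAN, because those are the isolated segments whose hosts become reachable to each other through the VLANIF interface.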


2.7.5 Example for Configuring Layer 2 Topology Detection


Networking Requirements
As shown in Figure 2-14, two Ethernet interfaces are added to VLAN100 in default mode. To
view changes of ARP entries, configure Layer 2 topology detection.
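Figure 2-14 Networking diagram for configuring Layer 2 topology detection
[Figure: PC A (10.1.1.1/24) connects to Ethernet 2/0/0 and PC B (10.1.1.3/24) connects to Ethernet 2/0/1 on the Router. Both interfaces belong to VLAN100, and VLANIF100 has the IP address 10.1.1.2/24.]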

Configuration Roadmap
The configuration roadmap is as follows:
1. Add two Ethernet interfaces to VLAN100 in default mode.
2. Enable Layer 2 topology detection to view changes of ARP entries.

Procedure
Step 1 Create VLAN100 and add two Ethernet interfaces to VLAN100 in default mode.
# Create VLAN100 and configure an IP address for the VLANIF interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.1.1.2 24
[Router-Vlanif100] quit

# Add two Ethernet interfaces to VLAN100 in default mode.


[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 100
[Router-Ethernet2/0/1] quit


Step 2 Enable Layer 2 topology detection.


[Router] l2-topology detect enable

Step 3 Restart Ethernet2/0/0 and view changes of ARP entries and aging time.
# View ARP entries on the router. You can find the router has learned the MAC address of the
PC.
[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0         Ethernet2/0/0
10.1.1.3        00e0-de24-bf04  20        D-0         Ethernet2/0/1
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1

After 1 minute, run the shutdown command to shut down Ethernet2/0/0, simulate an interface
fault, and check the aging time of ARP entries. The command output shows that the ARP entries
learned from Ethernet2/0/0 are deleted after Ethernet2/0/0 is shut down.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] shutdown
[Router-Ethernet2/0/0] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.3        00e0-de24-bf04  19        D-0         Ethernet2/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1

# Run the undo shutdown command to restart Ethernet2/0/0 and check the aging time of ARP
entries. The command output shows that Ethernet2/0/0 and Ethernet2/0/1 in VLAN100 update
ARP entries after Ethernet2/0/0 is restarted and becomes Up.
[Router] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        00e0-c01a-4900            I           Vlanif100
10.1.1.1        00e0-c01a-4901  20        D-0         Ethernet2/0/0
10.1.1.3        00e0-de24-bf04  20        D-0         Ethernet2/0/1
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0


#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 100
#
return

2.8 FAQ
2.8.1 How Can I Configure Static ARP Entries on an Interface?
Based on the interface type, you can configure static ARP entries using the following methods:

For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static ip-address mac-address command to configure static ARP entries.
For example:
<Huawei> system-view
[Huawei] arp static 1.1.1.1 0000-1111-1111

For Dot1q termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command to configure static ARP entries.
For example: Configure a static ARP entry for a sub-interface for dot1q VLAN tag
termination. The static ARP entry maps the IP address 2.1.1.1 to the MAC address 0edc-15e5-f7e4. GE1/0/0.1 is added to VLAN 20.
# Configure a sub-interface for dot1q VLAN tag termination and add the sub-interface
to VLAN 20.
<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0.1
[Huawei-GigabitEthernet1/0/0.1] control-vid 100 dot1q-termination
[Huawei-GigabitEthernet1/0/0.1] dot1q termination vid 20
[Huawei-GigabitEthernet1/0/0.1] ip address 2.1.1.2 24
[Huawei-GigabitEthernet1/0/0.1] quit
NOTE

The control-vid 100 dot1q-termination command does not need to be configured in AR
V2R2C01 or later versions.

# Configure a static ARP entry for the sub-interface for dot1q VLAN tag termination.
[Huawei] arp static 2.1.1.1 0edc-15e5-f7e4 vid 20 interface gigabitethernet1/0/0.1

For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id cevid ce-vid interface interface-type interface-number command to configure static
ARP mapping entries with double tags.
For example: Configure a static ARP entry for a sub-interface for QinQ VLAN tag
termination. The static ARP entry maps the IP address 2.1.1.1 to the MAC address 0edc-15e5-f7e4. The inner and outer VLAN IDs of the outbound interface GE1/0/0.1 are 20 and 10
respectively.
# Configure a sub-interface for QinQ VLAN tag termination and set the inner and outer
VLAN IDs of the outbound interface GE1/0/0.1 to 20 and 10 respectively.
<Huawei> system-view


[Huawei] interface gigabitethernet 1/0/0.1
[Huawei-GigabitEthernet1/0/0.1] control-vid 100 qinq-termination
[Huawei-GigabitEthernet1/0/0.1] qinq termination pe-vid 10 ce-vid 20
[Huawei-GigabitEthernet1/0/0.1] ip address 2.1.1.2 24
[Huawei-GigabitEthernet1/0/0.1] quit
NOTE

The control-vid 100 qinq-termination command does not need to be configured in AR
V2R2C01 or later versions.

# Configure a static ARP entry for the sub-interface for QinQ VLAN tag termination.
[Huawei] arp static 2.1.1.1 0edc-15e5-f7e4 vid 10 cevid 20 interface gigabitethernet1/0/0.1

For VLANIF interfaces, run the arp static ip-address mac-address vid vlan-id interface
interface-type interface-number command to configure static ARP entries.
For example:
<Huawei> system-view
[Huawei] arp static 192.168.1.88 0000-1111-1111 vid 4094 interface ethernet 0/0/7
NOTE

The outbound interface here indicates the Layer 2 interface bound to the VLAN.

In AR V2R2C01 or later versions, the VLANIF interface supports short ARP entries. You
can directly configure the mapping between the IP address and MAC address without
specifying the VID and outbound interface.
For example:
<Huawei> system-view
[Huawei] arp static 192.168.1.88 0000-1111-1111

2.8.2 Termination Sub-interfaces That Connect Two Devices Cannot Ping Each Other. Why?
After you configure IP addresses for termination sub-interfaces that connect two devices, they
cannot ping each other. Check whether you have run the arp broadcast enable command on
the interfaces. If this command is not run, the devices fail to send ARP Request packets through
these interfaces and cannot learn ARP entries. By default, the arp broadcast enable command
is disabled in V200R003C00 and earlier versions and enabled in V200R003C01 and later
versions.

2.9 References
The following table lists the references of this document.

| Document | Description | Remarks |
|---|---|---|
| RFC826 | Ethernet Address Resolution Protocol | |
| RFC903 | Reverse Address Resolution Protocol | |
| RFC1027 | Using ARP to Implement Transparent Subnet Gateways | |
| RFC1042 | Standard for the Transmission of IP Datagrams over IEEE 802 Networks | |

3 DHCP Configuration


About This Chapter


DHCP dynamically manages and configures clients in a centralized manner. It ensures proper
IP address allocation and improves IP address use efficiency.
3.1 DHCP Overview
3.2 Principles
3.3 Application
3.4 Default Configuration
This section provides default DHCP configurations.
3.5 Configuring DHCP
3.6 Maintaining DHCP
After DHCP configurations are complete, you can clear DHCP statistics and monitor DHCP
operation.
3.7 Configuration Examples
This section provides DHCP configuration examples including networking requirements and
configuration roadmap.
3.8 Common Configuration Errors
This section provides DHCP troubleshooting procedures.
3.9 FAQ
3.10 References


3.1 DHCP Overview


Definition
The Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses to users
and manages user configurations in a centralized manner.

Purpose
As the network expands and becomes complex, the number of hosts often exceeds the number
of available IP addresses. As portable computers and wireless networks are widely used, the
positions of computers often change, causing IP addresses of the computers to be changed
accordingly. As a result, network configurations become increasingly complex. To properly and
dynamically assign IP addresses to hosts, DHCP is used.
DHCP is developed based on the BOOTstrap Protocol (BOOTP). BOOTP runs on networks
where each host has a fixed network connection. The administrator configures a BOOTP
parameter file for each host, and the file remains unchanged for a long period of time. DHCP
has the following new features compared with BOOTP:
• Dynamically assigns IP addresses and configuration parameters to clients.
• Enables a host to obtain an IP address dynamically, but does not specify an IP address for
  each host.

DHCP rapidly and dynamically allocates IP addresses, which improves IP address usage.

3.2 Principles
3.2.1 DHCP Overview
DHCP uses the client/server model. A DHCP client sends a packet to a DHCP server to request
configuration parameters such as the IP address, subnet mask, and default gateway address. The
DHCP server responds with a packet carrying the requested configurations based on a policy.

DHCP Architecture
Figure 3-1 shows the DHCP architecture.
Figure 3-1 DHCP architecture
[Figure labels: DHCP Client, DHCP Relay, IP Network, DHCP Server.]

DHCP involves the following roles:



DHCP Client
A DHCP client exchanges messages with a DHCP server to obtain an IP address and other
configuration parameters. On the device, an interface can function as a DHCP client to
dynamically obtain configuration parameters such as an IP address from a DHCP server.
This facilitates configurations and centralized management.

DHCP Relay
A DHCP relay agent forwards DHCP packets exchanged between a DHCP client and a
DHCP server that are located on different network segments so that they can complete their
address configuration. Using a DHCP relay agent eliminates the need for deploying a DHCP
server on each network segment. This feature reduces network deployment costs and
facilitates device management.
In the DHCP architecture, the DHCP relay agent is optional. A DHCP relay agent is required
only when the server and client are located on different network segments.

DHCP Server
A DHCP server processes requests of address allocation, address lease extending, and
address releasing from a DHCP client or a DHCP relay agent, and allocates IP addresses
and other network configuration parameters to the DHCP client.

3.2.2 Introduction to DHCP Messages


DHCP Message Format
Figure 3-2 shows the format of a DHCP message.
Figure 3-2 Format of a DHCP message

0           7           15          23          31
| op (1)    | htype (1) | hlen (1)  | hops (1)  |
| xid (4)                                       |
| secs (2)              | flags (2)             |
| ciaddr (4)                                    |
| yiaddr (4)                                    |
| siaddr (4)                                    |
| giaddr (4)                                    |
| chaddr (16)                                   |
| sname (64)                                    |
| file (128)                                    |
| options (variable)                            |


In Figure 3-2, numbers in the round brackets indicate the field length, expressed in bytes.
Table 3-1 Description of each field in a DHCP message

| Field | Length | Description |
|---|---|---|
| op (op code) | 1 byte | Indicates the message type. The options are as follows: 1: DHCP Request message; 2: DHCP Reply message. |
| htype (hardware type) | 1 byte | Indicates the hardware address type. For Ethernet, the value of this field is 1. |
| hlen (hardware length) | 1 byte | Indicates the length of a hardware address, expressed in bytes. For Ethernet, the value of this field is 6. |
| hops | 1 byte | Indicates the number of DHCP relay agents that a DHCP Request message passes through. This field is set to 0 by a DHCP client or a DHCP server. The value increases by 1 each time a DHCP Request message passes through a DHCP relay agent. This field limits the number of DHCP relay agents that a DHCP message can pass through. NOTE: A maximum of 16 DHCP relay agents are allowed between a server and a client. That is, the number of hops must be smaller than or equal to 16. Otherwise, DHCP messages are discarded. |
| xid | 4 bytes | Indicates a random number chosen by a DHCP client. It is used by the DHCP client and DHCP server to exchange messages. |
| secs (seconds) | 2 bytes | Indicates the time elapsed since the client obtained or renewed an IP address, in seconds. |
| flags | 2 bytes | Indicates the Flags field. Only the leftmost bit of the Flags field is valid and other bits are set to 0. The leftmost bit determines whether the DHCP server unicasts or broadcasts a DHCP Reply message. The options are as follows: 0: The DHCP server unicasts a DHCP Reply message; 1: The DHCP server broadcasts a DHCP Reply message. |
| ciaddr (client ip address) | 4 bytes | Indicates the IP address of a client. The IP address can be an existing IP address of a DHCP client or an IP address assigned by a DHCP server to a DHCP client. During initialization, the client has no IP address and the value of this field is 0.0.0.0. NOTE: The IP address 0.0.0.0 is used only for temporary communication during system startup in DHCP mode. It is an invalid address. |
| yiaddr (your client ip address) | 4 bytes | Indicates the DHCP client IP address assigned by the DHCP server. The DHCP server fills this field into a DHCP Reply message. |
| siaddr (server ip address) | 4 bytes | Server IP address from which a DHCP client obtains the startup configuration file. |
| giaddr (gateway ip address) | 4 bytes | Indicates the IP address of the first DHCP relay agent. If the DHCP server and client are located on different network segments, the first DHCP relay agent fills its IP address into this field of the DHCP Request message sent by the client and forwards the message to the DHCP server. The DHCP server determines the network segment where the client resides based on this field, and assigns an IP address on this network segment from an address pool. The DHCP server also returns a DHCP Reply message to the first DHCP relay agent. The DHCP relay agent then forwards the DHCP Reply message to the client. NOTE: If the DHCP Request message passes through multiple DHCP Relay agents before reaching the DHCP server, the value of this field is the IP address of the first DHCP relay agent and remains unchanged. However, the value of the Hops field increases by 1 each time a DHCP Request message passes through a DHCP relay agent. |
| chaddr (client hardware address) | 16 bytes | Indicates the client MAC address. This field must be consistent with the hardware type and hardware length fields. When sending a DHCP Request message, the client fills its hardware address into this field. For Ethernet, a 6-byte Ethernet MAC address must be filled in this field when the hardware type and hardware length fields are set to 1 and 6 respectively. |
| sname (server host name) | 64 bytes | Indicates the name of the server from which a client obtains configuration parameters. This field is optional and is filled in by the DHCP server. The field must be filled in with a character string that ends with 0. |
| file (file name) | 128 bytes | Indicates the Bootfile name specified by the DHCP server for a DHCP client. This field is filled in by the DHCP server and is delivered to the client when the IP address is assigned to the client. This field is optional. The field must be filled in with a character string that ends with 0. |
| options | Variable | Indicates the DHCP Options field, which has a maximum of 312 bytes. This field contains the DHCP message type and configuration parameters assigned by a server to a client, including the gateway IP address, DNS server IP address, and IP address lease. For details about the Options field, see 3.2.3 DHCP Options. |

DHCP Message Types


DHCP messages are classified into eight types. A DHCP server and a DHCP client communicate
by exchanging DHCP messages.

Table 3-2 DHCP message types

| Message Name | Description |
|---|---|
| DHCP DISCOVER | A DHCP Discover message is broadcast by a DHCP client to locate a DHCP server when the client attempts to connect to a network for the first time. |
| DHCP OFFER | A DHCP Offer message is sent by a DHCP server to respond to a DHCP Discover message. A DHCP Offer message carries various configuration information. |
| DHCP REQUEST | A DHCP Request message is sent in the following conditions: (1) After a DHCP client is initialized, it broadcasts a DHCP Request message to respond to the DHCP Offer message sent by a DHCP server. (2) After a DHCP client restarts, it broadcasts a DHCP Request message to confirm the configuration including the assigned IP address. (3) After a DHCP client obtains an IP address, it unicasts or broadcasts a DHCP Request message to update the IP address lease. |
| DHCP ACK | A DHCP ACK message is sent by a DHCP server to acknowledge the DHCP Request message from a DHCP client. After receiving a DHCP ACK message, the DHCP client obtains the configuration parameters including the IP address. |
| DHCP NAK | A DHCP NAK message is sent by a DHCP server to reject the DHCP Request message from a DHCP client. For example, after a DHCP server receives a DHCP Request message, it cannot find matching lease records. Then the DHCP server sends a DHCP NAK message, notifying that no IP address is available for the DHCP client. |
| DHCP DECLINE | A DHCP Decline message is sent by a DHCP client to notify the DHCP server that the assigned IP address conflicts with another IP address. Then the DHCP client applies to the DHCP server for another IP address. |
| DHCP RELEASE | A DHCP Release message is sent by a DHCP client to release its IP address. After receiving a DHCP Release message, the DHCP server can assign this IP address to another DHCP client. |
| DHCP INFORM | A DHCP Inform message is sent by a DHCP client to obtain other network configuration parameters such as the gateway address and DNS server address after the DHCP client has obtained an IP address. |

3.2.3 DHCP Options


Options Field in a DHCP Packet
The Options field in a DHCP packet carries control information and parameters that are not
defined in common protocols. When a DHCP client requests an IP address from the DHCP server
configured with the Options field, the server replies with a packet containing the Options field.
Figure 3-3 shows the format of the Options field.

Figure 3-3 Format of the Options field
[Figure labels: Type, Length, Value.]

The Options field consists of Type, Length, and Value. The following table provides the details.
Table 3-3 Description of the Options field

| Field | Length | Description |
|---|---|---|
| Type | 1 byte | Indicates the type of the message content. |
| Length | 1 byte | Indicates the length of the message content. |
| Value | Depending on the setting of the Length field | Indicates the message content. |
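
The fixed header described in Table 3-1 and the Type/Length/Value layout in Table 3-3 can be checked programmatically when inspecting DHCP traffic. The following Python parser is an added example, not part of the Huawei guide; the magic cookie, the Pad (0) and End (255) options and the option 53 values are taken from RFC 2131 and RFC 2132 rather than from this page, and the sample messages are constructed.

```python
import ipaddress
import struct

# Fixed part of Figure 3-2: op, htype, hlen, hops, xid, secs, flags, ciaddr,
# yiaddr, siaddr, giaddr, chaddr (16), sname (64), file (128) = 236 bytes.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
# Assumption taken from RFC 2131, not from this page: the options field
# begins with a 4-byte magic cookie.
MAGIC_COOKIE = bytes([99, 130, 83, 99])
MAX_HOPS = 16  # relay limit stated in the hops row of Table 3-1
# Option 53 values from RFC 2132 for the eight message types in Table 3-2.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Walk the Type/Length/Value options of Table 3-3; return {type: value}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:  # End option (RFC 2132) terminates the list
            return options
        if code == 0:  # Pad option (RFC 2132) is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} overruns the message")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field is not terminated by the End option")


def parse_dhcp(message):
    """Decode a DHCP message and list violations of the field rules in Table 3-1."""
    if len(message) < FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("message is shorter than the fixed header")
    (op, htype, hlen, hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file) = FIXED.unpack_from(message)
    if message[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing before the options field")
    options = parse_options(message[FIXED.size + 4:])
    issues = []
    if op not in (1, 2):
        issues.append(f"op {op} is neither Request (1) nor Reply (2)")
    if htype == 1 and hlen != 6:
        issues.append(f"hlen {hlen} is not 6 although htype is Ethernet")
    if hops > MAX_HOPS:
        issues.append(f"hops {hops} exceeds the limit of {MAX_HOPS} relay agents")
    if flags & 0x7FFF:
        issues.append("flag bits other than the leftmost bit are set")
    kind = options.get(53, b"")
    if len(kind) != 1 or kind[0] not in MESSAGE_TYPES:
        issues.append("option 53 (DHCP packet type) is missing or invalid")
    return {
        "op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:min(hlen, 16)].hex("-", 2),
        "message_type": MESSAGE_TYPES.get(kind[0]) if len(kind) == 1 else None,
        "options": options, "issues": issues,
    }


def build_sample(hops, giaddr, options):
    """Build a constructed client-to-server message (op 1) for the demonstration."""
    chaddr = bytes.fromhex("00005e33ee20").ljust(16, b"\0")  # Host A MAC from Figure 2-11
    fixed = FIXED.pack(1, 1, 6, hops, 0x3903F326, 0, 0x8000, bytes(4), bytes(4),
                       bytes(4), ipaddress.IPv4Address(giaddr).packed, chaddr,
                       bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes(options)


# Constructed samples: a broadcast DISCOVER, a REQUEST that passed too many
# relay agents, and a message whose option 55 claims more bytes than remain.
DISCOVER = build_sample(0, "0.0.0.0", [53, 1, 1, 55, 3, 1, 3, 6, 255])
OVER_RELAYED = build_sample(17, "10.10.10.1", [53, 1, 3, 255])
TRUNCATED = build_sample(0, "0.0.0.0", [53, 1, 1, 55, 9, 1, 3])

if __name__ == "__main__":
    for name, sample in (("DISCOVER", DISCOVER), ("OVER_RELAYED", OVER_RELAYED)):
        print(name, parse_dhcp(sample))
    try:
        parse_dhcp(TRUNCATED)
    except ValueError as error:
        print("TRUNCATED rejected:", error)
```

The bounds check in parse_options matters because the Length byte is supplied by the sender: a parser that trusts it without comparing against the remaining bytes reads past the end of the message.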

The value of the Options field ranges from 1 to 255. Table 3-4 lists common DHCP options.
Table 3-4 Description of the Options field in DHCP packets

| Options No. | Function |
|---|---|
| | Specifies the subnet mask. |
| | Specifies the gateway address. |
| | Specifies the DNS server IP address. |
| 12 | Specifies the hostname. |
| 15 | Specifies the domain name. |
| 33 | Specifies a group of classful static routes. This option contains a group of classful static routes. When a DHCP client receives DHCP packets with this option, it adds the classful static routes contained in the option to its routing table. In classful routes, masks of destination addresses are natural masks and masks cannot be used to divide subnets. If Option 121 exists, this option is ignored. |
| 44 | Specifies the NetBIOS name. |
| 46 | Specifies the NetBIOS object type. |
| 50 | Specifies the requested IP address. |
| 51 | Specifies the IP address lease. |
| 52 | Specifies the additional option. |
| 53 | Specifies the DHCP packet type. |
| 54 | Specifies the server identifier. |
| 55 | Specifies the parameter request list. It is used by a DHCP client to request specified configuration parameters. |
| 58 | Specifies the lease renewal time (T1), which is 50% of the lease time. |
| 59 | Specifies the lease renewal time (T2), which is 87.5% of the lease time. |
| 60 | Specifies the vendor classification information option, which identifies the DHCP client type and configuration. |
| 61 | Specifies Client identifier. |
| 66 | Specifies the TFTP server name allocated to DHCP clients. |
| 67 | Specifies the Bootfile name allocated to DHCP clients. |
| 77 | Specifies the user type. |

121

Specifies a group of classless routes. This option contains a


group of classless static routes. After a DHCP client receives
DHCP packets with this option, it adds the classless static routes
contained in the option to its routing table. Classless routes are
routes of which masks of destination addresses can be any
values and masks can be used to divide subnets.

The objects of this field vary with the functions of the Options field. For example, Option 77 is
used on a DHCP client to identify user types of the DHCP client. The DHCP server selects an
address pool to allocate an IP address and configuration parameters to the DHCP client based
on the User Class in the Option field. Option 77 is manually configured only on the DHCP client
but not on the server.
NOTE

When the device functions as the DHCP client, the client can identify the Option 121 field, which describes static routes,
in the DHCP packet sent by the DHCP server.

For more information about common DHCP options, see RFC 2132.

Customized DHCP Options


Some options are not defined in RFC 2132. One such customized option, Option 82, is described as
follows:
The Option 82 field is called the DHCP relay agent information field. It records the location of
a DHCP client. A DHCP relay agent or a device enabled with DHCP snooping appends the
Option 82 field to a DHCP Request message sent from a DHCP client, and then forwards the
DHCP Request message to a DHCP server.
You can use the Option 82 field to locate a DHCP client and implement security control and
accounting for the DHCP client. A DHCP server that supports the Option 82 field can determine
the allocation of IP addresses and other parameters according to the information in the Option 82
field, so IP addresses can be assigned flexibly.
The Option 82 field contains a maximum of 255 suboptions. If the Option 82 field is defined,
at least one suboption must be defined. Currently, the device supports only two suboptions: suboption 1 (circuit ID) and suboption 2 (remote ID).
The content of the Option 82 field is not defined uniformly, and various vendors fill in the Option
82 field as required.
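
The Type/Length/Value layout, the Option 82 suboptions and the Option 121 routes described above can be walked with a short defensive parser. The following Python is an added example, not code from this guide or from the device software; the sample bytes are constructed, the function names are illustrative, the Pad (0) and End (255) handling follows RFC 2132, and the Option 121 route encoding follows RFC 3442.

```python
"""Added example: walk the DHCP Options field (Type/Length/Value) defensively."""
import ipaddress

PAD, END, RELAY_AGENT_INFO, CLASSLESS_ROUTES = 0, 255, 82, 121


class OptionError(ValueError):
    """Raised when an option is truncated or structurally invalid."""


def parse_tlv(buf, has_pad_end=True):
    """Return [(type, value_bytes), ...] from a Type/Length/Value byte string."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if has_pad_end and code == PAD:      # RFC 2132: one-byte padding, no Length
            i += 1
            continue
        if has_pad_end and code == END:      # RFC 2132: end marker, stop parsing
            break
        if i + 2 > len(buf):
            raise OptionError(f"option {code}: missing Length byte")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:             # never trust Length beyond the buffer
            raise OptionError(f"option {code}: Length {length} overruns the buffer")
        out.append((code, value))
        i += 2 + length
    return out


def parse_option82(value):
    """Split Option 82 into suboptions (1 = circuit ID, 2 = remote ID)."""
    names = {1: "circuit-id", 2: "remote-id"}
    subs = parse_tlv(value, has_pad_end=False)
    if not subs:                             # at least one suboption must be defined
        raise OptionError("Option 82 present but carries no suboption")
    return {names.get(code, f"suboption-{code}"): data for code, data in subs}


def parse_option121(value):
    """Decode Option 121 classless static routes into (destination, next hop)."""
    routes, i = [], 0
    while i < len(value):
        prefix_len = value[i]
        if prefix_len > 32:
            raise OptionError(f"invalid prefix length {prefix_len}")
        n = (prefix_len + 7) // 8            # only the significant octets are sent
        chunk = value[i + 1:i + 1 + n + 4]
        if len(chunk) != n + 4:
            raise OptionError("truncated classless route")
        dest = ipaddress.ip_address(chunk[:n].ljust(4, b"\0"))
        net = ipaddress.ip_network(f"{dest}/{prefix_len}", strict=False)
        routes.append((str(net), str(ipaddress.ip_address(chunk[n:]))))
        i += 1 + n + 4
    return routes


def decode(buf):
    """Parse a whole Options field and expand Option 82 and Option 121."""
    result = {}
    for code, value in parse_tlv(buf):
        if code == RELAY_AGENT_INFO:
            result[code] = parse_option82(value)
        elif code == CLASSLESS_ROUTES:
            result[code] = parse_option121(value)
        else:
            result[code] = value
    return result


# Constructed sample (not a real capture): options 53, 1, 3, 54, 82, 121, End.
SAMPLE = (
    bytes([53, 1, 5])                                     # DHCP packet type: ACK
    + bytes([1, 4, 255, 255, 255, 0])                     # subnet mask
    + bytes([3, 4, 192, 0, 2, 1])                         # gateway address
    + bytes([54, 4, 192, 0, 2, 1])                        # server identifier
    + bytes([82, 16, 1, 6]) + b"ge0/01"                   # Option 82, suboption 1
    + bytes([2, 6]) + bytes.fromhex("00e0fc000001")       # Option 82, suboption 2
    + bytes([121, 8, 24, 198, 51, 100, 192, 0, 2, 254])   # 198.51.100.0/24 via 192.0.2.254
    + bytes([END])
)

if __name__ == "__main__":
    for code, value in decode(SAMPLE).items():
        print(code, value)
```

Because vendors fill in Option 82 as they see fit, the parser returns the suboption values as raw bytes and leaves their interpretation to the caller.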

3.2.4 DHCP Principles


Modes for Interaction Between the DHCP Client and Server
To obtain a valid dynamic IP address, a DHCP client exchanges different messages with the
server at different stages. Generally, the DHCP client and server interact in the following modes.
- The DHCP client dynamically obtains an IP address.

Figure 3-4 Procedure for a DHCP client to dynamically obtain an IP address (Step 1: DHCP DISCOVER, broadcast, client to server; Step 2: DHCP OFFER, server to client; Step 3: DHCP REQUEST, broadcast, client to server; Step 4: DHCP ACK/DHCP NAK, server to client)

As shown in Figure 3-4, when a DHCP client accesses the network for the first time, the
DHCP client sets up a connection with a DHCP server through the following four stages.
Discovery stage: The DHCP client searches for the DHCP server.
In this stage, the DHCP client sends a DHCP Discover message to search for the DHCP
server. The DHCP server address is unknown to the client, so the DHCP client
broadcasts the DHCP Discover message. All the DHCP servers send Reply messages
after they receive the Discover message. In this way, the DHCP client knows locations
of the DHCP servers on the network.
Offer stage: The DHCP server offers an IP address to the DHCP client.
The DHCP server receives the DHCP Discover message, selects an IP address from the
address pool, and sends a DHCP Offer message to the DHCP client. The Offer message
carries information such as the IP address, lease of the IP address, gateway address, and
DNS server address.
Request stage: The DHCP client selects an IP address.
If multiple DHCP servers send DHCP Offer messages to the DHCP client, the client
accepts only the first DHCP Offer message that it receives. Then the client broadcasts a
DHCP Request message that carries the address of the selected DHCP server in the Option 54 field.
The broadcast notifies all the DHCP servers that the client uses the IP address provided
by the DHCP server identified in the Option 54 field, so that all the other servers can
reuse the IP addresses they offered.
Acknowledgment stage: The DHCP server acknowledges the IP address that is offered.
When the DHCP server receives the DHCP Request message from the DHCP client,
the server searches the lease record based on the MAC address in the Request message.
If a matching IP address record exists, the server sends a DHCP ACK message to the client,
carrying the IP address and other configurations. After receiving the DHCP ACK
message, the DHCP client broadcasts gratuitous ARP packets to detect whether any
host is using the IP address assigned by the DHCP server. If no response is received
within the specified time, the DHCP client uses the IP address.
If there is no IP address record or the server cannot assign IP addresses, the server sends
a DHCP NAK message to notify the DHCP client that the server cannot assign IP
addresses. The DHCP client needs to send a new DHCP Discover message to request
a new IP address.
After obtaining the IP address, the DHCP client checks the status of the gateway in use
before the client goes online. If the gateway address is incorrect or the gateway device
fails, the DHCP client requests a new IP address using the four modes for interaction.
- The DHCP client uses the assigned IP address.

Figure 3-5 Procedure for the DHCP client to use the assigned IP address (Step 1: DHCP REQUEST, broadcast, client to server; Step 2: DHCP ACK/DHCP NAK, server to client)

As shown in Figure 3-5, when the DHCP client accesses a network for the second time, it
sets up a connection with the DHCP server in the following procedure.
The client accesses a network for the second time with an IP address that has not
expired. The client does not need to send a DHCP Discover message again. It directly
sends a DHCP Request message that carries the IP address assigned the first time
in the Option 50 field.
After receiving the DHCP Request message, if the requested IP address is not assigned
to another DHCP client, the DHCP server sends a DHCP ACK message to instruct the
DHCP client to use the IP address again.
If the IP address cannot be assigned to the DHCP client, for example, it has been assigned
to another DHCP client, the DHCP server sends a DHCP NAK message to the DHCP
client. After receiving the DHCP NAK message, the DHCP client sends a DHCP
Discover message to request a new IP address.
- The DHCP client renews the IP address lease.

An expected lease can be contained in the DHCP Request message sent to the server for
an IP address. The server compares the expected lease with the lease in the address pool
and assigns the shorter of the two leases to the client.
The IP address dynamically assigned to the DHCP client usually has a validity period. The
DHCP server withdraws the IP address after the validity period expires. To keep using the
IP address, the DHCP client needs to renew the IP address lease.
When obtaining an IP address, the DHCP client enters the binding state. The client is
configured with three timers to control lease renewal, rebinding, and lease expiration
respectively. When assigning an IP address to the DHCP client, the DHCP server also
specifies values for the timers. If the server does not specify values for the timers, the client
uses the default values. Table 3-5 lists the default timer values.
Table 3-5 Default values of timers

| Timer | Default Value |
|---|---|
| Lease renewal | 50% of the lease |
| Rebinding | 87.5% of the lease |
| Lease expiration | Overall lease |

Figure 3-6 Procedure for a DHCP client to renew the IP address lease (at T1: DHCP REQUEST, unicast, client to server; at T2: DHCP REQUEST, broadcast, client to server; reply: DHCP ACK/DHCP NAK, server to client)

As shown in Figure 3-6, when the DHCP client renews the IP address lease, it sets up a
connection with the DHCP server in the following procedure:
When 50% of the IP address lease (T1) has passed, the DHCP client unicasts a DHCP
Request message to the DHCP server to renew the lease. If the client receives a DHCP
ACK message, the address lease is successfully renewed. If the client receives a DHCP
NAK message, it sends a request again.
When 87.5% of the IP address lease (T2) has passed and the client has not received the
Reply message, the DHCP client automatically sends a broadcast message to the DHCP
server to renew the IP address lease. If the client receives a DHCP ACK message, the
address lease is successfully renewed. If the client receives a DHCP NAK message, it
sends a request again.
If the client has not received a Reply message from the server when the IP address lease
expires, the client must stop using the current IP address and send a DHCP Discover
message to request a new IP address.
- The DHCP client releases an IP address.

When the DHCP client no longer uses the assigned IP address, it sends a DHCP Release
message to notify the DHCP server to release the IP address. The DHCP server retains
the DHCP client configurations so that the configurations can be used when the client
requests an address again.

3.2.5 DHCP Relay Principles


The DHCP relay function enables message exchanges between a DHCP server and a client on
different network segments. When the DHCP client and server are on different network
segments, the DHCP relay agent transparently transmits DHCP messages to the destination
DHCP server. In this way, DHCP clients on different network segments can communicate with
one DHCP server.
Figure 3-7 shows how a DHCP client uses the DHCP relay agent to apply for an IP address for
the first time.
Figure 3-7 Working process of a DHCP relay agent (participants: client, DHCP relay, DHCP server. Between the client and the relay: Step 1 DHCP DISCOVER (broadcast), Step 2 DHCP OFFER, Step 3 DHCP REQUEST (broadcast), Step 4 DHCP ACK/DHCP NAK. Between the relay and the server: the same four messages, each sent as unicast)

Figure 3-7 shows the working process of a DHCP relay agent. The DHCP client sends a Request
message to the DHCP server. When receiving the message, the DHCP relay agent processes and
unicasts the message to the specified DHCP server on the other network segment. The DHCP
server sends requested configurations to the client through the DHCP relay agent based on
information in the Request message.
1. After receiving a DHCP Discover message or a Request message, the DHCP relay agent
   performs the following operations:
   - Discards DHCP Request messages whose number of hops is larger than the hop limit
     to prevent loops. Otherwise, increases the value of the hops field by 1, indicating
     that the message has passed through a DHCP relay agent.
   - Checks the giaddr field. If the value is 0, sets the value of the giaddr field to the IP address
     of the interface that receives the Request message, and selects one IP address if the
     interface has multiple IP addresses. All the Request messages received by the interface
     later use this IP address to fill the giaddr field. If the value is not 0, the relay agent
     does not change the value.
   - Sets the TTL in the request packets to the default value in the DHCP relay device, not
     the value calculated by decreasing the original TTL by 1. You can change the value of
     the hops field to prevent loops and limit hops.
   - Changes the destination IP address of the DHCP Request message to the IP address of
     the DHCP server or the IP address of the next DHCP relay agent. In this way, the DHCP
     Request message can be forwarded to the DHCP server or the next DHCP relay agent.

2. The DHCP server assigns IP addresses to the client based on the Relay Agent IP Address
   field and sends the DHCP Reply message to the DHCP relay agent specified in the Relay
   Agent IP Address field. After receiving the DHCP Reply message, the DHCP relay agent
   performs the following operations:
   - The DHCP relay agent assumes that all the Reply messages are sent to the directly
     connected DHCP clients. The Relay Agent IP Address field identifies the interface
     directly connected to the client. If the value of the Relay Agent IP Address field is not
     the IP address of a local interface, the DHCP relay agent discards the Reply message.
   - The DHCP relay agent checks the broadcast flag bit of the message. If the broadcast
     flag bit is 1, the DHCP relay agent broadcasts the DHCP Reply message to the DHCP
     client; otherwise, the DHCP relay agent unicasts the DHCP Reply message to the DHCP
     client. The destination IP address is the value in the Your (Client) IP Address field, and
     the MAC address is the value in the Client Hardware Address field.
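
The request-side and reply-side checks listed above can be modelled on already-parsed header fields. The following Python is an added example, not the device's implementation; the hop limit of 16, the default TTL of 255, the interface names and all class and method names are assumptions made for illustration, and the addresses are constructed.

```python
"""Added example: the relay-agent checks described above, on parsed header fields."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

HOP_LIMIT = 16            # assumed value; the text only refers to "the hop limit"
DEFAULT_TTL = 255         # assumed default TTL of the relay device
UNSPECIFIED = IPv4Address("0.0.0.0")
BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class DhcpMsg:
    """Only the fields that the relay procedure reads or rewrites."""
    hops: int
    giaddr: IPv4Address          # Relay Agent IP Address
    yiaddr: IPv4Address          # Your (Client) IP Address
    chaddr: str                  # Client Hardware Address
    broadcast_flag: bool
    dst_ip: IPv4Address = BROADCAST
    ttl: int = 64


@dataclass
class Relay:
    interfaces: dict             # interface name -> IPv4Address (names are hypothetical)
    server: IPv4Address          # DHCP server or next DHCP relay agent

    def relay_request(self, msg, in_if):
        """Client-to-server direction. Returns the forwarded message, or None if discarded."""
        if msg.hops > HOP_LIMIT:
            return None                              # loop protection
        giaddr = msg.giaddr
        if giaddr == UNSPECIFIED:                    # first relay agent on the path
            giaddr = self.interfaces[in_if]
        return replace(msg, hops=msg.hops + 1, giaddr=giaddr,
                       ttl=DEFAULT_TTL, dst_ip=self.server)

    def relay_reply(self, msg):
        """Server-to-client direction. Returns (out_if, dst_ip, dst_mac), or None if discarded."""
        for name, addr in self.interfaces.items():
            if addr == msg.giaddr:
                break
        else:
            return None                              # giaddr is not a local interface address
        if msg.broadcast_flag:
            return (name, BROADCAST, "ff:ff:ff:ff:ff:ff")
        return (name, msg.yiaddr, msg.chaddr)


if __name__ == "__main__":
    mac = "00:e0:fc:00:00:01"                        # constructed client MAC
    relay = Relay({"GE0/0/1": IPv4Address("10.1.1.1")}, IPv4Address("192.0.2.10"))
    discover = DhcpMsg(0, UNSPECIFIED, UNSPECIFIED, mac, False)
    print(relay.relay_request(discover, "GE0/0/1"))
    offer = DhcpMsg(1, IPv4Address("10.1.1.1"), IPv4Address("10.1.1.50"), mac, False)
    print(relay.relay_reply(offer))
    # A reply whose giaddr does not belong to this relay is dropped.
    print(relay.relay_reply(replace(offer, giaddr=IPv4Address("10.9.9.9"))))
```

The reply-side giaddr check is the one to watch in logs: a Reply message that names a Relay Agent IP Address the relay does not own is never forwarded to a client port.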

Figure 3-8 shows how a DHCP client extends the IP address lease through the DHCP relay
agent.
Figure 3-8 Extending the IP address lease through the DHCP relay agent (participants: DHCP client, DHCP relay, DHCP server; Step 1: DHCP REQUEST, unicast; Step 2: DHCP ACK/DHCP NAK, unicast)

1. After accessing the network for the first time, the DHCP client only needs to unicast a
   DHCP Request message to the DHCP server that assigned its currently-used IP address.

2. The DHCP server then directly unicasts a DHCP ACK message or a DHCP NAK message
   to the client.

DHCP Releasing
The DHCP relay agent, instead of the client, can send a Release message to the DHCP server to
release the IP addresses that are assigned to the DHCP clients. You can configure a command on
the DHCP relay agent to release the IP addresses that the DHCP server assigns to the DHCP
client.

3.2.6 IP Address Assignment and Renewal


IP Address Assignment Sequence
The DHCP server assigns IP addresses to a client in the following sequence:
- IP address that is in the database of the DHCP server and is statically bound to the MAC
  address of the client
- IP address that has been assigned to the client before, that is, IP address in the Requested
  IP Addr Option of the DHCP Discover message sent by the client
- IP address that is first found when the DHCP server searches the DHCP address pool for
  available IP addresses
- If the DHCP address pool has no available IP address, the DHCP server searches the expired
  IP addresses and conflicting IP addresses, and then assigns a valid IP address to the client.
- If all the IP addresses are in use, an error is reported.

Method of Preventing Repeated IP Address Assignment


Before assigning an IP address to a client, the DHCP server needs to ping the IP address to avoid
address conflicts.
By using the ping command, you can check whether a response to the ping packet is received
within the specified period. If no response to the ping packet is received, the DHCP server keeps
sending ping packets to the IP address to be assigned until the number of the sent ping packets
reaches the maximum value. If there is still no response, this IP address is not in use, and the
DHCP server assigns the IP address to a client. (This is implemented based on RFC 2132.)
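
The assignment sequence and the conflict probe described in the two subsections above can be combined in one small allocator model. The following Python is an added example, not the router's code; the class and method names, the probe callback that stands in for the ping, and the decision to mark an answering address as conflicting and move on are assumptions, and all addresses and MAC strings are constructed.

```python
"""Added example: address selection order of a DHCP server, with a conflict probe."""
from ipaddress import IPv4Address, IPv4Network
from itertools import chain


class PoolExhausted(Exception):
    """No assignable address is left (the 'error is reported' case)."""


class Pool:
    def __init__(self, network, excluded=(), static=None, probe=None, max_probes=2):
        self.net = IPv4Network(network)
        self.excluded = {IPv4Address(a) for a in excluded}
        self.static = {mac: IPv4Address(ip) for mac, ip in (static or {}).items()}
        self.leases = {}         # ip -> mac, currently leased
        self.expired = {}        # ip -> mac, lease ran out and was withdrawn
        self.conflict = set()    # addresses that answered a probe
        # probe(ip) -> True if some host answers; stands in for the server's ping.
        self.probe = probe or (lambda ip: False)
        self.max_probes = max_probes

    def _answers(self, ip):
        """Send up to max_probes probes and stop at the first reply."""
        return any(self.probe(ip) for _ in range(self.max_probes))

    def _eligible(self, ip, mac):
        """Policy checks that need no packet on the wire."""
        if ip not in self.net or ip in self.excluded:
            return False
        if ip in (self.net.network_address, self.net.broadcast_address):
            return False
        if self.leases.get(ip, mac) != mac:               # leased to another client
            return False
        owner = [m for m, a in self.static.items() if a == ip]
        return not owner or owner == [mac]                # not reserved for another MAC

    def allocate(self, mac, requested=None):
        """Pick an address for `mac`, trying candidates in the documented order."""
        preferred = [self.static[mac]] if mac in self.static else []   # static binding
        if requested is not None:
            preferred.append(IPv4Address(requested))                   # requested address
        preferred += [ip for ip, m in self.leases.items() if m == mac] # current lease
        taken = set(self.leases) | set(self.expired) | self.conflict
        unused = (ip for ip in self.net.hosts() if ip not in taken)
        for ip in chain(preferred, unused, list(self.expired), sorted(self.conflict)):
            if not self._eligible(ip, mac):
                continue
            if self.leases.get(ip) != mac and self._answers(ip):
                self.conflict.add(ip)                     # in use by an unknown host
                continue
            for old in [a for a, m in self.leases.items() if m == mac and a != ip]:
                del self.leases[old]                      # one lease per client
            self.expired.pop(ip, None)
            self.conflict.discard(ip)
            self.leases[ip] = mac
            return ip
        raise PoolExhausted(f"no assignable address in {self.net}")

    def expire(self, ip):
        """Lease timer ran out: the server withdraws the address."""
        ip = IPv4Address(ip)
        self.expired[ip] = self.leases.pop(ip)


if __name__ == "__main__":
    pool = Pool("192.0.2.0/29", excluded=["192.0.2.1"], static={"aa": "192.0.2.5"})
    print(pool.allocate("aa"))                            # static binding wins
    print(pool.allocate("bb", requested="192.0.2.5"))     # reserved for "aa", falls back
    print(pool.allocate("cc", requested="192.0.2.4"))     # requested address honoured
```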

IP Address Reservation
DHCP supports IP address reservation for clients. The reserved IP addresses can be those in the
address pool or not. If an address in the address pool is reserved, it is no longer assignable.
Addresses are usually reserved for DNS servers.

Method of IP Address Releasing and Lease Renewal on the PCs


The PCs (DHCP clients) must release the original IP addresses before obtaining new IP
addresses.
- Releasing the original IP address

  Commands for renewing the lease of an IP address vary in different operating systems. You
  can use either of the following methods to renew the lease of an IP address:
  - Run the ipconfig/release command in the Windows Vista/Windows XP/Windows 2000/
    DOS environment of the user PC to release the IP address of the PC.
  - Run the winipcfg/release command in the MS-DOS interface of Windows 98 to release
    the IP address of the PC.

  The user PC needs to send a DHCP Release message to the DHCP server.

- Renewing the IP address lease or applying for a new IP address

  The same command is used to apply for a new IP address and renew the IP address in the
  same operating system. Before applying for a new IP address, the PCs (DHCP clients) must
  release the original IP addresses. If you want to renew the IP address lease, you do not have
  to release the IP address.
  Different commands are used in different operating systems. You can use either of the
  following methods to apply for a new IP address:
  - Run the ipconfig/renew command in the Windows Vista/Windows XP/Windows 2000/
    DOS environment of the user PC to apply for a new IP address.
  - Run the winipcfg/renew command in the MS-DOS interface of Windows 98 to apply
    for a new IP address.

  The user PC needs to send a DHCP Discover message to the DHCP server.

3.3 Application
3.3.1 DHCP Server Application
As shown in Figure 3-9, a DHCP server and multiple DHCP clients (such as PCs and
portable computers) are deployed.
Figure 3-9 Typical networking of the DHCP server (elements: one DHCP server, two groups of DHCP clients)

Generally, the DHCP server is used to assign IP addresses in the following scenarios:

- On a large network, manual configuration takes a long time and makes centralized
  management of the entire network difficult.
- There are more hosts on the network than available IP addresses, so not every host has a fixed
  IP address. Many hosts need to dynamically obtain IP addresses through the DHCP server.
  In addition, network administrators want to limit the number of users online at the same time.
- Only a few hosts on the network require fixed IP addresses.

3.3.2 DHCP Relay Application


Figure 3-10 shows typical networking of DHCP relay.
Figure 3-10 Typical networking of DHCP relay (elements: Internet, DHCP relay, DHCP server, DHCP clients)

The earlier DHCP protocol applies only to the scenario in which the DHCP client and DHCP server
are on the same network segment. To dynamically assign IP addresses to hosts on different network
segments, the network administrator needs to configure a DHCP server on each network
segment, which increases costs.
The DHCP relay function is introduced to solve this problem. A DHCP client can apply to the
DHCP server on another network segment to obtain a valid IP address. In this manner, DHCP
clients on multiple network segments can share one DHCP server. This reduces costs and
facilitates centralized management.

3.3.3 DHCP/BOOTP Client Application


Figure 3-11 Typical networking of the DHCP/BOOTP Client (RouterA: DHCP client; RouterB: BOOTP client; RouterC: DHCP server)

As shown in Figure 3-11, when the DHCP/BOOTP client function is configured on a
Layer 3 interface of the device, the device dynamically obtains IP addresses and other network
configuration parameters from the DHCP server. This operation facilitates user configurations
and management.
The DHCP server can communicate with the BOOTP client, so you do not need to configure
the BOOTP server. The DHCP server allocates IP addresses to BOOTP clients.

3.4 Default Configuration


This section provides default DHCP configurations.
Table 3-6 DHCP default configuration

| Parameter | Default Value |
|---|---|
| Time interval at which the DHCP server waits for the response to ping packets to avoid IP address conflicts | 500 ms |
| IP address lease | 1 day |
| Interval for saving DHCP data to the storage device | 300 s |
| Rate of sending DHCP messages to the DHCP stack | 100 pps |

3.5 Configuring DHCP


3.5.1 Configuring a DHCP Server Based on the Global Address Pool
If a DHCP server based on a global address pool is configured, all online users of the server can
obtain IP addresses from this address pool.

Pre-configuration Tasks
Before configuring a DHCP server based on the global address pool, complete the following
tasks:
- Ensuring that the link between the DHCP client and the device works properly and the
  DHCP client can communicate with the device
- (Optional) Configuring the DNS service for the DHCP client
- (Optional) Configuring the NetBIOS service for the DHCP client
- Configuring routes from the device to the DNS server and the NetBIOS server (The routes
  are required only when the servers are configured.)
- (Optional) Configuring the customized DHCP option

3.5.1.1 Configuring the Global Address Pool


Context
The global address pool attributes include the IP address range, IP address lease, IP addresses
not to be automatically allocated, and IP addresses to be statically bound to MAC addresses. IP
addresses in the global address pool can be assigned dynamically or bound manually as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

A global address pool is created and the global address pool view is displayed.
By default, no global address pool exists on the router.
Step 3 Run:
network ip-address [ mask { mask | mask-length } ]

The range of IP addresses that can be allocated dynamically in the global address pool is
specified.
By default, no network segment address for a global address pool is specified.
An address pool can contain only one address segment. The address range of the address pool
is set by the mask.
NOTE

When configuring the range of dynamically assignable IP addresses in the global address pool, ensure that the
range is the same as the network segment on which the DHCP server interface address or the DHCP relay agent
interface address resides. This avoids incorrect assignment of IP addresses.

Step 4 (Optional) Run:


lease { day day [ hour hour [ minute minute ] ] | unlimited }

The IP address lease is set.


By default, the IP address lease is one day.
Different address pools on a DHCP server can be set with different IP address leases, but the IP
addresses in one address pool must be configured with the same lease.
Step 5 (Optional) Run:
excluded-ip-address start-ip-address [ end-ip-address ]

The IP addresses that cannot be automatically allocated in the global address pool are configured.
By default, all IP addresses in the address pool can be automatically assigned to clients.
Some IP addresses in the global address pool are reserved for other services, for example, the
IP address of the DNS server cannot be allocated to clients. If you run this command multiple
times, you can set multiple IP address ranges that cannot be automatically allocated in the DHCP
address pool.
Step 6 (Optional) Run:
gateway-list ip-address &<1-8>

The egress gateway address is configured for the DHCP clients.


When a DHCP client connects to the server or host outside the network segment, data must be
forwarded through the egress gateway. Skip this step if the IP address of the interface connected
to the DHCP server or the DHCP relay agent is used as the gateway IP address.
To load balance traffic and improve network reliability, configure multiple gateways. An address
pool can be configured with a maximum of eight gateway addresses. Gateway addresses cannot
be subnet broadcast addresses.
Step 7 (Optional) Run:
static-bind ip-address ip-address mac-address mac-address [ option-template
template-name ]

An IP address in the global address pool is statically bound to the MAC address of a DHCP
client.
By default, the IP address in a global address pool is not bound to any MAC address.
When a client requires a fixed IP address, bind an idle IP address in the address pool to the client
MAC address.
NOTE

When the IP address in the global address pool is statically bound to a MAC address, the IP address must be in
the range of IP addresses that can be allocated dynamically.

Step 8 (Optional) Run:


next-server ip-address

The server IP address for DHCP clients is configured.


By default, no server IP address is specified.
Step 9 (Optional) Run:
vpn-instance vpn-instance-name

The IP address pool is bound to a VPN instance.


By default, an IP address pool is not bound to any VPN instance.
Step 10 (Optional) Run:
lock

The IP address pool is locked.


By default, the IP address pool is unlocked.
Step 11 Run:
quit

The system view is displayed.


Step 12 (Optional) Run:
dhcp server bootp

The DHCP server is configured to respond to BOOTP requests.


By default, a DHCP server responds to BOOTP requests.
Step 13 (Optional) Run:
dhcp server bootp automatic

The DHCP server is configured to dynamically allocate IP addresses to BOOTP clients.


By default, the DHCP server does not dynamically allocate IP addresses to BOOTP clients.
When the device functions as the DHCP server, the device can allocate IP addresses to BOOTP
clients if the BOOTP clients reside on the same network as the DHCP server. You can run the
dhcp server bootp automatic command to dynamically allocate IP addresses. You can also run
the static-bind ip-address ip-address mac-address mac-address command to allocate IP
addresses to BOOTP clients in the static binding mode.
----End

3.5.1.2 Configuring an Interface to Use the Global Address Pool


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
NOTE

When the device functions as the DHCP server and the STP function is enabled, address allocation may be slow.
By default, the STP function is enabled. If the STP function is not required, run the undo stp enable command
to disable it.

Step 3 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


When users connected to the interface that has an IP address configured request IP addresses:
- If the router used as the DHCP server is on the same network segment as DHCP clients, and
  no relay agent is deployed between them, the router assigns IP addresses on the same network
  segment as the interface to users who get online from the interface. If the interface is not
  configured with an IP address or no address pool is on the same network segment as the
  interface address, the clients cannot go online.
- If the router used as the DHCP server and DHCP clients are on different network segments,
  and a DHCP relay agent is deployed between them, the router parses the giaddr field of a
  DHCP Request message to obtain an IP address. If the IP address does not match the
  corresponding address pool, the user cannot get online.
Step 5 Run:
dhcp select global

The interface is configured to use the global address pool.


After the configuration is complete, users who get online from this interface can obtain IP
addresses and other configuration parameters from the global address pool.
----End

3.5.1.3 (Optional) Configuring the DNS Service and NetBIOS Service on the DHCP Client

Context
To ensure normal operations of DHCP clients, you can specify the DNS server address and the
NetBIOS server address when the DHCP server assigns an IP address to the DHCP client. If
you do not have the configurations assigned by the carrier, the DHCP server dynamically assigns
the DNS and NetBIOS configurations to the DHCP client.
NOTE

The configuration of the DNS server and NetBIOS server can be obtained statically or dynamically. If both
static and dynamic configurations are available, the static configurations take effect.

NetBIOS: Network Basic Input Output System. When a DHCP client uses the NetBIOS protocol
for communication, host names must be mapped to IP addresses. Based on the modes of
obtaining mappings, NetBIOS nodes are classified into the following types:
- b-node: indicates a node in broadcast mode. This node obtains mappings in broadcast mode.
- p-node: indicates a node in peer-to-peer mode. This node obtains mappings by
  communicating with the NetBIOS server.
- m-node: indicates a node in mixed mode. An m-node is a p-node that has some broadcast
  features.
- h-node: indicates a node in hybrid mode. An h-node is a b-type node enabled with the
  end-to-end communication mechanism.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.


Step 3 Run:
import all

The DNS and NetBIOS configurations used by the DHCP client are dynamically configured.

NOTE

If you want to use a specified DNS server and NetBIOS server, you can statically configure parameters of
the DNS server and NetBIOS server for the DHCP client.

Step 4 Run:
domain-name domain-name

The DNS domain name to be assigned to a DHCP client is configured.


Step 5 Run:
dns-list ip-address &<1-8>

The IP address of the DNS server is configured for a DHCP client.


To load balance the traffic and improve network reliability, configure multiple DNS servers.
Each address pool can be configured with a maximum of eight DNS server addresses.
Step 6 Run:
nbns-list ip-address &<1-8>

The IP address of the NetBIOS server used by the DHCP client is assigned.
Each address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 7 Run:
netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCP client is configured.


By default, no NetBIOS node type is specified for DHCP clients.
----End

3.5.1.4 (Optional) Configuring a Customized DHCP Option for the Global Address Pool
Context
DHCP provides various options. To use these options, add them to the attribute list of the DHCP
server manually. If the DHCP server is configured with the Options field, the DHCP client
obtains the configuration of the Options field from the DHCP packet replied by the DHCP server
when the client requests an IP address from the server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip pool ip-pool-name

The IP address pool view is displayed.


Step 3 Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The customized DHCP option is configured.


After the option command is used, the specified option is carried by the reply message returned
by the DHCP server. Before using this command, ensure that you know the functions of the
option to be configured. For details on DHCP options, see RFC 2132.
----End

3.5.1.5 (Optional) Preventing Repeated IP Address Allocation


Context
Before assigning an address to a client, the router used as the DHCP server needs to ping the IP
address to avoid address conflicts.
After the dhcp server ping command is executed, the DHCP server can prevent repeated IP
address allocation. The DHCP server pings an IP address to be allocated. If there is no response
to the ping packet within a certain period, the DHCP server continues to send ping packets to
this IP address until the number of ping packets reaches the maximum value. If there is still no
response, this IP address is not in use, and the DHCP server allocates the IP address to a client.
Duplicate IP address detection on the DHCP server should not take too long. Otherwise, the client
cannot obtain an IP address. It is recommended that the configured total detection time
(maximum number of ping packets sent × maximum response time) be less than 8 s.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets to be sent by the router is set.


By default, the maximum number of ping packets to be sent by the router is 0. That is, the
router does not ping the IP addresses to be allocated.
Step 3 Run:
dhcp server ping timeout milliseconds

The period in which the router waits for the response is set.
By default, the period in which the router waits for the response is 500 ms.
----End

3.5.1.6 (Optional) Configuring Automatic Saving of DHCP Data


Context
When the device functions as the DHCP server, you can enable automatic saving of DHCP data
so that IP address information is saved to the storage device periodically.
You can configure the device to save DHCP data to the storage device. When a fault occurs,
you can restore data from the storage device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server database enable

The function that saves DHCP data to the storage device is enabled.
By default, DHCP data is not saved to the storage device.
After this command is executed, the system generates the lease.txt and conflict.txt files and
saves them in the dhcp folder of the storage device. The two files save the address lease
information and address conflict information. Run the command display dhcp server
database to check the storage device for saving DHCP data.
Step 3 Run:
dhcp server database write-delay interval

The interval for saving DHCP data is set.


After the device is configured to automatically save DHCP data, the device saves data every
300 seconds by default and the latest data overwrites the previous data.
Step 4 Run:
dhcp server database recover

The DHCP data in the storage device is restored.


After this command is executed, the device restores DHCP data from the storage device during
a restart.
----End
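
The two preceding procedures (duplicate-address detection and automatic saving of DHCP data) leave several defaults that are easy to overlook in a saved configuration. The following audit script is an added example, not Huawei code: it applies the defaults and the 8 s recommendation stated above to configuration text, and the two sample configurations and the finding names are constructed for illustration.

```python
import re

PING_BUDGET_MS = 8000  # guide's recommendation: packets x timeout below 8 s

# Defaults as stated in the guide for an unconfigured DHCP server.
DEFAULTS = {
    "ping_packets": 0,       # 0 means addresses are not pinged before allocation
    "ping_timeout_ms": 500,
    "db_enabled": False,     # lease.txt and conflict.txt are not written
    "write_delay_s": 300,
    "db_recover": False,     # saved data is not restored during a restart
}

# Commands from the guide; a captured group is a numeric argument.
RULES = [
    (re.compile(r"dhcp server ping packet (\d+)"), "ping_packets"),
    (re.compile(r"dhcp server ping timeout (\d+)"), "ping_timeout_ms"),
    (re.compile(r"dhcp server database write-delay (\d+)"), "write_delay_s"),
    (re.compile(r"dhcp server database enable"), "db_enabled"),
    (re.compile(r"dhcp server database recover"), "db_recover"),
]


def effective_settings(config_text):
    """Overlay the commands found in the configuration on the defaults."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, key in RULES:
            match = pattern.fullmatch(line)
            if match:
                # Numeric commands carry one value; the others are switches.
                settings[key] = int(match.group(1)) if match.groups() else True
    return settings


def audit(settings):
    """Return (total detection time in ms, list of finding names)."""
    findings = []
    total_ms = settings["ping_packets"] * settings["ping_timeout_ms"]
    if settings["ping_packets"] == 0:
        findings.append("PING_DISABLED")          # no conflict check at all
    elif total_ms >= PING_BUDGET_MS:
        findings.append("PING_BUDGET_EXCEEDED")   # clients may fail to get an address
    if not settings["db_enabled"]:
        findings.append("LEASES_NOT_SAVED")       # lease state is lost on a fault
    elif not settings["db_recover"]:
        findings.append("NO_RECOVER_ON_RESTART")  # saved but never restored
    return total_ms, findings


# Constructed sample configurations (not taken from a real device).
SLOW_CONFIG = """
sysname AR-constructed
dhcp enable
dhcp server ping packet 10
dhcp server ping timeout 1000
dhcp server database enable
"""

GOOD_CONFIG = """
dhcp enable
dhcp server ping packet 3
dhcp server ping timeout 2000
dhcp server database enable
dhcp server database write-delay 600
dhcp server database recover
"""

if __name__ == "__main__":
    for name, text in (("slow", SLOW_CONFIG), ("good", GOOD_CONFIG), ("empty", "")):
        print(name, audit(effective_settings(text)))
```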

3.5.1.7 (Optional) Configuring the DHCP Server to Trust Option 82


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server trust option82

The router is configured to trust Option 82.


By default, the DHCP server trusts Option 82.
----End

3.5.1.8 Checking the Configuration


Procedure
• Run the display ip pool [ name ip-pool-name [ start-ip-address [ end-ip-address ] | all |
  conflict | expired | used ] ] command to check information about the specified global
  address pool.
• Run the display dhcp server database command to check information about the DHCP
  database.
• Run the display ip pool import all command to check parameters that the DHCP server
  dynamically allocates to the DHCP client, such as DNS parameters.

----End

3.5.2 Configuring a DHCP Server Based on an Interface Address Pool
After a DHCP server based on an interface address pool is configured, only users that go online
from this interface can obtain IP addresses from this address pool.

Pre-configuration Tasks
Before configuring a DHCP server based on an interface address pool, complete the following
tasks:
• Ensuring that the link between the DHCP client and the device works properly and the
  DHCP client can communicate with the device
• (Optional) Configuring the DNS server
• (Optional) Configuring the NetBIOS server
• Configuring routes from the device to the DNS server and the NetBIOS server (The routes
  are required only when the servers are configured.)

3.5.2.1 Configuring an Interface Address Pool


Context
The interface address pool attributes include the IP address lease, IP addresses not to be
automatically allocated, and IP addresses to be statically bound to MAC addresses. IP addresses
in the interface address pool can be assigned dynamically or bound manually as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
NOTE

When the device functions as the DHCP server and the STP function is enabled, address allocation may be slow.
By default, the STP function is enabled. If the STP function is not required, run the undo stp enable command
to disable it.

Step 3 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 4 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


Step 5 Run:
dhcp select interface

The interface is configured to use the interface address pool.


The interface address pool is actually the network segment to which the interface belongs, and
such an interface address pool only applies to this interface.
Step 6 (Optional) Run:
dhcp server lease { day day [ hour hour [ minute minute ] ] | unlimited }

The IP address lease is set.


By default, the IP address lease is one day.
Step 7 (Optional) Run:
dhcp server excluded-ip-address start-ip-address [ end-ip-address ]

The IP addresses that cannot be automatically allocated in the interface address pool are
configured.
Some IP addresses in the interface address pool are reserved for other services, for example, the
IP address of the DNS server cannot be allocated to clients. If you run this command multiple
times, you can set multiple IP address ranges that cannot be automatically allocated in the DHCP
address pool.
Step 8 (Optional) Run:
dhcp server static-bind ip-address ip-address mac-address mac-address

An IP address in the interface address pool is statically bound to the MAC address of a DHCP
client.
When a client requires a fixed IP address, bind an idle IP address in the address pool to the client
MAC address.
NOTE

When the IP address in the interface address pool is statically bound to a MAC address, the IP address must be
in the range of IP addresses that can be allocated dynamically.

Step 9 Run:
dhcp server next-server ip-address

The IP address of a server is configured for the client after the client automatically obtains the
IP address.
By default, the IP address of a server is not configured for the client after the client automatically
obtains the IP address.
Step 10 Run:
quit

The system view is displayed.


Step 11 (Optional) Run:
dhcp server bootp

The DHCP server is configured to respond to BOOTP requests.


By default, a DHCP server responds to BOOTP requests.
Step 12 (Optional) Run:
dhcp server bootp automatic

The DHCP server is configured to dynamically allocate IP addresses to BOOTP clients.


By default, a DHCP server does not dynamically allocate IP addresses to BOOTP clients.
When the device functions as the DHCP server, the device can allocate IP addresses to BOOTP
clients if the BOOTP clients reside on the same network as the DHCP server. You can run the
dhcp server bootp automatic command to dynamically allocate IP addresses. You can also run
the dhcp server static-bind ip-address ip-address mac-address mac-address command to
allocate IP addresses to BOOTP clients in the static binding mode.
----End

3.5.2.2 (Optional) Configuring the DNS Service and NetBIOS Service on the DHCP Client
Context
The DNS and NetBIOS configurations must be specified before the DHCP server assigns IP
addresses to the DHCP client. If you do not have the configurations assigned by the carrier, the
DHCP server dynamically assigns the DNS and NetBIOS configurations to the DHCP client.
NOTE

When both dynamic and static configurations of DNS and NetBIOS are available in the IP address pool,
the static configurations take effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 3 Run:
dhcp server import all

The DNS and NetBIOS configurations used by the DHCP client are dynamically configured.
NOTE

If you want to use a specified DNS server and NetBIOS server, you can statically configure parameters of
the DNS server and NetBIOS server for the DHCP client.

Step 4 Run:
dhcp server domain-name domain-name

The DNS domain name is assigned to the DHCP client.


Step 5 Run:
dhcp server dns-list ip-address &<1-8>

The IP address of the DNS server is assigned to the DHCP client.


Each address pool can be configured with a maximum of eight DNS server addresses.
Step 6 Run:
dhcp server nbns-list ip-address &<1-8>

The IP address of the NetBIOS server used by the DHCP client is assigned.
Each address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 7 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }

The NetBIOS node type of the DHCP client is configured.


By default, no NetBIOS node type is specified for DHCP clients.
----End

3.5.2.3 (Optional) Configuring a Customized DHCP Option for an Interface Address Pool
Context
DHCP provides various options. To use these options, add them to the attribute list of the DHCP
server manually.
When a DHCP client requests an IP address from the DHCP server configured with the Options
field, the server returns a DHCP Reply message containing the Options field.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 3 Run:
dhcp server option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }

The customized DHCP option is configured.


After the dhcp server option command is run, the specified option is carried by the DHCP
Reply message returned by the DHCP server. Before using this command, ensure that you know
the functions of the option to be configured. For details on DHCP options, see RFC 2132.
----End

3.5.2.4 (Optional) Preventing Repeated IP Address Allocation


Context
Before assigning an address to a client, the router used as the DHCP server needs to ping the IP
address to avoid address conflicts.
After the dhcp server ping command is executed, the DHCP server can prevent repeated IP
address allocation. The DHCP server pings an IP address to be allocated. If there is no response
to the ping packet within a certain period, the DHCP server continues to send ping packets to
this IP address until the number of ping packets reaches the maximum value. If there is still no
response, this IP address is not in use, and the DHCP server allocates the IP address to a client.
Duplicate IP address detection on the DHCP server should not take too long. Otherwise, the client
cannot obtain an IP address. It is recommended that the configured total detection time
(maximum number of ping packets sent × maximum response time) be less than 8 s.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server ping packet number

The maximum number of ping packets to be sent by the router is set.


By default, the maximum number of ping packets to be sent by the router is 0. That is, the
router does not ping the IP addresses to be allocated.
Step 3 Run:
dhcp server ping timeout milliseconds

The period in which the router waits for the response is set.
By default, the period in which the router waits for the response is 500 ms.
----End

3.5.2.5 (Optional) Configuring Automatic Saving of DHCP Data


Context
When the device functions as the DHCP server, you can enable automatic saving of DHCP data
so that IP address information is saved to the storage device periodically.
You can configure the device to save DHCP data to the storage device. When a fault occurs,
you can restore data from the storage device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server database enable

The function that saves DHCP data to the storage device is enabled.
By default, DHCP data is not saved to the storage device.
After this command is executed, the system generates the lease.txt and conflict.txt files and
saves them in the dhcp folder of the storage device. The two files save the address lease
information and address conflict information. Run the command display dhcp server
database to check the storage device for saving DHCP data.
Step 3 Run:
dhcp server database write-delay interval

The interval for saving DHCP data is set.


After the device is configured to automatically save DHCP data, the device saves data every
300 seconds by default and the latest data overwrites the previous data.
Step 4 Run:
dhcp server database recover

The DHCP data in the storage device is restored.


After this command is executed, the device restores DHCP data from the storage device during
a restart.
----End

3.5.2.6 (Optional) Configuring the DHCP Server to Trust Option 82


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server trust option82

The router is configured to trust Option 82.


By default, the DHCP server trusts Option 82.
----End

3.5.2.7 Checking the Configuration


Procedure
• Run the display ip pool [ interface interface-pool-name [ start-ip-address [ end-ip-address ] |
  all | conflict | expired | used ] ] command to view information about the IP
  address pool.

----End

3.5.3 Configuring a DHCP Relay Agent


By using a DHCP relay agent, a DHCP client can communicate with a DHCP server on another
network segment to obtain an IP address and other configuration information.

Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:
• Configuring a DHCP server
• Configuring a route from the device used as the DHCP relay agent to the DHCP server

Configuration Process
Figure 3-12 shows the configuration process.

Figure 3-12 DHCP relay agent configuration process
[Flowchart: Configuring DHCP Relay on an Interface, followed by either Configuring a Destination
DHCP Server Group and Binding an Interface to a DHCP Server Group, or Configure the destination
DHCP server address]

3.5.3.1 Configuring DHCP Relay on an Interface


Context
When the network where a DHCP client resides does not have a DHCP server, a DHCP relay
agent can be configured to forward DHCP messages of the client to a DHCP server.
NOTE

A DHCP message is forwarded between a DHCP client and a DHCP server at most 16 times, and then the
DHCP message is discarded.
If DHCP relay is enabled in a super-VLAN, DHCP snooping cannot be enabled in this super-VLAN.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
NOTE

When the device functions as a DHCP relay agent and the STP function is enabled, address allocation may be
slow. By default, the STP function is enabled. If the STP function is not required, run the undo stp enable
command to disable it.

Step 3 (Optional) Run:


ip relay address cycle

The DHCP server polling function on a DHCP relay agent is enabled.


By default, the DHCP server polling function is disabled on the DHCP relay agent.
Step 4 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 5 Run:
ip address ip-address { mask | mask-length }

An IP address is assigned to the interface.


Step 6 Run:
dhcp select relay

The DHCP relay function is enabled on the interface.


NOTE

When the DHCP relay function is enabled on a sub-interface, run the arp broadcast enable command to enable
the ARP broadcast function on the sub-interface. By default, ARP broadcast is disabled on a VLAN tag
termination sub-interface.

Step 7 Run:
quit

Return to the system view.


Step 8 (Optional) Run:
dhcp relay trust option82

The device is configured to trust Option 82.


By default, the device does not discard DHCP messages that carry Option 82 and whose giaddr
field is 0.
----End

Follow-up Procedure
When the DHCP relay function is enabled on an interface, specify the DHCP server IP address
on the interface in either of the following ways:
• Configure a destination DHCP server group and bind the group to the interface. For details,
  see 3.5.3.2 Configuring a Destination DHCP Server Group and 3.5.3.3 Binding an
  Interface to a DHCP Server Group.
• Run the dhcp relay server-ip ip-address command in the interface view to configure the
  destination DHCP server address.
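
The giaddr-based pool match described earlier for the global address pool, and the relay checks in this section (the 16-forward limit and Option 82 arriving with giaddr 0), can both be traced on a raw DHCP message. The following is an added illustration, not Huawei's implementation: the pool names, addresses and message bytes are constructed, and the hops >= 16 comparison and the drop behaviour when Option 82 trust is disabled (taken from RFC 3046) are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # start of the options field (RFC 2131)
MAX_HOPS = 16                            # forwarding limit from the NOTE in 3.5.3.1
ZERO = ipaddress.IPv4Address("0.0.0.0")

# Constructed global address pools.
POOLS = {
    "pool-local": ipaddress.ip_network("10.1.1.0/24"),
    "pool-branch": ipaddress.ip_network("10.1.2.0/24"),
}


def build_message(hops, giaddr, options):
    """Build a constructed client-to-server DHCP message for the demo."""
    head = struct.pack("!BBBB", 1, 1, 6, hops)    # op, htype, hlen, hops
    head += bytes(20)                             # xid, secs, flags, ciaddr, yiaddr, siaddr
    head += ipaddress.IPv4Address(giaddr).packed  # giaddr sits at offset 24
    head += bytes(208)                            # chaddr, sname, file
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + tlvs + b"\xff"


def parse_dhcp(packet):
    """Parse hops, giaddr and the option TLVs of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hops = packet[3]
    giaddr = ipaddress.IPv4Address(packet[24:28])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"hops": hops, "giaddr": giaddr, "options": options}


def select_pool(msg, pools, interface_ip):
    """Server side: match giaddr (or the receiving interface address when
    giaddr is 0) against the pools; None means the client cannot go online."""
    key = msg["giaddr"] if msg["giaddr"] != ZERO else ipaddress.IPv4Address(interface_ip)
    matches = [(net.prefixlen, name) for name, net in pools.items() if key in net]
    return max(matches)[1] if matches else None


def relay_decision(msg, trust_option82=True):
    """Relay side: decide whether a client-facing message is forwarded."""
    if msg["hops"] >= MAX_HOPS:
        return "drop: hop limit reached"
    if not trust_option82 and 82 in msg["options"] and msg["giaddr"] == ZERO:
        # Option 82 already present although no relay has set giaddr.
        return "drop: Option 82 from client side"
    return "forward"


if __name__ == "__main__":
    relayed = parse_dhcp(build_message(1, "10.1.2.1", [(53, b"\x03")]))
    print(select_pool(relayed, POOLS, "10.1.1.1"))
    spoofed = parse_dhcp(build_message(0, "0.0.0.0", [(53, b"\x01"), (82, b"\x01\x04test")]))
    print(relay_decision(spoofed, trust_option82=False))
```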

3.5.3.2 Configuring a Destination DHCP Server Group


Context
After a DHCP server group is created and server IP addresses are added to the group, the
router used as the DHCP relay agent can forward messages to multiple servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp server group group-name

A DHCP server group is created and the DHCP server group view is displayed.
You can configure a maximum of 64 DHCP server groups in the system, and a maximum of 8
DHCP servers in a DHCP server group.
Step 3 Run:
dhcp-server ip-address [ ip-address-index ]

A DHCP server is added to a DHCP server group.


A maximum of 8 DHCP servers can be added to a DHCP server group.
Step 4 (Optional) Run:
gateway ip-address

A gateway address is configured for the DHCP server.


Step 5 (Optional) Run:
vpn-instance vpn-instance-name

The DHCP server group is bound to the created VPN instance.


----End

3.5.3.3 Binding an Interface to a DHCP Server Group


Context
After the DHCP relay function is enabled on an interface, bind a DHCP server group to the
interface so that DHCP clients can access DHCP servers in the bound server group.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 3 Run:
dhcp relay server-select group-name

A DHCP server group is bound to the interface.


One interface can be configured with only one DHCP server group.
----End

3.5.3.4 (Optional) Configuring the DHCP Relay Agent to Send DHCP Release Messages
Context
If a user is forcibly disconnected, you can manually release the IP address assigned to the user
on the DHCP server. You can configure the DHCP relay agent to actively send DHCP Release
messages to the DHCP server. The DHCP server then releases the specified IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Run:
interface interface-type interface-number [.subinterface-number ]

The interface or sub-interface view is displayed.


Step 3 Run:
dhcp relay release client-ip-address mac-address [ vpn-instance vpn-instance-name ]
[ server-ip-address ]

The DHCP relay agent is configured to send DHCP Release messages to the DHCP server.
• When you use the dhcp relay release command in the system view:
  - If no DHCP server is specified, the DHCP relay agent will send DHCP Release messages
    to the servers in all DHCP server groups bound to the DHCP relay interfaces.
  - If a DHCP server is specified, the DHCP relay agent sends DHCP Release messages to
    only the specified DHCP server.
• When you use the dhcp relay release command in the interface view:
  - If no DHCP server is specified, the DHCP relay agent will send DHCP Release messages
    to all the servers in the DHCP server group bound to this interface.
  - If a DHCP server is specified, the DHCP relay agent sends DHCP Release messages to
    only the specified DHCP server.
NOTE

vpn-instance is not available in interface view.

----End

3.5.3.5 Checking the Configuration


Procedure
• Run the display dhcp relay { all | interface interface-type interface-number } command
  to view the DHCP server group or the DHCP servers on the DHCP relay interface.
• Run the display dhcp server group [ group-name ] command to view the DHCP server
  group configuration.

----End

3.5.4 Configuring the DHCP/BOOTP Client Function


When the DHCP/BOOTP client function is configured on a Layer 3 interface of the router, the
router dynamically obtains IP addresses and other network configuration parameters from the
DHCP server.

Pre-configuration Tasks
Before configuring the DHCP/BOOTP client function, complete the following tasks:
• Configuring a DHCP server
• (Optional) Configuring a DHCP relay agent
• Configuring a route from the router to the DHCP relay agent or server

3.5.4.1 (Optional) Configuring the DHCP/BOOTP Client Attributes


Context
The DHCP/BOOTP client attributes facilitate communication between the DHCP/BOOTP client
and the DHCP server.

Procedure
• Configuring DHCP client attributes


1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

DHCP is enabled.
3.

Run:
dhcp client class-id class-id

The Option60 field in the DHCP request packet sent by the DHCP client is set.
By default, the value of the Option60 field depends on the device type and
is huawei-device name. The device name is configured using the sysname command.
4.

Run:
interface interface-type interface-number

The interface view is displayed.


5.

Run:
dhcp client hostname hostname

A host name for a DHCP client is configured.


6.

Run:
dhcp client client-id client-id

The identifier for a DHCP client is set.


7.

Run:
dhcp client class-id class-id

The Option60 field in the DHCP request packet sent by the DHCP client is set.
8.

Run:
dhcp client gateway-detect period period retransmit retransmit timeout time

DHCP client gateway detection is configured.


By default, gateway detection is disabled on a DHCP client.
9.

Run:
dhcp client expected-lease time

The expected lease of a DHCP client is configured.


By default, expected lease is disabled on the DHCP client.
• Configuring BOOTP client attributes


1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

DHCP is enabled.
3.

Run:
interface interface-type interface-number

The interface view is displayed.


4.

Run:
dhcp client hostname hostname

A host name for a BOOTP client is configured.


----End

3.5.4.2 (Optional) Configuring the DHCP Server to Deliver Routing Entries to a DHCP Client
Context
After a DHCP client sends a DHCP Request message, the DHCP server assigns an IP address
and other configuration parameters to the client. The DHCP server can also deliver routing
entries to a DHCP client to dynamically update the routing table on the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip route ip-address { mask | mask-length } interface-type interface-number dhcp
[ preference-value ]

A routing entry delivered by the DHCP server to a DHCP client is configured.


By default, no routing entry is delivered by the DHCP server to a DHCP client.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
dhcp client default-route preference preference-value

The priority of the routing entry delivered by the DHCP server to a DHCP client is set.
By default, the priority of the routing entry delivered by the DHCP server to a DHCP client is
60.
----End

3.5.4.3 Enabling the DHCP/BOOTP Client Function


Context
The DHCP/BOOTP client function enables an interface to obtain an IP address and other
configurations from the DHCP server.

Procedure
• Enabling the DHCP client function


1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

DHCP is enabled.
3.

Run:
interface interface-type interface-number

The interface view is displayed.


4.

Run:
ip address dhcp-alloc

The DHCP client function is enabled on the router.


• Enabling the BOOTP client function


1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

DHCP is enabled.
3.

Run:
interface interface-type interface-number

The interface view is displayed.


4.

Run:
ip address bootp-alloc

The BOOTP client function is enabled on the router.


----End

3.5.4.4 Checking the Configuration


Procedure
• Run the display this command on the interface enabled with the DHCP client function to
  view configurations of DHCP/BOOTP clients.
• Run the display dhcp client command to view the DHCP/BOOTP client information.

----End

3.5.5 Configuring the DHCP Rate Limit Function


To prevent an attacker from sending a large number of DHCP messages, you can configure the
DHCP rate limit function on the device to check DHCP messages and limit the rate at which
they are sent to the protocol stack. Only a certain number of DHCP messages can be sent to the
protocol stack during a certain period. Excessive DHCP messages are discarded.
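
Where the limit is applied decides whose messages are discarded during a flood. The sketch below is an added example, not Huawei's implementation: it assumes a fixed one-second counting window and one independent counter per system, VLAN or interface, and it runs constructed traffic (interface names, VLAN IDs and timings are made up) through the 100 pps default that this guide gives for the system view.

```python
from collections import defaultdict

DEFAULT_RATE_PPS = 100  # default stated in the guide for the system view


def admit(messages, rate_pps, scope):
    """Return the messages that would reach the protocol stack.

    messages: (timestamp_s, interface, vlan, sender) tuples.
    scope:    "system", "vlan" or "interface", i.e. where the limit applies.
    """
    index = {"system": None, "interface": 1, "vlan": 2}[scope]
    seen = defaultdict(int)
    passed = []
    for msg in sorted(messages):
        bucket = "all" if index is None else msg[index]
        window = (int(msg[0]), bucket)   # one counter per second per bucket
        if seen[window] < rate_pps:
            seen[window] += 1
            passed.append(msg)
        # Anything above the rate inside the window is discarded.
    return passed


def constructed_traffic():
    """One second of traffic: a flood on one port, five clients on another."""
    flood = [(i / 1000, "GE0/0/1", 10, "flood") for i in range(1000)]
    legit = [(0.5 + i / 10, "GE0/0/2", 20, "client") for i in range(5)]
    return flood + legit


def summary(scope, rate_pps=DEFAULT_RATE_PPS):
    """Count admitted messages per sender for the chosen scope."""
    counts = defaultdict(int)
    for msg in admit(constructed_traffic(), rate_pps, scope):
        counts[msg[3]] += 1
    return {"flood": counts["flood"], "client": counts["client"]}


if __name__ == "__main__":
    for scope in ("system", "vlan", "interface"):
        print(scope, summary(scope))
```

With a single system-wide counter the flood uses up the budget before the genuine clients are seen, so their requests are discarded too. A counter per VLAN or per interface confines the loss to the flooding port.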

Pre-configuration Tasks
Before limiting the rate of sending packets, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Procedure
• Configure the highest rate at which DHCP packets are sent to the protocol stack in the
  system view.

1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

The DHCP function is enabled.


3.

Run:
dhcp check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

The DHCP message checking is enabled.


By default, this function is disabled.
4.

Run:
dhcp check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the rate does not exceed 100 pps. The DHCP messages that exceed the
rate are discarded.
- Configure the highest rate at which DHCP packets are sent to the protocol stack in the
  VLAN view.
1.

Run:
system-view

The system view is displayed.


2.

Run:
dhcp enable

The DHCP function is enabled.


3.

Run:
vlan vlan-id

The VLAN view is displayed.


4.

Run:
dhcp check dhcp-rate enable

The DHCP message checking is enabled.


By default, this function is disabled.
5.

Run:
dhcp check dhcp-rate rate

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the checking rate of DHCP messages sent to the DHCP protocol stack is
not configured.
- Configure the highest rate at which DHCP packets are sent to the protocol stack in the
  interface view.
1.

Run:
system-view

The system view is displayed.


2.

Run:
interface interface-type interface-number

The interface view is displayed.


The DHCP message checking function can only be enabled on Layer 2 interfaces,
including Layer 2 GE interfaces, Layer 2 Ethernet interfaces, and Layer 2 Eth-Trunk
interfaces.
3.

Run:
dhcp check dhcp-rate enable

The DHCP message checking is enabled.


By default, this function is disabled.
4.

Run:
dhcp check dhcp-rate rate

The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the checking rate of DHCP messages sent to the DHCP protocol stack is
not configured.
5.

(Optional) Run:
dhcp alarm dhcp-rate enable

The DHCP message checking alarm on an interface is enabled.


By default, this function is disabled.
6.

(Optional) Run:
dhcp alarm dhcp-rate threshold threshold

The alarm threshold for the DHCP message checking on an interface is configured.
By default, the alarm threshold for the DHCP message checking on an interface is not
configured.
NOTE

You can set the maximum rate of sending DHCP messages globally, in a VLAN, or on an interface.
If the maximum rate is set globally, in a VLAN, and on an interface simultaneously, the
settings take effect in descending order of priority: on the interface, in the VLAN, and
globally.

----End
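
The precedence in the NOTE above (interface, then VLAN, then global) can be checked offline against a saved configuration. The following Python script is an added example, not part of the Huawei guide: the function names, the `vlan <id>` stanza layout, the saved form of the system-view `vlan` option, and the rule that a scope with checking enabled but no rate falls through to the next scope are all assumptions; only the global 100 pps default comes from the text.

```python
import re

DEFAULT_GLOBAL_PPS = 100  # from the guide: global ceiling once checking is enabled

# Constructed sample. The stanza layout and the saved form of the system-view
# "vlan" option are assumptions derived from the command syntax in this section.
SAMPLE_CONFIG = """\
#
sysname RouterA
#
vlan batch 10 to 12 20
#
dhcp enable
dhcp check dhcp-rate enable vlan 10 to 12
dhcp check dhcp-rate 50 vlan 10 to 12
#
interface Ethernet2/0/0
 port hybrid pvid vlan 10
 dhcp check dhcp-rate enable
 dhcp check dhcp-rate 20
#
interface Ethernet2/0/1
 port hybrid pvid vlan 11
#
interface Ethernet2/0/2
 port hybrid pvid vlan 20
#
return
"""


def parse_vlan_list(tokens):
    """Expand 'vlan-id1 [ to vlan-id2 ]' groups, e.g. ['10', 'to', '12', '20']."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def _scope():
    return {"enabled": False, "rate": None}


def parse_config(text):
    """Collect rate-limit settings per scope: global, per VLAN, per interface."""
    cfg = {"dhcp": False, "global": _scope(), "vlans": {}, "ifaces": {}}
    current, iface = cfg["global"], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):          # '#' closes the current stanza
            current, iface = cfg["global"], None
        elif m := re.fullmatch(r"interface\s+(.+)", line):
            name = m.group(1).replace(" ", "")
            iface = cfg["ifaces"].setdefault(name, {**_scope(), "pvid": None})
            current = iface
        elif m := re.fullmatch(r"vlan\s+(\d+)", line):
            current, iface = cfg["vlans"].setdefault(int(m.group(1)), _scope()), None
        elif m := re.fullmatch(r"port hybrid pvid vlan (\d+)", line):
            if iface is not None:
                iface["pvid"] = int(m.group(1))
        elif line == "dhcp enable":
            cfg["dhcp"] = True
        elif m := re.fullmatch(r"dhcp check dhcp-rate (enable|\d+)(?:\s+vlan\s+(.+))?", line):
            targets = [current]
            if m.group(2):                   # system-view form that names VLANs
                targets = [cfg["vlans"].setdefault(v, _scope())
                           for v in parse_vlan_list(m.group(2).split())]
            for scope in targets:
                if m.group(1) == "enable":
                    scope["enabled"] = True
                else:
                    scope["rate"] = int(m.group(1))
    return cfg


def effective_limit(cfg, ifname):
    """Return (scope, pps) for the limit that applies to a port, or None."""
    iface = cfg["ifaces"][ifname]
    vlan = cfg["vlans"].get(iface["pvid"], _scope())
    for name, scope, default in (("interface", iface, None),
                                 ("vlan", vlan, None),
                                 ("global", cfg["global"], DEFAULT_GLOBAL_PPS)):
        rate = scope["rate"] if scope["rate"] is not None else default
        if scope["enabled"] and rate is not None:
            return name, rate
    return None


def audit(cfg):
    """List Layer 2 ports (those with a PVID line) left without any DHCP rate limit."""
    findings = [] if cfg["dhcp"] else ["dhcp enable is missing"]
    for name, iface in sorted(cfg["ifaces"].items()):
        if iface["pvid"] is not None and effective_limit(cfg, name) is None:
            findings.append(f"{name}: no DHCP rate limit in effect")
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for port in sorted(parsed["ifaces"]):
        print(port, effective_limit(parsed, port))
    print(audit(parsed))
```
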

3.6 Maintaining DHCP


After DHCP configurations are complete, you can clear DHCP statistics and monitor DHCP
operation.

3.6.1 Clearing DHCP Statistics


Context
During routine maintenance, you can use the reset commands to clear DHCP statistics.

NOTICE
DHCP statistics cannot be restored after they are cleared. Exercise caution when running the
reset commands.

Procedure
- Run the reset dhcp server statistics command in the user view to clear DHCP server
  statistics.

- Run the reset dhcp statistics command in the user view to clear the DHCP message
  statistics.

- Run the reset dhcp relay statistics [ server-group group-name ] command in the user
  view to clear DHCP relay agent statistics.

- Run the reset dhcp client statistics [ interface interface-type interface-number ]
  command in the user view to clear DHCP client statistics.

----End

3.6.2 Clearing the DHCP Address Pool


Procedure
- Run the reset ip pool { interface interface-name | name ip-pool-name } { low-ip-address
  [ high-ip-address ] | all | conflict | expired | used } command to reset the configured
  IP address pool on the device.

- Run the reset ip pool import { all | dns | domain-name | nbns } command to clear the
  configuration parameters of the DHCP address pool.

----End

3.6.3 Monitoring DHCP Operation


Context
DHCP packet statistics contain only the number of packets received and sent by the DHCP
module.

Procedure
- Run the display dhcp statistics command to view DHCP message statistics.

- Run the display dhcp client statistics [ interface interface-type interface-number ]
  command to view statistics on the DHCP Client.

- Run the display dhcp relay statistics [ server-group group-name ] command to view
  statistics on the DHCP Relay Agent.

- Run the display dhcp server statistics command to view statistics on the DHCP Server.

----End

3.7 Configuration Examples


This section provides DHCP configuration examples including networking requirements and
configuration roadmap.

3.7.1 Example for Configuring a DHCP Server Based on the Global Address Pool

Networking Requirements
As shown in Figure 3-13, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/25 and added to VLAN 10. Hosts
in Office1 only use the DNS service with a lease of ten days. All the hosts in Office2 are on the
network segment 10.1.1.128/25 and added to VLAN 20. Hosts in Office2 use the DNS service
and NetBIOS service with a lease of two days.
You can configure a global address pool on the router and enable the server to dynamically
assign IP addresses to hosts in the two offices.

Figure 3-13 Networking diagram for configuring a DHCP server based on the global address pool
[Figure: Router (DHCP server) connects to Office 1 (network 10.1.1.0/25; DNS server
10.1.1.2/25, NetBIOS server 10.1.1.4/25, DHCP clients) through Ethernet2/0/0 (VLANIF10,
10.1.1.1/25) and to Office 2 (network 10.1.1.128/25; DHCP clients) through Ethernet2/0/1
(VLANIF20, 10.1.1.129/25).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create two global address pools on the router and set attributes of the pools. Assign IP
   addresses to Office1 and Office2 as required.

2. Configure VLANIF interfaces to use the global address pool to assign IP addresses to
   clients.

Procedure
Step 1 Enable DHCP.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable

Step 2 Create address pools and set the attributes of the address pools.
# Set the attributes of IP address pool 1, including the address pool range, DNS server address,
gateway address, and address lease.
[Router] ip pool pool1
[Router-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.128
[Router-ip-pool-pool1] dns-list 10.1.1.2
[Router-ip-pool-pool1] gateway-list 10.1.1.1
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.2
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.4
[Router-ip-pool-pool1] lease day 10
[Router-ip-pool-pool1] quit

# Set the attributes of IP address pool 2, including the address pool range, DNS server address,
egress gateway address, NetBIOS server address, and address lease.
[Router] ip pool pool2
[Router-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Router-ip-pool-pool2] dns-list 10.1.1.2
[Router-ip-pool-pool2] nbns-list 10.1.1.4
[Router-ip-pool-pool2] gateway-list 10.1.1.129
[Router-ip-pool-pool2] lease day 2
[Router-ip-pool-pool2] quit

Step 3 Set the address assignment mode on the VLANIF interfaces.


# Add Ethernet 2/0/0 and Ethernet 2/0/1 to the corresponding VLANs.
[Router] vlan batch 10 20
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid pvid vlan 10
[Router-Ethernet2/0/0] port hybrid untagged vlan 10
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port hybrid pvid vlan 20
[Router-Ethernet2/0/1] port hybrid untagged vlan 20
[Router-Ethernet2/0/1] quit

# Configure clients on VLANIF 10 to obtain IP addresses from the global address pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit

# Configure clients on VLANIF 20 to obtain IP addresses from the global address pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Router-Vlanif20] dhcp select global
[Router-Vlanif20] quit

Step 4 Verify the configuration.


# Run the display ip pool command on the router to view the IP address pool configuration.
[Router] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.1
  Mask           : 255.255.255.128
  VPN instance   : --
  -----------------------------------------------------------------------
  Pool-name      : pool2
  Pool-No        : 1
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.129
  Mask           : 255.255.255.128
  VPN instance   : --

  IP address Statistic
    Total       :250
    Used        :0          Idle        :248
    Expired     :0          Conflict    :0          Disable   :2

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
lease day 10 hour 0 minute 0
dns-list 10.1.1.2
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.1.2
nbns-list 10.1.1.4
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface Ethernet 2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 2/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

3.7.2 Example for Configuring a DHCP Server Based on the Interface Address Pool

Networking Requirements
A DHCP server can assign IP addresses for clients on the same network segment using an
interface address pool.
As shown in Figure 3-14, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/24 and added to VLAN 10. Hosts
in Office1 use the DNS service and NetBIOS service with a lease of three days. All the hosts in
Office2 are on the network segment 10.1.2.0/24 and added to VLAN 20. Hosts in Office2 do
not use the DNS service or NetBIOS service. The lease of the IP address is two days.

Figure 3-14 Networking diagram for configuring a DHCP server based on the interface address
pool
[Figure: Router (DHCP server) connects to Office1 (DNS server 10.1.1.2/24, NetBIOS server
10.1.1.3/24, DHCP clients) through Ethernet2/0/0 (VLANIF10, 10.1.1.1/24) and to Office2
(DHCP clients) through Ethernet2/0/1 (VLANIF20, 10.1.2.1/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create two interface address pools on the router and set attributes of the address pool.
   Configure the interface address pools to enable the DHCP server to assign IP addresses and
   configuration parameters to hosts from different interface address pools.

2. Configure VLANIF interfaces to assign IP addresses to hosts from the interface address
   pool.

Procedure
Step 1 Enable DHCP.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable

Step 2 Set the address assignment mode on the VLANIF interfaces.


# Add Ethernet 2/0/0 and Ethernet 2/0/1 to the corresponding VLANs.
[Router] vlan batch 10 20
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid pvid vlan 10
[Router-Ethernet2/0/0] port hybrid untagged vlan 10
[Router-Ethernet2/0/0] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port hybrid pvid vlan 20
[Router-Ethernet2/0/1] port hybrid untagged vlan 20
[Router-Ethernet2/0/1] quit

# Configure clients on VLANIF 10 to obtain IP addresses from the interface address pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Router-Vlanif10] dhcp select interface
[Router-Vlanif10] quit

# Configure clients on VLANIF 20 to obtain IP addresses from the interface address pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Router-Vlanif20] dhcp select interface
[Router-Vlanif20] quit

Step 3 Configure the DNS service and NetBIOS service for the interface address pool.
# Configure the DNS service and NetBIOS service for the interface address pool on VLANIF
10.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp server domain-name huawei.com
[Router-Vlanif10] dhcp server dns-list 10.1.1.2
[Router-Vlanif10] dhcp server nbns-list 10.1.1.3
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[Router-Vlanif10] dhcp server netbios-type b-node

Step 4 Set IP address leases of IP address pools.


# Set the IP address lease in Office1 to 3 days.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp server lease day 3
[Router-Vlanif10] quit

# Set the IP address lease in Office2 to 2 days.


[Router] interface vlanif 20
[Router-Vlanif20] dhcp server lease day 2
[Router-Vlanif20] quit

Step 5 Verify the configuration.


Run the display ip pool interface command on the router to view configurations of interface
address pools.
[Router] display ip pool interface vlanif10
  Pool-name      : vlanif10
  Pool-No        : 0
  Lease          : 3 Days 0 Hours 0 Minutes
  Domain-name    : huawei.com
  DNS-Server0    : 10.1.1.2
  NBNS-Server0   : 10.1.1.3
  Netbios-type   : b-node
  Position       : Interface
  Status         : Unlocked
  Gateway-0      : 10.1.1.1
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
  Start           End             Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
  10.1.1.1        10.1.1.254      253    0     251(0)         0         2
 -----------------------------------------------------------------------------
[Router] display ip pool interface vlanif20
  Pool-name      : vlanif20
  Pool-No        : 1
  Lease          : 2 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-Server0    : -
  NBNS-Server0   : -
  Netbios-type   : -
  Position       : Interface
  Status         : Unlocked
  Gateway-0      : 10.1.2.1
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
  Start           End             Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
  10.1.2.1        10.1.2.254      253    0     253(0)         0         0
 -----------------------------------------------------------------------------

----End

Example
Configuration file of the router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
dhcp server lease day 3 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server domain-name huawei.com
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 2 hour 0 minute 0
#
interface Ethernet 2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 2/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return

3.7.3 Example for Configuring a DHCP Server and a DHCP Relay Agent

Networking Requirements
When the DHCP server and clients are on different network segments, a DHCP relay agent is
required.
As shown in Figure 3-15, an enterprise has multiple offices, which are distributed in different
office buildings. The offices in different buildings belong to different VLANs. The enterprise
uses RouterB, which functions as the DHCP server, to assign IP addresses to hosts in different
offices.
Hosts in OfficeA are on 20.20.20.0/24 and the DHCP server is on 100.10.10.0/24. By using
RouterA enabled with DHCP relay, the DHCP clients can obtain IP addresses from the DHCP
server.
On RouterA, the public address of GE1/0/0 is 100.10.20.1/24 and the interface address of
RouterA connected to the carrier device is 100.10.20.2/24.
On RouterB, the public address of GE1/0/0 is 100.10.10.1/24 and the interface address of
RouterB connected to the carrier device is 100.10.10.2/24.
Figure 3-15 DHCP relay agent
[Figure: RouterB (DHCP server, GE1/0/0 100.10.10.1/24) and RouterA (DHCP relay, GE1/0/0
100.10.20.1/24) are connected through the Internet. RouterA connects to the DHCP clients of
OfficeA in VLAN100 through Ethernet2/0/0 (VLANIF100, 20.20.20.1/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP relay on RouterA to enable RouterA to forward DHCP messages from
   different network segments.

2. Configure a global address pool at 20.20.20.0/24 to enable the DHCP server to assign IP
   addresses to clients on different network segments.

Procedure
Step 1 Configure DHCP relay on RouterA.
1. Create a DHCP server group and add DHCP servers to the group.
# Create a DHCP server group.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp server group dhcpgroup1

# Add a DHCP server to the DHCP server group.


[RouterA-dhcp-server-group-dhcpgroup1] dhcp-server 100.10.10.1
[RouterA-dhcp-server-group-dhcpgroup1] quit

2. Enable DHCP relay on the interface.


# Create a VLAN and add Ethernet2/0/0 to the VLAN.
[RouterA] vlan batch 100
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port hybrid pvid vlan 100
[RouterA-Ethernet2/0/0] port hybrid untagged vlan 100
[RouterA-Ethernet2/0/0] quit

# Enable DHCP globally and DHCP relay on the interface.


[RouterA] dhcp enable
[RouterA] interface vlanif 100
[RouterA-Vlanif100] dhcp select relay
[RouterA-Vlanif100] quit

3. Bind an interface to a DHCP server group.


# Assign IP addresses to interfaces.
[RouterA] interface vlanif 100
[RouterA-Vlanif100] ip address 20.20.20.1 24

# Bind the interface to the DHCP server group.


[RouterA-Vlanif100] dhcp relay server-select dhcpgroup1
[RouterA-Vlanif100] quit

Step 2 Configure a default route on RouterA.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 100.10.20.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] ip route-static 0.0.0.0 0.0.0.0 100.10.20.2

Step 3 Configure the DHCP server based on the global address pool on RouterB.
# Enable DHCP.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable

# Configure GE1/0/0 to use the global address pool.


[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 100.10.10.1 24
[RouterB-GigabitEthernet1/0/0] dhcp select global
[RouterB-GigabitEthernet1/0/0] quit

# Create an address pool and set the attributes of the address pool.
[RouterB] ip pool pool1
[RouterB-ip-pool-pool1] network 20.20.20.0 mask 24
[RouterB-ip-pool-pool1] gateway-list 20.20.20.1
[RouterB-ip-pool-pool1] quit

Step 4 Configure a default route on RouterB.


[RouterB] ip route-static 0.0.0.0 0.0.0.0 100.10.10.2

Step 5 Verify the configuration.


# Run the display dhcp relay interface vlanif 100 command on RouterA to view the DHCP
relay configuration on the interface.
[RouterA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server group name : dhcpgroup1
Gateway address in use : 20.20.20.1

# Run the display ip pool command on RouterB to view the IP address pool configuration.
[RouterB] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 20.20.20.1
  Mask           : 255.255.255.0
  VPN instance   : --

  IP address Statistic
    Total       :253
    Used        :3          Idle        :250
    Expired     :0          Conflict    :0          Disable   :0

----End

Configuration Files
- Configuration file of RouterA
#
sysname RouterA
#
vlan batch 100
#
dhcp enable
#
dhcp server group dhcpgroup1
dhcp-server 100.10.10.1 0
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Ethernet2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/0
ip address 100.10.20.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return

- Configuration file of RouterB


#
sysname RouterB
#
dhcp enable
#
ip pool pool1
gateway-list 20.20.20.1
network 20.20.20.0 mask 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 100.10.10.1 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
#
return

3.7.4 Example for Configuring the DHCP Client and BOOTP Client
Networking Requirements
Users want to configure the DHCP/BOOTP client function on the Layer 3 interface to
dynamically obtain IP addresses and other configurations from the DHCP server using DHCP.
This facilitates user configuration and management.
As shown in Figure 3-16, RouterA functions as a DHCP client, RouterB as a BOOTP client,
and RouterC as the DHCP server. RouterA obtains the dynamically bound IP address, DNS
server address, and gateway address from RouterC, and RouterB obtains the statically bound IP
address, DNS server address, and gateway address from RouterC.
Figure 3-16 Example for configuring the DHCP client and BOOTP client
[Figure: RouterC (DHCP server, Eth1/0/0, 10.1.1.1/24), the gateway (10.1.1.126/24), the DNS
server (10.1.1.2/24), RouterA (DHCP client, Eth1/0/0), and RouterB (BOOTP client, Eth1/0/0).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on RouterA so that RouterA can dynamically obtain an
   IP address from the DHCP server.

2. Enable the BOOTP client function on RouterB so that RouterB can dynamically obtain
   an IP address from the DHCP server.

3. Create a global address pool for the DHCP server on RouterC and set attributes of the
   address pool.

Procedure
Step 1 Enable the DHCP client function on RouterA.
# Enable DHCP.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

# Enable the DHCP client function on Ethernet1/0/0.


[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address dhcp-alloc

Step 2 Enable the BOOTP client function on RouterB.


# Enable DHCP.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] dhcp enable

# Enable the BOOTP client function on Ethernet1/0/0.


[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address bootp-alloc

Step 3 Create a global address pool for the DHCP server on RouterC and set attributes of the address
pool.
1. Enable DHCP.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] dhcp enable
[RouterC] dhcp server bootp
[RouterC] dhcp server bootp automatic

2. Configure Ethernet1/0/0 to use the global address pool.


[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 10.1.1.1 24
[RouterC-Ethernet1/0/0] dhcp select global
[RouterC-Ethernet1/0/0] quit

3. Create address pools and set the attributes of the address pools.
[RouterC] ip pool pool1
[RouterC-ip-pool-pool1] network 10.1.1.0 mask 24
[RouterC-ip-pool-pool1] gateway-list 10.1.1.126
[RouterC-ip-pool-pool1] static-bind ip-address 10.1.1.3 mac-address a234-e211-a256
[RouterC-ip-pool-pool1] dns-list 10.1.1.2
[RouterC-ip-pool-pool1] excluded-ip-address 10.1.1.2
[RouterC-ip-pool-pool1] quit

Step 4 Verify the configuration.


# Run the display current-configuration command on RouterA to view the DHCP client
configuration.
[RouterA] display current-configuration
...
#
interface Ethernet1/0/0
ip address dhcp-alloc
#
...

# When the IP address is assigned to the interface, run the display dhcp client command on
RouterA to check the IP address.
[RouterA] display dhcp client
DHCP client lease information on interface Ethernet1/0/0 :
 Current machine state         : Bound
 Internet address assigned via : DHCP
 Physical address              : 80fb-0635-45b6
 IP address                    : 10.1.1.254
 Subnet mask                   : 255.255.255.0
 Gateway ip address            : 10.1.1.1
 DHCP server                   : 10.1.1.1
 Lease obtained at             : 2013-12-28 10:58:07
 Lease expires at              : 2013-12-29 10:58:07
 Lease renews at               : 2013-12-28 22:58:07
 Lease rebinds at              : 2013-12-29 07:58:07
 DNS                           : 10.1.1.2

# Run the display current-configuration command on RouterB to view the BOOTP client
configuration.
[RouterB] display current-configuration
...
#
interface Ethernet1/0/0
ip address bootp-alloc
#
...

# When the IP address is assigned to the interface, run the display dhcp client command on
RouterB to check the IP address.
[RouterB] display dhcp client
BOOTP client lease information on interface Ethernet1/0/0 :
 Current machine state         : Bound
 Internet address assigned via : BOOTP
 Physical address              : a234-e211-a256
 IP address                    : 10.1.1.3
 Subnet mask                   : 255.255.255.0
 Gateway ip address            : 10.1.1.1
 Lease obtained at             : 2013-12-28 12:53:17

# Run the display ip pool command on RouterC to view the IP address pool configuration.
[RouterC] display ip pool
  -----------------------------------------------------------------------
  Pool-name      : pool1
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.126
  Mask           : 255.255.255.0
  VPN instance   : --

  IP address Statistic
    Total       :253
    Used        :2          Idle        :250
    Expired     :0          Conflict    :0          Disable   :1

----End

Example
- Configuration file of RouterA
#
sysname RouterA
#
dhcp enable
#
interface Ethernet1/0/0
ip address dhcp-alloc
#
return

- Configuration file of RouterB
#
sysname RouterB
#
dhcp enable
#
interface Ethernet1/0/0
ip address bootp-alloc
#
return

- Configuration file of RouterC
#
sysname RouterC
#
dhcp enable
#
dhcp server bootp automatic
#
ip pool pool1
gateway-list 10.1.1.126
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2
static-bind ip-address 10.1.1.3 mac-address a234-e211-a256
dns-list 10.1.1.2
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
return

3.7.5 Example for Configuring DHCP Rate Limit


Networking Requirements
As shown in Figure 3-17, a department uses RouterA to directly connect to clients. Hosts in
this department function as DHCP clients and are assigned IP addresses by the DHCP server. If
an attacker sends a large number of DHCP packets to RouterA, the CPU resources of RouterA
become insufficient. As a result, the requests of authorized users cannot be processed in
time. To avoid this problem, network administrators limit the rate at which DHCP packets are
sent to RouterA. This allows RouterA to effectively defend against DHCP attack packets and
to process requests of authorized users in time.
Figure 3-17 Configuring DHCP rate limit
[Figure: DHCP server, Internet, RouterB (DHCP relay), RouterA, two DHCP clients, and an
attacker.]

Configuration Roadmap
The configuration roadmap is as follows:
- Configure the highest rate at which DHCP packets are sent to RouterA in the system view.
  This keeps the rate at which RouterA receives DHCP packets within a normal range.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable

Step 2 Configure the highest rate at which DHCP packets are sent to the protocol stack.
# Enable the system to check the rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate enable

# Configure the highest rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate 90

Step 3 Configure the alarm function.


# Enable the alarm function.
[RouterA] dhcp alarm dhcp-rate enable

# Configure an alarm threshold.


[RouterA] dhcp alarm dhcp-rate threshold 80

Step 4 Verify the configuration.


# Run the display current-configuration | include dhcp command on RouterA. The output shows
that the DHCP function and the DHCP rate limit have been enabled globally.
[RouterA] display current-configuration | include dhcp
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp alarm dhcp-rate enable
dhcp alarm dhcp-rate threshold 80

----End

Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp alarm dhcp-rate enable
dhcp alarm dhcp-rate threshold 80
#
return

3.8 Common Configuration Errors


This section provides DHCP troubleshooting procedures.

3.8.1 DHCP Client Cannot Obtain IP Addresses When the Router Functions as the DHCP Server

Fault Description
When the router functions as the DHCP server, the DHCP client cannot obtain IP addresses.

Procedure
Step 1 Run the display current-configuration | include dhcp enable command to check whether
DHCP is enabled. By default, DHCP is disabled.
• If no DHCP information is displayed, DHCP is disabled. Run the dhcp enable command to
  enable DHCP.
• If dhcp enable is displayed, DHCP is enabled. Go to step 2.
Step 2 In the router interface view, run the display this command to check whether the DHCP address
assignment mode is set.

| Command Output | Description | Follow-up Operation |
|---|---|---|
| dhcp select global | The DHCP server has assigned IP addresses to clients from the global address pool. | Go to step 3. |
| dhcp select interface | The DHCP server has assigned IP addresses to clients from the interface address pool. | Go to step 4. |
| The preceding information is not displayed. | The DHCP address assignment mode is not set on the VLANIF interface. | Run the dhcp select global or dhcp select interface command to set the DHCP address assignment mode on the interface. |

Step 3 Run the display ip pool command to check whether the global address pool has been created.
• If the global address pool has not been created, run the ip pool ip-pool-name and network
  ip-address [ mask { mask | mask-length } ] commands to create a global address pool and
  set the range of IP addresses that can be dynamically assigned.
• If the global address pool has been created, obtain the value of ip-pool-name. Then run the
  display ip pool name ip-pool-name command to check whether the IP addresses in the global
  address pool are on the same network segment with the IP address on the interface.
  - If the client and server are located on the same network segment and no relay agent is
    deployed:
    - If IP addresses in the global address pool and the VLANIF interface IP address are
      located on different network segments, run the ip address ip-address { mask | mask-length }
      [ sub ] command to change the VLANIF interface IP address to be on the
      same network segment as IP addresses in the global address pool.
    - If IP addresses in the global address pool and the router interface IP address are located
      on the same network segment, go to step 4.
  - If the client and server are located on different network segments and a relay agent is
    deployed:
    - If IP addresses in the global address pool and the relay agent IP address are located
      on different network segments, run the ip address ip-address { mask | mask-length }
      [ sub ] command to change the IP address to be on the same network segment as IP
      addresses in the global address pool.
    - If IP addresses in the global address pool and the relay agent interface IP address are
      located on the same network segment, go to step 4.
Step 4 Run the display ip pool [ { interface interface-pool-name | name ip-pool-name } [ start-ip-address
[ end-ip-address ] | all | conflict | expired | used ] ] command to check the usage of IP
addresses in the global or interface address pool. If the value of Idle (Expired) is 0, IP addresses
in the address pool have been used up.
• If the server assigns IP addresses to clients from the global address pool on the interface,
  recreate a global address pool where the network segment can be connected to the previous
  network segment but cannot overlap with the previous network segment.
• If the DHCP server allocates IP addresses to clients from the interface address pool, you can
  reduce the mask length of IP address so that more IP addresses can be allocated.
----End

3.8.2 DHCP Client Cannot Obtain IP Addresses When router Functions as the DHCP Relay Agent
Fault Description
When the router functions as the DHCP relay agent, the DHCP client cannot obtain IP addresses.

Procedure
Step 1 Run the display current-configuration | include dhcp enable command to check whether
DHCP is enabled. By default, DHCP is disabled.
• If no DHCP information is displayed, DHCP is disabled. Run the dhcp enable command to
  enable DHCP.
• If dhcp enable is displayed, DHCP is enabled.
Step 2 In the router interface view, run the display this command to check whether the DHCP relay
function is enabled.
• If dhcp select relay is displayed, the DHCP relay function is enabled. Go to step 3.
• If no information is displayed, the DHCP relay function is disabled. Then run the dhcp select
  relay command to enable the DHCP relay function.
Step 3 In the router interface view, run the display this command to check whether the DHCP server
is configured on the DHCP relay agent.
• If dhcp relay server-ip ip-address is displayed, the DHCP server IP address is configured
  on the DHCP relay agent.
• If dhcp relay server-select group-name is displayed, the interface on the DHCP relay agent
  is bound to a DHCP server group. Go to step 4.
• If no information is displayed, the DHCP server IP address is not configured on the DHCP
  relay agent. Configure the DHCP server using either of the following methods:
  - Run the dhcp relay server-ip ip-address command to configure the DHCP server IP
    address on the DHCP relay agent.
  - Run the dhcp-server command to add DHCP servers to the DHCP server group and run
    the dhcp relay server-select group-name command to bind the VLANIF interface to a
    DHCP server group.
Step 4 Run the display dhcp server group group-name command to check whether DHCP servers are
configured in the DHCP server group.
• If the Server-IP field is displayed, DHCP servers are configured in the DHCP server group.
• If the Server-IP field is not displayed, DHCP servers are not configured in the DHCP server
  group. Then run the dhcp-server command to add DHCP servers to the DHCP server group.
----End

3.9 FAQ
3.9.1 How Can I Prevent the Auto-Config Function from
Periodically Clearing DHCP-related Configurations on the Device?
When a device with empty configuration starts, the auto-config function allows the device to
automatically obtain the configuration file and restart for the configuration to take effect. The
device enabled with the auto-config function periodically clears all DHCP-related configurations
on the device.
To solve this problem, proceed as follows:
1. Run the undo autoconfig enable command to disable the auto-config function.
2. Wait 4 to 5 minutes and run the display autoconfig-status command to check the auto-config
   status. If the Running status is NO, the auto-config function has been disabled.
3. Reconfigure the device as required by the customer and save the configuration.

3.9.2 How Can the Device Function as a DHCP Server to Dynamically Allocate IP Addresses to Multiple DHCP Clients?
When the device functions as a DHCP server, you can enlarge the address pool range and shorten
the lease of IP addresses to allow DHCP clients to quickly connect to and disconnect from the
network.

3.9.3 DHCP Clients Cannot Obtain IP Addresses. How Do I Solve This Problem?
Ensure that the DHCP configuration is correct, and reduce the IP address lease. If a long IP
address lease is set, after all addresses in the address pool are allocated, addresses that are not
required cannot be released immediately. As a result, other DHCP clients cannot obtain IP
addresses.

3.9.4 How Do I View IP Address Allocation in the DHCP Server Address Pool?
Run the display ip pool [ { interface interface-pool-name | name ip-pool-name } [ start-ip-address
[ end-ip-address ] | all | conflict | expired | used ] ] command to view IP address
allocation.

3.9.5 When the Device Functions as the Access Device, It Takes a Long Time for Users to Obtain IP Addresses Through DHCP? Why?
By default, STP is enabled on the device used as the user access device (WAN-side interface
connects to the Internet and LAN-side interface connects to the internal network). The device
interface stays in the Discard state for 30s after users connect to the device, and DHCP Request
packets are discarded during this period. DHCP packets are processed only after the 30s have elapsed.
It is recommended that STP be disabled to prevent network flapping caused by slow STP
convergence.

3.10 References
The following table lists the references of this document.

| Document | Description | Remarks |
|---|---|---|
| RFC951 | BOOTSTRAP PROTOCOL (BOOTP) | - |
| RFC1533 | DHCP Options and BOOTP Vendor Extensions | - |
| RFC1534 | Interoperation Between DHCP and BOOTP | - |
| RFC2131 | Dynamic Host Configuration Protocol | - |
| RFC2132 | DHCP Options and BOOTP Vendor Extensions | - |
| RFC3046 | DHCP Relay Agent Information Option | - |

4 DNS Configuration

About This Chapter


This chapter describes the principles, basic functions and configuration procedures of DNS on
the router, and provides configuration examples.
4.1 DNS Overview
4.2 Principles
4.3 Applications
4.4 Configuring DNS
4.5 Maintaining DNS
Maintaining DNS includes clearing dynamic DNS entries, clearing DNS forwarding entries,
updating DDNS policies, and monitoring DNS running status.
4.6 Configuration Examples
This section provides DNS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.
4.7 Common Configuration Errors
This section describes common faults caused by incorrect DNS configurations and provides the
troubleshooting procedure.
4.8 FAQ
4.9 References

4.1 DNS Overview


Definition
Domain Name System (DNS) is a distributed database used in TCP/IP applications. It provides
resolution between domain names and IP addresses.

Purpose
Each host on the network is identified by an IP address. To access a host, a user must first obtain
the host IP address. Because IP addresses are difficult for users to remember, host names in the
form of strings are used. Each host name maps to an IP address. In this way, users can use
simple and meaningful domain names instead of complicated IP addresses to access hosts.

4.2 Principles
4.2.1 Working Principle of DNS
Domain name resolution is classified into dynamic resolution and static resolution that
complement each other. During domain name resolution, static resolution is preferentially used.
If static resolution fails, dynamic resolution is used. Dynamic DNS resolution takes a period of
time, and the cooperation of the DNS server is required. To improve the domain name resolution
efficiency, you are advised to add commonly used domain names to a static domain name
resolution table.

Static DNS
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. To obtain
the IP address of a domain name, the client searches the static domain name resolution table
for that name. In this manner, the efficiency of domain name resolution is improved.

Dynamic DNS
User programs, such as ping and tracert, access the DNS server using the resolver of the DNS
client.
Figure 4-1 shows the relationship between user programs, the resolver, the DNS server, and the
cache on the resolver.

Figure 4-1 Dynamic DNS
[Figure: the user program, the resolver and the cache on the local host (the resolver and the
cache form the DNS client), and the DNS server. Labelled flows: Request, Response, Save, Read.]

The DNS client, consisting of the resolver and the cache, is used to accept and respond to the
DNS queries from user programs. Generally, user programs (such as ping and tracert), the cache,
and the resolver are on the same host, whereas the DNS server is on another host.

Working Process of the Dynamic DNS


1. When a user accesses some applications by domain name, the user program sends a request
   to the resolver on the DNS client.
2. After receiving the request, the resolver searches the local domain name cache.
   • If the domain name matches an entry in the local cache, the resolver sends the
     corresponding IP address to the user program.
   • If the domain name matches no entry in the local cache, the resolver sends a query
     message to the DNS server.
3. When receiving the query message, the DNS server first checks whether the domain name
   to be resolved is in an authorized sub-domain. Then, the DNS server sends a response packet
   according to the check result.
   • If the domain name is in an authorized sub-domain, the DNS server searches for the
     corresponding IP address in the local database.
   • If the domain name is out of authorized sub-domains, the DNS server sends a query
     message to a higher-level DNS server. This process continues until the DNS server finds
     the corresponding IP address or detects that the corresponding IP address of the domain
     name does not exist. Then the DNS server returns a result to the DNS client.
4. After receiving the response packet from the DNS server, the DNS client sends the
   resolution result to the user program.
   Mappings between domain names and IP addresses are stored in the dynamic domain name
   cache. When resolving a domain name that is stored in the cache, the DNS client obtains
   the corresponding IP address from the cache directly and does not send a query message
   to the DNS server. Mappings stored in the cache will be deleted when the aging time expires
   to ensure that the latest mappings can be obtained from the DNS server. The aging time is
   set by the DNS server. The DNS client obtains the aging time from protocol packets.

Domain Name Suffix List


Dynamic domain name resolution supports the domain name suffix list. Users can preset domain
name suffixes. Users only need to enter partial content of a domain name, and the system adds
a suffix to the domain name for resolution. For example, a user has set the domain name suffix
com in the suffix list. To visit huawei.com, the user only needs to enter huawei. The system
adds the suffix com to the domain name.
When the domain name suffix list is used, the resolution modes vary according to domain names
entered by users.
• If a user enters a domain name without a dot (.), for example, huawei, the system identifies
  it as a host name and adds a suffix to the domain name for resolution. If the resolution fails,
  the system resolves the entered domain name.
• If a user enters a domain name with a dot (.), for example, www.huawei or huawei.com.,
  the system resolves the domain name. If the resolution fails, the system adds a suffix to the
  domain name for resolution.
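
The resolution order described in 4.2.1 (static table first, then cache and server, with the suffix list deciding which names are tried) can be modelled as follows. This is an added example, not code from the guide or from the device software. The class and function names, the sample addresses, checking the static table against the name exactly as entered, and dropping a trailing dot before a suffix is appended are all assumptions of the model.

```python
class DnsClientModel:
    """Toy DNS client: static table first, then cache, then the DNS server."""

    def __init__(self, static_table, suffixes, query_server):
        self.static_table = dict(static_table)  # host name -> IP (static entries)
        self.suffixes = list(suffixes)          # domain name suffix list
        self.query_server = query_server        # callable(name) -> (ip, aging_time) or None
        self.cache = {}                         # name -> (ip, expiry time)
        self.now = 0.0                          # simulated clock, in seconds

    def candidates(self, name):
        """Names to try, in the order the suffix-list rules give."""
        suffixed = [name.rstrip(".") + "." + s for s in self.suffixes]
        if "." in name:
            return [name] + suffixed   # dotted: as entered first, then with suffixes
        return suffixed + [name]       # undotted: with suffixes first, then as entered

    def dynamic_lookup(self, name):
        """Cache first; on a miss or an aged-out entry, ask the server."""
        entry = self.cache.get(name)
        if entry is not None:
            ip, expiry = entry
            if self.now < expiry:
                return ip, "cache"
            del self.cache[name]       # aging time expired: drop the mapping
        answer = self.query_server(name)
        if answer is None:
            return None
        ip, aging_time = answer        # the aging time comes from the server's reply
        if aging_time > 0:
            self.cache[name] = (ip, self.now + aging_time)
        return ip, "server"

    def resolve(self, name):
        """Return (name_that_matched, ip, source) or None if nothing resolves."""
        if name in self.static_table:  # static resolution is preferred
            return name, self.static_table[name], "static"
        for candidate in self.candidates(name):
            hit = self.dynamic_lookup(candidate)
            if hit is not None:
                return candidate, hit[0], hit[1]
        return None


def suffix_list_walkthrough():
    """Constructed scenario: one static entry, suffix 'com', one server record."""
    records = {"huawei.com": ("192.0.2.10", 60)}   # constructed server data
    asked = []                                     # every name sent to the server

    def server(name):
        asked.append(name)
        return records.get(name)

    client = DnsClientModel({"gw": "192.0.2.1"}, ["com"], server)
    results = [client.resolve("gw"),       # answered from the static table
               client.resolve("huawei"),   # suffix added, answered by the server
               client.resolve("huawei")]   # answered from the cache
    client.now = 61                        # past the 60 s aging time
    results.append(client.resolve("huawei"))  # server is queried again
    return results, asked


if __name__ == "__main__":
    for line in suffix_list_walkthrough()[0]:
        print(line)
```

The `asked` list is the part worth reading when auditing a suffix list: it records every name that actually leaves the client, including suffixed names the user never typed.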

Query Type
Class-A query is a common type of query, which is used to obtain the IP address corresponding
to a specified domain name. For example, when you ping or tracert a domain name, the ping or
tracert, as a user program, sends a query to the DNS client for the IP address corresponding to
the domain name. If the corresponding IP address does not exist on the DNS client, the DNS
client sends a Class-A query to the DNS server to obtain the corresponding IP address.

4.2.2 Working Principle of DNS Proxy or Relay


DNS proxy or relay is used to forward DNS request and reply packets between the DNS client
and DNS server. The DNS client sends DNS request packets to the DNS proxy or relay. The
DNS proxy or relay forwards request packets to the DNS server and sends reply packets to the
DNS client. After DNS proxy or relay is enabled, if the IP address of the DNS server changes,
you only need to change the configuration on the DNS proxy or relay.
DNS relay is similar to DNS proxy. The difference is that the DNS proxy searches for DNS
entries saved in the local domain name cache after receiving DNS query messages from DNS
clients. If requested DNS entries are not saved in the cache, DNS query messages are forwarded
to the DNS server. The DNS relay, however, directly forwards DNS query messages to the DNS
server. This saves DNS cache resources on the DNS relay and ensures that the DNS client obtains
real-time resolution results. (The client obtains wrong resolution results if domain names and
IP addresses change on the DNS server but the cache table on the DNS proxy is not updated in
time.)
The application environments of DNS relay and DNS proxy are similar. Figure 4-2 shows the
typical networking of DNS proxy.

Figure 4-2 Typical networking of DNS proxy
[Figure: three DNS clients, the DNS proxy, the Internet and the DNS server.]

The working process of DNS proxy is as follows:


1. The DNS client sends a request packet to the DNS proxy. The DNS proxy IP address is the
   destination address of the request packet.
2. After receiving the request packet, the DNS proxy searches for DNS entries saved in the
   local domain name resolution tables. If mapping information exists, the DNS proxy sends
   a reply packet carrying the resolution result to the DNS client.
3. If no mapping information exists, the DNS proxy sends the request packet to the DNS server
   for resolution.
4. After receiving the reply packet from the DNS server, the DNS proxy records the resolution
   result and forwards the reply packet to the DNS client.

The DNS proxy sends domain name resolution requests to the DNS server only when the IP address
of the DNS server and the route to the DNS server exist on the DNS proxy. Otherwise,
the DNS proxy neither sends any domain name resolution request to the DNS server nor replies
to any request from the DNS client.

4.2.3 Working Principle of DNS Spoofing


When the DNS server IP address is not configured or the route to the DNS server does not exist
on the DNS proxy or relay that is enabled with DNS spoofing, the DNS proxy or relay sends a
spoofing IP address as the domain name resolution result to any DNS client that sends a DNS
query message.
DNS spoofing is applied to a dial-up network, as shown in Figure 4-3.

Figure 4-3 DNS spoofing application scenario
[Figure: Host A and Host B (DNS clients), the device acting as DNS proxy with DNS spoofing and a
dialer interface, the ISP, the DNS server and the HTTP server.]

As shown in Figure 4-3, the device functions as the DNS proxy and connects to the network
using the dial-up interface. The dial-up interface is triggered to set up a connection only when
data packets are forwarded by the dial-up interface. When the device functions as the DNS proxy,
hosts A and B consider the device as the DNS server. When the dial-up connection is set up, the
device obtains the DNS server IP address using DHCP.
When a device that is not enabled with DNS spoofing receives a DNS query message from a DNS
client and finds no matching entry, it sends a DNS query message to the DNS server. If
the dial-up connection is not set up, the device cannot obtain the DNS server IP address. The
device then neither sends a DNS query message to the DNS server nor responds to the request
from the DNS client, and the domain name resolution fails. As a result, no data packet traffic
triggers the dial-up interface to set up a connection.
DNS spoofing enables the device to send a spoofing IP address to the DNS client that sends a
DNS query message regardless of whether the DNS server IP address is configured or the route
to the DNS server exists on the device. Data packets that the DNS client then sends trigger the
dial-up interface to set up a connection.
As shown in Figure 4-3, a DNS client wants to access the HTTP server. The process is described
as follows:
1. A DNS client sends a DNS query message to the DNS proxy for resolving the HTTP server
   domain name to an IP address.
2. After receiving the DNS query message, the DNS proxy cannot send the correct IP address
   to the DNS client because no matching entry is found locally, no dial-up connection is set
   up, and the DNS server IP address is not obtained. The DNS proxy sends the spoofing IP
   address as the resolution result to the DNS client. The aging time of a DNS resolution
   response message is 0. A reachable route between the DNS client and the IP address in the
   response message must exist. The outbound interface of the route is the dial-up interface.
3. After receiving the response message, the host sends an HTTP request to the IP address in
   the response message.
4. The DNS proxy forwards the HTTP request using the dial-up interface. The traffic triggers
   the dial-up interface to set up a connection with the DNS server. Then the DNS proxy
   obtains the DNS server IP address using DHCP.

5. After the DNS resolution response message is aged, the DNS client sends a DNS query
   message again.
6. The DNS proxy sends the correct IP address to the DNS client.
7. After obtaining the correct HTTP server IP address, the DNS client can access the HTTP
   server.
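
The proxy, relay and spoofing behaviour described in 4.2.2 and 4.2.3 can be compared side by side with a small model. This is an added example, not code from the guide or from the device software. The class and function names, the domain name and all addresses are constructed, and the model assumes that a spoofed answer is given only when no DNS server is reachable and that spoofed answers are never cached.

```python
class DnsForwarderModel:
    """Toy model of a device acting as DNS proxy or DNS relay."""

    def __init__(self, mode, spoof_ip=None):
        if mode not in ("proxy", "relay"):
            raise ValueError("mode must be 'proxy' or 'relay'")
        self.mode = mode
        self.spoof_ip = spoof_ip  # None: DNS spoofing is not enabled
        self.upstream = None      # callable(name) -> (ip, aging_time) or None;
                                  # None here: no DNS server address or no route to it
        self.cache = {}           # name -> (ip, expiry time); proxy mode only
        self.now = 0.0            # simulated clock, in seconds

    def handle_query(self, name):
        """Return (ip, aging_time, source), or None if the client gets no address."""
        if self.mode == "proxy":                 # a relay never looks in a cache
            ip, expiry = self.cache.get(name, (None, 0.0))
            if ip is not None and self.now < expiry:
                return ip, int(expiry - self.now), "cache"
        if self.upstream is None:
            if self.spoof_ip is None:
                return None                      # no request sent, no reply given
            return self.spoof_ip, 0, "spoofed"   # aging time 0: client must ask again
        answer = self.upstream(name)
        if answer is None:
            return None
        ip, aging_time = answer
        if self.mode == "proxy" and aging_time > 0:
            self.cache[name] = (ip, self.now + aging_time)
        return ip, aging_time, "server"


def dial_on_demand_walkthrough():
    """Steps 1 to 6 of the spoofing process, with constructed data."""
    records = {"www.example.com": ("198.51.100.80", 300)}
    device = DnsForwarderModel("proxy", spoof_ip="203.0.113.1")
    first = device.handle_query("www.example.com")   # link down: spoofed answer
    # The client's HTTP request to the spoofing address brings the dial-up link up,
    # and the device learns the DNS server address.
    device.upstream = records.get
    second = device.handle_query("www.example.com")  # re-query gets the real address
    return first, second


def stale_cache_comparison():
    """A record changes on the server: the proxy answers from cache, the relay does not."""
    name = "www.example.com"
    records = {name: ("198.51.100.80", 300)}
    proxy, relay = DnsForwarderModel("proxy"), DnsForwarderModel("relay")
    proxy.upstream = relay.upstream = records.get
    proxy.handle_query(name)
    relay.handle_query(name)
    records[name] = ("198.51.100.81", 300)           # change on the DNS server
    return proxy.handle_query(name), relay.handle_query(name)


if __name__ == "__main__":
    print(dial_on_demand_walkthrough())
    print(stale_cache_comparison())
```

The aging time of 0 on the spoofed answer is what keeps the placeholder address from persisting on clients: a client that honours it re-queries as soon as the link is up.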

4.2.4 Working Principle of DDNS


DDNS Overview
DNS resolves domain names into IP addresses so that you can access network nodes using
domain names. DNS provides static mappings between domain names and IP addresses. When
the IP addresses of nodes change, the DNS server cannot dynamically update the mappings. If a
user uses the original domain name to access the node, the access fails because the IP
address mapped to the domain name is incorrect. The Dynamic Domain Name System (DDNS)
updates mappings between domain names and the IP addresses on the DNS server to ensure that
the IP address can be resolved correctly.

DDNS Working Mode


DDNS works in client/server mode. Figure 4-4 shows the typical networking of DDNS.
Figure 4-4 Typical networking of DDNS
[Figure: DNS server, HTTP server (DDNS client), Internet, HTTP client and DDNS server, with two
numbered flows (1 and 2).]

As shown in Figure 4-4, DDNS works in client/server mode.


• When an IP address changes, the DDNS updates the mapping between the domain name
  and IP address on the DNS server. Internet users use domain names to access servers that
  provide application-layer services, such as HTTP and FTP servers. When the IP address of
  a server changes, the server functions as a DDNS client and sends a request for updating
  the mapping between the domain name and the IP address to the DDNS server. This ensures
  that Internet users can still access a server when the server IP address changes.
• The DDNS server instructs the DNS server to dynamically update the mapping between
  the domain name and the IP address on the DNS server to ensure that the IP address can
  be resolved correctly and Internet users can access the DDNS client using the domain name.

No unified standard is defined for the DDNS update process. DDNS update processes are
different on different DDNS servers. DDNS servers provided at www.oray.cn, www.3322.org,
and www.dyndns.com.

4.3 Applications
4.3.1 DNS Client Application
Figure 4-5 shows typical networking of a DNS client.
Figure 4-5 Typical networking of a DNS client
[Figure: RouterA and RouterB as DNS clients, and the DNS server.]

As shown in Figure 4-5, the device functions as a DNS client and can dynamically obtain the
corresponding IP address of a domain name from a DNS server. This facilitates user
communication.

4.3.2 DNS Proxy Application


Figure 4-6 shows the typical networking of DNS proxy.

Figure 4-6 Typical networking of DNS proxy
[Figure: three DNS clients, the DNS proxy, the Internet and the DNS server.]

The device functions as an egress router in an enterprise and is configured with DNS proxy. The
device can forward DNS request and reply packets between DNS clients in the enterprise and
DNS servers outside the enterprise. When the IP address of a DNS server changes, you only need
to change the configuration on the DNS proxy, which simplifies network management.

4.4 Configuring DNS


4.4.1 Configuring the DNS Client
This section describes how to configure the router as a DNS client to allow users to use domain
names to access other devices.

Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
• Configuring link layer protocol parameters for interfaces to ensure that the link layer
  protocol status on the interfaces is Up
• Configuring a route between the router and the DNS server

4.4.1.1 Configuring the Static DNS


Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IP addresses. Some common domain names are added to the table. Static
domain name resolution can be performed based on the static domain name resolution table. To
obtain the IP address by resolving a domain name, the client searches the static domain name
resolution table for the specified domain name. In this manner, the efficiency of domain name
resolution is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip host host-name ip-address

Static DNS entries are configured.


By default, no static DNS entries are configured.
----End

Follow-up Procedure
Each host name can be mapped to only one IP address. When multiple IP addresses are mapped
to a host name, only the latest configuration takes effect. If multiple host names need to be
resolved, repeat step 2.

4.4.1.2 Configuring the Dynamic DNS


Context
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure a DNS
server, and configure a source IP address for the local device and a domain name suffix. If the
local device uses an IP address allocated by the DHCP server and the information delivered by
the DHCP server to the local device contains the DNS server IP address and the domain name
suffix list, you only need to enable dynamic DNS resolution.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns resolve

Dynamic domain name resolution is enabled.


By default, dynamic DNS resolution is disabled.
Step 3 Run:
dns server ip-address

The IP address of the DNS server is configured.


By default, no IP address of the DNS server is configured.
A maximum of six DNS server IP addresses can be configured on the device.
Step 4 (Optional) Run:
dns server source-ip ip-address

The source IP address is configured for the local device to function as the DNS client to send
and receive DNS packets.
By default, no source IP address is configured for the device.
The local device uses the specified IP address to communicate with the DNS server. This ensures
communication security.
Step 5 (Optional) Run:
dns-server-select-algorithm { fixed | auto }

The algorithm for selecting a destination DNS server is configured.


By default, the device uses the auto algorithm to select the DNS server.
Step 6 (Optional) Run:
dns forward retry-number number

The number of times for retransmitting Query packets to the destination DNS server is set.
By default, the device retransmits Query packets to the destination DNS server twice.
Step 7 (Optional) Run:
dns forward retry-timeout time

The timeout period after which the device retransmits Query packets to the destination DNS
server is set.
By default, the retransmission timeout period is 3 seconds.
Step 8 (Optional) Run:
dns domain domain-name

A domain name suffix is configured.


By default, no domain name suffix is configured on a DNS client.
----End

Follow-up Procedure
The system supports a maximum of six DNS servers, one specified source address, and ten
domain name suffixes. If multiple DNS servers are required, repeat step 3. If multiple domain
name suffixes are required, repeat step 8.
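
A planned DNS client configuration can be checked against the limits and defaults stated in 4.4.1.1 and 4.4.1.2 before it is entered on the device. The checker below is an added example, not a Huawei tool. The function name, the IPv4-only address check and the sample configuration lines are assumptions, and it parses only the command forms shown in this section.

```python
import ipaddress

# Limits stated in the follow-up procedure of 4.4.1.2.
MAX_SERVERS, MAX_SOURCE_IPS, MAX_SUFFIXES = 6, 1, 10

# Constructed sample: a remapped host name, a malformed server address,
# and no `dns resolve` line.
SAMPLE_CONFIG = """\
ip host gw 192.0.2.1
ip host gw 192.0.2.2
dns server 192.0.2.53
dns server 192.0.2.300
dns domain com
""".splitlines()


def audit_dns_client_config(lines):
    """Return (effective_static_hosts, findings) for a list of configuration lines."""
    hosts, servers, sources, suffixes, findings = {}, [], [], [], []
    resolve_enabled = False

    def valid_ip(text, lineno):
        try:
            ipaddress.IPv4Address(text)
            return True
        except ValueError:
            findings.append(f"line {lineno}: '{text}' is not a valid IPv4 address")
            return False

    for lineno, raw in enumerate(lines, 1):
        words = raw.split()
        if words == ["dns", "resolve"]:
            resolve_enabled = True
        elif words[:3] == ["dns", "server", "source-ip"] and len(words) == 4:
            if valid_ip(words[3], lineno):
                sources.append(words[3])
        elif words[:2] == ["dns", "server"] and len(words) == 3:
            if valid_ip(words[2], lineno):
                servers.append(words[2])
        elif words[:2] == ["dns", "domain"] and len(words) == 3:
            suffixes.append(words[2])
        elif words[:2] == ["ip", "host"] and len(words) == 4:
            name, addr = words[2], words[3]
            if valid_ip(addr, lineno):
                # Only the latest mapping for a host name takes effect.
                if name in hosts and hosts[name] != addr:
                    findings.append(
                        f"line {lineno}: ip host {name} {addr} replaces "
                        f"the earlier mapping {hosts[name]}")
                hosts[name] = addr

    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} dns server lines exceed the limit of {MAX_SERVERS}")
    if len(sources) > MAX_SOURCE_IPS:
        findings.append(f"{len(sources)} source-ip lines exceed the limit of {MAX_SOURCE_IPS}")
    if len(suffixes) > MAX_SUFFIXES:
        findings.append(f"{len(suffixes)} dns domain lines exceed the limit of {MAX_SUFFIXES}")
    if (servers or suffixes) and not resolve_enabled:
        findings.append("dns server or dns domain is set but dns resolve is missing; "
                        "dynamic resolution is disabled by default")
    return hosts, findings


if __name__ == "__main__":
    effective, problems = audit_dns_client_config(SAMPLE_CONFIG)
    print("effective static entries:", effective)
    for problem in problems:
        print("finding:", problem)
```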

4.4.1.3 Checking the Configuration


Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ip host command to check static DNS entries.
• Run the display dns server [ verbose ] command to check the DNS server configuration.
• Run the display dns domain [ verbose ] command to check the domain name suffix
  configuration.

----End

4.4.2 Configuring DNS Proxy or Relay


The device can function as a DNS proxy or relay to forward DNS request and reply packets and
provide domain name resolution for DNS clients.

Pre-configuration Tasks
Before configuring DNS proxy or relay, complete the following tasks:
• Configuring link layer protocol parameters for interfaces to ensure that the link layer
  protocol status on the interfaces is Up
• Configuring the DNS server
• Configuring routes between the device and the DNS server and between the device and the
  DNS client

4.4.2.1 Configuring the Destination DNS Server


Context
DNS Relay is similar to DNS Proxy. The difference is that the DNS Proxy searches for DNS
entries saved in the domain name cache after receiving DNS query messages from DNS clients.
The DNS Relay, however, directly forwards DNS query messages to the DNS server, reducing
the cache usage.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns proxy enable or dns relay enable

DNS Proxy or Relay is enabled.


Step 3 Choose either of the following methods to configure domain name resolution.
l Configure static domain name resolution.
Run:
ip host host-name ip-address

A static DNS entry is configured.


By default, no static DNS entry is configured.
You can manually configure the mappings between domain names and IP addresses by
configuring static DNS entries. When a DNS client requests the IP address corresponding to
a domain name, the device does not forward the request to the DNS server but searches the
static domain name resolution table for the IP address and returns the IP address to the DNS
client.
• Configure dynamic domain name resolution.
1. Run:
dns resolve

Dynamic domain name resolution is enabled.


By default, dynamic DNS resolution is disabled.
After dynamic domain name resolution is enabled, the DNS proxy searches the dynamic
domain name resolution table after receiving a DNS request packet and checks whether
the requested IP address exists. If yes, the DNS proxy returns a DNS reply packet that
carries the resolution result to the DNS client. If not, the DNS proxy forwards the DNS
request packet to the DNS server.
2. Run:
dns server ip-address

The DNS server that the DNS Proxy or Relay connects to is configured.
By default, no IP address is configured for the DNS server.
3. (Optional) Run:
dns server source-ip ip-address

The source IP address that the device uses to exchange packets with the DNS server is
configured.
By default, no source IP address is configured for the device.
4. (Optional) Run:
dns-server-select-algorithm { fixed | auto }

An algorithm used by the DNS Proxy or Relay to access the destination DNS server is
configured.
By default, the auto algorithm is used.
5. (Optional) Run:
dns forward retry-number number

The number of times for the DNS Proxy or Relay to retransmit query requests to the
destination DNS server is set.
By default, the number of times for the DNS Proxy or Relay to retransmit query requests
to the destination DNS server is 2.
6. (Optional) Run:
dns forward retry-timeout time

The timeout period after which the DNS proxy or relay retransmits query packets to the
destination DNS server is set.
By default, the retransmission timeout period is 3 seconds.
----End

4.4.2.2 (Optional) Configuring DNS Spoofing


Context
If the device is enabled with DNS proxy or relay but is not configured with a DNS server address
or has no route to the DNS server, the device does not forward or respond to DNS query messages
from DNS clients. After DNS Spoofing is enabled, the device uses the configured IP address to
respond to all DNS query messages.
In addition to enabling DNS proxy or relay, one of the following requirements must be met to
make DNS Spoofing take effect:
• No DNS server is configured.
• A DNS server is configured, but dynamic DNS resolution is disabled.
• No route is reachable to the DNS server.
• No source IP address is available for the outbound interface connected to the DNS server.

If one of the preceding requirements is met, the DNS proxy or relay returns spoofing reply
messages that carry the configured IP address when it receives an address record query.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns spoofing ip-address

DNS Spoofing is enabled and the IP address in response messages is specified.


By default, DNS Spoofing is disabled.
----End
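
The conditions above decide when a device starts answering address record queries with the single spoofing address, which is worth checking during a configuration review. The Python sketch below is an added example, not Huawei code: it reads the global DNS commands from a configuration file and lists which of the four conditions hold. The sample configurations, the 192.0.2.53 address, and the function names are constructed for the example; route and source-address state cannot be read from a configuration file, so the caller passes them in.

```python
import ipaddress

# Constructed sample: proxy enabled, a server configured, dynamic resolution
# left disabled, spoofing address set (all values are illustrative).
SAMPLE_ACTIVE = """\
#
dns server 2.1.1.1
dns proxy enable
dns spoofing 192.0.2.53
#
"""

# Constructed sample: as above plus "dns resolve", so spoofing stays dormant
# until the path to the DNS server is lost.
SAMPLE_DORMANT = """\
#
dns resolve
dns server 2.1.1.1
dns server source-ip 1.1.1.1
dns proxy enable
dns spoofing 192.0.2.53
#
"""


def parse_dns_settings(config_text):
    """Collect the global DNS commands described in this section."""
    s = {"proxy": False, "relay": False, "resolve": False,
         "servers": [], "spoof_ip": None}
    for raw in config_text.splitlines():
        w = raw.split()
        if w == ["dns", "proxy", "enable"]:
            s["proxy"] = True
        elif w == ["dns", "relay", "enable"]:
            s["relay"] = True
        elif w == ["dns", "resolve"]:
            s["resolve"] = True
        elif len(w) == 3 and w[:2] == ["dns", "server"]:
            # "dns server source-ip x" has four words and is skipped here
            s["servers"].append(str(ipaddress.ip_address(w[2])))
        elif len(w) == 3 and w[:2] == ["dns", "spoofing"]:
            s["spoof_ip"] = str(ipaddress.ip_address(w[2]))
    return s


def spoofing_reasons(s, route_to_server=True, source_ip_available=True):
    """List which of the guide's four conditions currently hold.

    route_to_server and source_ip_available are runtime facts supplied by
    the caller. An empty list means no spoofed replies are sent.
    """
    if s["spoof_ip"] is None or not (s["proxy"] or s["relay"]):
        return []
    reasons = []
    if not s["servers"]:
        reasons.append("no DNS server is configured")
    else:
        if not s["resolve"]:
            reasons.append("DNS server configured, dynamic resolution disabled")
        if not route_to_server:
            reasons.append("no reachable route to the DNS server")
        if not source_ip_available:
            reasons.append("no source IP address on the outbound interface")
    return reasons


def report(config_text, **runtime):
    """One-line summary suitable for a configuration review."""
    s = parse_dns_settings(config_text)
    if s["spoof_ip"] is None:
        return "spoofing not configured"
    reasons = spoofing_reasons(s, **runtime)
    if not reasons:
        return f"spoofing configured ({s['spoof_ip']}) but dormant"
    return (f"address record queries are answered with {s['spoof_ip']}: "
            + "; ".join(reasons))


if __name__ == "__main__":
    print(report(SAMPLE_ACTIVE))
    print(report(SAMPLE_DORMANT))
    print(report(SAMPLE_DORMANT, route_to_server=False))
```
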

4.4.2.3 Checking the Configuration


Procedure
• Run the display dns configuration command to display the global DNS configurations.
• Run the display ip host command to check static DNS entries.
• Run the display dns server [ verbose ] command to check the DNS server configuration.

----End

4.4.3 Configuring the DDNS Client


The device functions as the DDNS client. When the IP address corresponding to the domain
name changes, the DDNS client can notify the DNS server to update the mapping between the
domain name and the IP address on the DNS server. This ensures that users can successfully
access servers on the network using domain names.

Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
• Registering on the DDNS server website
• Configuring a route between the device and the DDNS server

4.4.3.1 Configuring a DDNS Policy


Context
The device can function as a DDNS client. When the IP address of the interface that provides
web services changes, the device notifies the DDNS server of the new IP address. The DDNS
server dynamically updates the mapping between the domain name and the IP address on the
DNS server to ensure that the IP address can be resolved correctly.
After the DDNS policy is configured on an interface whose IP address changes, a DDNS update
request is sent to the destination DDNS server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ddns policy policy-name

A DDNS policy is created and the DDNS policy view is displayed.


By default, no DDNS policy is created in the system.
A maximum of 10 DDNS policies can be configured on the device.
Step 3 Run:
url request-url

The URL in DDNS update requests is specified.


After a DDNS policy is created, enter the URL and specify a DDNS server in the URL. The
processes for the device to request DDNS updates from different DDNS servers are different;
therefore, the URL configurations of DDNS servers are different.
• When the device uses HTTP to communicate with the DDNS server provided at
www.3322.org, the URL in a DDNS update request is:
http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
• When the device uses HTTP to communicate with the DDNS server provided at
www.dyndns.com, the URL in a DDNS update request is:
http://username:password@update.dyndns.com/nic/update?hostname=<h>&myip=<a>
• When the device uses TCP to communicate with the DDNS server provided at www.oray.cn,
the URL in a DDNS update request is:
oray://username:password@phddnsdev.oray.net
• When the device uses HTTPS to communicate with the Siemens DDNS server, the URL in a
DDNS update request is user-defined, for example:
https://194.138.36.67/nic/update?group=med&user=huawei_test&password=12345&myip=192.168.19.2

NOTE

• Press Ctrl+T to enter the question mark (?) in the URL.
• The parameter username:password in the URL indicates the user name and password for logging in to the
DDNS server. Set this parameter based on the user registration information.
• The DDNS service is provided by DDNS servers from different vendors. When the DDNS server URL
changes or the DDNS server stops providing service, the device used as the DDNS client cannot exchange
packets with the DDNS server. The DDNS function may not take effect. If you fail to update the mapping
entries between the DDNS domain name and IP address, you are advised to upgrade the router to the latest
version.

Step 4 (Optional) Run:


ssl-policy policy-name

An SSL policy is bound to the DDNS policy.


NOTE

When the device functions as the DDNS client and communicates with Siemens DDNS server, the device
needs to encrypt packets using SSL. The DDNS policy needs to be bound to the SSL policy only when the
device functions as the DDNS client and communicates with Siemens DDNS server.
To configure an SSL policy, see "SSL Configuration" in the Huawei AR150&200&1200&2200&3200
Series Enterprise Routers Configuration Guide - Security.

Step 5 (Optional) Run:


interval interval-time

The interval for sending DDNS update requests is set.


After the interval for sending DDNS update requests is set in the configured DDNS policy, the
device sends DDNS update requests at intervals. By default, the interval for sending DDNS
update requests is 3600 seconds.
----End
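
The URL formats above place the DDNS account password in the URL itself, and the configuration files and display command output in this guide's examples show that URL in full. The Python sketch below is an added example, not Huawei code: it parses ddns policy stanzas from a saved configuration, flags URLs that embed a credential, credentials sent over plain HTTP, and HTTPS URLs with no ssl-policy bound, and masks the secret for use in tickets or logs. The finding codes, the secret field names, and the sample policy names are assumptions made for the example.

```python
from urllib.parse import urlsplit

SECRET_PARAMS = {"password", "passwd", "pwd"}  # assumed names of secret query fields

# Constructed sample built from this guide's example URLs; policy names are made up.
SAMPLE_CONFIG = """\
#
ddns policy p3322
 url http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
#
ddns policy siemens_nossl
 url https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
 interval 36000
#
ddns policy siemens_ok
 url https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
 ssl-policy siemens
#
ddns policy oray
 url oray://steven:nevets@phddnsdev.oray.net
#
"""


def parse_ddns_policies(config_text):
    """Return {policy-name: {"url", "ssl_policy", "interval"}} from a config."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w == ["#"]:
            current = None  # "#" closes the current stanza
        elif len(w) == 3 and w[:2] == ["ddns", "policy"]:
            # 3600 seconds is the default interval stated in the guide
            current = policies.setdefault(
                w[2], {"url": None, "ssl_policy": None, "interval": 3600})
        elif current is not None and len(w) == 2:
            if w[0] == "url":
                current["url"] = w[1]
            elif w[0] == "ssl-policy":
                current["ssl_policy"] = w[1]
            elif w[0] == "interval":
                current["interval"] = int(w[1])
    return policies


def secret_locations(url):
    """Where the URL carries a secret: 'userinfo' and/or query field names."""
    parts = urlsplit(url)
    found = ["userinfo"] if parts.password is not None else []
    for pair in filter(None, parts.query.split("&")):
        key = pair.partition("=")[0]
        if key.lower() in SECRET_PARAMS:
            found.append("query:" + key)
    return found


def redact_url(url):
    """Mask secrets; placeholders such as <h> and <a> are left untouched."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.password is not None:
        netloc = f"{parts.username}:***@{netloc.rpartition('@')[2]}"
    pairs = []
    for pair in filter(None, parts.query.split("&")):
        key, sep, _ = pair.partition("=")
        pairs.append(f"{key}{sep}***" if key.lower() in SECRET_PARAMS else pair)
    query = "?" + "&".join(pairs) if pairs else ""
    return f"{parts.scheme}://{netloc}{parts.path}{query}"


def audit_policy(policy):
    """Return finding codes for one parsed policy."""
    if policy["url"] is None:
        return ["NO_URL"]
    scheme = urlsplit(policy["url"]).scheme.lower()
    findings = []
    if secret_locations(policy["url"]):
        findings.append("CREDENTIAL_IN_URL")   # visible in saved config and display output
        if scheme == "http":
            findings.append("CLEARTEXT_HTTP")  # credential crosses the network unencrypted
    if scheme == "https" and policy["ssl_policy"] is None:
        findings.append("HTTPS_WITHOUT_SSL_POLICY")  # the guide binds an SSL policy for HTTPS
    return findings


if __name__ == "__main__":
    for name, pol in parse_ddns_policies(SAMPLE_CONFIG).items():
        print(name, redact_url(pol["url"]), audit_policy(pol))
```
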

4.4.3.2 Binding a DDNS Policy to an Interface


Context
You can bind a DDNS policy to an interface to update the mapping between the domain name
and an IP address and to start DDNS update.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ddns apply policy policy-name [ fqdn domain-name ]

The DDNS policy is bound to the interface.


By default, no DDNS policy is bound to an interface.
A maximum of five DDNS policies can be bound to an interface.
NOTE

When the DDNS server is www.3322.org or www.dyndns.com, you must configure the fully qualified domain
name (FQDN), that is, the fqdn parameter is mandatory.

----End

4.4.3.3 Checking the Configuration


Procedure
• Run the display ddns policy policy-name command to view DDNS policy information.
• Run the display ddns interface interface-type interface-number command to view DDNS
policy information on an interface.

----End

4.5 Maintaining DNS


Maintaining DNS includes clearing dynamic DNS entries, clearing DNS forwarding entries,
updating DDNS policies, and monitoring DNS running status.

4.5.1 Deleting Dynamic DNS Entries


Context

NOTICE
Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run the
command.

Procedure
• Run the reset dns dynamic-host command to delete dynamic DNS entries.

----End

4.5.2 Deleting DNS Entries of the DNS Proxy or Relay


Context

NOTICE
DNS entries of the DNS proxy or relay cannot be restored after being deleted. Exercise caution
when you run the command.

Procedure
• Run the reset dns forward table [ source-ip ip-address ] command to delete DNS entries
of the DNS proxy or relay.

----End

4.5.3 Clearing Statistics on Sent and Received DNS Packets


Context

NOTICE
Statistics on sent and received DNS packets cannot be restored after being cleared. Exercise
caution when you run the command.

Procedure
• Run the reset dns statistics command to clear statistics on sent and received DNS packets.

----End

4.5.4 Manually Updating a DDNS Policy


Procedure
• Run:
reset ddns policy policy-name [ interface interface-type interface-num ]

Mappings between all the IP addresses and host names in the DDNS policy are updated.
----End

4.5.5 Monitoring the Running Status of DNS


Context
In routine maintenance, you can run the following commands in any view to check the running
status of DNS.

Procedure
• Run the display dns forward table [ source-ip ip-address ] command to check the DNS
forwarding table.
• Run the display dns dynamic-host command to display dynamic DNS entries.

----End

4.6 Configuration Examples


This section provides DNS configuration examples, including networking requirements,
configuration roadmap, and configuration procedure.

4.6.1 Example for Configuring the DNS Client


Networking Requirements
A domain name is easier to remember than an IP address, so users want to access network
servers using domain names. It is required that the DNS server can resolve a domain name after
a user enters only part of the domain name. For example, when a user attempts to access the
host huawei.com, the user only needs to enter huawei. It is also required that the DNS server can
quickly resolve common domain names.
Figure 4-7 Networking diagram for configuring the DNS client
[Figure: RouterA (DNS client, GE1/0/0 1.1.1.2/16) connects to RouterB (GE1/0/0 1.1.1.1/16,
GE2/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32, HostB), which connects to RouterC (GE2/0/0 2.1.1.2/16,
GE1/0/0 3.1.1.1/16, Loopback0 4.1.1.2/32, HostC). The DNS server is at 3.1.1.2/16 and
huawei.com is at 2.1.1.3/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries on RouterA to access host B and C.
2. Configure the dynamic DNS resolution on RouterA to access the DNS server.
3. Configure the domain name suffix on RouterA to support a domain name suffix list.
4. Configure OSPF on routers to ensure routes are reachable.

Procedure
Step 1 Configure RouterA.
# Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit

# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure static DNS entries.


[RouterA] ip host hostB 4.1.1.1
[RouterA] ip host hostC 4.1.1.2

# Enable DNS resolution.


[RouterA] dns resolve

# Configure an IP address for the DNS server.


[RouterA] dns server 3.1.1.2

# Set the domain name suffix to net.


[RouterA] dns domain net

# Set the domain name suffix to com.


[RouterA] dns domain com
NOTE

You need to configure OSPF on RouterB and RouterC to ensure reachable routes between them. For details
about OSPF configurations on RouterB and RouterC, see the configuration files.

Step 2 Verify the configuration.


# Run the ping hostB command on RouterA. You can see that the ping operation succeeds and
the destination IP address is 4.1.1.1.
<RouterA> ping hostB
PING hostB (4.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 4.1.1.1: bytes=56 Sequence=1 ttl=126 time=4 ms
Reply from 4.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 4.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 4.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 4.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- hostB ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/4 ms

# Run the ping huawei.com command on RouterA. You can see that the ping operation succeeds
and the destination IP address is 2.1.1.3.
<RouterA> ping huawei.com
Trying DNS server (3.1.1.2)
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms

# Run the ping huawei command on RouterA. You can see that the ping operation succeeds,
the domain name changes to huawei.com, and the destination IP address is 2.1.1.3.
<RouterA> ping huawei
Trying DNS server (3.1.1.2)
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms

# Run the display ip host command on RouterA. You can view mappings between host names
and IP addresses in static DNS entries.
<RouterA> display ip host
Host     Age  Flags   Address
hostB    0    static  4.1.1.1
hostC    0    static  4.1.1.2

# Run the display dns dynamic-host command on RouterA. You can view information about
dynamic DNS entries saved in the cache.
<RouterA> display dns dynamic-host
Host         TTL   Type  Address(es)
huawei.com   114   IP    2.1.1.3

NOTE

The TTL field in the command output indicates the time left before a DNS entry ages out, in seconds.

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
ip host hostB 4.1.1.1
ip host hostC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface GigabitEthernet 1/0/0
ip address 1.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB


#
sysname RouterB
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface GigabitEthernet 1/0/0
ip address 1.1.1.1 255.255.0.0
#
interface GigabitEthernet 2/0/0
ip address 2.1.1.1 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return

Configuration file of RouterC


#
sysname RouterC
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface GigabitEthernet 1/0/0
ip address 3.1.1.1 255.255.0.0
#
interface GigabitEthernet 2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return

4.6.2 Example for Configuring DNS Proxy


Networking Requirements
As shown in Figure 4-8, the enterprise deploys a DNS server only on the headquarters network
to save costs. The route between the RouterA and the DNS server or between the RouterA and
the FTP server is reachable. The mapping between the domain name (huawei.com) of the FTP
server and the IP address 2.1.1.3 is recorded on the DNS server. Enterprise users on the branch
network expect to access the FTP server through the DNS domain name. To facilitate
maintenance, the enterprise requires that users be unaware of the DNS server address change.
Figure 4-8 Network diagram for configuring DNS proxy
[Figure: HostA on the enterprise branch network connects to RouterA (DNS proxy, GE1/0/0
1.1.1.1/16). The peer interface GE1/0/0 1.1.1.2/16 leads to the enterprise headquarters, which
hosts the DNS server (2.1.1.1/16) and the FTP server huawei.com (2.1.1.3/16).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DNS Proxy on RouterA to implement domain name resolution for clients.
NOTE

After DNS Proxy is enabled, RouterA can be regarded as the DNS server of HostA. You need to
configure RouterA's IP address as the IP address of the DNS server on HostA, and configure the IP
address (2.1.1.1) of the DNS server on the headquarters network on RouterA. In this way, when the
DNS server address changes, you only need to modify the configuration on RouterA, and the change
is not visible to the users.

Procedure
Step 1 Configure an IP address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.0.0
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure DNS Proxy.


[RouterA] dns proxy enable
[RouterA] dns resolve
[RouterA] dns server 2.1.1.1

Step 3 Configure the default route from the DNS proxy to the DNS server.
Assume that the IP address of the next hop from the DNS proxy to the DNS server is 1.1.1.2/16.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

Step 4 Specify the IP address of the DNS server on HostA as 1.1.1.1.


Step 5 Verify the configuration.
# Run the display current-configuration command to view the DNS proxy configuration on
RouterA.
<RouterA> display current-configuration | include dns
dns resolve
dns server 2.1.1.1
dns proxy enable

# Run the ping huawei.com command on LAN HostA. You can see that the ping operation
succeeds.
C:\Documents and Settings\HostA>ping huawei.com
PING huawei.com [2.1.1.3] with 32 bytes of data:
Reply from 2.1.1.3: bytes=32 time=16ms TTL=255
Reply from 2.1.1.3: bytes=32 time<1ms TTL=255
Reply from 2.1.1.3: bytes=32 time<1ms TTL=255
Reply from 2.1.1.3: bytes=32 time<1ms TTL=255
Ping statistics for 2.1.1.3:
Packets: Sent = 4, Received = 4, Lost = 0(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 4ms

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.0.0
#
dns resolve
dns server 2.1.1.1
dns proxy enable
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
return

4.6.3 Example for Configuring the DDNS Client


Networking Requirements
As shown in Figure 4-9, RouterA can function as a web server. The domain name of RouterA is
www.abc.com, and its IP address may change. In this case, enable the DDNS client function to
obtain the latest mapping between the domain name and the IP address. The DDNS service
provider www.oray.cn is used as the DDNS server. When the IP address of RouterA changes,
RouterA functions as the DDNS client to send an update request to the DDNS server. Then the
DDNS server instructs the DNS server to reconfigure the mapping between the domain name
and the IP address.
Figure 4-9 Networking diagram for configuring the DDNS client
[Figure: RouterA (DDNS client, GE1/0/0 1.1.1.2/16) connects to RouterB (GE1/0/0 1.1.1.1/16,
GE2/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32), which connects to RouterC (GE2/0/0 2.1.1.2/16,
GE1/0/0 3.1.1.1/16, Loopback0 4.1.1.2/32). The DNS server is at 3.1.1.2/16 and the DDNS server
is at 2.1.1.3/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DDNS policy on RouterA and bind the DDNS policy to an interface. When the
IP address of the interface changes, RouterA sends a request for updating DNS entries to
the DDNS server.
2. Configure the URL of the DDNS server on RouterA so that RouterA sends a request for
updating DNS entries to the correct DDNS server.

Procedure
Step 1 Configure RouterA.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ddns policy mypolicy

# Configure the URL of the DDNS server.


[RouterA-ddns-policy-mypolicy] url oray://steven:nevets@phddnsdev.oray.net

# Set the interval for sending DDNS update requests.


[RouterA-ddns-policy-mypolicy] interval 3600
[RouterA-ddns-policy-mypolicy] quit

# Enable DNS resolution.


[RouterA] dns resolve

# Configure an IP address for the DNS server.


[RouterA] dns server 3.1.1.2

# Bind the DDNS policy to GE1/0/0.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ddns apply policy mypolicy
[RouterA-GigabitEthernet1/0/0] quit
NOTE

If the IP address of GE1/0/0 changes, RouterA notifies the DDNS server of the change, and then the DDNS
server instructs the DNS server to reconfigure the mapping between the domain name www.abc.com and the IP
address to ensure that the IP address can be resolved correctly.

# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
NOTE

To implement communication among the DDNS client, DDNS server, and the DNS server, configure OSPF
on RouterB and RouterC. For details about OSPF configurations on RouterB and RouterC, see the
configuration files.

Step 2 Verify the configuration.


# Run the display ddns policy mypolicy command on RouterA, and information about the
DDNS policy named mypolicy is displayed.
<RouterA> display ddns policy mypolicy
Policy name          : mypolicy
Policy interval time : 3600
Policy URL           : oray://steven:nevets@phddnsdev.oray.net
Policy bind count    : 1
===== interface GigabitEthernet1/0/0 ======
Statuses: ESTABLISH
Refresh: enable

# Run the display ddns interface gigabitethernet 1/0/0 command on RouterA, and information
about the DDNS policy on GE1/0/0 is displayed.
<RouterA> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: oray://steven:nevets@phddnsdev.oray.net
Statuses: ESTABLISH
Refresh: enable

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
dns resolve
dns server 3.1.1.2
ddns policy mypolicy
url oray://steven:nevets@phddnsdev.oray.net
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.0.0
ddns apply policy mypolicy
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB


#
sysname RouterB
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.0.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return

Configuration file of RouterC


#
sysname RouterC
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface GigabitEthernet1/0/0
ip address 3.1.1.1 255.255.0.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return

4.6.4 Example for Configuring the router to Communicate with Siemens DDNS Server
Networking Requirements
As shown in Figure 4-10, the domain name of RouterA is www.abc.com, and its IP address may
change. In this case, you need to enable the DDNS client function to obtain the latest mapping
between the domain name and the IP address. The Siemens DDNS server is used. When the IP
address of RouterA changes, RouterA functions as the DDNS client to send a request to the
DDNS server. Then the DDNS server instructs the DNS server to reconfigure the mapping
between the domain name and the IP address.
Figure 4-10 Configuring the DDNS client
[Figure: RouterA (DDNS client, GE1/0/0 1.1.1.2/16) connects to RouterB (GE1/0/0 1.1.1.1/16,
GE2/0/0 2.1.1.1/16, Loopback0 4.1.1.1/32), which connects to RouterC (GE2/0/0 2.1.1.2/16,
GE1/0/0 3.1.1.1/16, Loopback0 4.1.1.2/32). The DNS server is at 3.1.1.2/16 and the DDNS server
is at 2.1.1.3/16.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DDNS policy.
2. Configure the URL of the DDNS server.
3. Configure a client SSL policy.
4. Bind the SSL policy to the DDNS policy.
5. Set the interval for sending DDNS update requests.
6. Bind the DDNS policy to the interface.

Procedure
Step 1 Configure RouterA.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ddns policy mypolicy

# Configure the URL of the Siemens DDNS server.


[RouterA-ddns-policy-mypolicy] url https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
[RouterA-ddns-policy-mypolicy] quit

# Configure a client SSL policy. For details about how to configure a client SSL policy, see
Example for Configuring a Client SSL Policy.
# Bind the SSL policy to the DDNS policy.
[RouterA] ddns policy mypolicy
[RouterA-ddns-policy-mypolicy] ssl-policy siemens

# Set the interval for sending DDNS update requests.


[RouterA-ddns-policy-mypolicy] interval 36000
[RouterA-ddns-policy-mypolicy] quit

# Enable the DNS resolution function.


[RouterA] dns resolve

# Configure an IP address for the DNS server.


[RouterA] dns server 3.1.1.2

# Bind the DDNS policy to GE1/0/0.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-GigabitEthernet1/0/0] ddns apply policy mypolicy
[RouterA-GigabitEthernet1/0/0] quit

When the IP address of GigabitEthernet1/0/0 changes, RouterA notifies the DNS server, through
the DDNS server, to establish the mapping between the domain name www.abc.com and the new
IP address so that users on the Internet can resolve www.abc.com to the latest IP address.
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
NOTE

To implement communication between the DDNS client, DDNS server, and the DNS server, configure
OSPF on RouterB and RouterC. For details about OSPF configurations on RouterB and RouterC, see the
configuration files.

Step 2 Verify the configuration.


# Run the display ddns policy mypolicy command on RouterA, and you can view information
about the DDNS policy named mypolicy.
<RouterA> display ddns policy mypolicy
Policy name          : mypolicy
Policy interval time : 36000
Policy URL           : https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
Policy SSL           : siemens
Policy bind count    : 1
===== interface GigabitEthernet1/0/0 ======
Statuses             : ESTABLISH(2)
Last Fresh Time      : 2012-06-13 13:06:46
Last Fresh result    : Success
Next Fresh Time      : 2012-06-13 23:06:46

# Run the display ddns interface gigabitethernet 1/0/0 command on RouterA. You can view
information about the DDNS policy on GigabitEthernet1/0/0.
<RouterA> display ddns interface gigabitethernet 1/0/0
===== Policy mypolicy =======
URL: https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
Statuses: ESTABLISH
Refresh: enable

----End

Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ddns policy mypolicy
url https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
interval 36000
ssl-policy siemens
#
dns resolve
dns server 3.1.1.2
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.0.0
ddns apply policy mypolicy
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return

Configuration file of RouterB


#
sysname RouterB
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.0.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return

Configuration file of RouterC
#
sysname RouterC
#
interface LoopBack0
 ip address 4.1.1.2 255.255.255.255
#
interface GigabitEthernet1/0/0
 ip address 3.1.1.1 255.255.0.0
#
interface GigabitEthernet2/0/0
 ip address 2.1.1.2 255.255.0.0
#
ospf 1
 area 0.0.0.0
  network 2.1.0.0 0.0.255.255
  network 3.1.0.0 0.0.255.255
  network 4.1.1.2 0.0.0.0
#
return
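
The RouterA configuration above carries the DDNS account password as a URL query parameter, and both display commands echo that URL in full. The following Python audit is an added example, not part of the Huawei guide: it parses configuration text in the layout shown above, reports which DDNS policies embed credentials or use cleartext HTTP, and prints a redacted URL. The function names, the list of secret parameter names and the "legacy" policy are assumptions of this example.

```python
"""Offline audit of DDNS policies in VRP-style configuration text (added example)."""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query parameter names treated as credentials (an assumption of this example).
SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "token", "key"}

# Constructed sample: mypolicy and the interface come from the RouterA
# configuration file on this page; the "legacy" policy is constructed for contrast.
SAMPLE_CONFIG = """\
#
sysname RouterA
#
ddns policy mypolicy
 url https://2.1.1.3/nic/update?group=med&user=huawei_test&password=12345&myip=<a>
 interval 36000
 ssl-policy siemens
#
ddns policy legacy
 url http://2.1.1.3/nic/update?user=huawei_test&password=12345&myip=<a>
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.2 255.255.0.0
 ddns apply policy mypolicy
#
return
"""


def _new_policy():
    return {"url": None, "ssl_policy": None, "interfaces": []}


def parse_ddns(config_text):
    """Return {policy: {"url", "ssl_policy", "interfaces"}} from configuration text."""
    policies = {}
    policy = iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                      # "#" closes the current view
            policy = iface = None
        elif line.startswith("ddns policy "):
            policy = line.split()[2]
            policies.setdefault(policy, _new_policy())
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif policy and line.startswith("url "):
            policies[policy]["url"] = line.split(None, 1)[1]
        elif policy and line.startswith("ssl-policy "):
            policies[policy]["ssl_policy"] = line.split()[1]
        elif iface and line.startswith("ddns apply policy "):
            name = line.split()[3]
            policies.setdefault(name, _new_policy())["interfaces"].append(iface)
    return policies


def redact(url):
    """Replace the values of credential parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(
        f"{k}={'***' if k.lower() in SECRET_PARAMS else v}" for k, v in pairs
    )
    return urlunsplit(parts._replace(query=query))


def audit(config_text):
    """Return sorted (policy, finding, detail) tuples; details never hold secret values."""
    findings = []
    for name, pol in parse_ddns(config_text).items():
        if not pol["url"]:
            continue
        parts = urlsplit(pol["url"])
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() in SECRET_PARAMS]
        if names:
            findings.append((name, "credential-in-url", ",".join(names)))
        if parts.password:
            findings.append((name, "credential-in-userinfo", "password"))
        if parts.scheme.lower() != "https":
            findings.append((name, "cleartext-transport", parts.scheme))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_ddns(SAMPLE_CONFIG)
    for policy, finding, detail in audit(SAMPLE_CONFIG):
        print(f"{policy}: {finding} ({detail}) "
              f"applied to {parsed[policy]['interfaces'] or 'no interface'}")
        print("  " + redact(parsed[policy]["url"]))
```

Because the URL appears in display output and in the saved configuration file, the findings identify every place the stored value needs the same access control as the password itself.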

4.7 Common Configuration Errors


This section describes common faults caused by incorrect DNS configurations and provides the
troubleshooting procedure.

4.7.1 Dynamic Domain Name Resolution Cannot Be Implemented on a DNS Client
Fault Description
The router functions as a DNS client that is configured with dynamic domain name resolution
but cannot resolve domain names to IP addresses correctly.

Procedure
Step 1 Run the display dns dynamic-host command to check whether the specified domain name
exists in the dynamic domain name cache.
- If not, check whether the DNS client communicates with the DNS server properly, the DNS
  server runs properly, and dynamic domain name resolution is enabled.
- If so, but the IP address is incorrect, go to step 2.
Step 2 Run the display dns server command to verify that the IP address of the DNS server is correct
on the DNS client.
If the DNS server IP address is incorrect, run the undo dns server ip-address command to delete
the configured DNS server IP address, and run the dns server ip-address command to
reconfigure a correct IP address for the DNS server.
----End


4.8 FAQ
4.8.1 How Do I View the DNS Configuration of Devices?
Run the display current-configuration | include dns command.

4.8.2 When Configuring Static DNS Entries, Do I Have to Enable Dynamic DNS Resolution?
No, you do not need to enable dynamic domain name service (DNS) resolution when configuring
static domain name service (DNS) entries. You must enable dynamic DNS resolution when
configuring dynamic DNS entries.

4.8.3 Are Dynamic DNS Entries Aged at Intervals of the Aging Time or Using the Command?
Yes. Run the reset dns dynamic-host command to clear dynamic domain name service (DNS)
entries.

4.8.4 In What Scenarios Should I Use the DNS Relay Function?


The DNS proxy or relay function enables a DNS client on a LAN to connect to an external DNS
server. After the external DNS server translates the domain name of the DNS client to an IP
address, the DNS client can access the Internet.
After receiving DNS query packets from the DNS client, the device with DNS proxy enabled
searches the local cache. The device with DNS relay enabled directly forwards the DNS query
packets to the external DNS server, and does not search the local cache.
If the DNS client needs to obtain resource records on the DNS server in real time, enable the
DNS relay function on the device.

4.8.5 Does the Device Support DNS Proxy?


The device supports DNS proxy. The DNS proxy forwards DNS request and response packets
between a DNS client and DNS server. The DNS client on a LAN considers the DNS proxy as
the DNS server and sends DNS request packets to the DNS proxy. The DNS proxy forwards
DNS request packets to the DNS server, and sends DNS response packets from the DNS server
to the DNS client, to implement domain name resolution. When the DNS server's IP address
changes, you only need to change the DNS proxy configuration without changing the
configuration of each DNS client. This simplifies network management.

4.8.6 Does the Device Allow a Server IP Address to Map Multiple Domain Names?
The device allows a server IP address to map multiple domain names.

4.9 References
The following table lists the references of this document:

Document   Description                                       Remarks
RFC1034    DOMAIN NAMES - CONCEPTS AND FACILITIES
RFC1035    DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION

5 NAT Configuration

About This Chapter


Network Address Translation (NAT) enables translation between private IP addresses and public
IP addresses, alleviates the IPv4 address shortage, and shields the topology of private networks,
therefore improving network security.
5.1 Introduction to NAT
5.2 Principles
5.3 Applications
5.4 Configuration Tasks
5.5 Configuration Notes
5.6 Configuring NAT
5.7 Maintaining NAT
5.8 Configuration Examples
5.9 Common Configuration Errors
5.10 FAQ
5.11 References


5.1 Introduction to NAT


Definition
Network Address Translation (NAT) translates the IP address in an IP datagram header to
another IP address.

Purpose
The rapid development of the Internet brings an increasing number of network applications.
Exhaustion of IPv4 addresses has become a bottleneck for the network development. IPv6 can
solve the problem of IPv4 address shortage, but numerous network devices and applications are
based on IPv4. Major transitional technologies such as classless inter-domain routing (CIDR)
and private network addresses are used before the wide use of IPv6 addresses. NAT enables
users on private networks to access public networks. When a host on a private network accesses
a public network, NAT translates the host's private IP address to a public IP address. Multiple
hosts on a private network can share one public IP address. This implements network
communication while saving public IP addresses. For the classification of private IP addresses,
see 1.2.2 IPv4 Address.

Benefits
As a transitional plan, NAT enables address reuse to meet the demand for IP addresses, therefore
alleviating the IPv4 address shortage. In addition to solving the problem of IP address shortage,
NAT provides the following advantages:
- Protects private networks against external attacks, greatly improving network security.
  This function controls not only access to external networks from internal hosts, but also
  access to the internal network from external users.

5.2 Principles
5.2.1 Overview
NAT translates the IP address in an IP datagram header to another IP address, allowing users on
private networks to access public networks. Basic NAT implements one-to-one translation
between one private IP address and one public IP address, whereas Network Address and Port
Translation (NAPT) implements one-to-many translation between one public IP address and
multiple private IP addresses.

Basic NAT
Basic NAT implements one-to-one IP address translation. In this mode, only the IP address is
translated, whereas the TCP/UDP port number remains unchanged. Basic NAT cannot translate
multiple private IP addresses to the same public IP address.


Figure 5-1 Networking diagram for basic NAT
[Figure: Host (10.1.1.100/8) connects through the Router (address group 162.105.178.65,
162.105.178.66, 162.105.178.67) to the Server (211.100.7.34/24).]

NAT table
Event                                   Direction  Before Router   After Router
Internal host sends a request           Outbound   10.1.1.100      162.105.178.65
External host responds to the request   Inbound    162.105.178.65  10.1.1.100

As shown in Figure 5-1, the basic NAT process is as follows:


1. The Router receives a request packet sent from the host on the private network for accessing
the server on the public network. The source IP address of the packet is 10.1.1.100.

2. The Router selects an idle public IP address (162.105.178.65) from the IP address pool,
and sets up forward and reverse NAT entries that specify the mapping between the source
IP address of the packet and the public IP address. The Router translates the packet's source
IP address to the public IP address based on the forward NAT entry, and sends the packet
to the server on the public network. After the translation, the packet's source IP address is
162.105.178.65, and its destination IP address is 211.100.7.34.

3. After receiving a response packet from the server on the public network, the Router queries
the reverse NAT entry based on the packet's destination IP address. The Router translates
the packet's destination IP address to the private IP address of the host on the private network
based on the reverse NAT entry, and sends the packet to the host. After the translation, the
packet's source IP address is 162.105.178.65, and its destination IP address is 10.1.1.100.
NOTE

Basic NAT cannot solve the problem of public IP address shortage because it cannot implement address
reuse. Therefore, basic NAT is seldom used in practice.
The number of public IP addresses owned by the NAT device is far less than the number of hosts on private
networks because not all the hosts on private networks access public networks at the same time. The number
of public IP addresses needs to be determined based on the number of hosts on private networks that access
public networks during peak hours.

NAPT
In addition to one-to-one address translation, NAPT allows multiple private IP addresses to be
mapped to the same public IP address. It is also called many-to-one address translation or address
reuse.
NAPT translates the IP address and port number of a packet so that multiple users on a private
network can use the same public IP address to access the public network.

Figure 5-2 Networking diagram for NAPT
[Figure: Host A (10.1.1.100/8) and Host B (10.1.1.200/8) connect through the Router (address
group 162.105.178.65, 162.105.178.66, 162.105.178.67) to the Server (211.100.7.34/24).]

NAPT table
Event                       Direction  Before Router         After Router
Host A sends a request      Outbound   10.1.1.100:1025       162.105.178.65:16384
Server responds to Host A   Inbound    162.105.178.65:16384  10.1.1.100:1025
Host B sends a request      Outbound   10.1.1.200:1028       162.105.178.65:16400
Server responds to Host B   Inbound    162.105.178.65:16400  10.1.1.200:1028

As shown in Figure 5-2, the NAPT process is as follows:


1. The Router receives a request packet sent from the host on the private network for accessing
the server on the public network. For example, the packet is sent from Host A to Router, its
source IP address is 10.1.1.100, and its port number is 1025.

2. The Router selects an idle public IP address and an idle port number from the IP address
pool, and sets up forward and reverse NAPT entries that specify the mapping between the
source IP address and port number of the packet and the public IP address and port number.
The Router translates the packet's source IP address and port number to the public IP address
and port number based on the forward NAPT entry, and sends the packet to the server on
the public network. For example, after the translation is performed on the packet of Host
A, the packet's source IP address is 162.105.178.65, and its port number is 16384.

3. After receiving a response packet from the server on the public network, the Router queries
the reverse NAPT entry based on the packet's destination IP address and port number. The
Router translates the packet's destination IP address and port number to the private IP
address and port number of the host on the private network based on the reverse NAPT
entry, and sends the packet to the host. For example, after the translation is performed on
the packet sent from the server to Host A, the packet's destination IP address is 10.1.1.100,
and its destination port number is 1025.
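
The three NAPT steps above, as an added Python example that is not part of the Huawei guide: a forward/reverse NAPT table using the addresses from Figure 5-2. The class and method names are hypothetical, and sequential port allocation starting at 16384 is an assumption, so Host B receives port 16385 rather than the 16400 shown in the figure.

```python
"""Minimal NAPT table with forward and reverse entries (added example)."""


class PoolExhausted(Exception):
    """Raised when no idle public address/port pair is left."""


class Napt:
    def __init__(self, pool, first_port=16384, last_port=65535):
        self.pool = list(pool)               # public addresses of the address group
        self.first_port = first_port         # allocation policy is an assumption
        self.last_port = last_port
        self.forward = {}   # (proto, private_ip, private_port) -> (public_ip, public_port)
        self.reverse = {}   # (proto, public_ip, public_port)  -> (private_ip, private_port)

    def _allocate(self, proto):
        """Step 2: pick an idle public address and port for this protocol."""
        for public_ip in self.pool:
            for port in range(self.first_port, self.last_port + 1):
                if (proto, public_ip, port) not in self.reverse:
                    return public_ip, port
        raise PoolExhausted(f"no idle {proto} port in {self.pool}")

    def outbound(self, proto, src_ip, src_port):
        """Steps 1 and 2: translate the source of a packet leaving the private network."""
        key = (proto, src_ip, src_port)
        if key not in self.forward:
            public = self._allocate(proto)
            self.forward[key] = public                          # forward entry
            self.reverse[(proto, *public)] = (src_ip, src_port)  # reverse entry
        return self.forward[key]

    def inbound(self, proto, dst_ip, dst_port):
        """Step 3: translate the destination of a packet from the public network.

        Returns None when no reverse entry exists, in which case the packet has
        no private destination and is not forwarded.
        """
        return self.reverse.get((proto, dst_ip, dst_port))


def figure_5_2_walkthrough():
    """Replay the four events of the NAPT table in Figure 5-2."""
    napt = Napt(["162.105.178.65", "162.105.178.66", "162.105.178.67"])
    a_out = napt.outbound("tcp", "10.1.1.100", 1025)   # Host A sends a request
    a_in = napt.inbound("tcp", *a_out)                 # Server responds to Host A
    b_out = napt.outbound("tcp", "10.1.1.200", 1028)   # Host B sends a request
    b_in = napt.inbound("tcp", *b_out)                 # Server responds to Host B
    unsolicited = napt.inbound("tcp", "162.105.178.65", 20000)  # no reverse entry
    return a_out, a_in, b_out, b_in, unsolicited


if __name__ == "__main__":
    for row in figure_5_2_walkthrough():
        print(row)
```

The last walkthrough value shows the filtering side effect of NAPT: an inbound packet that matches no reverse entry has nowhere to go.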

5.2.2 NAT Implementation


Basic NAT and NAPT translate private IP addresses to public IP addresses by using NAT
devices. Basic NAT implements one-to-one address translation, and NAPT implements
many-to-one address translation. On existing networks, NAT is implemented based on the principles
of basic NAT and NAPT. NAT implements multiple functions such as Easy IP, NAT address
pool, NAT server, and static NAT/NAPT.

NAT address pool and Easy IP are implemented in similar ways. This section describes only
Easy IP. For the implementation of NAT address pool, see 5.2.1 Overview.

Easy IP
Easy IP uses access control lists (ACLs) to control the private IP addresses that can be translated.
Easy IP is applied to the scenario where hosts on small-scale LANs access the Internet.
Small-scale LANs are usually deployed at small and medium-sized cybercafes or small-sized offices
where only a few internal hosts are used and the outbound interface obtains a temporary public
IP address through dial-up. The temporary public IP address is used by the internal hosts to
access the Internet. Easy IP allows the hosts to access the Internet using this temporary public
address.
Figure 5-3 Networking diagram for Easy IP
[Figure: Host A (10.1.1.100/8) and Host B (10.1.1.200/8) connect through the Router, whose
outbound interface address is 162.10.2.8/24, to the Server (211.100.7.34/24).]

Easy IP table
Event                       Direction  Before Router     After Router
Host A sends a request      Outbound   10.1.1.100:1540   162.10.2.8:5480
Server responds to Host A   Inbound    162.10.2.8:5480   10.1.1.100:1540
Host B sends a request      Outbound   10.1.1.200:1586   162.10.2.8:5481
Server responds to Host B   Inbound    162.10.2.8:5481   10.1.1.200:1586

As shown in Figure 5-3, the Easy IP process is as follows:


1. The Router receives a request packet sent from the host on the private network for accessing
the server on the public network. The packet's source IP address is 10.1.1.100, and its port
number is 1540.

2. The Router sets up forward and reverse Easy IP entries that specify the mapping between
the source IP address and port number of the packet and the public IP address and port
number of the port connected to the public network. The Router translates the source IP
address and port number of the packet to the public IP address and port number based on
the forward Easy IP entry, and sends the packet to the server on the public network. After
the translation, the packet's source IP address is 162.10.2.8, and its port number is 5480.

3. After receiving a response packet from the server on the public network, the Router queries
the reverse Easy IP entry based on the packet's destination IP address and port number. The
Router translates the packet's destination IP address and port number to the private IP
address and port number of the host on the private network based on the reverse Easy IP
entry, and sends the packet to the host. After the translation, the packet's destination IP
address is 10.1.1.100, and its port number is 1540.

NAT Server
NAT can shield hosts on private networks from public network users. When a private network
needs to provide services such as WWW and FTP services for public network users, servers on
the private network must be accessible to public network users at any time.
The NAT server can address the preceding problem by translating the public IP address and port
number to the private IP address and port number based on the preset mapping.
Figure 5-4 Networking diagram for NAT server implementation
[Figure: The external host (178.16.32.60) reaches the internal server (192.168.1.68) across the
Internet through the Router. NAT server entry on the Router: Global 209.102.1.68:80,
Local 192.168.1.68:80.]

NAT table
Event                                   Direction  Before Router     After Router
External host sends a request           Inbound    209.102.1.68:80   192.168.1.68:80
Internal host responds to the request   Outbound   192.168.1.68:80   209.102.1.68:80

As shown in Figure 5-4, the address translation process of the NAT server is as follows:
1. Address translation entries of the NAT server are configured on the Router.

2. The Router receives an access request sent from a host on the public network. The
Router queries the address translation entry based on the packet's destination IP address
and port number. The Router translates the packet's destination IP address and port number
to the private IP address and port number based on the address translation entry, and sends
the packet to the server on the private network. The destination IP address of the packet
sent by the host on the public network is 209.102.1.68, and its port number is 80. After the
translation by the Router, the destination IP address of the packet is 192.168.1.68, and its
port number remains unchanged.

3. After receiving a response packet sent from the server on the private network, the Router
queries the address translation entry based on the packet's source IP address and port
number. The Router translates the packet's source IP address and port number to the public
IP address and port number based on the address translation entry, and sends the packet to
the host on the public network. The source IP address of the response packet sent from the
host on the private network is 192.168.1.68, and its port number is 80. After translation by the
Router, the source IP address of the packet is 209.102.1.68, and its port number remains
unchanged.


Static NAT/NAPT
Static NAT indicates that a private IP address is statically bound to a public IP address when
NAT is performed. Only this private IP address can be translated to this public IP address.
Static NAPT indicates that the combination of a private IP address, protocol number, and port
number is statically bound to the combination of a public IP address, protocol number, and port
number. Multiple private IP addresses can be translated to the same public IP address.
Static NAT/NAPT can also translate host IP addresses in the specified private address range to
host IP addresses in the specified public address range. When an internal host accesses the
external network, static NAT or NAPT translates the IP address of the internal host to a public
address if the IP address of the internal host is in the specified address range. An external host
can directly access an internal host if the private IP address translated from the IP address of the
external host is in the specified internal address range.

5.2.3 NAT ALG


NAT and NAPT can translate only IP addresses in IP datagram headers and port numbers in
TCP/UDP headers. For some special protocols such as FTP, IP addresses or port numbers may
be contained in the Data field of the protocol packets. Therefore, NAT cannot translate the IP
addresses or port numbers. A good way to solve the NAT issue for these special protocols is to
use the application level gateway (ALG) function. As a special translation agent for application
protocols, the ALG interacts with the NAT device to establish states. It uses NAT state
information to change the specific data in the Data field of IP datagrams and complete other
necessary work, so that application protocols can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the
public network, the server may need to send its IP address to the host. NAT cannot translate this
IP address because the IP address is carried in the Data field. When the host on the public network
attempts to use the received private IP address, it finds that the FTP server is unreachable.
DNS, FTP, SIP and RTSP support the ALG function. Table 5-1 lists the NAT fields supported
by different protocols.
Table 5-1 Fields supported by different protocols

Application Protocol   Field
DNS                    IP and Port fields in a response packet
FTP                    - IP and Port fields in the payload of a Port request packet
                       - IP and Port fields in the payload of a Passive response packet
SIP                    - Request line
                       - From
                       - To
                       - Contact
                       - Via
                       - O
                       - Connection information field (indicating an IP address) and
                         media description field (indicating a port) in the Message body
RTSP                   Port field in a setup/reply OK packet
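
The FTP rows of Table 5-1, as an added Python example that is not part of the Huawei guide: an ALG-style rewrite of the address and port carried in the payload of a PORT request or a 227 Passive response. The function names and the NAT table (built from the addresses in Figures 5-2 and 5-4, with data port 5001 constructed) are assumptions. The example only rewrites a tuple whose address equals the packet's own source address, and it returns the payload length change because the TCP sequence numbers of the control connection must be adjusted by that amount.

```python
"""FTP ALG payload rewrite for PORT requests and 227 Passive responses (added example)."""
import re

_SIX = rb"(\d{1,3}(?:,\d{1,3}){5})"          # h1,h2,h3,h4,p1,p2
PORT_CMD = re.compile(rb"(PORT )" + _SIX + rb"(\r\n)", re.IGNORECASE)
PASV_REPLY = re.compile(rb"(227 [^\r\n(]*\()" + _SIX + rb"(\)[^\r\n]*\r\n)")

# Constructed NAT state: private (ip, port) -> public (ip, port).
NAT_TABLE = {
    ("10.1.1.100", 1025): ("162.105.178.65", 16384),   # NAPT entry, Figure 5-2
    ("192.168.1.68", 5001): ("209.102.1.68", 5001),    # NAT server, Figure 5-4
}


def lookup(ip, port):
    """Return the public (ip, port) for a private endpoint, or None."""
    return NAT_TABLE.get((ip, port))


def decode(six):
    """b'10,1,1,100,4,1' -> ('10.1.1.100', 1025); None if any number exceeds 255."""
    nums = [int(x) for x in six.split(b",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode(ip, port):
    """('162.105.178.65', 16384) -> b'162,105,178,65,64,0'."""
    return f"{ip.replace('.', ',')},{port >> 8},{port & 0xFF}".encode()


def alg_rewrite(payload, pkt_src_ip, nat_lookup=lookup):
    """Rewrite the embedded endpoint of one FTP control line.

    Returns (new_payload, delta), where delta is the change in payload length.
    The payload is returned unchanged when it is not a PORT/227 line, when the
    embedded address is not the sender's own address, or when no NAT entry exists.
    """
    m = PORT_CMD.fullmatch(payload) or PASV_REPLY.fullmatch(payload)
    if not m:
        return payload, 0
    endpoint = decode(m.group(2))
    if endpoint is None or endpoint[0] != pkt_src_ip:
        return payload, 0
    public = nat_lookup(*endpoint)
    if public is None:
        return payload, 0
    new_payload = m.group(1) + encode(*public) + m.group(3)
    return new_payload, len(new_payload) - len(payload)


if __name__ == "__main__":
    samples = [  # constructed control-channel lines
        (b"PORT 10,1,1,100,4,1\r\n", "10.1.1.100"),
        (b"227 Entering Passive Mode (192,168,1,68,19,137)\r\n", "192.168.1.68"),
        (b"PORT 10,1,1,200,4,1\r\n", "10.1.1.100"),
    ]
    for line, src in samples:
        print(src, alg_rewrite(line, src))
```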

5.2.4 DNS Mapping


In practice, users on a private network need to access internal servers on the same private network
using domain names, but the DNS server is located on a public network. Usually, a DNS response
packet carries the public IP address of an internal server. If the NAT device does not replace the
public IP address resolved by the DNS server with the private IP address of the internal server,
users on the private network cannot access the internal server using the domain name.
DNS mapping can solve the problem by configuring a table that specifies the mapping between
domain names, public IP addresses, public port numbers, and protocol types. In this manner, the
mapping between domain names of servers on the private network and public network
information is established.
Figure 5-5 describes the implementation of DNS mapping.
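Figure 5-5 Networking diagram for DNS mapping
[Figure: The Host (10.1.1.100/8) and the web server (10.1.1.200/8, www.test.com) are on the
private network behind the Router. The DNS server (211.100.7.34/24) holds the record
www.test.com=162.10.2.5. The host sends a DNS request for www.test.com, the DNS server returns
DNS response=162.10.2.5, the Router applies the DNS mapping 162.10.2.5->10.1.1.200, and the
host receives DNS response=10.1.1.200.]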


As shown in Figure 5-5, the host on the private network needs to access the web server using
the domain name, and the Router functions as a NAT server. After receiving a DNS response
packet, the Router searches the DNS mapping table for the information about the web server
based on the domain name carried in the response packet. Then, the Router replaces the public
IP address carried in the DNS response packet with the private IP address of the web server. In
this manner, the DNS response packet received by the host carries the private IP address of the
web server. Then, the host can access the web server using the domain name.

5.2.5 NAT Associated with VPNs


NAT allows hosts on private networks to access public networks, hosts in different virtual private
networks (VPNs) on a private network to access a public network through the same outbound
interface, and hosts with the same IP address in different VPNs to access a public network
simultaneously. NAT also supports NAT server associated with VPNs. It allows a host on
a public network to access hosts in different VPNs on a private network, and a host on a public
network to access hosts with the same IP address in different VPNs on a private network.

Source NAT Associated with VPNs


Source NAT associated with VPNs allows hosts in different VPNs on a private network to access
a public network using NAT. Figure 5-6 shows the networking for NAT associated with VPNs.
Figure 5-6 Networking diagram for source NAT associated with VPNs
[Figure: Host A (IP address 10.1.1.1, VPN 1) and Host B (IP address 10.1.1.1, VPN 2) reach a
Server on the external network through the Router. The private IP addresses of VPN 1 and VPN 2
overlap. NAT rules on the Router: VPN 1: 10.1.1.1 -> 202.1.1.1; VPN 2: 10.1.1.1 -> 202.1.2.1.]

Source NAT associated with VPNs is implemented as follows:


1. The IP addresses of host A in VPN 1 and host B in VPN 2 are 10.1.1.1. Host A and host B
want to access the same server on the public network.

2. When a router functions as a NAT device, the router translates the source IP address of the
packet sent from host A to 202.1.1.1 and the source IP address of the packet sent from host
B to 202.1.2.1. In addition, the router records the VPN information about the hosts in the
NAT translation table.

3. When the response packets sent from the server on the public network to host A and host
B pass through the router:
- The NAT module translates the destination IP address 202.1.1.1 of the packet sent to
  host A to 10.1.1.1 based on the NAT translation table, and then sends the packet to host
  A in VPN 1.
- The NAT module translates the destination IP address 202.1.2.1 of the packet sent to
  host B to 10.1.1.1 based on the NAT translation table, and then sends the packet to host
  B in VPN 2.

NAT Server Associated with VPNs


NAT server associated with VPNs allows hosts on a public network to access servers in different
VPNs on a private network using NAT.
Figure 5-7 Networking diagram for NAT server associated with VPNs
[Figure: Server A (IP address 10.1.1.1, VPN 1) and Server B (IP address 10.1.1.1, VPN 2) are
reached from the external network through the Router. The private IP addresses of VPN 1 and
VPN 2 overlap. NAT server entries on the Router: Local VPN 1 10.1.1.1, Global 202.1.10.1;
Local VPN 2 10.1.1.1, Global 202.1.20.1.]

As shown in Figure 5-7, the IP addresses of server A in VPN 1 and server B in VPN 2 are
10.1.1.1. The public address of server A is 202.1.10.1 and that of server B is 202.1.20.1. Hosts
on the public network can access server A using 202.1.10.1 and access server B using 202.1.20.1.
The NAT server associated with VPNs is implemented as follows:
1. A host on the public network sends a packet with the destination IP address as 202.1.10.1
to server A in VPN 1 and sends a packet with the destination IP address as 202.1.20.1 to
server B in VPN 2.

2. The router functions as the NAT server. Based on the packets' destination IP addresses and
VPN information:
- The router translates the destination address 202.1.10.1 to 10.1.1.1 and sends the packet
  to server A in VPN 1.
- The router translates the destination address 202.1.20.1 to 10.1.1.1 and sends the packet
  to server B in VPN 2.
In addition, the router records the VPN information in the NAT translation table.

3. When the response packets sent from server A and server B to the host on the public network
pass through the router:
- The NAT module translates the source IP address 10.1.1.1 of the packet sent from server
  A to 202.1.10.1 based on the NAT translation table, and sends the packet to the host on
  the public network.
- The NAT module translates the source IP address 10.1.1.1 of the packet sent from server
  B to 202.1.20.1 based on the NAT translation table, and sends the packet to the host on
  the public network.

5.2.6 Twice NAT


Twice NAT refers to translation of both the source and destination IP addresses of a data packet.
It is applied to the situation where a private IP address is the same as a public IP address.
Figure 5-8 Networking diagram for twice NAT
[Figure: Host A (1.1.1.1) on the private network, the Router with address group 3.3.3.1,
3.3.3.2, and on the external network Host B (1.1.1.1, www.example.com) and a DNS server.]

The process of twice NAT is described as follows:


1. Host A with the IP address 1.1.1.1 on the private network wants to access host B with the
same IP address on the public network. Host A sends a DNS request to the DNS server on
the public network. The DNS server sends a response packet containing the IP address
1.1.1.1 of host B. When the response packet passes through the router, the router performs
DNS ALG and translates host B's IP address 1.1.1.1 in the response packet to the unique
temporary IP address 3.3.3.1. Then, the router forwards the response packet to Host A.

2. Host A sends a request packet with the destination IP address as the temporary IP address
3.3.3.1, for accessing host B. When the request packet passes through the router, the
router detects that the destination IP address is the temporary IP address, and translates the
destination IP address to host B's real IP address 1.1.1.1. Meanwhile, the router translates
the source IP address of the request packet to an address in the outbound NAT address pool
using outbound NAT. Then, the router forwards the request packet to host B.

3. Host B sends host A a response packet with the destination IP address as the address in the
outbound NAT address pool and the source IP address as the IP address of host B 1.1.1.1.
When the response packet passes through the router, the router detects that the source IP
address is the same as the real IP address of host A, and translates the source IP address to
the temporary IP address 3.3.3.1 using NAT. Meanwhile, the router translates the
destination IP address of the response packet to the private IP address 1.1.1.1 of host A.
Then, the router forwards the response packet to host A.

Figure 5-9 Networking diagram for twice NAT when multiple VPNs are deployed on a private
network
[Figure: Host A (1.1.1.1) in VPN A and Host B (1.1.1.1) in VPN B on the private network, the
Router with address group 3.3.3.1, 4.4.4.1, and on the external network Host B (1.1.1.1,
www.example.com) and a DNS server.]

A private network may consist of multiple VPNs and hosts in the VPNs may have the same IP
address. When configuring DNS ALG on a router, you need to add the VPN information that is
used as the condition for mapping identical IP addresses of the hosts in the VPNs to IP addresses
in the temporary address pool. Figure 5-9 shows the networking for twice NAT when multiple
VPNs are deployed on a private network. When multiple VPNs are deployed on a private
network, the twice NAT process remains unchanged. The source IP address of host A in VPN
A is translated to the temporary address 3.3.3.1, and the source IP address of host B in VPN B
is translated to the temporary address 4.4.4.1.
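
The twice NAT steps and the multi-VPN case above, as an added Python example that is not part of the Huawei guide. It is a simplified model: the class and method names are hypothetical, the temporary mapping is keyed by VPN and overlapping address as the paragraph above describes, outbound NAT is address-only, and the outbound pool addresses 203.0.113.10 and 203.0.113.11 are constructed because the page does not give them.

```python
"""Twice NAT with a VPN-aware temporary address pool (added example)."""


class TwiceNat:
    def __init__(self, temp_pool, outbound_pool, inside_addrs):
        self.temp_free = list(temp_pool)       # temporary address pool
        self.out_free = list(outbound_pool)    # outbound NAT address pool
        self.inside = set(inside_addrs)        # {(vpn, ip)} addresses in use on the private side
        self.temp_by_real = {}                 # (vpn, real_ip) -> temp_ip
        self.real_by_temp = {}                 # (vpn, temp_ip) -> real_ip
        self.pub_by_priv = {}                  # (vpn, private_ip) -> public_ip
        self.priv_by_pub = {}                  # public_ip -> (vpn, private_ip)

    @staticmethod
    def _take(pool, what):
        if not pool:
            raise RuntimeError(f"{what} exhausted")
        return pool.pop(0)

    def dns_alg(self, vpn, answer_ip):
        """Step 1: rewrite a DNS answer that collides with an address used in this VPN."""
        key = (vpn, answer_ip)
        if key not in self.inside:
            return answer_ip                   # no overlap, answer passes unchanged
        if key not in self.temp_by_real:
            temp = self._take(self.temp_free, "temporary address pool")
            self.temp_by_real[key] = temp
            self.real_by_temp[(vpn, temp)] = answer_ip
        return self.temp_by_real[key]

    def outbound(self, vpn, src_ip, dst_ip):
        """Step 2: temporary destination -> real address, private source -> pool address."""
        real_dst = self.real_by_temp.get((vpn, dst_ip), dst_ip)
        key = (vpn, src_ip)
        if key not in self.pub_by_priv:
            public = self._take(self.out_free, "outbound NAT address pool")
            self.pub_by_priv[key] = public
            self.priv_by_pub[public] = key
        return self.pub_by_priv[key], real_dst

    def inbound(self, src_ip, dst_ip):
        """Step 3: returns (vpn, new_src, new_dst), or None without an outbound entry."""
        owner = self.priv_by_pub.get(dst_ip)
        if owner is None:
            return None
        vpn, private_ip = owner
        temp_src = self.temp_by_real.get((vpn, src_ip), src_ip)
        return vpn, temp_src, private_ip


def figure_5_9_walkthrough():
    """Both VPNs use 1.1.1.1 internally and resolve an external host that is also 1.1.1.1."""
    nat = TwiceNat(
        temp_pool=["3.3.3.1", "4.4.4.1"],                 # address group in Figure 5-9
        outbound_pool=["203.0.113.10", "203.0.113.11"],   # constructed
        inside_addrs={("VPN A", "1.1.1.1"), ("VPN B", "1.1.1.1")},
    )
    steps = []
    for vpn in ("VPN A", "VPN B"):
        temp = nat.dns_alg(vpn, "1.1.1.1")
        public_src, real_dst = nat.outbound(vpn, "1.1.1.1", temp)
        steps.append((vpn, temp, public_src, real_dst, nat.inbound(real_dst, public_src)))
    return steps


if __name__ == "__main__":
    for step in figure_5_9_walkthrough():
        print(step)
```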

5.2.7 NAT Filtering and NAT Mapping


NAT filtering allows a NAT device to filter the traffic from a public network to a private
network. NAT mapping enables the IP addresses of a group of hosts on a private network to be
mapped to the same public IP address using the NAT mapping table.

NAT Filtering
A NAT device filters the traffic from an external network to an internal network. NAT filtering
includes the following modes:
• Endpoint-independent filtering
• Endpoint-dependent filtering
• Endpoint and port-dependent filtering

Figure 5-10 shows the NAT filtering applications.


Figure 5-10 NAT filtering applications
[Figure labels: PC 1; NAT device; Internet; PC 2: 202.1.10.1; PC 3: 202.1.20.1. Packets shown in the figure:]

Packet           Source IP      Source port   Destination IP   Destination port
Data packet 1    10.1.1.1       1111          202.1.10.1       2222
Data packet 1'   202.169.10.1   1111          202.1.10.1       2222
Data packet 2    202.1.20.1     4444          10.1.1.1         1111
Data packet 2'   202.1.20.1     4444          202.169.10.1     1111
Data packet 3    202.1.10.1     3333          10.1.1.1         1111
Data packet 3'   202.1.10.1     3333          202.169.10.1     1111
Data packet 4    202.1.10.1     2222          10.1.1.1         1111
Data packet 4'   202.1.10.1     2222          202.169.10.1     1111

As shown in the preceding figure, PC-1 on the private network communicates with PC-2 and
PC-3 on the public network using a NAT device. Datagram 1 is sent from PC-1 to PC-2. The
source port number of the datagram is 1111 and the destination port number is 2222. The NAT
device translates the source IP address to 202.169.10.1.
After PC-1 sends an access request to a PC on the public network, the PC on the public network
transmits traffic to PC-1, and the NAT device filters the traffic destined for PC-1. Datagram 2',
datagram 3', and datagram 4' are sent in three scenarios corresponding to the preceding three
NAT filtering modes.
• Datagram 2' is sent from PC-3 to PC-1. The destination address of datagram 2 is different
  from that of datagram 1, and the destination port number is 1111. Datagram 2 can pass
  through the NAT device only when endpoint-independent filtering is used.
• Datagram 3' is sent from PC-2 to PC-1. The destination address of datagram 3 is the same
  as that of datagram 1, and the destination port number is 1111. The source port number of
  datagram 3 is 3333, which is different from that of datagram 1. Datagram 3 can pass through
  the NAT device only when endpoint-dependent filtering or endpoint-independent filtering
  is used.
• Datagram 4' is sent from PC-2 to PC-1. The destination address of datagram 4 is the same
  as that of datagram 1, and the destination port number is 1111. The source port number of
  datagram 4 is 2222, which is the same as that of datagram 1. In this case, endpoint and
  port-dependent filtering is used, which is the default one. Datagram 4 can pass through the NAT
  device no matter whether a filtering mode is configured or no matter which filtering mode
  is configured.

NAT Mapping
After NAT mapping is enabled on a public network, it seems that all flows from a private network
come from the same IP address because hosts on the private network share the same public IP
address. When a host on the private network initiates a session request to a host on the public
network, the NAT device searches the NAT translation table for the related session record. If
the NAT device finds the session record, it translates the private IP address and port number and
forwards the request. If the NAT device does not find the session record, it translates the private
IP address and port number and meanwhile adds a session record to the NAT translation table.
NAT mapping includes the following modes:
• Endpoint-independent mapping: The NAT uses the same IP address and port mapping for
  packets sent from the same private IP address and port to any public IP address and port.
• Endpoint and port-dependent mapping: The NAT uses the same port mapping for packets
  sent from the same private IP address and port to the same public IP address and port if the
  mapping is still active.
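
The Figure 5-10 walk-through and the two mapping modes above, modelled as an added Python example (not Huawei code and not behaviour captured from a device). It shows which inbound datagrams each filtering mode admits once PC-1 has sent datagram 1. Assumptions: the class and function names are hypothetical, the model keeps the private port number when it is free and otherwise takes a spare port from 50000 upward, and entry aging is not modelled.

```python
from dataclasses import dataclass
from itertools import count

# Mode names follow the CLI keywords used in this guide.
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")
MAPPING_MODES = ("endpoint-independent", "endpoint-and-port-dependent")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Toy NAT device with one public IP address (hypothetical model)."""

    def __init__(self, public_ip, filter_mode="endpoint-and-port-dependent",
                 mapping_mode="endpoint-and-port-dependent"):
        if filter_mode not in FILTER_MODES or mapping_mode not in MAPPING_MODES:
            raise ValueError("unknown NAT mode")
        self.public_ip = public_ip
        self.filter_mode = filter_mode
        self.mapping_mode = mapping_mode
        self.by_flow = {}   # mapping key -> public port
        self.by_port = {}   # public port -> (private IP, private port)
        self.peers = {}     # public port -> {(remote IP, remote port)} contacted
        self._spare = count(50000)  # assumption: ports used when one is taken

    def _mapping_key(self, pkt):
        inside = (pkt.src_ip, pkt.src_port)
        if self.mapping_mode == "endpoint-independent":
            return inside                            # same mapping to any peer
        return inside + (pkt.dst_ip, pkt.dst_port)   # one mapping per peer

    def outbound(self, pkt):
        """Translate a private-to-public packet, adding a session record."""
        key = self._mapping_key(pkt)
        port = self.by_flow.get(key)
        if port is None:
            port = pkt.src_port          # keep the port, as in Figure 5-10
            while port in self.by_port:  # already taken: use a spare port
                port = next(self._spare)
            self.by_flow[key] = port
            self.by_port[port] = (pkt.src_ip, pkt.src_port)
        self.peers.setdefault(port, set()).add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet, or None when the filter drops it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.by_port:
            return None
        peers = self.peers[pkt.dst_port]
        if self.filter_mode == "endpoint-independent":
            allowed = True
        elif self.filter_mode == "endpoint-dependent":
            allowed = any(ip == pkt.src_ip for ip, _ in peers)
        else:
            allowed = (pkt.src_ip, pkt.src_port) in peers
        if not allowed:
            return None
        ip, port = self.by_port[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


# Packets from Figure 5-10.
DATAGRAM_1 = Packet("10.1.1.1", 1111, "202.1.10.1", 2222)
INBOUND = {
    "2'": Packet("202.1.20.1", 4444, "202.169.10.1", 1111),  # from PC-3
    "3'": Packet("202.1.10.1", 3333, "202.169.10.1", 1111),  # PC-2, other port
    "4'": Packet("202.1.10.1", 2222, "202.169.10.1", 1111),  # PC-2, same port
}


def admitted(filter_mode):
    """Datagrams of Figure 5-10 that reach PC-1 after it has sent datagram 1."""
    nat = NatDevice("202.169.10.1", filter_mode=filter_mode)
    nat.outbound(DATAGRAM_1)
    return [name for name, pkt in INBOUND.items()
            if nat.inbound(pkt) is not None]


def public_ports(mapping_mode):
    """Public ports that 10.1.1.1:1111 is given toward PC-2 and then PC-3."""
    nat = NatDevice("202.169.10.1", mapping_mode=mapping_mode)
    to_pc2 = nat.outbound(DATAGRAM_1)
    to_pc3 = nat.outbound(Packet("10.1.1.1", 1111, "202.1.20.1", 4444))
    return to_pc2.src_port, to_pc3.src_port


if __name__ == "__main__":
    for mode in FILTER_MODES:
        print(f"filter  {mode:28} admits {admitted(mode)}")
    for mode in MAPPING_MODES:
        print(f"mapping {mode:28} ports  {public_ports(mode)}")
```

With endpoint-independent filtering, any external host that learns the mapped address and port can reach PC-1, which is why the stricter default matters when a mapping is open.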

5.3 Applications
5.3.1 Private Network Hosts Accessing Public Network
Private IP addresses are planned for hosts on private networks for communities, schools, and
enterprises because public IP addresses are limited. In this case, the NAT technology can be
used to implement access from hosts on the private networks to public networks. As shown in
Figure 5-11, Easy IP is configured on the Router to enable the hosts on the private network to
access the server on the public network.

Figure 5-11 Networking diagram for private network hosts accessing public network servers
[Figure labels: Host A 192.168.1.1/24; Host B 192.168.1.2/24; Host C 192.168.1.3/24; Router; external network; Server 211.100.7.34/24]

5.3.2 Public Network Hosts Accessing Private Network Servers


On private networks, some servers such as web servers and FTP servers need to provide services
for public network users. NAT supports this application. As shown in Figure 5-12, the NAT
server is configured. That is, mapping between the public IP address and port number and the
private IP address and port number is defined. As a result, the host on the public network can
access the server on the private network using the mapping.
Figure 5-12 Networking diagram for public network hosts accessing private network servers
[Figure labels: Host A 192.168.1.1/24; Host B 192.168.1.2/24; Server 192.168.1.100/24; Router; external network; Host C; 211.138.7.94/24]

5.3.3 Private Network Hosts Accessing Private Network Servers Using the Domain Name
Hosts on a private network need to access a server on the same private network using the domain
name. The DNS server, however, is located on a public network. You can configure DNS
mapping to allow the private network hosts to access the DNS server. As shown in Figure
5-13, a DNS mapping table is configured to define mapping between the domain name, public
IP address, public port number, and protocol type. The public IP address carried in the DNS
response packet is replaced by the private IP address of the server on the private network. In this
manner, hosts on the private network can access the server using the domain name.
Figure 5-13 Networking diagram for private network hosts accessing private network servers using the domain name
[Figure labels: Host A 192.168.1.1/24; Host B 192.168.1.2/24; Web server 192.168.1.100/24, www.test.com; Router; external network; DNS server 210.33.5.1/24, www.test.com=211.65.3.1]

5.3.4 NAT Multi-instance


NAT multi-instance allows hosts that belong to different MPLS VPNs but have the same private
IP address to access a public network through the same egress device simultaneously. As shown
in Figure 5-14, host A and host B have the same private IP address, but they belong to different
VPNs. NAT associated with VPNs is enabled to differentiate the hosts in different VPNs. In this
manner, host A and host B can access the public network server simultaneously.

Figure 5-14 Networking diagram for NAT multi-instance
[Figure labels: Host A (VPN A, 192.168.1.1/24); Host B (VPN B, 192.168.1.1/24); Router; 211.65.3.1/24; external network; Server 210.33.5.1/24]

5.4 Configuration Tasks


As shown in Table 5-2, users can select NAT features based on usage scenarios and configure
the selected NAT features.

Table 5-2 NAT configuration tasks

Scenario: Internal hosts use private IP addresses to access external networks.
Description: Internal hosts of an enterprise use private IP addresses to communicate with each other, but cannot access external networks. Dynamic NAT translates the private IP address of a device to the public IP address and establishes a mapping between the private and public address. When the response packet reaches the device, the public IP address is translated to the private IP address and then forwarded to the host. In this way, internal users can access external networks.
Task: 5.6.1 Configuring Dynamic NAT

Scenario: Important internal hosts use fixed public IP addresses and interface numbers to communicate with external hosts.
Description: Dynamic NAT cannot use fixed public IP addresses and interface numbers to replace the private IP addresses and interface numbers. When some important hosts need to access the external network, they must use fixed public IP addresses and interface numbers. Dynamic NAT cannot meet this requirement. Static NAT sets up a fixed mapping between public and private IP addresses. A specific private IP address can be replaced only by the specified public IP address. In this way, the important hosts can access the external network using fixed public IP addresses.
Task: 5.6.2 Configuring Static NAT

Scenario: External users access internal servers.
Description: NAT can shield IP addresses of internal hosts. When the internal network needs to provide services such as web and FTP services for external users, internal servers must be accessible to external users at any time. The NAT server enables the internal servers to be accessible at any time. By configuring the mapping between the public and private IP addresses and between the public and private interface numbers, the NAT device can translate public IP addresses to private IP addresses.
Task: 5.6.3 Configuring an Internal NAT Server

5.5 Configuration Notes


• When configuring the NAT service on high-end LAN cards (8FE1GE and 24GE), run the
  set workmode lan-card l3centralize command to disable the routing and forwarding
  function. Then packets received on high-end LAN cards are all forwarded by the CPU of
  the forwarding plane so that the NAT configuration can take effect.
• When new NAT entries are added to an interface or existing NAT configuration on the
  interface is modified, run the reset nat session { all | transit interface interface-type
  interface-number } command to clear the session table. Then the NAT configuration takes
  effect on all session entries, including the entries that are not aged out.
• When interface A borrows the IP address of B1 to configure nat outbound, NAT functions
  normally. However, when interface A borrows the IP address of B2, you need to configure
  nat again to make the IP address take effect.
• The user network route (UNR) protocol is used to advertise the corresponding routing
  entries. If the number of routes on the device exceeds the upper limit, the UNR routing
  entries of NAT fail to be delivered and therefore the NAT function does not take effect.
  After the NAT configuration is complete, you are advised to run the display ip routing-table
  command to check whether the UNR routing entries of NAT exist. If the entries do
  not exist, you can delete useless routing entries so that the UNR routing entries of NAT are
  successfully delivered.

5.6 Configuring NAT


5.6.1 Configuring Dynamic NAT
Dynamic NAT allows dynamic establishment of the mapping between private and public IP
addresses so that internal users can access the external network.

5.6.1.1 Configuring ACL Rules


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An ACL with the specified number is created and the ACL view is displayed.
Step 3 Configure basic or advanced ACLs as required. For details, see rule (basic ACL view) or rule
(advanced ACL view).
NOTE

Only basic ACLs (2000 to 3999) and advanced ACLs can be used to configure the NAT function.
1. When permit is used in the ACL rule, the system uses the address pool to translate addresses for the
packets of which the source IP address is specified in the ACL rule.
2. When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect.
That is, the system searches routes for packets, but does not translate addresses.

----End

5.6.1.2 Configuring Outbound NAT


Context
The address pool used by outbound NAT stores a set of public IP addresses used by dynamic
NAT. When dynamic NAT is performed, an address in the address pool is selected for NAT
address translation.
To access external networks through dynamic NAT, internal users can choose one of the
following modes based on their public IP address plan:
• After users configure the IP address of outbound ports and other applications on the NAT
  device, there are still some available public IP addresses. Users can choose outbound NAT
  with an address pool.
• After users configure the IP address of outbound ports on the NAT device and other
  applications, there are no available public IP addresses. Users can choose Easy IP that uses
  the IP address of outbound ports on the NAT device to implement dynamic NAT.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Configure outbound NAT. Users can choose one of the following configuration methods based
on actual situations:
• Configure outbound NAT with an address pool.
  1. Run:
     nat address-group group-index start-address end-address

     A public address pool is configured.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
  3. Run:
     nat outbound acl-number [ address-group group-index [ no-pat ] | interface interface-type interface-number ]

     Outbound NAT that references an address pool is configured.
• Configure Easy IP without an address pool.
  1. Run:
     interface interface-type interface-number

     The interface view is displayed.
  2. Run:
     nat outbound acl-number

     Easy IP is configured.
----End

5.6.1.3 (Optional) Enabling NAT ALG


Context
Generally, NAT translates only the IP address in the IP packet header and the interface number
in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the IP address
or interface number in the Data field. Such content cannot be translated using NAT. Therefore,
communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP address
or interface number in the Data field, and translate addresses based on the mapping table. In this
way, packets can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP
and RTSP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.


By default, the NAT ALG function is disabled.
Step 3 (Optional) Run:
port-mapping { dns | ftp | sip | rtsp } port port-number acl acl-number

The port mapping is configured.


Run the port-mapping command to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.
----End

5.6.1.4 (Optional) Configuring NAT Filtering and NAT Mapping


Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP proxy.
SIP proxy is a multi-channel application and needs to create multiple data channels to implement
its function. To ensure connection of multiple data channels, NAT filtering and NAT mapping
must be configured to allow only packets that meet the filtering and mapping conditions to pass
through.
The device supports the following NAT mapping types:
• Endpoint-and-port-independent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to any external IP
  address and port.
• Endpoint-and-port-dependent mapping: The NAT reuses the interface mapping for
  subsequent packets sent from the same internal IP address and interface to the same external
  IP address and interface while the mapping is still active.

The device supports the following NAT filtering types:
• Endpoint-and-port-independent filtering
• Endpoint-dependent and port-independent filtering
• Endpoint-and-port-dependent filtering
NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.


The default NAT mapping mode is endpoint-and-port-dependent.
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.


The default NAT filtering mode is endpoint-and-port-dependent.
----End

5.6.1.5 (Optional) Configuring Twice NAT


Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
• An overlapping address pool specifies which internal IP addresses can overlap with public
  IP addresses. Twice NAT is performed only on the addresses in the overlapping address
  pool.
• A temporary address pool specifies which temporary IP addresses can replace addresses in
  the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE

• A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
  address pool.
• When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
  deleted.

----End

5.6.1.6 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the router performs address translation. The logs record the
original source IP addresses, source ports, destination IP addresses, destination ports, and
translated source IP addresses and source ports, as well as user actions and time stamps. You
can view NAT logs to learn which users have accessed a network using NAT.
The router can send NAT logs to a specified log host, as shown in Figure 5-15.

Figure 5-15 Sending NAT logs to a specified log host
[Figure labels: Host; NAT device; Internet; NAT logs; log server]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 Run the following command to output logs to the information center log host or session log host:
• Output logs to the information center log host
  1. Run:
     info-center enable

     The information center is enabled.
  2. Run:
     info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | { vpn-instance vpn-instance-name | public-net } ] *

     The channel through which logs are output to the log host is configured.
     The router supports a maximum of eight log hosts to implement backup among log
     hosts.
     NOTE

     For details on how to configure the router to send logs to a log host, see Example for Outputting
     Log Information to a Log Host in "Information Center Configuration" of the Huawei
     AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Device
     Management.

• Output logs to the session log host
  Run:
  firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

  A session log host is configured.


By default, no session log host is configured.


----End

5.6.1.7 (Optional) Configuring the Aging Time of NAT Mapping Entries


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120 seconds
for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20 seconds
for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP, 1800 seconds
for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, and 120 seconds for RTSP-media.
----End

5.6.1.8 Checking the Configuration


Procedure
• Run the display nat address-group [ group-index ] [ verbose ] command to check the
  configuration of a NAT address pool.
• Run the display nat outbound [ acl acl-number | address-group group-index |
  interface interface-type interface-number [ .subnumber ] ] command to check the
  configuration of outbound NAT.
• Run the display nat alg command to check the NAT ALG configuration.
• Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check the configuration of twice NAT.
• Run the display firewall-nat session aging-time command to check the aging time of NAT
  mapping entries.
• Run the display nat filter-mode command to check the current NAT filtering mode.
• Run the display nat mapping-mode command to check the NAT mapping mode.
• Run the display nat mapping table { all | number } or display nat mapping table
  inside-address ip-address protocol protocol-name port port-number [ vpn-instance
  vpn-instance-name ] command to check the NAT table information or the number of entries in
  the NAT table.

----End
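
One way to review a saved configuration offline against the notes and defaults in 5.6.1.1 to 5.6.1.6, as an added Python example (not Huawei code or a Huawei tool). Assumptions: the configuration text shows commands in the form in which this guide enters them, with sub-view commands indented; the sample configuration, function names and finding codes are constructed for illustration.

```python
import re

ACL_RE = re.compile(r"acl (?:number )?(\d+)(?: match-order (?:auto|config))?")
RULE_RE = re.compile(r"rule (?:\d+ )?(permit|deny)\b")
OUTBOUND_RE = re.compile(r"nat outbound (\d+)\b")
DEFAULT_FILTER = "endpoint-and-port-dependent"   # default stated in 5.6.1.4
LOG_SWITCHES = {"firewall log session enable", "firewall log session nat enable"}
LOG_HOST_PREFIXES = ("info-center loghost ", "firewall log binary-log host ")

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
acl number 2001
 rule 5 deny source 192.168.2.0 0.0.0.255
nat address-group 1 202.169.10.1 202.169.10.10
nat filter-mode endpoint-independent
firewall log session enable
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1
interface GigabitEthernet0/0/2
 nat outbound 2001
 nat outbound 2999
"""


def parse(config):
    """Collect ACL rule actions, nat outbound references and top-level lines."""
    acls, outbound, top = {}, [], []
    acl = ifname = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():             # unindented line: a new view begins
            top.append(line)
            m = ACL_RE.fullmatch(line)
            acl = int(m.group(1)) if m else None
            ifname = line.split()[1] if line.startswith("interface ") else None
            if acl is not None:
                acls.setdefault(acl, [])
            continue
        m = RULE_RE.match(line)
        if m and acl is not None:
            acls[acl].append(m.group(1))
        m = OUTBOUND_RE.match(line)
        if m and ifname is not None:
            outbound.append((ifname, int(m.group(1))))
    return acls, outbound, top


def audit(config):
    """Return (code, detail) findings for NAT settings this guide describes."""
    acls, outbound, top = parse(config)
    findings = []
    for ifname, acl in outbound:
        if not 2000 <= acl <= 3999:          # range given in the 5.6.1.1 note
            findings.append(("ACL_RANGE", f"{ifname}: ACL {acl} not usable for NAT"))
        elif acl not in acls:
            findings.append(("ACL_MISSING", f"{ifname}: ACL {acl} is not defined"))
        elif "permit" not in acls[acl]:
            # Without a permit rule, packets are routed but not translated.
            findings.append(("ACL_NO_PERMIT", f"{ifname}: ACL {acl} has no permit rule"))
    mode = next((line.split()[2] for line in top
                 if line.startswith("nat filter-mode ")), DEFAULT_FILTER)
    if mode != DEFAULT_FILTER:
        findings.append(("FILTER_MODE",
                         f"{mode} admits more inbound traffic than the default"))
    if not LOG_SWITCHES <= set(top):
        findings.append(("NAT_LOG_OFF", "NAT session logging is not fully enabled"))
    elif not any(line.startswith(LOG_HOST_PREFIXES) for line in top):
        findings.append(("NAT_LOG_NO_HOST", "NAT logs have no log host configured"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:16} {detail}")
```

NAT session logs are what tie a translated public address and port back to an internal host, so the logging findings matter for later incident investigation.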

5.6.2 Configuring Static NAT


Static NAT implements one-to-one translation between a private network address and a public
network address.

5.6.2.1 Configuring Static Address Mapping


Procedure
Step 1 You can configure static address mapping as follows:
• Configuring static address mapping in the interface view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run:
     interface interface-type interface-number

     The interface view is displayed.
  3. Run one of the following commands as required:
     • nat static protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
     • nat static protocol { tcp | udp } global interface interface-type interface-number global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]
     • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ acl acl-number ] [ description description ]

• Configuring static address mapping in the system view:
  1. Run:
     system-view

     The system view is displayed.
  2. Run one of the following commands as required:
     • nat static protocol { tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
     • nat static protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
     • nat static [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | interface loopback interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description description ]
  3. Run:
     interface interface-type interface-number

     The interface view is displayed.
  4. Run:
     nat static enable

     Static NAT is enabled on the interface.


NOTE

• To specify a global VPN, you are advised to configure static NAT in the interface view. Then the device
  can automatically obtain information about the VPN instance associated with the interface, and you
  do not need to manually specify the VPN instance at the public network side (global). To associate
  static NAT with a global VPN in the system view, you can specify a loopback interface as the outbound
  interface at the public network side, and then specify a VPN instance.
• When configuring static NAT, ensure that global-address and host-address are different from IP
  addresses of interfaces and IP addresses in the user address pool.
• If you run the undo nat static command, static mapping entries are not immediately deleted. To clear
  static mapping entries, run the reset nat session command.
• You are advised to use the second method if multiple interfaces use the same static NAT mapping.
• When you configure static one-to-one NAT that borrows an interface IP address (no interface number
  is specified and the IP address is mapped to a private network address), other services enabled on the
  interface may become unavailable. Confirm your action before performing the configuration. If you
  want to enable other applications on the interface, add an ACL rule after the configuration to filter out
  the number of the interface on which the applications are enabled.

----End

5.6.2.2 (Optional) Enabling NAT ALG


Context
Generally, NAT translates only the IP address in the IP packet header and the interface number
in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the IP address
or interface number in the Data field. Such content cannot be translated using NAT. Therefore,
communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP address
or interface number in the Data field, and translate addresses based on the mapping table. In this
way, packets can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP
and RTSP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.


By default, the NAT ALG function is disabled.
Step 3 (Optional) Run:
port-mapping { dns | ftp | sip | rtsp } port port-number acl acl-number

The port mapping is configured.


Run the port-mapping command to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.
----End

5.6.2.3 (Optional) Configuring DNS Mapping


Context
If an enterprise has no internal DNS server but needs to access internal servers using the domain
name, internal users of the enterprise must use DNS servers on external networks.
Internal users can use the external DNS server to access an external server by performing NAT;
however, internal users cannot use the external DNS server to access an internal server because
the IP address resolved by the external DNS server is not the real private IP address of the internal
server.
When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public interface number, and protocol type.
When receiving a DNS resolution packet, the NAT device searches for the private IP address
mapped to the public address in the mapping entry. The NAT device then replaces the address
resolved by the DNS server with the private IP address and forwards the resolution result to
users.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat dns-map domain-name global-address global-port protocol-name

A mapping from a domain name to a public IP address, an interface number, and a protocol type
is configured.
NOTE

After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG DNS
function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function is
disabled, internal hosts cannot access internal servers using the domain name.

----End

5.6.2.4 (Optional) Configuring NAT Filtering and NAT Mapping


Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP proxy.
SIP proxy is a multi-channel application and needs to create multiple data channels to implement
its function. To ensure connection of multiple data channels, NAT filtering and NAT mapping
must be configured to allow only packets that meet the filtering and mapping conditions to pass
through.
The device supports the following NAT mapping types:
- Endpoint-and-port-independent mapping: The NAT reuses the port mapping for
  subsequent packets sent from the same internal IP address and port to any external IP
  address and port.
- Endpoint-and-port-dependent mapping: The NAT reuses the port mapping for
  subsequent packets sent from the same internal IP address and port to the same external
  IP address and port while the mapping is still active.

The device supports the following NAT filtering types:


- Endpoint-and-port-independent filtering
- Endpoint-dependent and port-independent filtering
- Endpoint-and-port-dependent filtering

NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.


The default NAT mapping mode is endpoint-and-port-dependent.
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.


The default NAT filtering mode is endpoint-and-port-dependent.
----End

5.6.2.5 (Optional) Configuring Twice NAT


Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
- An overlapping address pool specifies which internal IP addresses can overlap with public
  IP addresses. Twice NAT is performed only on the addresses in the overlapping address
  pool.
- A temporary address pool specifies which temporary IP addresses can replace addresses in
  the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE

- A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
  address pool.
- When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
  deleted.

----End

5.6.2.6 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the router performs address translation. The logs record the
original source IP addresses, source ports, destination IP addresses, destination ports, and
translated source IP addresses and source ports, as well as user actions and time stamps. You
can view NAT logs to learn about users who have accessed a network using NAT.
The router can send NAT logs to a specified log host, as shown in Figure 5-16.
Figure 5-16 Sending NAT logs to a specified log host
[Figure: Host, NAT Device, Internet, and Log Server; NAT logs are sent to the Log Server.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 Run the following command to output logs to the information center log host or session log host:
- Output logs to the information center log host
  1. Run:
     info-center enable

     The information center is enabled.

  2. Run:
     info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | { vpn-instance vpn-instance-name | public-net } ] *

     The channel through which logs are output to the log host is configured.
     The router supports a maximum of eight log hosts to implement backup among log hosts.

     NOTE
     For details on how to configure the router to send logs to a log host, see Example for Outputting
     Log Information to a Log Host in "Information Center Configuration" of the Huawei
     AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Device
     Management.

- Output logs to the session log host
  Run:
  firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

  A session log host is configured.

  By default, no session log host is configured.
----End

5.6.2.7 (Optional) Configuring the Aging Time of NAT Mapping Entries


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120 seconds
for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20 seconds
for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP, 1800 seconds
for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, and 120 seconds for RTSP-media.
----End

5.6.2.8 Checking the Configuration


Procedure
- Run the display nat alg command to check the NAT ALG configuration.
- Run the display nat dns-map [ domain-name ] command to check the configuration of
  DNS mapping.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check the configuration of twice NAT.
- Run the display firewall-nat session aging-time command to check the aging time of NAT
  mapping entries.
- Run the display nat static [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-name | acl acl-number ] command
  to check the configuration of static NAT.
- Run the display nat filter-mode command to check the current NAT filtering mode.
- Run the display nat mapping-mode command to check the NAT mapping mode.
- Run the display nat mapping table { all | number } or display nat mapping table
  inside-address ip-address protocol protocol-name port port-number [ vpn-instance
  vpn-instance-name ] command to check the NAT table information or the number of entries in
  the NAT table.
- Run the display nat static interface enable command to check whether the static NAT
  function is enabled.

----End

5.6.3 Configuring an Internal NAT Server


An internal NAT server allows external users to access internal servers.

5.6.3.1 Configuring Internal NAT Server


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run one of the following commands to configure an internal NAT server:
- nat server protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- nat server protocol { tcp | udp } global interface interface-type interface-number global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- nat server [ protocol { protocol-number | icmp | tcp | udp } ] global { global-address | current-interface | interface interface-type interface-number } inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
NOTE

- When configuring an internal NAT server, ensure that global-address and host-address are different
  from IP addresses of ports and IP addresses in the user address pool.
- You can use the IP address of current-interface or loopback as the internal server's IP address.
- The undo nat server command does not delete mapping entries immediately. You can run the reset
  nat session command to delete mapping entries.
- Compared with static NAT, NAT Server translates only the IP address, but not the port number, when
  the private network proactively accesses the public network.
- When you configure one-to-one NAT Server that borrows an interface IP address (no interface number
  is specified and the IP address is mapped to a private network address), other services enabled on the
  interface may become unavailable. Confirm your action before performing the configuration. If you
  want to enable other applications on the interface, add an ACL rule after the configuration to filter out
  the number of the interface on which the applications are enabled.

----End

5.6.3.2 (Optional) Enabling NAT ALG


Context
Generally, NAT translates only the IP address in the IP packet header and the port number
in the TCP/UDP header. Packets of some protocols such as DNS and FTP contain the IP address
or port number in the Data field. Such content cannot be translated using NAT. Therefore,
communication between internal and external networks will fail.
The application level gateway (ALG) function enables the NAT device to identify the IP address
or port number in the Data field, and translate addresses based on the mapping table. In this
way, packets can traverse NAT devices. Currently, the ALG function supports DNS, FTP, SIP
and RTSP.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat alg { all | protocol-name } enable

The NAT ALG function for specified application protocols is enabled.


By default, the NAT ALG function is disabled.
Step 3 (Optional) Run:
port-mapping { dns | ftp | sip | rtsp } port port-number acl acl-number

The port mapping is configured.


Run the port-mapping command to configure port mapping when the application protocol that
is enabled with the NAT ALG function uses a non-well-known port number, namely a non-default port number.
----End

5.6.3.3 (Optional) Configuring DNS Mapping


Context
If an enterprise has no internal DNS server but needs to access internal servers using the domain
name, internal users of the enterprise must use DNS servers on external networks.
Internal users can use the external DNS server to access an external server by performing NAT;
however, internal users cannot use the external DNS server to access an internal server because
the IP address resolved by the external DNS server is not the real private IP address of the internal
server.
When configuring static NAT and DNS mapping at the same time, you can create a mapping
entry containing the domain name, public IP address, public port number, and protocol type.
When receiving a DNS resolution packet, the NAT device searches for the private IP address
mapped to the public address in the mapping entry. The NAT device then replaces the address
resolved by the DNS server with the private IP address and forwards the resolution result to
users.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat dns-map domain-name global-address global-port protocol-name

A mapping from a domain name to a public IP address, a port number, and a protocol type
is configured.
NOTE

After DNS mapping is configured, the nat alg dns enable command must be run to enable the ALG DNS
function. In this way, DNS response packets can traverse NAT devices. If the ALG DNS function is
disabled, internal hosts cannot access internal servers using the domain name.

----End

5.6.3.4 (Optional) Configuring NAT Filtering and NAT Mapping


Context
NAT conserves IPv4 addresses and improves network security. Different vendors provide
different NAT features. As a result, applications using STUN, TURN, and ICE technologies
may fail to traverse NAT devices because these technologies are implemented using SIP proxy.
SIP proxy is a multi-channel application and needs to create multiple data channels to implement
its function. To ensure connection of multiple data channels, NAT filtering and NAT mapping
must be configured to allow only packets that meet the filtering and mapping conditions to pass
through.
The device supports the following NAT mapping types:
- Endpoint-and-port-independent mapping: The NAT reuses the port mapping for
  subsequent packets sent from the same internal IP address and port to any external IP
  address and port.
- Endpoint-and-port-dependent mapping: The NAT reuses the port mapping for
  subsequent packets sent from the same internal IP address and port to the same external
  IP address and port while the mapping is still active.

The device supports the following NAT filtering types:


- Endpoint-and-port-independent filtering
- Endpoint-dependent and port-independent filtering
- Endpoint-and-port-dependent filtering

NOTE

Configure endpoint-and-port-dependent NAT mapping and filtering to enable SIP proxy to traverse NAT
devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat mapping-mode endpoint-independent [ protocol-name [ dest-port port-number ] ]

The NAT mapping mode is configured.


The default NAT mapping mode is endpoint-and-port-dependent.
Step 3 Run:
nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port-dependent }

The NAT filtering mode is configured.


The default NAT filtering mode is endpoint-and-port-dependent.
----End
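
How the mapping and filtering types listed above (and in the same list under static NAT) differ in practice, as an added Python model that is not the router's implementation or code from this guide. The mode names follow the nat mapping-mode and nat filter-mode keywords; the class name, the port range starting at 20000 and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

MAPPING_MODES = ("endpoint-independent", "endpoint-and-port-dependent")
FILTER_MODES = ("endpoint-independent", "endpoint-dependent",
                "endpoint-and-port-dependent")


@dataclass
class NatModel:
    """Toy model of one NAT device; endpoints are (ip, port) tuples."""
    public_ip: str
    mapping_mode: str = "endpoint-and-port-dependent"   # default per the guide
    filter_mode: str = "endpoint-and-port-dependent"    # default per the guide
    _next_port: count = field(default_factory=lambda: count(20000), init=False)
    _mappings: dict = field(default_factory=dict, init=False)  # key -> public port
    _owner: dict = field(default_factory=dict, init=False)     # public port -> inside endpoint
    _peers: dict = field(default_factory=dict, init=False)     # public port -> contacted endpoints

    def __post_init__(self):
        if self.mapping_mode not in MAPPING_MODES:
            raise ValueError(f"unknown mapping mode: {self.mapping_mode}")
        if self.filter_mode not in FILTER_MODES:
            raise ValueError(f"unknown filter mode: {self.filter_mode}")

    def outbound(self, inside, remote):
        """Translate an outbound packet; return the public (ip, port) it leaves with."""
        # Independent mapping keys on the inside endpoint only, so one public
        # port is reused for every destination. Dependent mapping also keys on
        # the destination, so each new destination gets a new public port.
        key = inside if self.mapping_mode == "endpoint-independent" else (inside, remote)
        if key not in self._mappings:
            port = next(self._next_port)
            self._mappings[key] = port
            self._owner[port] = inside
            self._peers[port] = set()
        port = self._mappings[key]
        self._peers[port].add(remote)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the inside endpoint an inbound packet is forwarded to, or None if dropped."""
        if public_port not in self._owner:
            return None                                  # no active mapping on this port
        peers = self._peers[public_port]
        if self.filter_mode == "endpoint-independent":
            allowed = True                               # any remote address and port
        elif self.filter_mode == "endpoint-dependent":
            allowed = remote[0] in {ip for ip, _ in peers}   # contacted address, any port
        else:
            allowed = remote in peers                    # exact contacted address and port
        return self._owner[public_port] if allowed else None


def compare_modes():
    """Run one constructed scenario under every mapping/filtering combination."""
    client = ("192.168.20.10", 5060)          # inside host
    peer = ("203.0.113.10", 5060)             # remote endpoint the client contacts
    peer_other_port = ("203.0.113.10", 40000) # same remote host, different source port
    stranger = ("198.51.100.7", 40000)        # host the client never contacted
    results = {}
    for mapping in MAPPING_MODES:
        for filtering in FILTER_MODES:
            nat = NatModel("202.169.10.1", mapping, filtering)
            _, port = nat.outbound(client, peer)
            _, port2 = nat.outbound(client, ("203.0.113.20", 5060))
            results[(mapping, filtering)] = {
                "port_reused": port == port2,
                "peer_other_port_in": nat.inbound(peer_other_port, port) == client,
                "stranger_in": nat.inbound(stranger, port) == client,
            }
    return results


if __name__ == "__main__":
    for modes, outcome in compare_modes().items():
        print(modes, outcome)
```

Only endpoint-independent filtering lets the never-contacted host through an open mapping, which is the exposure to weigh when relaxing the default.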

5.6.3.5 (Optional) Configuring Twice NAT


Context
If the external addresses of internal hosts overlap with addresses of external hosts, twice NAT
can be configured. The overlapping addresses are replaced with temporary addresses and then
translated by NAT so that the internal and external hosts can access each other.
- An overlapping address pool specifies which internal IP addresses can overlap with public
  IP addresses. Twice NAT is performed only on the addresses in the overlapping address
  pool.
- A temporary address pool specifies which temporary IP addresses can replace addresses in
  the overlapping address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

The mapping between the overlapping address pool and the temporary address pool is
configured.
NOTE

- A maximum of 255 addresses can be configured in the overlapping address pool and the temporary
  address pool.
- When the VPN instance specified in the command is deleted, the configuration of twice NAT is also
  deleted.

----End

5.6.3.6 (Optional) Configuring NAT Log Output


Context
NAT logs are generated when the router performs address translation. The logs record the
original source IP addresses, source ports, destination IP addresses, destination ports, and
translated source IP addresses and source ports, as well as user actions and time stamps. You
can view NAT logs to learn about users who have accessed a network using NAT.
The router can send NAT logs to a specified log host, as shown in Figure 5-17.

Figure 5-17 Sending NAT logs to a specified log host
[Figure: Host, NAT Device, Internet, and Log Server; NAT logs are sent to the Log Server.]

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall log session enable

The firewall log function is enabled.


Step 3 Run:
firewall log session nat enable

The NAT session log function is enabled.


Step 4 Run the following command to output logs to the information center log host or session log host:
- Output logs to the information center log host
  1. Run:
     info-center enable

     The information center is enabled.

  2. Run:
     info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-number | { language language-name | binary [ port ] } | { vpn-instance vpn-instance-name | public-net } ] *

     The channel through which logs are output to the log host is configured.
     The router supports a maximum of eight log hosts to implement backup among log hosts.

     NOTE
     For details on how to configure the router to send logs to a log host, see Example for Outputting
     Log Information to a Log Host in "Information Center Configuration" of the Huawei
     AR150&200&1200&2200&3200 Series Enterprise Routers Configuration Guide - Device
     Management.

- Output logs to the session log host
  Run:
  firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

  A session log host is configured.


By default, no session log host is configured.


----End

5.6.3.7 (Optional) Configuring the Aging Time of NAT Mapping Entries


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value

The aging time of NAT mapping entries is configured.


By default, the aging time of NAT mapping entries for each protocol is as follows: 120 seconds
for DNS, 120 seconds for FTP, 120 seconds for FTP-data, 120 seconds for HTTP, 20 seconds
for ICMP, 600 seconds for TCP, 10 seconds for TCP-proxy, 120 seconds for UDP, 1800 seconds
for SIP, 120 seconds for SIP-media, 60 seconds for RTSP, and 120 seconds for RTSP-media.
----End

5.6.3.8 Checking the Configuration


Procedure
- Run the display nat server [ global global-address | inside host-address [ vpn-instance
  vpn-instance-name ] | interface interface-type interface-number | acl acl-number ]
  command to check the configuration of the NAT server.
- Run the display nat alg command to check the NAT ALG configuration.
- Run the display nat dns-map [ domain-name ] command to check the configuration of
  DNS mapping.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance
  inside-vpn-instance-name } command to check the configuration of twice NAT.
- Run the display firewall-nat session aging-time command to check the aging time of NAT
  mapping entries.
- Run the display nat filter-mode command to check the current NAT filtering mode.
- Run the display nat mapping-mode command to check the NAT mapping mode.
- Run the display nat mapping table { all | number } or display nat mapping table
  inside-address ip-address protocol protocol-name port port-number [ vpn-instance
  vpn-instance-name ] command to check the NAT table information or the number of entries in
  the NAT table.

----End

5.7 Maintaining NAT


You can clear and monitor NAT mapping entries.

5.7.1 Clearing NAT Mapping Entries


Context
NOTE

The cleared entries cannot be restored; therefore, confirm the action before you use the command.

Procedure
- After confirming that you want to clear NAT mapping entries, run the reset nat session { all |
  transit interface interface-type interface-number } command in the system view.

----End

5.7.2 Monitoring NAT Mapping Entries


Procedure
- Run the display nat session { all [ verbose ] | number } or display nat session
  { protocol { protocol-name | protocol-number } | source source-address [ source-port ] |
  destination destination-address [ destination-port ] }* [ verbose ] command to display
  information about entries in the NAT mapping table.

----End

5.8 Configuration Examples


This section provides several NAT configuration examples to help you configure the NAT
function in actual scenarios.

5.8.1 Example for Configuring Dynamic NAT


Networking Requirements
As shown in Figure 5-18, private network users in Area A and Area B of a company connect
to the Internet. The public IP address of GigabitEthernet3/0/0 on the router is 202.169.10.1/24.
The IP address of the carrier device connected to the router is 202.169.10.2/24. Users in Area
A want to use addresses in the public address pool (202.169.10.100 to 202.169.10.200) to replace
IP addresses (192.168.20.0/24) of hosts in Area A in NAT mode to access the Internet. Users in
Area B want to use addresses in the public address pool (202.169.10.80 to 202.169.10.83) to
replace IP addresses (10.0.0.0/24) of hosts in Area B to access the Internet.

Figure 5-18 Networking diagram for configuring dynamic NAT
[Figure: Area A (PC 1...PC n, 192.168.20.0/24) connects to Router Eth2/0/0 (VLAN 100); Area B
(PC 1...PC n, 10.0.0.0/24) connects to Router Eth2/0/1 (VLAN 200); Router GE3/0/0
(202.169.10.1/24) connects to the carrier device (202.169.10.2/24) and the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for ports, default route, and outbound NAT on the WAN interface
   to allow internal hosts to access external networks.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] quit

Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Configure outbound NAT on the router.


[Router] nat address-group 1 202.169.10.100 202.169.10.200
[Router] nat address-group 2 202.169.10.80 202.169.10.83
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] acl 2001
[Router-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] nat outbound 2000 address-group 1 no-pat
[Router-GigabitEthernet3/0/0] nat outbound 2001 address-group 2
[Router-GigabitEthernet3/0/0] quit
[Router] ip soft-forward enhance enable
NOTE

To run the ping -a source-ip-address command that has a source IP address specified on the router to verify that
intranet users can access the Internet, you need to run the ip soft-forward enhance enable command to enable
the enhanced forwarding function for control packets generated by the device so that the private source IP
addresses can be translated into public IP addresses by the NAT function.

Step 4 Check the configuration.


# Run the display nat outbound command on the router to check the address translation result.
<Router> display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface                 Acl    Address-group/IP/Interface  Type
 -----------------------------------------------------------------
 GigabitEthernet3/0/0      2000   1                           no-pat
 GigabitEthernet3/0/0      2001   2                           pat
 -----------------------------------------------------------------
 Total : 2

# Run the ping command on the router to verify that users on the internal network can access
the Internet.
<Router> ping -a 192.168.20.1 202.169.10.2
  PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 202.169.10.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms
<Router> ping -a 10.0.0.1 202.169.10.2
  PING 202.169.10.2: 56 data bytes, press CTRL_C to break
    Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 202.169.10.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
ip soft-forward enhance enable
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet3/0/0
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
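
A review check for the configuration file above, as an added Python sketch that is not a Huawei tool or part of this guide. It assumes that a no-pat binding translates addresses one-to-one without port translation, so each inside host occupies one pool address while its mapping is active; the function names are assumptions.

```python
import ipaddress
import re

# NAT-related lines from the guide's configuration file for this example.
CONFIG = """\
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
interface GigabitEthernet3/0/0
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
#
"""


def wildcard_hosts(wildcard):
    """Usable host addresses matched by an ACL wildcard (inverse mask)."""
    bits = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    matched = 2 ** bin(bits).count("1")
    # Drop the network and broadcast addresses for anything larger than a /31.
    return matched - 2 if matched > 2 else matched


def audit_nat_outbound(config):
    """Return one record per `nat outbound` binding, flagging no-pat pools that can run out."""
    acl_hosts, pools, bindings = {}, {}, []
    acl = interface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                                   # section separator
            acl = interface = None
        elif m := re.fullmatch(r"acl number (\d+)", line):
            acl = int(m[1])
            acl_hosts.setdefault(acl, 0)
        elif (m := re.fullmatch(r"rule \d+ permit source (\S+) (\S+)", line)) and acl is not None:
            acl_hosts[acl] += wildcard_hosts(m[2])
        elif m := re.fullmatch(r"nat address-group (\d+) (\S+) (\S+)", line):
            first, last = (int(ipaddress.IPv4Address(a)) for a in (m[2], m[3]))
            pools[int(m[1])] = last - first + 1
        elif m := re.fullmatch(r"interface (\S+)", line):
            interface = m[1]
        elif m := re.fullmatch(r"nat outbound (\d+) address-group (\d+)( no-pat)?", line):
            bindings.append({"interface": interface, "acl": int(m[1]),
                             "group": int(m[2]), "mode": "no-pat" if m[3] else "pat"})
    for b in bindings:                                    # resolve after the full parse
        b["hosts"] = acl_hosts.get(b["acl"])
        b["pool_size"] = pools.get(b["group"])
        known = b["hosts"] is not None and b["pool_size"] is not None
        # Without port translation each inside host holds one public address,
        # so a pool smaller than the permitted host range can be exhausted.
        b["exhaustible"] = (b["mode"] == "no-pat" and b["hosts"] > b["pool_size"]) if known else None
    return bindings


if __name__ == "__main__":
    for binding in audit_nat_outbound(CONFIG):
        print(binding)
```

For this file the check reports that Area A's no-pat binding offers 101 public addresses to a range of 254 hosts, while Area B's four-address pool is not flagged because it uses port translation.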

5.8.2 Example for Configuring Static One-to-One NAT


Networking Requirements
As shown in Figure 5-19, the IP address of outbound interface GE2/0/0 on the router is
202.10.1.2/24 and the LAN gateway address is 192.168.0.1/24. The IP address of the carrier
device connected to the router is 202.10.1.1/24. The private IP address of the host is
192.168.0.2/24 and the fixed IP address the host needs to use is 202.10.1.3/24. In this case, the
private IP address of this company must be translated to a public IP address to allow the host to
access the WAN.

Figure 5-19 Networking diagram for configuring static one-to-one NAT
[Figure: Host (192.168.0.2/24) connects to Router GE1/0/0 (192.168.0.1/24); Router GE2/0/0
(202.10.1.2/24) connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of ports, default route, and static NAT on the WAN interface to
   implement one-to-one translation between a private IP address and a public IP address.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 202.10.1.2 24
[Router-GigabitEthernet2/0/0] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 192.168.0.1 24
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure a default route with next hop address 202.10.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1

Step 3 Configure one-to-one NAT mapping on uplink interface GE2/0/0 on the router.
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] nat static global 202.10.1.3 inside 192.168.0.2
[Router-GigabitEthernet2/0/0] quit

Step 4 Check the configuration.


Run the display nat static command on the router to check the mapping between address pools.
<Router> display nat static
  Static Nat Information:
  Interface  : GigabitEthernet2/0/0
    Global IP/Port     : 202.10.1.3/----
    Inside IP/Port     : 192.168.0.2/----
    Protocol : ----
    VPN instance-name  : ----
    Acl number         : ----
    Netmask  : 255.255.255.255
    Description : ----
  Total :

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 202.10.1.2 255.255.255.0
nat static global 202.10.1.3 inside 192.168.0.2 netmask 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return

5.8.3 Example for Configuring an Internal NAT Server


Networking Requirements
As shown in Figure 5-20, the network of a company provides the WWW server and FTP server
for external network users to access the internal network. The web server uses private IP address
192.168.20.2/24, port 8080, and public address 202.169.10.5/24. The private IP address of the
FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24. The IP address of the carrier
device connected to the router is 202.169.10.2/24. In this case, the NAT function of the router
enables the internal network of the company to connect to the Internet.
Figure 5-20 Networking diagram for configuring an internal NAT server
[Figure: WWW server (192.168.20.2/24:8080) connects to Router Eth2/0/0; FTP server (10.0.0.3/24)
connects to Router Eth2/0/1; Router GE3/0/0 connects to the Internet and the external user.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for ports on the router and configure a NAT server on
   GigabitEthernet 3/0/0 to allow external users to access internal servers.
2. Configure a default route on the router.
3. Enable the FTP NAT ALG function to allow external FTP packets to traverse the NAT
   server.

Procedure
Step 1 Configure an IP address for the ports on the router and configure a NAT server.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 192.168.20.1 24
[Router-Vlanif100] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 100
[Router-Ethernet2/0/0] quit
[Router] vlan 200
[Router-vlan200] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.0.0.1 24
[Router-Vlanif200] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 200
[Router-Ethernet2/0/1] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 202.169.10.1 24
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[Router-GigabitEthernet3/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
[Router-GigabitEthernet3/0/0] quit

Step 2 Configure a default route with next hop address 202.169.10.2 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 3 Enable the NAT ALG function for FTP packets on the router.
[Router] nat alg ftp enable

Step 4 Check the configuration


# Run the display nat server command on the router. The command output is as follows:
<Router> display nat server
Nat Server Information:
Interface : gigabitethernet 3/0/0
  Global IP/Port : 202.169.10.5/80(www)
  Inside IP/Port : 192.168.20.2/8080
  Protocol : 6(tcp)
  VPN instance-name : ----
  Acl number : ----
  Description : ----

  Global IP/Port : 202.169.10.33/21(ftp)
  Inside IP/Port : 10.0.0.3/21(ftp)
  Protocol : 6(tcp)
  VPN instance-name : ----
  Acl number : ----
  Description : ----
Total :

# Run the display nat alg command on the router. The command output is as follows:
<Router> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application            Status
----------------------------------
dns                    Disabled
ftp                    Enabled
rtsp                   Disabled
sip                    Disabled
----------------------------------

# Verify that external users can access the WWW server and FTP server. The details are not
provided here.
----End

Configuration Files
Configuration file of the router
#
sysname Router
#
vlan batch 100 200
#
nat alg ftp enable
#
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface Ethernet2/0/1
port link-type access
port default vlan 200
#
interface gigabitethernet 3/0/0
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
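
The following audit script is an added example, not part of the Huawei guide or any Huawei tool. It parses a configuration file in the format shown above, lists every nat server mapping (each one makes an internal host reachable from the external network), and applies two rules this guide states: a published FTP server needs nat alg ftp enable, and a NAT server global address must not be an address in a NAT address pool (FAQ 5.10.4). The nat address-group line in the sample is a constructed addition to the 5.8.3 file, and all function and variable names are hypothetical.

```python
import ipaddress
import re

# Port keywords that appear in this page's nat server commands.
PORT_KEYWORDS = {"www": 80, "ftp": 21}

# Constructed input: the 5.8.3 configuration file from this page plus one
# hypothetical "nat address-group" line that exercises the FAQ 5.10.4 check.
SAMPLE_CONFIG = """\
#
sysname Router
#
nat alg ftp enable
#
nat address-group 1 202.169.10.30 202.169.10.40
#
interface gigabitethernet 3/0/0
 ip address 202.169.10.1 255.255.255.0
 nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
"""

NAT_SERVER = re.compile(
    r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)$")
ADDRESS_GROUP = re.compile(r"nat address-group (\d+) (\S+) (\S+)$")
ALG_ENABLE = re.compile(r"nat alg (\S+) enable$")


def port_number(token):
    """Return the numeric port for a number or a keyword used on this page."""
    if token.isdigit():
        return int(token)
    return PORT_KEYWORDS.get(token, token)  # unknown keywords stay as text


def parse_config(text):
    """Collect nat server mappings, NAT address groups and enabled ALGs."""
    servers, groups, algs = [], {}, set()
    interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # "#" ends the current configuration view
            interface = None
        elif line.startswith("interface "):
            interface = line[len("interface "):]
        elif m := NAT_SERVER.match(line):
            protocol, g_ip, g_port, i_ip, i_port = m.groups()
            servers.append({
                "interface": interface,
                "protocol": protocol,
                "global": (ipaddress.ip_address(g_ip), port_number(g_port)),
                "inside": (ipaddress.ip_address(i_ip), port_number(i_port)),
            })
        elif m := ADDRESS_GROUP.match(line):
            groups[int(m.group(1))] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
        elif m := ALG_ENABLE.match(line):
            algs.add(m.group(1))
    return servers, groups, algs


def audit(text):
    """Return (exposure inventory, findings) for one configuration file."""
    servers, groups, algs = parse_config(text)
    inventory, findings = [], []
    for server in servers:
        (g_ip, g_port), (i_ip, i_port) = server["global"], server["inside"]
        inventory.append(f"{server['interface']}: {server['protocol']} "
                         f"{g_ip}:{g_port} -> {i_ip}:{i_port}")
        # FAQ 5.10.4: the global address must not come from a NAT address pool.
        for index, (start, end) in groups.items():
            if start <= g_ip <= end:
                findings.append(f"nat server global {g_ip} is inside "
                                f"nat address-group {index}")
        # 5.8.3 roadmap step 3: a published FTP server needs the FTP ALG.
        if 21 in (g_port, i_port) and "ftp" not in algs:
            findings.append(f"FTP mapping for {g_ip} has no 'nat alg ftp enable'")
    return inventory, findings


if __name__ == "__main__":
    exposure, problems = audit(SAMPLE_CONFIG)
    print("\n".join(exposure + problems))
```

The parser covers the nat server form used in this section (protocol, global address and port, inside address and port); other forms of the command are ignored rather than guessed at.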

5.8.4 Example for Configuring Twice NAT


Networking Requirements
As shown in Figure 5-21, the IP address of the outbound interface on the router is 202.11.1.2/24.
The IP address of the LAN gateway is 202.10.0.1/24 and that of the carrier device connected to
the router is 202.11.1.1/24. IP addresses of internal hosts are not assigned properly: the IP
address of PC1 on the internal network overlaps with that of Server A on the external network.
In this case, when PC2 accesses the server using the domain name of Server A, PC2 may instead
access PC1 on the same network segment based on the DNS resolution result. Users want packets to
be forwarded correctly.
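Figure 5-21 Network diagram for configuring twice NAT
[Figure: PC 1 (202.10.0.100/24) and PC 2 (202.10.0.16/24) connect to router interface GE2/0/0
(202.10.0.1/24); GE1/0/0 (202.11.1.2/24) connects the router to the Internet, where Server A
(202.10.0.100/24) and the DNS server are located.]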

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for ports on the router.
2. Configure a default route on the router.
3. Configure the DNS ALG function to enable DNS packets to traverse the NAT device.
4. Map the overlapped address pool to the temporary address pool.
5. Configure outbound NAT to allow internal users to access external networks.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 202.11.1.2 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 202.10.0.1 24
[Router-GigabitEthernet2/0/0] quit

Step 2 Configure a default route with next hop address 202.11.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.11.1.1

Step 3 Configure the mapping between the overlapped address pool and the temporary address pool on
the router.
[Router] nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254

Step 4 Configure a static route on the router from the temporary address pool to outbound interface
GE1/0/0.
[Router] ip route-static 202.12.1.100 32 gigabitethernet 1/0/0 202.11.1.1

Step 5 Configure the DNS NAT ALG function in the system view.
[Router] nat alg dns enable

Step 6 Configure outbound NAT on outbound interface GE1/0/0 of the router.


1. Create an ACL and configure an ACL rule to permit the packets of PC1 to pass through.
[Router] acl 3180
[Router-acl-adv-3180] rule 5 permit ip source 202.10.0.0 0.0.0.255
[Router-acl-adv-3180] quit

2. Configure the NAT address pool for outbound NAT.
[Router] nat address-group 1 202.11.1.100 202.11.1.200

3. Configure outbound NAT on outbound interface GE1/0/0.
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 3180 address-group 1
[Router-GigabitEthernet1/0/0] quit

Step 7 Check the configuration.


# Run the display nat overlap-address all command on the router to check the mapping between
the overlapped address pool and the temporary address pool.
<Router> display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
-------------------------------------------------------------------------------
Id  Overlap-Address  Temp-Address   Pool-Length  Inside-VPN-Instance-Name
-------------------------------------------------------------------------------
0   202.10.0.100     202.12.1.100   254
-------------------------------------------------------------------------------
Total : 1

# Run the display nat outbound command to display the configuration of NAT.
[Router] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
GigabitEthernet1/0/0      3180    1                              pat
--------------------------------------------------------------------------
Total : 1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 3180
rule 5 permit ip source 202.10.0.0 0.0.0.255
#
nat alg dns enable

#
nat address-group 1 202.11.1.100 202.11.1.200
#
nat overlap-address 0 202.10.0.100 202.12.1.100 pool-length 254
#
interface GigabitEthernet2/0/0
ip address 202.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 202.11.1.2 255.255.255.0
nat outbound 3180 address-group 1
#
ip route-static 0.0.0.0 0.0.0.0 202.11.1.1
ip route-static 202.12.1.100 255.255.255.255 GigabitEthernet1/0/0 202.11.1.1
#
return

5.8.5 Example for Configuring NAT


Networking Requirements
As shown in Figure 5-22, the web server uses private IP address 192.168.0.100/24 and port
8080. The public address of the web server is 202.10.1.3/24 and its domain name is
www.TestNat.com. The IP address of outbound interface GE1/0/0 on the router is 202.10.1.2/24
and the LAN gateway address is 192.168.0.1. The company has no other public IP addresses.
The IP address of the carrier device connected to the router is 202.10.1.1/24. The internal web
server provides web services for external users. Internal users of the company can access external
networks. They can also access internal web servers using an external DNS server.
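Figure 5-22 Networking diagram for configuring NAT
[Figure: the web server (192.168.0.100/24) and the internal user (192.168.0.200/24) connect to
router interface GE2/0/0; GE1/0/0 (202.10.1.2/24) connects the router to the Internet, where the
external user and the DNS server are located.]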

Configuration Roadmap
The configuration roadmap is as follows:
• Configure an IP address for ports on the router.
• Configure a default route on the router.
• Configure Easy IP on the WAN interface to allow internal hosts to access external networks.
• Configure a NAT server on the WAN interface to allow internal hosts to access external
networks.
• Configure DNS mapping and DNS NAT ALG on the router to allow internal users to access
internal servers using the domain name of an external DNS server.

Procedure
Step 1 Configure an IP address for ports on the router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 202.10.1.2 24
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 192.168.0.1 24
[Router-GigabitEthernet2/0/0] quit

Step 2 Configure a default route with next hop address 202.10.1.1 on the router.
[Router] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1

Step 3 Configure outbound NAT in Easy IP mode on uplink interface GE1/0/0 of the router.
[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat outbound 2000
[Router-GigabitEthernet1/0/0] quit

Step 4 Configure NAT server on uplink interface GE1/0/0 of the router.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.1.3 www inside 192.168.0.100 8080
[Router-GigabitEthernet1/0/0] quit

Step 5 Configure the DNS NAT ALG function and DNS mapping on the router.
[Router] nat alg dns enable
[Router] nat dns-map www.TestNat.com 202.10.1.3 80 tcp
[Router] quit

Step 6 Check the configuration.


Run the display nat outbound command on the router. The command output is as follows:
<Router> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
GigabitEthernet1/0/0      2000    202.10.1.2                     easyip
--------------------------------------------------------------------------
Total : 1

Run the display nat server command on the router. The command output is as follows:
<Router> display nat server
Nat Server Information:
Interface : GigabitEthernet 1/0/0
  Global IP/Port : 202.10.1.3/80(www)
  Inside IP/Port : 192.168.0.100 8080
  Protocol : 6(tcp)
  VPN instance-name : ----
  Acl number : ----
  Description : ----
Total : 1

Run the display nat alg command on the router. The command output is as follows:
<Router> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application            Status
----------------------------------
dns                    Enabled
ftp                    Disabled
rtsp                   Disabled
sip                    Disabled
----------------------------------

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
nat alg dns enable
#
nat dns-map www.testnat.com 202.10.1.3 80 tcp
#
interface GigabitEthernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 202.10.1.2 255.255.255.0
nat server protocol tcp global 202.10.1.3 www inside 192.168.0.100 8080
nat outbound 2000
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return

5.8.6 Example for Configuring PPPoE Dialup Access in Easy IP Mode


Networking Requirements
As shown in Figure 5-23, the IP address of Eth2/0/1 on the router is 192.168.0.1/24 and the IP
address of the PPPoE server is 178.18.1.1/16. Internal hosts connect to the network through the
router, which obtains a public IP address from the PPPoE server in PPPoE dialup mode. Users want
internal hosts to be able to access external networks.

Figure 5-23 Networking diagram for configuring PPPoE dialup access in Easy IP mode
[Figure: Host 1, Host 2, ... Host n connect to the router on Eth2/0/1; GE1/0/0 connects the
router to the PPPoE server and the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
Create a dialer interface and set its parameters, establish a PPPoE session, configure a static
route on the router, and configure Easy IP on the dialer interface so that internal hosts can
access external networks through PPPoE dialup in Easy IP mode.

Procedure
Step 1 Configure a PPPoE server.
Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the documentation
of the PPPoE server. If the router functions as a PPPoE server, see Example for Configuring the
PPPoE Server.
Step 2 Configure a dialer port.
<Huawei> system-view
[Huawei] sysname Router
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router] interface dialer 1
[Router-Dialer1] dialer user user2
[Router-Dialer1] dialer-group 1
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] dialer timer idle 300
INFO: The configuration will become effective after link reset.
[Router-Dialer1] dialer queue-length 8
[Router-Dialer1] ip address ppp-negotiate
[Router-Dialer1] quit

Step 3 Create a PPPoE session.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] pppoe-client dial-bundle-number 1 on-demand
[Router-GigabitEthernet1/0/0] quit

Step 4 Configure a static route on the router.


[Router] ip route-static 0.0.0.0 0 dialer 1

Step 5 Configure outbound NAT on the dialer interface in Easy IP mode.


[Router] acl 2000
[Router-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2000] quit
[Router] interface dialer 1
[Router-Dialer1] nat outbound 2000
[Router-Dialer1] quit

Step 6 Check the configuration.


# Run the display pppoe-client session summary command to check the PPPoE session status
and configuration. Check whether the session status is Up and whether the configuration is
consistent with the data plan and networking according to command output.
<Router> display pppoe-client session summary
PPPoE Client Session:
ID   Bundle  Dialer  Intf       Client-MAC    Server-MAC    State
1    1       1       GE1/0/0    00e0fc030201  00e0fc030206  PPPUP

# Run the display nat outbound command on the router. The command output is as follows:
<Router> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
Dialer1                   2000    178.18.1.2                     easyip
--------------------------------------------------------------------------
Total : 1

----End

Configuration Files
Configuration file of the router
#
sysname Router
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.0.255
#
dialer-rule
dialer-rule 1 ip permit
#
interface Dialer1
link-protocol ppp
ip address ppp-negotiate
dialer user user2
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
nat outbound 2000
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 on-demand
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return

5.9 Common Configuration Errors


This section describes common faults caused by incorrect NAT configurations to help you avoid
configuration errors.

5.9.1 Internal Users Fail to Access Public Networks


Fault Description
This fault is commonly caused by one of the following:
• Outbound NAT is not properly configured on the outbound interface connected to the public
network.
• The configuration of the ACL bound to outbound NAT is incorrect.

Procedure
Step 1 Check whether packets are received on interfaces of the device.
Run the display interface interface-type interface-number command on the device to display
the value of the Input field.
• If the value of the Input field is 0, the device does not receive any packets. Check the interface
configuration to ensure that the interface can receive packets.
• If the value of the Input field is not 0, go to step 2.
NOTE

The device supports GE, FE, Eth-Trunk, and sub-interfaces. If an Eth-Trunk sub-interface is used, run the
display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk
sub-interface receives packets.

Step 2 Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass
through.
Run the display nat outbound command on the device to check whether outbound NAT is
correctly configured.
[Huawei]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
GigabitEthernet0/0/0      2000    1                              no-pat
--------------------------------------------------------------------------
Total : 1

The preceding information indicates that ACL 2000 is bound to outbound NAT on
GigabitEthernet0/0/0.
Check whether the rule of ACL 2000 is configured correctly. If the IP address, interface number,
or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be transmitted
correctly.
Run the display acl 2000 command to check the rules of ACL 2000, which is bound to outbound
NAT.
[Huawei] display acl 2000
Basic ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0

The rule of ACL 2000 matches packets with the source address 192.168.1.100.
• If the ACL rule is configured incorrectly, reconfigure the ACL rule.
• If the ACL rule is configured correctly but the fault persists, go to step 3.
Step 3 Check that the address pool configuration is correct.
Run the display nat address-group command on the device to check whether the address pool
bound to outbound NAT on the outbound interface is correct.
[Huawei] display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index   Start-address      End-address
--------------------------------------
1       110.0.0.100        110.0.0.110
--------------------------------------
Total : 1

To check Easy IP information on the outbound port, run the display nat outbound command
on the device. For example:
[Huawei] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
GigabitEthernet0/0/1      2000    30.30.30.1                     easyip
--------------------------------------------------------------------------
Total : 1

The preceding information indicates that Easy IP is configured on GigabitEthernet0/0/1 and that the
address pool 30.30.30.1 bound to the interface is the address pool advertised on the interface. If
NAT is disabled, perform the following step:
• If the bound IP address is the interface address, ensure that the interface address is valid.
----End
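
The step 2 check can be made mechanical. The script below is an added example, not part of the Huawei guide: it reads basic ACL rules in the display acl format shown above and reports which internal hosts the ACL bound to outbound NAT actually permits, so a rule such as "192.168.1.100 0", which covers a single host, is easy to spot. It assumes rules are evaluated in ascending rule ID and that a source matching no permit rule is not translated; the host list and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the "display acl 2000" output shown in step 2 above.
DISPLAY_ACL_2000 = """\
Basic ACL2000, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.1.100 0
"""

RULE = re.compile(r"rule (\d+) (permit|deny)(?: source (\S+)(?: (\S+))?)?$")


def parse_basic_acl(text):
    """Return [(rule_id, action, base, wildcard_mask)] sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # header lines such as "Acl's step is 5"
        rule_id, action, address, wildcard = m.groups()
        if address in (None, "any"):
            base, mask = 0, 0xFFFFFFFF  # no source condition: match everything
        else:
            base = int(ipaddress.ip_address(address))
            # A wildcard of "0" is shorthand for 0.0.0.0: this host only.
            dotted = "0.0.0.0" if wildcard in (None, "0") else wildcard
            mask = int(ipaddress.ip_address(dotted))
        rules.append((int(rule_id), action, base, mask))
    return sorted(rules)


def first_match(rules, source):
    """Return (rule_id, action) of the first rule matching source, else None."""
    src = int(ipaddress.ip_address(source))
    for rule_id, action, base, mask in rules:
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if (src | mask) == (base | mask):
            return rule_id, action
    return None


def nat_coverage(acl_text, hosts):
    """Split hosts into those outbound NAT translates and those it does not."""
    rules = parse_basic_acl(acl_text)
    translated, untranslated = [], []
    for host in hosts:
        hit = first_match(rules, host)
        target = translated if hit and hit[1] == "permit" else untranslated
        target.append(host)
    return translated, untranslated


if __name__ == "__main__":
    # Hypothetical internal hosts to test against the ACL.
    hosts = ["192.168.1.100", "192.168.1.101", "192.168.0.2"]
    print(nat_coverage(DISPLAY_ACL_2000, hosts))
```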

5.9.2 External Hosts Fail to Access Internal Servers


Fault Description
This fault is commonly caused by one of the following:
• The NAT server is configured on an incorrect interface, such as an outbound port or another
unrelated interface. The NAT server must be configured on the inbound interface through which
an external host connects to the internal network.
• The NAT server configuration is incorrect. For example, the corresponding public and
private IP addresses of internal servers are incorrect, and the configured private ports differ
from the ports enabled on the internal servers.

Procedure
Step 1 Check whether services on the internal NAT server are running properly.
When the external network cannot access the internal NAT server, check whether services such
as HTTP server and FTP server are enabled on the internal NAT server. Access the internal NAT
server from an internal host to check whether the services are running properly.
• If services on the internal NAT server are not running properly, enable the services.
• If services on the internal NAT server are running properly but the fault persists, go to step
2.
Step 2 Check that the NAT server is configured correctly.
Run the display nat server command on the device to check that the NAT server is configured
on the correct NAT interface and the correct protocol type, interface number, and IP address are
configured.
[Huawei] display nat server
Nat Server Information:
Interface : GigabitEthernet 2/0/0
  Global IP/Port : 202.10.1.3/80 (www)
  Inside IP/Port : 192.168.0.100 8080
  Protocol : 6(tcp)
  VPN instance-name : ----
  Acl number : ----
  Description : ----
Total : 1

Ensure that the mapped internal address and interface are correct. When some services such as
FTP and TFTP transmit data packets, several ports (some of them randomly generated)
are used. Therefore, to configure the NAT server providing such services, cancel the limitation
on the ports so that the internal server can provide services normally.
• If the NAT server is configured incorrectly, reconfigure the NAT server.
• If the NAT server is configured correctly but the fault persists, go to step 3.
Step 3 Check the connection between the external host and NAT server and the configurations of the
connected ports.
Check that the IP address of the outbound interface on the NAT server is correct and the external
IP address of the NAT server is correct. The IP addresses cannot conflict with the addresses on
other network segments. Ping the external interface of the NAT server on an external host. Ensure
that the external host can ping the NAT server successfully.
• If the external host cannot connect to the NAT server, check the connection.
• If the external host and NAT server are connected correctly but the fault persists, go to step
4.
Step 4 Check that the internal NAT server is configured with the correct gateway address or route.
The internal NAT server must be configured with the correct route or gateway address so that
packets destined for the external host can be sent to the gateway.
• If the gateway address or route on the internal NAT server is configured incorrectly,
reconfigure it.
• If the gateway address or route on the internal NAT server is configured correctly but the
fault persists, contact Huawei technical support personnel.
----End

5.9.3 Internal Hosts with an Overlapped IP Address Fail to Access External Servers


Fault Description
This fault is commonly caused by one of the following:
• Outbound NAT is incorrectly configured on the outbound port.
• NAT ALG is disabled for the DNS protocol.
• The DNS mapping entry is configured incorrectly. For example, the corresponding public
address is different from the IP address of an external server.
• The route between the temporary address pool and the outbound interface is not configured.

Procedure
Step 1 Check that outbound NAT is configured correctly.
Run the display nat outbound command on the device to check whether outbound NAT is
configured correctly.
[Huawei]display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface                 Acl     Address-group/IP/Interface     Type
--------------------------------------------------------------------------
GigabitEthernet0/0/1      3180    1                              pat
--------------------------------------------------------------------------
Total : 1

The preceding information indicates that ACL 3180 is bound to outbound NAT and the address
pool index is 1. Check that outbound NAT references a correct address pool. When configuring
an address pool, ensure that the destination address on the external network is different from
any address in the address pool. Run the display nat address-group command to check the
configuration of the address pool.
[Huawei]display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index   Start-address      End-address
--------------------------------------
1       202.10.10.10       202.10.10.100
--------------------------------------
Total : 1

Check that ACL rules bound to outbound NAT are correct. Generally, incorrect addresses,
protocol types, or interface numbers are defined in ACL rules. When an ACL problem occurs,
packets on the internal network cannot be sent out or packets on the external network cannot be
sent to the internal network.
Run the display acl 3180 command to check the ACL bound to outbound NAT.
[Huawei]display acl 3180
Advanced ACL 3180, 1 rule
Acl's step is 5
rule 5 permit tcp source 1.1.1.1 0

NOTE

An ACL strictly controls the permitted address segments, protocols, and ports based on the networking
requirements. If certain protocol packets are rejected by the NAT gateway, check whether the packets of
this protocol are permitted by the ACL.

• If outbound NAT is configured incorrectly, correct the configuration.
• If outbound NAT is configured correctly but the fault persists, go to step 2.
Step 2 Check that the DNS mapping entry is configured correctly.
Run the display nat dns-map command on the device to check whether the NAT server is
configured on the correct NAT interface and check whether the protocol type, interface number,
and IP address are correctly configured.
[Huawei]display nat dns-map
NAT DNS mapping information:
Domain-name : test1
Global IP   : 10.1.1.1
Global port : 2012
Protocol    : tcp
Total : 1

• If the DNS mapping entry is configured incorrectly, run the nat dns-map command in the
system view to configure a DNS mapping entry correctly.
• If the DNS mapping entry is configured correctly but the fault persists, go to step 3.
Step 3 Check that NAT ALG is enabled for the DNS protocol.
Run the display nat alg command on the device to check whether NAT ALG is enabled for the
DNS protocol.
[Huawei]display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application            Status
----------------------------------
dns                    Disabled
ftp                    Disabled
rtsp                   Enabled
sip                    Disabled
----------------------------------

• If NAT ALG is disabled for the DNS protocol, run the nat alg command to enable it.
• If NAT ALG is enabled for the DNS protocol but the fault persists, go to step 4.
Step 4 Check that the mappings between overlapped address pools and temporary address pools are
correct.
Run the display nat overlap-address command on the device to check whether all the mappings
between overlapped address pools and temporary address pools are correct.
[Huawei]display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
----------------------------------------------------------------------
Id  Overlap-Address  Temp-Address   Pool-Length  Inside-VPN-Instance-Name
----------------------------------------------------------------------
1   1.1.1.1          20.20.20.20    34
----------------------------------------------------------------------
Total : 1

NOTE

The temporary address pool contains available IP addresses on the device. The IP addresses in the address
pool cannot conflict with any interface address, VRRP address, or NAT address. In the preceding
information, Inside-VPN-Instance-Name specifies the VPN instance to which the internal interface
connected to the host belongs.

• If the mappings are incorrect, reconfigure the mappings.
• If the mappings are correct but the fault persists, go to step 5.
Step 5 Check that the route between the temporary address pool and the outbound interface is
configured.
Run the display ip routing-table command on the device to check all the routes on the public
network.
[Huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost  Flags  NextHop        Interface

10.0.0.0/8          Static  60   0     D      10.164.50.1    Ethernet1/0/0
10.10.10.10/32      Direct  64   0     D      127.0.0.1      Vlanif3

NOTE

If the name of the VPN instance where the internal interface is located has been configured, run the display
ip routing-table vpn-instance vpn-name command to check the routes.

• If there is no correct route, reconfigure a route.
• If the route is correct but the fault persists, contact Huawei technical support personnel.
----End
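
Steps 4 and 5 can be checked before the configuration is deployed. The script below is an added example, not part of the Huawei guide: using the values from the 5.8.4 configuration file, it computes the temporary address pool, verifies that the pool does not collide with interface addresses or NAT address groups, and confirms that a static route other than the default covers the temporary address of the overlapped host. It assumes the temporary pool is the pool-length consecutive addresses starting at the temporary start address and that an overlapped address keeps its offset when mapped into the pool; all names are hypothetical.

```python
import ipaddress

# Values from the 5.8.4 configuration file on this page.
MAPPING = ("202.10.0.100", "202.12.1.100", 254)  # overlap start, temp start, pool-length
OVERLAPPED_HOST = "202.10.0.100"                 # address shared by PC1 and Server A
INTERFACE_IPS = ["202.11.1.2", "202.10.0.1"]
ADDRESS_GROUPS = {1: ("202.11.1.100", "202.11.1.200")}
STATIC_ROUTES = ["0.0.0.0/0", "202.12.1.100/32"]


def temp_pool(temp_start, pool_length):
    """First and last address of the temporary pool (assumed contiguous)."""
    first = ipaddress.ip_address(temp_start)
    return first, first + (pool_length - 1)


def to_temp(address, overlap_start, temp_start, pool_length):
    """Map an overlapped address to its temporary address, or None.

    Assumption: the offset is preserved,
    temp = temp_start + (address - overlap_start).
    """
    offset = (int(ipaddress.ip_address(address))
              - int(ipaddress.ip_address(overlap_start)))
    if not 0 <= offset < pool_length:
        return None  # address is outside the overlapped pool
    return ipaddress.ip_address(temp_start) + offset


def check_twice_nat(mapping, overlapped_host, interface_ips,
                    address_groups, static_routes):
    """Apply the 5.9.3 step 4 and step 5 checks to one overlap mapping."""
    overlap_start, temp_start, length = mapping
    first, last = temp_pool(temp_start, length)
    findings = []
    # Step 4 NOTE: the pool must not conflict with interface or NAT addresses.
    for ip in map(ipaddress.ip_address, interface_ips):
        if first <= ip <= last:
            findings.append(f"temporary pool contains interface address {ip}")
    for index, (start, end) in address_groups.items():
        start, end = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if start <= last and first <= end:
            findings.append(f"temporary pool overlaps nat address-group {index}")
    # Step 5: a route must send the temporary address to the outbound interface.
    networks = [ipaddress.ip_network(route) for route in static_routes]
    specific = [net for net in networks if net.prefixlen > 0]
    temp = to_temp(overlapped_host, overlap_start, temp_start, length)
    if temp is None:
        findings.append(f"{overlapped_host} is outside the overlapped address pool")
    elif not any(temp in net for net in specific):
        findings.append(f"no static route other than the default covers {temp}")
    return findings


if __name__ == "__main__":
    print(temp_pool(MAPPING[1], MAPPING[2]))
    print(check_twice_nat(MAPPING, OVERLAPPED_HOST, INTERFACE_IPS,
                          ADDRESS_GROUPS, STATIC_ROUTES))
```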

5.10 FAQ
5.10.1 Does NAT Support VPN Multi-Instance?
Yes. Network address translation (NAT) supports virtual private network (VPN) multi-instance.

5.10.2 How Do I View the NAT Session Table?


Run the display nat session all command to view the NAT session table.

5.10.3 How Do I Forcibly Age NAT Session Tables?


Run the reset nat session all command to forcibly age NAT session tables.

5.10.4 Can the Global Address of the NAT Server Be an Address in the NAT Address Pool?
No.

5.10.5 How Can I Enable NAT Log and Set a Log Interval?
NAT logs are generated when the device performs address translation.
Configuration Example
Configure the device to generate NAT logs at an interval of 200 seconds.
<Huawei> system-view
[Huawei] firewall log all enable
[Huawei] info-center enable
[Huawei] firewall log defend log-interval 200

5.10.6 How Can I Set the Aging Time of the Traffic Forwarding
Table?
You can use the firewall-nat session aging-time command to set the aging time of the session
entries.
Configuration Example
# Set the aging time of FTP session entries to 60 seconds.
<Huawei> system-view
[Huawei] firewall-nat session ftp aging-time 60

5.10.7 Users on an Internal Network Cannot Access Internal Servers
Using Domain Names. Why?
When a user device accesses the internal server using a domain name, the domain name in the DNS
Request packet may or may not contain the host name. Therefore, you have to configure different
DNS domain names in the following two situations. For example, you want to access the domain
name www.hbjs.gov.cn.
- When the DNS Request packet sent by the user device contains the host name, that is, the
  user device uses the domain name www.hbjs.gov.cn to access the internal server, run the
  nat dns-map www.hbjs.gov.cn global-address global-port { tcp | udp } command.
- When the DNS Request packet sent by the user device does not contain the host name, that
  is, the user device uses the domain name hbjs.gov.cn to access the internal server, run the
  nat dns-map hbjs.gov.cn global-address global-port { tcp | udp } command.

NOTE

If you are not sure whether the DNS Request packet sent by the device contains the host name, it is
recommended that you configure both of the preceding commands.

5.10.8 Private Network User and Server Are in the Same VLAN.
After NAT Server Is Configured on the VLANIF Interface, Why
Cannot the User Access the Server Using Public Address?
The private network user and server are connected to the same VLANIF interface and the same
subcard. After the nat server command is executed in the VLANIF interface view to map the
server IP address to a public network address, the response packet sent by the server to the user
cannot be sent to the CPU, so the packet address cannot be translated. As a result, the user cannot
connect to the server. To solve this problem, run the nat outbound command on the VLANIF
interface so that the server's response packet can be sent to the router and the packet address can
be translated. The router then forwards the packet to the user. The user can connect to the server.

5.10.9 What Is the Difference Between NAT Server and NAT Static?
When internal users access the external network, NAT server translates only internal IP
addresses to external IP addresses, whereas NAT static translates both internal IP addresses and
ports to external IP addresses and ports.
The enterprise requires that its internal users can access the external server and external users
can access its internal server, as shown in Figure 5-24. If you configure both NAT server and
Easy IP on the router, it translates only internal IP addresses to external IP addresses when
internal users access the external network. This may result in a failure to set up stream tables.
In this case, you are advised to configure NAT static but not NAT server on the router.
Figure 5-24 Networking diagram of NAT server and Easy IP
[Figure: the internal server (192.168.0.100/24) and the internal user (192.168.0.200/24) connect
through the Router (202.10.1.2/24) to the Internet, where the external user and the external
server are located.]

5.10.10 An External Phone Fails to Register With the SIP Server
After a NAT Server Is Configured on the Outbound Interfaces of
the Device Functioning as a SIP Server
A SIP server is deployed on an internal network and a NAT server and MTU are configured on
the outbound and inbound interfaces of a gateway router on this network. In this case, the router
sends fragmented packets to the SIP server and the server returns ICMP Error packets. An
external phone fails to register with the SIP server. Disable the MTU configuration on the
inbound interface or run the ip soft-forward enhance enable command to enable the enhanced
IP forwarding function on the router, so that the external phone can correctly register with the
SIP server to implement NAT translation.

5.10.11 What Are Differences of Easy IP and Address Pool?


Easy IP uses the public IP address of an interface as the translated source address, as shown in
Figure 5-25.
Figure 5-25 Networking of Easy IP
[Figure: Host A (10.1.1.100/8) and Host B (10.1.1.200/8) access the Server (211.100.7.34/24)
through the Router, whose public interface address is 162.10.2.8/24.]

Easy IP table
                            Way        Before Router      After Router
Host A sends a request      Outbound   10.1.1.100:1540    162.10.2.8:5480
Server responds to Host A   Inbound    162.10.2.8:5480    10.1.1.100:1540
Host B sends a request      Outbound   10.1.1.200:1586    162.10.2.8:5481
Server responds to Host B   Inbound    162.10.2.8:5481    10.1.1.200:1586

When the address pool mode is used, you need to configure a public address pool from which
public addresses mapping private addresses are selected, as shown in Figure 5-26.
Figure 5-26 Networking of an address pool
[Figure: the Host (10.1.1.100/8) accesses the Server (211.100.7.34/24) through the Router, which
uses the address group 162.105.178.65, 162.105.178.66, and 162.105.178.67.]

NAT table
                                        Way        Before Router     After Router
Internal host sends a request           Outbound   10.1.1.100        162.105.178.65
External host responds to the request   Inbound    162.105.178.65    10.1.1.100

Use Easy IP or address pool according to planning of public IP addresses:


- If there are idle public IP addresses after IP addresses of outbound interfaces on NAT
  devices and other applications are configured, use the address pool mode.
- If there are no idle public IP addresses after IP addresses of outbound interfaces on NAT
  devices and other applications are configured, use Easy IP.

5.10.12 Which Interfaces Support NAT?


The following interfaces support NAT:
- Physical interfaces
  Layer 3 Ethernet interface, Layer 3 GE interface, G.SHDSL interface, VDSL interface,
  PON interface, serial interface, POS interface, asynchronous interface, ATM interface, BRI
  interface, and cellular interface
- Logical interfaces
  Dialer interface, tunnel interface, Layer 3 Eth-Trunk interface, VE interface, VT interface,
  MP-group interface, MFR interface, and IMA-Group interface
- Sub-interfaces
  Ethernet sub-interface, Eth-Trunk sub-interface, ATM sub-interface, serial sub-interface,
  MFR sub-interface, IMA-Group sub-interface, and POS sub-interface

5.10.13 Public Address Cannot Be Pinged When NAT Is Configured
on the Device as the Egress Gateway. How Do I Solve the Problem?
After outbound NAT is configured, run the ip soft-forward enhance enable command to enable
the enhanced IP forwarding function before running the ping -a source-ip-address host
command. The device then does not translate private source addresses into public addresses
when sending packets.

6 UDP Helper Configuration

About This Chapter


This chapter describes the principle and configuration of UDP helper, and provides configuration
examples.
6.1 UDP Helper Overview
6.2 Configuring UDP Helper
The UDP helper function relays the UDP broadcast packets destined for specified ports.
6.3 Maintaining UDP Helper
UDP helper maintenance includes displaying and clearing UDP helper statistics.
6.4 Configuration Examples
This example describes how to configure UDP helper on a router.

6.1 UDP Helper Overview


Background
Hosts on a network may need to obtain the network configuration or resolve host names by
sending UDP broadcast packets to the server. If the hosts and server are located in different
broadcast domains, broadcast packets cannot reach the server and the hosts cannot obtain the
required information from the server.
The router provides the UDP helper function to solve this problem. UDP helper can relay the
UDP broadcast packets with specified destination ports. It converts the broadcast packets into
unicast packets and sends the unicast packets to the specified destination servers.
As shown in Figure 6-1, HostA uses a host name to access HostB, and the NetBIOS Name
Service (NetBIOS-NS) server resolves the host name of HostB. The NetBIOS-NS server and
HostA are in different broadcast domains, so the UDP broadcast packet with destination port
UDP 137 sent by HostA cannot reach the NetBIOS-NS server. After UDP helper is enabled on
the Router, the Router can forward the packet with destination port UDP 137 to the NetBIOS-NS
server through unicast so that the NetBIOS-NS server can resolve the host name of HostB.
Figure 6-1 UDP helper relays broadcast packets
[Figure: HostA sends a UDP broadcast to the Router, and the Router relays it as a UDP unicast to
the NetBIOS-NS server. HostB is also shown.]

Packets Forwarded by UDP Helper


The packets that can be forwarded by UDP helper must meet the following requirements:
- The destination MAC address is the broadcast MAC address (ffff-ffff-ffff).
- The destination IP address is the broadcast IP address (255.255.255.255) or a subnet
  broadcast IP address (for example, 192.168.255.255).
- The Time-to-Live (TTL) is larger than 1.
- The protocol type is UDP.
- The destination port is a specified UDP port.

UDP Helper Ports


After UDP helper is enabled on the router, the router relays the UDP packets with six specified
destination ports by default. Manual configuration is required if the router needs to relay the
UDP packets with other destination ports. In addition to the 6 default ports, another 10 destination
ports can be specified.
Table 6-1 lists the default UDP ports.
Table 6-1 Default UDP ports supported by UDP helper
Protocol                                                    UDP Port Number
Trivial File Transfer Protocol (TFTP)                       69
Domain Name System (DNS)                                    53
Time Service                                                37
NetBIOS Name Service (NetBIOS-NS)                           137
NetBIOS Datagram Service (NetBIOS-DS)                       138
Terminal Access Controller Access Control System (TACACS)   49

NOTE

UDP helper does not relay DHCP packets. That is, the destination port number cannot be 67 or 68. To relay
DHCP packets, enable the DHCP relay function on the router. For details about DHCP relay, see
Configuring DHCP Relay Agent.
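
The relay requirements and port rules above can be modelled to review which broadcasts a given UDP helper configuration lets cross the broadcast-domain boundary. The following is an added example, not Huawei code: the class, field, and reason names are hypothetical, the frames are constructed, and it assumes that a subnet broadcast is judged against the subnet of the receiving interface.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST_MAC = "ffffffffffff"
DEFAULT_PORTS = frozenset({37, 49, 53, 69, 137, 138})  # Table 6-1
DHCP_PORTS = frozenset({67, 68})  # relayed by DHCP relay, never by UDP helper
MAX_EXTRA_PORTS = 10              # "another 10 destination ports can be specified"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Frame:
    """Header fields of a received frame (a constructed model, not a wire parser)."""
    dst_mac: str
    dst_ip: str
    ttl: int
    protocol: str
    dst_port: int


class UdpHelperModel:
    """Hypothetical model of the relay decision described in section 6.1."""

    def __init__(self, interface_cidr, extra_ports=()):
        extra = set(extra_ports) - DEFAULT_PORTS
        if extra & DHCP_PORTS:
            raise ValueError("ports 67 and 68 cannot be relayed by UDP helper")
        if len(extra) > MAX_EXTRA_PORTS:
            raise ValueError("at most 10 ports can be added to the 6 defaults")
        self.ports = DEFAULT_PORTS | extra
        # Assumption: the subnet broadcast address is that of the receiving interface.
        network = ipaddress.ip_interface(interface_cidr).network
        self.subnet_broadcast = network.broadcast_address

    def decide(self, frame):
        """Return (relayed, reason); reason names the first requirement that failed."""
        mac = frame.dst_mac.lower()
        for separator in "-:.":
            mac = mac.replace(separator, "")
        if mac != BROADCAST_MAC:
            return False, "dst-mac-not-broadcast"
        dst = ipaddress.ip_address(frame.dst_ip)
        if dst != LIMITED_BROADCAST and dst != self.subnet_broadcast:
            return False, "dst-ip-not-broadcast"
        if frame.ttl <= 1:
            return False, "ttl-not-larger-than-1"
        if frame.protocol.lower() != "udp":
            return False, "not-udp"
        if frame.dst_port not in self.ports:
            return False, "port-not-relayed"
        return True, "relayed"


# Constructed sample traffic for the LAN interface 10.110.1.1/16 of section 6.4.1.
SAMPLE_FRAMES = [
    Frame("ffff-ffff-ffff", "255.255.255.255", 64, "udp", 137),  # NetBIOS-NS
    Frame("ffff-ffff-ffff", "10.110.255.255", 64, "udp", 53),    # subnet broadcast
    Frame("ffff-ffff-ffff", "255.255.255.255", 64, "udp", 67),   # DHCP
    Frame("ffff-ffff-ffff", "255.255.255.255", 1, "udp", 137),   # TTL too small
    Frame("00e0-fc12-3456", "10.110.1.1", 64, "udp", 137),       # unicast
]


def classify(helper, frames):
    """Return the decision reason for every frame, in order."""
    return [helper.decide(frame)[1] for frame in frames]


if __name__ == "__main__":
    model = UdpHelperModel("10.110.1.1/16")
    for frame, reason in zip(SAMPLE_FRAMES, classify(model, SAMPLE_FRAMES)):
        print(f"{frame.dst_ip:>16} port {frame.dst_port:<4} ttl {frame.ttl:<3} {reason}")
```

Every port added with udp-helper port enlarges the set of LAN broadcasts that are converted to unicast and sent to the configured server, so the port list is worth reviewing together with the server address.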

6.2 Configuring UDP Helper


The UDP helper function relays the UDP broadcast packets destined for specified ports.

Pre-configuration Tasks
Before configuring UDP helper, complete the following task:
- Configuring a reachable route from the router to the destination server

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
udp-helper enable

UDP helper is enabled.


Step 3 (Optional) Run:
udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp |
time }

The UDP destination port to which UDP broadcast packets are relayed is specified.
NOTE

After UDP helper is enabled, the router relays the UDP packets with the following destination ports by
default: Time (37), TACACS (49), DNS (53), TFTP (69), NetBIOS-NS (137), and NetBIOS-DS (138). If
the UDP destination port you want to specify is among the six ports, skip this step.

Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


The interface must be a VLANIF interface, Layer 3 Ethernet interface, or Layer 3 Ethernet subinterface.
Step 5 Run:
udp-helper server ip-address

The destination server for UDP helper is specified.


----End

Checking the Configuration


- Run the display udp-helper port command to check the UDP port numbers of the packets
  that need to be relayed.

6.3 Maintaining UDP Helper


UDP helper maintenance includes displaying and clearing UDP helper statistics.

6.3.1 Displaying UDP Helper Statistics


Procedure
- Run the display udp-helper server command to display the packet relay interface,
  destination server address, and number of forwarded packets.

----End

6.3.2 Clearing UDP Helper Statistics


Context

NOTICE
UDP helper statistics cannot be restored after being cleared. Exercise caution when you run the
reset udp-helper packet command.

Procedure
- Run the reset udp-helper packet command in the user view to clear UDP helper statistics.

----End

6.4 Configuration Examples


This example describes how to configure UDP helper on a router.

6.4.1 Example for Configuring UDP Helper


Networking Requirements
As shown in Figure 6-2, Router connects to a local area network (LAN) through GE1/0/0. The
IP address of GE1/0/0 is 10.110.1.1/16. NetBIOS-NS is connected to GE2/0/0 on Router. The
IP address of the NetBIOS-NS server is 202.2.1.1/16 and the IP address of GE2/0/0 is
202.2.1.2/16. PC1 and PC2 on the LAN need to access each other using host names.
Figure 6-2 UDP helper network
[Figure: the NetBIOS-NS server (202.2.1.1/16) connects to GE2/0/0 (202.2.1.2/16) on Router; PC1
and PC2 are on the LAN connected to GE1/0/0 (10.110.1.1/16).]

Configuration Roadmap
1. Because the PCs on the LAN need to access each other using host names, the host names
   must be resolved into IP addresses. However, the NetBIOS-NS and PCs are in different
   broadcast domains. The NetBIOS-NS Register packets cannot reach the NetBIOS-NS
   server. The Router must be enabled with UDP helper to forward the UDP packets with
   destination port 137 (NetBIOS-NS port) to the NetBIOS-NS server.
2. After UDP helper is enabled, specify the IP address of destination NetBIOS-NS server on
   GE1/0/0 of Router.

NOTE

After UDP helper is enabled on the Router, the Router relays the broadcast packets with UDP destination port
137 by default. The UDP port number, therefore, does not need to be configured in this example.

Procedure
Step 1 Assign an IP address to GE1/0/0 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.110.1.1 16
[Router-GigabitEthernet1/0/0] quit

Step 2 Assign an IP address to GE2/0/0 on Router.


[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 202.2.1.2 16
[Router-GigabitEthernet2/0/0] quit

Step 3 Enable UDP helper.


[Router] udp-helper enable

Step 4 Configure a destination server for packet relay on GE1/0/0 of Router.


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] udp-helper server 202.2.1.1
[Router-GigabitEthernet1/0/0] quit
[Router] quit

Step 5 Verify the configuration.


# Run the display udp-helper server command to check UDP Helper statistics.
<Router> display udp-helper server
Server-interface          Server-Ip         packet-num
------------------------------------------------------------------------
GigabitEthernet1/0/0      202.2.1.1         201

# Run the display udp-helper port command to check the configured destination port number
of UDP packets to be forwarded using the UDP Helper.
<Router> display udp-helper port
Udp-Port-Number      Description
-------------------------------------------------------------
37                   Time
49                   TAC Access Control System
53                   Domain Name Server
69                   Trivial File Transfer Protocol
137                  NETBIOS Name Service
138                  NETBIOS Datagram Service

----End

Configuration Files
Configuration file of the Router
#
sysname Router
#
udp-helper enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 202.2.1.1
#
interface GigabitEthernet2/0/0
 ip address 202.2.1.2 255.255.0.0
#
return

7 IP Performance Configuration

About This Chapter


You can optimize IP performance by adjusting parameters on the network.
7.1 IP Performance Overview
Parameters on certain networks need to be modified to optimize network performance.
7.2 Default Configuration
This section provides the default IP performance configuration.
7.3 Optimizing IP Performance
This section describes how to optimize IP performance. You can set IP performance parameters
to achieve best network performance.
7.4 Maintaining IP Performance
This section describes how to clear IP performance statistics to maintain IP performance.
7.5 FAQ

7.1 IP Performance Overview


Parameters on certain networks need to be modified to optimize network performance.
A large number of packets need to be forwarded on the network, which may cause network
congestion and degrade network performance. IP performance optimization can solve the
problem. You can adjust parameters or forwarding modes for IP packets to achieve optimal
network performance.

7.2 Default Configuration


This section provides the default IP performance configuration.
Table 7-1 describes the default configuration of IP performance.
Table 7-1 Default IP performance configuration
Parameter                                                  Default Configuration
Source IP address verification                             Disabled
IP packet fragmentation on outbound interface              Disabled
Fast ICMP reply function                                   Enabled
Discarding ICMP packets whose TTL values are 1 on an LPU   Disabled
Discarding ICMP packets that carry options on an LPU       Disabled
Discarding ICMP destination unreachable packets            Disabled
Sending ICMP port unreachable packets                      Enabled
Sending ICMP redirection packets                           Enabled
Not sending ICMP unreachable packets                       Disabled
TCP SYN-Wait timer                                         75s
TCP FIN-Wait timer                                         675s
TCP window size                                            8k bytes

7.3 Optimizing IP Performance


This section describes how to optimize IP performance. You can set IP performance parameters
to achieve best network performance.
Prerequisite
Before optimizing IP performance, complete the following task:
- Configuring IP addresses for interfaces

7.3.1 Configuring Source IP Addresses Verification


Context
Configuring source IP address verification enables an interface to check the validity of source IP
addresses of received packets. Packets with invalid addresses are discarded. The interface checks
the validity of source IP addresses only for packets that are forwarded to the CPU; it does not
check the source IP addresses of packets that are directly forwarded according to the FIB table.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

Step 3 Run:
ip verify source-address

Source IP address verification is configured.


By default, an interface does not check validity of source IP addresses of received packets.
----End

7.3.2 Configuring an Outbound Interface to Fragment IP Packets


Context
If the size of IP packets exceeds the MTU, oversized packets will be discarded. After IP packet
fragmentation is enabled, the system sets the DF field of an IP packet to 0 and fragments the IP
packet to ensure that all packets are forwarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


NOTE

The function that clears the DF field is valid for outgoing packets; therefore, this function must be
configured on the outbound interface.

Step 3 Run:
clear ip df

The IP packet fragmentation is enabled on an outbound interface.


By default, an outbound interface does not fragment IP packets.
----End

7.3.3 Configuring Unequal Cost Multiple Path


Context
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth.
Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed
links cannot be used efficiently. To solve this problem, you can configure Unequal Cost Multiple
Path (UCMP) on an interface so that proportional traffic can be loaded over equal-cost links
based on the bandwidth. This configuration can achieve proper load balancing.
On AR150, AR200, and AR1200, the bandwidth of any of the equal-cost links must be equal to or
greater than 1/4 of the total bandwidth; otherwise, the link cannot participate in
load balancing traffic by bandwidth.
On AR2200 and AR3200, the bandwidth of any of the equal-cost links must be equal to or
greater than 1/8 of the total bandwidth; otherwise, the link cannot participate in load
balancing traffic by bandwidth.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


NOTE

To configure UCMP on a logical interface, perform step 3.

Step 3 (Optional) Run:


load-balance bandwidth bandwidth

The bandwidth is manually configured for the interface.


For a logical interface, the interface bandwidth is not configured by default; for a physical
interface, the actual interface bandwidth is used by default.
Perform this step if you need to adjust the bandwidth of equal-cost links so that the equal-cost
links load balance traffic based on the configured bandwidth.
Step 4 Run:
load-balance unequal-cost enable

UCMP is enabled on the interface.


By default, UCMP is disabled on an interface.
Step 5 Run:
shutdown

The interface is shut down.


Step 6 Run:
undo shutdown

The interface is started.


Step 7 Run:
quit

Return to the system view.


To configure UCMP on other interfaces, repeat steps 2 through 7.
NOTE

Equal-cost links load balance proportional traffic based on the configured bandwidth only when UCMP is
enabled on the outbound interfaces of all equal-cost links and the shutdown and undo shutdown
commands are executed on the outbound interfaces in sequence to trigger FIB entry update. If UCMP is
not enabled on any outbound interface, the equal-cost links evenly load balance traffic even though FIB
entry update is triggered.

----End

7.3.4 Configuring the Device to Process IP Packets with Options


Context
IP packets can carry source route options. These route options are used to diagnose network
paths and temporarily transmit special services. These options, however, may be used by
attackers to spy on the network structure for initiating attacks. This degrades network security
and device performance. To solve this problem, you can perform the following configurations
to configure the device to discard the IP packets that contain the route options.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Do as follows according to different route options in IP packets:


Run:
discard srr
The interface is configured to discard IP packets with source-route options.
By default, the IP packets carrying source route option are processed by the device.
----End

7.3.5 Configuring an Interface to Forward Broadcast Packet


Context
By controlling broadcast packet forwarding through interfaces, you can improve the security of
the network.

Procedure
Step 1 Configure the basic or advanced ACL. For details, see Configuring a Basic ACL or Configuring
an Advanced ACL.
Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ip forward-broadcast [ acl acl-number ]

The interface is configured to forward broadcast packets.


By default, broadcast packets are not forwarded by any interface.
Only broadcast packets that match the permit action defined in the ACL are forwarded.
Broadcast packets that match the deny action defined in the ACL or do not match any ACL rules
are not forwarded.
----End
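
The interface-level settings in 7.3.1, 7.3.4, and 7.3.5 are all off or permissive unless configured, so a saved configuration can be checked for them per interface. The following is an added example, not Huawei code: the function names and finding codes are hypothetical, and the sample configuration (including ACL number 2001) is constructed in the style of the configuration files shown in this guide.

```python
import re

# Constructed sample in the style of the guide's configuration files.
SAMPLE_CONFIG = """\
#
sysname Router
#
udp-helper enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 202.2.1.1
 ip forward-broadcast
#
interface GigabitEthernet2/0/0
 ip address 202.2.1.2 255.255.0.0
 ip verify source-address
 discard srr
 ip forward-broadcast acl 2001
#
return
"""

# Hypothetical finding codes mapped to the section that explains the default.
EXPLAIN = {
    "no-source-address-verification":
        "7.3.1: ip verify source-address is absent (by default source addresses are not checked)",
    "source-route-options-processed":
        "7.3.4: discard srr is absent (by default packets with source-route options are processed)",
    "broadcast-forwarding-without-acl":
        "7.3.5: ip forward-broadcast is configured without an ACL",
}

FORWARD_BROADCAST = re.compile(r"ip forward-broadcast(?: acl (\d+))?")


def parse_interfaces(config_text):
    """Map each interface name to the commands in its block.

    A block starts at an 'interface' line and ends at '#' or 'return', so the
    parser also accepts text whose leading indentation has been lost.
    """
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_interface(commands):
    """Return the finding codes for one interface block, in a fixed order."""
    findings = []
    # Note from 7.3.1: even when enabled, only packets sent to the CPU are checked.
    if "ip verify source-address" not in commands:
        findings.append("no-source-address-verification")
    if "discard srr" not in commands:
        findings.append("source-route-options-processed")
    for command in commands:
        match = FORWARD_BROADCAST.fullmatch(command)
        if match and match.group(1) is None:
            findings.append("broadcast-forwarding-without-acl")
    return findings


def audit_config(config_text):
    """Return {interface name: [finding codes]} for every interface block."""
    return {name: audit_interface(commands)
            for name, commands in parse_interfaces(config_text).items()}


def report(config_text):
    """Return one readable line per finding."""
    return [f"{name}: {EXPLAIN[code]}"
            for name, codes in sorted(audit_config(config_text).items())
            for code in codes]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```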

7.3.6 Configuring the Enhanced Forwarding Function for Control
Packets Generated by the Device

Context
By default, control packets generated by the device are scheduled first and can preempt all the
bandwidth. QoS policies take effect only for data packets. In certain cases, control packets need
to be managed. For example, bandwidth limitation is required for the control packets generated
by Telnet applications. The enhanced forwarding function can meet the requirement. You can
configure this function to apply QoS policies to the control packets generated by the device.
Currently, the enhanced forwarding function is valid only for the control packets generated by
the device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ip soft-forward enhance enable

The enhanced forwarding function is enabled.


By default, the enhanced forwarding function is disabled.
Step 3 (Optional) Set the priority for control packets.
1. Run:
   set priority dot1p priority-value

   The 802.1p priority is set for the control packets.

2. Run:
   set priority protocol-type protocol-type dscp dscp-value

   The DSCP priority is set for the control packets.


----End

Follow-up Procedures
Configuring the enhanced forwarding function for control packets only makes it possible for
QoS policies to take effect for the control packets. To implement differentiated services for control
packets, configure QoS policies. For details, see Huawei AR150&200&1200&2200&3200
Series Enterprise Routers Configuration Guide - QoS.

7.3.7 Disabling the Routing and Forwarding Function on High-end
LAN Cards

Context
You can enable or disable the routing and forwarding function on high-end LAN cards to redirect
the packets received on high-end LAN cards to the sub-core CPU.
By default, the routing and forwarding function is enabled on high-end LAN cards (8FE1GE
and 24GE cards) to implement IP packet routing and forwarding. Configuring ACLs on high-end
LAN cards (8FE1GE and 24GE cards) is complex, and ACL-based traffic policy and URPF
cannot be configured on high-end LAN cards. This restricts the use of ACLs. When the routing
and forwarding function is disabled on high-end LAN cards, you can redirect the packets
received on high-end LAN cards to the sub-core CPU for packet forwarding. In this situation,
you can configure ACL-based traffic policies and URPF and simplify the ACL configuration.
NOTE

Only AR1200, AR2200, and AR3200 support this function.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
set workmode lan-card l3centralize

The routing and forwarding function is disabled on high-end LAN cards (8FE1GE and 24GE
cards).

NOTICE
- After this command is used, an interface can only be manually added to a voice VLAN.
- After this command is used, protocol packets with source or destination MAC addresses as
  blackhole MAC addresses will not be discarded.
- After this command is used, the device CPU usage increases.
----End

7.3.8 Configuring ICMP properties


Context
By default, an interface is enabled to send ICMP redirection packets.

NOTICE
If an interface is not enabled to send ICMP redirection packets, the
AR150&200&1200&2200&3200 does not send ICMP redirection packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
icmp-reply fast

The fast ICMP reply function is enabled.


By default, the fast ICMP reply function is enabled on the device.

Step 3 Run:
icmp ttl-exceeded drop

The device is configured to discard the ICMP packets whose TTL values are 1.
By default, the function of discarding ICMP packets with TTL values 1 is disabled.
Step 4 Run:
icmp with-options drop

The device is configured to discard the ICMP packets that carry options.
By default, the function of discarding ICMP packets that carry options is disabled.
Step 5 Run:
icmp unreachable drop

The function of discarding ICMP destination unreachable packets is enabled.


By default, the function of discarding ICMP destination unreachable packets is disabled.
Step 6 Run:
icmp port-unreachable send

The function of sending ICMP port unreachable packets is enabled.


Step 7 Run:
icmp time-exceed { extension { compliant | non-compliant } | classic }

The format of ICMP Time Exceeded packets is configured.


By default, ICMP Time Exceeded packets carry extension headers in compliant mode and
original datagrams are of variable length.
Step 8 Run:
interface interface-type interface-number

The interface view is displayed.


Step 9 Run:
icmp redirect send

The function of sending ICMP redirection packets is enabled.


By default, the function of sending ICMP redirection packets is enabled.
Step 10 Run:
undo icmp ttl-exceeded send
The function to send ICMP Time Exceeded messages is enabled.
By default, an interface is enabled to send ICMP Time Exceeded messages.
Step 11 Run:
icmp host-unreachable send

The function of sending ICMP host unreachable packets is enabled.



By default, the function of sending ICMP host unreachable packets is enabled.


----End

7.3.9 Configuring TCP Properties


Context
When the router sets up a TCP connection with another device, for example the TCP connection used by BGP, TCP properties need to be configured.
The following TCP properties can be configured on the router:
• SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response packet is received after the SYN-Wait timer expires, the TCP connection is closed.
• FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the FIN-Wait timer expires, the TCP connection is closed.
• Receive/send buffer size of the connection-oriented socket (window-size).
• MSS of TCP packets on an interface.

If you configure TCP properties in the system view multiple times, only the last configuration takes effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp timer syn-timeout interval

The SYN-Wait timer of TCP connections is configured.


The value of the TCP SYN-Wait timer is an integer that ranges from 2 to 600, in seconds. The
default value is 75.
Step 3 Run:
tcp timer fin-timeout interval

The FIN-Wait timer of TCP connections is configured.


The value of the TCP FIN-Wait timer is an integer that ranges from 76 to 3600, in seconds. The
default value is 675.
Step 4 Run:
tcp window window-size

The socket receive/send buffer size is configured.


The value of window-size ranges from 1k bytes to 32k bytes. The default value is 8k bytes.
Step 5 Run:
interface interface-type interface-number


The interface view is displayed.


Step 6 Run:
tcp adjust-mss value

The MSS of TCP packets is set on the interface.


By default, the MSS of TCP packets is not set on the interface.
The MSS of TCP packets is an option defined in TCP. It refers to the maximum length of a TCP
packet segment that can be received by the peer device. When establishing the TCP connection,
the local and peer ends negotiate the MSS value to determine the maximum data length of TCP
packets. If the length of a TCP packet sent by the peer device exceeds the negotiated MSS, the
TCP packet is fragmented.
When configuring the MSS of TCP packets, pay attention to the following points:
• To ensure that TCP packets are not fragmented, pay attention to the relationship between the MSS and MTU during configuration. MTU is an option defined by the data link layer to identify whether IP packets need to be fragmented. If the size of an IP packet sent by the peer device exceeds the MTU, the IP packet is fragmented. To ensure that the packet transmission is not affected, the MSS value plus the header lengths (such as the TCP header and IP header) must not exceed the MTU value. For example, the default MTU value of an Ethernet interface is 1500 bytes. To ensure that packets are not fragmented, the MSS value can be set to 1460 bytes. The formula is as follows: Default MTU value (1500 bytes) - Minimum length of the TCP header (20 bytes) - Minimum length of the IP header (20 bytes). The recommended MSS value is 1200 bytes.
• The tcp adjust-mss command takes effect not only when the router itself functions as the client or server of a TCP connection. When another device functions as the client to perform MSS negotiation through the router, the negotiation result is modified based on the MSS configured on the router. In addition, the MSS value is changed to the value configured using the tcp adjust-mss command only when the MSS value received by the router is larger than the value configured using the tcp adjust-mss command executed on the router.
• If you run the tcp adjust-mss command multiple times in the same interface view, only the latest configuration takes effect.
----End

7.3.10 Checking the Configuration


Procedure
• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-address ] [ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port remote-port-number ] ] command to check the TCP connection status.
• Run the display tcp statistics command to view the TCP traffic statistics.
• Run the display udp statistics command to view the UDP traffic statistics.
• Run the display ip statistics command to view the IP traffic statistics.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type socket-type ] command to view information about the created IPv4 socket.
• Run the display icmp statistics command to view the ICMP traffic statistics.

----End

7.4 Maintaining IP Performance


This section describes how to clear IP performance statistics to maintain IP performance.

7.4.1 Clearing IP Performance Statistics


Context

NOTICE
The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Therefore, confirm
your operation before clearing the IP performance statistics.

Procedure
• Run the reset ip statistics [ interface interface-type interface-number ] command in the user view to clear IP statistics.
• Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the user view to clear information in a socket monitor.
• Run the reset rawip statistics command in the user view to clear statistics about RawIP packets.
• Run the reset tcp statistics command in the user view to clear TCP statistics.
• Run the reset udp statistics command in the user view to clear UDP statistics.

----End

7.5 FAQ
7.5.1 Why Do I Need to Consider the Interface MTU When Setting the MSS of TCP Packets?
The maximum segment size (MSS) is negotiated during TCP connection setup. The MSS
determines the maximum length of a TCP packet. Some upper-layer applications such as HTTP
reset the Don't fragment (DF) field of IP packets to prevent TCP packets from being fragmented.
If the DF field is reset and the interface MTU is smaller than the MSS, the router discards TCP
packets because TCP packets cannot be fragmented.
A TCP packet has the TCP header and IP header; therefore, the MSS value plus all the header
lengths cannot exceed the MTU. The MTUs supported by Ethernet and PPPoE are 1500 bytes
and 1492 bytes respectively. You are advised to set the MSS to 1200 bytes. If the interface MTU
is changed or encapsulation packets of some special applications cannot be fragmented in
PPPoE, L3VPN, and IPSec scenarios, note the MSS setting.
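The MSS arithmetic and the rewrite rule that section 7.3.9 and this FAQ describe for tcp adjust-mss, as an added Python example (not Huawei code and not part of the original guide): it computes the largest MSS that fits an MTU and rewrites the MSS option of a SYN only when the received value exceeds the configured one, updating the TCP checksum incrementally. The function names, the sample SYN and its documentation addresses are constructed assumptions; IPv4 with minimum-length headers is assumed.

```python
import socket
import struct

IP_HDR_MIN = 20    # minimum IPv4 header length in bytes (value used in the guide)
TCP_HDR_MIN = 20   # minimum TCP header length in bytes (value used in the guide)


def max_mss_for_mtu(mtu, extra_overhead=0):
    """MSS = MTU - IP header - TCP header - any extra encapsulation overhead."""
    mss = mtu - IP_HDR_MIN - TCP_HDR_MIN - extra_overhead
    if mss <= 0:
        raise ValueError("MTU too small for the given overhead")
    return mss


def fold(total):
    """Fold the carries of a one's-complement sum back into 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(src, dst, tcp):
    """Folded one's-complement sum over the IPv4 pseudo-header and the TCP segment."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp))
    data += b"\x00" * (len(data) % 2)
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def checksum_ok(src, dst, tcp):
    """A segment with a correct checksum sums to 0xFFFF."""
    return ones_sum(src, dst, tcp) == 0xFFFF


def find_mss_offset(tcp):
    """Walk the TCP options; return the offset of the 2-byte MSS value, or None."""
    end = (tcp[12] >> 4) * 4                 # data offset field, in bytes
    if end < TCP_HDR_MIN or end > len(tcp):
        raise ValueError("bad TCP data offset")
    i = TCP_HDR_MIN
    while i < end:
        kind = tcp[i]
        if kind == 0:                        # End of Option List
            return None
        if kind == 1:                        # No-Operation (single byte, no length)
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        if kind == 2 and tcp[i + 1] == 4:    # Maximum Segment Size
            return i + 2
        i += tcp[i + 1]
    return None


def clamp_mss(tcp, configured_mss):
    """Rewrite the MSS of a SYN only if it is larger than configured_mss.

    Returns (header_bytes, mss_seen, mss_forwarded); both MSS values are None
    when the segment is not a SYN or carries no MSS option.
    """
    if len(tcp) < TCP_HDR_MIN:
        raise ValueError("short TCP header")
    if not tcp[13] & 0x02:                   # SYN flag not set
        return bytes(tcp), None, None
    off = find_mss_offset(tcp)
    if off is None:
        return bytes(tcp), None, None
    seen = struct.unpack_from("!H", tcp, off)[0]
    if seen <= configured_mss:               # smaller or equal values pass unchanged
        return bytes(tcp), seen, seen
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, configured_mss)
    # RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for each changed 16-bit word
    # (two words when NOP padding leaves the MSS value on an odd offset).
    csum = struct.unpack_from("!H", tcp, 16)[0]
    for w in range(off & ~1, off + 2, 2):
        old_w = struct.unpack_from("!H", tcp, w)[0]
        new_w = struct.unpack_from("!H", out, w)[0]
        csum = ~fold((~csum & 0xFFFF) + (~old_w & 0xFFFF) + new_w) & 0xFFFF
    struct.pack_into("!H", out, 16, csum)
    return bytes(out), seen, configured_mss


def build_sample_syn(src, dst, mss, leading_nop=False):
    """Constructed SYN header with a valid checksum (sample input, not captured traffic)."""
    opts = (b"\x01" if leading_nop else b"") + struct.pack("!BBH", 2, 4, mss)
    opts += b"\x01" * (-len(opts) % 4)       # pad options to a 4-byte boundary
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      ((TCP_HDR_MIN + len(opts)) // 4) << 4, 0x02, 8192, 0, 0) + opts
    csum = ~ones_sum(src, dst, hdr) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


if __name__ == "__main__":
    SRC, DST = "192.0.2.1", "198.51.100.2"   # documentation addresses
    print("Ethernet:", max_mss_for_mtu(1500), "PPPoE:", max_mss_for_mtu(1492))
    fixed, seen, sent = clamp_mss(build_sample_syn(SRC, DST, 1460), 1200)
    print(seen, "->", sent, "checksum ok:", checksum_ok(SRC, DST, fixed))
```

Pass the extra bytes of a tunnel or VPN encapsulation as extra_overhead to see how far the MSS must drop before such packets fit the interface MTU.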

7.5.2 How Can I Determine Whether a Socket is Successfully Created?
To determine whether a socket is successfully created, run the following commands:
<Huawei> system-view
[Huawei] diagnose
[Huawei-diagnose] info-center enable
[Huawei-diagnose] display ip socket


8 Basic IPv6 Configurations

About This Chapter


The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.
8.1 IPv6 Overview
8.2 Principles
8.3 Default Configuration
This section describes the default IPv6 configuration.
8.4 Configuring Basic IPv6
8.5 Maintaining IPv6
Maintaining IPv6 includes clearing IPv6 statistics and monitoring IPv6 running status.
8.6 Configuration Examples
This section provides IPv6 configuration examples, including networking requirements and
configuration roadmap.
8.7 FAQ
8.8 References


8.1 IPv6 Overview


Definition
Internet Protocol version 6 (IPv6), also called IP Next Generation (IPng), is a second-generation
network layer protocol. It was designed by the Internet Engineering Task Force (IETF) as an
upgraded version of Internet Protocol version 4 (IPv4).

Purpose
IPv4 is the widely used Internet protocol. During initial development of the Internet, IPv4 rapidly
developed because of its simplicity, ease of implementation, and good interoperability.
However, as the Internet rapidly develops, deficiencies in the IPv4 design have become obvious.
IPv6 emerged to overcome these deficiencies. IPv6 has the following advantages over IPv4.
Table 8-1 Comparisons between IPv6 and IPv4

Item: Address space
Deficiency in IPv4: An IPv4 address is 32 bits long. A maximum of 4.3 billion IPv4 addresses can be provided. Actually, less than 4.3 billion addresses are available, and IPv4 address resources are allocated unevenly. USA address resources account for almost half of the global address space, with barely enough addresses left for Europe, and still fewer for the Asia-Pacific area. Furthermore, the development of mobile IP and broadband technologies still requires more IP addresses. Currently, IPv4 addresses are being exhausted.
There are several solutions to IPv4 address exhaustion. Classless Inter-domain Routing (CIDR) and Network Address Translator (NAT) are two such solutions. CIDR and NAT, however, have their disadvantages and unsolvable problems, which helped encourage the development of IPv6.
Advantage of IPv6: An IPv6 address is 128 bits long. A 128-bit address structure allows for 2^128 (4.3 billion x 4.3 billion x 4.3 billion x 4.3 billion) possible addresses. The biggest advantage of IPv6 is its almost infinite address space.

Item: Packet format
Deficiency in IPv4: The IPv4 packet header carries the Options field, including security, timestamp, and record route options. The variable length of the Options field makes the IPv4 packet header length range from 20 bytes to 60 bytes. IPv4 packets with the Options field often need to be forwarded by intermediate devices, so many resources are occupied. Therefore, these IPv4 packets are seldom used in practice.
Advantage of IPv6: Compared with the IPv4 packet header, the IPv6 packet header does not carry IHL, identifier, flag, fragment offset, header checksum, option, and padding fields but carries the flow label field. This facilitates IPv6 packet processing and improves processing efficiency. To support various options without changing the existing packet format, the Extension Header information field is added to the IPv6 packet header. This improves IPv6 flexibility.

Item: Autoconfiguration and readdressing
Deficiency in IPv4: An IPv4 address is 32 bits long, and IPv4 addresses are allocated unevenly. IP addresses often need to be reallocated during network expansion or replanning. Address autoconfiguration and readdressing are required to simplify address maintenance. Currently, IPv4 depends on the Dynamic Host Configuration Protocol (DHCP) to provide address autoconfiguration and readdressing.
Advantage of IPv6: IPv6 provides address autoconfiguration to allow hosts to automatically discover networks and obtain IPv6 addresses. This improves network manageability.

Item: Route summarization
Deficiency in IPv4: Many non-contiguous IPv4 addresses are allocated, so routes cannot be summarized effectively due to incorrect IPv4 address allocation and planning. The increasingly large routing table consumes a lot of memory and affects forwarding efficiency. Device manufacturers have to keep upgrading devices to improve route addressing and forwarding performance.
Advantage of IPv6: A huge address space allows for the hierarchical network design in IPv6. The hierarchical network design facilitates route summarization and improves forwarding efficiency.

Item: End-to-end security support
Deficiency in IPv4: Security is not fully considered in the design of IPv4. Therefore, the original IPv4 framework does not support end-to-end security.
Advantage of IPv6: IPv6 supports IP Security (IPSec) authentication and encryption at the network layer, so it provides end-to-end security.

Item: Quality of Service (QoS) support
Deficiency in IPv4: The increasing popularity of network conferences, network telephones, and network TVs requires better QoS to ensure real-time forwarding of these voice, data, and video services. However, IPv4 has no native mechanism to support QoS.
Advantage of IPv6: IPv6 has the Flow Label field, which guarantees QoS for voice, data, and video services.

Item: Mobility
Deficiency in IPv4: As the Internet develops, mobile IPv4 experiences some problems, such as triangle routing and source address filtering.
Advantage of IPv6: IPv6 has the native capability to support mobility. Compared to mobile IPv4, mobile IPv6 uses the neighbor discovery function to discover a foreign network and obtain a care-of address without using any foreign agent. The mobile node and peer node can communicate using the routing header and destination options header. This function solves the problems of triangle routing and source address filtering in mobile IPv4. Mobile IPv6 improves mobile communication efficiency and is transparent to the application layer.

8.2 Principles
8.2.1 IPv6 Addresses
IPv6 Address Formats
An IPv6 address is 128 bits long. It is written as eight groups of four hexadecimal digits (0 to 9, A to F), where each group is separated by a colon (:). For example, 2031:0000:130F:0000:0000:09C0:876A:130B is a valid IPv6 address. This IPv6 address format is the preferred format.
For convenience, IPv6 provides the compressed format. The following uses IPv6 address 2031:0000:130F:0000:0000:09C0:876A:130B as an example to describe the compressed format:
• Any zeros at the beginning of a group can be omitted. Then the given example becomes 2031:0:130F:0:0:9C0:876A:130B.
• A double colon (::) can be used in an IPv6 address when two or more consecutive groups contain all zeros. Then the given example can be written as 2031:0:130F::9C0:876A:130B.
NOTE

An IPv6 address can contain only one double colon (::). Otherwise, a computer cannot determine the number
of zeros in a group when restoring the compressed address to the original 128-bit address.

IPv6 Address Structure


An IPv6 address has two parts:
• Network prefix: corresponds to the network ID of an IPv4 address. It is of n bits.
• Interface identifier (interface ID): corresponds to the host ID of an IPv4 address. It is of 128-n bits.
NOTE

If the first 3 bits of an IPv6 unicast address are not 000, the interface ID must be of 64 bits. If the first 3
bits are 000, there is no such limitation.

The interface ID can be manually configured, generated through the system software, or
generated in IEEE 64-bit Extended Unique Identifier (EUI-64) format. It is most common to
generate the interface ID in EUI-64 format.
IEEE EUI-64 standards convert an interface MAC address into an IPv6 interface ID. As shown
in Figure 8-1, if a 48-bit MAC address is used as an interface ID, the first 24 bits (expressed by
c) are a vendor identifier, and the last 24 bits (expressed by m) are an extension identifier. If the
higher seventh bit is 0, the MAC address is locally unique. During conversion, EUI-64 inserts
FFFE between the vendor identifier and extension identifier of the MAC address, and then the
higher seventh bit 0 is changed to 1 to indicate that the interface ID is globally unique.
Figure 8-1 EUI-64 format
MAC address:                       cccccc0ccccccccccccccccc mmmmmmmmmmmmmmmmmmmmmmmm
Insert FFFE (1111111111111110):    cccccc0ccccccccccccccccc 1111111111111110 mmmm...mmmm
Change the seventh high bit to 1:  cccccc1ccccccccccccccccc 1111111111111110 mmmm...mmmm

For example, if the MAC address is 000E-0C82-C4D4, the interface ID is 020E:0CFF:FE82:C4D4 after the conversion.
The method for converting MAC addresses into IPv6 interface IDs reduces the configuration
workload. When stateless address autoconfiguration is used, you only need an IPv6 network
prefix before obtaining an IPv6 address. The defect of this method is that an IPv6 address can
be easily calculated based on a MAC address.
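The conversion described above and its reverse, as an added Python example (not Huawei code and not part of the original guide): it derives the interface ID from a MAC address and recovers the MAC from any address whose interface ID carries the FFFE marker, which is the check to run over logged addresses to find hosts that expose their MAC. Function names, the 2001:db8::/64 documentation prefix and the sample address list are constructed assumptions; the bit is inverted as RFC 4291 specifies, which for the guide's MAC is the 0-to-1 change it describes.

```python
import ipaddress
import re


def parse_mac(mac):
    """Accept 000E-0C82-C4D4, 00:0e:0c:82:c4:d4 or 00-0E-0C-82-C4-D4; return 6 bytes."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Insert FFFE after the vendor identifier and invert the seventh bit of the first byte."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def format_iid(iid):
    """Eight bytes as four colon-separated groups, e.g. 020E:0CFF:FE82:C4D4."""
    return ":".join("%02X%02X" % (iid[i], iid[i + 1]) for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Combine a 64-bit network prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Return the embedded MAC (XXXX-XXXX-XXXX) if the interface ID has the FFFE marker.

    This is a heuristic: a randomly generated interface ID can contain FFFE by chance.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]).hex().upper()
    return "-".join(mac[i:i + 4] for i in range(0, 12, 4))


def find_mac_derived(addresses):
    """Map every address that embeds a MAC to that MAC; other addresses are skipped."""
    found = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is not None:
            found[addr] = mac
    return found


# Constructed sample: addresses as they might appear in a flow or access log.
SAMPLE_ADDRESSES = [
    "2001:db8::20e:cff:fe82:c4d4",      # EUI-64 derived from the guide's MAC
    "fe80::20e:cff:fe82:c4d4",          # same interface ID on the link-local prefix
    "2001:db8::1",                      # manually configured interface ID
    "2001:db8::a1b2:c3d4:e5f6:718",     # interface ID without the FFFE marker
]

if __name__ == "__main__":
    print(format_iid(eui64_interface_id("000E-0C82-C4D4")))
    for address, mac in find_mac_derived(SAMPLE_ADDRESSES).items():
        print(address, "->", mac)
```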

IPv6 Address Types


IPv6 addresses are classified into unicast, anycast, and multicast addresses. Compared to IPv4,
IPv6 has no broadcast address, uses multicast addresses as broadcast addresses, and introduces
a new address type, the anycast address.
IPv6 Unicast Address
An IPv6 unicast address identifies an interface. Each interface belongs to a node. Therefore, the
IPv6 unicast address of any interface on a node can identify the node. Packets sent to an IPv6
unicast address are delivered to the interface identified by the unicast address.
IPv6 defines multiple unicast addresses, including unspecified address, loopback address, global
unicast address, link-local address, and unique local address.

• Unspecified address
An IPv6 unspecified address is 0:0:0:0:0:0:0:0/128 or ::/128, indicating that an interface or a node does not have an IP address. It can be used as the source IP address of some packets, such as the Neighbor Solicitation (NS) message in duplicate address detection. Devices do not forward packets whose source IP address is an unspecified address.

• Loopback address
An IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128. Similar to the IPv4 loopback address 127.0.0.1, the IPv6 loopback address is used when a node needs to send IPv6 packets to itself. This IPv6 loopback address is usually used as the IP address of a virtual interface (a loopback interface for example). The loopback address cannot be used as the source or destination IP address of packets that need to be forwarded.

• Global unicast address
An IPv6 global unicast address is an IPv6 address with a global unicast prefix, which is similar to an IPv4 public address. IPv6 global unicast addresses support route prefix summarization, helping limit the number of global routing entries.
A global unicast address consists of a global routing prefix, subnet ID, and interface ID, as shown in Figure 8-2.
Figure 8-2 Global unicast address format
| Global routing prefix (begins with 001) | Subnet ID    | Interface ID       |
| m bit (Provider)                        | n bit (Site) | 128-m-n bit (Host) |

Global routing prefix: is assigned by a service provider to an organization. A global routing prefix is of at least 48 bits. Currently, the first 3 bits of all the assigned global routing prefixes are 001.
Subnet ID: is used by organizations to construct a local network (site). There are a maximum of 64 bits for both the global routing prefix and subnet ID. It is similar to an IPv4 subnet number.
Interface ID: identifies a device (host).

• Link-local address
Link-local addresses are used only in communication between nodes on the same local link.
A link-local address uses a link-local prefix FE80::/10 as the first 10 bits (1111111010 in
binary) and an interface ID as the last 64 bits.
When IPv6 runs on a node, each interface of the node is automatically assigned a link-local
address that consists of a fixed prefix and an interface ID in EUI-64 format. This mechanism
enables two IPv6 nodes on the same link to communicate without any configuration.
Therefore, link-local addresses are widely used in neighbor discovery and stateless address
configuration.
Devices do not forward IPv6 packets with the link-local address as a source or destination
address to devices on different links.


Figure 8-3 shows the link-local address format.
Figure 8-3 Link-local address format
| First 64 bit, starting with the 10-bit prefix 1111 1110 10 (FE80::/10) | Interface ID (64 bit) |

• Unique local address


Unique local addresses are used only within a site. Site-local addresses are deprecated in
RFC 3879 and replaced by unique local addresses in RFC 4193.
Unique local addresses are similar to IPv4 private addresses. Any organization that does
not obtain a global unicast address from a service provider can use a unique local address.
Unique local addresses are routable only within a local network but not the Internet.
Figure 8-4 shows the unique local address format.
Figure 8-4 Unique local address format
| Prefix: 1111 110 (FC00::/7) | L     | Global ID | Subnet ID | Interface ID |
| 7 bit                       | 1 bit | 40 bit    | 16 bit    | 64 bit       |

Prefix: is fixed as FC00::/7.
L: is set to 1 if the address is valid within a local network. The value 0 is reserved for future expansion.
Global ID: indicates a globally unique prefix, which is pseudo-randomly allocated (for details, see RFC 4193).
Subnet ID: identifies a subnet within the site.
Interface ID: identifies an interface.
A unique local address has the following characteristics:
  - Has a globally unique prefix. The prefix is pseudo-randomly allocated and has a high probability of uniqueness.
  - Allows private connections between sites without creating address conflicts.
  - Has a well-known prefix (FC00::/7) that allows for easy route filtering at site boundaries.
  - Does not conflict with any other addresses if it is leaked outside of the site through routing.
  - Functions as a global unicast address to applications.
  - Is independent of the Internet Service Provider (ISP).
IPv6 Multicast Address
Like an IPv4 multicast address, an IPv6 multicast address identifies a group of interfaces, which
usually belong to different nodes. A node may belong to any number of multicast groups. Packets
sent to an IPv6 multicast address are delivered to all the interfaces identified by the multicast
address. For example, the multicast address FF02::1 indicates all nodes within the link-local
scope and FF02::2 indicates all routers within the link-local scope.
An IPv6 multicast address is composed of a prefix, flag, scope, and group ID (global ID):
• Prefix: is fixed as FF00::/8.
• Flag: is 4 bits long. The high-order 3 bits are reserved and must be set to 0s. The last bit 0 indicates a permanently-assigned (well-known) multicast address allocated by the Internet Assigned Numbers Authority (IANA). The last bit 1 indicates a non-permanently-assigned (transient) multicast address.
• Scope: is 4 bits long. It limits the scope where multicast data flows are sent on the network. Figure 8-5 shows the field values and meanings.
• Group ID (global ID): is 112 bits long. It identifies a multicast group. RFC 2373 does not define all the 112 bits as a group ID but recommends using the low-order 32 bits as the group ID and setting all the remaining 80 bits to 0s. In this case, each multicast group ID maps to a unique Ethernet multicast MAC address (for details, see RFC 2464).

Figure 8-5 shows the IPv6 multicast address format.

Figure 8-5 IPv6 multicast address format
| 1111 1111 (FF) | Flag  | Scope | Reserved must be zero | Group ID |
| 8 bit          | 4 bit | 4 bit | 80 bit                | 32 bit   |

field   value     description
Flag    1         temporary multicast address
Flag    0         permanent multicast address
Scope   1         node
Scope   2         link
Scope   4         management
Scope   5         site
Scope   8         organization
Scope   E         global
Scope   (others)  the rest unassigned or reserved

• Solicited-node multicast address
A solicited-node multicast address is generated using an IPv6 unicast or anycast address of a node. When a node has an IPv6 unicast or anycast address, a solicited-node multicast address is generated for the node, and the node joins the multicast group that corresponds to the IPv6 unicast or anycast address. A unicast or anycast address corresponds to a solicited-node multicast address, which is often used in neighbor discovery and duplicate address detection.
IPv6 does not support broadcast addresses or Address Resolution Protocol (ARP). In IPv6, Neighbor Solicitation (NS) packets are used to resolve IP addresses to MAC addresses. When a node needs to resolve an IPv6 address to a MAC address, it sends an NS packet in which the destination IP address is the solicited-node multicast address corresponding to the IPv6 address.
The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the corresponding unicast address.
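A classifier built from the prefixes and field layouts this section gives (unicast address types, multicast Flag and Scope, the solicited-node rule), as an added Python example that is not Huawei code or part of the original guide; it also applies the forwarding restrictions stated above for unspecified, loopback, link-local and unique local addresses. Function names and the site_boundary parameter are assumptions, and 2000::/3 is the prefix form of the leading bits 001.

```python
import ipaddress

# Prefixes as given in this section; 2000::/3 expresses "first 3 bits are 001".
PREFIXES = (
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),
)
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
# Scope values and names from Figure 8-5.
SCOPES = {0x1: "node", 0x2: "link", 0x4: "management", 0x5: "site",
          0x8: "organization", 0xE: "global"}


def classify(addr):
    """Name the address type by prefix. Anycast addresses come from the unicast
    space, so they cannot be told apart from unicast addresses by syntax."""
    a = ipaddress.IPv6Address(addr)
    for name, net in PREFIXES:
        if a in net:
            return name
    return "other"


def decode_multicast(addr):
    """Split a multicast address into the Flag, Scope and Group ID fields."""
    a = ipaddress.IPv6Address(addr)
    if classify(a) != "multicast":
        raise ValueError("%s is not in FF00::/8" % a)
    raw = a.packed
    flag, scope = raw[1] >> 4, raw[1] & 0x0F
    return {
        "permanent": (flag & 0x1) == 0,              # last flag bit 0 = permanently assigned
        "scope": SCOPES.get(scope, "unassigned or reserved"),
        "group_id": int.from_bytes(raw[12:], "big"),  # low-order 32 bits
        "solicited_node": a in SOLICITED_NODE,
    }


def solicited_node(addr):
    """FF02::1:FF00:0/104 plus the last 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def may_forward(src, dst, site_boundary=False):
    """Apply the forwarding restrictions stated in this section; returns (allowed, reason)."""
    s, d = classify(src), classify(dst)
    if s == "unspecified":
        return False, "source is the unspecified address"
    if "loopback" in (s, d):
        return False, "loopback address as source or destination"
    if "link-local" in (s, d):
        return False, "link-local addresses stay on their own link"
    if site_boundary and "unique-local" in (s, d):
        return False, "unique local addresses are filtered at the site boundary"
    return True, "no restriction from this section applies"


if __name__ == "__main__":
    example = "2031:0:130F::9C0:876A:130B"            # address used in this section
    print(classify(example), solicited_node(example))
    print(decode_multicast("ff02::1"))
    print(may_forward("fe80::1", example))
```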
IPv6 Anycast Address
An anycast address identifies a group of network interfaces, which usually belong to different
nodes. Packets sent to an anycast address are delivered to the nearest interface that is identified
by the anycast address, depending on the routing protocols.
Anycast addresses are designed to implement the redundancy and load balancing functions when
multiple hosts or nodes are provided with the same services. Currently, a unicast address is
assigned to more than one interface to make a unicast address become an anycast address. When
a unicast address is assigned to multiple hosts or nodes, the sender cannot determine which
device can receive the sent data packets with the destination IP address as the anycast address,
if there are multiple routes to the anycast address. This depends on the routing protocols running
on the network. Anycast addresses are used in stateless applications, such as Domain Name
Service (DNS).
IPv6 anycast addresses are allocated from the unicast address space. Anycast addresses are used
in mobile IPv6 applications.
NOTE

IPv6 anycast addresses can be assigned only to devices but not hosts. Anycast addresses cannot be used as
the source IP addresses of IPv6 packets.

• Subnet-router anycast address
A subnet-router anycast address is predefined in RFC 3513. Packets sent to a subnet-router anycast address are delivered to the nearest device on the subnet identified by the anycast address, depending on the routing protocols. All devices must support subnet-router anycast addresses. A subnet-router anycast address is used when a node needs to communicate with any of the devices on the subnet identified by the anycast address. For example, a mobile node needs to communicate with one of the mobile agents on the home subnet.
In a subnet-router anycast address, the n-bit subnet prefix identifies a subnet and the remaining bits are padded with 0s. Figure 8-6 shows the subnet-router anycast address format.
Figure 8-6 Subnet-router anycast address format
| Subnet prefix | 0         |
| n bit         | 128-n bit |

8.2.2 IPv6 Packet Format


An IPv6 packet has three parts: an IPv6 basic header, one or more IPv6 extension headers, and
an upper-layer protocol data unit (PDU).
An upper-layer PDU is composed of the upper-layer protocol header and its payload such as an
ICMPv6 packet, a TCP packet, or a UDP packet.

IPv6 Basic Header


An IPv6 basic header is fixed as 40 bytes long and has eight fields. Each IPv6 packet must have
an IPv6 basic header. The IPv6 basic header provides basic packet forwarding information and
will be parsed by all devices on the forwarding path.
Figure 8-7 shows the IPv6 basic header.
Figure 8-7 IPv6 basic header
|<-------------------------- 32 bit --------------------------->|
| Version | Traffic Class |             Flow Label              |
|        Payload Length        |   Next Header   |  Hop Limit   |
|                        Source Address                         |
|                      Destination Address                      |
(Basic Header, 40 octets)
| Next Header |          Extension Header information           |
(Extension Header, variable length)

An IPv6 basic header contains the following fields:


• Version: is 4 bits long. In IPv6, the Version field value is 6.
• Traffic Class: is 8 bits long. It indicates the class or priority of an IPv6 packet. The Traffic Class field is similar to the TOS field in an IPv4 packet and is mainly used in QoS control.
• Flow Label: is 20 bits long. This field is added in IPv6 to differentiate traffic. A flow label and source IP address identify a data flow. Intermediate network devices can effectively differentiate data flows based on this field.
• Payload Length: is 16 bits long, which indicates the length of the IPv6 payload. The payload is the rest of the IPv6 packet following this basic header, including the extension header and upper-layer PDU. This field indicates only the payload with the maximum length of 65535 bytes. If the payload length exceeds 65535 bytes, the field is set to 0, and the payload length is expressed by the Jumbo Payload option in the Hop-by-Hop Options header.
• Next Header: is 8 bits long. This field identifies the type of the first extension header that follows the IPv6 basic header or the protocol type in the upper-layer PDU.
• Hop Limit: is 8 bits long. This field is similar to the Time to Live field in an IPv4 packet, defining the maximum number of hops that an IP packet can pass through. The field value is decremented by 1 by each device that forwards the IP packet. When the field value becomes 0, the packet is discarded.
• Source Address: is 128 bits long, which indicates the address of the packet originator.
• Destination Address: is 128 bits long, which indicates the address of the packet recipient.

Compared with the IPv4 packet header, the IPv6 packet header does not carry IHL, identifier,
flag, fragment offset, header checksum, option, and padding fields but carries the flow label
field. This facilitates IPv6 packet processing and improves processing efficiency. To support
various options without changing the existing packet format, the Extension Header information
field is added to the IPv6 packet header. This improves IPv6 flexibility. The following describes
IPv6 extension headers.

IPv6 Extension Header


An IPv4 packet header has an optional field (Options), which includes security, timestamp, and
record route options. The variable length of the Options field makes the IPv4 packet header
length range from 20 bytes to 60 bytes. When devices forward IPv4 packets with the Options
field, many resources need to be used. Therefore, these IPv4 packets are rarely used in practice.
To improve packet processing efficiency, IPv6 uses extension headers to replace the Options
field in the IPv4 header. Extension headers are placed between the IPv6 basic header and
upper-layer PDU. An IPv6 packet may carry zero, one, or more extension headers. The sender of a
packet adds one or more extension headers to the packet only when the sender requests other
devices or the destination device to perform special handling. Unlike IPv4, IPv6 has
variable-length extension headers, which are not limited to 40 bytes. This facilitates further extension.
To improve extension header processing efficiency and transport protocol performance, IPv6
requires that the extension header length be an integer multiple of 8 bytes.
When multiple extension headers are used, the Next Header field of an extension header indicates
the type of the next header following this extension header. As shown in Figure 8-8, the Next
Header field in the IPv6 basic header indicates the type of the first extension header, and the
Next Header field in the first extension header indicates the type of the next extension header.
If the next extension header does not exist, the Next Header field indicates the upper-layer
protocol type. Figure 8-8 shows the IPv6 extension header format.

Figure 8-8 IPv6 extension header format
[Figure: Basic header (40 octets): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address. Extension headers (variable length): each consists of Next Header, Extension Header Len, and Extension Head Data, repeated up to the last extension header. Followed by Data.]

An IPv6 extension header contains the following fields:


- Next Header: is 8 bits long. It is similar to the Next Header field in the IPv6 basic header, indicating the type of the next extension header (if existing) or the upper-layer protocol type.
- Extension Header Len: is 8 bits long, which indicates the extension header length excluding the Next Header field.
- Extension Head Data: is of variable length. It includes a series of options and the padding field.

RFC 2460 defines six IPv6 extension headers: Hop-by-Hop Options header, Destination Options
header, Routing header, Fragment header, Authentication header, and Encapsulating Security
Payload header.


Table 8-2 IPv6 extension headers

| Header Type | Next Header Field Value | Description |
|---|---|---|
| Hop-by-Hop Options header | 0 | This header carries information that must be examined by every node along the delivery path of a packet. This header is used in the following applications: jumbo payload (the payload length exceeds 65535 bytes); prompting devices to check this option before the devices forward packets; Resource Reservation Protocol (RSVP). |
| Destination Options header | 60 | This header carries information that needs to be examined only by the destination node of a packet. Currently, this header is used in mobile IPv6. |
| Routing header | 43 | Similar to the Loose Source and Record Route option in IPv4, this header is used by an IPv6 source node to specify the intermediate nodes that a packet must pass through on the way to the destination of the packet. |
| Fragment header | 44 | Like IPv4 packets, IPv6 packets to be forwarded cannot exceed the MTU. When the packet length exceeds the MTU, the packet needs to be fragmented. In IPv6, the Fragment header is used by an IPv6 source node to send a packet larger than the MTU. |
| Authentication header | 51 | This header is used in IPSec to provide data origin authentication, data integrity check, and packet anti-replay. It also protects some fields in the IPv6 basic header. |
| Encapsulating Security Payload header | 50 | Similar to the Authentication header, this header is used in IPSec to provide data origin authentication, data integrity check, packet anti-replay, and IPv6 packet encryption. |

Conventions on IPv6 extension headers


When more than one extension header is used in the same packet, the headers must be listed in
the following order:
- IPv6 basic header
- Hop-by-Hop Options header
- Destination Options header
- Routing header
- Fragment header
- Authentication header
- Encapsulating Security Payload header
- Destination Options header
- Upper-layer header

Intermediate devices determine whether to process extension headers according to the Next
Header field value in the IPv6 basic header. Not all extension headers need to be examined and
processed by intermediate devices.
Each extension header can only occur once in an IPv6 packet, except for the Destination Options
header. The Destination Options header may occur at most twice (once before a Routing header
and once before the upper-layer header).
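
The following Python sketch is an added example, not code from this guide or from the device software. It parses the 40-byte basic header, walks the extension header chain through the Next Header fields, and reports headers that break the order and occurrence rules above. The length arithmetic follows RFC 2460, the sample packets are constructed, and the code assumes unfragmented packets or first fragments.

```python
import ipaddress
import struct

# Next Header values: 60, 43, 44, 51 and 50 are listed in Table 8-2;
# 0 (Hop-by-Hop Options) is the value defined in RFC 2460.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
ICMPV6 = 58

EXT_NAMES = {
    HOP_BY_HOP: "Hop-by-Hop Options", DEST_OPTS: "Destination Options",
    ROUTING: "Routing", FRAGMENT: "Fragment",
    AH: "Authentication", ESP: "Encapsulating Security Payload",
}
# Position of each header in the required order. Destination Options is
# ranked in the loop: 1 before a Routing header, 6 before the upper layer.
ORDER = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}


def header_size(kind: int, packet: bytes, offset: int):
    """Length in bytes of the extension header at offset, or None if truncated."""
    if offset + 8 > len(packet):          # every extension header is >= 8 bytes
        return None
    length_field = packet[offset + 1]
    if kind == FRAGMENT:
        size = 8                          # fixed size, second byte is reserved
    elif kind == AH:
        size = (length_field + 2) * 4     # AH counts 4-byte units minus 2
    else:
        size = (length_field + 1) * 8     # 8-byte units, first 8 bytes not counted
    return size if offset + size <= len(packet) else None


def parse_ipv6(packet: bytes) -> dict:
    """Parse the basic header, then validate the extension header chain."""
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte IPv6 basic header")
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("Version field is not 6")
    info = {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "chain": [],
        "findings": [],
    }
    offset, last_rank = 40, -1
    while next_header in EXT_NAMES:
        name = EXT_NAMES[next_header]
        if next_header == DEST_OPTS:
            rank = 1 if last_rank < 1 else 6
        else:
            rank = ORDER[next_header]
        if rank <= last_rank:
            info["findings"].append(f"{name} header repeated or out of order")
        last_rank = max(last_rank, rank)
        info["chain"].append(name)
        if next_header == ESP:            # everything after ESP is encrypted
            next_header = None
            break
        size = header_size(next_header, packet, offset)
        if size is None:
            info["findings"].append(f"{name} header truncated")
            next_header = None
            break
        next_header = packet[offset]      # Next Header field of this header
        offset += size
    info["upper_layer"] = next_header     # None if the chain could not be followed
    info["upper_layer_offset"] = offset
    return info


# --- Constructed sample packets (documentation addresses, not captured traffic) ---
def _packet(next_header: int, payload: bytes) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address("2001:db8::2").packed + payload)


def _options_header(next_header: int) -> bytes:
    # Next Header, length field 0, then one PadN option filling the 8 bytes.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


ECHO_REQUEST = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # Type 128, Code 0, checksum left 0
SAMPLE_OK = _packet(HOP_BY_HOP,
                    _options_header(DEST_OPTS) + _options_header(ICMPV6) + ECHO_REQUEST)
SAMPLE_BAD = _packet(DEST_OPTS,
                     _options_header(HOP_BY_HOP) + _options_header(ICMPV6) + ECHO_REQUEST)

if __name__ == "__main__":
    for label, pkt in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        result = parse_ipv6(pkt)
        print(label, result["chain"], result["upper_layer"], result["findings"])
```
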

8.2.3 ICMPv6
The Internet Control Message Protocol version 6 (ICMPv6) is one of the basic IPv6 protocols.
In IPv4, ICMP reports IP packet forwarding information and errors to the source node. ICMP
defines certain messages such as Destination Unreachable, Packet Too Big, Time Exceeded, and
Echo Request or Echo Reply to facilitate fault diagnosis and information management. In
addition to the common functions provided by ICMPv4, ICMPv6 provides mechanisms such as
Neighbor Discovery (ND), stateless address configuration including duplicate address detection,
and Path Maximum Transmission Unit (PMTU) discovery.
The protocol number of ICMPv6, namely the value of the Next Header field in an IPv6 packet,
is 58. Figure 8-9 shows the ICMPv6 packet format.
Figure 8-9 Format of an ICMPv6 packet
[Figure: IPv6 basic header (Next header = 58) followed by the ICMPv6 packet, which consists of the Type, Code, Checksum, and ICMPv6 Data fields]

Some fields in the packet are described as follows:


- Type: specifies the message type. Values 0 to 127 indicate the error message type, and values 128 to 255 indicate the informational message type.
- Code: indicates a specific message type.
- Checksum: indicates the checksum of an ICMPv6 packet.

Classification of ICMPv6 Error Messages


Error messages report errors generated during IPv6 packet forwarding. ICMPv6 error messages
are classified into the following four types:
- Destination Unreachable message
  During IPv6 packet forwarding, if an IPv6 node detects that the destination address of a packet is unreachable, it sends an ICMPv6 Destination Unreachable message to the source node. Information about the causes for the error message is carried in the message.
  In an ICMPv6 Destination Unreachable message, the value of the Type field is 1. Based on different causes, the value of the Code field can be:
  Code=0: No route to the destination device.
  Code=1: Communication with the destination device is administratively prohibited.
  Code=2: Not assigned.
  Code=3: Destination IP address is unreachable.
  Code=4: Destination port is unreachable.
- Packet Too Big message
  During IPv6 packet forwarding, if an IPv6 node detects that the size of a packet exceeds the link MTU of the outbound interface, it sends an ICMPv6 Packet Too Big message to the source node. The link MTU of the outbound interface is carried in the message. PMTU discovery is implemented based on Packet Too Big messages.
  In a Packet Too Big message, the value of the Type field is 2 and the value of the Code field is 0.
- Time Exceeded message
  During the transmission of IPv6 packets, when a device receives a packet with the hop limit being 0 or a device reduces the hop limit to 0, it sends an ICMPv6 Time Exceeded message to the source node. During the processing of a packet to be fragmented and reassembled, an ICMPv6 Time Exceeded message is also generated when the reassembly time is longer than the specified period.
  In a Time Exceeded message, the value of the Type field is 3. Based on different causes, the value of the Code field can be:
  Code=0: Hop limit exceeded in packet transmission.
  Code=1: Fragment reassembly timeout.
- Parameter Problem message
  When a destination node receives an IPv6 packet, it checks the validity of the packet. If an error is detected, it sends an ICMPv6 Parameter Problem message to the source node.
  In a Parameter Problem message, the value of the Type field is 4. Based on different causes, the value of the Code field can be:
  Code=0: A field in the IPv6 basic header or extension header is incorrect.
  Code=1: The Next Header field in the IPv6 basic header or extension header cannot be identified.
  Code=2: Unknown options exist in the extension header.

Classification of ICMPv6 Information Messages


ICMPv6 information messages provide diagnosis and additional host functions such as
Multicast Listener Discovery (MLD) and ND. Common ICMPv6 information messages include
Ping messages that consist of Echo Request and Echo Reply messages.
- Echo Request messages: Echo Request messages are sent to destination nodes. After receiving an Echo Request message, the destination node responds with an Echo Reply message. In an Echo Request message, the value of the Type field is 128 and the value of the Code field is 0.
- Echo Reply messages: After receiving an Echo Request message, the destination node responds with an Echo Reply message. In an Echo Reply message, the value of the Type field is 129 and the value of the Code field is 0.

8.2.4 Neighbor Discovery


The Neighbor Discovery Protocol (NDP) is an important basic IPv6 protocol. It is an
enhancement of the Address Resolution Protocol (ARP) and Internet Control Message
Protocol (ICMP) router discovery in IPv4. In addition to the function of ICMPv6 address
resolution, NDP also provides the following functions: neighbor tracking, duplicate address
detection, router discovery, and redirection.

Address Resolution
In IPv4, a host needs to obtain the link-layer address of the destination host through the ARP
protocol for communication. Similar to IPv4, the IPv6 NDP protocol resolves the IP address to
obtain the link-layer address.
ARP packets are encapsulated in Ethernet packets. The Ethernet type value is 0x0806. ARP is
defined as a protocol that runs between Layer 2 and Layer 3. ND is implemented through
ICMPv6 packets. The Ethernet type value is 0x86dd. The Next Header value in the IPv6 header
is 58, indicating that the packets are ICMPv6 packets. NDP packets are encapsulated in ICMPv6
packets. Therefore, NDP is taken as a Layer 3 protocol. Layer 3 address resolution brings the
following advantages:
- Layer 3 address resolution enables Layer 2 devices to use the same address resolution protocol.
- Layer 3 security mechanisms such as IPSec are used to prevent address resolution attacks.
- Request packets are sent in multicast mode, reducing performance requirements on Layer 2 networks.

Neighbor Solicitation (NS) packets and Neighbor Advertisement (NA) packets are used during
address resolution.
- In an NS packet, the value of the Type field is 135 and the value of the Code field is 0. An NS packet is similar to the ARP Request packet in IPv4.
- In an NA packet, the value of the Type field is 136 and the value of the Code field is 0. An NA packet is similar to the ARP Reply packet in IPv4.

Figure 8-10 shows the process of address resolution.
Figure 8-10 IPv6 address resolution
[Figure: NS and NA exchange between Host A and Host B]
NS (Host A to Host B): ICMP Type = 135; Src = IPv6-Addr of A; Dst = solicited-node multicast of B; Data = link-layer address of A; Query = What is your link address?
NA (Host B to Host A): ICMP Type = 136; Src = IPv6-Addr of B; Dst = IPv6-Addr of A; Data = link-layer address of B
A and B can now exchange packets on this link

Host A needs to resolve the link-layer address of Host B before sending packets to Host B.
Therefore, Host A sends an NS message on the network. In the NS message, the source IP address
is the IPv6 address of Host A, and the destination IP address is the solicited-node multicast
address of Host B. The destination IP address to be resolved is the IPv6 address of Host B. This
indicates that Host A wants to know the link-layer address of Host B. The Options field in the
NS message carries the link-layer address of Host A.
After receiving the NS message, Host B replies with an NA Reply message. In the NA reply
message, the source address is the IPv6 address of Host B, and the destination address is the
IPv6 address of Host A (the NA message is sent to Host A in unicast mode using the link-layer
address of Host A). The Options field carries the link-layer address of Host B. This is the whole
address resolution process.

Neighbor Tracking
Communication with neighboring devices will be interrupted for various reasons, such
as hardware faults and hot swapping of interface cards. If the destination address of a neighboring
device becomes invalid, communication cannot be restored. If the path fails, communication
can be restored. Therefore, nodes need to maintain the neighbor table to monitor the status of
each neighboring device. A neighbor state can transit from one to another.
Five neighbor states are defined in RFC 2461: Incomplete, Reachable, Stale, Delay, and Probe.
Figure 8-11 shows the transition of neighbor states. The Empty state indicates that the neighbor
table is empty.
Figure 8-11 Neighbor state transition
[Figure: transitions among the Empty, Incomplete, Reachable, Stale, Delay, and Probe states]
The following example describes the neighbor state changes of node A during the first
communication with node B.
1. Node A sends an NS message and generates a cache entry. The neighbor state of node A is Incomplete.
2. If node B replies with an NA message, the neighbor state of node A changes from Incomplete to Reachable; otherwise, the neighbor state changes from Incomplete to Empty after a certain period of time. Node A deletes this entry.
3. After the neighbor reachable time times out, the neighbor state changes from Reachable to Stale, indicating that whether the neighbor is reachable is unknown.
4. If node A in the Reachable state receives a non-NA Request message from node B, and the link-layer address of node B carried in the message is different from that learned by node A, the neighbor state of node A immediately goes to Stale.
5. If node A in the Stale state sends data to node B, the state of node A changes from Stale to Delay. Node A sends an NS Request message.
6. After a certain period of time, the neighbor state changes from Delay to Probe. During this time, if node A receives an NA Reply message, the neighbor state of node A changes to Reachable.
7. Node A in the Probe state sends unicast NS messages at the configured interval for several times. If node A receives a Reply message, the neighbor state of node A changes from Probe to Reachable; otherwise, the state changes to Empty. Node A deletes this entry.

Duplicate Address Detection


Before an IPv6 unicast address is assigned to an interface, duplicate address detection (DAD)
is performed to check whether the address is used by another node. DAD is required if IP
addresses are configured automatically. An IPv6 unicast address that is assigned to an interface
but has not been verified by DAD is called a tentative address. An interface cannot use the
tentative address for unicast communication but will join two multicast groups: the all-nodes
multicast group and the solicited-node multicast group.
IPv6 DAD is similar to IPv4 gratuitous ARP. A node sends an NS message to the solicited-node
multicast group, and the message carries the tentative address as the requested address. If the
node receives an NA Reply message, the tentative address is being used by another node. This
node will not use this tentative address for communication.
Figure 8-12 shows the DAD working principle.
Figure 8-12 DAD example
[Figure: NS and NA exchange between Host A (tentative address: 2000::1) and Host B (2000::1)]
NS (from Host A): ICMP Type = 135; Src = ::; Dst = FF02::1:FF00:1; Data = 2000::1; Query = Anyone has this address?
NA (from Host B): ICMP Type = 136; Src = 2000::1; Dst = FF02::1; Data = 2000::1; Answer = I have this address.

An IPv6 address 2000::1 is assigned to Host A as a tentative IPv6 address. To check the validity
of 2000::1, Host A sends an NS message to the solicited-node multicast group to which 2000::1
belongs. The NS message contains the requested address 2000::1. Because 2000::1 is still
tentative and cannot be used yet, the source address of the NS message is the unspecified
address (::). After receiving the NS message, Host B processes the message in the following ways:
- If 2000::1 is also a tentative address of Host B, Host B does not use this address as an interface address and does not send an NA message.
- If 2000::1 is being used on Host B, Host B sends an NA message to FF02::1. The NA message carries IP address 2000::1. In this way, Host A can find that the tentative address is duplicated after receiving the message. The tentative address then does not take effect on Host A and is marked as duplicated.

Router Discovery
Router discovery is used to locate a neighboring device and learn the address prefix and
configuration parameters for address autoconfiguration.
IPv6 supports stateless address autoconfiguration. Hosts obtain IPv6 prefixes and automatically
generate interface IDs. Router discovery is the basis for IPv6 address autoconfiguration and
is implemented through the following two packets:
- Router Advertisement (RA) message: Each router periodically sends multicast RA messages that carry network prefixes and identifiers on the network to declare its existence to Layer 2 hosts and devices. An RA message has a value of 134 in the Type field.
- Router Solicitation (RS) message: After being connected to the network, a host immediately sends an RS message to obtain network prefixes. Devices on the network reply with an RA message. An RS message has a value of 133 in the Type field.

Figure 8-13 shows the router discovery function.
Figure 8-13 Router discovery example
[Figure: RS and RA exchange between a host and a router]
RS: ICMP Type = 133; Src = self interface address; Dst = all-router multicast address (FF02::2)
RA: ICMP Type = 134; Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = Router lifetime, Cur hop limit, Autoconfig flag, options (prefix, MTU)...

Address Autoconfiguration
IPv4 uses DHCP to automatically configure IP addresses and default gateways. This simplifies
network management. The length of an IPv6 address is increased to 128 bits. Multiple terminal
nodes require the function of automatic configuration. IPv6 allows both stateful and stateless
address autoconfiguration. Stateless autoconfiguration enables hosts to automatically generate
link-local addresses. Based on the prefixes in the RA message, hosts automatically configure
global unicast addresses and obtain other information.
The process of IPv6 stateless autoconfiguration is as follows:
1. A host automatically configures the link-local address based on the interface ID.
2. The host sends an NS message for duplicate address detection.
3. If address conflict occurs, the host stops address autoconfiguration. Then addresses need to be configured manually.
4. If addresses do not conflict, the link-local address takes effect. The host is connected to the network and can communicate with the local node.
5. The host sends an RS message or receives the RA messages that devices periodically send.
6. The host obtains the IPv6 address based on the prefixes carried in the RA message and the interface ID.
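
The address arithmetic behind these steps and behind the DAD exchange in Figure 8-12 is carried through in the Python sketch below, which is an added example and not code from this guide. It assumes the interface ID is derived from a 48-bit MAC address in modified EUI-64 form (RFC 4291); the MAC address, the RA prefix, and the `in_use` set that stands in for neighbors answering with an NA are constructed values.

```python
import ipaddress

LINK_LOCAL_BASE = ipaddress.IPv6Address("fe80::")
SOLICITED_NODE_BASE = ipaddress.IPv6Address("ff02::1:ff00:0")
UNSPECIFIED = ipaddress.IPv6Address("::")
NS_TYPE = 135  # ICMPv6 Type of a Neighbor Solicitation message


def eui64_interface_id(mac: str) -> int:
    """64-bit interface ID: flip the universal/local bit and insert FFFE."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit link-layer address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def link_local(mac: str) -> ipaddress.IPv6Address:
    """Step 1: link-local address built from the interface ID."""
    return LINK_LOCAL_BASE + eui64_interface_id(mac)


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Step 6: prefix carried in the RA message plus the interface ID."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return network.network_address + eui64_interface_id(mac)


def solicited_node(address) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, formed from the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return SOLICITED_NODE_BASE + low24


def dad_probe(tentative: ipaddress.IPv6Address) -> dict:
    """Step 2: the NS sent for DAD, with the unspecified source address."""
    return {"icmpv6_type": NS_TYPE, "src": UNSPECIFIED,
            "dst": solicited_node(tentative), "target": tentative}


def autoconfigure(mac: str, ra_prefix: str, in_use: set) -> dict:
    """Walk the procedure; in_use simulates addresses a neighbor would defend."""
    configured, probes = [], []
    for tentative in (link_local(mac), address_from_prefix(ra_prefix, mac)):
        probes.append(dad_probe(tentative))
        if tentative in in_use:           # step 3: an NA came back, stop here
            return {"configured": configured, "duplicate": tentative,
                    "probes": probes}
        configured.append(tentative)      # step 4: address takes effect
    return {"configured": configured, "duplicate": None, "probes": probes}


SAMPLE_MAC = "00:1e:10:2a:3b:4c"          # constructed
SAMPLE_PREFIX = "2001:db8:1::/64"         # constructed, documentation prefix

if __name__ == "__main__":
    print(solicited_node("2000::1"))      # the group used in Figure 8-12
    result = autoconfigure(SAMPLE_MAC, SAMPLE_PREFIX, in_use=set())
    for probe in result["probes"]:
        print("NS", probe["src"], "->", probe["dst"], "target", probe["target"])
    print("configured:", [str(a) for a in result["configured"]])
```
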

Default Router Priority and Route Information Discovery


If multiple devices exist on the Internet where hosts reside, hosts need to select forwarding
devices based on the destination address of the packet. In such a case, devices advertise default
router priorities and route information, which allows hosts to select the optimal forwarding
device based on the packet destination address.
The fields of default router priority and route information are defined in an RA message. These
two fields enable hosts to select the optimal forwarding device.
After receiving an RA message that contains route information, hosts update their routing tables.
When sending packets to other devices, hosts check the route in the routing table and select the
optimal route.
When receiving an RA message that carries default router priorities, hosts update their default
router lists. When sending packets to other devices, hosts check the router list to select the device
with the highest priority to forward packets. If the selected router does not work, hosts select
the device in descending order of priorities.

Redirection
To let a sender use an optimal gateway device, the current gateway device sends a Redirection
message to notify the sender that packets can be sent from another gateway device. A Redirection
message is contained in an ICMPv6 message. A Redirection message has the value of 137 in the Type
field and carries a better next hop address and destination address of packets that need to be redirected.
Figure 8-14 shows the process of redirecting packets.
Figure 8-14 Packet redirection example
[Figure: Host A, Router A, Router B, and Host B, with arrows labeled "IPv6 packet", the neighbor redirect packet, and "Subsequent IPv6 packets"]
Neighbor redirect packet definitions:
ICMPv6 Type = 137
Src = link-local address of Router A
Dst = link-local address of Host
Data = target address (link-local address of Router B), options (header of redirected packet)
Note: If the target is a host, the target address is equal to the destination address of the redirect packet and the options include the link-layer address of the target host (if known).

Host A needs to communicate with Host B. By default, packets sent from Host A to Host B are
sent through Router A. After receiving packets from Host A, Router A finds that sending packets
to Router B is much better. Router A sends a Redirection message to Host A to notify Host A
that Router B is a better next hop address. The destination address of Host B is carried in the
Redirection message. After receiving the Redirection message, Host A adds a host route to the
default routing table. Packets sent to Host B will be directly sent to Router B.
A device sends a Redirection message in the following situations:
- The destination address of the packet is not a multicast address.
- Packets are not forwarded to the device through the route.
- After route calculation, the outbound interface of the next hop is the interface that receives the packets.
- The device finds that a better next hop IP address of the packet is on the same network segment as the source IP address of the packet.
- After checking the source address of the packet, the device finds a neighboring device in the neighbor entries that uses this address as the global unicast address or the link-local unicast address.

8.2.5 Path MTU


In IPv4, a packet needs to be fragmented if it is oversized. When the transit device receives from
a source node a packet whose size exceeds the maximum transmission unit (MTU) of its
outbound interface, the transit device fragments the packet before forwarding it to the destination
node. In IPv6, however, packets are fragmented on the source node to reduce the pressure on
the transit device. When an interface on the transit device receives a packet whose size exceeds
the MTU, the transit device discards the packet and sends an ICMPv6 Packet Too Big message
to the source node. The ICMPv6 Packet Too Big message contains the MTU value of the
outbound interface. The source node fragments the packet based on the MTU and sends the
packet again. This increases traffic overhead. The Path MTU Discovery (PMTUD) protocol
dynamically discovers the MTU value of each link on the transmission path, reducing excessive
traffic overhead.
The PMTU protocol is implemented through ICMPv6 Packet Too Big messages. A source node
first uses the MTU of its outbound interface as the PMTU and sends a probe packet. If a smaller
PMTU exists on the transmission path, the transit device sends a Packet Too Big message to the
source node. The Packet Too Big message contains the MTU value of the outbound interface
on the transit device. After receiving the message, the source node changes the PMTU value to
the received MTU value and sends packets based on the new MTU. This process is repeated
until packets are sent to the destination address. Then the source node obtains the PMTU of the
destination address.
Figure 8-15 shows the process of PMTU discovery.
Figure 8-15 PMTU discovery
[Figure: path of four links with MTU=1500, MTU=1500, MTU=1400, and MTU=1300]
Packet with MTU=1500
ICMP error: packet too big, use MTU 1400
Packet with MTU=1400
ICMP error: packet too big, use MTU 1300
Packet with MTU=1300
Packet received
Path MTU=1300

Packets are transmitted through four links. The MTU values of the four links are 1500, 1500,
1400, and 1300 bytes respectively. Before sending a packet, the source node fragments the packet
based on PMTU 1500. When the packet is sent to the outbound interface with MTU 1400, the
device returns a Packet Too Big message that carries MTU 1400. After receiving the message,
the source node fragments the packet based on MTU 1400 and sends the fragmented packet
again. When the packet is sent to the outbound interface with MTU 1300, the device returns
another Packet Too Big message that carries MTU 1300. The source node receives the message
and fragments the packet based on MTU 1300. In this way, the source node sends the packet to
the destination address and discovers the PMTU of the transmission path.
NOTE

IPv6 allows a minimum MTU of 1280 bytes. Therefore, the PMTU must be greater than 1280 bytes. PMTU
of 1500 bytes is recommended.
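
The discovery loop of Figure 8-15, seen from the source node, is sketched below in Python as an added example that is not part of this guide. The message dictionaries and function names are hypothetical. Beyond what the text above describes, the sender ignores a Packet Too Big message that would raise the PMTU or that reports an MTU below the 1280-byte IPv6 minimum, which is the handling RFC 8201 requires and which limits what a forged message can do.

```python
IPV6_MIN_MTU = 1280          # minimum MTU that IPv6 allows on a link
PACKET_TOO_BIG = (2, 0)      # ICMPv6 Type 2, Code 0


def forward(size: int, link_mtus: list):
    """Simulate the path: return a Packet Too Big message from the first
    device whose outbound link cannot carry the packet, or None if delivered."""
    for hop, mtu in enumerate(link_mtus):
        if size > mtu:
            return {"type": 2, "code": 0, "mtu": mtu, "hop": hop}
    return None


def accept_packet_too_big(current_pmtu: int, message: dict) -> int:
    """Return the PMTU the source node should use after receiving message."""
    if (message["type"], message["code"]) != PACKET_TOO_BIG:
        return current_pmtu
    if message["mtu"] < IPV6_MIN_MTU:
        return current_pmtu   # below the IPv6 minimum: discard the message
    if message["mtu"] >= current_pmtu:
        return current_pmtu   # never increase the PMTU from an error message
    return message["mtu"]


def discover_pmtu(link_mtus: list):
    """Start from the MTU of the outbound interface and repeat until a packet
    reaches the destination. Returns (pmtu, list of PMTU values tried)."""
    pmtu = link_mtus[0]
    tried = [pmtu]
    while True:
        reply = forward(pmtu, link_mtus)
        if reply is None:
            return pmtu, tried
        new_pmtu = accept_packet_too_big(pmtu, reply)
        if new_pmtu == pmtu:
            raise RuntimeError("path reports an MTU the sender cannot use")
        pmtu = new_pmtu
        tried.append(pmtu)


# Constructed input: the four links described above.
SAMPLE_PATH = [1500, 1500, 1400, 1300]

if __name__ == "__main__":
    pmtu, tried = discover_pmtu(SAMPLE_PATH)
    print("PMTU", pmtu, "after trying", tried)
    forged = {"type": 2, "code": 0, "mtu": 576}   # constructed, below 1280
    print("after forged message:", accept_packet_too_big(pmtu, forged))
```
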

8.3 Default Configuration


This section describes the default IPv6 configuration.

Default Configuration

| Parameter | Default Configuration |
|---|---|
| IPv6 packet forwarding | Disabled |
| Interval for sending RA packets | Maximum interval: 600s; minimum interval: 200s |
| Neighbor reachable time | 30000 ms |

8.4 Configuring Basic IPv6


8.4.1 Configuring IPv6 Addresses for Interfaces
To enable network devices to communicate at the network layer, configure interface IPv6
addresses on the network devices.

Pre-configuration Tasks
Before configuring IPv6 addresses for interfaces, complete the following task:
- Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

8.4.1.1 Configuring Global Unicast Addresses for Interfaces


Context
A global unicast address is similar to an IPv4 public address and provided for the Internet Service
Provider (ISP). A global unicast address can be generated using either of the following methods:
- Generated in the EUI-64 format: An IPv6 global unicast address in the EUI-64 format contains a manually configured prefix and an automatically generated interface identifier.
- Configured manually: An IPv6 global unicast address can be manually configured.

NOTE

- An interface can be configured with multiple global unicast addresses with different network prefixes.
- Manually configured global unicast addresses have higher priority than automatically generated ones. Manually configured addresses can overwrite automatically generated ones with the same prefix. The overwritten automatically generated addresses do not take effect even if manually configured addresses are deleted. A device needs to generate a new global unicast address based on the IP prefix carried in the received RA packet.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.


By default, IPv6 packet forwarding is disabled.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
Step 5 You can run either of the following commands to configure an IPv6 global unicast address for
an interface:
l Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 global unicast address is manually configured.


l Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

An IPv6 global unicast address is generated in the EUI-64 format.


A maximum of 10 global unicast addresses can be configured on an interface.
----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
view to check IPv6 information on an interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information on the interface.

8.4.1.2 Configuring Link-local Addresses for Interfaces


Context
Link-local addresses are used in neighbor discovery or stateless autoconfiguration. An IPv6 link-local
address can be obtained using either of the following methods:
l Automatically generated: A device automatically generates a link-local address for an
interface based on the link-local prefix (FE80::/10) and link layer address of the interface.
l Manually configured: You can manually configure an IPv6 link-local address for an
interface.
NOTE

l Each interface can be configured with only one link-local address. To prevent link-local address
conflict, automatically generated link-local addresses are recommended. After an interface is
configured with an IPv6 global unicast address, it automatically generates a link-local address.
l Manually configured link-local addresses have higher priority than automatically generated ones.
Manually configured addresses can overwrite automatically generated ones, but automatically
generated addresses cannot overwrite manually configured ones. If manually configured addresses are
deleted, the overwritten automatically generated ones take effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.


By default, IPv6 packet forwarding is disabled.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
Step 5 You can run either of the following commands to configure a link-local address for an interface:
l Run:
ipv6 address ipv6-address link-local

A link-local address is configured for an interface.


l Run:
ipv6 address auto link-local

A link-local address is automatically generated.


----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
view to check IPv6 information on an interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information on the interface.

8.4.1.3 Configuring Anycast Addresses for Interfaces


Context
IPv6 anycast addresses are allocated from the unicast address space. An anycast address
identifies a group of interfaces, which usually belong to different nodes. When using anycast
addresses, pay attention to the following points:
l Anycast addresses can only be used as destination addresses.
l Packets addressed to an anycast address are delivered to the nearest interface that is
identified by the anycast address, depending on the routing protocols.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled on the router.


By default, IPv6 packet forwarding is disabled.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


By default, the IPv6 function is disabled on an interface.
Step 5 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

An IPv6 anycast address is configured for the interface.


----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
view to check IPv6 information on an interface.
l Run the display this ipv6 interface command in the interface view to check IPv6
information on the interface.

8.4.2 Configuring ICMPv6 Packet Control


Configuring ICMPv6 packet control reduces network traffic and prevents malicious attacks.

Context
If a large number of ICMPv6 error packets are sent on the network in a short period, network
congestion may occur. To prevent network congestion, you can limit the maximum number of
ICMPv6 error packets sent in a specified period using the token bucket algorithm.
You can set the bucket size and interval for placing tokens into the bucket. The bucket size
indicates the maximum number of tokens that a bucket can hold. One token represents an
ICMPv6 error packet. When an ICMPv6 error packet is sent, one token is taken out of the token
bucket. When there is no token, ICMPv6 error packets cannot be sent until new tokens are placed
into the token bucket after the interval.
If transmission of too many ICMPv6 error packets causes network congestion or the network is
attacked by forged ICMPv6 error packets, you can disable the system from sending ICMPv6 error
packets, Host Unreachable packets, and Port Unreachable packets.
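The following model is an added example, not Huawei code: it replays bursts of ICMPv6 error triggers through the token bucket described above, using the defaults this guide gives (10 tokens, 100 ms interval). It assumes that one token is added per interval and that the bucket starts full; the guide states neither.

```python
"""Illustrative model of the ICMPv6 error-packet token bucket (not device code)."""
from dataclasses import dataclass, field


@dataclass
class IcmpErrorLimiter:
    bucket_size: int = 10    # guide default: the bucket holds at most 10 tokens
    interval_ms: int = 100   # guide default: interval for placing tokens
    tokens: int = field(init=False, default=0)
    last_refill_ms: int = field(init=False, default=0)

    def __post_init__(self):
        if self.bucket_size < 1 or self.interval_ms < 1:
            raise ValueError("bucket_size and interval_ms must be positive")
        self.tokens = self.bucket_size  # assumption: the bucket starts full

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_refill_ms
        if elapsed < 0:
            raise ValueError("timestamps must be non-decreasing")
        intervals = elapsed // self.interval_ms
        if intervals:
            # assumption: one token per elapsed interval, capped at bucket_size
            self.tokens = min(self.bucket_size, self.tokens + intervals)
            self.last_refill_ms += intervals * self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error packet may be sent at now_ms."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False          # no token: the error packet is not sent
        self.tokens -= 1          # one token is consumed per error packet
        return True


def simulate(timestamps_ms, **limiter_args):
    """Return (sent, suppressed) for error triggers at the given times."""
    timestamps = list(timestamps_ms)
    limiter = IcmpErrorLimiter(**limiter_args)
    sent = sum(1 for t in timestamps if limiter.allow(t))
    return sent, len(timestamps) - sent


def burst_ceiling(span_ms: int, bucket_size: int = 10, interval_ms: int = 100) -> int:
    """Upper bound on error packets emitted within a span of span_ms."""
    return bucket_size + span_ms // interval_ms


if __name__ == "__main__":
    # Constructed workload: one error trigger per millisecond for one second.
    sent, suppressed = simulate(range(1000))
    print(f"defaults: sent={sent} suppressed={suppressed}")
    # Constructed workload: two bursts of 20 triggers, five seconds apart.
    print("two bursts:", simulate([0] * 20 + [5000] * 20))
```

With the defaults, a sustained flood is cut to an initial burst of 10 packets followed by roughly 10 packets per second, which is the figure to compare against the counters from display icmpv6 statistics.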

Pre-configuration Tasks
Before setting the rate limit for sending ICMPv6 error packets, complete the following task:
l 8.4.1 Configuring IPv6 Addresses for Interfaces

Procedure
l Control ICMPv6 error messages in the system view.
1. Run:
system-view

The system view is displayed.

2. Run:
ipv6

IPv6 packet forwarding is enabled.

By default, a device is disabled from forwarding IPv6 unicast packets.
3. Run:
ipv6 icmp-error { bucket bucket-size | ratelimit interval }

The rate limit for sending ICMPv6 error packets is set.


By default, a token bucket can hold a maximum of 10 tokens and the interval for
placing tokens into the bucket is 100 ms.
4. Run:
ipv6 icmp too-big-rate-limit

The device is enabled to reject jumbo ICMPv6 error messages.

By default, the device is disabled from rejecting jumbo ICMPv6 error messages.
5. Run:
undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive

The system is disabled from receiving ICMPv6 messages.

By default, the system is enabled to receive ICMPv6 messages.
6. Run:
undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } send

The system is disabled from sending ICMPv6 messages.

By default, the system is enabled to send ICMPv6 messages.
7. Run:
undo ipv6 icmp redirect send

The system is disabled from sending ICMPv6 redirect messages.

By default, the system is enabled to send ICMPv6 redirect messages.
l Control ICMPv6 messages in the interface view.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
ipv6 enable

The IPv6 function is enabled on the interface.

By default, the IPv6 function is disabled on an interface.
4. Run:
undo ipv6 icmp port-unreachable send

The interface is disabled from sending ICMPv6 Port Unreachable messages.

By default, the transmission of ICMPv6 Port Unreachable messages configured
globally also takes effect on an interface.
5. Run:
undo ipv6 icmp hop-limit-exceeded send

The interface is disabled from sending ICMPv6 hop-limit-exceeded messages.


By default, the transmission of ICMPv6 Hop Limit Exceeded messages configured
globally also takes effect on an interface.
----End

Checking the Configuration


l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information on an interface.
l Run the display icmpv6 statistics [ interface interface-type interface-number ] command
to check ICMPv6 traffic statistics.

8.4.3 Configuring IPv6 Neighbor Discovery


The Neighbor Discovery Protocol (NDP) is a basic IPv6 protocol. It replaces the Address
Resolution Protocol (ARP) and ICMP Router Discovery on an IPv4 network. Additionally, IPv6
ND provides redirection and neighbor unreachability detection.

Pre-configuration Tasks
Before configuring IPv6 ND, complete the following task:
l 8.4.1 Configuring IPv6 Addresses for Interfaces

8.4.3.1 Configuring Static Neighbors


Context
To communicate with a destination host, a host needs to obtain the link-layer address of the
destination host. The link-layer address of a neighbor node can be obtained using the neighbor
discovery mechanism or by manually configuring static neighbor entries. A device identifies a
static neighbor entry based on the IPv6 address of this neighbor and number of the Layer 3
interface connected to this neighbor. To filter invalid packets, you can create static neighbor
entries, binding the destination IPv6 addresses of these packets to nonexistent MAC addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run one of the following commands based on the interface type:
l Run:
ipv6 neighbor ipv6-address mac-address

Static neighbor entries are configured on common Layer 3 interfaces.


l Run:
ipv6 neighbor ipv6-address mac-address vid vlan-id interface-type interface-number

Static neighbor entries are configured on VLANIF interfaces.


l Run:
ipv6 neighbor ipv6-address mac-address vid vid [ cevid cevid ]

Static neighbor entries are configured on a QinQ or Dot1q termination sub-interface.


NOTE

If dynamic QinQ is enabled, static neighbor entries cannot be configured.

A maximum of 300 static neighbor entries can be configured on an interface.


----End

8.4.3.2 Configuring Neighbor Discovery


Context
IPv6 NDP provides the following functions: address resolution, neighbor unreachability
detection, duplicate address detection (DAD), router/prefix discovery, address autoconfiguration,
and redirection.
NOTE

After the IPv6 function is enabled on the router, the router automatically implements address resolution,
DAD, and redirection. Neighbor unreachability detection, router/prefix discovery, and address
autoconfiguration need to be manually configured. You can also configure the router to send RA packets
to enable router/prefix discovery and address autoconfiguration, and enable the automatic detection of ND
entries to check whether neighbors are reachable.

After the automatic detection of ND entries is enabled on the router, the router can send NS
packets to check whether neighbors are reachable before aging ND entries. If neighbors are
reachable, the router updates ND entries; otherwise, the router ages ND entries.
You can enable the router to send RA packets. After receiving the RA packets, network nodes
perform address autoconfiguration and router/prefix discovery based on the prefix and other
configuration information in the RA packets.
After the preceding configurations are complete, NDP functions work properly. You can also
adjust ND parameters based on service requirements.

Procedure
Step 1 You can run the following commands to enable NDP functions to work properly.
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
undo ipv6 nd ra halt

The device is enabled to send RA packets.


By default, the device is disabled from sending RA packets.


Step 2 (Optional) After completing the preceding configurations, adjust ND parameters to meet service
requirements.
l In the system view, run:
ipv6 nd hop-limit limit

Hop limit is set.


By default, the number of hops is limited to 64.
Perform the following operations on interfaces.
Run:
interface interface-type interface-number

The interface view is displayed.


l Run:
ipv6 nd ns retrans-timer interval

The interval for sending NS packets is set.


By default, the interval for sending NS packets is 1000 ms.
l Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for sending RA packets is set.


By default, the maximum interval for sending RA packets is 600s and the minimum interval
is 200s.
l Run:
ipv6 nd ra prefix ipv6-address prefix-length valid-lifetime preferred-lifetime
[ no-autoconfig ] [ off-link ]

Prefix information in RA packets is configured.


By default, the prefix in RA packets is the network prefix of the link where the interface
sending RA packets resides.
l Run:
ipv6 nd autoconfig managed-address-flag

The managed address configuration flag (M flag) for stateful autoconfiguration in RA packets
is set.
By default, the M flag in an RA packet is not set.
l Run:
ipv6 nd autoconfig other-flag

The other configuration flag (O flag) for stateful autoconfiguration in RA packets is set.
By default, the O flag in an RA packet is not set.
NOTE

If the M flag in an RA packet is set to 1, the O flag must be set to 1.

l Run:
ipv6 nd nud reachable-time value

The neighbor reachable time is set.


By default, the neighbor reachable time is 1200000 ms.
l Run:
ipv6 nd ra router-lifetime ra-lifetime

The time to live (TTL) is set for RA packets.


By default, the TTL of an RA packet is 1800s.
l Run:
ipv6 nd ra preference { high | medium | low }

The priority of the default router in RA packets is set.


l Run:
ipv6 nd ra route-information ipv6-address prefix-length lifetime route-lifetime
[ preference { high | medium | low } ]

Route option information in RA packets is set.


l Run:
ipv6 nd dad attempts value

The number of times NS packets are sent when the system performs Duplicate Address
Detection is set.
By default, the number of times NS packets are sent when the system performs DAD is 1.
----End
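The check below is an added example, not Huawei tooling: it reads a saved configuration offline and flags violations of rules stated in this chapter (global ipv6 and per-interface ipv6 enable are required, at most 10 global unicast addresses per interface, the M flag requires the O flag) and lists interfaces that send RA packets. The RouterA text is the configuration file from section 8.6.1; the second configuration, the finding codes and the function names are constructed for illustration, and the check assumes saved commands appear exactly as typed in the procedures.

```python
"""Offline check of a saved configuration against rules stated in this chapter."""

M_FLAG = "ipv6 nd autoconfig managed-address-flag"
O_FLAG = "ipv6 nd autoconfig other-flag"
RA_ON = "undo ipv6 nd ra halt"
MAX_GLOBAL_ADDRS = 10  # "A maximum of 10 global unicast addresses" per interface

# Configuration file of RouterA as printed in section 8.6.1.
ROUTER_A_CONFIG = """\
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
undo ipv6 nd ra halt
#
return
"""

# Constructed sample with several mistakes (2001:db8::/32 is a documentation prefix).
CONSTRUCTED_BAD_CONFIG = """\
#
sysname RouterX
#
interface GigabitEthernet2/0/0
 ipv6 address 2001:db8::1/64
 ipv6 nd autoconfig managed-address-flag
 undo ipv6 nd ra halt
#
return
"""


def parse_config(text):
    """Split a configuration into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                      # "#" closes the current block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def is_manual_global(cmd):
    """True for 'ipv6 address ...' lines that configure a global unicast address."""
    return (cmd.startswith("ipv6 address ")
            and not cmd.startswith("ipv6 address auto")
            and not cmd.endswith((" link-local", " anycast")))


def audit(text):
    """Return a list of (interface, finding_code) tuples."""
    findings = []
    global_cmds, interfaces = parse_config(text)
    forwarding = "ipv6" in global_cmds
    for name, cmds in interfaces.items():
        if not any(c.startswith(("ipv6 ", "undo ipv6 ")) for c in cmds):
            continue                          # interface does not use IPv6
        if not forwarding:
            findings.append((name, "NO_GLOBAL_IPV6"))
        if "ipv6 enable" not in cmds:
            findings.append((name, "NO_IPV6_ENABLE"))
        if M_FLAG in cmds and O_FLAG not in cmds:
            findings.append((name, "M_WITHOUT_O"))
        if sum(is_manual_global(c) for c in cmds) > MAX_GLOBAL_ADDRS:
            findings.append((name, "TOO_MANY_GLOBAL_ADDRS"))
        if RA_ON in cmds:
            findings.append((name, "RA_ENABLED"))  # informational: interface sends RAs
    return findings


if __name__ == "__main__":
    for label, cfg in (("RouterA", ROUTER_A_CONFIG), ("constructed", CONSTRUCTED_BAD_CONFIG)):
        print(label, audit(cfg))
```

RA_ENABLED is an inventory item rather than an error: RA sending is disabled by default, so every interface on that list was deliberately made an advertising router and should match the network design.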

8.4.3.3 Checking the Configuration


Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information on an interface.
l Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type interface-number |
vpn-instance vpn-instance-name ] command to check information about neighbor
entries.

8.4.4 Configuring PMTU


When the device functions as the source node and sends IPv6 packets to the destination node,
the device fragments packets based on PMTU. The intermediate device does not need to fragment
packets. This reduces the burden on the intermediate device, uses network resources effectively,
and obtains the maximum throughput.

Pre-configuration Tasks
Before configuring PMTU, complete the following tasks:
l 8.4.1 Configuring IPv6 Addresses for Interfaces

8.4.4.1 Configuring Static PMTU


Context
Generally, the PMTU is dynamically negotiated according to the IPv6 MTU value of an
interface. In special situations, to protect devices on the network and avoid attacks from large-sized
packets, you can manually configure the PMTU to a specified destination node to control
the maximum length of packets forwarded from the device to the destination node.
NOTE

When the PMTU from the device to a specified destination node is set, the IPv6 MTU values for interfaces on
all intermediate devices cannot be smaller than the configured PMTU value. Otherwise, packets are discarded.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Configure the IPv6 MTU for an interface.
1. Run:
interface interface-type interface-number

The interface view is displayed.

2. Run:
ipv6 mtu mtu

The MTU of IPv6 packets on an interface is set.

By default, the MTU of IPv6 packets on an interface is 1500 bytes.
NOTE

After the MTU value is changed, run the shutdown and undo shutdown or restart (interface view)
commands to restart the interface to make the changed MTU take effect.

3. Run:
quit

Return to the system view.


Step 3 Run:
ipv6 pathmtu ipv6-address [ vpn-instance vpn-instance-name ] [ path-mtu ]

The PMTU is set for a specified IPv6 address.


By default, the PMTU for a specified IPv6 address is not set.
If the parameter path-mtu is not specified, the PMTU for a specified IPv6 address is 1500 bytes.
----End

8.4.4.2 Setting the Aging Time of Dynamic PMTU


Context
When the device functions as the source node and sends packets to the destination node, the
device dynamically negotiates the PMTU with the destination node according to the IPv6 MTU
values of interfaces and fragments packets based on the PMTU. After the PMTU ages out, the
dynamic PMTU is deleted. The source node dynamically renegotiates the PMTU with the
destination node.
NOTE

When both static PMTU and dynamic PMTU are configured, only static PMTU takes effect. Static PMTU
entries never age.
The interface MTU, IPv6 interface MTU, and PMTU are valid only for the packets generated on the device
but not for the packets forwarded by the host.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 (Optional) Configure the IPv6 MTU for an interface.
1. Run:
interface interface-type interface-number

The interface view is displayed.

2. Run:
ipv6 mtu mtu

The MTU of IPv6 packets on an interface is set.

By default, the MTU of IPv6 packets on an interface is 1500 bytes.
The dynamic PMTU is negotiated based on the IPv6 MTU on an interface.
NOTE

After the MTU value is changed, run the shutdown and undo shutdown or restart (interface view)
commands to restart the interface to make the changed MTU take effect.

3. Run:
quit

The system view is displayed.


Step 3 Run:
ipv6 pathmtu age age-time

The aging time is set for dynamic PMTU entries.


By default, the aging time of dynamic PMTU entries is 10 minutes.
----End

8.4.4.3 Enabling a Device to Add a Fragmentation Header Based on the Fragment Flag

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 pmtu-fragment-flag enable

The device is enabled to add a fragmentation header to a Packet Too Big message based on the
fragment flag in a PMTU entry.
By default, a device is disabled from adding a fragmentation header to a Packet Too Big message
based on the fragment flag in a PMTU entry.
----End

8.4.4.4 Checking the Configuration


Procedure
l Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all |
dynamic | static } command to check all PMTU entries.
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the IPv6 information on the interface.

8.4.5 Configuring TCP6


You can configure TCP6 attributes to improve network performance.

Pre-configuration Tasks
Before configuring TCP6, complete the following task:
l Configuring link layer protocol parameters for interfaces to ensure that the link layer
protocol status on the interfaces is Up

8.4.5.1 Setting TCP6 Timers


Context
You need to set the following TCP6 timers:
l SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response
packet is received after the SYN-Wait timer expires, the TCP6 connection is terminated.
l FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the
FIN-Wait timer expires, the TCP6 connection is terminated.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp ipv6 timer syn-timeout interval

The SYN-Wait timer is set for TCP6 connections.


By default, the value of the SYN-Wait timer is set to 75s.
Step 3 Run:
tcp ipv6 timer fin-timeout interval

The FIN-Wait timer is set for TCP6 connections.


By default, the value of the FIN-Wait timer is set to 600s.
----End

8.4.5.2 Setting the TCP6 Sliding Window Size


Context
You can set the TCP6 sliding window size to improve network performance. The sliding window
size indicates the receive or send buffer size of a TCP6 socket.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp ipv6 window window-size

The receive and send buffer sizes of a TCP6 socket are set.
The receive or send buffer size of a TCP6 socket ranges from 1 KB to 32 KB. By default, the
receive or send buffer size of a TCP6 socket is 8 KB.
----End

8.4.5.3 Checking the Configuration


Procedure
l Run the display tcp ipv6 status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv6-address ]
[ local-port local-port-number ] [ remote-ip ipv6-address ] [ remote-port
remote-port-number ] ] command to check the TCP6 connection status.
l Run the display tcp ipv6 statistics command to check TCP6 traffic statistics.
l Run the display ipv6 socket [ socketype socket-type | task-id task-id socket-id socket-id ]
command to check information about a specified socket.

----End

8.5 Maintaining IPv6


Maintaining IPv6 includes clearing IPv6 statistics and monitoring IPv6 running status.

8.5.1 Clearing IPv6 Statistics


Context

NOTICE
IPv6 statistics cannot be restored after being cleared. Therefore, exercise caution before clearing
IPv6 statistics.

Procedure
l Run the reset ipv6 statistics command in the user view to clear IPv6 traffic statistics.
l Run the reset tcp ipv6 statistics command in the user view to clear TCP6 statistics.
l Run the reset udp ipv6 statistics command in the user view to clear UDP6 statistics.
l Run the reset ipv6 pathmtu [ vpn-instance vpn-instance-name ] { all | dynamic |
static } command in the user view to clear PMTU entries.
l Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number ] |
interface-type interface-number [ dynamic | static ] } command in the user view
to clear IPv6 neighbor entries.

----End

8.5.2 Monitoring IPv6 Running Status


Context
In routine maintenance, you can run the following commands in any view to view the IPv6
running status.

Procedure
l Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check IPv6 information on an interface.
l Run the display ipv6 statistics [ interface interface-type interface-number ] command to
check IPv6 packet statistics.
l Run the display icmpv6 statistics [ interface interface-type interface-number ] command
to check ICMPv6 packet statistics.
l Run the display tcp ipv6 statistics command to check TCP6 statistics.
l Run the display ipv6 neighbors [ ipv6-address | [ vid vid ] interface-type interface-number |
vpn-instance vpn-instance-name ] command to check neighbor entries.
l Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all |
dynamic | static } command to check all PMTU entries.

----End

8.6 Configuration Examples


This section provides IPv6 configuration examples, including networking requirements and
configuration roadmap.

8.6.1 Example for Configuring Basic IPv6 Functions


Networking Requirements
As shown in Figure 8-16, RouterA and RouterB are connected using GE1/0/0. RouterA and
RouterB need to establish a neighbor relationship, and RouterB can obtain an IPv6 address using
the neighbor discovery function.
Figure 8-16 Networking diagram for configuring basic IPv6 functions
[Figure: RouterA GE1/0/0 (3001::1/64) connected to RouterB GE1/0/0]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IPv6 forwarding function on RouterA and configure an IPv6 address for
RouterA so that RouterA can forward IPv6 packets.
2. Configure RouterA to send RA packets and allow GE1/0/0 of RouterB to automatically
configure an IPv6 address based on the route prefix carried in the received RA packets.

Procedure
Step 1 Configure RouterA.
# Configure an IPv6 address for GE1/0/0 of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[RouterA-GigabitEthernet1/0/0] quit

# Configure the neighbor discovery function on RouterA.


[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure RouterB.

# Configure GE1/0/0 of RouterB to automatically generate an IPv6 address through stateless
autoconfiguration.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address auto global
[RouterB-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.


If the preceding configurations are successful, you can view the configured global unicast
addresses. The interface status and the IPv6 protocol are Up. You can also check the neighbors
of the interfaces.
# Check interface information on RouterA.
<RouterA> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::A19:A6FF:FECD:A897
Global unicast address(es):
3000::1, subnet is 3000::/64
Joined group address(es):
FF02::1:2
FF02::1:FF00:1
FF02::2
FF02::1
FF02::1:FFCD:A897
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
ND router advertisements hop-limit 64
ND default router preference medium
Hosts use stateless autoconfig for addresses

# Check interface information on RouterB.


<RouterB> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
Global unicast address(es):
3001::15B:E0EA:3524:E791
subnet is 3001::/64 [SLAAC 2012-07-19 17:30:55 2592000S]
Joined group address(es):
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

# Check neighbor information on GE1/0/0 of RouterA.


<RouterA> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3001::15B:E0EA:3524:E791
Link-layer   : 00e0-fc89-fe6e          State     : STALE
Interface    : GigabitEthernet1/0/0    Age       : 7
VLAN         :                         CEVLAN    :
VPN name     :                         Is Router : TRUE
Secure FLAG  : UN-SECURE
--------------------------------------------------------
Total: 1     Dynamic: 1     Static: 0

----End
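The script below is an added example, not part of the Huawei guide: it cross-checks the RouterA output above against the address formats described in 8.4.1.1 and 8.4.1.2. It recovers the MAC address embedded in an EUI-64 interface identifier, rebuilds the address from that MAC, and confirms that each unicast address has its solicited-node multicast group in the joined list. The function names are hypothetical and the MAC value is derived from the displayed link-local address, not printed in the guide.

```python
"""Cross-check EUI-64 and solicited-node addresses from display ipv6 interface."""
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

# Values copied from the RouterA output in this example.
ROUTER_A_UNICAST = ["FE80::A19:A6FF:FECD:A897", "3000::1"]
ROUTER_A_JOINED = ["FF02::1:2", "FF02::1:FF00:1", "FF02::2", "FF02::1",
                   "FF02::1:FFCD:A897"]
# Link-local address from the RouterB output (not EUI-64 derived).
ROUTER_B_LINK_LOCAL = "FE80::2D6F:0:7AF3:1"


def eui64_interface_id(mac: str) -> int:
    """Build the 64-bit interface ID: flip the U/L bit, insert FF-FE in the middle."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a prefix of at most 64 bits with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("an EUI-64 address needs a prefix of at most 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Return the embedded MAC (xxxx-xxxx-xxxx) if the interface ID has the
    EUI-64 FF-FE marker, else None. The marker can also occur by chance."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = (bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]).hex()
    return f"{mac[0:4]}-{mac[4:8]}-{mac[8:12]}"


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)


def missing_groups(unicast, joined):
    """Solicited-node groups that the unicast addresses need but are not joined."""
    joined_set = {ipaddress.IPv6Address(g) for g in joined}
    return [str(solicited_node(a)) for a in unicast
            if solicited_node(a) not in joined_set]


if __name__ == "__main__":
    mac = mac_from_address(ROUTER_A_UNICAST[0])
    print("RouterA embedded MAC:", mac)
    print("rebuilt link-local  :", eui64_address("fe80::/64", mac))
    print("RouterB embedded MAC:", mac_from_address(ROUTER_B_LINK_LOCAL))
    print("missing groups      :", missing_groups(ROUTER_A_UNICAST, ROUTER_A_JOINED))
```

An EUI-64 interface identifier discloses the interface's hardware address to every peer that sees the IPv6 address, which is worth weighing when choosing between the eui-64 keyword and a manually configured address.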

Configuration File
l Configuration file of RouterA


#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
undo ipv6 nd ra halt
#
return

l Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address auto link-local
ipv6 address auto global
#
return

8.7 FAQ
8.7.1 What Is the Application Scope of an IPv6 Link-Local Address?
An IPv6 link-local address can be used for communication between nodes on the same link.
Packets with IPv6 link-local addresses can be forwarded only through a local link.

8.8 References
The following table lists the references of this document.

Document | Description | Remarks
RFC1887 | An Architecture for IPv6 Unicast Address Allocation | -
RFC1970 | Neighbor Discovery for IP Version 6 (IPv6) | -
RFC1981 | Path MTU Discovery for IP version 6 | -
RFC2375 | IPv6 Multicast Address Assignments | -
RFC2147 | TCP and UDP over IPv6 Jumbograms | -
RFC2460 | Internet Protocol, Version 6 (IPv6) Specification | -
RFC2461 | Neighbor Discovery for IP Version 6 (IPv6) | -
RFC2462 | IPv6 Stateless Address Autoconfiguration | -
RFC2463 | Internet Control Message Protocol for the Internet Protocol Version 6 Specification | -
RFC2464 | Transmission of IPv6 Packets over Ethernet Networks | -
RFC2473 | Generic Packet Tunneling in IPv6 Specification | -
RFC2529 | Transmission of IPv6 over IPv4 Domains without Explicit Tunnels | -
RFC2711 | IPv6 Router Alert Option | -
RFC2893 | Transition Mechanisms for IPv6 Hosts and Routers | -
RFC3056 | Connection of IPv6 Domains via IPv4 Clouds | -
RFC3068 | An Anycast Prefix for 6to4 Relay Routers | -
RFC3484 | Default Address Selection for Internet Protocol version 6 (IPv6) | -
RFC3493 | Basic Socket Interface Extensions for IPv6 | -
RFC3513 | IP Version 6 Addressing Architecture | -
RFC3542 | Advanced Sockets API for IPv6 | -
RFC3587 | An Aggregatable Global Unicast Address Format | -
RFC3879 | Deprecating Site Local Addresses | -
RFC4007 | IPv6 Scoped Address Architecture | -
RFC4193 | Unique Local IPv6 Unicast Addresses | Currently, the part relating to DNS cannot be implemented.
RFC4213 | Basic Transition Mechanisms for IPv6 Hosts and Routers | -
RFC4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | -
RFC4443 | Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification | -
RFC4861 | Neighbor Discovery for IP Version 6 (IPv6) | Currently, the part relating to ND proxy and ND security cannot be implemented.
RFC4862 | IPv6 Stateless Address Autoconfiguration | Currently, RFC4862 cannot be implemented on hosts.
RFC5095 | Deprecation of Type 0 Routing Headers in IPv6 | -

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

277

Huawei AR150&200&1200&2200&3200 Series Enterprise


Routers
Configuration Guide - IP Service

9 DHCPv6 Configuration


About This Chapter


This section describes how to configure the DHCPv6 function. Currently, the router can function
as the DHCPv6 server, DHCPv6 PD server, DHCPv6 relay, DHCPv6 client, and DHCPv6 PD
client on the IPv6 network.
9.1 DHCPv6 Overview
9.2 Principles
9.3 Application
9.4 Default Configuration
This section provides default DHCPv6 configurations.
9.5 Configuring DHCPv6
9.6 Maintaining DHCPv6
9.7 Configuration Examples
9.8 References


9.1 DHCPv6 Overview


Definition
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is designed to assign IPv6 addresses,
prefixes, and other network configuration parameters to hosts.

Purpose
The IPv6 protocol provides huge address space formed by 128-bit IPv6 addresses that require
proper and efficient assignment and management policies. IPv6 stateless address
autoconfiguration defined in RFC2462 is widely used. Hosts configured with the stateless
address autoconfiguration function automatically configure IPv6 addresses based on prefixes
carried in Router Advertisement (RA) packets sent from a neighboring device.
When stateless address autoconfiguration is used, devices do not record IPv6 addresses of hosts.
Therefore, stateless address autoconfiguration has poor manageability. In addition, hosts
configured with stateless address autoconfiguration cannot obtain other configuration
parameters such as the DNS server address. Internet service providers (ISPs) do not provide
instructions for automatic allocation of IPv6 prefixes for devices. Therefore, users need to
manually configure IPv6 addresses for devices during IPv6 network deployment.
DHCPv6 solves this problem. DHCPv6 is a stateful protocol for configuring IPv6 addresses
automatically.
Compared with manual address configuration and IPv6 stateless address autoconfiguration that
uses network prefixes in RA packets, DHCPv6 has the following advantages:
- Controls IPv6 address assignment better. A DHCPv6 device can record addresses assigned
  to hosts and assign requested addresses. This function facilitates network management.
- Assigns IPv6 address prefixes to network devices. This function facilitates automatic
  configuration and hierarchical network management.
- Provides other network configuration parameters such as the DNS server address.

9.2 Principles
9.2.1 DHCPv6 Overview
DHCPv6 runs between a client and a server. Similar to DHCP for IPv4, DHCPv6 clients and
DHCPv6 servers exchange DHCPv6 packets using the User Datagram Protocol (UDP). In IPv6,
packets cannot be broadcast; therefore, DHCPv6 uses multicast packets. In this case, DHCPv6
clients do not need to be configured with IPv6 addresses of DHCPv6 servers.

IPv6 Address Allocation Methods


The IPv6 protocol provides huge address space formed by 128-bit IPv6 addresses that require
proper and efficient assignment and management policies.

Currently, the following methods are available to allocate IPv6 addresses:


- Manual configuration: You can manually configure IPv6 addresses, prefixes, and other
  network configuration parameters, such as addresses of the Domain Name System (DNS),
  Network Information Service (NIS), and Simple Network Time Protocol (SNTP) servers.
- Stateless address autoconfiguration: Hosts generate a link-local address based on the
  interface ID and automatically configure IPv6 addresses based on prefixes carried in Router
  Advertisement (RA) packets.
- Stateful autoconfiguration, that is, DHCPv6. DHCPv6 allocation has the following two
  methods:
  - DHCPv6 stateful autoconfiguration: DHCPv6 servers automatically provide IPv6
    addresses, PD prefixes, and other network configuration parameters, such as addresses
    of the DNS, NIS, and SNTP servers.
  - DHCPv6 stateless autoconfiguration: IPv6 addresses are generated based on RA
    packets. A DHCPv6 server does not provide IPv6 addresses but provides other
    configuration parameters about the DNS, NIS, and SNTP servers.

DHCPv6 Architecture
Figure 9-1 shows the DHCPv6 architecture.
Figure 9-1 DHCPv6 architecture (diagram showing DHCPv6 clients, a DHCPv6 relay, the IPv6 network, and a DHCPv6 server)

DHCPv6 involves the following roles:


- DHCPv6 client
  A DHCPv6 client applies to a DHCPv6 server for IPv6 addresses, prefixes, and network
  configuration parameters to complete its address configuration.
- DHCPv6 relay
  A DHCPv6 relay agent relays DHCPv6 packets between a DHCPv6 client and a DHCPv6
  server to help the DHCPv6 client complete its address configuration. Generally, a DHCPv6
  client communicates with a DHCPv6 server through the link-local multicast address to
  obtain IPv6 addresses, prefixes, and other network configuration parameters. If a DHCPv6
  server and a DHCPv6 client are on different links, a DHCPv6 relay agent is required to
  forward DHCPv6 packets. In this case, you do not need to deploy a DHCPv6 server on
  each link, which saves costs and facilitates centralized management.
  A DHCPv6 relay agent is optional. If a DHCPv6 client and a DHCPv6 server are on the
  same link or a DHCPv6 client communicates with a DHCPv6 server in unicast mode to
  complete address allocation or information configuration, you do not need to deploy a
  DHCPv6 relay agent. A DHCPv6 relay agent is required only when a DHCPv6 client and
  a DHCPv6 server are located on different links or a DHCPv6 client cannot communicate
  with a DHCPv6 server in unicast mode.
- DHCPv6 server
  A DHCPv6 server processes requests of address allocation, address lease extension, and
  address release from a DHCPv6 client or a DHCPv6 relay agent, and assigns IPv6 addresses
  and other network configuration parameters to the DHCPv6 client.

Basic DHCPv6 Concepts


1. Multicast address
   - In DHCPv6, a DHCPv6 client does not need to be configured with the IPv6 address of
     a DHCPv6 server. Instead, the DHCPv6 client locates DHCPv6 servers by sending
     Solicit packets with multicast addresses as destination addresses.
   - In DHCPv4, a DHCP client locates DHCP servers by broadcasting DHCP packets. To
     prevent broadcast storms, IPv6 does not use broadcast packets. Instead, IPv6 uses
     multicast packets. DHCPv6 uses the following two multicast addresses:
     - FF02::1:2 (All DHCP Relay Agents and Servers): indicates the multicast address of
       all the DHCPv6 servers and DHCPv6 relay agents. The address is a link-local
       multicast address and is used for communication between a DHCPv6 client and its
       neighboring servers or between a DHCPv6 client and DHCPv6 relay agents. All
       DHCPv6 servers and relay agents are members of this multicast group.
     - FF05::1:3 (All DHCP Servers): indicates the multicast address of all the DHCPv6
       servers. The address is a site-local address and is used for communication between
       DHCPv6 relay agents and DHCPv6 servers within a site. All DHCPv6 servers within
       a site are members of this multicast group.

2. UDP port number
   - DHCPv6 packets are transmitted through UDPv6.
   - DHCPv6 clients only process DHCPv6 packets with UDP port number 546.
   - DHCPv6 servers and relay agents only process DHCPv6 packets with UDP port number
     547.

3. DHCPv6 Unique Identifier (DUID)
   - A DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique
     DUID. DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients
     use DUIDs to identify DHCPv6 servers.
   - The DUIDs of a DHCPv6 client and a DHCPv6 server are carried in the Client Identifier
     option and the Server Identifier option respectively. The Client Identifier option and the
     Server Identifier option have the same format and are distinguished by the option-code
     field value.

4. Identity association (IA)
   - An IA enables a DHCPv6 server and a DHCPv6 client to identify, group, and manage
     IPv6 addresses. Each IA consists of an identity association identifier (IAID) and
     associated configuration information.
   - A DHCPv6 client must associate at least one IA with each of its network interfaces for
     which the DHCPv6 client requests IPv6 addresses from a DHCP server. The DHCPv6
     client uses IAs associated with network interfaces to obtain configuration information
     from a DHCPv6 server. Each IA must be associated with at least one interface.
   - The IAID identifies an IA, and IAIDs on the same DHCPv6 client must be unique. The
     IAID is not lost or changed because of factors such as DHCPv6 client reboot.
   - The configuration information in an IA consists of one or more IPv6 addresses along
     with the lifetimes T1 and T2. Each address in an IA has a preferred lifetime and a valid
     lifetime.
   - An interface must be associated with at least one IA; an IA can contain information
     about one or more addresses.

9.2.2 DHCPv6 Packets


DHCPv6 Packet Format
Figure 9-2 shows the DHCPv6 packet format.
Figure 9-2 DHCPv6 packet format (fields in order: msg-type, ending at bit 7; transaction-ID, ending at bit 31; options, variable length)

Table 9-1 Description of each field in a DHCPv6 packet

Field | Length | Description
msg-type | 1 byte | Indicates the packet type. The value ranges from 1 to 13. For details, see the DHCPv6 Packet Type.
transaction-ID | 3 bytes | Identifies packet transaction between DHCPv6 clients and servers. For example, a DHCPv6 client initiates a Solicit/Advertise transaction or a Request/Reply transaction. Their transaction IDs are different. Transaction IDs have the following characteristics: the transaction ID is randomly generated by a DHCPv6 client; transaction IDs of request and reply packets must be the same; the transaction ID of a packet initiated by a DHCPv6 server is 0.
Options | Variable | Indicates the option field in a DHCPv6 packet. The option field contains configurations that the DHCPv6 server assigns to IPv6 hosts, such as the IPv6 address of the DNS server.

DHCPv6 Packet Type


DHCPv6 defines 13 types of packets. A DHCPv6 server and a DHCPv6 client communicate by
exchanging these types of packets. Table 9-2 lists DHCPv6 packets and their corresponding
DHCPv4 packets and describes the DHCPv6 packets.
Table 9-2 Comparisons between DHCPv6 packets and DHCPv4 packets

DHCP Packet Type | DHCPv6 Packet | DHCPv4 Packet | Description
1 | SOLICIT | DHCP DISCOVER | A DHCPv6 client sends a Solicit packet to locate DHCPv6 servers.
2 | ADVERTISE | DHCP OFFER | A DHCPv6 server sends an Advertise packet in response to a Solicit packet to declare that it can provide DHCPv6 services.
3 | REQUEST | DHCP REQUEST | A DHCPv6 client sends a Request packet to request IPv6 addresses and other configuration parameters from a DHCPv6 server.
4 | CONFIRM | - | A DHCPv6 client sends a Confirm packet to any available DHCPv6 server to check whether the obtained IPv6 address applies to the link that the DHCPv6 client is connected to.
5 | RENEW | DHCP REQUEST | A DHCPv6 client sends a Renew packet to the DHCPv6 server that provides the IPv6 addresses and other configuration parameters to extend the lifetime of the addresses and to update configuration parameters.
6 | REBIND | DHCP REQUEST | A DHCPv6 client sends a Rebind packet to any available DHCPv6 server to extend the lifetime of the assigned IPv6 address and to update configuration parameters when the client does not receive a response to its Renew packet.
7 | REPLY | DHCP ACK/NAK | A DHCPv6 server sends a Reply packet in the following situations: (1) A DHCPv6 server sends a Reply packet containing IPv6 addresses and configuration parameters in response to a Solicit, Request, Renew or Rebind packet received from a DHCPv6 client. (2) A DHCPv6 server sends a Reply packet containing configuration parameters in response to an Information-Request packet. (3) A DHCPv6 server sends a Reply packet in response to a Confirm, Release, or Decline packet received from a DHCPv6 client.
8 | RELEASE | DHCP RELEASE | A DHCPv6 client sends a Release packet to the DHCPv6 server that assigns IPv6 addresses to the DHCPv6 client, indicating that the DHCPv6 client will no longer use the obtained addresses.
9 | DECLINE | DHCP DECLINE | A DHCPv6 client sends a Decline packet to a DHCPv6 server, indicating that the IPv6 addresses assigned by the DHCPv6 server are already in use on the link to which the DHCPv6 client is connected.
10 | RECONFIGURE | - | A DHCPv6 server sends a Reconfigure packet to a DHCPv6 client, informing the DHCPv6 client that the DHCPv6 server has new addresses or updated configuration parameters.
11 | INFORMATION-REQUEST | DHCP INFORM | A DHCPv6 client sends an Information-Request packet to a DHCPv6 server to request configuration parameters except for IPv6 addresses.
12 | RELAY-FORW | - | A DHCPv6 relay agent sends a Relay-Forward packet to relay Request packets to DHCPv6 servers.
13 | RELAY-REPL | - | A DHCPv6 server sends a Relay-Reply packet to a DHCPv6 relay agent. The Relay-Reply packet carries a packet that the DHCPv6 relay agent needs to deliver to a DHCPv6 client.

9.2.3 DHCPv6 Working Principles


DHCPv6 autoconfiguration is classified as stateful or stateless.
- DHCPv6 stateful autoconfiguration: A DHCPv6 server automatically configures IPv6
  addresses, prefixes, and network configuration parameters of the DNS, NIS, and SNTP
  servers.
- DHCPv6 stateless autoconfiguration: IPv6 addresses are generated based on the Router
  Advertisement (RA) packets. A DHCPv6 server provides other configuration parameters
  such as addresses of the DNS, NIS, and SNTP servers except for IPv6 addresses.

DHCPv6 Stateful Autoconfiguration


The IPv6 node obtains addresses and other configuration parameters (such as the IPv6 address
of the DNS server) through stateful DHCPv6 autoconfiguration.
A DHCPv6 server assigns addresses and prefixes to a DHCPv6 client in the following ways:
- DHCPv6 four-message exchange
- DHCPv6 two-message exchange

DHCPv6 Four-Message Exchange


Four-message exchange applies to a network where multiple DHCPv6 servers are available. A
DHCPv6 client first multicasts a Solicit packet to locate DHCPv6 servers that can provide
DHCPv6 services. After receiving Advertise packets from multiple DHCPv6 servers, the
DHCPv6 client selects one of the DHCPv6 servers according to priorities of DHCPv6 servers.
Then the DHCPv6 client and the selected DHCPv6 server complete address application and
allocation by exchanging Request and Reply packets.
If a DHCPv6 server does not have two-message exchange enabled, the DHCPv6 server allocates
addresses and configuration parameters through four-message exchange, regardless of whether
the Solicit packet contains the Rapid Commit option.
Figure 9-3 shows the process of address allocation using four-message exchange.
Figure 9-3 Process of address allocation using four-message exchange (sequence between the DHCPv6 client and the DHCPv6 server: (1) Solicit, (2) Advertise, (3) Request, (4) Reply)

The process of address allocation using four-message exchange is as follows:


1. A DHCPv6 client sends a Solicit packet to request a DHCPv6 server to allocate IPv6
   addresses and network configuration parameters.
2. If the DHCPv6 server does not support fast address allocation, the DHCPv6 server returns
   an Advertise packet containing the allocated addresses and network configuration
   parameters regardless of whether the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 servers, the DHCPv6 client selects
   the DHCPv6 server with the highest priority and sends Request multicast packets to all
   DHCPv6 servers. The Request multicast packets carry the DUID of the selected DHCPv6
   server.
4. The DHCPv6 server responds with a Reply packet that contains the addresses and network
   configuration parameters allocated to the client.

DHCPv6 Two-Message Exchange


Two-message exchange applies to a network where only one DHCPv6 server is available. A
DHCPv6 client multicasts a Solicit packet to locate the DHCPv6 server that can allocate
addresses and configuration parameters. After receiving the Solicit packet, the DHCPv6 server
responds with a Reply packet carrying addresses and configuration parameters allocated to the
DHCPv6 client.
This packet exchange improves address allocation efficiency. On the network where multiple
DHCPv6 servers are available, multiple DHCPv6 servers can allocate addresses to DHCPv6
clients and respond with Reply packets. The DHCPv6 clients, however, use the addresses and
configuration parameters allocated by one DHCPv6 server. To prevent the preceding situation,
the administrator can configure only one DHCPv6 server to support two-message exchange.
NOTE
- If a DHCPv6 server is configured with two-message exchange and the Solicit packet from a DHCPv6
  client contains the Rapid Commit option, the DHCPv6 server allocates IPv6 addresses and
  configuration parameters in two-message exchange mode.
- If a DHCPv6 server does not support fast address allocation, the DHCPv6 server allocates IPv6
  addresses and other network configuration parameters to clients using four-message exchange.

Figure 9-4 shows the process of address allocation using two-message exchange.
Figure 9-4 Process of address allocation using two-message exchange (sequence between the DHCPv6 client and the DHCPv6 server: (1) Solicit, which contains a Rapid Commit option, (2) Reply)

The process of address allocation using two-message exchange is as follows:


1. A DHCPv6 client sends a Solicit packet carrying the Rapid Commit option, indicating that
   the DHCPv6 client requires fast address allocation and network configuration parameters
   from a DHCPv6 server.
2. After the DHCPv6 server receives the Solicit message, it processes the message as follows:
   - If the DHCPv6 server supports fast address allocation, it returns a Reply packet and
     allocates IPv6 addresses and other network configuration parameters to the DHCPv6
     client.
   - If the DHCPv6 server does not support fast address allocation, the DHCPv6 server uses
     four-message exchange to allocate IPv6 addresses, prefixes, and other network
     configuration parameters.

DHCPv6 Stateless Autoconfiguration


The IPv6 node obtains network configuration parameters (including configuration parameters
of DNS, SIP, and SNTP servers, without IPv6 addresses) through DHCPv6 stateless
autoconfiguration.
Figure 9-5 shows the working process of DHCPv6 stateless autoconfiguration.
Figure 9-5 Working process of DHCPv6 stateless autoconfiguration (sequence between the DHCPv6 client and the DHCPv6 server: Information-request, which includes an Option Request option; Reply, which includes the requested options)

The working process of DHCPv6 stateless autoconfiguration is as follows:


1. A DHCPv6 client multicasts an Information-Request packet with the Option Request option
   to DHCPv6 servers. The Option Request option specifies the configuration parameters that
   the DHCPv6 client needs to obtain from a DHCPv6 server.
2. After receiving the Information-Request packet, the DHCPv6 server sends a Reply packet
   to the client in unicast mode. The Reply packet carries the allocated network configuration
   parameters. The DHCPv6 client performs stateless autoconfiguration based on parameters
   carried in the Reply packet.

9.2.4 Working Principle of DHCPv6 PD


DHCPv6 prefix delegation (PD) is a prefix allocation mechanism proposed by Cisco and defined
in RFC 3633. On a layered network, IPv6 addresses of different layers are configured manually.
Manually configured IPv6 addresses have poor extensibility and cannot be planned and managed
in a centralized manner.

The DHCPv6 PD mechanism allows a downstream device to request IPv6 prefixes from the
upstream device and an upstream device to assign appropriate prefixes for the downstream
device. In this way, you do not need to configure IPv6 prefixes for user-side links on the
downstream device. The downstream device divides the obtained prefix (the length of the
obtained prefix is smaller than 64 bits) into 64-bit subnet prefixes and sends a Router
Advertisement (RA) packet on the link that IPv6 hosts directly connect to. This enables hosts
to automatically configure addresses, completing IPv6 network deployment.
Figure 9-6 shows the working process of DHCPv6 PD.
Figure 9-6 Working principle of DHCPv6 PD (diagram showing Router A as the DHCPv6 PD server, Router B as the DHCPv6 PD client, and IPv6 HostA, HostB, and HostC)

The process of DHCPv6 PD using four-message exchange is as follows:


1. A DHCPv6 PD client sends a Solicit packet, requesting an IPv6 address prefix from a
   DHCPv6 PD server.
2. If the DHCPv6 PD server does not support fast address allocation, the DHCPv6 PD server
   returns an Advertise packet containing the allocated address prefixes regardless of whether
   the Solicit packet contains the Rapid Commit option.
3. If receiving Advertise packets from multiple DHCPv6 PD servers, the DHCPv6 PD client
   selects the DHCPv6 PD server with the highest priority and sends a Request packet to this
   DHCPv6 PD server to request address prefixes.
4. The DHCPv6 PD server responds with a Reply packet to assign an IPv6 address prefix to
   the DHCPv6 PD client.

DHCPv6 PD also supports two-message exchange using packets carrying the Rapid Commit
option. For details, see DHCPv6 Two-Message Exchange.

9.2.5 Working Principle of the DHCPv6 Relay Agent


Figure 9-7 shows the working process of a DHCPv6 relay agent. A DHCPv6 client sends packets
to a DHCPv6 server through a DHCPv6 relay agent to obtain IPv6 addresses, prefixes, and other
network configuration parameters, such as IPv6 addresses of DNS servers.
Figure 9-7 Working principle of a DHCPv6 relay agent (sequence among the DHCPv6 client, the DHCPv6 relay, and the DHCPv6 server: (1) DHCPv6 message from client, (2) Relay-forward, (3) Relay-reply, (4) DHCPv6 message to client)

The working process of a DHCPv6 relay agent is as follows:


1. A DHCPv6 client sends DHCPv6 Request packets with the destination multicast address
   FF02::1:2 to all DHCPv6 servers and DHCPv6 relay agents.
2. A DHCPv6 relay agent processes packets in the following two ways:
   - If a DHCPv6 relay agent and a DHCPv6 client are located on the same link, that is, the
     DHCPv6 relay agent is the first-hop relay agent of the DHCPv6 client, the DHCPv6
     relay agent is the IPv6 gateway of the DHCPv6 client. After receiving a packet from
     the DHCPv6 client, the DHCPv6 relay agent encapsulates the packet in the Relay
     Message option of a Relay-Forward packet. Then the DHCPv6 relay agent sends the
     Relay-Forward packet to a DHCPv6 server or the next hop relay agent.
   - If the DHCPv6 relay agent and DHCPv6 client are on different links, the DHCPv6 relay
     agent receives Relay-Forward packets sent from other relay agents. The DHCPv6 relay
     agent constructs a new Relay-Forward packet and sends the packet to the DHCPv6
     server or the next hop relay agent.
3. The DHCPv6 server parses the request of the DHCPv6 client in the Relay-Forward packet
   and selects IPv6 addresses and other network configuration parameters to construct a reply
   packet. Then the DHCPv6 server encapsulates the reply packet in the Relay Message option
   in a Relay-Reply packet and sends the Relay-Reply packet to the DHCPv6 relay agent.
4. The DHCPv6 relay agent parses the reply packet of the DHCPv6 server in the Relay-Reply
   packet and forwards the reply packet to the DHCPv6 client. If the DHCPv6 client receives
   reply packets from multiple DHCPv6 servers, the DHCPv6 client selects the DHCPv6
   server with the highest priority, and obtains the IPv6 address and other network
   configuration parameters from the DHCPv6 server.
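The packet layout in Table 9-1, the message types in Table 9-2, and the Relay Message encapsulation described above can be exercised with a small parser. This is an added example, not Huawei code: the option codes and the relay header layout (hop-count, link-address, peer-address) are taken from RFC 3315, and the function names, the recursion bound, and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# msg-type values 1 to 13, as listed in Table 9-2.
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL",
}
RELAY_TYPES = {12, 13}
# Option codes from RFC 3315 (the page names the options but not their codes).
OPT_CLIENTID, OPT_SERVERID, OPT_RELAY_MSG, OPT_RAPID_COMMIT = 1, 2, 9, 14
MAX_RELAY_DEPTH = 32  # assumption: this parser's own bound on nested relay layers


class ParseError(ValueError):
    """Raised for truncated or malformed DHCPv6 data."""


def option(code, value=b""):
    """Encode one option: 2-byte code, 2-byte length, then the value."""
    return struct.pack("!HH", code, len(value)) + value


def parse_options(buf):
    """Split an options area into (code, value) pairs, rejecting overruns."""
    opts, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ParseError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ParseError(f"option {code} overruns the packet")
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def parse_message(buf, depth=0):
    """Parse a client/server message, or a relay message and what it carries."""
    if depth > MAX_RELAY_DEPTH:
        raise ParseError("too many nested relay layers")
    if not buf or buf[0] not in MSG_TYPES:
        raise ParseError("missing or unknown msg-type")
    name = MSG_TYPES[buf[0]]
    if buf[0] in RELAY_TYPES:
        # Relay header: msg-type(1) hop-count(1) link-address(16) peer-address(16)
        if len(buf) < 34:
            raise ParseError("truncated relay header")
        inner = [v for c, v in parse_options(buf[34:]) if c == OPT_RELAY_MSG]
        if len(inner) != 1:
            raise ParseError("expected exactly one Relay Message option")
        return {
            "type": name,
            "hop_count": buf[1],
            "link_address": str(ipaddress.IPv6Address(buf[2:18])),
            "peer_address": str(ipaddress.IPv6Address(buf[18:34])),
            "inner": parse_message(inner[0], depth + 1),
        }
    if len(buf) < 4:
        raise ParseError("truncated header")
    opts = dict(parse_options(buf[4:]))
    return {
        "type": name,
        "transaction_id": int.from_bytes(buf[1:4], "big"),
        "client_duid": opts.get(OPT_CLIENTID, b"").hex() or None,
        "server_duid": opts.get(OPT_SERVERID, b"").hex() or None,
        "rapid_commit": OPT_RAPID_COMMIT in opts,
        "option_codes": sorted(opts),
    }


def findings(msg):
    """Flag header values that contradict the rules stated in Table 9-1."""
    out = []
    if msg["type"] == "RECONFIGURE" and msg["transaction_id"] != 0:
        out.append("server-initiated packet with non-zero transaction ID")
    return out


# Constructed samples: a Solicit (Client Identifier, Elapsed Time, Rapid Commit)
# and the same Solicit wrapped by a first-hop relay agent in a Relay-Forward.
SAMPLE_DUID = bytes.fromhex("00030001020000000001")
SAMPLE_SOLICIT = (bytes([1]) + (0x1A2B3C).to_bytes(3, "big")
                  + option(OPT_CLIENTID, SAMPLE_DUID)
                  + option(8, b"\x00\x00") + option(OPT_RAPID_COMMIT))
SAMPLE_RELAY_FORW = (bytes([12, 0])
                     + ipaddress.IPv6Address("2001:db8:1::1").packed
                     + ipaddress.IPv6Address("fe80::1").packed
                     + option(OPT_RELAY_MSG, SAMPLE_SOLICIT))

if __name__ == "__main__":
    print(parse_message(SAMPLE_RELAY_FORW))
```

The length checks in parse_options and the depth bound in parse_message matter because both the options area and the Relay Message nesting are controlled by whoever sent the packet.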

9.2.6 IPv6 Address/Prefix Allocation and Lease Updating


IPv6 Address Allocation Sequence


The DHCPv6 server allocates an IPv6 address or prefix to a DHCPv6 client in the following
sequence:
1. Select an IPv6 address pool.
   An IPv6 address pool can be bound to an interface of the DHCPv6 server. The DHCPv6
   server assigns an address or prefix to the DHCPv6 client from the IPv6 address pool. If a
   relay agent exists, the IPv6 address pool cannot be bound to the interface of the DHCPv6
   server. In this case, the address pool is selected based on the first link-address field whose
   value is not 0 in the packet (the field identifies the link range of the DHCPv6 clients): the
   network prefix or IPv6 address prefix configured in the selected address pool must be in
   the same link range as that field.
2. Select an IPv6 address or prefix.
   After the address pool is configured, the DHCPv6 server assigns IPv6 addresses or prefixes
   to DHCPv6 clients in the following order:
   a. If IPv6 addresses or prefixes have been specified in the address pool, these addresses
      and prefixes matching the client DUIDs are preferentially assigned to clients.
   b. If the IA option in the packet sent from the client carries valid addresses or prefixes,
      these addresses or prefixes are preferentially assigned to clients from the address pool.
      If these addresses or prefixes are unavailable in the address pool, other idle addresses
      or prefixes are assigned to clients. If the IPv6 prefix length exceeds the assigned length,
      the IPv6 prefix of the assigned length is assigned.
   c. Idle addresses and prefixes are assigned to clients from the address pool. Reserved
      addresses (for example, anycast addresses defined in RFC 2526), conflicted
      addresses, and used addresses cannot be assigned to clients.
   d. If no IPv6 address or prefix can be assigned, address or prefix allocation fails.
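The selection order in steps a to d can be modelled as follows. This is an added sketch, not Huawei's implementation: the AddressPool class, its fields, the client DUID strings, and the sample pools are hypothetical, and it covers addresses only (the prefix-length rule in step b is left out).

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import chain


@dataclass
class AddressPool:
    """Hypothetical in-memory model of one DHCPv6 address pool."""
    network: ipaddress.IPv6Network
    static: dict = field(default_factory=dict)      # client DUID -> address specified for it
    reserved: set = field(default_factory=set)      # never allocated dynamically
    conflicted: set = field(default_factory=set)    # reported as already in use on the link
    leases: dict = field(default_factory=dict)      # address -> client DUID

    def _assignable(self, addr, duid):
        """True if addr is in the pool and not reserved, conflicted, or taken."""
        if addr not in self.network or addr in self.reserved or addr in self.conflicted:
            return False
        if self.leases.get(addr, duid) != duid:      # used by another client
            return False
        owners = {d for d, a in self.static.items() if a == addr}
        return not owners or duid in owners          # keep specified addresses for their client

    def allocate(self, duid, requested=()):
        """Return the address chosen for this client, or None when allocation fails."""
        specified = [self.static[duid]] if duid in self.static else []
        # Candidates in page order: (a) specified for this DUID, (b) addresses
        # carried in the client's IA option, (c) any idle address in the pool.
        for addr in chain(specified, requested, self.network.hosts()):
            if self._assignable(addr, duid):
                self.leases[addr] = duid
                return addr
        return None                                  # (d) nothing can be assigned


def demo():
    """Run one case per step on constructed pools (documentation prefix)."""
    a = ipaddress.IPv6Address
    pool = AddressPool(
        network=ipaddress.IPv6Network("2001:db8:0:1::/120"),
        static={"duid-aa": a("2001:db8:0:1::10")},
        reserved={a("2001:db8:0:1::1")},             # for example, a DNS server
        conflicted={a("2001:db8:0:1::2")},
        leases={a("2001:db8:0:1::3"): "duid-bb"},
    )
    results = {
        "specified": pool.allocate("duid-aa"),
        "requested_idle": pool.allocate("duid-dd", [a("2001:db8:0:1::20")]),
        "requested_in_use": pool.allocate("duid-cc", [a("2001:db8:0:1::3")]),
        "requested_off_link": pool.allocate("duid-ee", [a("2001:db8:0:2::5")]),
    }
    small = ipaddress.IPv6Network("2001:db8:0:9::/126")
    full = AddressPool(network=small, reserved=set(small.hosts()))
    results["exhausted"] = full.allocate("duid-ff")
    return {k: (str(v) if v else None) for k, v in results.items()}


if __name__ == "__main__":
    for case, address in demo().items():
        print(f"{case}: {address}")
```

An address requested in the IA option is treated as a hint only: it is granted when it is idle and inside the pool, and otherwise the server falls back to the next idle address.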

DHCPv6 Address Lease Updating


The addresses allocated by DHCPv6 servers to DHCPv6 clients have leases. A lease is composed
of the lifetime (including the preferred lifetime and valid lifetime) and lease extension time (T1
and T2 in an IA). After the valid lifetime of an address is reached, a DHCPv6 client can no longer
use this address. Before the valid lifetime is reached, a DHCPv6 client needs to update the address
lease if it needs to continue to use this address.
To extend the valid lifetime and preferred lifetime for the addresses associated with an IA, a
DHCPv6 client sends a Renew packet to the DHCPv6 server at T1. The IA option in the Renew
packet carries the addresses whose leases need to be extended. If the DHCPv6 client does not
receive a response packet, it sends a Rebind packet at T2 to the DHCPv6 server to continue to
extend the address lease.
Figure 9-8 shows the process of updating the address lease at T1.

Figure 9-8 Process of updating the address lease at T1 (sequence between the DHCPv6 client and the DHCPv6 server: (1) Renew at T1, (2) Reply)

The process of updating the address lease at T1 is as follows:


1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1 (the
   recommended value of T1 is half the preferred lifetime).
2. A DHCPv6 server responds with a Reply packet.
   - If the DHCPv6 client can continue to use the address, the DHCPv6 server responds with
     a Reply packet indicating that the address lease is extended successfully. In addition,
     the DHCPv6 server informs the DHCPv6 client that the address lease is updated
     successfully.
   - If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a Reply
     packet indicating that address lease extension fails. In addition, the DHCPv6 server
     informs the DHCPv6 client that the DHCPv6 client cannot obtain a new address lease.

Figure 9-9 shows the process of updating the address lease at T2.
Figure 9-9 Process of updating the address lease at T2 (sequence between the DHCPv6 client and the DHCPv6 server: (1) Renew at T1, (2) Rebind at T2, (3) Reply)

The process of updating the address lease at T2 is as follows:



1. A DHCPv6 client sends a Renew packet to request to update the address lease at T1, but
   does not receive a response packet from a DHCPv6 server.
2. The DHCPv6 client multicasts a Rebind packet to all the DHCPv6 servers to request them
   to update the address lease at T2 (the recommended value of T2 is 0.8 times the preferred
   lifetime).
3. A DHCPv6 server responds with a Reply packet.
   • If the DHCPv6 client can continue to use the address, the DHCPv6 server responds with
     a Reply packet indicating that the address lease is extended successfully. In addition,
     the DHCPv6 server informs the DHCPv6 client that the address or prefix lease is
     updated successfully.
   • If the DHCPv6 client cannot use the address, the DHCPv6 server responds with a Reply
     packet indicating that address lease extension fails. In addition, the DHCPv6 server
     informs the DHCPv6 client that the DHCPv6 client cannot obtain a new address lease.

NOTE
If the DHCPv6 client does not receive a response packet from the DHCPv6 server, the DHCPv6
client stops using this address after the valid lifetime is reached.
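
The T1, T2 and valid-lifetime rules above determine how long a DHCPv6 server can be unreachable before clients lose their addresses. The following Python model is an added example, not code from the device or from Huawei; it uses the recommended T1 and T2 ratios from the text, and the class, the function names and the sample lifetimes are assumptions made for illustration.

```python
"""DHCPv6 lease phases from the T1/T2 description (added example, not device code)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

T1_RATIO = Fraction(1, 2)  # recommended T1: half the preferred lifetime
T2_RATIO = Fraction(4, 5)  # recommended T2: 0.8 times the preferred lifetime


@dataclass(frozen=True)
class Lease:
    """Lifetimes in seconds; None stands for the `infinite` keyword."""
    preferred: Optional[int]
    valid: Optional[int]

    def __post_init__(self):
        # A preferred lifetime longer than the valid lifetime is not a usable lease.
        if self.valid is not None and (self.preferred is None or self.preferred > self.valid):
            raise ValueError("preferred lifetime must not exceed valid lifetime")

    @property
    def t1(self) -> Optional[int]:
        return None if self.preferred is None else int(self.preferred * T1_RATIO)

    @property
    def t2(self) -> Optional[int]:
        return None if self.preferred is None else int(self.preferred * T2_RATIO)

    def phase(self, age: int) -> str:
        """What the client does `age` seconds after the last successful Reply."""
        if self.valid is not None and age >= self.valid:
            return "expired"      # the client stops using the address
        if self.t2 is not None and age >= self.t2:
            return "rebinding"    # Rebind, multicast to all DHCPv6 servers
        if self.t1 is not None and age >= self.t1:
            return "renewing"     # Renew, sent to the DHCPv6 server
        return "bound"


def outage_outcome(lease: Lease, age_at_start: int, outage: int) -> str:
    """Effect of a server outage on one client.

    age_at_start: lease age in seconds when the server becomes unreachable.
    outage: how long the server stays unreachable, in seconds.
    Assumption: the client keeps retransmitting within each phase, so the
    first message it sends after the server returns is answered.
    """
    phase_when_back = lease.phase(age_at_start + outage)
    return {
        "bound": "unnoticed",
        "renewing": "recovered-by-renew",
        "rebinding": "recovered-by-rebind",
        "expired": "address-lost",
    }[phase_when_back]


def worst_case_tolerable_outage(lease: Lease) -> Optional[int]:
    """Outages shorter than this never cost a client its address.

    With a healthy server every client renews at T1, so no lease is older
    than T1 when the outage begins; valid - T1 seconds then remain.
    """
    if lease.valid is None:
        return None  # infinite valid lifetime: the address never expires
    return lease.valid - lease.t1


if __name__ == "__main__":
    lease = Lease(preferred=3600, valid=7200)  # constructed sample lifetimes
    print("T1 =", lease.t1, "T2 =", lease.t2)
    for age in (0, 1800, 2880, 7200):
        print(f"age {age:>5}s -> {lease.phase(age)}")
    print("tolerable outage:", worst_case_tolerable_outage(lease), "s")
    print(outage_outcome(lease, age_at_start=1700, outage=5500))
```
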

IP Address Reservation
The DHCPv6 server supports reserved IPv6 addresses that cannot be dynamically allocated. For
example, an IPv6 address can be reserved for a DNS server.

9.3 Application
9.3.1 Typical Networking of the DHCPv6 Server
Figure 9-10 shows a typical networking of the DHCPv6 server.
Figure 9-10 Networking of the DHCPv6 server
[Figure: a DHCPv6 client connected to the DHCPv6 server.]

The device functions as the DHCPv6 server to assign IPv6 addresses to clients. The DHCPv6
client applies to the DHCPv6 server for configurations including an IPv6 address and DNS server
address. The DHCPv6 server replies with related configurations according to policies.
The DHCPv6 server assigns a complete IPv6 address to a host and provides other configuration
parameters such as the DNS server address. The DHCPv6 server also provides stateless DHCPv6
services. That is, the DHCPv6 server does not assign IPv6 addresses but provides hosts with
configuration parameters such as the DNS server address and domain name. Hosts automatically
configure IPv6 addresses based on RA messages. This overcomes the limitations of IPv6
stateless address autoconfiguration.

9.3.2 Typical Networking of the DHCPv6 PD Server


Figure 9-11 shows a typical networking of the DHCPv6 PD server.
Figure 9-11 Networking of the DHCPv6 PD server
[Figure: RouterA is the DHCPv6 PD server and RouterB is the DHCPv6 PD client; the hosts shown are IPv6 HostA, IPv6 HostB and IPv6 HostC.]

The device functions as the DHCPv6 PD server to assign IPv6 address prefixes to DHCPv6 PD
clients.
The DHCPv6 PD mechanism allows RouterB to function as a DHCPv6 PD client to request
IPv6 prefixes from the DHCPv6 PD server and allows the DHCPv6 PD server to assign prefixes
to RouterB. In this way, RouterB does not need to assign IPv6 prefixes for user-side links.
RouterB divides the obtained prefix (the length of the obtained prefix is smaller than 64 bits)
into 64-bit subnet prefixes and sends an RA message on each link that hosts directly connect
to. The RA message contains the 64-bit subnet prefix. This enables hosts to automatically
configure addresses.

9.3.3 Typical Networking of the DHCPv6 Relay Agent


Figure 9-12 shows a typical networking of the DHCPv6 relay agent.
Figure 9-12 Networking of the DHCPv6 relay agent
[Figure: DHCPv6 client, DHCPv6 relay, Internet, DHCPv6 server.]

When the device functions as a DHCPv6 relay agent, the client can communicate with a DHCPv6
server on another network segment through the DHCPv6 relay agent and obtain an IPv6 address
and other configuration parameters from the global address pool on the DHCPv6 server. In this
manner, DHCPv6 clients on multiple network segments can share one DHCPv6 server. This
reduces costs and facilitates centralized management.

9.3.4 Typical Networking of the DHCPv6 Client


Figure 9-13 shows a typical networking of the DHCPv6 client.
Figure 9-13 Networking of the DHCPv6 client
[Figure: RouterA and RouterB are DHCPv6 clients; RouterC is the DHCPv6 server.]

When the DHCPv6 client function is configured on the Layer 3 interface of the device, the device
dynamically obtains IPv6 addresses and other network configuration parameters from the
DHCPv6 server. This operation facilitates user configurations and centralized management.

9.3.5 Typical Networking of the DHCPv6 PD Client


Figure 9-14 shows a typical networking of the DHCPv6 PD client.
Figure 9-14 Networking of the DHCPv6 PD client
[Figure: Router A and Router B, one acting as DHCPv6 PD client and the other as DHCPv6 PD server, each labelled with interface GE0/0/1; the hosts shown are IPv6 HostA, IPv6 HostB and IPv6 HostC.]

When the DHCPv6 PD client function is configured on the Layer 3 interface of the device, the
device dynamically obtains IPv6 addresses and other network configuration parameters from the
DHCPv6 PD server. This operation facilitates user configurations and centralized management.
The device divides the obtained IPv6 prefix (the length of the obtained prefix is smaller than 64
bits) into 64-bit subnet prefixes and sends an RA message on each link that hosts directly
connect to. The RA message contains the 64-bit subnet prefix. This enables hosts to
automatically configure addresses.
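
The division of a delegated prefix into 64-bit subnet prefixes, described here and in 9.3.2, can be worked through as follows. This Python code is an added example and not taken from the device software; the delegated prefix comes from the 2001:db8::/32 documentation range, the link names other than GE0/0/1 and the MAC address are constructed, and the modified EUI-64 interface identifier is one common way (assumed here) for a host to form its address from the RA prefix.

```python
"""Splitting a delegated prefix into /64 subnets (added example, not device code)."""
from __future__ import annotations

import ipaddress


def plan_subnets(delegated: str, links: list[str]) -> dict[str, ipaddress.IPv6Network]:
    """Give each user-side link its own /64 out of the delegated prefix."""
    prefix = ipaddress.IPv6Network(delegated)  # raises ValueError if host bits are set
    if prefix.prefixlen > 64:
        raise ValueError(f"{prefix} is longer than /64 and cannot hold a 64-bit subnet prefix")
    if len(set(links)) != len(links):
        raise ValueError("link names must be unique")
    capacity = 2 ** (64 - prefix.prefixlen)
    if len(links) > capacity:
        raise ValueError(f"{prefix} holds only {capacity} /64 subnets, {len(links)} requested")
    subnets = prefix.subnets(new_prefix=64)  # generator: nothing is enumerated up front
    return {link: next(subnets) for link in links}


def eui64_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from the RA prefix with a modified EUI-64 interface ID."""
    if subnet.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle of the MAC.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return subnet.network_address + int.from_bytes(iid, "big")


def outside_delegation(delegated: str, advertised: list[str]) -> list[ipaddress.IPv6Network]:
    """Audit check: advertised prefixes that do not lie inside the delegated prefix."""
    parent = ipaddress.IPv6Network(delegated)
    nets = [ipaddress.IPv6Network(p) for p in advertised]
    return [net for net in nets if not net.subnet_of(parent)]


if __name__ == "__main__":
    delegated = "2001:db8:1200::/56"              # constructed delegated prefix
    links = ["GE0/0/1", "GE0/0/2", "Vlanif10"]    # constructed user-side links
    plan = plan_subnets(delegated, links)
    for link, net in plan.items():
        print(f"{link:<10} advertises {net} in RA messages")
    print(eui64_address(plan["GE0/0/2"], "00e0-fc12-3456"))
    print(outside_delegation(delegated, ["2001:db8:1200:5::/64", "2001:db8:1300::/64"]))
```
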

9.4 Default Configuration


This section provides default DHCPv6 configurations.

Table 1 DHCPv6 default configuration


Parameter                                             Default Value
DHCPv6 function                                       Disabled
DHCPv6 DUID                                           Based on the link-layer (LL) address
Time for updating IPv6 address pool configurations    86400s (24 hours)

9.5 Configuring DHCPv6


9.5.1 Configuring a DHCPv6 Server
You can configure a DHCPv6 server to dynamically assign configuration information such as
IPv6 addresses to DHCPv6 clients.

Pre-configuration Tasks
Before configuring the DHCPv6 server, complete the following tasks:
• Ensuring that the link between the DHCPv6 client and the router works properly and the
  DHCPv6 client can communicate with the router
• (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
  the router and DHCPv6 relay agent or client

Configuration Process
The configuration tasks are performed in sequence.

9.5.1.1 Configuring the DHCPv6 DUID



Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.
----End

9.5.1.2 Configuring an IPv6 Address Pool


Context
To implement the DHCPv6 function, you need to create an IPv6 address pool and configure its
attributes including the IPv6 address range, IPv6 configuration update time, IPv6 addresses not
to be automatically allocated, and IP addresses to be statically bound to clients. IPv6 addresses
can be dynamically assigned or statically bound to clients based on client requirements.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 Run:
address prefix ipv6-prefix/ipv6-prefix-length [ life-time { valid-lifetime | infinite } { preferred-lifetime | infinite } ]

An IPv6 address prefix is bound to the address pool.


By default, no IPv6 address prefix is bound to the address pool.
Step 4 (Optional) Run:
static-bind address ipv6-address duid client-duid [ iaid iaid ] [ life-time { valid-lifetime | infinite } { preferred-lifetime | infinite } ]


The IPv6 address is statically bound to the client DUID.


By default, no IPv6 address is bound to client DUID in the address pool view.
To statically assign specified IPv6 addresses to some specific clients, specify the mapping
between IPv6 addresses and client DUIDs. When such a client requests an IPv6 address from
the DHCPv6 server, the device functioning as the DHCPv6 server assigns the specified IPv6
address to the client.
Configure the specified IPv6 addresses to be assigned only to the clients with specified DUIDs.
Step 5 (Optional) Run:
excluded-address start-ipv6-address [ to end-ipv6-address ]

The range of the IPv6 addresses that cannot be automatically assigned is specified in the IPv6
address pool. If only one IPv6 address is not automatically assigned, you can specify only the
value of start-ipv6-address.
By default, all IPv6 addresses in the address pool can be automatically assigned to clients.
Step 6 (Optional) Run:
information-refresh time

The time is configured for updating configuration parameters assigned to clients through
stateless DHCPv6 address autoconfiguration.
By default, the time for updating IPv6 address pool configuration is 86400s (24 hours).
----End

9.5.1.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool

Context
To successfully connect DHCPv6 clients to the Internet, the DHCPv6 server needs to specify
network service configurations such as the DNS server address and SIP server address when
assigning IPv6 addresses to the clients. The DHCPv6 server dynamically allocates
carrier-assigned configurations such as the DNS server address and SIP server address to DHCPv6
clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 In the IPv6 address pool view, you can run one or more of the following commands to
configure network server addresses.

1. Run:
dns-server ipv6-address

The DNS server address is configured for the DHCPv6 address pool.

2. Run:
dns-domain-name dns-domain-name

The DNS domain name suffix allocated by the DHCPv6 server to the client is configured.

3. Run:
sip-server ipv6-address

The SIP server IPv6 address is configured for the DHCPv6 address pool.

4. Run:
sip-domain-name sip-domain-name

The SIP domain name suffix allocated by the DHCPv6 server to the client is configured.

5. Run:
nis-server ipv6-address

The NIS server IPv6 address is configured for the DHCPv6 address pool.

6. Run:
nis-domain-name nis-domain-name

The NIS domain name suffix allocated by the DHCPv6 server to the client is configured.

7. Run:
nisp-server ipv6-address

The NISP server IPv6 address is configured for the DHCPv6 address pool.

8. Run:
nisp-domain-name nisp-domain-name

The NISP domain name suffix allocated by the DHCPv6 server to the client is configured.

9. Run:
sntp-server ipv6-address

The SNTP server IPv6 address is configured for the DHCPv6 address pool.

NOTE
By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6 address
pool.

----End

9.5.1.4 (Optional) Configuring the Options of an IPv6 Address Pool


Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined Option
field, the client can obtain the configuration information in the Option field of the DHCPv6 reply
packet from the server when a DHCPv6 client applies for an IPv6 address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 Run:
vendor-specific vendor-id

Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.
By default, no vendor-defined option is configured. A maximum of eight vendor-defined options
can be configured for one IPv6 address pool.
vendor-id indicates the vendor identifier ID, which is assigned by the IANA. The identifier ID
of Huawei is 2011.
Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string | hex hex-string }

Vendor-defined DHCPv6 sub-options are configured in the vendor-defined mode view.


A maximum of 16 vendor-defined sub-options can be configured in the vendor-defined mode
view.
----End

9.5.1.5 (Optional) Configuring the DHCPv6 Data Saving Function


Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the DHCPv6
data saving function to prevent data loss caused by device faults. After the DHCPv6 data saving
function is enabled, the device periodically saves DHCPv6 data. The data includes the last data
recording time, address pool name, client DUID, IAID, address and prefix bound to the client
DUID and IAID, conflicted address, and address detection time.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 server database url [ write-delay interval ]


The DHCPv6 data saving function is configured.


By default, the DHCPv6 data saving function is disabled.
You can specify write-delay to modify the DHCPv6 data saving interval. By default, the device
saves DHCPv6 data every 86400 seconds.
----End

9.5.1.6 Enabling the DHCPv6 Server Function on an Interface


Context
The DHCPv6 server function is enabled on an interface after an IPv6 address pool is bound to
the interface. When the DHCPv6 server receives a DHCPv6 request from a DHCPv6 client, it
selects an idle IPv6 address from the bound IPv6 address pool and allocates the IPv6 address to
the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
Step 3 Run:
ipv6

IPv6 is enabled in the system view.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


Layer 3 GE interfaces and sub-interfaces, Layer 3 Ethernet interfaces and sub-interfaces, Layer
3 Eth-Trunk interfaces and sub-interfaces, and VLANIF interfaces on the router can work in
DHCPv6 server mode.
Step 5 Run:
ipv6 enable

IPv6 is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

A global unicast IPv6 address is configured for the interface.


Step 7 Run:
dhcpv6 server pool-name [ allow-hint | preference preference-value | rapid-commit | unicast ] *

The DHCPv6 server function is enabled on the interface.


----End

9.5.1.7 Checking the Configuration


Procedure
• Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on the
  network.
• Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
  [ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
  IPv6 address pool configurations.
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
  interface-number ] ] command to check information about the DHCPv6 server function.

----End

9.5.2 Configuring a DHCPv6 PD Server


You can configure a DHCPv6 PD server to dynamically assign configuration information such
as IPv6 addresses to DHCPv6 PD clients.

Pre-configuration Tasks
Before configuring the DHCPv6 PD server, complete the following tasks:
• Ensuring that the link between the DHCPv6 client and the router works properly and the
  DHCPv6 client can communicate with the router
• (Optional) In the scenario where the DHCPv6 relay exists, configuring the route between
  the router and DHCPv6 relay agent or client

Configuration Logic
The configuration tasks are performed in sequence.

9.5.2.1 Configuring the DHCPv6 DUID


Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.
----End

9.5.2.2 Configuring an IPv6 PD Address Pool


Context
IPv6 PD address pool refers to an IPv6 address pool used by a DHCPv6 server to assign IPv6
address prefixes to DHCPv6 clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 PD address pool is created and the address pool view is displayed.
By default, no IPv6 PD address pool is created on the device.
Step 3 Run:
prefix-delegation ipv6-prefix/ipv6-prefix-length assign-prefix-length [ life-time { valid-lifetime | infinite } { preferred-lifetime | infinite } ]

An IPv6 address prefix agent is bound to the IPv6 address pool.


By default, no IPv6 address prefix agent is bound to the IPv6 address pool.
Step 4 (Optional) Run:
static-bind prefix ipv6-prefix/ipv6-prefix-length duid client-duid [ iaid iaid-value ] [ life-time { valid-lifetime | infinite } { preferred-lifetime | infinite } ]

An IPv6 address prefix agent is statically bound to the DHCPv6 PD client in the address pool
view.
By default, no IPv6 address prefix agent is bound to the DHCPv6 PD client.
To statically assign specified IPv6 address prefixes to some specific clients, specify the mapping
between IPv6 address prefixes and client DUIDs. When such a client requests an IPv6 address
from the DHCPv6 PD server, the device functioning as the DHCPv6 PD server assigns the
specified IPv6 address to the client.
Configure the specified IPv6 address prefixes to be assigned only to the clients with specified
DUIDs.
----End
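
The dhcpv6 duid { ll | llt } choice and the static-bind ... duid client-duid bindings in 9.5.1.2 and 9.5.2.2 both depend on what a DUID contains. The following Python code is an added example, not the device's implementation; it builds and parses DUIDs in the standard DHCPv6 layout, and the MAC address, timestamps and function names are constructed for illustration.

```python
"""DUID-LL versus DUID-LLT layout (added example, not device code)."""
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # time base of DUID-LLT
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3                    # DUID type codes
HW_ETHERNET = 1                                         # hardware type for Ethernet
NAMES = {DUID_LLT: "DUID-LLT", DUID_EN: "DUID-EN", DUID_LL: "DUID-LL"}


def _mac(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw


def build_duid_ll(mac: str) -> bytes:
    """ll: type, hardware type, link-layer address. Stable for a given MAC."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + _mac(mac)


def build_duid_llt(mac: str, created: datetime) -> bytes:
    """llt: as ll, plus the time the DUID was generated (seconds since 2000-01-01 UTC)."""
    seconds = int((created - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, seconds) + _mac(mac)


def parse_duid(duid_hex: str) -> dict:
    """Decode a DUID given as a hex string, for reading binding tables and logs."""
    raw = bytes.fromhex(duid_hex)
    if not 3 <= len(raw) <= 130:
        raise ValueError("a DUID is a 2-byte type code plus 1 to 128 bytes")
    (dtype,) = struct.unpack_from("!H", raw)
    body = raw[2:]
    out = {"type": NAMES.get(dtype, f"unknown({dtype})"), "link_layer": None, "time": None}
    if dtype == DUID_LL:
        if len(body) < 3:
            raise ValueError("truncated DUID-LL")
        out["link_layer"] = body[2:].hex(":")
    elif dtype == DUID_LLT:
        if len(body) < 7:
            raise ValueError("truncated DUID-LLT")
        _hw, seconds = struct.unpack_from("!HI", body)
        out["time"] = DUID_EPOCH + timedelta(seconds=seconds)
        out["link_layer"] = body[6:].hex(":")
    elif dtype == DUID_EN:
        if len(body) < 5:
            raise ValueError("truncated DUID-EN")
        out["enterprise"] = struct.unpack_from("!I", body)[0]
    return out


def matches_binding(bound_duid_hex: str, client_duid_hex: str) -> bool:
    """DUIDs are opaque identifiers: a binding matches only on the whole value."""
    return bytes.fromhex(bound_duid_hex) == bytes.fromhex(client_duid_hex)


def same_link_layer(a_hex: str, b_hex: str) -> bool:
    """True when both DUIDs embed the same link-layer address."""
    a, b = parse_duid(a_hex)["link_layer"], parse_duid(b_hex)["link_layer"]
    return a is not None and a == b


if __name__ == "__main__":
    mac = "00e0-fc12-3456"  # constructed MAC address
    ll = build_duid_ll(mac).hex()
    first = build_duid_llt(mac, datetime(2014, 1, 16, tzinfo=timezone.utc)).hex()
    regenerated = build_duid_llt(mac, datetime(2014, 1, 17, tzinfo=timezone.utc)).hex()
    print("ll :", ll, parse_duid(ll))
    print("llt:", first, parse_duid(first))
    # Same hardware, but a regenerated llt DUID no longer matches a binding
    # that was configured with the earlier value.
    print(same_link_layer(first, regenerated), matches_binding(first, regenerated))
```
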

9.5.2.3 (Optional) Configuring Network Server Addresses for the IPv6 Address Pool

Context
To successfully connect DHCPv6 clients to the Internet, the DHCPv6 server needs to specify
network service configurations such as the DNS server address and SIP server address when
assigning IPv6 addresses to the clients. The DHCPv6 server dynamically allocates
carrier-assigned configurations such as the DNS server address and SIP server address to DHCPv6
clients.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 In the IPv6 address pool view, you can run one or more of the following commands to
configure network server addresses.

1. Run:
dns-server ipv6-address

The DNS server address is configured for the DHCPv6 address pool.

2. Run:
dns-domain-name dns-domain-name

The DNS domain name suffix allocated by the DHCPv6 server to the client is configured.

3. Run:
sip-server ipv6-address

The SIP server IPv6 address is configured for the DHCPv6 address pool.

4. Run:
sip-domain-name sip-domain-name

The SIP domain name suffix allocated by the DHCPv6 server to the client is configured.

5. Run:
nis-server ipv6-address

The NIS server IPv6 address is configured for the DHCPv6 address pool.

6. Run:
nis-domain-name nis-domain-name

The NIS domain name suffix allocated by the DHCPv6 server to the client is configured.

7. Run:
nisp-server ipv6-address

The NISP server IPv6 address is configured for the DHCPv6 address pool.

8. Run:
nisp-domain-name nisp-domain-name

The NISP domain name suffix allocated by the DHCPv6 server to the client is configured.

9. Run:
sntp-server ipv6-address

The SNTP server IPv6 address is configured for the DHCPv6 address pool.

NOTE
By default, DNS, SIP, NIS, NISP, and SNTP server addresses are not configured for the IPv6 address
pool.

----End

9.5.2.4 (Optional) Configuring the Options of an IPv6 Address Pool


Context
DHCPv6 provides various options. To use these options, add them to the attribute list of the
DHCPv6 server manually. If the DHCPv6 server is configured with the vendor-defined Option
field, the client can obtain the configuration information in the Option field of the DHCPv6 reply
packet from the server when a DHCPv6 client applies for an IPv6 address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 pool pool-name

An IPv6 address pool is created and the address pool view is displayed.
By default, no IPv6 address pool is created on the device.
Step 3 Run:
vendor-specific vendor-id

Vendor-defined options are configured for the IPv6 address pool and the vendor-defined mode
view is displayed.
By default, no vendor-defined option is configured. A maximum of eight vendor-defined options
can be configured for one IPv6 address pool.
vendor-id indicates the vendor identifier ID, which is assigned by the IANA. The identifier ID
of Huawei is 2011.
Step 4 Run:
suboption suboption-code { address ipv6-address &<1-4> | ascii ascii-string | hex hex-string }

Vendor-defined DHCPv6 sub-options are configured in the vendor-defined mode view.


A maximum of 16 vendor-defined sub-options can be configured in the vendor-defined mode view.
----End

9.5.2.5 (Optional) Configuring the DHCPv6 Data Saving Function


Context
When the device functions as a DHCPv6 or DHCPv6 PD server, you can configure the DHCPv6
data saving function to prevent data loss caused by device faults. After the DHCPv6 data saving
function is enabled, the device periodically saves DHCPv6 data. The data includes the last data
recording time, address pool name, client DUID, IAID, address and prefix bound to the client
DUID and IAID, conflicted address, and address detection time.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 server database url [ write-delay interval ]

The DHCPv6 data saving function is configured.


By default, the DHCPv6 data saving function is disabled.
You can specify write-delay to modify the DHCPv6 data saving interval. By default, the device
saves DHCPv6 data every 86400 seconds.
----End

9.5.2.6 Enabling the DHCPv6 PD Server Function on an Interface


Context
Enabling the DHCPv6 PD server function on an interface is to bind an IPv6 PD address pool to
the interface. When the DHCPv6 PD server receives a DHCPv6 request packet from a DHCPv6
PD client, it selects an appropriate address prefix and allocates the address prefix to the client.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.

Step 3 Run:
ipv6

IPv6 is enabled in the system view.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


Layer 3 GE interfaces and sub-interfaces, VLANIF interfaces, Layer 3 Ethernet interfaces and
sub-interfaces, and Layer 3 Eth-Trunk interfaces and sub-interfaces on the router can work in
DHCPv6 PD server mode.
Step 5 Run:
ipv6 enable

IPv6 is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

A global unicast IPv6 address is configured for the interface.


Step 7 Run:
dhcpv6 server pool-name [ allow-hint | preference preference-value | rapid-commit | unicast ] *

The DHCPv6 PD server function is enabled on the interface.


----End

9.5.2.7 Checking the Configuration


Procedure
• Run the display dhcpv6 duid command to check the DUID of the DHCPv6 device on the
  network.
• Run the display dhcpv6 pool pool-name [ allocated { address | prefix } | binding
  [ duid ] | conflict address | ipv6-address | ipv6-prefix/prefix-length ] command to check
  IPv6 address pool configurations.
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
  interface-number ] ] command to check information about the DHCPv6 server function.

----End

9.5.3 Configuring a DHCPv6 Relay Agent


A DHCPv6 relay agent enables the DHCPv6 client and server on different links to exchange
DHCPv6 messages. The DHCPv6 relay agent forwards DHCP messages to the destination
DHCPv6 server on a different network segment. DHCPv6 clients on multiple networks can share
one DHCPv6 server.

Pre-configuration Tasks
Before configuring the DHCPv6 relay agent, complete the following tasks:
• Configuring the peer DHCPv6 server

  NOTE
  If the router functions as a DHCPv6 server, see 9.5.1 Configuring a DHCPv6 Server for detailed
  configurations.

• Configuring a route from the router to the DHCPv6 server

9.5.3.1 Configuring the DHCPv6 DUID


Context
The DUID identifies a DHCPv6 device. Each DHCPv6 server or client has a unique DUID.
DHCPv6 servers use DUIDs to identify DHCPv6 clients and DHCPv6 clients use DUIDs to
identify DHCPv6 servers.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.


By default, the device generates a DUID based on the link-layer (LL) address.
----End

9.5.3.2 Enabling the DHCPv6 Relay Function


Context
You can enable the DHCPv6 relay function on an interface of the router and set the IPv6 address
of the DHCPv6 server or the next-hop relay agent.
Multiple DHCPv6 relays can be connected between the DHCPv6 client and server. If the device
functions as a DHCPv6 relay and the peer is connected to the DHCPv6 server, you must specify
the IPv6 address for the DHCPv6 server when enabling the DHCPv6 relay. If the peer is
connected to the next-hop relay, you must specify the IPv6 address for the next-hop relay and
specify the IPv6 address for the peer DHCPv6 server or next-hop relay on the next-hop relay.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable


DHCP is enabled.
Step 3 Run:
ipv6

The IPv6 packet forwarding function is enabled.


Step 4 Run:
interface interface-type interface-number

The interface view is displayed.


Layer 3 GE interfaces and sub-interfaces, VLANIF interfaces, Layer 3 Ethernet interfaces and
sub-interfaces, and Layer 3 Eth-Trunk interfaces and sub-interfaces on the router can work in
DHCPv6 relay mode.
Step 5 Run:
ipv6 enable

The IPv6 packet forwarding function is enabled.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the interface.


Step 7 Run:
dhcpv6 relay destination ipv6-address

The DHCPv6 relay function is enabled on the interface and the IPv6 address of the DHCPv6
server or next-hop relay agent is configured.
By default, the DHCPv6 relay function is disabled on an interface.
The configured IPv6 address must be a global unicast IPv6 address or a unique local IPv6
address. The DHCPv6 relay sends relay packets to the configured IPv6 address by searching for
a route.
If the peer of the DHCPv6 relay is connected to multiple DHCPv6 servers or next-hop relays,
you must repeat this step. The device supports a maximum of eight DHCPv6 servers or next-hop
relays.
----End

Follow-up Procedure
For clients (such as PCs) that automatically obtain IPv6 addresses based on IPv6 RA packets by
default, flags in RA messages need to be configured on the client gateways so that the clients
can obtain IPv6 addresses using DHCPv6. When the device functions as the client gateway,
perform the following steps:
1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.

3. Run:
undo ipv6 nd ra halt

The RA packet sending function is enabled on the device.
By default, the RA packet sending function is disabled.

4. Run:
ipv6 nd autoconfig managed-address-flag

The managed address configuration flag (M flag) of stateful autoconfiguration in an RA
packet is configured.
By default, the M flag in the RA packet is not configured.

5. Run:
ipv6 nd autoconfig other-flag

The other flag (O flag) of stateful autoconfiguration in an RA packet is configured.
By default, the O flag in the RA packet is not configured.
After the M flag and O flag of stateful autoconfiguration in the RA packet are configured,
the client can obtain an IPv6 address using DHCPv6.
NOTE

When the Huawei AR150&200&1200&2200&3200 Series functions as the DHCPv6 client, flags in RA
messages do not need to be configured on gateways. You can run the ipv6 address auto dhcp command
to configure the clients to automatically obtain IPv6 addresses and other network configuration parameters
using DHCPv6.

9.5.3.3 (Optional) Configuring the Remote ID


Context
The remote ID carries information about a client and identifies a client. The DHCPv6 server can
determine address allocation, parameter setting, and prefix agent according to the remote ID. The
format of the remote ID is defined by the vendor. Usually, the remote ID carries the phone
number of the caller in a dialup connection, user name, IP address of the peer in a point-to-point
connection, and access interface. The maximum length of the remote ID is 247 bytes.
When functioning as the DHCPv6 relay, the router processes the remote ID in the following
way:
l

When receiving a message from a DHCPv6 client, the router adds the Remote-ID option
in the Relay-forward message.

If the Relay-Reply message received by the router from the DHCPv6 server contains the
remote ID, the router removes the remote ID from the Relay-Reply message before
forwarding it to DHCPv6 clients or other relay agents.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcpv6 remote-id format { default | user-defined text }

The format of the remote ID in DHCPv6 messages is set.


By default, the remote ID in DHCPv6 messages is in default format.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Layer 3 GE interfaces and sub-interfaces, VLANIF interfaces, Layer 3 Ethernet interfaces and
sub-interfaces, Layer 3 Eth-Trunk interfaces and sub-interfaces on the router can work in
DHCPv6 relay mode.
Step 4 Run:
dhcpv6 remote-id insert enable

The function of appending the remote ID to DHCPv6 relay packets is enabled.


----End
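
The remote ID handling described in this section, modelled in Python as an added example (not Huawei code): a relay wraps a client message in a Relay-forward carrying a Remote-ID option (option 37, RFC 4649) and removes that option from a Relay-reply before passing it on. The enterprise number 32473 (reserved for documentation), the remote ID text, the addresses and the sample Solicit are constructed values, and applying the 247-byte limit to the remote-id field alone is an assumption.

```python
import ipaddress
import struct

# Message types and option codes from RFC 3315 and RFC 4649.
RELAY_FORW, RELAY_REPL = 12, 13
OPT_RELAY_MSG, OPT_REMOTE_ID = 9, 37
MAX_REMOTE_ID = 247  # limit stated in this guide; assumed to cover the remote-id field

# Constructed sample: a Solicit (type 1, transaction ID 0xabcdef) carrying only a
# Client Identifier option (code 1) with a DUID-LL built from a made-up MAC address.
SAMPLE_SOLICIT = bytes.fromhex("01abcdef" "0001000a" "00030001" "02005e005301")


def pack_option(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Split an option area into (code, data) pairs and reject truncated input."""
    opts, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns the message" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def build_relay(msg_type, link_addr, peer_addr, inner, enterprise=None, remote_id=b""):
    """Build a Relay-forward or Relay-reply; add Remote-ID when enterprise is given."""
    if len(remote_id) > MAX_REMOTE_ID:
        raise ValueError("remote ID longer than %d bytes" % MAX_REMOTE_ID)
    msg = struct.pack("!BB", msg_type, 0)  # hop-count 0: first relay on the path
    msg += ipaddress.IPv6Address(link_addr).packed
    msg += ipaddress.IPv6Address(peer_addr).packed
    msg += pack_option(OPT_RELAY_MSG, inner)
    if enterprise is not None:
        msg += pack_option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)
    return msg


def parse_relay(msg):
    """Return (msg_type, 34-byte fixed header, options) of a relay message."""
    if len(msg) < 34 or msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a DHCPv6 relay message")
    return msg[0], msg[:34], parse_options(msg[34:])


def remote_id_of(msg):
    """Return (enterprise-number, remote-id) or None when the option is absent."""
    for code, data in parse_relay(msg)[2]:
        if code == OPT_REMOTE_ID:
            if len(data) < 4:
                raise ValueError("Remote-ID option shorter than its enterprise-number")
            return struct.unpack("!I", data[:4])[0], data[4:]
    return None


def strip_remote_id(reply):
    """Relay-side step: drop Remote-ID from a Relay-reply before forwarding it."""
    msg_type, header, opts = parse_relay(reply)
    if msg_type != RELAY_REPL:
        raise ValueError("expected a Relay-reply")
    return header + b"".join(pack_option(c, d) for c, d in opts if c != OPT_REMOTE_ID)


def inner_message(msg):
    """Return the encapsulated client/server message from the Relay Message option."""
    inner = [d for c, d in parse_relay(msg)[2] if c == OPT_RELAY_MSG]
    if len(inner) != 1:
        raise ValueError("expected exactly one Relay Message option")
    return inner[0]


if __name__ == "__main__":
    fwd = build_relay(RELAY_FORW, "2000::1", "fe80::1", SAMPLE_SOLICIT,
                      32473, b"GE1/0/0 user-42")
    print("Relay-forward:", fwd.hex())
    print("Remote-ID seen by the server:", remote_id_of(fwd))
```

Because the server may base address and prefix decisions on this value, the parser rejects options whose length field runs past the end of the message instead of reading them loosely.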

9.5.3.4 (Optional) Configuring Rate Limit of DHCPv6 Messages


Context
To protect the router against attacks in which clients or relay agents send a large number of
messages, the router can limit the rate of DHCPv6 messages to be forwarded.
After rate limit of DHCPv6 messages is enabled, DHCPv6 messages are discarded when the
rate of DHCPv6 messages exceeds the limit. When the number of discarded DHCPv6 messages
exceeds the threshold, the router can generate an alarm.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dhcp enable

DHCP is enabled.
Step 3 Run:
dhcpv6 packet-rate packet-rate

Rate limit of DHCPv6 packets is enabled and the rate threshold is configured.
By default, rate limit of DHCPv6 messages is disabled on the router.
Step 4 Run:
dhcpv6 packet-rate drop-alarm enable

The function of generating logs is enabled on the device.


After the function of generating logs is enabled, if the number of DHCPv6 messages that pass
through the router every second exceeds the rate limit, they are discarded. By default, the device
generates a log when the number of discarded DHCPv6 messages exceeds 100.
Step 5 Run:
dhcpv6 packet-rate drop-alarm threshold threshold

The log threshold is set for the number of DHCPv6 messages that are discarded because the
DHCPv6 message rate exceeds the rate threshold.
----End

9.5.3.5 Checking the Configuration


Procedure
• Run the display dhcpv6 relay [ statistics ] [ interface interface-type interface-number ]
command to check the interface configuration of the DHCPv6 relay agent function.
• Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check the packet statistics of the DHCPv6 relay agent function.

----End

9.5.4 Configuring the DHCPv6 Client Function


When the DHCPv6 client function is configured on the WAN-side Layer 3 interface or subinterface of the router, the router dynamically obtains IPv6 addresses and other configuration
parameters from the DHCPv6 server. This operation facilitates user configurations and
management.

Pre-configuration Tasks
Before configuring the DHCPv6 client function, complete the following tasks:
• Configuring a DHCPv6 server
• Configuring the DHCPv6 relay agent as service requires
• Configuring the route between the router and DHCPv6 relay agent or server

Procedure
• Configure IPv6 functions on interfaces.

1. Run:
system-view

The system view is displayed.

2. Run:
ipv6

The device is enabled to forward IPv6 unicast packets.

3. Run:
interface interface-type interface-number

The interface view is displayed.


4. Run:
ipv6 enable

IPv6 is enabled on the interface.


5. Run:
ipv6 address auto link-local

The link-local address is manually configured for a specified interface.

6. Run:
ipv6 address auto global default

The device learns the default route by RA packets.

By default, the device is disabled from learning the default route by RA packets.
• Configure the DHCPv6 client to request an IPv6 address

1. Run:
system-view

The system view is displayed.

2. Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.

By default, the device generates a DUID based on the link-layer (LL) address.

3. Run:
dhcp enable

The DHCP function is enabled on the device.

4. Run:
interface interface-type interface-number

The interface view is displayed.

WAN-side Layer 3 interfaces and Layer 3 sub-interfaces on the router can work in
DHCP client mode.

5. Run:
ipv6 address auto dhcp [ rapid-commit ]

The DHCPv6 client is enabled and stateful DHCPv6 address autoconfiguration is used
to assign an IPv6 address and other configuration parameters (IPv6 addresses of the
DNS server and SNTP server) to the client.

Or run:
dhcpv6 client information-request

The DHCPv6 client is enabled and stateless DHCPv6 address autoconfiguration is
used to assign configuration parameters (not including IPv6 addresses) to the client.

If two-message exchange is enabled on the DHCPv6 client and server, the server
assigns an IPv6 address and other configuration parameters to the client using the
two-message exchange method. Otherwise, the server assigns an IP address and other
configuration parameters to the client using the four-message exchange method.

NOTE

To modify the DHCPv6 address autoconfiguration mode, you must disable the original mode. For
example, the DHCPv6 client is enabled to use the stateful DHCPv6 address autoconfiguration mode
to obtain an IPv6 address and other network configuration parameters including the IPv6 addresses
of the DNS and SNTP servers. To enable the DHCPv6 client to use the stateless DHCPv6 address
autoconfiguration mode to obtain network configuration parameters (excluding IPv6 addresses), run
the undo ipv6 address auto dhcp command to disable stateful DHCPv6 address autoconfiguration
and then run the dhcpv6 client information-request command to enable stateless DHCPv6 address
autoconfiguration.

----End

Checking the Configuration


After the DHCPv6 client configuration is complete, run the following command to check
the configuration.
• Run the display dhcpv6 client [ interface interface-type interface-number ] command to
check the DHCPv6 client configurations.

9.5.5 Configuring the DHCPv6 PD Client Function


When the DHCPv6 client function is configured on the WAN-side Layer 3 interface or subinterface of the router, the router dynamically obtains IPv6 addresses and other network
configuration parameters from the DHCPv6 PD server. This operation facilitates user
configurations and management.

Pre-configuration Tasks
Before configuring the DHCPv6 PD client function, complete the following tasks:
• Configuring a DHCPv6 PD server
• Configuring the DHCPv6 relay agent as service requires
• Configuring the route between the router and DHCPv6 relay agent or DHCPv6 PD server

Procedure
• Configure IPv6 functions on interfaces.

1. Run:
system-view

The system view is displayed.

2. Run:
ipv6

The device is enabled to forward IPv6 unicast packets.

3. Run:
interface interface-type interface-number

The interface view is displayed.

4. Run:
ipv6 enable

IPv6 is enabled on the interface.


5. Run:
ipv6 address auto link-local

The link-local address is manually configured for a specified interface.

6. Run:
ipv6 address auto global default

The device learns the default route by RA packets.

By default, the device is disabled from learning the default route by RA packets.
• Configure the DHCPv6 PD client to request an IPv6 address

1. Run:
system-view

The system view is displayed.

2. Run:
dhcpv6 duid { ll | llt }

A DUID is configured for the device.

By default, the device generates a DUID based on the link-layer (LL) address.

3. Run:
dhcp enable

The DHCP function is enabled on the device.

4. Run:
interface interface-type interface-number

The interface view is displayed.

WAN-side Layer 3 interfaces and Layer 3 sub-interfaces on the router can work in
DHCP client mode.

5. Run:
dhcpv6 client pd prefix-name [ hint ipv6-prefix-value ] [ rapid-commit

The DHCPv6 PD client is enabled to request an IPv6 address prefix.

If two-message exchange is enabled on the DHCPv6 PD client and server, the server
assigns an IPv6 address and other configuration parameters to the client using the
two-message exchange method. Otherwise, the DHCPv6 PD server assigns an IP address
and other configuration parameters to the client using the four-message exchange
method.
----End

Checking the Configuration


After the DHCPv6 PD client configuration is complete, run the following command to
check the configuration.
• Run the display dhcpv6 client prefix [ name prefix-name ] command to check IPv6
prefixes on the device that functions as the DHCPv6 client.

9.6 Maintaining DHCPv6


9.6.1 Checking the Running Status of the DHCPv6 Client
Procedure
• Run the display dhcpv6 client statistics [ interface interface-type interface-number ]
command to check message statistics on the DHCPv6 client.

----End

9.6.2 Clearing Message Statistics on the DHCPv6 Client


Context
If the DHCPv6 client function is enabled on the router, the system collects DHCPv6 message
statistics. Run the reset dhcpv6 client statistics command in the user view or system view to
clear message statistics on the DHCPv6 client.

NOTICE
DHCPv6 message statistics cannot be restored after being cleared. Confirm your operation
before clearing them.

Procedure
• Run the reset dhcpv6 client statistics [ interface interface-type interface-number ]
command to clear message statistics on the DHCPv6 client.
The interface type in the command is WAN-side Layer 3 Ethernet interface or Ethernet
sub-interface. If no interface is specified, all the DHCPv6 message statistics are cleared. If
an interface is specified, DHCPv6 message statistics on the specified interface are cleared.

----End

9.6.3 Clearing DHCPv6 Message Statistics on the DHCPv6 Relay Agent

Context

NOTICE
DHCPv6 message statistics cannot be restored after being cleared. Confirm your operation
before clearing them.

Procedure
• Run the reset dhcpv6 relay statistics [ interface interface-type interface-number ]
command to clear DHCPv6 message statistics on the DHCPv6 relay agent.
If no interface is specified, all the DHCPv6 message statistics are cleared. If an interface
is specified, DHCPv6 message statistics on the specified interface are cleared.

----End

9.6.4 Checking Message Statistics on the DHCPv6 Server


Procedure
• Run the display dhcpv6 server [ database | [ statistics ] [ interface interface-type
interface-number ] ] command to check message statistics on the DHCPv6 server.

----End

9.6.5 Clearing DHCPv6 Message Statistics of the DHCPv6 Server


Procedure
• Run the reset dhcpv6 server statistics [ interface interface-type interface-number ]
command to clear DHCPv6 message statistics of the DHCPv6 server.

----End

9.6.6 Monitoring the Running Status of the DHCPv6 Relay Agent


Procedure
• Run the display dhcpv6 relay [ interface interface-type interface-number ] command to
check the configuration of the interface where the DHCPv6 relay function is configured.
• Run the display dhcpv6 relay statistics [ interface interface-type interface-number ]
command to check DHCPv6 message statistics on the DHCPv6 relay agent.

----End

9.6.7 Resetting the Status of the IPv6 Address Pool


Context
When the client addresses conflict due to repeated IPv6 address assignment or IPv6 addresses
need to be re-assigned to clients based on the network plan, you can reset the status of the IPv6
address pool. In this way, the IPv6 addresses in the address pool return to the idle state and the
clients can re-apply for these IPv6 addresses.

Procedure
• Run the reset dhcpv6 pool pool-name [ allocated { address | prefix } | binding [ duid ]
| conflict address | ipv6-address [ to ipv6-address ] | ipv6-prefix/prefix-length ] command
to clear IPv6 address pool configurations.

----End

9.7 Configuration Examples


9.7.1 Example for Configuring a DHCPv6 Server
Networking Requirements
If a large number of IPv6 addresses need to be manually configured, the workload on
configuration will be huge, and the manually configured addresses have poor manageability.
The administrator requires that IPv6 addresses and network configuration parameters be
obtained automatically to facilitate centralized management and hierarchical IPv6 network
deployment.
Figure 9-15 Networking diagram for configuring the DHCPv6 server
[Figure: Router A (DHCPv6 server, GE0/0/1, 3000::1/64) connected to Router B (DHCPv6 client, GE0/0/1).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 Server function so that devices can assign IPv6 addresses using
DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure a DHCPv6 server.


[Router A] dhcpv6 pool pool1
[Router A-dhcpv6-pool-pool1] address prefix 3000::/64
[Router A-dhcpv6-pool-pool1] dns-server 4000::1
[Router A-dhcpv6-pool-pool1] excluded-address 3000::1
[Router A-dhcpv6-pool-pool1] quit

Step 3 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address 3000::1/64

Step 4 Enable the DHCPv6 server function on the interface.


# Enable the DHCPv6 server function on GE0/0/1.
[Router A-GigabitEthernet0/0/1] dhcpv6 server pool1

Step 5 Verify the configuration.


Run the display dhcpv6 pool command on the router to check information about the DHCPv6
address pool.
<Router A> display dhcpv6 pool
Address prefix: 3000::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use, 0 conflicts
Excluded-address 3000::1
1 excluded addresses
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active normal clients: 0

Run the display dhcpv6 server command on the router to check information about the DHCPv6
server.
<Router A> display dhcpv6 server
Interface                 DHCPv6 pool
GigabitEthernet0/0/1      pool1

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
address prefix 3000::/64
excluded-address 3000::1
dns-server 4000::1
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 3000::1/64
dhcpv6 server pool1
#
return

9.7.2 Example for Configuring a DHCPv6 PD Server


Networking Requirements
In Figure 9-16, the router is required to function as a DHCPv6 PD server and assign an IPv6
address prefix to the DHCPv6 PD client. Configure the router as a DHCPv6 PD server to assign
IPv6 addresses and other network configuration parameters to DHCPv6 clients. This facilitates
centralized management and layered IPv6 network deployment. The DHCPv6 PD server assigns
DNS server address 4000::1/64 to a client. The DHCPv6 PD server and client are on the same
link.
Figure 9-16 Networking diagram for configuring DHCPv6 PD server
[Figure: Router A (DHCPv6 PD server, GE0/0/1, 3000::1/64) connected to Router B (DHCPv6 PD client, GE0/0/1). The figure also shows IPv6 HostA, HostB, and HostC.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD server function so that the DHCPv6 PD server can assign IPv6
addresses using DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure a DHCPv6 PD server.

[Router A] dhcpv6 pool pool1
[Router A-dhcpv6-pool-pool1] prefix-delegation 3000::/60 63
[Router A-dhcpv6-pool-pool1] dns-server 4000::1
[Router A-dhcpv6-pool-pool1] quit

Step 3 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address 3000::1/64

Step 4 Enable the DHCPv6 PD server function on an interface.


# Enable the DHCPv6 PD server function on GE0/0/1.
[Router A-GigabitEthernet0/0/1] dhcpv6 server pool1

Step 5 Verify the configuration.


# Run the display dhcpv6 pool command on the router to check information about the DHCPv6
address pool.
<Router A> display dhcpv6 pool
DHCPv6 pool: pool1
Prefix delegation: 3000::/60 63
Lifetime valid 172800 seconds, preferred 86400 seconds
0 in use
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active pd clients: 0

# Run the display dhcpv6 server command on the router to check information about the
DHCPv6 server.
<Router A> display dhcpv6 server
Interface                 DHCPv6 pool
GigabitEthernet0/0/1      pool1

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
prefix-delegation 3000::/60 63
dns-server 4000::1
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 3000::1/64
dhcpv6 server pool1
#
return

9.7.3 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in One Network Segment Connected to the Relay
Networking Requirements
As shown in Figure 9-17, the IPv6 network segment address is 2000::/64 and the DHCPv6
server address is 3000::3/64. Users expect to obtain IPv6 addresses using DHCPv6. The
DHCPv6 client and server are on different network segments; therefore, a DHCPv6 relay agent
is required to forward DHCPv6 messages.
It is required that the router should function as the DHCPv6 relay agent to forward DHCPv6
messages between the DHCPv6 client and the DHCPv6 server. In addition, the router functions
as the gateway device of the network at 2000::/64. The M flag bit and O flag bit in RA messages
allow hosts on the network to obtain IPv6 addresses and other network configuration parameters
through DHCPv6.
Figure 9-17 Networking diagram for configuring a DHCPv6 relay
[Figure: DHCPv6 clients connect to GE1/0/0 (2000::1/64) of RouterA, the DHCPv6 relay; GE2/0/0 (3000::1/64) of RouterA connects to RouterB, the DHCPv6 server (3000::3/64).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can implement IPv6 communication.
2. Enable the DHCPv6 relay function so that the DHCPv6 server and client on different links
can transmit packets.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 1/0/0
[Router A-GigabitEthernet1/0/0] ipv6 enable
[Router A-GigabitEthernet1/0/0] ipv6 address 2000::1 64
[Router A-GigabitEthernet1/0/0] quit
[Router A] interface gigabitethernet 2/0/0
[Router A-GigabitEthernet2/0/0] ipv6 enable
[Router A-GigabitEthernet2/0/0] ipv6 address 3000::1 64
[Router A-GigabitEthernet2/0/0] quit

Step 3 Enable the DHCPv6 relay function.


[Router A] interface gigabitethernet 1/0/0
[Router A-GigabitEthernet1/0/0] dhcpv6 relay destination 3000::3

Step 4 Configure RouterA as a gateway device.


# Configure RouterA to send RA messages and configure M and O flag bits.
[Router A-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[Router A-GigabitEthernet1/0/0] ipv6 nd autoconfig managed-address-flag
[Router A-GigabitEthernet1/0/0] ipv6 nd autoconfig other-flag
[Router A-GigabitEthernet1/0/0] quit

Step 5 Verify the configuration.


Run the display dhcpv6 relay command on RouterA to check the configuration of the DHCPv6
relay agent.
[Router A] display dhcpv6 relay
Interface                 Mode      Destination
------------------------------------------------------------------
GigabitEthernet1/0/0      Relay     3000::3
------------------------------------------------------------------

Run the display dhcpv6 relay statistics command on RouterA to check DHCP message statistics
on the DHCPv6 relay agent.
[Router A] display dhcpv6 relay statistics
MessageType             Receive    Send       Error
Solicit                 0          0          0
Advertise               0          0          0
Request                 0          0          0
Confirm                 0          0          0
Renew                   0          0          0
Rebind                  0          0          0
Reply                   0          0          0
Release                 0          0          0
Decline                 0          0          0
Reconfigure             0          0          0
Information-request     0          0          0
Relay-forward           0          0          0
Relay-reply             0          0          0
UnknownType             0          0          0

----End

Configuration File
Configuration file of RouterA
#
sysname Router A
#
ipv6
#
dhcp enable
#

interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2000::1/64
dhcpv6 relay destination 3000::3
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 3000::1/64
#
return
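
The relay configuration file above leaves the optional protections from 9.5.3.3 and 9.5.3.4 unset. The following added example (not part of the guide and not Huawei code) checks a saved configuration file for them and for the RA flags on relay interfaces; it assumes that commands appear in the saved configuration exactly as they are typed, and the rate value 50 in the hardened variant is a constructed sample.

```python
import re

# The Router A configuration file from this example, embedded as sample input.
CONFIG_9_7_3 = """\
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2000::1/64
 dhcpv6 relay destination 3000::3
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
#
interface GigabitEthernet2/0/0
 ipv6 enable
 ipv6 address 3000::1/64
#
return
"""

# Constructed variant with rate limiting, drop logging and remote ID insertion.
HARDENED = CONFIG_9_7_3.replace(
    "dhcp enable\n#\n",
    "dhcp enable\n#\ndhcpv6 packet-rate 50\n"
    "dhcpv6 packet-rate drop-alarm enable\n#\n",
).replace(
    " dhcpv6 relay destination 3000::3\n",
    " dhcpv6 relay destination 3000::3\n dhcpv6 remote-id insert enable\n",
)


def parse_config(text):
    """Split a configuration file into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":          # "#" closes the current section
            current = None
            continue
        match = re.match(r"interface (\S+)$", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return sorted findings about DHCPv6 relay settings in a configuration file."""
    global_lines, interfaces = parse_config(text)
    relays = [name for name, lines in interfaces.items()
              if any(l.startswith("dhcpv6 relay destination ") for l in lines)]
    findings = []
    if relays:
        if "dhcp enable" not in global_lines:
            findings.append("global: dhcp enable is missing")
        if not any(re.match(r"dhcpv6 packet-rate \d+$", l) for l in global_lines):
            findings.append("global: no dhcpv6 packet-rate limit configured")
        if "dhcpv6 packet-rate drop-alarm enable" not in global_lines:
            findings.append("global: drop-alarm logging not enabled")
    for name in relays:
        lines = interfaces[name]
        if "dhcpv6 remote-id insert enable" not in lines:
            findings.append(name + ": remote ID not inserted into relayed messages")
        if "undo ipv6 nd ra halt" in lines:
            # Clients on this link only turn to DHCPv6 when the RA flags say so.
            for flag in ("managed-address-flag", "other-flag"):
                if "ipv6 nd autoconfig " + flag not in lines:
                    findings.append(name + ": RA sent without " + flag)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CONFIG_9_7_3):
        print(finding)
```

Remote ID insertion is optional in this guide, so treat that finding as informational; the two rate-limit findings correspond to the flood protection described in 9.5.3.4.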

9.7.4 Example for Configuring a DHCPv6 PD Client


Networking Requirements
In Figure 9-18, the router is required to function as a DHCPv6 PD client and obtain an IPv6
address prefix from the DHCPv6 PD server. Configure the router as a DHCPv6 PD client to
assign IPv6 addresses and other network configuration parameters to DHCPv6 clients. This
reduces pressure on the DHCPv6 server and facilitates layered IPv6 network deployment. The
address of the DHCPv6 PD server is 3000::1/64. The DHCPv6 PD server and client are on the
same link.
Figure 9-18 Networking diagram for configuring a DHCPv6 PD client
[Figure: Router A (DHCPv6 PD client) connects through GE0/0/1 to GE0/0/1 of Router B (DHCPv6 PD server, 3000::1/64); GE0/0/2 of Router A faces IPv6 hostA, hostB, and hostC.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD client function so that devices can obtain IPv6 address prefixes
using DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address auto link-local

Step 3 Enable the DHCPv6 PD client function.


# Enable the DHCPv6 PD client function on GE0/0/1.
[Router A-GigabitEthernet0/0/1] dhcpv6 client pd myprefix
[Router A-GigabitEthernet0/0/1] quit

Step 4 Configure Router A to send an RA message to assign address prefixes to hosts.


# Configure the device to send RA messages and configure M and O flag bits.
[Router A] interface gigabitethernet 0/0/2
[Router A-GigabitEthernet0/0/2] ipv6 enable
[Router A-GigabitEthernet0/0/2] ipv6 address auto link-local
[Router A-GigabitEthernet0/0/2] undo ipv6 nd ra halt
[Router A-GigabitEthernet0/0/2] ipv6 nd autoconfig other-flag
[Router A-GigabitEthernet0/0/2] ipv6 address myprefix ::1:0:0:0:1/64
[Router A-GigabitEthernet0/0/2] quit

Step 5 Verify the configuration.


Run the display dhcpv6 client command on Router A to check the DHCPv6 client
configurations.
<Router A> display dhcpv6 client
GigabitEthernet0/0/1 is in DHCPv6-PD client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA PD IA ID 0x00000051 T1 43200 T2 69120
Prefix name : myprefix
Obtained    : 2012-12-22 09:33:09
Renews      : 2012-12-22 21:33:09
Rebinds     : 2012-12-23 04:45:09
Prefix      : 3000::/48
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:33:09(172792 seconds left)
DNS server  : 4000::1

Run the display dhcpv6 client statistics command on Router A to check DHCPv6 message
statistics on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message                 Received
Advertise               1
Reply                   1
Reconfigure             0
Invalid                 0
Message                 Sent
Solicit                 1
Request                 1
Confirm                 0
Renew                   0
Rebind                  0
Release                 0
Decline                 0
Information-request     0

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address auto link-local
dhcpv6 client pd myprefix
#
interface GigabitEthernet0/0/2
ipv6 enable
ipv6 address auto link-local
undo ipv6 nd ra halt
ipv6 nd autoconfig other-flag
ipv6 address myprefix ::1:0:0:0:1/64
#
return

9.7.5 Example for Configuring a DHCPv6 Client


Networking Requirements
In Figure 9-19, the router is required to function as a DHCPv6 client and obtain an IPv6 address
and other configuration parameters from the DHCPv6 server. The address of the DHCPv6 server
is 3000::1/64. The DHCPv6 server and client are on the same link.
Figure 9-19 Networking diagram for configuring a DHCPv6 client
[Figure: Router A (DHCPv6 client, GE0/0/1) connected to Router B (DHCPv6 server, GE0/0/1, 3000::1/64).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 client function so that devices can obtain IPv6 addresses using
DHCPv6.

Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router A
[Router A] dhcp enable

Step 2 Configure IPv6 functions on an interface.


[Router A] ipv6
[Router A] interface gigabitethernet 0/0/1
[Router A-GigabitEthernet0/0/1] ipv6 enable
[Router A-GigabitEthernet0/0/1] ipv6 address auto link-local
[Router A-GigabitEthernet0/0/1] ipv6 address auto global default

Step 3 Enable the DHCPv6 client function.


# Enable the DHCPv6 client function on GE 0/0/1.
[Router A-GigabitEthernet0/0/1] ipv6 address auto dhcp

Step 4 Verify the configuration.


Run the display dhcpv6 client command on Router A to check the DHCPv6 client
configurations.
<Router A> display dhcpv6 client
GigabitEthernet0/0/1 is in stateful DHCPv6 client mode.
State is BOUND.
Preferred server DUID : 000300060819A6CDA894
Reachable via address : FE80::A19:A6FF:FECD:A897
IA NA IA ID 0x00000051 T1 43200 T2 69120
Obtained    : 2012-12-22 09:15:54
Renews      : 2012-12-22 21:15:54
Rebinds     : 2012-12-23 04:27:54
Address     : 3000::2
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2012-12-24 09:15:54(172795 seconds left)

Run the display dhcpv6 client statistics command on Router A to check message statistics
on the DHCPv6 client.
<Router A> display dhcpv6 client statistics
Message statistics of interface GigabitEthernet0/0/1:
Message                 Received
Advertise               1
Reply                   1
Reconfigure             0
Invalid                 0
Message                 Sent
Solicit                 1
Request                 1
Confirm                 0
Renew                   0
Rebind                  0
Release                 0
Decline                 0
Information-request     0

----End

Configuration File
Configuration file of Router A
#
sysname Router A
#
ipv6
#
dhcp enable
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address auto link-local
ipv6 address auto global default
ipv6 address auto dhcp
#
return
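
The server DUID and the "Reachable via address" value in the display dhcpv6 client output above can be decoded to see what they disclose: a DUID-LL is a stable identifier that embeds a link-layer address, and an EUI-64 link-local address embeds one too. This is an added example, not Huawei code; the DUID-LLT sample in the comment is constructed, and the function names are this example's own.

```python
import datetime
import ipaddress
import struct

DUID_NAMES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}  # types from RFC 3315
# DUID-LLT timestamps count seconds from 2000-01-01 00:00:00 UTC.
EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)


def fmt_mac(raw):
    """Render link-layer address bytes as colon-separated hex."""
    return ":".join("%02x" % b for b in raw)


def decode_duid(hex_text):
    """Decode a DUID given as a hex string, as printed by display dhcpv6 client."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": DUID_NAMES.get(dtype, "unknown")}
    body = raw[2:]
    if dtype == 3:                      # hardware type + link-layer address
        if len(body) < 2:
            raise ValueError("truncated DUID-LL")
        info["hw_type"] = struct.unpack("!H", body[:2])[0]
        info["lladdr"] = fmt_mac(body[2:])
    elif dtype == 1:                    # hardware type + time + link-layer address
        if len(body) < 6:
            raise ValueError("truncated DUID-LLT")
        hw_type, secs = struct.unpack("!HI", body[:6])
        info["hw_type"] = hw_type
        info["time"] = EPOCH + datetime.timedelta(seconds=secs)
        info["lladdr"] = fmt_mac(body[6:])
    elif dtype == 2:                    # enterprise number + vendor identifier
        if len(body) < 4:
            raise ValueError("truncated DUID-EN")
        info["enterprise"] = struct.unpack("!I", body[:4])[0]
        info["identifier"] = body[4:].hex()
    return info


def mac_from_link_local(addr):
    """Recover the MAC from an EUI-64 interface ID, or None if it is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the interface ID was built.
    return fmt_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def same_vendor_prefix(mac_a, mac_b):
    """True when both addresses share the first three bytes (the OUI)."""
    return mac_a[:8] == mac_b[:8]


if __name__ == "__main__":
    duid = decode_duid("000300060819A6CDA894")            # value from the output above
    mac = mac_from_link_local("FE80::A19:A6FF:FECD:A897")  # value from the output above
    print(duid, mac, same_vendor_prefix(duid["lladdr"], mac))
    # Constructed DUID-LLT: same address, timestamp of 86400 seconds.
    print(decode_duid("0001000600015180" "0819a6cda894"))
```

With dhcpv6 duid llt the identifier additionally carries the generation time, so two devices with the same link-layer address no longer produce the same DUID.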

9.8 References
Table 1 RFCs related to DHCPv6 features

Document  Description                                                                                                         Remarks
RFC2460   Internet Protocol, Version 6 (IPv6) Specification                                                                   -
RFC3315   Dynamic Host Configuration Protocol for IPv6 (DHCPv6)                                                               -
RFC3319   Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers                  -
RFC3633   IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6                                        -
RFC3646   DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)                                 -
RFC3736   Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6                                               -
RFC3898   Network Information Service (NIS) Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)   -
RFC2462   IPv6 Stateless Address Autoconfiguration                                                                            -
RFC4075   Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6                                                 -
RFC4242   Information Refresh Time Option for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)                           -
RFC4649   Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option                                  -

10 IPv6 DNS configuration


About This Chapter


10.1 IPv6 DNS Overview
IPv6 DNS is a distributed database used by TCP/IP applications to resolve between IPv6
addresses and domain names.
10.2 Configuring IPv6 DNS
This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.
10.3 Maintaining IPv6 DNS
IPv6 DNS maintenance includes clearing IPv6 DNS entries, clearing statistics on sent and
received IPv6 DNS packets and monitoring IPv6 DNS running status.
10.4 Configuration Examples
This section describes configuration examples of IPv6 DNS.

10.1 IPv6 DNS Overview


IPv6 DNS is a distributed database used by TCP/IP applications to resolve between IPv6
addresses and domain names.
Each host on an IPv6 network is identified by an IPv6 address. To access a host, a user must
first obtain the IPv6 address of the host, but IPv6 addresses are difficult to remember.
Host names in string format are therefore used, and each host name maps to an IPv6
address. In this way, users can use simple and meaningful domain names instead of
complicated IPv6 addresses to access hosts; the IPv6 DNS server on the network resolves the names.
The device can function as an IPv6 DNS client and as an IPv6 DNS proxy or relay.

Functioning as an IPv6 DNS Client


Figure 10-1 Functioning as an IPv6 DNS client
[Figure: RouterA (IPv6 DNS client), RouterB (IPv6 DNS client), and an IPv6 DNS server]

As shown in Figure 10-1, the router functions as an IPv6 DNS client and supports static and
dynamic domain name resolution.
- Static domain name resolution: Mappings between domain names and IPv6 addresses are
  configured manually. To obtain the IPv6 address by resolving a domain name, the client
  searches the static domain name resolution table for the specified domain name.
- Dynamic DNS resolution: Dynamic DNS resolution is implemented by a DNS server. The
  DNS server receives domain name resolution requests from DNS clients. The DNS server
  searches for the corresponding IPv6 address of the domain name in its DNS database. If
  no matching entry is found, it sends a query message to a higher-level DNS server. This
  process continues until the DNS server finds the corresponding IPv6 address or detects that
  the corresponding IPv6 address of the domain name does not exist. Then the DNS server
  returns a result to the DNS client.
  The router IPv6 domain name resolution system must support the following DNS query
  modes:
  - AAAA query
  - A6 query
  - IPv6 PTR query


Functioning as the DNS Proxy or Relay


Figure 10-2 Functioning as the DNS proxy
[Figure: IPv6 DNS clients on a LAN, the IPv6 DNS proxy, the Internet, and a DNS server]

As shown in Figure 10-2, an IPv6 DNS client on the LAN can connect to an external IPv6 DNS
server through the router on which IPv6 DNS proxy or relay is enabled. After the external DNS
server resolves the domain name requested by the IPv6 DNS client to an IP address, the IPv6 DNS
client can access the Internet.
IPv6 DNS relay is similar to IPv6 DNS proxy. The difference is that the IPv6 DNS proxy searches
the DNS entries saved in the domain name cache after receiving DNS query messages from DNS
clients, whereas the IPv6 DNS relay forwards DNS query messages directly to the DNS server,
which reduces cache usage.

10.2 Configuring IPv6 DNS


This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.

10.2.1 Configuring the IPv6 DNS Client


This section describes how to configure the IPv6 DNS client and the mapping between a domain
name and IPv6 address on a device, so that the device can communicate with other devices using
the domain name.

10.2.1.1 Configuring Static IPv6 DNS Entries


Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IPv6 addresses. Some common domain names are added to the table. Static
domain name resolution can be performed based on the static domain name resolution table. To
obtain the IPv6 address by resolving a domain name, the client searches the static domain name
resolution table for the specified domain name. In this manner, the efficiency of domain name
resolution is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

The IPv6 function is enabled.


By default, a device is disabled from forwarding IPv6 unicast packets.
Step 3 Run:
ipv6 host host-name ipv6-address

The IPv6 static DNS entry is configured.


By default, no IPv6 static DNS entry is configured.
If multiple IPv6 addresses (a maximum of eight IPv6 addresses) are configured to map a domain
name, the DNS client preferentially resolves the domain name to the first IPv6 address.
----End

10.2.1.2 Configuring the Dynamic IPv6 DNS Service


Context
Dynamic domain name resolution requires a dedicated DNS server. This server provides mappings
between domain names and IPv6 addresses, and processes DNS clients' requests for domain name
resolution.
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure a DNS
server, and configure a source IPv6 address for the local device and a domain name suffix. If
the local device uses an IPv6 address allocated by the DHCPv6 server and the information
delivered by the DHCPv6 server to the local device contains the DNS server IPv6 address and
the domain name suffix list, you only need to enable dynamic DNS resolution.

NOTICE
If multiple DNS servers are configured, query messages are sent to the DNS servers in the
order in which they were configured until a correct reply packet is received.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
dns resolve

Dynamic domain name resolution is enabled.


By default, dynamic DNS resolution is disabled.
Step 3 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]

The IPv6 DNS server is configured.


By default, no IPv6 address is configured for the DNS server.
A maximum of six DNS server IPv6 addresses can be configured on the device.
Step 4 (Optional) Run:
dns server ipv6 source-ip ipv6-address

The IPv6 address of the local router is specified.


By default, the source IPv6 address is not configured on the device.
After the IPv6 address of the local router is specified, the router uses the specified IPv6 address
to communicate with the DNS server, which ensures that the security check can be performed.
Step 5 (Optional) Run:
dns domain domain-name

A suffix of a domain name is added.


By default, no domain name suffix is configured on a DNS client.
----End

10.2.1.3 Checking the Configuration


Procedure
- Run the display dns configuration command to display the global DNS configurations.
- Run the display ipv6 host command to view the static IPv6 DNS table.
- Run the display dns server command to check the DNS server configuration.
- Run the display dns domain command to check the domain name suffix configuration.

----End

10.2.2 Configuring IPv6 DNS Proxy or Relay


When the DNS client and DNS server are on different LANs, the device enabled with IPv6 DNS
proxy or relay can forward DNS request and reply packets.

Pre-configuration Tasks
Before configuring IPv6 DNS proxy or relay, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Configuring link layer protocol parameters for interfaces to ensure that the link layer
  protocol status on the interfaces is Up
- Configuring a DNS server
- Configuring routes between the local routing device and the DNS server and between the
  local routing device and the IPv6 DNS client

10.2.2.1 Configuring the DNS Server Address


Context
IPv6 DNS relay is similar to IPv6 DNS proxy. The IPv6 DNS proxy searches for DNS entries
saved in the domain name cache after receiving IPv6 DNS query packets from IPv6 DNS clients.
The IPv6 DNS relay, however, directly forwards IPv6 DNS query packets to the DNS server,
reducing the cache usage.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns proxy enable or dns relay enable

IPv6 DNS proxy or relay is enabled.


Step 3 Run:
dns resolve

Dynamic domain name resolution is enabled.


Step 4 Run:
dns server ipv6 ipv6-address [ interface-type interface-number ]

The DNS server that the IPv6 DNS proxy or relay connects to is configured.
----End

10.2.2.2 (Optional) Configuring Static DNSv6 Entries


Context
A static domain name resolution table is manually set up, describing the mappings between
domain names and IPv6 addresses. Some common domain names are added to the table. Static
domain name resolution can be performed based on the static domain name resolution table. To
obtain the IPv6 address by resolving a domain name, the DNS server searches the static domain
name resolution table. In this manner, the efficiency of domain name resolution is improved.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 host host-name ipv6-address

The domain name and mapping IPv6 address are configured.


----End

10.2.2.3 (Optional) Configuring IPv6 DNS Spoofing


Context
If the device is enabled with IPv6 DNS proxy or relay but is not configured with a DNS server
address or has no route to the DNS server, the device does not forward or respond to DNS query
messages from DNS clients. If IPv6 DNS spoofing is enabled, the device uses the configured
IPv6 address to respond to all DNS query messages.
In addition to enabling IPv6 DNS proxy or relay, one of the following requirements must be met
to make IPv6 DNS spoofing take effect:
- No DNS server is configured.
- A DNS server is configured, but dynamic DNS resolution is disabled.
- No route to the DNS server is reachable.
- No source IPv6 address is available for the outbound interface connected to the DNS server.

If one of the preceding requirements is met, when receiving an AAAA or A6 query, the IPv6
DNS proxy or relay returns spoofing reply messages using the configured IPv6 address.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
dns spoofing ipv6 ipv6-address

IPv6 DNS spoofing is enabled and the IPv6 address in response packets is specified.
By default, IPv6 DNS spoofing is disabled.
----End
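
The conditions listed in the Context of this section can be checked against a saved configuration. The following Python code is an added example, not Huawei code: it parses the DNS commands shown in this chapter and reports whether a configured dns spoofing ipv6 address answers queries now ("active"), only if a condition later becomes true ("fallback"), or never ("inert"). The function names and sample configurations are constructed; route reachability is approximated from interface prefixes and ipv6 route-static lines, and the source-address condition is a runtime state that is not evaluated.

```python
import ipaddress
import re


def parse_config(text):
    """Collect the DNS settings and IPv6 prefixes visible in a configuration."""
    cfg = {"proxy": False, "relay": False, "resolve": False,
           "servers": [], "spoof": None, "prefixes": []}
    for raw in text.splitlines():
        line = raw.strip().lower()      # display output may capitalise keywords
        if line in ("dns proxy enable", "dns relay enable"):
            cfg[line.split()[1]] = True
        elif line == "dns resolve":
            cfg["resolve"] = True
        elif line.startswith("dns server ipv6 source-ip "):
            continue                    # local source address, not a server
        elif m := re.fullmatch(r"dns server ipv6 (\S+)(?: .*)?", line):
            cfg["servers"].append(ipaddress.IPv6Address(m.group(1)))
        elif m := re.fullmatch(r"dns spoofing ipv6 (\S+)", line):
            cfg["spoof"] = ipaddress.IPv6Address(m.group(1))
        elif m := re.fullmatch(
                r"ipv6 (?:address|route-static) ([0-9a-f:]+)[/ ](\d+)(?: .*)?", line):
            # Connected interface prefix or static route destination.
            net = ipaddress.IPv6Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            cfg["prefixes"].append(net)
    return cfg


def spoofing_state(cfg):
    """Return (state, reasons) following the conditions listed in this section."""
    if cfg["spoof"] is None:
        return "not-configured", []
    if not (cfg["proxy"] or cfg["relay"]):
        return "inert", ["DNS proxy/relay is not enabled"]
    reasons = []
    if not cfg["servers"]:
        reasons.append("no DNS server is configured")
    elif not cfg["resolve"]:
        reasons.append("DNS server configured but 'dns resolve' is missing")
    else:
        # Assumption: spoofing applies only when no server at all is routable.
        # Link-local servers are treated as on-link.
        unreachable = [s for s in cfg["servers"]
                       if not s.is_link_local
                       and not any(s in p for p in cfg["prefixes"])]
        if len(unreachable) == len(cfg["servers"]):
            reasons.append("no configured route covers any DNS server")
    return ("active" if reasons else "fallback"), reasons


# Constructed sample configurations built from the command forms in this chapter.
PROXY_WITH_SERVER = """
ipv6
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2001::1/64
dns resolve
dns server ipv6 2002::2
dns proxy enable
dns spoofing ipv6 2003::3
ipv6 route-static 2002:: 64 2001::2
"""
NO_RESOLVE = PROXY_WITH_SERVER.replace("dns resolve\n", "")
NO_ROUTE = PROXY_WITH_SERVER.replace("ipv6 route-static 2002:: 64 2001::2\n", "")
NO_PROXY = PROXY_WITH_SERVER.replace("dns proxy enable\n", "")

if __name__ == "__main__":
    samples = [("server reachable", PROXY_WITH_SERVER), ("no dns resolve", NO_RESOLVE),
               ("no route", NO_ROUTE), ("proxy disabled", NO_PROXY)]
    for name, text in samples:
        state, reasons = spoofing_state(parse_config(text))
        print(f"{name}: {state} {reasons}")
```

A result of "active" means every AAAA or A6 query from LAN clients is answered with the spoofing address, so clients are directed to that one host regardless of the name they asked for.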

10.2.2.4 Checking the Configuration


Procedure
- Run the display dns configuration command to display the global DNS configurations.
- Run the display ipv6 host command to view the static IPv6 DNS table.
- Run the display dns server command to check the DNS server configuration.

----End

10.3 Maintaining IPv6 DNS


IPv6 DNS maintenance includes clearing IPv6 DNS entries, clearing statistics on sent and
received IPv6 DNS packets and monitoring IPv6 DNS running status.

10.3.1 Clearing IPv6 DNS Dynamic Entries


Context

NOTICE
IPv6 DNS entries cannot be restored after being cleared. Exercise caution when you run the
command.

Procedure
- Run the reset dns ipv6 dynamic-host command to clear IPv6 DNS entries in the domain name cache.

----End

10.3.2 Clearing IPv6 DNS Forwarding Entries


Context

NOTICE
IPv6 DNS forwarding entries cannot be restored after being cleared. Exercise caution when you
run the command.

Procedure
- Run the reset dns ipv6 forward table [ source-ip ipv6-address ] command in the user
  view to clear IPv6 DNS forwarding entries.

----End

10.3.3 Clearing Statistics on Sent and Received IPv6 DNS Packets


Context

NOTICE
Statistics on sent and received IPv6 DNS packets cannot be restored after being cleared. Exercise
caution when you run the command.

Procedure
- Run the reset dns statistics command to clear statistics on sent and received IPv6 DNS
  packets.

----End

10.3.4 Monitoring the Running Status of IPv6 DNS


Context
In routine maintenance, you can run the following commands in any view to check the running
status of IPv6 DNS.

Procedure
- Run the display dns ipv6 dynamic-host [ domain-name | a6 ] command to check IPv6
  dynamic DNS entries saved in the cache.

----End

10.4 Configuration Examples


This section describes configuration examples of IPv6 DNS.

10.4.1 Example for Configuring IPv6 DNS


Networking Requirements
As shown in Figure 10-3, RouterA functions as a DNS client and cooperates with a DNS server
so that RouterA can access the host at 2002::1/64 using the domain name huawei.com.
Static IPv6 DNS entries of RouterB and RouterC are configured on RouterA so that RouterA
can manage RouterB and RouterC.

Figure 10-3 Networking diagram for configuring IPv6 DNS
[Figure: network diagram with the following devices and addresses]
RouterA (IPv6 DNS client): GE1/0/0 2001::1/64
RouterB: GE1/0/0 2001::2/64, GE2/0/0 2002::2/64
RouterC: GE2/0/0 2002::3/64, GE1/0/0 2003::1/64
DNS server: 2003::2/64
Host huawei.com: 2002::1/64

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static DNS entries on RouterA to access RouterB and RouterC.
2. Configure dynamic DNS resolution on RouterA to access the DNS server.

Procedure
Step 1 Configure RouterA.
# Configure IPv6 function.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001::1/64
[RouterA-GigabitEthernet1/0/0] quit

# Configure static IPv6 DNS entries.


[RouterA] ipv6 host RouterB 2001::2
[RouterA] ipv6 host RouterC 2002::3

# Enable DNS resolution.


[RouterA] dns resolve

# Configure an IP address for the DNS server.


[RouterA] dns server ipv6 2003::2

# Set the domain name suffix to net.


[RouterA] dns domain net

# Set the domain name suffix to com.


[RouterA] dns domain com
[RouterA] quit

NOTE

To resolve the domain name, you need to configure the route from RouterA to the IPv6 DNS server. For
details on how to configure the route, see Configure static route example in the Configuration Guide - IP Routing.

Step 2 Verify the configuration.


# Run the ping ipv6 huawei.com command on RouterA. You can find that the ping operation
succeeds, and the destination IPv6 address is 2002::1.
<RouterA> ping ipv6 huawei.com
  Resolved Host ( huawei.com -> 2002::1)
  PING huawei.com : 56 data bytes, press CTRL_C to break
    Reply from 2002::1
    bytes=56 Sequence=1 hop limit=64 time = 1 ms
    Reply from 2002::1
    bytes=56 Sequence=2 hop limit=64 time = 1 ms
    Reply from 2002::1
    bytes=56 Sequence=3 hop limit=64 time = 1 ms
    Reply from 2002::1
    bytes=56 Sequence=4 hop limit=64 time = 1 ms
    Reply from 2002::1
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- huawei.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

# Run the display ipv6 host command on RouterA. You can view mappings between host names
and IPv6 addresses in static DNS entries.
<RouterA> display ipv6 host
Host       Age   Flags    IPv6Address (es)
RouterB    0     static   2001::2
RouterC    0     static   2002::3

# Run the display dns ipv6 dynamic-host command on RouterA. You can view information about
dynamic IPv6 DNS entries saved in the cache.
<RouterA> display dns ipv6 dynamic-host
Host          TTL    Type   Address(es)
huawei.com    3579   IPv6   2002::1
NOTE

The TTL field in the command output indicates the lifetime of a DNS entry, in seconds.

----End

Configuration File
Configuration file of RouterA

#
sysname RouterA
#
ipv6
#
ipv6 host RouterB 2001::2
ipv6 host RouterC 2002::3
#
dns resolve
dns server ipv6 2003::2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::1/64
#
return

Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2002::2/64
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::2/64
#
return

Configuration file of RouterC


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2002::3/64
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2003::1/64
#
return

10.4.2 Example for Configuring IPv6 DNS Proxy


Networking Requirements
As shown in Figure 10-4, no DNS server is deployed on NetworkA. Users on NetworkA access
the external DNS server to resolve domain names through RouterA enabled with DNS proxy.
If the route from RouterA to the DNS server is unreachable, the IPv6 address configured for
DNS spoofing is used to respond to the DNS query packets.
NOTE

AR150&200 can function only as RouterA in this scenario.

Figure 10-4 Network diagram for configuring IPv6 DNS proxy
[Figure: network diagram with the following devices and addresses]
RouterA (DNS proxy for NetworkA): GE1/0/0 2001::1/64
RouterB: GE1/0/0 2001::2/64, GE2/0/0 2002::1/64
DNS server: 2002::2/64

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IPv6 address for the DNS server on RouterA to forward DNS packets.
2. Configure IPv6 DNS spoofing on RouterA.

Procedure
Step 1 Configure an IPv6 address for GE1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001::1 64
[RouterA-GigabitEthernet1/0/0] quit

Step 2 Configure a DNS server.


# Enable dynamic DNS resolution.
[RouterA] dns resolve

# Configure a DNS server that the DNS proxy or relay connects to.
[RouterA] dns server ipv6 2002::2

# Enable IPv6 DNS proxy.


[RouterA] dns proxy enable

Step 3 Configure DNS spoofing and specify the IPv6 address in response messages as 2003::3.
[RouterA] dns spoofing ipv6 2003::3

Step 4 Configure a static route.


[RouterA] ipv6 route-static 2002:: 64 2001::2
NOTE

You need to configure a static IPv6 route on the DNS server so that DNS packets can be sent and received
properly.

Step 5 Verify the configuration.


# Run the display current-configuration command to view the DNS proxy configuration on
RouterA.
<RouterA> display current-configuration | include dns
dns resolve
dns server ipv6 2002::2
dns Proxy enable
dns Spoofing ipv6 2003::3

----End

Configuration File
Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::1/64
#
dns resolve
dns server ipv6 2002::2
dns proxy enable
dns spoofing ipv6 2003::3
#
ipv6 route-static 2002:: 64 2001::2
#
return

Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::2/64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2002::1/64
#
return

11 IPv6 over IPv4 Tunnel Configuration


About This Chapter


IPv6 over IPv4 tunnel technology enables transition from the IPv4 network to the IPv6 network.
11.1 IPv6 over IPv4 Tunnel Overview
An IPv6 over IPv4 tunnel connects isolated IPv6 sites through an IPv4 network.
11.2 Principles
11.3 Configuring IPv6 over IPv4 Tunnel
11.4 Maintaining the IPv6 over IPv4 Tunnel
IPv6 over IPv4 tunnel maintenance includes monitoring the running status of the IPv6 over IPv4
tunnel.
11.5 Configuration Examples

11.1 IPv6 over IPv4 Tunnel Overview


An IPv6 over IPv4 tunnel connects isolated IPv6 sites through an IPv4 network.
Exhaustion of IPv4 addresses makes the transition from IPv4 to IPv6 urgent. IPv6 is incompatible
with IPv4, so original IPv4 devices would need to be replaced. This approach is infeasible because the
replacement requires huge capital expenditure and would interrupt services on the live network.
In this situation, IPv4 needs to transition to IPv6 gradually. During early transition, IPv4 networks
are widely deployed and IPv6 networks are isolated sites. An IPv6 over IPv4 tunnel allows IPv6
packets to be transmitted on an IPv4 network and connects all IPv6 sites.

11.2 Principles
11.2.1 Dual Protocol Stack
Dual protocol stack is a technology used for the transition from the IPv4 network to the IPv6
network. Nodes on a dual stack network support both IPv4 and IPv6 protocol stacks. A source node
and a destination node use the same protocol stack. Network devices use protocol stacks to process
and forward packets based on the protocol type of packets. You can implement a dual protocol
stack on a single device or on a dual stack backbone network. On the dual stack backbone network,
all devices must support both IPv4 and IPv6 protocol stacks. Interfaces connecting to the dual
stack network must be configured with both IPv4 and IPv6 addresses. Figure 11-1 shows the
structures of a single protocol stack and a dual protocol stack.
Figure 11-1 Dual protocol stack
[Figure: two stacks side by side]
IPv4 Stack: IPv4 Application | TCP, UDP | IPv4 | Ethernet (Protocol ID: 0x0800)
Dual Stack: IPv4/IPv6 Application | TCP, UDP | IPv4, IPv6 | Ethernet (Protocol ID: 0x0800 for IPv4, 0x86DD for IPv6)

A dual protocol stack has the following advantages:


- Supported by multiple link protocols.
  Multiple link protocols, such as Ethernet, support dual protocol stacks. In Figure 11-1, the
  link protocol is Ethernet. In an Ethernet frame, if the value of the Protocol ID field is 0x0800,
  the network layer receives IPv4 packets. If the value of the Protocol ID field is 0x86DD,
  the network layer receives IPv6 packets.
- Supported by multiple applications.
  Multiple applications, such as the DNS, FTP, and Telnet, support dual protocol stacks. The
  upper layer applications, such as the DNS, can use TCP or UDP as the transport layer
  protocol. However, they prefer the IPv6 protocol stack rather than the IPv4 protocol stack
  as the network layer protocol.

Figure 11-2 shows a typical application of the dual IPv4/IPv6 protocol stack.
Figure 11-2 Networking diagram for applying a dual protocol stack
[Figure: a host asks the DNS server "www.example.com=?" and receives 10.1.1.1 or 3ffe:yyyy::1; the Router connects the host to the IPv4 server 10.1.1.1 and to the IPv6 server 3ffe:yyyy::1]

As shown in Figure 11-2, an application that supports the dual protocol stack sends a DNS request
packet to the DNS server, requesting the IP address corresponding to the domain name
www.example.com. The DNS server responds with the requested IP address. The IP address can be
10.1.1.1 or 3ffe:yyyy::1. If the host sends an A query packet, it requests the IPv4 address from
the DNS server. If the host sends an AAAA query packet, it requests the IPv6 address from the
DNS server.
The Router in the figure supports the dual protocol stack. It uses the IPv4 protocol stack to
connect the host to the network server with the IPv4 address 10.1.1.1, and the IPv6
protocol stack to connect the host to the network server with the IPv6 address 3ffe:yyyy::1.

11.2.2 IPv6 over IPv4 Tunnel


A tunnel is an encapsulation technology. Tunnel technology encapsulates packets of one network
layer protocol as packets of another network layer protocol for transmission. A tunnel is a
virtual point-to-point (P2P) connection. It provides a path through which encapsulated packets
are transmitted. Datagrams are encapsulated at one end of the tunnel and decapsulated at the
other end. Tunnel technology refers to the process in which datagrams are encapsulated,
transmitted, and decapsulated. It is of great importance for the transition from IPv4 to IPv6.
Exhaustion of IPv4 addresses brings an urgent demand for transition to IPv6. As IPv6 is not
compatible with IPv4, you need to replace devices on the original IPv4 network. Replacing a
large number of devices on the IPv4 network costs a lot and causes service interruption of the
current network. Therefore, transition from IPv4 networks to IPv6 networks must be performed
step by step. During the early transition, a large number of IPv4 networks have been deployed,
whereas IPv6 networks are isolated sites around the world. You can create tunnels on the IPv4
networks to connect the isolated IPv6 sites. These tunnels are called IPv6 over IPv4 tunnels.
Figure 11-3 shows how to apply the IPv6 over IPv4 tunnel.
Figure 11-3 Networking diagram for applying the IPv6 over IPv4 tunnel
[Figure: two IPv6 networks, each with an IPv6 host and a dual stack router, joined across an IPv4 network by an IPv6 over IPv4 tunnel]
Packet on the IPv6 networks: IPv6 Header | IPv6 Data
Packet in the tunnel: IPv4 Header | IPv6 Header | IPv6 Data

1. On the border device, the dual IPv4/IPv6 protocol stack is enabled, and an IPv6 over IPv4
   tunnel is configured.
2. After the border device receives a packet from the IPv6 network, if the destination address
   of the IPv6 packet is not the device itself and the outbound interface to the next hop is
   the tunnel interface, the device prepends an IPv4 header to the IPv6 packet to encapsulate
   the IPv6 packet as an IPv4 packet.
3. On the IPv4 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv4 header, and sends the
   decapsulated IPv6 packet to the IPv6 network.

A tunnel is established when its start and end points are determined. You must manually
configure an IPv4 address at the start point of an IPv6 over IPv4 tunnel. The IPv4 address at the
end point of the tunnel can be determined manually or automatically. Based on the mode in
which the end point IPv4 address is obtained, IPv6 over IPv4 tunnels are classified into manual
tunnels and automatic tunnels.
- Manual tunnel: If a tunnel is created manually, a border router cannot automatically obtain
  an IPv4 address at the end point. You must manually configure an end point IPv4 address
  before packets can be transmitted to the remote border router.
- Automatic tunnel: If a tunnel is created automatically, a border router can automatically
  obtain an IPv4 address at the end point. The addresses of two interfaces on both ends of
  the tunnel are IPv6 addresses with IPv4 addresses embedded. The border router extracts
  IPv4 addresses from destination IPv6 addresses.

Manual Tunnel
Based on encapsulation modes of IPv6 packets, manual tunnels are classified into IPv6 over
IPv4 manual tunnels and IPv6 over IPv4 Generic Routing Encapsulation (GRE) tunnels.
IPv6 over IPv4 Manual Tunnel
The border router uses the received IPv6 packet as the payload and encapsulates the IPv6 packet
as an IPv4 packet. You must manually specify the source and destination addresses of a manual
tunnel. A manual tunnel is a P2P connection. It can be created between two border routers to
connect IPv6 sites that are isolated by an IPv4 network, or created between a border router and a
host to enable the host to access an IPv6 network. Hosts and border routers on both ends of a
manual tunnel must support the IPv4/IPv6 dual protocol stack. Other devices only need to support
a single protocol stack. If you create multiple IPv6 over IPv4 manual tunnels between one border
router and multiple hosts, the configuration workload is heavy. Therefore, an IPv6 over IPv4
manual tunnel is commonly created between two border routers to connect IPv6 networks.
Figure 11-4 shows the encapsulation format of an IPv6 over IPv4 packet.
Figure 11-4 Encapsulation format of an IPv6 over IPv4 packet
[Figure: IPv4 Header | IPv6 Header | IPv6 Data]

The forwarding mechanism of an IPv6 over IPv4 manual tunnel is as follows: After a border
router receives a packet from the IPv6 network, it looks up the destination address of the IPv6
packet in the routing and forwarding table. If the packet is to be forwarded through the virtual
tunnel interface, the router encapsulates the packet based on the source and destination IPv4
addresses configured on the interface. The IPv6 packet is encapsulated as an IPv4 packet and
processed by the IPv4 protocol stack. The encapsulated packet is forwarded through the IPv4
network to the remote end of the tunnel. After the border router on the remote end of the tunnel
receives the encapsulated packet, it decapsulates the packet and processes the packet using the
IPv6 protocol stack.
IPv6 over IPv4 GRE Tunnel
An IPv6 over IPv4 GRE tunnel uses the standard GRE tunnel technology to provide P2P
connections. You must manually specify addresses for both ends of the tunnel. Any type of
protocol packet that GRE supports can be encapsulated and transmitted through a GRE tunnel.
The protocols may include IPv4, IPv6, Open Systems Interconnection (OSI), and Multiprotocol
Label Switching (MPLS).
Figure 11-5 shows the encapsulation and transmission process on an IPv6 over IPv4 GRE tunnel.
Figure 11-5 IPv6 over IPv4 GRE tunnel
[Figure: an IPv6 packet (IPv6 Header | Data) enters the GRE tunnel from the IPv6 side, crosses the
IPv4 network as IPv4 Header | GRE Header | IPv6 Header | Data, and leaves the tunnel as
IPv6 Header | Data.]

The forwarding mechanism of an IPv6 over IPv4 GRE tunnel is the same as that of an IPv6 over
IPv4 manual tunnel. For details, see the Configuration Guide - VPN.

Automatic Tunnel
You only need to configure the start point of an automatic tunnel, and the device automatically
obtains the end point of the tunnel. The tunnel interface uses a special form of IPv6 address with
an IPv4 address embedded. The device obtains the IPv4 address from the destination IPv6
address and uses the IPv4 address as the end point address of the tunnel.
Based on the encapsulation modes of IPv6 packets, automatic tunnels are classified into
IPv4-compatible IPv6 automatic tunnels, IPv6-to-IPv4 tunnels, and Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP) tunnels.
IPv4-compatible IPv6 Automatic Tunnel
For an IPv4-compatible IPv6 automatic tunnel, the destination address contained in an IPv6
packet is an IPv4-compatible IPv6 address. The first 96 bits of an IPv4-compatible IPv6 address
are all 0s and the last 32 bits are the IPv4 address. Figure 11-6 shows the format of an
IPv4-compatible IPv6 address.
Figure 11-6 IPv4-compatible IPv6 address
| 0 (96 bit) | IPv4 address (32 bit) |

Figure 11-7 shows the forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel.
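Figure 11-7 Forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel
[Figure: Router A (IPv4 1.1.1.1/24, tunnel address ::1.1.1.1/96) and Router B (IPv4 2.1.1.1/24,
tunnel address ::2.1.1.1/96) are connected by an IPv4-compatible IPv6 tunnel across the IPv4 network.]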

After receiving an IPv6 packet, Router A searches the routing table for the destination address
::2.1.1.1 and finds that the next hop address is a virtual tunnel interface address. Router A then
encapsulates the IPv6 packet as an IPv4 packet because the tunnel configured on Router A is
an IPv4-compatible IPv6 automatic tunnel. The source address of the encapsulated IPv4 packet
is the start point address of the tunnel, 1.1.1.1, and the destination address is 2.1.1.1, which is the
last 32 bits of the IPv4-compatible IPv6 address. Router A sends the packet through the tunnel
interface and forwards it on an IPv4 network to the destination address 2.1.1.1 (Router B). Router
B receives the packet, obtains the IPv6 packet, and processes the IPv6 packet using the IPv6
protocol stack. Router B returns packets to Router A in the same way.
NOTE

If the IPv4 address contained in an IPv4-compatible IPv6 address is a broadcast address, multicast address,
network broadcast address, subnet broadcast address of an outbound interface, address of all 0s, or loopback
address, the IPv6 packet will be discarded.

To deploy an IPv4-compatible IPv6 tunnel, each host must have a valid IP address, and hosts
that communicate with each other must support dual protocol stacks and IPv4-compatible IPv6
tunnels. Therefore, it is unsuitable for large-scale networks. Currently, the IPv4-compatible IPv6
tunnel has been replaced by the IPv6-to-IPv4 tunnel.
IPv6-to-IPv4 Tunnel
An IPv6-to-IPv4 tunnel also uses an IPv4 address that is embedded in an IPv6 address. Unlike
IPv4-compatible IPv6 tunnels, you can create IPv6-to-IPv4 tunnels between two routers, a router
and a host, and two hosts. An IPv6-to-IPv4 address uses the IPv4 address as the network ID.
Figure 11-8 shows the format of an IPv6-to-IPv4 address.
Figure 11-8 Format of an IPv6-to-IPv4 address
| Field  | FP    | TLA    | IPv4 address | SLA ID | Interface ID |
| Value  | 001   | 0x0002 |              |        |              |
| Length | 3 bit | 13 bit | 32 bit       | 16 bit | 64 bit       |

FP: format prefix of a global unicast address. The value is 001.

TLA ID: top level aggregation identifier. The value is 0x0002.

SLA ID: site level aggregation identifier.

An IPv6-to-IPv4 address is expressed in the format of 2002::/16. An IPv6-to-IPv4 network is
expressed as 2002:IPv4 address::/48. An IPv6-to-IPv4 address has a 64-bit prefix composed of
48-bit 2002:IPv4 address and 16-bit SLA. 2002:IPv4 address in the format of 2002:a.b.c.d is
determined by the IPv4 address allocated to the router and the SLA is defined by the user. Figure
11-9 shows the encapsulation and forwarding process of the IPv6-to-IPv4 tunnel.


Figure 11-9 Example of an IPv6-to-IPv4 tunnel (1)
[Figure: two 6to4 networks, 2002:IPv4-Addr1::/48 and 2002:IPv4-Addr2::/48, each behind a 6to4
router (IPv4-Addr 1 and IPv4-Addr 2), are joined by a 6to4 tunnel across the IPv4 network. Packets
enter and leave the tunnel as IPv6 Header | Data and cross it as IPv4 Header | IPv6 Header | Data.]

One IPv4 address can be used as the source address of only one IPv6-to-IPv4 tunnel. When a
border device is connected to multiple IPv6-to-IPv4 networks that use the same IPv4 address as
the source address of the tunnel, the IPv6-to-IPv4 networks share a tunnel and are identified by
SLA ID in the IPv6-to-IPv4 address. Figure 11-10 shows the case.
Figure 11-10 Example of an IPv6-to-IPv4 tunnel (2)
[Figure: the 6to4 networks 2002:IPv4-Addr1:1::/64 and 2002:IPv4-Addr1:2::/64 sit behind one 6to4
router (IPv4-Addr 1) and share a single 6to4 tunnel across the IPv4 network to the 6to4 router
(IPv4-Addr 2) of 2002:IPv4-Addr2::/48. Tunnelled packets are IPv4 Header | IPv6 Header | Data.]

As IPv6 networks spread, IPv6 hosts need to communicate with IPv4 hosts
through IPv6-to-IPv4 networks. This can be implemented by deploying IPv6-to-IPv4 relays. When
the destination address of an IPv6 packet forwarded through an IPv6-to-IPv4 tunnel is not an
IPv6-to-IPv4 address, but the next hop address is an IPv6-to-IPv4 address, the next hop router
is an IPv6-to-IPv4 relay. The device obtains the destination IPv4 address from the next hop
IPv6-to-IPv4 address. Figure 11-11 shows an IPv6-to-IPv4 relay.


Figure 11-11 IPv6-to-IPv4 relay
[Figure: labels are IPv6 Network, 6to4 Relay, 6to4 Router, 6to4 tunnel over IPv4 (IPv4-Addr 1,
IPv4-Addr 2), 6to4 Net-1, 6to4 Net-2, 2002:IPv4-Addr1::/48 and 2002:IPv4-Addr2::/48. Tunnelled
packets are IPv4 Header | IPv6 Header | Data.]

When hosts on IPv6-to-IPv4 network 2 want to communicate with hosts on the IPv6 network,
configure the next hop address as the IPv6-to-IPv4 address of the IPv6-to-IPv4 relay on the
border router. The IPv6-to-IPv4 address matches the source address of the IPv6-to-IPv4 tunnel.
Packets sent from IPv6-to-IPv4 network 2 to the IPv6 network are sent to the IPv6-to-IPv4 relay
router according to the routing table. The IPv6-to-IPv4 relay router then forwards packets to the
pure IPv6 network. When hosts on the IPv6 network send packets to IPv6-to-IPv4 network 2,
the IPv6-to-IPv4 relay router appends IPv4 headers to the packets and forwards the packets to
the destination addresses (IPv6-to-IPv4 addresses).
ISATAP Tunnel
ISATAP is another automatic tunnel technology. The ISATAP tunnel uses a special format of
IPv6 address with an IPv4 address embedded. Different from the IPv6-to-IPv4 address that uses
the IPv4 address as the network prefix, the ISATAP address uses the IPv4 address as the interface
ID. Figure 11-12 shows the format of the interface ID of an ISATAP address.
Figure 11-12 Format of the interface ID of an ISATAP address
| 000000ug00000000 (16 bit) | 0101111011111110 (16 bit) | IPv4 address (32 bit) |

If the IPv4 address is globally unique, the "u" bit is set to 1. Otherwise, the "u" bit is set to
0. "g" is the individual/group bit. An ISATAP address contains an interface ID and it can be a
global unicast address, link-local address, ULA address, or multicast address. The device obtains
the first 64 bits of an ISATAP address by sending Request packets to the ISATAP router. Devices
on both ends of the ISATAP tunnel run the Neighbor Discovery (ND) protocol. The ISATAP
tunnel considers the IPv4 network as a non-broadcast multiple access (NBMA) network.
ISATAP allows IPv6 networks to be deployed within existing IPv4 networks. The deployment
is simple and networks can be easily expanded. Therefore, ISATAP is suitable for transition of
local sites. ISATAP supports local routing within IPv6 sites, global IPv6 routing domains, and
automatic IPv6 tunnels. ISATAP can be used together with NAT to allow the use of an IPv4
address that is not globally unique within the site. Typically, an ISATAP tunnel is used within
the site, and does not require a globally unique IPv4 address embedded.
Figure 11-13 shows a typical application of the ISATAP tunnel.
Figure 11-13 Typical application of the ISATAP tunnel
[Figure: Host B and Host C on the IPv4 network reach Host A on the IPv6 network through ISATAP
tunnels to the ISATAP router.]
Host A: 3::8
ISATAP Router: GE1/0/0 10.1.2.1; Tunnel 1 FE80::5EFE:0A01:0201, 1::5EFE:0A01:0201
Host B: 10.1.2.5; FE80::5EFE:0A01:0205, 1::5EFE:0A01:0205
Host C: 10.1.2.6; FE80::5EFE:0A01:0206, 1::5EFE:0A01:0206

As shown in Figure 11-13, Host B and Host C are located on an IPv4 network. They both support
dual protocol stacks and have private IPv4 addresses. Perform the following operations to enable
the ISATAP function on Host B and Host C:
1. Configure an ISATAP tunnel interface to generate an interface ID based on the IPv4
   address.
2. Encapsulate a link-local IPv6 address based on the interface ID. When a host obtains the
   link-local IPv6 address, it can access the IPv6 network on the local link.
3. The host automatically obtains a global unicast IPv6 address and ULA address.
4. The host obtains an IPv4 address from the next hop IPv6 address as the destination address,
   and forwards packets through the tunnel interface to communicate with another IPv6 host.
   When the destination host is located on the same site as the source host, the next hop address
   is the address of the source host. When the destination host is not located on the local site,
   the next hop address is the address of the ISATAP device.
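
The three automatic-tunnel address formats described above, worked through as an added example that is not part of the Huawei guide: it extracts the IPv4 tunnel end point embedded in an IPv4-compatible, IPv6-to-IPv4 (6to4) or ISATAP address and applies the discard conditions from the NOTE on IPv4-compatible addresses. The function names are hypothetical; applying the discard check to 6to4 and ISATAP addresses as well, and reading "network broadcast address" as the classful network broadcast, are assumptions.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # FP 001 + TLA 0x0002
V4_COMPAT = ipaddress.ip_network("::/96")        # first 96 bits are all 0s


def embedded_ipv4(ipv6_text):
    """Return (tunnel_type, IPv4Address) for an IPv6 address that embeds an
    IPv4 tunnel end point, or (None, None) for an ordinary IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6_text)
    raw = int(addr)
    if addr in SIX_TO_FOUR:
        # 2002:IPv4 address::/48 -> the 32 bits that follow the 16-bit prefix
        return "6to4", ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
    iid = raw & 0xFFFFFFFFFFFFFFFF  # low 64 bits = interface ID
    # ISATAP interface ID: 000000ug00000000 0101111011111110 + IPv4 address.
    # Clear the u and g bits before comparing with 0000:5EFE.
    if ((iid >> 32) & 0xFCFFFFFF) == 0x00005EFE:
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    if addr in V4_COMPAT:
        return "ipv4-compatible", ipaddress.IPv4Address(raw & 0xFFFFFFFF)
    return None, None


def _classful_broadcast(v4):
    """Broadcast address of the classful (A/B/C) network that contains v4.
    Assumption: this is what the NOTE means by 'network broadcast address'."""
    first_octet = int(v4) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None
    return ipaddress.ip_network(f"{v4}/{prefix}", strict=False).broadcast_address


def discard_reason(v4, outbound_if):
    """Return the NOTE's discard condition that v4 matches, or None.
    outbound_if is the outbound interface address, for example '1.1.1.1/24'."""
    subnet = ipaddress.ip_interface(outbound_if).network
    if v4.is_unspecified:
        return "address of all 0s"
    if v4 == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast address"
    if v4.is_multicast:
        return "multicast address"
    if v4.is_loopback:
        return "loopback address"
    if v4 == _classful_broadcast(v4):
        return "network broadcast address"
    if v4 == subnet.broadcast_address:
        return "subnet broadcast address of the outbound interface"
    return None


def resolve_tunnel_destination(ipv6_text, outbound_if):
    """Return (tunnel_type, IPv4 end point, discard reason or None)."""
    kind, v4 = embedded_ipv4(ipv6_text)
    if kind is None:
        return None, None, "no embedded IPv4 address"
    return kind, v4, discard_reason(v4, outbound_if)


if __name__ == "__main__":
    # Constructed inputs built from the addresses used in Figures 11-7 and 11-13.
    for text in ("::2.1.1.1", "2002:c0a8:3201:1::1", "FE80::5EFE:0A01:0205",
                 "3::8", "::224.0.0.5", "::1.1.1.255", "::127.0.0.1"):
        print(text, resolve_tunnel_destination(text, "1.1.1.1/24"))
```
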

11.3 Configuring IPv6 over IPv4 Tunnel


11.3.1 Configuring the IPv4/IPv6 Dual Stack


To establish IPv6 over IPv4 tunnels, you need to enable the IPv4/IPv6 dual stack on devices at
the edge of the IPv6 network and the IPv4 network.

Pre-configuration Tasks
Before configuring an IPv4/IPv6 dual stack, complete the following tasks:
- Configuring link layer protocol parameters for interfaces to ensure that the link layer
  protocol status on the interfaces is Up

11.3.1.1 Enabling IPv6 Packet Forwarding


Context
To enable an interface to forward IPv6 packets, enable IPv6 packet forwarding in the system
view and in the interface view.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6

IPv6 packet forwarding is enabled.


By default, IPv6 packet forwarding is disabled on the device.
To enable a device to forward IPv6 packets, enable IPv6 packet forwarding in the system view;
otherwise, the device fails to forward IPv6 packets even if an IPv6 address is configured for an
interface on the device.
Step 3 Run:
interface interface-type interface-number

The view of the interface to be enabled with IPv6 is displayed.


Step 4 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Before performing IPv6 configurations in the interface view, enable the IPv6 function in the
interface view.
By default, the IPv6 function is disabled on an interface.
----End

11.3.1.2 Configuring an IPv4 Address and an IPv6 Address for Interfaces Respectively

Context
The device to be enabled with the dual stack must be configured with an IPv4 address on the
IPv4 network-side interface and an IPv6 address on the IPv6 network-side interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The IPv4 network-side interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length }

An IPv4 address is configured for the interface.


Step 4 Run:
quit

Return to the system view.


Step 5 Run:
interface interface-type interface-number

The IPv6 network-side interface view is displayed.


Step 6 Run the following commands as required.
- Run:
ipv6 address auto link-local

The interface is configured to automatically generate a link-local address.

- Run:
ipv6 address ipv6-address link-local

A link-local IPv6 address is manually configured for the interface.

- Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

A global unicast IPv6 address is configured for the interface.

- Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

An IPv6 address in EUI-64 format is configured for the interface.


----End

11.3.1.3 Checking the Configuration


Prerequisites
All configurations of the IPv4/IPv6 dual stack are complete.

Procedure
- Run the display ipv6 interface [ interface-type interface-number | brief ] command to
  check IPv6 attributes of an interface.

----End

11.3.2 Configuring an IPv6 over IPv4 Tunnel


An IPv6 over IPv4 tunnel connects IPv6 networks through an IPv4 network.

Prerequisites
Source and destination devices of an IPv6 over IPv4 tunnel have forwarding routes.

Pre-configuration Tasks
Before configuring an IPv6 over IPv4 tunnel, complete the following task:
- 11.3.1 Configuring the IPv4/IPv6 Dual Stack

Configuration Process
You can perform the following configuration tasks in any sequence according to usage scenarios
shown in Table 11-1.
Table 11-1 Usage scenarios of IPv6 over IPv4 tunnels

| Category | Subcategory | Tunnel Source/Destination IP Address | Tunnel Interface IP Address | Usage Scenario |
|---|---|---|---|---|
| Manual tunnel | Manual IPv6 over IPv4 tunnel | Source and destination IP addresses use manually configured IPv4 addresses. | IPv6 address | Applies to simple IPv6 networks or point-to-point connections. Only IPv6 packets can be transmitted over the manual IPv6 over IPv4 tunnel. |
| Manual tunnel | IPv6 over IPv4 GRE tunnel | Source and destination IP addresses use manually configured IPv4 addresses. | IPv6 address | Applies to simple IPv6 networks or point-to-point connections. The IPv6 over IPv4 GRE tunnel supports multiple upper-layer protocols including IPv6. |
| Automatic tunnel | Automatic IPv6 over IPv4 tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | IPv6 address that is compatible with an IPv4 address in the format of ::IPv4-source-address/96 | Applies to point-to-multipoint connections of IPv6 hosts. |
| Automatic tunnel | 6to4 tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | 6to4 address in the format of 2002:IPv4-source-address::/48 | Applies to point-to-multipoint connections on IPv6 networks. |
| Automatic tunnel | ISATAP tunnel | The source IP address uses a manually configured IPv4 address, and the destination address is automatically generated. | ISATAP address in the format of Prefix:0 | Applies to connections of IPv6 nodes on an IPv4 network. |

11.3.2.1 Configuring a Manual IPv6 over IPv4 Tunnel


Context
When configuring a manual IPv6 over IPv4 tunnel, pay attention to the following points:
- You must create a tunnel interface before setting tunnel parameters.
- When the specified tunnel source interface is a physical interface, you are advised to set
  the tunnel number to be the same as the tunnel source interface number.
- The following configurations must be performed on devices at both ends of the tunnel.
- To support a dynamic routing protocol, configure a network address for the tunnel interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4

The tunnel mode is set to manual.


Step 4 Run:
source { ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.


NOTE

You can specify a physical interface or a loopback interface as the source interface of a tunnel. Similarly,
you can specify the IP address of a physical interface or loopback interface as the source address of the
tunnel.

Step 5 Run:
destination dest-ip-address

A destination address is specified for the tunnel.


NOTE

The destination address of a tunnel can be the IP address of a physical interface or loopback interface.

Step 6 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Step 7 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.


----End


11.3.2.2 Configuring an Automatic IPv6 over IPv4 Tunnel


Context
When configuring an automatic IPv6 over IPv4 tunnel, pay attention to the following points:
- You must create a tunnel interface before setting tunnel parameters.
- You are advised to set the tunnel number to be the same as the number of the source physical
  interface of the tunnel when the source interface of the tunnel is specified as a physical
  interface.
- You only need to specify the source address of the tunnel when an automatic tunnel is
  configured. The destination address of the tunnel is obtained from the destination address
  of the original IPv6 packet. In addition, the source addresses of an automatic tunnel must
  be unique.
- Ensure that the IPv6 address configured for the tunnel interface is compatible with an IPv4
  address. In the IPv6 address, the high-order 96 bits are all 0s, and the last 32 bits are the IPv4
  address configured for the IPv4 network-side interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4 auto-tunnel

The tunnel mode is set to automatic.


Step 4 Run:
source { ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.


Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.


----End


11.3.2.3 Configuring a 6to4 Tunnel


Context
When configuring a 6to4 tunnel, pay attention to the following points:
- You must create a tunnel interface before setting tunnel parameters.
- You are advised to set the tunnel number to be the same as the number of the source physical
  interface of the tunnel.
- You only need to specify the source address of the tunnel when a 6to4 tunnel is configured.
  The destination address of the tunnel is obtained from the destination address of the original
  IPv6 packet. In addition, the source address of a 6to4 tunnel must be unique.
- You need to configure a 6to4 address for the interface that connects a border device to the
  6to4 network, and an IPv4 address for the interface that connects a border device to the
  IPv4 network. You also need to configure a network address for the tunnel interface to
  support a dynamic routing protocol.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4 6to4

The tunnel mode is set to 6to4.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.


Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.


NOTE

The IPv6 address prefix of the specified tunnel interface must be the same as the address prefix of the 6to4
network that the device belongs to.

----End

Follow-up Procedure
Connect to an IPv6 network through a 6to4 relay agent. The procedure for connecting to an IPv6
network through a 6to4 relay agent is similar to the procedure for configuring a 6to4 tunnel. For
details, see Example for Configuring 6to4 Relay.

11.3.2.4 Configuring an ISATAP Tunnel


Context
When configuring an ISATAP tunnel, pay attention to the following points:
- You must create a tunnel interface before setting tunnel parameters.
- You are advised to set the tunnel number to be the same as the number of the source physical
  interface of the tunnel.
- The source interface of a tunnel is the physical interface that forwards tunnel packets. You
  can specify an IP address or interface name for the source interface.
- You need to configure an ISATAP address with a 64-bit prefix-length as the IPv6 address
  of a tunnel interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4 isatap

The tunnel mode is set to ISATAP.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source address or source interface is specified for the tunnel.


Step 5 Run:
ipv6 enable

The IPv6 function is enabled on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is configured for the tunnel interface.


Step 7 Run:
undo ipv6 nd ra halt


The device is enabled to send router advertisement (RA) packets.


----End

11.3.2.5 Checking the Configuration


Prerequisites
All configurations of the IPv6 over IPv4 tunnel are complete.

Procedure
- Run the display ipv6 interface tunnel interface-number command to check IPv6 attributes
  of a tunnel interface.

----End

11.4 Maintaining the IPv6 over IPv4 Tunnel


IPv6 over IPv4 tunnel maintenance includes monitoring the running status of the IPv6 over IPv4
tunnel.

11.4.1 Monitoring the Running Status of the IPv6 over IPv4 Tunnel
Context
In routine maintenance, you can run the following command in any view to monitor the running
status of the IPv6 over IPv4 tunnel.

Procedure
- Run the display ipv6 interface tunnel interface-number command in any view to view
  the running status of the tunnel interface.

----End

11.5 Configuration Examples


11.5.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
Networking Requirements
As shown in Figure 11-14, two IPv6 networks connect to RouterB on an IPv4 backbone network
through RouterA and RouterC respectively. Hosts on the two IPv6 networks are required to
communicate through the IPv4 backbone network.


Figure 11-14 Networking diagram for configuring a manual IPv6 over IPv4 tunnel
[Figure: RouterA and RouterC are dual-stack routers, each attached to an IPv6 network and to
RouterB on the IPv4 network.]
RouterA: GE1/0/0 192.168.50.2/24
RouterB: GE1/0/0 192.168.50.1/24, GE2/0/0 192.168.51.1/24
RouterC: GE1/0/0 192.168.51.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4
   backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel interfaces
   so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can
   communicate through the IPv4 backbone network.

Procedure
Step 1 Configure RouterA.
# Configure an IP address for an interface.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit

# Set the tunnel protocol to IPv6-IPv4.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4

# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 3001::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] destination 192.168.51.2
[RouterA-Tunnel0/0/1] quit

# Configure a static route.



[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1

Step 2 Configure RouterB.


# Configure IP addresses for interfaces.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

Step 3 Configure RouterC.


# Configure an IP address for an interface.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit

# Set the tunnel protocol to IPv6-IPv4.


[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol ipv6-ipv4

# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 3001::2/64
[RouterC-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterC-Tunnel0/0/1] destination 192.168.50.2
[RouterC-Tunnel0/0/1] quit

# Configure a static route.


[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1

Step 4 Verify the configuration.


# Ping the IPv4 address of GE1/0/0 on RouterA from RouterC. RouterC can receive a Reply
packet from RouterA.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms

# Ping the IPv6 address of Tunnel0/0/1 on RouterA from RouterC. RouterC can receive a Reply
packet from RouterA.
[RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

----End

Configuration Files
Configuration file of RouterA


#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

Configuration file of RouterB


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.51.1 255.255.255.0
#
return

Configuration file of RouterC


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 192.168.51.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol ipv6-ipv4
source GigabitEthernet1/0/0
destination 192.168.50.2


#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
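
A manual tunnel only works when both ends mirror each other, so the two configuration files above can be checked mechanically. The following is an added example, not part of the Huawei guide and not a Huawei tool: it parses the RouterA and RouterC configuration files from this page and reports mismatched end points, mismatched tunnel prefixes, and a missing IPv4 route to the tunnel destination. The parser and function names are hypothetical, and the broken RouterC variant is constructed for the demonstration.

```python
import ipaddress

# Shape of the RouterA/RouterC configuration files listed on this page.
TEMPLATE = """\
sysname {name}
#
ipv6
#
interface GigabitEthernet1/0/0
 ip address {v4} 255.255.255.0
#
interface Tunnel0/0/1
 ipv6 enable
 ipv6 address {v6}
 tunnel-protocol ipv6-ipv4
 source GigabitEthernet1/0/0
 destination {peer}
#
ip route-static {net} 255.255.255.0 {gw}
#
return
"""
ROUTER_A = TEMPLATE.format(name="RouterA", v4="192.168.50.2", v6="3001::1/64",
                           peer="192.168.51.2", net="192.168.51.0", gw="192.168.50.1")
ROUTER_C = TEMPLATE.format(name="RouterC", v4="192.168.51.2", v6="3001::2/64",
                           peer="192.168.50.2", net="192.168.50.0", gw="192.168.51.1")
# Constructed misconfiguration: RouterC points at an address RouterA does not use.
ROUTER_C_BAD = ROUTER_C.replace("destination 192.168.50.2", "destination 192.168.50.3")


def parse_vrp(text):
    """Parse a configuration file into ({interface: {keyword: value}}, [route networks])."""
    interfaces, routes, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            current = None                      # '#' closes the current view
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("ip route-static "):
            dest, mask = line.split()[2:4]
            routes.append(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
        elif current is not None and line:
            key, _, rest = line.partition(" ")
            if key in ("ip", "ipv6") and rest.startswith("address "):
                current[key + " address"] = rest.split(None, 1)[1]
            else:
                current[key] = rest
    return interfaces, routes


def tunnel_source_ip(interfaces, tunnel):
    """Resolve 'source' to an IPv4 address, whether it names an address or an interface."""
    src = tunnel["source"]
    try:
        return ipaddress.IPv4Address(src)
    except ValueError:
        return ipaddress.IPv4Address(interfaces[src]["ip address"].split()[0])


def audit_manual_tunnel(cfg_local, cfg_peer, name="Tunnel0/0/1"):
    """Return findings for the local end of a manual tunnel; an empty list means consistent."""
    ifs, routes = parse_vrp(cfg_local)
    peer_ifs, _ = parse_vrp(cfg_peer)
    tun, peer_tun = ifs.get(name), peer_ifs.get(name)
    if tun is None or peer_tun is None:
        return [f"{name} is missing on one end"]
    if not {"source", "destination"} <= tun.keys() or "source" not in peer_tun:
        return ["tunnel source or destination is not configured"]
    findings = []
    if tun.get("tunnel-protocol") != "ipv6-ipv4":
        findings.append("tunnel-protocol is not ipv6-ipv4")
    if tun.get("ipv6") != "enable":
        findings.append("ipv6 enable is missing on the tunnel interface")
    dest = ipaddress.IPv4Address(tun["destination"])
    peer_src = tunnel_source_ip(peer_ifs, peer_tun)
    if dest != peer_src:
        findings.append(f"destination {dest} is not the peer's tunnel source {peer_src}")
    local_net = ipaddress.ip_interface(tun["ipv6 address"]).network
    peer_net = ipaddress.ip_interface(peer_tun["ipv6 address"]).network
    if local_net != peer_net:
        findings.append(f"tunnel prefixes differ: {local_net} and {peer_net}")
    connected = [ipaddress.ip_interface("/".join(i["ip address"].split())).network
                 for i in ifs.values() if "ip address" in i]
    if not any(dest in net for net in connected + routes):
        findings.append(f"no IPv4 route to tunnel destination {dest}")
    return findings


if __name__ == "__main__":
    print(audit_manual_tunnel(ROUTER_A, ROUTER_C))
    print(audit_manual_tunnel(ROUTER_C_BAD, ROUTER_A))
```
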

11.5.2 Example for Configuring an IPv6 over IPv4 GRE Tunnel


Networking Requirements
As shown in Figure 11-15, two IPv6 networks connect to RouterB on an IPv4 backbone network
respectively through RouterA and RouterC. An IPv6 over IPv4 GRE tunnel needs to be set up
between RouterA and RouterC so that hosts on the two IPv6 networks can communicate.
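Figure 11-15 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel
[Figure: PC1 connects to RouterA and PC2 connects to RouterC; RouterA and RouterC each connect to
RouterB, and a GRE tunnel runs between RouterA and RouterC.]
RouterA: GE1/0/0 20.1.1.1/24, GE2/0/0 10.1.1.2/24, Tunnel0/0/1 40.1.1.1/24
RouterB: GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
RouterC: GE1/0/0 30.1.1.2/24, GE2/0/0 10.2.1.2/24, Tunnel0/0/1 40.1.1.2/24
PC1: 10.1.1.1/24
PC2: 10.2.1.1/24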

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4
network.
2. Create tunnel interfaces on RouterA and RouterC, set up a GRE tunnel between them, and
specify the source and destination addresses of the tunnel interfaces, so that encapsulated
packets can be forwarded using OSPF routes. The source address is the IP address of the
interface sending packets, and the destination address is the IP address of the interface
receiving packets.
3. Configure static routes on RouterA and RouterC, so that traffic between PC1 and PC2 can
be forwarded through the GRE tunnel. Set the destination address to the network segment
connected to the peer PC and the outbound interface to the tunnel interface on the local
device.

Procedure
Step 1 Configure an IP address for each physical interface.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 20.1.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] ipv6
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2001::1 64
[RouterA-GigabitEthernet2/0/0] quit

# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 20.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 30.1.1.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit

# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 30.1.1.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] ipv6
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ipv6 enable
[RouterC-GigabitEthernet2/0/0] ipv6 address 4001::1 64
[RouterC-GigabitEthernet2/0/0] quit

Step 2 Configure IPv4 static routes.


# Configure RouterA.
[RouterA] ip route-static 30.1.1.2 255.255.255.0 20.1.1.2

# Configure RouterC.
[RouterC] ip route-static 20.1.1.1 255.255.255.0 30.1.1.1

Step 3 Configure tunnel interfaces.


# Configure RouterA.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 3001::1 64
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit

# Configure RouterC.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 3001::2 64
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit

Step 4 Configure tunnel static routes.


# Configure RouterA.
[RouterA] ipv6 route-static 4001::1 64 tunnel 0/0/1

# Configure RouterC.
[RouterC] ipv6 route-static 2001::1 64 tunnel 0/0/1

Step 5 Verify the configuration.


# Ping the IPv4 address of RouterA from RouterC. RouterC can receive a Reply packet from
RouterA.
[RouterC] ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms

# Ping the IPv6 address of RouterA from RouterC. RouterC can receive a Reply packet from
RouterA.
[RouterC] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

----End

Configuration Files
Configuration file of RouterA


#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2001::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ip route-static 30.1.1.0 255.255.255.0 20.1.1.2
#
ipv6 route-static 4001:: 64 Tunnel0/0/1
#
return

Configuration file of RouterB


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
return

Configuration file of RouterC


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 4001::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ip route-static 20.1.1.0 255.255.255.0 30.1.1.1
#
ipv6 route-static 2001:: 64 Tunnel0/0/1
#
return

11.5.3 Example for Configuring an Automatic IPv6 over IPv4 Tunnel

Networking Requirements
As shown in Figure 11-16, two IPv6 networks connect to an IPv4 backbone network through
RouterA and RouterB respectively. An automatic IPv6 over IPv4 tunnel needs to be set up
between RouterA and RouterB so that devices on the two IPv6 networks can communicate.
Figure 11-16 Networking diagram for configuring an automatic IPv6 over IPv4 tunnel
[Figure: dual-stack RouterA (GE1/0/0 2.1.1.1/8, Tunnel0/0/1 ::2.1.1.1/96) and dual-stack RouterB (GE1/0/0 2.1.1.2/8, Tunnel0/0/1 ::2.1.1.2/96) connect two IPv6 networks across the IPv4 network.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4
backbone network.
2. Configure IPv6 addresses and source interfaces for tunnel interfaces so that devices can
communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to automatic so that hosts on the two IPv6 networks can
communicate through the IPv4 network.

Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit

# Configure an automatic IPv6 over IPv4 tunnel.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address ::2.1.1.1/96
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] quit

Step 2 Configure RouterB.


# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-GigabitEthernet1/0/0] quit

# Configure an automatic IPv6 over IPv4 tunnel.


[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 auto-tunnel
[RouterB-Tunnel0/0/1] ipv6 enable
[RouterB-Tunnel0/0/1] ipv6 address ::2.1.1.2/96
[RouterB-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterB-Tunnel0/0/1] quit

Step 3 Verify the configuration.


# View the IPv6 status of tunnel0/0/1 on RouterA. You can see that the tunnel status is Up.
[RouterA] display ipv6 interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::2.1.1.1, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

# Ping the IPv6 address of the peer device that is compatible with the IPv4 address from RouterA.
The IPv6 address is pinged successfully.
[RouterA] ping ipv6 ::2.1.1.2
PING ::2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from ::2.1.1.2
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from ::2.1.1.2
bytes=56 Sequence=2 hop limit=64 time = 40 ms
Reply from ::2.1.1.2
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from ::2.1.1.2
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::2.1.1.2
bytes=56 Sequence=5 hop limit=64 time = 50 ms
--- ::2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/34/50 ms

----End

Configuration Files
Configuration file of RouterA


#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address ::2.1.1.1/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source GigabitEthernet1/0/0
#
return

Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 2.1.1.2 255.0.0.0
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address ::2.1.1.2/96
tunnel-protocol ipv6-ipv4 auto-tunnel
source GigabitEthernet1/0/0
#
return

11.5.4 Example for Configuring 6to4 Relay


Networking Requirements
As shown in Figure 11-17, the IPv6 network-side interface of 6to4 router RouterA connects to
a 6to4 network. RouterB is a 6to4 relay agent and connects to the IPv6 Internet (2001::/64).
RouterA and RouterB are connected through an IPv4 backbone network. A 6to4 tunnel needs
to be set up between RouterA and RouterB so that hosts on the 6to4 network and the IPv6 network
can communicate.

Figure 11-17 Networking diagram for configuring 6to4 relay
[Figure: RouterA (GE1/0/0 2.1.1.1, GE2/0/0 2002:201:101:1::1/64, Tunnel 0/0/1 2002:201:101::1/64) and RouterB (GE1/0/0 2.1.1.2, GE2/0/0 2001::1/64, Tunnel0/0/1 2002:201:102::1/64) are connected across the IPv4 network. PC1 (2002:201:101:1::2) is on the IPv6 network behind RouterA and PC2 (2002:201:102:1::2) is on the IPv6 network behind RouterB.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on routers so that they can access the IPv4 network and
the IPv6 network.
2. Configure a 6to4 tunnel on routers to connect IPv6 networks through the IPv4 backbone
network.
3. Configure a static route between RouterA and RouterB so that they can communicate
through the IPv4 backbone network.

Procedure
Step 1 Configure RouterA.
# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 2.1.1.1 255.0.0.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1/64
[RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.


[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 2002:0201:0101::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] quit

# Configure a static route to 2002::/16.


[RouterA] ipv6 route-static 2002:: 16 tunnel 0/0/1

# Configure a default route to the IPv6 network.


[RouterA] ipv6 route-static :: 0 2002:0201:0102::1

Step 2 Configure RouterB.


# Configure an IPv4/IPv6 dual stack.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 2.1.1.2 255.0.0.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ipv6 enable
[RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1/64
[RouterB-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.


[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] tunnel-protocol ipv6-ipv4 6to4
[RouterB-Tunnel0/0/1] ipv6 enable
[RouterB-Tunnel0/0/1] ipv6 address 2002:0201:0102::1/64
[RouterB-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterB-Tunnel0/0/1] quit

# Configure a static route to 2002::/16.


[RouterB] ipv6 route-static 2002:: 16 tunnel 0/0/1

Step 3 Verify the configuration.


# Ping the IPv6 address of GE2/0/0 on RouterB from RouterA. The IPv6 address is pinged
successfully.
[RouterA] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time = 29 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time = 5 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/29 ms

----End

Configuration Files
Configuration file of RouterA


#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source GigabitEthernet1/0/0
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 0/0/1
#
return

Configuration file of RouterB


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2001::1/64
#
interface Tunnel 0/0/1
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source GigabitEthernet1/0/0
#
ipv6 route-static 2002:: 16 Tunnel 0/0/1
#
return

11.5.5 Example for Configuring an ISATAP Tunnel


Networking Requirements
As shown in Figure 11-18, the IPv6 host needs to be connected to the IPv6 network through a
border router. The IPv6 host and border router support ISATAP. An ISATAP tunnel needs to
be set up between the IPv6 host and the border router.

Figure 11-18 Networking diagram for configuring an ISATAP tunnel
[Figure: the IPv6 host (3001::2) on the IPv6 network connects to GE1/0/0 (3001::1/64) of the ISATAP router; GE2/0/0 (2.1.1.1/8) of the router connects across the IPv4 network to the ISATAP host (2.1.1.2, FE80::5EFE:0201:0102, 2001::5EFE:0201:0102).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on the router so that the router can communicate with
devices on the IPv4 network and the IPv6 network.
2. Configure an ISATAP tunnel on the router so that IPv6 hosts on the IPv4 network can
communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route.

Procedure
Step 1 Configure the ISATAP router.
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] quit

# Configure an ISATAP tunnel.


[Router] interface tunnel 0/0/2
[Router-Tunnel0/0/2] tunnel-protocol ipv6-ipv4 isatap
[Router-Tunnel0/0/2] ipv6 enable
[Router-Tunnel0/0/2] ipv6 address 2001::/64 eui-64
[Router-Tunnel0/0/2] source gigabitethernet 2/0/0
[Router-Tunnel0/0/2] undo ipv6 nd ra halt
[Router-Tunnel0/0/2] quit

Step 2 Configure the ISATAP host.


The ISATAP host configuration depends on the operating system.
- When the ISATAP host runs the Windows XP operating system, perform the following
operations:
# Configure the IPv6 protocol.
C:\> ipv6 install

# Run the following command to add a static route to the border router. The number of the
pseudo interface on the host is 2. You can run the ipv6 if command to check the interface
corresponding to Automatic Tunneling Pseudo-Interface.
C:\> netsh interface ipv6 isatap set router 2.1.1.1

# Check ISATAP interface information on the host.


C:\>ipv6 if
Interface 2: Automatic Tunneling Pseudo-Interface
Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
routing preference 1
EUI-64 embedded IPv4 address: 2.1.1.2
router link-layer address: 2.1.1.1
preferred global 2001::5efe:2.1.1.2, life 29d23h59m50s/6d23h59m50s (public)
preferred link-local fe80::5efe:2.1.1.2, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 64
reachable time 16500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
default site prefix length 48

The preceding information shows that the host obtains the prefix 2001::/64 and generates the
address 2001::5efe:2.1.1.2, router discovery has been enabled, and the ISATAP tunnel has
been set up successfully.
- When the ISATAP host runs the Windows 7 operating system, perform the following operations:
# Run the following command to add a static route to the border router. IPv6 is installed
by default in the Windows 7 operating system.
C:\> netsh interface ipv6 isatap set router 2.1.1.1
C:\> netsh interface ipv6 isatap set router 2.1.1.1 enabled

# Check ISATAP interface information on the host.


C:\>ipconfig/all
Tunnel adapter Automatic Tunneling Pseudo-Interface isatap.
{895CA398-8C4F-4332-9558-642844FCB01B}:
Connection-specific DNS Suffix . . . . . . . :
Description . . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
Dhcp Enabled . . . . . . . . . . . :No
Automatic configuration. . . . . . . . . . : YES
IP Address . . . . . . . . . . . . : 2001::200:5efe:2.1.1.2
IP Address. . . . . . . . : fe80::200:5efe:2.1.1.2%30
Default Gateway. . . . . . . . . . . . . : fe80::5efe:2.1.1.1%30
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip . . . . . . . : Disabled

The preceding information shows that the host obtains the prefix 2001::/64 and generates the
address 2001::200:5efe:2.1.1.2, and the ISATAP tunnel has been set up successfully.
Step 3 Configure the IPv6 host.
# Configure a static route to the border router tunnel on the IPv6 host so that PCs on two different
networks can communicate through the ISATAP tunnel.
C:\> netsh interface ipv6 set route 2001::/64 3001::1

Step 4 Verify the configuration.


# View the IPv6 status of Tunnel0/0/2 on the ISATAP router. You can see that the tunnel status
is Up.
[Router] display ipv6 interface Tunnel 0/0/2
Tunnel0/0/2 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::5EFE:201:101
Global unicast address(es):
2001::5EFE:201:101, subnet is 2001::/64
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses

# Ping the global unicast address of the tunnel interface on the ISATAP host running Windows
XP operating system from the ISATAP router.
[Router] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=2 hop limit=64 time = 3 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- 2001::5efe:2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms

# Ping the global unicast address of the ISATAP router from the ISATAP host running Windows
XP operating system.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Ping the IPv6 host from the ISATAP host running Windows XP operating system. They can
ping each other.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Ping statistics for 3001::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----End

Configuration Files
Configuration file of the ISATAP router
#
sysname Router
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.0.0.0
#
interface Tunnel0/0/2
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source GigabitEthernet2/0/0
#
return
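
The automatic, 6to4 and ISATAP examples above all derive the tunnel's IPv6 address from the IPv4 address of the tunnel source interface. The following Python code is an added example, not Huawei code: it extracts the embedded IPv4 address from each address format used on this page, audits the configured tunnel addresses against their source interfaces, and applies the inner/outer source consistency check that RFC 3964 recommends for 6to4 routers to decapsulated packets. The function names, the mismatch row and the sample packets are constructed for illustration.

```python
import ipaddress

# ISATAP interface identifiers: 0000:5EFE (the page's router and Windows XP host)
# or 0200:5EFE (the page's Windows 7 host), followed by the 32-bit IPv4 address.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def embedded_ipv4(addr):
    """Return (kind, IPv4Address) for a tunnel-derived IPv6 address, else (None, None)."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a.sixtofour is not None:                   # 2002:V4ADDR::/48
        return "6to4", a.sixtofour
    if (n >> 32) & 0xFFFFFFFF in ISATAP_IIDS:     # prefix:[0200:]5EFE:V4ADDR
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0 and n > 1:                    # ::V4ADDR, excluding :: and ::1
        return "ipv4-compatible", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None, None


def audit_tunnel(tunnel_ipv6, source_ipv4):
    """Check that a tunnel interface address embeds its source interface's IPv4 address."""
    kind, v4 = embedded_ipv4(tunnel_ipv6.split("/")[0])
    return kind, v4 == ipaddress.IPv4Address(source_ipv4)


def inner_source_findings(outer_src_ipv4, inner_src_ipv6):
    """Findings for one decapsulated packet (outer IPv4 source, inner IPv6 source)."""
    kind, v4 = embedded_ipv4(inner_src_ipv6)
    findings = []
    if kind is None:
        return findings  # native IPv6 source, e.g. traffic arriving through a relay
    if v4 != ipaddress.IPv4Address(outer_src_ipv4):
        findings.append("embedded %s does not match outer source %s" % (v4, outer_src_ipv4))
    if v4.is_private or v4.is_multicast or v4.is_loopback or v4.is_unspecified:
        findings.append("embedded %s is not a public unicast address" % v4)
    return findings


# Tunnel and source-interface addresses from the page's examples, plus one
# constructed mismatch (last row) to show a failing audit.
CONFIGURED = [
    ("RouterA automatic tunnel", "::2.1.1.1/96", "2.1.1.1"),
    ("RouterA 6to4 tunnel", "2002:201:101::1/64", "2.1.1.1"),
    ("RouterB 6to4 tunnel", "2002:201:102::1/64", "2.1.1.2"),
    ("ISATAP router tunnel", "2001::5EFE:201:101/64", "2.1.1.1"),
    ("constructed mismatch", "2002:201:101::1/64", "2.1.1.2"),
]

if __name__ == "__main__":
    for name, v6, v4 in CONFIGURED:
        print(name, audit_tunnel(v6, v4))
    # Constructed packets: (outer IPv4 source, inner IPv6 source)
    for outer, inner in [("2.1.1.2", "2001::200:5efe:2.1.1.2"),
                         ("2.1.1.2", "2002:201:101:1::2"),
                         ("2.1.1.1", "2002:a01:101::1")]:
        print(outer, inner, inner_source_findings(outer, inner))
```
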

12 IPv4 over IPv6 Tunnel Configuration

About This Chapter


During the later stage of IPv4 to IPv6 transition, the IPv4 over IPv6 tunnel is used to connect
isolated IPv4 sites.
12.1 IPv4 over IPv6 Overview
You can create a tunnel on an IPv6 network to connect isolated IPv4 sites so that isolated IPv4
sites can access other IPv4 networks through the IPv6 public network.
12.2 Configuring an IPv4 over IPv6 Tunnel
To establish IPv4 over IPv6 tunnels, you need to enable the IPv4/IPv6 dual stack on border
devices to forward IPv4 packets with the IPv6 header.
12.3 Maintaining the IPv4 over IPv6 Tunnel
Maintaining the IPv4 over IPv6 tunnel includes monitoring the running status of the IPv4 over
IPv6 tunnel.
12.4 Configuration Examples
This section provides configuration examples of the IPv4 over IPv6 tunnel.

12.1 IPv4 over IPv6 Overview


You can create a tunnel on an IPv6 network to connect isolated IPv4 sites so that isolated IPv4
sites can access other IPv4 networks through the IPv6 public network.
During the later stage of IPv4 to IPv6 transition, a large number of IPv6 networks have been
deployed and isolated IPv4 sites may exist. You can create a tunnel on an IPv6 network to connect
isolated IPv4 sites, which is similar to deploying the VPN on the IP network using tunnel
technology. The tunnel connecting IPv4 isolated sites on the IPv6 network is called an IPv4 over
IPv6 tunnel.
Figure 12-1 shows how to apply the IPv4 over IPv6 tunnel.
Figure 12-1 Networking diagram for applying the IPv4 over IPv6 tunnel
[Figure: IPv4 hosts on two IPv4 networks, each behind a dual-stack router; the two dual-stack routers are joined by an IPv4 over IPv6 tunnel across the IPv6 network. The packet is IPv4 header + IPv4 payload on the IPv4 networks and IPv6 header + IPv4 header + IPv4 payload inside the tunnel.]

1. On the border device, the IPv4/IPv6 dual protocol stack is enabled and the IPv4 over IPv6
tunnel is configured.
2. After the border device receives a packet not destined for the device from the IPv4 network,
the device appends an IPv6 header to the IPv4 packet and encapsulates the IPv4 packet as
an IPv6 packet.
3. On the IPv6 network, the encapsulated packet is transmitted to the remote border device.
4. The remote border device decapsulates the packet, removes the IPv6 header, and sends the
decapsulated IPv4 packet to the IPv4 network.

12.2 Configuring an IPv4 over IPv6 Tunnel


To establish IPv4 over IPv6 tunnels, you need to enable the IPv4/IPv6 dual stack on border
devices to forward IPv4 packets with the IPv6 header.

Pre-configuration Tasks
Before configuring an IPv4 over IPv6 tunnel, complete the following task:
11.3.1 Configuring the IPv4/IPv6 Dual Stack

12.2.1 Configuring a Tunnel Interface


Context
Configuring a tunnel interface includes configuring the protocol type, source address,
destination address, and IP address.
NOTE

The device does not support fragmentation of packets that are transmitted over the IPv4 over IPv6 tunnel.
Therefore, the IPv4 MTU of the tunnel interface must meet the following condition:
IPv4 MTU of the tunnel interface < (IPv6 MTU of the physical interface - Header length of IPv6 packets on the IPv4 over IPv6 tunnel)

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv4-ipv6

The tunnel type is set to IPv4 over IPv6.


Step 4 Run:
source { source-ip-address | interface-type interface-number }

A source IPv6 address or source interface is configured.


Step 5 Run:
destination dest-ip-address

The destination address is configured.


Step 6 Run the following commands as required.
- Run:
ip address ip-address { mask | mask-length } [ sub ]

An IPv4 address is configured for the tunnel interface.

- Run:
ip address unnumbered interface interface-type interface-number

The tunnel interface is configured to borrow an IPv4 address.


----End

12.2.2 Configuring a Tunnel Route


Context
Packets can be forwarded correctly only when devices at the two ends of a tunnel are configured
with forwarding routes. Perform the following configurations on devices at the two ends of the
tunnel.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Use either of the following methods to configure routes passing through a tunnel interface.
- Run:
ip route-static ip-address { mask | mask-length } tunnel interface-number

A static route is configured.

The static route must be configured on both ends of the tunnel. The destination address is
the destination IPv4 address of the packets that are not encapsulated into IPv6 packets, and
the next hop is the local tunnel interface.
- Configure a dynamic route. Dynamic routes can be configured using IGP (excluding IS-IS)
or BGP. The configuration method is not described here.
When configuring a dynamic routing protocol, enable the protocol on the tunnel interface
and the interface on the link connecting the IPv4 network and IPv6 network.
----End

12.2.3 Performing Other IPv4 over IPv6 Tunnel Configurations


Context
You can perform one or more of the following configurations to optimize IPv4 over IPv6 tunnel
performance.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

The tunnel interface view is displayed.


Step 3 Run:
tunnel ipv4-ipv6 encapsulation-limit encapsulation-limit

The maximum encapsulation count of an IPv6 packet is specified.


By default, an IPv4-over-IPv6 packet can be encapsulated four times.


Step 4 Run:
tunnel ipv4-ipv6 flow-label label-value

The flow label value is set.


By default, the flow label value is 0.
Step 5 Run:
tunnel ipv4-ipv6 hop-limit hop-limit

The maximum number of hops is set.


By default, the maximum number of hops is 64.
Step 6 Run:
tunnel ipv4-ipv6 traffic-class { original | class-value }

The traffic class is set.


By default, the traffic class is 0.
----End
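
Steps 2 to 4 of the overview in 12.1, the MTU condition in 12.2.1 and the header parameters in 12.2.3 can be seen together in the following Python code. It is an added example, not Huawei code: it builds the outer IPv6 header with the page's default traffic class, flow label and hop limit, strips it again with validation, and checks the MTU condition. Assumptions: the encapsulation limit is carried in an RFC 2473 Destination Options header (the page does not say how the device encodes it), and the addresses and the inner packet are constructed sample values.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_IPV4 = 4          # Next Header value for an encapsulated IPv4 packet
NH_DSTOPTS = 60      # Destination Options extension header
ENCAP_LIMIT_OPT = 4  # RFC 2473 Tunnel Encapsulation Limit option type


def sample_ipv4_packet(payload=b"constructed test payload"):
    """Constructed inner packet: 20-byte IPv4 header (checksum left 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address("10.1.2.1").packed,
                         ipaddress.IPv4Address("10.1.3.2").packed)
    return header + payload


def encapsulate(ipv4_packet, src6, dst6, traffic_class=0, flow_label=0,
                hop_limit=64, encap_limit=None):
    """Step 2 of the overview: put an IPv6 header in front of the IPv4 packet."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    payload, next_header = ipv4_packet, NH_IPV4
    if encap_limit is not None:
        # Assumption: RFC 2473 layout, an 8-byte Destination Options header
        # (option 4, length 1, limit value, then a PadN option).
        payload = struct.pack("!8B", NH_IPV4, 0, ENCAP_LIMIT_OPT, 1,
                              encap_limit, 1, 1, 0) + payload
        next_header = NH_DSTOPTS
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    return header + payload


def decapsulate(packet):
    """Step 4 of the overview: validate and strip the IPv6 header."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("outer packet is not IPv6")
    payload = packet[IPV6_HDR_LEN:]
    if len(payload) != payload_len:
        raise ValueError("payload length does not match the IPv6 header")
    encap_limit = None
    if next_header == NH_DSTOPTS:
        if len(payload) < 8:
            raise ValueError("truncated destination options header")
        next_header, ext_len, opt_type, opt_len, value = struct.unpack("!5B", payload[:5])
        if opt_type == ENCAP_LIMIT_OPT and opt_len == 1:
            encap_limit = value
        payload = payload[(ext_len + 1) * 8:]
    if next_header != NH_IPV4 or len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {"traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF,
            "hop_limit": hop_limit,
            "encap_limit": encap_limit,
            "inner": payload}


def mtu_ok(tunnel_ipv4_mtu, ipv6_link_mtu, with_encap_limit=False):
    """The NOTE in 12.2.1: tunnel IPv4 MTU < IPv6 MTU - outer header length."""
    overhead = IPV6_HDR_LEN + (8 if with_encap_limit else 0)
    return tunnel_ipv4_mtu < ipv6_link_mtu - overhead


if __name__ == "__main__":
    inner = sample_ipv4_packet()
    # Constructed tunnel endpoints; encap_limit=4 is the default stated in 12.2.3.
    outer = encapsulate(inner, "2001::1", "2002::1", encap_limit=4)
    print(len(inner), len(outer), decapsulate(outer)["encap_limit"])
    print(mtu_ok(1500, 1500), mtu_ok(1451, 1500, with_encap_limit=True))
```
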

12.2.4 Checking the Configuration


Prerequisites
All configurations of the IPv4 over IPv6 tunnel are complete.

Procedure
- Run the display interface tunnel [ interface-number ] command to check the running status
of the tunnel interface.
- Run the display ip routing-table command to check the routing table.

----End

12.3 Maintaining the IPv4 over IPv6 Tunnel


Maintaining the IPv4 over IPv6 tunnel includes monitoring the running status of the IPv4 over
IPv6 tunnel.

12.3.1 Monitoring the Running Status of the IPv4 over IPv6 Tunnel
Context
In routine maintenance, you can run the following commands in any view to monitor the running
status of the IPv4 over IPv6 tunnel.

Procedure
• Run the display interface tunnel [ interface-number ] command in any view to view the
  running status of the tunnel interface.
• Run the display interface tunnel interface-number command in any view to view IPv4
  attributes of the tunnel interface.

----End

12.4 Configuration Examples


This section provides configuration examples of the IPv4 over IPv6 tunnel.

12.4.1 Example for Configuring an IPv4 over IPv6 Tunnel


Networking Requirements
As shown in Figure 12-2, two IPv4 networks are connected to an IPv6 network through RT1
and RT5. Border devices RT2 and RT4 on the IPv6 network support the IPv4/IPv6 dual stack.
An IPv4 over IPv6 tunnel needs to be set up between RT2 and RT4 so that physically isolated
IPv4 networks can communicate.
Figure 12-2 Networking diagram for configuring an IPv4 over IPv6 tunnel
[Figure: IPv4 network -- RT1 -- RT2 -- RT3 (IPv6 network) -- RT4 -- RT5 -- IPv4 network]
RT1: GE1/0/0 10.1.2.2/30
RT2: GE1/0/0 10.1.2.1/30, GE2/0/0 2001::1/64
RT3: GE1/0/0 2001::2/64, GE2/0/0 2002::1/64
RT4: GE1/0/0 2002::2/64, GE2/0/0 10.1.3.1/30
RT5: GE1/0/0 10.1.3.2/30

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6 network.
2. Use a dynamic routing protocol to configure a route for the tunnel interface to forward
   packets.

Configuration Procedures
1. Configure an IPv6 address for the physical interface and enable IPv6 capability for IS-IS
   on the IPv6 network to implement IP connectivity of the IPv6 network.
# Configure RT2.
<Huawei> system-view
[Huawei] sysname RT2
[RT2] ipv6
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] ipv6 enable
[RT2-GigabitEthernet2/0/0] ipv6 address 2001::1 64
[RT2-GigabitEthernet2/0/0] quit
[RT2] isis 1
[RT2-isis-1] network-entity 10.0000.0000.0001.00
[RT2-isis-1] ipv6 enable topology standard
[RT2-isis-1] quit
[RT2] interface gigabitethernet 2/0/0
[RT2-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT2-GigabitEthernet2/0/0] quit

# Configure RT3.
<Huawei> system-view
[Huawei] sysname RT3
[RT3] ipv6
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] ipv6 enable
[RT3-GigabitEthernet1/0/0] ipv6 address 2001::2 64
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] ipv6 enable
[RT3-GigabitEthernet2/0/0] ipv6 address 2002::1 64
[RT3-GigabitEthernet2/0/0] quit
[RT3] isis 1
[RT3-isis-1] network-entity 10.0000.0000.0002.00
[RT3-isis-1] ipv6 enable topology standard
[RT3-isis-1] quit
[RT3] interface gigabitethernet 1/0/0
[RT3-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet1/0/0] quit
[RT3] interface gigabitethernet 2/0/0
[RT3-GigabitEthernet2/0/0] isis ipv6 enable 1
[RT3-GigabitEthernet2/0/0] quit

# Configure RT4.
<Huawei> system-view
[Huawei] sysname RT4
[RT4] ipv6
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] ipv6 enable
[RT4-GigabitEthernet1/0/0] ipv6 address 2002::2 64
[RT4-GigabitEthernet1/0/0] quit
[RT4] isis 1
[RT4-isis-1] network-entity 10.0000.0000.0003.00
[RT4-isis-1] ipv6 enable topology standard
[RT4-isis-1] quit
[RT4] interface gigabitethernet 1/0/0
[RT4-GigabitEthernet1/0/0] isis ipv6 enable 1
[RT4-GigabitEthernet1/0/0] quit

2. Configure an IPv4 address for the physical interface and configure OSPF on the IPv4
   network to implement IP connectivity of the IPv4 network.
# Configure RT1.
<Huawei> system-view
[Huawei] sysname RT1
[RT1] interface gigabitethernet 1/0/0
[RT1-GigabitEthernet1/0/0] ip address 10.1.2.2 30
[RT1-GigabitEthernet1/0/0] quit
[RT1] ospf 1
[RT1-ospf-1] area 0
[RT1-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure RT2.
[RT2] interface gigabitethernet 1/0/0
[RT2-GigabitEthernet1/0/0] ip address 10.1.2.1 30
[RT2-GigabitEthernet1/0/0] quit
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.3

# Configure RT4.
[RT4] interface gigabitethernet 2/0/0
[RT4-GigabitEthernet2/0/0] ip address 10.1.3.1 30
[RT4-GigabitEthernet2/0/0] quit
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

# Configure RT5.
<Huawei> system-view
[Huawei] sysname RT5
[RT5] interface gigabitethernet 1/0/0
[RT5-GigabitEthernet1/0/0] ip address 10.1.3.2 30
[RT5-GigabitEthernet1/0/0] quit
[RT5] ospf 1
[RT5-ospf-1] area 0
[RT5-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.3

3. Configure a tunnel interface.

# Create a tunnel interface, and configure an IPv4 address, a source IPv6 address (or source
interface), and a destination IPv6 address for the tunnel interface.
# Configure RT2.
[RT2] interface tunnel 0/0/2
[RT2-Tunnel0/0/2] tunnel-protocol ipv4-ipv6
[RT2-Tunnel0/0/2] ip address 10.1.1.1 30
[RT2-Tunnel0/0/2] source gigabitethernet 2/0/0
[RT2-Tunnel0/0/2] destination 2002::2

# Configure RT4.
[RT4] interface tunnel 0/0/1
[RT4-Tunnel0/0/1] tunnel-protocol ipv4-ipv6
[RT4-Tunnel0/0/1] ip address 10.1.1.2 30
[RT4-Tunnel0/0/1] source gigabitethernet 1/0/0
[RT4-Tunnel0/0/1] destination 2001::1

4. Use a dynamic routing protocol to configure a route for the tunnel interface to forward
   packets.
# Configure RT2.
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[RT2-ospf-1-area-0.0.0.0] quit
[RT2-ospf-1] quit

# Configure RT4.
[RT4] ospf 1
[RT4-ospf-1] area 0
[RT4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3

5. Verify the configuration.

After the preceding configurations are complete, check the tunnel interface status on RT2
and RT4. You can see that the protocol status of the tunnel interface is Up.
[RT2] display interface tunnel 0/0/2
Tunnel0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time: 2010-06-22, 19:33:19
Description : HUAWEI, AR Series, Tunnel0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (GigabitEthernet2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
Current system time: 2012-09-05 10:28:33
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
102 seconds input rate 0 bits/sec, 0 packets/sec
102 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : --
Output bandwidth utilization : --

Check the IPv4 routing table on RT2 and RT4. You can see that the outbound interface of
the route to the remote IPv4 network is a tunnel interface.
[RT2] display ip routing-table
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost  NextHop     Interface

1.1.1.1/32          Direct  0    0     127.0.0.1   InLoopBack0
10.1.1.0/30         Direct  0    0     10.1.1.1    Tunnel0/0/2
10.1.1.1/32         Direct  0    0     127.0.0.1   Tunnel2/0/0
10.1.2.0/30         Direct  0    0     10.1.2.1    GigabitEthernet1/0/0
10.1.2.1/32         Direct  0    0     127.0.0.1   GigabitEthernet1/0/0
10.1.2.2/32         Direct  0    0     10.1.2.2    GigabitEthernet1/0/0
10.1.3.0/24         OSPF    10   2     10.1.1.2    Tunnel0/0/2
127.0.0.0/8         Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32        Direct  0    0     127.0.0.1   InLoopBack0

RT1 and RT5 can ping each other.

Configuration Files
Configuration file of RT1


#
 sysname RT1
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
#
return

Configuration file of RT2


#
 sysname RT2
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0001.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.1 255.255.255.252
#
interface GigabitEthernet2/0/0
 ipv6 enable
 ipv6 address 2001::1/64
 isis ipv6 enable 1
#
interface Tunnel0/0/2
 ip address 10.1.1.1 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet2/0/0
 destination 2002::2
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
  network 10.1.1.0 0.0.0.3
#
return

Configuration file of RT3


#
 sysname RT3
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0002.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2001::2/64
 isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
 ipv6 enable
 ipv6 address 2002::1/64
 isis ipv6 enable 1
#
return

Configuration file of RT4


#
 sysname RT4
#
ipv6
#
isis 1
 network-entity 10.0000.0000.0003.00
 #
 ipv6 enable topology standard
 #
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2002::2/64
 isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
 ip address 10.1.3.1 255.255.255.252
#
interface Tunnel0/0/1
 ip address 10.1.1.2 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet1/0/0
 destination 2001::1
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.1.3.0 0.0.0.3
#
return

Configuration file of RT5


#
 sysname RT5
#
interface GigabitEthernet1/0/0
 ip address 10.1.3.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.3
#
return
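
The tunnel in this example only comes up when each end's destination is the other end's source address and both tunnel interfaces sit in the same IPv4 subnet. The following Python check of that symmetry is an added example, not part of the Huawei guide; it runs over the tunnel-related stanzas of the RT2 and RT4 configuration files, and the function names (stanzas, endpoint, check_pair) are assumptions of this example.

```python
import ipaddress
# Tunnel-related stanzas of the RT2 and RT4 configuration files (sample input).
RT2_CFG = """\
interface GigabitEthernet2/0/0
 ipv6 address 2001::1/64
#
interface Tunnel0/0/2
 ip address 10.1.1.1 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet2/0/0
 destination 2002::2"""
RT4_CFG = """\
interface GigabitEthernet1/0/0
 ipv6 address 2002::2/64
#
interface Tunnel0/0/1
 ip address 10.1.1.2 255.255.255.252
 tunnel-protocol ipv4-ipv6
 source GigabitEthernet1/0/0
 destination 2001::1"""

def stanzas(cfg):
    """Map each interface name to the commands indented under it."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            cur.append(line.split())
        else:  # an unindented line ends the stanza; "interface X" opens a new one
            cur = out.setdefault(line.split()[1], []) if line.startswith("interface ") else None
    return out

def endpoint(cfg):
    """Return (tunnel IPv4 interface, IPv6 source, IPv6 destination) of the ipv4-ipv6 tunnel."""
    ifs = stanzas(cfg)
    tun = next(c for c in ifs.values() if ["tunnel-protocol", "ipv4-ipv6"] in c)
    arg = {c[0]: c[1:] for c in tun}
    src = arg["source"][0]
    if src in ifs:  # source given as an interface name: resolve it to that interface's address
        src = next(c[2] for c in ifs[src] if c[:2] == ["ipv6", "address"]).split("/")[0]
    return (ipaddress.ip_interface("/".join(arg["ip"][1:3])),
            ipaddress.ip_address(src), ipaddress.ip_address(arg["destination"][0]))

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two tunnel ends (an empty list means consistent)."""
    (v4a, sa, da), (v4b, sb, db) = endpoint(cfg_a), endpoint(cfg_b)
    checks = [(da == sb, f"A destination {da} is not B source {sb}"),
              (db == sa, f"B destination {db} is not A source {sa}"),
              (v4a.network == v4b.network and v4a.ip != v4b.ip, f"tunnel IPv4 {v4a} and {v4b} do not pair up")]
    return [msg for ok, msg in checks if not ok]
```

Calling check_pair(RT2_CFG, RT4_CFG) returns an empty list for the configuration files above; pointing either destination at the wrong address returns the mismatch as text.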
