V200R002C00
Issue 02
Date 2012-03-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the IP service feature supported by the
AR150/200.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
2 IP Address Configuration
2.1 IP Address Overview
2.2 IP Addresses Supported by the AR150/200
2.3 Configuring IP Addresses for an Interface
2.3.1 Establishing the Configuration Task
2.3.2 Configuring a Primary IP Address for an Interface
2.3.3 (Optional) Configuring a Secondary IP Address for an Interface
2.3.4 Checking the Configuration
2.4 Configuring IP Address Unnumbered on an Interface
2.4.1 Establishing the Configuration Task
2.4.2 Configuring a Primary IP Address for the Interface from Which an IP Address Will Be Borrowed
2.4.3 Configuring IP Address Unnumbered on an Interface
2.4.4 Checking the Configuration
2.5 Configuration Examples
2.5.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
2.5.2 Example for Configuring IP Address Unnumbered on an Interface
4 DNS Configuration
4.1 DNS Overview
4.2 DNS Features Supported by the AR150/200
4.3 Configuring a DNS Client
4.3.1 Establishing the Configuration Task
4.3.2 Configuring Static DNS
4.3.3 Configuring Dynamic DNS
4.3.4 Checking the Configuration
4.4 Configuring DNS Proxy or Relay
4.4.1 Establishing the Configuration Task
4.4.2 Configuring a DNS Server
4.4.3 (Optional) Configuring DNS Spoofing
4.4.4 (Optional) Setting the Aging Time of DNS Entries
5 NAT Configuration
5.1 NAT Overview
5.2 NAT Features Supported by the AR150/200
5.3 Configuring NAT
5.3.1 Establishing the Configuration Task
5.3.2 Configuring an Address Pool
5.3.3 Associating an ACL with an Address Pool
5.3.4 Configuring Easy IP
5.3.5 Configuring an Internal Server
5.3.6 Configuring Static NAT
5.3.7 Enabling NAT ALG
5.3.8 Configuring NAT Filtering
5.3.9 Configuring NAT Mapping
5.3.10 Configuring DNS Mapping
5.3.11 Configuring Twice NAT
5.3.12 Checking the Configuration
5.4 Configuration Examples
5.4.1 Example for Configuring the NAT Server
5.4.2 Example for Configuring Outbound NAT
5.4.3 Example for Configuring Twice NAT
6 DHCP Configuration
6.1 DHCP Overview
6.2 DHCP Features Supported by the AR150/200
6.3 Configuring a DHCP Server Based on a Global Address Pool
6.3.1 Establishing the Configuration Task
6.3.2 Configuring an Interface to Select a Global Address Pool for IP Address Allocation
6.3.3 Configuring Global Address Pool Attributes
6.3.4 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
6.3.5 (Optional) Configuring the Static DNS Service on a DHCP Client
6.3.6 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
6.3.7 (Optional) Configuring User-Defined DHCP Options of the Global Address Pool
6.3.8 (Optional) Configuring the Function That Prevents Identical IP Addresses
6.3.9 Checking the Configuration
6.4 Configuring a DHCP Server Based on an Interface Address Pool
6.4.1 Establishing the Configuration Task
6.4.2 Configuring Interface Address Pool Attributes
6.4.3 (Optional) Configuring the DNS Service and NetBIOS Service Dynamically on the DHCP Client
6.4.4 (Optional) Configuring the Static DNS Service on a DHCP Client
6.4.5 (Optional) Configuring the Static NetBIOS Service on a DHCP Client
6.4.6 (Optional) Configuring User-Defined DHCP Options of the Interface Address Pool
6.4.7 (Optional) Configuring the Function That Prevents Identical IP Addresses
6.4.8 Checking the Configuration
6.5 Configuring a DHCP Relay Agent
6.5.1 Establishing the Configuration Task
6.5.2 Configuring an Interface to Function as a DHCP Relay Agent
6.5.3 Specifying a Server Group on the DHCP Relay Agent
6.5.4 Binding a DHCP Server Group to a DHCP Relay Interface
6.5.5 (Optional) Configuring the DHCP Relay Agent to Instruct the DHCP Server to Reclaim the Client IP address
6.5.6 Checking the Configuration
6.6 Configuring a DHCP/BOOTP Client
6.6.1 Establishing the Configuration Task
6.6.2 (Optional) Configuring the DHCP/BOOTP Client Attributes
6.6.3 Enabling the DHCP/BOOTP Client
6.6.4 Checking the Configuration
6.7 Configuring the DHCP Rate Limit Function
6.8 Maintaining DHCP
6.8.1 Clearing DHCP Statistics
6.8.2 Monitoring the Operating Status of DHCP
6.9 Configuration Examples
6.9.1 Example for Configuring a DHCP Server Based on a Global Address Pool in the Scenario Where DHCP Clients and the DHCP Server Are on the Same Network Segment
6.9.2 Example for Configuring a DHCP Server Based on an Interface Address Pool in the Scenario Where DHCP Clients and the Server Are on the Same Network Segment
6.9.3 Example for Configuring a DHCP Server and a DHCP Relay Agent When the DHCP Server and Clients Are on Different Network Segments
6.9.4 Example for Configuring the DHCP and BOOTP Clients
6.9.5 Example for Configuring DHCP Rate Limit
7 IP Performance Configuration
1 ARP Configuration
ARP maps IP addresses to MAC addresses so that Ethernet frames can be transmitted.
1.1 ARP Overview
ARP dynamically maps Layer 3 IP addresses to Layer 2 MAC addresses. An Ethernet device
must support ARP.
1.2 ARP Features Supported by the AR150/200
This section describes the ARP features supported by the AR150/200.
1.3 Configuring Static ARP
Static ARP entries record fixed mappings between IP addresses and MAC addresses. They are
configured manually by network administrators.
1.4 Optimizing Dynamic ARP
If dynamic ARP is configured, the system resolves an IP address into an Ethernet MAC address.
Dynamic ARP entries are maintained dynamically by the ARP protocol. You can adjust
parameters of dynamic ARP entries such as the number of ARP probes and the aging time of
dynamic ARP entries to optimize forwarding performance of the AR150/200.
1.5 Configuring Routed Proxy ARP
Routed proxy ARP implements communication between devices on the same network segment
but on different physical networks.
1.6 Configuring Intra-VLAN Proxy ARP
Intra-VLAN proxy ARP enables hosts that are isolated at Layer 2 in a VLAN to communicate
with each other.
1.7 Configuring Inter-VLAN Proxy ARP
Inter-VLAN proxy ARP enables hosts in different sub-VLANs of a super-VLAN to
communicate with each other.
1.8 Configuring ARP-Ping IP
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.
1.9 Configuring ARP-Ping MAC
ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control
Message Protocol (ICMP) packets.
On a LAN, a host or a network device must know the IP address of another host or network
device to send data to it. In addition, the physical address of the destination device must also be
known because IP packets are encapsulated in frames for transmission across a physical network.
Therefore, the mapping from an IP address to a physical address is required. ARP maps IP
addresses to physical addresses.
The AR150/200 supports dynamic ARP, static ARP, proxy ARP, and ARPing.
ARP
ARP is classified into the following types:
• Static ARP: Mappings between IP addresses and MAC addresses are configured manually.
• Dynamic ARP: Dynamic ARP entries are maintained by the ARP protocol.
Proxy ARP
The AR150/200 supports the following types of proxy ARP:
• Routed proxy ARP
Routed proxy ARP implements communication between devices on the same network
segment but on different physical networks.
If a device connected to the AR150/200 is not configured with a default gateway address
(that is, the device does not know how to reach the intermediate system of the network),
the device cannot forward data packets.
Routed proxy ARP solves this problem. A device sends an ARP Request packet to request
the MAC address of the destination host. After receiving the packet, the AR150/200 enabled
with proxy ARP replies with its own MAC address. The AR150/200 then functions as the
gateway to route packets to the actual destination.
Proxy ARP can also shield topologies of physical networks so that internal hosts of Ethernet
A and Ethernet B on different physical networks but on the same network segment can
communicate.
• Intra-VLAN proxy ARP
If two users belong to the same VLAN but port isolation is configured in the VLAN, to
enable the two users to communicate, you must enable intra-VLAN proxy ARP on an
interface associated with the VLAN.
If an interface on the AR150/200 is enabled with intra-VLAN proxy ARP, it does not
discard the ARP request packet that is destined for another interface. Instead, it searches
for the corresponding ARP entry of the interface. If the ARP entry is found, the interface
sends the MAC address of the AR150/200 to the sender of the ARP request.
Proxy ARP within a VLAN implements the interworking between isolated users in the
same VLAN.
• Inter-VLAN proxy ARP
If two users belong to different VLANs, to implement communication between the two
users, you must enable inter-VLAN proxy ARP on an interface associated with the VLANs.
If an interface on the AR150/200 is enabled with inter-VLAN proxy ARP, it does not
discard the ARP request packet that is destined for another interface. Instead, it searches
for the corresponding ARP entry of the interface. If the ARP entry is found, the interface
sends the MAC address of the AR150/200 to the sender of the ARP request.
Inter-VLAN proxy ARP implements the following functions:
– Layer 3 communication between users in different VLANs
– Communication between users in sub-VLANs (you must enable inter-VLAN proxy
ARP on the VLANIF interface corresponding to the super-VLAN)
ARPing
ARPing is classified into ARP-Ping IP and ARP-Ping MAC. ARPing facilitates maintenance of
deployed Layer 2 features.
ARP-Ping MAC checks whether a MAC address on a LAN is in use by sending Internet Control
Message Protocol (ICMP) packets.
Applicable Environment
Static ARP entries ensure communication between the local device and another specified device.
They use the specified MAC address to keep attackers from modifying mappings between IP
addresses and MAC addresses in static ARP entries.
When static ARP and the Virtual Router Redundancy Protocol (VRRP) are configured on the
router, the IP address in a static ARP entry cannot be set to the VRRP virtual IP address on a
sub-interface for dot1q VLAN tag termination, a sub-interface for VLAN tag termination, or a
VLANIF interface. Otherwise, an incorrect host route is generated, causing forwarding errors.
Pre-configuration Tasks
Before configuring static ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
• Setting network layer protocol parameters for the interfaces to ensure that the routing
protocol status on the interfaces is Up
Data Preparation
To configure static ARP, you need the following data.
No. Data
2 Name of the VPN instance and ID of the VLAN that a static ARP entry
belongs to
Context
NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.
Procedure
Step 1 Run:
system-view
Step 2 Run:
arp static ip-address mac-address
----End
Context
NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
To configure static ARP entries for double-tagged packets, run the arp static cevid command.
Procedure
Step 1 Run:
system-view
----End
Procedure
• Run the display arp [ all ] command to check all ARP entries, including static ARP entries
and dynamic ARP entries.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check
ARP entries on the specified network segment.
• Run the display arp static command to check static ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command
to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Display all the static ARP entries.
<Huawei> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
1.1.1.1         0efc-0505-86e3            S--
                                          10/-
129.102.0.1     0e00-fc01-0000            S--
11.0.0.1        aa00-fcc0-1200            S--
                                          3/-
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3     Interface:0
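An added example, not part of the Huawei guide: a Python parser for display arp output in the layout shown above, with an audit that compares the table against a list of IP-to-MAC bindings that are supposed to be pinned with static ARP. The sample output, the PINNED bindings and the finding names are constructed for illustration; reading the first letter of TYPE as S/D/I follows the Static/Dynamic/Interface totals line, and the parser assumes TYPE always carries a suffix such as "--" or "-6".

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One table row: IP, MAC, optional EXPIRE(M), TYPE (S/D/I plus a suffix such as
# "--", "-6" or " -"), then optional INTERFACE and VPN-INSTANCE.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[SDI])\s*\S+"
    r"(?:\s+(?P<iface>\S+))?(?:\s+(?P<vpn>\S+))?\s*$"
)
# Continuation row carrying VLAN/CEVLAN for the entry above it, e.g. "10/-".
VLAN_RE = re.compile(r"^\s*(?P<vlan>\d+|-)/(?P<cevlan>\d+|-)\s*$")


@dataclass
class ArpEntry:
    ip: str
    mac: str
    expire: Optional[int]
    type: str            # "S" static, "D" dynamic, "I" interface
    iface: Optional[str]
    vpn: Optional[str]
    vlan: Optional[str] = None


def parse_display_arp(text):
    """Return the ARP entries found in 'display arp' output; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ArpEntry(
                ip=m["ip"], mac=m["mac"].lower(),
                expire=int(m["expire"]) if m["expire"] else None,
                type=m["type"], iface=m["iface"], vpn=m["vpn"]))
            continue
        v = VLAN_RE.match(line)
        if v and entries and v["vlan"] != "-":
            entries[-1].vlan = v["vlan"]
    return entries


def audit(entries, pinned):
    """Compare the table with bindings that should be pinned by static ARP."""
    findings = []
    by_ip = {e.ip: e for e in entries}
    for ip, mac in sorted(pinned.items()):
        e = by_ip.get(ip)
        if e is None:
            continue  # not in the table right now; nothing to compare
        if e.mac != mac.lower():
            findings.append(("MAC_MISMATCH", ip,
                             f"expected {mac.lower()}, table has {e.mac} (type {e.type})"))
        elif e.type != "S":
            findings.append(("NOT_STATIC", ip,
                             "MAC is correct but the entry is not static, so it can be relearned"))
    # One MAC answering for several dynamic IPs: expected behind a proxy-ARP
    # router (it replies with its own MAC), otherwise worth investigating.
    ips_by_mac = defaultdict(list)
    for e in entries:
        if e.type == "D":
            ips_by_mac[e.mac].append(e.ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("SHARED_MAC", mac, ", ".join(ips)))
    return findings


# Constructed sample in the page's output layout (not captured from a device).
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Eth1/0/0
192.168.1.1     0000-0a41-0200            S--
                                          10/-
192.168.1.20    0000-0a41-0299  15        D-6         Eth1/0/0
192.168.1.21    0000-0a41-0299  18        D-6         Eth1/0/0
192.168.1.30    0000-0a41-0230  12        D-6         Eth1/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:3       Static:1     Interface:1
"""

# Constructed list of bindings an administrator intends to pin (assumption).
PINNED = {
    "192.168.1.1": "0000-0a41-0200",
    "192.168.1.20": "0000-0a41-0220",
    "192.168.1.30": "0000-0a41-0230",
}

if __name__ == "__main__":
    for kind, subject, detail in audit(parse_display_arp(SAMPLE), PINNED):
        print(f"{kind:13} {subject:16} {detail}")
```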
Applicable Environment
Dynamic ARP entries are maintained dynamically by the ARP protocol. They can be aged out,
updated, or overridden by static ARP entries. When the aging time is reached or the interface is
Down, corresponding dynamic ARP entries are deleted.
The AR150/200 can dynamically create dynamic ARP entries. You can adjust parameters of
dynamic ARP entries to optimize forwarding performance of the AR150/200.
Pre-configuration Tasks
Before optimizing dynamic ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
• Configuring the network layer protocol on the interfaces
Data Preparation
To optimize dynamic ARP, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
arp-suppress enable
By default, ARP suppression is disabled in the system but is enabled on VLANIF interfaces.
After ARP suppression is enabled, it takes effect for only Eth-Trunk interfaces and VLANIF
interfaces.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
l2-topology detect enable
----End
Procedure
• Run the display arp [ all ] command to check all ARP entries, including static ARP entries
and dynamic ARP entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check ARP entries on the specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check
ARP entries on the specified network segment.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command
to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Eth1/0/0    r1
192.168.1.1     0000-0a41-0200  15        D-6         Eth1/0/0    r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1
Applicable Environment
If two hosts on different network segments are not configured with default gateways, you
can enable routed proxy ARP on a routing device connecting the two hosts to resolve IP
addresses between the two hosts.
Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Data Preparation
To configure routed proxy ARP, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Routed proxy ARP can be enabled on Ethernet interfaces, Ethernet sub-interfaces, VE interfaces,
Eth-Trunk interfaces, Eth-Trunk sub-interfaces, and VLANIF interfaces. The preceding
interfaces and sub-interfaces are Layer 3 interfaces and sub-interfaces.
Step 3 Run:
arp-proxy enable
----End
Procedure
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command
to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Eth1/0/0    r1
192.168.1.1     0000-0a41-0200  15        D-6         Eth1/0/0    r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -         Vlanif888
10.10.10.6      0018-2000-0083            I -         Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0     Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1 Static:0
Applicable Environment
If two users are connected to Layer 2 isolated interfaces in the same VLAN, you can enable
intra-VLAN proxy ARP to implement Layer 3 communication between the two users.
Pre-configuration Tasks
Before configuring intra-VLAN proxy ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Configuring a VLAN
• Configuring port isolation in a VLAN
Data Preparation
To configure intra-VLAN proxy ARP, you need the following data.
No. Data
3 VLAN ID associated with the interface to be enabled with proxy ARP in a VLAN
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
You must complete this task before you enable intra-VLAN proxy ARP on Ethernet sub-interfaces or
Eth-Trunk sub-interfaces. You can skip this task when you are enabling intra-VLAN proxy ARP on the
VLANIF interface.
Procedure
Step 1 Run:
system-view
Step 3 Run:
control-vid vid dot1q-termination
The control VLAN and encapsulation mode of the sub-interface are configured.
Step 4 Run:
dot1q termination vid vid
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ]
command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to
check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command
to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I -         Eth1/0/0    r1
192.168.1.1     0000-0a41-0200  15        D-6         Eth1/0/0    r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9      0018-2000-0083            I -         Vlanif888
10.10.10.6      0018-2000-0083            I -         Vlanif833
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0     Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1 Static:0
Applicable Environment
The VLAN aggregation technology isolates broadcast domains by using multiple VLANs on a
physical network so that different VLANs belong to the same subnet. This technology introduces
the super-VLAN and sub-VLAN. A super-VLAN contains one or more sub-VLANs in different
broadcast domains. A sub-VLAN does not occupy an independent subnet segment. In a super-
VLAN, IP addresses of hosts in different sub-VLANs are on the subnet segment corresponding
to the super-VLAN.
Sub-VLANs use the same Layer 3 interface to communicate. This reduces subnet IDs and subnet
default gateway addresses. The VLAN aggregation function allows different broadcast domains
to use the same subnet address, implements flexible addressing, and saves IP addresses.
Hosts in different sub-VLANs of a super-VLAN cannot communicate with each other. To enable
these hosts to communicate with each other, you can enable inter-VLAN proxy ARP on the sub-
interface or VLANIF interface corresponding to the super-VLAN.
Pre-configuration Tasks
Before configuring inter-VLAN proxy ARP, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Configuring VLAN aggregation
Data Preparation
To configure inter-VLAN proxy ARP, you need the following data.
No. Data
3 VLAN ID associated with the interface to be enabled with proxy ARP between
VLANs
Procedure
Step 1 Run:
system-view
----End
Context
NOTE
You must complete this task before you enable inter-VLAN proxy ARP on Ethernet sub-interfaces or
Eth-Trunk sub-interfaces. You can skip this task if you are enabling inter-VLAN proxy ARP on the VLANIF
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number
Step 3 Run:
control-vid vid dot1q-termination
The control VLAN and encapsulation mode of the sub-interface are configured.
Step 4 Run:
dot1q termination vid vid
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface { ethernet | eth-trunk } interface-number.sub-interface-number
Or, run:
interface vlanif vlan-id
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
----End
Procedure
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp vpn-instance vpn-instance-name [ dynamic | static ] command to check ARP entries in the specified VPN instance.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - Eth1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 Eth1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
# Run the display arp vpn-instance command, and you can view all the ARP entries in the
VPN instance r1.
<Huawei> display arp vpn-instance r1
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.10.20.9 0018-2000-0083 I - Vlanif888
10.10.10.6 0018-2000-0083 I - Vlanif833
------------------------------------------------------------------------------
Total:2 Dynamic:0 Static:0 Interface:2
# Run the display arp statistics command, and you can view the statistics on ARP entries.
<Huawei> display arp statistics all
Dynamic:1 Static:0
Applicable Environment
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets.
Before configuring an IP address for a device, ensure that this IP address is not in use by sending
ARP packets. You can configure ARP-Ping IP on the device.
Pre-configuration Tasks
Before configuring ARP-Ping IP, complete the following task:
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Data Preparation
To configure ARP-Ping IP, you need the following data.
No. Data
1 IP address to be checked
Context
ARP-Ping IP checks whether an IP address on a LAN is in use by sending ARP packets. You
can also use the ping command to check whether an IP address is in use, but the result of this
method may be inaccurate. The ping command sends ICMP Echo Request packets, which are
Layer 3 packets. If the destination host, or a routing device with the firewall function enabled, is
configured not to respond to ICMP Echo Request packets, no ICMP Echo Reply packet is
returned. Consequently, the IP address is considered unused.
ARP packets are Layer 2 protocol packets and can pass through a firewall that is configured
not to reply to ICMP Echo Request packets; therefore, the result of ARP-Ping IP is accurate.
Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number [ vlan-id vlan-id ] ]
----End
Example
• If the following information is displayed, the IP address is not used.
[Huawei] arp-ping ip 110.1.1.2
ARP-Pinging 110.1.1.2:
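The Context above explains why an ARP probe is answered even when ICMP is filtered: the frame carries no IP or ICMP header at all. The following Python sketch is an added example, not taken from the Huawei guide. It builds the broadcast ARP request for 110.1.1.2 and matches a reply to it; the prober address 110.1.1.1 and both MAC addresses are constructed values.

```python
import ipaddress
import struct
from typing import Iterable, Optional

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_DOT1Q = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    """Convert xxxx-xxxx-xxxx (the notation used in the guide) to 6 raw bytes."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, eth_dst: bytes) -> bytes:
    """Ethernet II header (14 bytes) + ARP payload for IPv4 over Ethernet (28 bytes)."""
    eth = eth_dst + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_probe(prober_mac: str, prober_ip: str, probed_ip: str) -> bytes:
    """ARP request: broadcast at Layer 2, target MAC unknown (all zeros)."""
    return build_arp(ARP_REQUEST, prober_mac, prober_ip,
                     "0000-0000-0000", probed_ip, ETH_BROADCAST)


def add_vlan_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag, as seen when the probe is sent with a VLAN ID."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_DOT1Q, vid & 0x0FFF) + frame[12:]


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_DOT1Q:  # skip one VLAN tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[offset + 8:offset + 28]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def address_in_use(probe: bytes, captured: Iterable[bytes]) -> Optional[str]:
    """Return the MAC that answered for the probed IP, or None if nobody did.

    ARP replies are unauthenticated, so the answer shows that some station
    claims the address, not that the claim is legitimate.
    """
    req = parse_arp(probe)
    if req is None or req["op"] != ARP_REQUEST:
        raise ValueError("probe is not an ARP request")
    for frame in captured:
        rep = parse_arp(frame)
        if rep and rep["op"] == ARP_REPLY and rep["sender_ip"] == req["target_ip"]:
            return rep["sender_mac"]
    return None


if __name__ == "__main__":
    PROBER_MAC, OWNER_MAC = "00e0-fc01-0001", "00e0-fc01-0002"  # constructed
    probe = build_probe(PROBER_MAC, "110.1.1.1", "110.1.1.2")
    reply = build_arp(ARP_REPLY, OWNER_MAC, "110.1.1.2",
                      PROBER_MAC, "110.1.1.1", mac_to_bytes(PROBER_MAC))
    print(len(probe), "byte probe:", probe.hex())
    print("answered by:", address_in_use(probe, [reply]))
    print("no reply   :", address_in_use(probe, []))
```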
Applicable Environment
If you know the specific MAC address but not the corresponding IP address on a network
segment, you can obtain the corresponding IP address by using ARP-Ping MAC to broadcast
ICMP packets. In this way, you can obtain the IP address mapping the MAC address on the
network segment.
Pre-configuration Tasks
Before configuring ARP-Ping MAC, complete the following task:
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Data Preparation
To configure ARP-Ping MAC, you need the following data.
No. Data
Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number }
The AR150/200 is configured to check whether the MAC address is in use on a LAN.
----End
Example
• If the following information is displayed, the MAC address is not used.
<Huawei> arp-ping mac 0013-46e7-2ef5 interface Eth-Trunk 0
OutInterface: Eth-Trunk0 MAC[00-13-46-E7-2E-F5], press CTRL_C to break
Error: Request timed out
Error: Request timed out
Error: Request timed out
Context
CAUTION
• After ARP entries are deleted, mappings between IP addresses and MAC addresses are
deleted. As a result, users may fail to access some devices. Exercise caution when you delete
ARP entries.
• Static ARP entries cannot be restored after being deleted. Exercise caution when you delete
static ARP entries.
Procedure
Step 1 Run the reset arp { all | dynamic | interface interface-type interface-number | packet
statistics | static } command in the user view to delete ARP entries.
----End
Context
To check the ARP running status during routine maintenance, run the following display
commands in any view.
Procedure
• Run the display arp [ all ] command to check all ARP entries, including static ARP entries
and dynamic ARP entries.
• Run the display arp interface interface-type interface-number [ vid vlan-id [ cevid cevlan-id ] ] command to check ARP entries on the specified interface.
• Run the display arp network net-number net-mask [ dynamic | static ] command to check
ARP entries on the specified network segment.
• Run the display arp static command to check static ARP entries.
• Run the display arp dynamic command to check dynamic ARP entries.
• Run the display arp statistics { all | interface interface-type interface-number } command
to check statistics on ARP entries on the AR150/200 or the specified interface.
----End
Example
# Run the display arp interface command, and you can view ARP entries on Eth1/0/0.
<Huawei> display arp interface ethernet 1/0/0
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I - Eth1/0/0 r1
192.168.1.1 0000-0a41-0200 15 D-6 Eth1/0/0 r1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
# Run the display arp dynamic command, and you can view all the dynamic ARP entries.
<Huawei> display arp dynamic
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.137.217.210 00e0-fc01-0203 I - Eth1/0/0
10.137.216.1 0025-9e38-a09e 20 D-0 Eth1/0/0
10.137.217.208 00e0-fc01-0205 16 D-0 Eth1/0/0
10.2.2.1 00e0-fc99-9999 I - Eth-Trunk0
10.6.3.34 00e0-fc01-0204 I - Eth2/0/0.1
192.168.20.1 00e0-fc99-9999 I - Vlanif100
10.0.0.1 00e0-fc99-9999 I - Vlanif200
------------------------------------------------------------------------------
Total:7 Dynamic:2 Static:0 Interface:5
Networking Requirements
As shown in Figure 1-1, the Router connects departments of a company and each department
joins different VLANs. Hosts in the headquarters office and the file backup server are allocated
manually configured IP addresses, and hosts in departments dynamically obtain IP addresses by
using DHCP. Hosts in the marketing department can access the Internet and are often attacked
by ARP packets. Attackers attack the Router and modify dynamic ARP entries on the Router.
As a result, communication between hosts in the headquarters office and external devices is
interrupted and hosts in departments fail to access the file backup server. The company requires
that static ARP entries be configured on the Router so that hosts in the headquarters office can
communicate with external devices and hosts in departments can access the file backup server.
[Figure 1-1: the Router connects the headquarters office with PC A (10.164.1.0/24, VLAN 10) through Ethernet0/0/0, the marketing department (10.164.2.0/24, VLAN 20) through Ethernet0/0/1, and the R&D department (10.164.3.0/24, VLAN 30) through Ethernet0/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static ARP entries for hosts in the headquarters office on the Router to prevent
ARP entries of the hosts in the headquarters office from being modified in ARP attack
packets.
2. Configure a static ARP entry for the file backup server on the Router to prevent the ARP
entry of the file backup server from being modified in ARP attack packets.
Data Preparation
To complete the configuration, you need the following data:
• Interface connecting the Router and hosts in the headquarters office: Ethernet0/0/0
• ID of the VLAN that Ethernet0/0/0 joins: VLAN 10
• IP address of VLANIF10: 10.164.1.20/24
• Network segment where the IP addresses of hosts in the headquarters office are located:
10.164.1.0/24 (PC A with IP address 10.164.1.1 is used as an example. The IP address
10.164.1.1 maps the MAC address 00e0-fc01-0001.)
• Interface connecting the Router and the file backup server: Ethernet2/0/0
• IP address of Ethernet2/0/0: 10.164.10.10/24
• IP address of the file backup server: 10.164.10.1/24 (corresponding MAC address 0df0-fc01-003a)
Procedure
Step 1 Configure static ARP entries for the host in the headquarters office on the Router.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
# Configure static ARP entries for hosts in the headquarters office. Configuring a static ARP
entry for PC A is used as an example. In the static ARP entry, the IP address of PC A, 10.164.1.1,
maps the MAC address 00e0-fc01-0001, the VLAN ID is 10, and the outbound interface is
Ethernet0/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 0/0/0
# Configure static ARP entries for other hosts in the headquarters office. The configuration
method is similar to that of PC A.
Step 2 Configure a static ARP entry for the file backup server on the Router.
# Configure an IP address for Ethernet2/0/0.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] ip address 10.164.10.10 255.255.255.0
[Router-Ethernet2/0/0] quit
# Configure a static ARP entry for the file backup server: The IP address 10.164.10.1/24 maps
the MAC address 0df0-fc01-003a.
[Router] arp static 10.164.10.1 0df0-fc01-003a
----End
Example
The following lists the configuration file of the Router.
#
sysname Router
#
vlan batch 10 20 30
#
interface Ethernet 0/0/0
port hybrid tagged vlan 10
#
interface Ethernet 0/0/1
port hybrid tagged vlan 20
#
interface Ethernet 0/0/2
port hybrid tagged vlan 30
#
interface Vlanif 10
ip address 10.164.1.20 255.255.255.0
#
interface Ethernet 2/0/0
ip address 10.164.10.10 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 0/0/0
arp static 10.164.1.2 00e0-fc01-0002 vid 10 interface ethernet 0/0/0
arp static 10.164.1.3 00e0-fc01-0003 vid 10 interface ethernet 0/0/0
arp static 10.164.10.1 0df0-fc01-003a
#
return
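Static entries protect only the addresses they cover and only while they remain configured, so it is worth checking the ARP table against the intended bindings from time to time. The following Python sketch is an added example, not part of the Huawei guide: it parses display arp output in the column layout shown in this document and reports protected addresses that are missing, learned dynamically, or bound to an unexpected MAC address. The sample output is constructed, and the S-- type string for static rows is an assumption, because the guide shows only I and D rows.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    expire_min: Optional[int]  # None for interface and static rows
    kind: str                  # "I" interface, "D" dynamic, "S" static (assumed)
    interface: str


# One table row: IP, MAC, optional EXPIRE(M), TYPE ("I -", "D-0", ...), INTERFACE.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>I -|[DS]\S*)\s+"
    r"(?P<intf>\S+)"
)

# Constructed sample in the layout of the guide's display arp examples.
SAMPLE_OUTPUT = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.164.1.20     00e0-fc99-9999            I -  Vlanif10
10.164.1.1      00e0-fc01-0001            S--  Eth0/0/0
10.164.1.2      00e0-fc01-0abc  18        D-0  Eth0/0/0
10.164.10.1     00e0-fc01-0abc  3         D-0  Eth2/0/0
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:1    Interface:1
"""

# Intended bindings, taken from the arp static lines of the configuration file.
EXPECTED = {
    "10.164.1.1": "00e0-fc01-0001",
    "10.164.1.2": "00e0-fc01-0002",
    "10.164.1.3": "00e0-fc01-0003",
    "10.164.10.1": "0df0-fc01-003a",
}


def parse_display_arp(text: str) -> Dict[str, ArpEntry]:
    """Map IP address -> ArpEntry; header, separator and summary lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        expire = int(m["expire"]) if m["expire"] else None
        entries[m["ip"]] = ArpEntry(m["ip"], m["mac"].lower(), expire,
                                    m["type"][0], m["intf"])
    return entries


def audit(entries: Dict[str, ArpEntry],
          expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the table with the intended bindings and list every deviation."""
    findings: List[Tuple[str, str]] = []
    for ip, want_mac in expected.items():
        entry = entries.get(ip)
        if entry is None:
            findings.append((ip, "MISSING"))
            continue
        if entry.mac != want_mac.lower():
            findings.append((ip, "MAC_MISMATCH"))
        if entry.kind != "S":
            # A dynamic entry can be rewritten by any ARP packet the router accepts.
            findings.append((ip, "NOT_STATIC"))
    return findings


def shared_dynamic_macs(entries: Dict[str, ArpEntry]) -> Dict[str, List[str]]:
    """Dynamic entries where one MAC answers for several IPs (proxy ARP or spoofing)."""
    by_mac: Dict[str, List[str]] = {}
    for e in entries.values():
        if e.kind == "D":
            by_mac.setdefault(e.mac, []).append(e.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_display_arp(SAMPLE_OUTPUT)
    for ip, issue in audit(table, EXPECTED):
        print(f"{issue:13} {ip}")
    print(shared_dynamic_macs(table))
```

A MAC address shared by several dynamic entries is also what routed proxy ARP produces, so treat that result as a prompt to check, not as proof of an attack.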
Networking Requirements
As shown in Figure 1-2, branch A and branch B of a company are located in different cities;
multiple routing devices are deployed between branches and routes are reachable; IP addresses
of the routing devices are on the same network segment 172.16.0.0/16. Branch A and branch B
belong to different broadcast domains; therefore, they cannot communicate on a LAN. Hosts of
branches are not configured with default gateway addresses; therefore, they cannot communicate
across network segments. The company requires that branch A and branch B communicate
without changing the host configurations.
NOTE
AR150/200 is RouterA or RouterB.
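[Figure 1-2: Host A (172.16.1.2/16, 0000-5e33-ee20) in branch A connects to Ethernet0/0/0 of RouterA in VLAN 10; Host B (172.16.2.2/16, 0000-5e33-ee10) in branch B connects to Ethernet0/0/0 of RouterB in VLAN 20; the two routers are connected through the Internet]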
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting RouterA and branch A to VLAN 10 and add the interface
connecting RouterB and branch B to VLAN 20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to implement
communication between the two branches.
Data Preparation
To complete the configuration, you need the following data:
• Ethernet0/0/0 connecting RouterA and branch A
• Ethernet0/0/0 connecting RouterB and branch B
• IP address 172.16.1.1/24 of VLANIF 10
• MAC address 00e0-fc39-80aa of VLANIF 10
• IP address 172.16.2.1/24 of VLANIF 20
• MAC address 00e0-fc39-80bb of VLANIF 20
Procedure
Step 1 Configure RouterA.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
# View the ARP table of host A. You can see that the MAC address of host B is the MAC address
of VLANIF 10.
C:\Documents and Settings\Administrator>arp -a
Interface: 172.16.1.2 --- 0x2
Internet Address Physical Address Type
172.16.2.2 00e0-fc39-80aa dynamic
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10
#
interface Vlanif 10
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface ethernet 0/0/0
port link-type access
port default vlan 10
#
return
Configuration file of RouterB
#
sysname RouterB
#
vlan batch 20
#
interface Vlanif 20
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface ethernet 0/0/0
port link-type access
port default vlan 20
#
return
Networking Requirements
As shown in Figure 1-3, hosts of the accounting department are located in a VLAN. Hosts of
the accounting department are attacked by viruses when they access the Internet. The attacked
hosts send a large number of broadcast packets, causing broadcast storms in the VLAN, to the
point that hosts cannot communicate. The company requires that broadcast storms be prevented
to ensure communication between hosts and information security.
[Figure 1-3: PC A (100.1.1.10/24) and PC B (100.1.1.100/24) of the accounting department in VLAN 10 connect to Ethernet0/0/0 of the Router]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure port isolation on the downstream interface of the Router to forbid Layer 2
communication and remove broadcast storms.
2. Enable intra-VLAN proxy ARP on the VLANIF interface so that, with broadcast storms
prevented, hosts in the accounting department can still communicate at Layer 3.
Data Preparation
To complete the configuration, you need the following data:
• Interface connecting the Router and the accounting department: Ethernet0/0/0
• ID of the VLAN that Ethernet0/0/0 joins: VLAN 10
• IP address of VLANIF10: 100.1.1.12/24
Procedure
Step 1 Add Ethernet0/0/0 to VLAN 10.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
interface ethernet 0/0/0
port hybrid tagged vlan 10
#
return
[Figure: Router, VLAN 2, VLAN 3, VLAN 4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure the super-VLAN and sub-VLANs.
2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to
the VLANIF interface.
4. Enable inter-VLAN proxy ARP.
Data Preparation
To complete the configuration, you need the following data:
• IDs of the super-VLAN and sub-VLANs
• Sub-VLAN 2 that Ethernet0/0/0 and Ethernet0/0/1 belong to
• Sub-VLAN 3 that Ethernet0/0/2 and Ethernet0/0/3 belong to
Procedure
Step 1 Create and configure the super-VLAN and sub-VLANs.
# Create sub-VLAN 2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
# Create sub-VLAN 3.
[Router] vlan 3
[Router-vlan3] quit
----End
Example
The following lists only the configuration file of the Router.
#
sysname Router
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface ethernet 0/0/0
port link-type access
port default vlan 2
#
interface ethernet 0/0/1
port link-type access
port default vlan 2
#
interface ethernet 0/0/2
port link-type access
port default vlan 3
#
interface ethernet 0/0/3
port link-type access
port default vlan 3
#
return
Networking Requirements
As shown in Figure 1-5, two Ethernet interfaces are added to VLAN 100 in default mode. To
view changes of ARP entries, configure Layer 2 topology detection.
[Figure 1-5: PC A (10.1.1.1/24) and PC B (10.1.1.3/24) connect to the Router in VLAN 100]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLAN 100 and add the two Ethernet interfaces on the Router to VLAN 100 in default
mode.
# Create VLAN 100 and configure an IP address for the VLANIF interface.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 100
[Router-vlan100] quit
[Router] interface vlanif 100
[Router-vlanif100] ip address 10.1.1.2 24
[Router-vlanif100] quit
Step 3 Restart Ethernet 0/0/0 and view changes of ARP entries and aging time.
# View ARP entries on the Router. You can see that the Router has learned the MAC address
of the PC.
[Router] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 Ethernet0/0/0
10.1.1.3 00e0-de24-bf04 20 D-0 Ethernet0/0/1
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
# Run the shutdown and undo shutdown commands on Ethernet0/0/0 and view the aging time
of ARP entries.
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] shutdown
[Router-Ethernet0/0/0] undo shutdown
[Router-Ethernet0/0/0] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.3 00e0-de24-bf04 0 D-0 Ethernet0/0/1
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
NOTE
According to the preceding information, the ARP entries learned from Ethernet0/0/1 are deleted after
Ethernet0/0/0 is shut down. After Ethernet0/0/0 is enabled and becomes Up, the aging time of ARP entries
learned from Ethernet0/0/1 changes to 0.
# When the aging time is 0, the Router sends an ARP probe packet for updating ARP entries.
[Router-Ethernet0/0/0] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.3 00e0-de24-bf04 20 D-0 Ethernet0/0/1
----------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
NOTE
After ARP entries are updated, the aging time is restored to the default value, 1200s.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet 0/0/0
port link-type access
port default vlan 100
#
interface Ethernet 0/0/1
port link-type access
port default vlan 100
#
return
2 IP Address Configuration
This chapter describes how to configure Internet Protocol (IP) addresses for network devices so
that they can communicate.
NOTE
Applicable Environment
To run IP services on an interface, you must configure IP addresses for the interface. Each
interface of the AR150/200 can be allocated multiple IP addresses, one of which is the primary
IP address and the others are secondary IP addresses.
Generally, an interface needs only the primary IP address. In special cases, secondary IP
addresses need to be configured for the interface. For example, an interface of the AR150/200
connects to a physical network, and hosts on this physical network belong to two network
segments. To allow the AR150/200 to communicate with all the hosts on the physical network,
configure a primary IP address and a secondary IP address for the interface.
NOTE
Pre-configuration Tasks
Before configuring IP addresses for an interface, complete the following tasks:
• Connecting interfaces and setting physical parameters of each interface so that the physical
status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
Data Preparation
To configure IP addresses for an interface, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Example
# Run the display ip interface command to view information about the IP address on
Ethernet1/0/0.
<Huawei> display ip interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 11022, bytes : 660443, multicasts : 0
output packets : 9634, bytes : 533292, multicasts : 0
Directed-broadcast packets:
received packets: 1796, sent packets: 0
forwarded packets: 0, dropped packets: 0
ARP packet input number: 52872
Request packet: 52852
Reply packet: 20
Unknown packet: 0
Internet Address is 10.137.217.210/23
Broadcast address : 10.137.217.255
# Run the display ip interface brief command to view brief information about the IP address
on Ethernet1/0/0.
<Huawei> display ip interface brief ethernet 1/0/0
*down: administratively down
(l): loopback
(s): spoofing
Interface IP Address/Mask Physical Protocol
Ethernet1/0/0 10.137.217.210/23 up up
Applicable Environment
In some application environments, an interface needs to be configured to borrow an IP address
from another interface to save IP addresses. If an interface is seldom used, a fixed IP address is
unnecessary. You can configure the interface to borrow an IP address from another interface.
Pre-configuration Tasks
Before configuring IP address unnumbered on an interface, complete the following tasks:
• Setting physical attributes of the IP unnumbered interface and the interface from which an
IP address will be borrowed
• Setting link layer protocols of the IP unnumbered interface and the interface from which
an IP address will be borrowed
Data Preparation
To configure IP address unnumbered on an interface, you need the following data.
No. Data
NOTE
Only the configurations related to IP address unnumbered are described here. The procedure for configuring
a static route to the peer device is not mentioned here.
The IP unnumbered interface cannot be enabled with dynamic routing protocols because it does not have
an IP address itself. To implement communication between the AR150/200 and the peer device, configure
a static route to the peer device.
Procedure
Step 1 Run:
system-view
The view of the interface from which an IP address will be borrowed is displayed.
The interface can be an Ethernet interface, a loopback interface, an Eth-Trunk interface, or a
VLANIF interface.
Step 3 Run:
ip address ip-address { mask | mask-length }
A primary IP address is configured for the interface from which an IP address will be borrowed.
An interface has only one primary IP address. If you configure a new primary address on an
interface that already has a primary IP address, the new IP address overrides the original one.
----End
Procedure
Step 1 Run:
system-view
The IP unnumbered interface is configured to borrow an IP address from the specified interface.
----End
Procedure
• Run the display ip interface [ interface-type interface-number ] command to check
information about the interface IP address.
• Run the display ip interface brief [ interface-type [ interface-number ] ] command to check
brief information about the interface IP address.
----End
Example
# Run the display ip interface command to view information about Eth2/0/0 borrowing an IP
address from LoopBack0.
<Huawei> display ip interface ethernet 2/0/0
Ethernet2/0/0 is standby,
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
received packets: 0, sent packets: 0
forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is unnumbered, using address of LoopBack0(202.117.23.45/24)
Broadcast address : 202.117.23.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
Networking Requirements
As shown in Figure 2-1, Ethernet0/0/0 on the Router is connected to a LAN. On the LAN, two
hosts belong to network segment 172.16.1.0/24 and another two hosts belong to network segment
172.16.2.0/24. The Router is required to access the two network segments.
[Figure 2-1: Ethernet0/0/0 of the Router (172.16.1.1/24, and 172.16.2.1/24 sub) connects to a LAN with network segments 172.16.1.0/24 and 172.16.2.0/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Plan IP addresses for interfaces.
2. Configure the primary and secondary IP addresses for an interface.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure primary and secondary IP addresses for Ethernet0/0/0 on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] ip address 172.16.1.1 24
[Router-Ethernet0/0/0] ip address 172.16.2.1 24 sub
# Ping a host on network segment 172.16.1.0 from the Router. The ping operation succeeds.
<Router> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=128 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
# Ping a host on network segment 172.16.2.0 from the Router. The ping operation succeeds.
<Router> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=128 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=128 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=128 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
interface Ethernet0/0/0
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return
Context
As shown in Figure 2-2, Tunnel0/0/1 of RouterA connects to RouterC by a tunnel. Tunnel0/0/1
of RouterA and Tunnel0/0/1 of RouterC are seldom used. To save IP addresses, Tunnel0/0/1 of
RouterA is required to borrow the IP address of Loopback0 on RouterA, and Tunnel0/0/1 of
RouterC is required to borrow the IP address of Loopback0 on RouterC.
[Figure 2-2: RouterA (LoopBack0 6.6.6.6/32) and RouterC (LoopBack0 9.9.9.9/32) are connected by a tunnel between their Tunnel0/0/1 interfaces; RouterB, PC 1 and PC 2 also appear in the figure]
Configuration Roadmap
The configuration roadmap is as follows:
• Configure IP addresses for Loopback0 interfaces on RouterA and RouterC.
• Configure OSPF.
• On RouterA, configure Tunnel0/0/1 to borrow the IP address of Loopback0.
• On RouterC, configure Tunnel0/0/1 to borrow the IP address of Loopback0.
Data Preparation
To complete the configuration, you need the following data:
• IP address of Loopback0 on RouterA
• IP address of Loopback0 on RouterC
NOTE
Procedure
Step 1 Configure RouterA.
# Configure an IP address for Loopback0.
<Huawei> system-view
[Huawei] sysname RouterA
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
interface Tunnel 0/0/1
ip address unnumbered interface LoopBack0
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
#
return
• Configuration file of RouterC
#
sysname RouterC
#
interface LoopBack0
ip address 9.9.9.9 255.255.255.255
#
interface Tunnel 0/0/1
ip address unnumbered interface LoopBack0
#
ospf 1
area 0.0.0.0
network 9.9.9.9 0.0.0.0
#
return
The IPv6 protocol stack supports routing protocols and application protocols on an IPv6
network.
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is the standard network
protocol of the second generation. It is a set of specifications designed by the Internet
Engineering Task Force (IETF). IPv6 is the upgraded version of IPv4. The most remarkable
difference between IPv6 and IPv4 is that the IP address length increases from 32 bits to 128 bits.
The AR150/200 supports the IPv6 protocol suite and TCP6 protocol suite.
IPv6 Address
A 128-bit IPv6 address has the following formats:
• X:X:X:X:X:X:X:X
In this format, a 128-bit IP address is divided into eight groups. The 16 bits of each group
are represented by four hexadecimal characters, that is, 0 to 9, and A to F. The groups are
separated by colons. Every "X" represents a group of hexadecimal values.
• X:X:X:X:X:X:d.d.d.d
This format is for the following types of addresses:
  – IPv4-compatible IPv6 address
  – IPv4-mapped IPv6 address
In this type of address, "X" represents the first six groups of numbers. Each "X" stands for
16 bits that are represented by hexadecimal numbers. "d" represents the subsequent four
groups of numbers. Each "d" stands for eight bits that are represented by decimal numbers.
"d.d.d.d" is a standard IPv4 address.
IPv6 PMTU
Generally, the problem of different networks having different Maximum Transmission Units
(MTUs) can be solved in the following ways:
• Devices fragment packets as required. The source host only needs to fragment packets;
the intermediate router, however, needs to both fragment and reassemble
packets.
• The source host sends packets based on a proper MTU so that packets need not be
fragmented on the intermediate router. This reduces the packet processing burden on the
intermediate router. During IPv6 packet transmission, only this method can be
used because IPv6 intermediate routers do not support packet fragmentation.
The Path MTU (PMTU) Discovery mechanism finds a proper MTU value on the path
from the source to the destination.
IPv6 FIB
Connecting network topologies of different types requires the configuration of different routing
protocols, which gives rise to the Routing Information Base (RIB). The RIB is the basis of the
Forwarding Information Base (FIB). Guided by route management policies, a device extracts the
minimum necessary forwarding information from the RIB and adds it to the FIB.
Through the route management module, you can also add static routes to the FIB.
A FIB contains the minimum information that a device needs during packet forwarding.
A FIB entry usually contains the destination address, prefix length, transport port, next-hop
address, route flag, and time stamp. A device forwards packets according to FIB entries.
The FIB mechanism consists of two parts: the FIB agent (used on the control plane) and the FIB
container (used on the forwarding plane). The FIB agent is responsible for interacting with the
RM module for delivering FIB entries to the forwarding engine, and to the I/O board in a
distributed system.
• Prefix length: indicates the length of the destination address prefix. From the prefix length,
you can infer whether the destination address is a network address or a host address.
• Nexthop: indicates the address of the next hop through which the packet reaches the
destination.
• Flag(s): identifies route features.
• Interface: indicates the outgoing interface of the packet.
• Timestamp: indicates the time when the FIB entry was established.
• Tunnel ID: indicates the ID of the VPN tunnel.
NOTE
The IPv6 function is used with a license. To use the IPv6 function, apply for and purchase the following
license from the Huawei local office:
• AR150&200 Value-Added Data Package
Applicable Environment
When a device communicates with an IPv6 device, you need to configure an IPv6 address for the
interface. The AR150/200 supports configuring IPv6 addresses for the following interfaces:
You can configure 10 addresses for one interface. An address can be a link-local address or
a global unicast address.
The link-local address is used in ND and in communication between nodes on the local link
during stateless address autoconfiguration. Packets that use a link-local address as the source
or destination address are not forwarded to other links.
The link-local address can be automatically generated or manually configured. After automatic
address generation is enabled, the system automatically generates a link-local address. A
manually configured link-local address must be a valid link-local address
(FE80::/10).
Pre-configuration Tasks
Before configuring IPv6 addresses, complete the following tasks:
• Configuring the physical features of the interface and ensuring that the status of the physical
layer of the interface is Up
• Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up
Data Preparation
To configure IPv6 addresses for an interface, you need the following data.
No. Data
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
capability is enabled on the device. The IPv6 function, however, is not enabled on the interface,
and hence you cannot perform any IPv6 configurations.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is
enabled only on the interface. Therefore, the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
----End
Procedure
Step 1 Run:
system-view
Or
Run:
ipv6 address ipv6-address link-local
Besides configuring a link-local address through the preceding two commands, you can also
configure a global unicast IPv6 address, which causes a link-local address to be generated
automatically. For details, see Configuring an IPv6 Global Unicast Address for an Interface.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
or
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
----End
Context
Anycast addresses and unicast addresses are in the same address range. An anycast address is
used to identify a group of interfaces on different nodes.
protocol). The packets destined for a multicast address are transmitted to a group of
interfaces with the multicast address.
When the 6to4 tunnel is used for the communication between the 6to4 network and the native
IPv6 network, the AR150/200 supports the configuration of an anycast address with the prefix
of 2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.
Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route
device. When multiple 6to4 relay route devices are configured on the network, the difference
between the two methods is as follows:
• If a 6to4 address is used, you need to configure different addresses for the tunnel interfaces
of all devices.
• If an anycast address is used, you need to configure the same address for the tunnel
interfaces of all devices. In this manner, the number of addresses is reduced.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the IPv6 addresses are complete.
Procedure
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the IPv6 information of an interface.
• Run the display ipv6 statistics command to check the IPv6 packet statistics.
----End
Example
Run the display ipv6 interface command. If the IPv6 address of the interface is displayed, it
means that the configuration succeeds. For example:
<Huawei> display ipv6 interface ethernet 1/0/0
Run the display ipv6 interface command. If the configured IPv6 address and interface status
are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
Ethernet2/0/0 up up
[IPv6 Address] 2030::101:101
Ethernet2/0/1 up up
[IPv6 Address] 2001::1
LoopBack0 up up(s)
[IPv6 Address] Unassigned
Run the display ipv6 statistics command. If the statistics on IPv6 packets is displayed, it means
that the configuration succeeds.
<Huawei> display ipv6 statistics
IPv6 Protocol:
Sent packets:
Total : 3630
Local sent out : 3630 Forwarded : 0
Raw packets : 0 Discarded : 0
Fragmented : 0 Fragments : 0
Fragments failed : 0 Multicast : 0
Received packets:
Total : 3630 Local host : 3630
Hop count exceeded : 0 Header error : 0
Too big : 0 Routing failed : 0
Address error : 0 Protocol error : 0
Truncated : 0 Option error : 0
Fragments : 0 Reassembled : 0
Reassembly timeout : 0 Multicast : 0
Applicable Environment
After an IPv6 address is configured for a node, the node checks whether this address can be used
and does not conflict with any other address. If a node is a host, a router needs to notify the host
of the optimal next hop address of a packet to be sent by the host to a specific destination. If a
node is a router, it needs to advertise its address, address prefix, and other configuration
parameters to instruct hosts to configure parameters. During IPv6 packet forwarding, a node
needs to know the neighboring nodes' link-layer addresses and check their reachability. The
Neighbor Discovery (ND) function can be used to meet the requirements.
Pre-configuration Tasks
Before configuring IPv6 neighbor discovery, complete the following tasks:
• Configuring the physical features for the interface and ensuring that the status of the
physical layer of the interface is Up
• Configuring link layer parameters for the interface
• Configuring the IPv6 address for the interface
Data Preparation
To configure IPv6 neighbor discovery, you need the following data.
No. Data
5 Hop limit of ND
No. Data
9 Interface MTU
Procedure
Step 1 Run:
system-view
Static neighbors can be configured for interfaces and their sub-interfaces. You can configure up
to 300 neighbors on each interface.
----End
Procedure
Step 1 Run:
system-view
Step 3 (Optional) Run:
undo ipv6 nd ra halt
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Context
Duplicate Address Detection (DAD) is a process of IPv6 automatic address configuration. You can
configure the number of DAD messages that are sent consecutively.
Set the interval for sending Neighbor Solicitation (NS) messages on the device. By default, the
NS retransmission interval is 1000 ms.
Neighbor Unreachability Detection (NUD) checks the reachability of neighbors. By default, the
NUD value is 30000 ms.
The MTU of the interface determines whether to fragment IP packets on the interface. Default
MTUs vary with interface types. The default MTU of an Ethernet interface is 1500 bytes.
Procedure
Step 1 Run:
system-view
NOTE
• If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an RA message
uses the value configured on the interface.
• If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA message
uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit command.
Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime
NOTE
• When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval must
be less than or equal to the life duration.
• By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
• By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the duration
is still 1800 seconds.
Step 6 Run:
ipv6 nd dad attempts value
----End
Follow-up Procedure
If the IPv6 MTU value is changed, run the shutdown command and then the undo shutdown
command in the interface view for the configuration to take effect.
Context
If a host is connected to multiple routers, the host must select a router to forward packets based
on the destination addresses of packets. The router can advertise the default router priority and
specified route information to the host so that the host can select a proper forwarding router
based on the destination addresses of packets.
After receiving the RA packets carrying the route information, the host updates its routing table.
When sending packets to another device, the host queries the routing table and selects a proper
route to send packets.
When receiving the RA packets that carry the priority of default routers, the host updates its
default router table. When sending packets to another device, if there is no route to be selected,
the host queries the default router table. Then, the host selects a router with the highest priority
on the local link to send packets. If the router is faulty, the host selects another router in
descending order of priority.
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the IPv6 neighbor discovery function are complete.
Procedure
• Run the display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type
interface-number | vpn-instance vpn-instance-name ] or display ipv6 neighbors interface-type
interface-number | [ vid vid ] | [ cevid cevid ] command to check the neighbor information in
the cache.
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the IPv6 information of an interface. If the interface is in the Up state, the
configuration is successful.
----End
Example
Run the display ipv6 neighbors command. If the cache of the neighbor information contains
neighbors' IPv6 addresses and the specified interfaces, it means that the configuration succeeds.
<Huawei> display ipv6 neighbors ethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer : 00e0-fc89-fe6e State : STALE
Interface : Eth1/0/0 Age : 7
VLAN : 10 CEVLAN: -
VPN name : vpn1 Is Router: TRUE
Secure FLAG : UN-SECURE
Run the display ipv6 interface command. If information about the IPv6 address on the interface
is displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001::1, subnet is 2001::/64
5000::A19:A6FF:FECE:7D4B, subnet is 5000::/63
Joined group address(es):
FF02::1:FFCE:7D4B
FF02::2
FF02::1
FF02::1:FF00:1
MTU is 1280 bytes
ND DAD is disabled
ND reachable time is 10000 milliseconds
ND retransmit interval is 10000 milliseconds
Hosts use DHCP to obtain routable addresses.
Run the display ipv6 interface brief command. If information about the IPv6 address on the
interface and interface status are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
Ethernet2/0/2 up up
[IPv6 Address] 2030::101:101
Ethernet2/0/3 up up
[IPv6 Address] 2001::1
LoopBack0 up up(s)
[IPv6 Address] Unassigned
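The joined group addresses in the display ipv6 interface output above can be checked against the unicast addresses: every unicast address should have its solicited-node multicast group (FF02::1:FF followed by the low 24 bits of the address) joined. The following is an added example, not part of the original guide; the function names are hypothetical, and the EUI-64 helper is applied to the link-layer address shown in the display ipv6 neighbors output.

```python
import ipaddress

# Output copied from the "display ipv6 interface ethernet 1/0/0" example above.
DISPLAY_OUTPUT = """\
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
2001::1, subnet is 2001::/64
5000::A19:A6FF:FECE:7D4B, subnet is 5000::/63
Joined group address(es):
FF02::1:FFCE:7D4B
FF02::2
FF02::1
FF02::1:FF00:1
MTU is 1280 bytes
"""

SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr):
    """Return the solicited-node multicast group for a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_NET.network_address) | low24)


def eui64_link_local(mac):
    """Build the EUI-64 link-local address for a MAC such as '00e0-fc89-fe6e'."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                       # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address((0xFE80 << 112) | int.from_bytes(iid, "big"))


def parse_interface(output):
    """Extract unicast and joined multicast addresses from the display output."""
    unicast, groups, section = [], [], None
    for line in output.splitlines():
        line = line.strip()
        if "link-local address is" in line:
            unicast.append(ipaddress.IPv6Address(line.rsplit(" ", 1)[1]))
            section = None
        elif line.startswith("Global unicast address"):
            section = unicast
        elif line.startswith("Joined group address"):
            section = groups
        elif section is not None:
            token = line.split(",")[0].split()[0] if line else ""
            try:
                section.append(ipaddress.IPv6Address(token))
            except ValueError:
                section = None              # first non-address line ends the list
    return unicast, groups


def check_groups(output):
    """Compare joined solicited-node groups with those the unicast addresses need."""
    unicast, groups = parse_interface(output)
    expected = {solicited_node(a) for a in unicast}
    joined = {g for g in groups if g in SOLICITED_NODE_NET}
    return {"missing": sorted(expected - joined),
            "unexplained": sorted(joined - expected)}


if __name__ == "__main__":
    print(check_groups(DISPLAY_OUTPUT))
    # Link-layer address taken from the display ipv6 neighbors example above.
    print(eui64_link_local("00e0-fc89-fe6e"))
```

A joined solicited-node group that no configured address explains, or an expected group that is missing, is worth investigating before trusting the neighbor cache on that interface.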
Applicable Environment
If a device has both IPv4 and IPv6 connections, the IPv4/IPv6 dual protocol stacks need to be
enabled on the device.
Enabling the IPv4/IPv6 dual protocol stacks on the AR150/200 is a simple process. Enable the
IPv6 packet forwarding capability in the system view and configure an IPv4 address or IPv6
address on the corresponding interface. The device can then forward IPv4 and IPv6 packets on
the corresponding interface.
Pre-configuration Tasks
Before configuring IPv6 tunnels, complete the following tasks:
• Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
• Configuring the link layer parameters for the interface
Data Preparation
To configure IPv4/IPv6 dual stacks, you need the following data.
No. Data
1 Type and number of the interface connected with the IPv4 network
2 IPv4 address and mask of the interface connected with the IPv4 network
3 Type and number of the interface connected with the IPv6 network
4 IPv6 address and prefix of the interface connected with the IPv6 network
Context
To enable a device to forward IPv6 packets, you must enable the IPv6 capability in both the
system view and the interface view. This is because:
• If you run the ipv6 command only in the system view, only the IPv6 packet forwarding
capability is enabled on the device. IPv6 is not enabled on the interface,
and hence you cannot perform any IPv6 configurations.
• If you run the ipv6 enable command only in the interface view, the IPv6 capability is
enabled only on the interface, but the device cannot forward IPv6 data.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ipv6
To enable a device to forward IPv6 packets, you must run this command in the system view;
otherwise, the device cannot forward IPv6 packets although the interface is configured with an
IPv6 address.
Step 3 Run:
interface interface-type interface-number
The view of the interface to be enabled with the IPv6 capability is displayed.
Step 4 Run:
ipv6 enable
Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability
in the interface view.
----End
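The two-level rule in this procedure (ipv6 in the system view plus ipv6 enable in the interface view) is easy to check offline in a saved configuration file. The following is an added example, not part of the original guide: the function names and the sample configuration are constructed, and it also reports interfaces on which undo ipv6 nd ra halt turns on RA sending.

```python
# Constructed sample in the layout of the configuration files in this guide.
SAMPLE_CONFIG = """\
#
sysname RouterA
#
ipv6
#
interface Ethernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
undo ipv6 nd ra halt
#
interface Ethernet1/0/1
ipv6 address 3002::1/64
#
interface Ethernet2/0/0
ip address 20.1.1.1 255.255.255.0
#
return
"""


def parse_sections(text):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_ipv6(text):
    """Return (interface, finding) pairs for the two-level IPv6 enablement rule."""
    sections = parse_sections(text)
    # "ipv6" on its own in a non-interface section is the system-view command.
    global_ipv6 = any("ipv6" in sec for sec in sections
                      if not sec[0].startswith("interface "))
    findings = []
    for sec in sections:
        if not sec[0].startswith("interface "):
            continue
        name = sec[0].split(None, 1)[1].replace(" ", "")
        body = sec[1:]
        enabled = "ipv6 enable" in body
        has_addr = any(line.startswith("ipv6 address ") for line in body)
        if has_addr and not enabled:
            findings.append((name, "ipv6 address without ipv6 enable"))
        if enabled and not global_ipv6:
            findings.append((name, "ipv6 enable but no system-view ipv6"))
        if enabled and "undo ipv6 nd ra halt" in body:
            findings.append((name, "RA advertisement enabled"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_ipv6(SAMPLE_CONFIG):
        print(interface, "-", finding)
```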
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ip address ip-address { mask | mask-length }
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number
• Run:
ipv6 address ipv6-address link-local
----End
Prerequisites
The IPv4/IPv6 stack has been configured.
Procedure
• Run the display this command in the interface view to view the information about the
IPv4/IPv6 stack.
----End
Example
Run the display this command to view information about the IPv4/IPv6 stack.
[Huawei-Ethernet1/0/0] display this
[V200R002C00]
#
interface GigabitEthernet0/0/1
ipv6 enable
ip address 20.1.1.1 255.255.255.0
ipv6 address 1002::1/64
ospfv3 1 area 0.0.0.0
#
return
Applicable Environment
By setting PMTUs on interfaces, you can enable devices to send packets based on proper MTUs
across the network. This avoids packet fragmentation, reduces the burden of the devices,
implements efficient usage of network resources and achieves the best throughput.
Pre-configuration Tasks
Before configuring PMTUs, complete the following tasks:
• Configuring the physical features for the interface and ensuring that the status of the
physical layer of the interface is Up
• Configuring the link layer protocol for the interface
Data Preparation
To configure PMTUs, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Prerequisites
The configurations of the PMTU are complete.
Procedure
• Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to check
all PMTU items.
• Run the display ipv6 interface [ interface-type interface-number | brief ] command to
check the current MTU of the interface.
----End
Example
Run the display ipv6 pathmtu command. If the destination IPv6 address, the PMTU value, the
aging time and type are displayed, it means that the configuration succeeds.
<Huawei> display ipv6 pathmtu all
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
fe80::12 0 1300 40 Dynamic
2222::3 0 1280 -- Static
-------------------------------------------------------------------------------
Total: 2 Dynamic: 1 Static: 1
Run the display ipv6 interface command. If the current MTU of the interface is displayed, it
means that the configuration succeeds.
<Huawei> display ipv6 interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
Applicable Environment
To optimize network performance, you need to adjust the TCP6 parameters.
Pre-configuration Tasks
Before configuring TCP6, complete the following tasks:
• Connecting and configuring the physical features for the interface and ensuring that the
status of the physical layer of the interface is Up
• Configuring the link layer protocol parameters for the interface and ensuring that the status
of the link layer protocol on the interface is Up
Data Preparation
To configure TCP6, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp ipv6 timer syn-timeout timer-value
Step 3 Run:
tcp ipv6 timer fin-timeout timer-value
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp ipv6 window window-size
The size of the TCP6 sliding window ranges from 1 KB to 32 KB. By default, the size of the
TCP6 sliding window is 8 KB.
----End
Prerequisites
The configurations of the TCP6 function are complete.
Procedure
• Run the display tcp ipv6 statistics command to check related TCP6 statistics.
• Run the display tcp ipv6 status command to check the TCP6 connection status.
• Run the display udp ipv6 statistics command to check related UDP6 statistics.
• Run the display ipv6 socket [ socktype socket-type | task-id task-id socket-id socket-id ]
command to check the information of the specified socket.
----End
Example
Run the display tcp ipv6 statistics, display tcp ipv6 status, and display udp ipv6 statistics
commands. If the connection status and statistics of TCP6 and UDP6 are displayed, it means that
the configuration succeeds.
<Huawei> display tcp ipv6 statistics
Received packets:
total: 0
total(64bit high-capacity counter): 0
packets in sequence: 0 (0 bytes)
window probe packets: 0
window update packets: 0
checksum error: 0
offset error: 0
short error: 0
duplicate packets: 0 (0 bytes)
partially duplicate packets: 0 (0 bytes)
out-of-order packets: 0 (0 bytes)
packets with data after window: 0 (0 bytes)
packets after close: 0
ACK packets: 0 (0 bytes)
duplicate ACK packets: 0
too much ACK packets: 0
packets dropped due to MD5 authentication failure: 0
packets dropped due to absence of MSO: 0
packets dropped due to presence of MSO: 0
packets received with MD5 Signature Option: 0
Sent packets:
total: 0
urgent packets: 0
total(64bit high-capacity counter): 0
control packets: 0 (including 0 RST)
window probe packets: 0
window update packets: 0
data packets: 0 (0 bytes)
data packets retransmitted: 0 (0 bytes)
ACK only packets: 0 (0 delayed)
packets sent with MD5 Signature Option: 0
Other Statistics:
retransmitted timeout: 0
connections dropped in retransmitted timeout: 0
keepalive timeout: 0
keepalive probe: 0
keepalive timeout, so connections disconnected: 0
initiated connections: 0
accepted connections: 0
established connections: 0
closed connections: 0 (dropped: 0, initiated dropped: 0)
Sent packets:
total: 0
total(64bit high-capacity counter): 0
Run the display ipv6 socket command. If the related socket information is displayed, it means
that the configuration succeeds.
<Huawei> display ipv6 socket
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
SOCK_RAW:
Context
CAUTION
IPv6 statistics cannot be restored after they are cleared. Confirm the action before you run the
command.
Procedure
• Run the reset ipv6 statistics command in the user view to clear statistics of processing
IPv6 packets after you confirm it.
• Run the reset ipv6 pathmtu { all | dynamic | static } command in the user view to clear
PMTU entries in the cache after you confirm it.
• Run the reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type
interface-number ] | interface-type interface-number [ dynamic | static ] } command in the user view
to clear IPv6 neighbor entries in the cache after you confirm it.
• Run the reset ipv6 address-policy command in the user view to clear address selection
policy entries.
• Run the reset tcp ipv6 statistics command in the user view to clear all TCP6 statistics after
you confirm it.
• Run the reset udp ipv6 statistics command in the user view to clear all UDP6 statistics
after you confirm it.
----End
Networking Requirement
As shown in Figure 3-1, Router A and Router B are connected through GE interfaces. It is
required to configure IPv6 global unicast addresses for the interfaces and test the connectivity
between them.
The IPv6 global unicast addresses to be configured for the interfaces are 3001::1/64 and
3001::2/64.
[Figure 3-1: RouterA connected to RouterB]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable IPv6 packet forwarding on Router A and Router B.
# Configure Router A
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
# Configure Router B
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
# Configure Router B.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ipv6 enable
[RouterB-Ethernet1/0/0] ipv6 address 3001::2/64
[RouterB-Ethernet1/0/0] quit
FF02::1:FF9B:6D3B
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
ipv6
#
interface ethernet1/0/0
ipv6 enable
ipv6 address 3001::1/64
#
return
Networking Requirements
As shown in Figure 3-2, two routers are connected through GE interfaces. Configure IPv6
link-local addresses for the GE interfaces and enable the routers to send RA messages.
[Figure 3-2: RouterA connected to RouterB]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 forwarding capability on the router.
2. Configure the link-local unicast address on Ethernet 1/0/0.
3. Enable the routers to send RA messages on Ethernet 1/0/0.
Data Preparation
To complete the configuration, you need the following data:
• IPv6 link-local address for an interface.
Procedure
Step 1 Enable the IPv6 forwarding capability on the routers.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ipv6
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] ipv6
# Configure RouterB.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ipv6 enable
[RouterB-Ethernet1/0/0] ipv6 address auto link-local
-----------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0
-----------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
ipv6
#
interface Ethernet1/0/0
ipv6 enable
ipv6 address auto link-local
undo ipv6 nd ra halt
#
return
4 DNS Configuration
This chapter describes the principles and configuration procedures of the Domain Name System
(DNS) on the AR150/200, and provides configuration examples.
• Static DNS resolution. Mappings between domain names and IP addresses are configured
manually. When a DNS client requests the IP address mapped to a domain name, it searches
for the specified domain name in the static DNS table to obtain the mapped IP address.
• Dynamic DNS resolution. A DNS server searches for the IP address mapped to a domain
name. When the DNS server receives a query message from a DNS client, it searches for
the IP address mapped to the domain name in its DNS database. If no matching entry is found,
it sends a query message to an upper-level DNS server. This process continues until the
DNS server finds the corresponding IP address or detects that the domain name does not
exist. The DNS server then sends a response to the DNS client.
Applicable Environment
IP addresses such as 202.112.131.109 are difficult to remember; therefore, most organizations
use abbreviations or meaningful names (also called domain names) such as www.sina.com.cn
to identify devices. Name resolvers or domain servers resolve mappings between IP addresses
and domain names.
A DNS client provides functions of a name resolver and completes resolution between IP
addresses and domain names.
If your organization seldom uses domain names to access other devices or there are no available
DNS servers, you must configure static DNS entries. To configure static DNS entries, you must
know mappings between domain names and IP addresses. When mappings between domain
names and IP addresses change, you must manually modify DNS entries.
If your organization uses domain names to access many devices and DNS servers are available,
you can configure dynamic DNS entries.
Pre-configuration Tasks
Before configuring a DNS client, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
• Configuring a DNS server
• Configuring a route between the local routing device and the DNS server
Data Preparation
To configure a DNS client, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip host host-name ip-address
Each host name can be mapped to only one IP address. When multiple IP addresses are mapped
to a host name, only the latest configuration takes effect. If multiple host names need to be
resolved, repeat step 2.
----End
Context
To implement dynamic DNS, you need to enable dynamic DNS resolution, configure a DNS
server, and configure a source IP address for the local routing device and a domain name suffix.
If the local routing device uses an IP address allocated by the DHCP server and the information
delivered by the DHCP server to the local routing device contains the DNS server address and
the domain name suffix list, you only need to enable dynamic DNS resolution.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dns resolve
The source IP address is specified for the local routing device to communicate with the DNS
client.
The local routing device uses the specified address to communicate with the DNS server. This
ensures communication security.
----End
Follow-up Procedure
The system supports a maximum of six DNS servers, one specified source address, and 10
domain name suffixes. If multiple DNS servers are required, repeat step 3. If multiple domain
name suffixes are required, repeat step 5.
Procedure
• Run the display ip host command to check static DNS entries.
• Run the display dns server command to check the DNS server configuration.
• Run the display dns domain command to check the domain name suffix configuration.
• Run the display dns dynamic-host command to check dynamic DNS entries.
----End
Example
# Run the display ip host command to view static DNS entries.
<Huawei> display ip host
Host Age Flags Address
www.3322.org 0 static 10.138.90.34
members.3322.org 0 static 10.138.90.51
checkip.dyndns.com 0 static 10.138.90.51
members.dyndns.org 0 static 10.138.90.51
# Run the display dns server command to view the DNS server configuration.
<Huawei> display dns server
Type:
D:Dynamic S:Static
# Run the display dns domain command to view the domain name suffix configuration.
<Huawei> display dns domain
No Domain-name
1 com
2 net
# Run the display dns dynamic-host command to view dynamic DNS entries saved in the
domain name cache.
<Huawei> display dns dynamic-host
Host TTL Type Address(es)
sipx.autosrv.com 114 IP
192.168.2.18
sip.autosrv.com 237 IP
192.168.2.61
sip.autonaptr.com 117 IP
192.168.2.19
_sip._tcp.autosrv.com 55 SRV 0 0 0 sipx.autosrv.com
0 0 0 sip.autosrv.com
autonaptr.com 0 NAPTR 101 10 A SIP+D2T sip.autona
Applicable Environment
If no DNS server is deployed on a LAN, a DNS client on the LAN can connect to an external
DNS server through the AR150/200 enabled with DNS proxy or relay. After the external DNS
server translates the domain name of the DNS client to an IP address, the DNS client can access
the Internet.
DNS proxy or relay reduces network management costs. Changing the IP address of the DNS
server requires that you change only the configuration on the DNS proxy or relay.
Pre-configuration Tasks
Before configuring DNS proxy or relay, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
• Configuring a DNS server
• Configuring routes between the local routing device and the DNS client and between the
local routing device and the DNS server
Data Preparation
No. Data
No. Data
Procedure
Step 1 Run:
system-view
The IP address of the DNS server that the DNS proxy or relay accesses is configured.
----End
Context
If the AR150/200 is enabled with DNS proxy or relay but is not configured with a DNS server
address or has no route to the DNS server, it does not forward or respond to DNS query messages
from DNS clients. If DNS spoofing is enabled, the AR150/200 uses the configured IP address
to respond to all DNS query messages.
In addition to enabling DNS proxy or relay, one of the following conditions must be met to make
DNS spoofing take effect:
- No DNS server is configured.
- A DNS server is configured, but dynamic DNS resolution is disabled.
- There is no route to the DNS server.
- There is no source IP address on the outbound interface connected to the DNS server.
If one of the preceding conditions is met, when the DNS proxy or relay receives an address
record query, it spoofs reply messages to any DNS query messages using the configured IP
address.
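The conditions above decide whether the device answers every address query with the spoofing address, so it is worth checking a saved configuration against them. The following is an added example, not Huawei code: it reads the RouterA configuration file from the DNS spoofing example later in this guide and classifies the spoofing state. It assumes that a `dns resolve` line means dynamic DNS resolution is enabled; the function name and state labels are hypothetical, and the last two conditions can only be confirmed on the running device.

```python
# Added example: classify when "dns spoofing" takes effect, from a saved config.
# ROUTER_A_CONFIG is RouterA's configuration file from the DNS spoofing example
# in this guide; the function name and the state labels are hypothetical.

ROUTER_A_CONFIG = """\
#
sysname RouterA
#
interface Ethernet 1/0/0
 ip address 1.1.1.1 255.255.0.0
#
dns resolve
dns server 2.1.1.1
dns proxy enable
dns forward expire-time 150
#
dns spoofing 10.1.1.3
#
ospf 1
 area 0.0.0.0
  network 1.1.0.0 0.0.255.255
#
return
"""


def dns_spoofing_state(config_text):
    """Return when the configured spoofing address is used to answer queries."""
    lines = [line.strip() for line in config_text.splitlines()]
    proxy = "dns proxy enable" in lines
    # Assumption: the presence of "dns resolve" means dynamic resolution is on.
    resolve = "dns resolve" in lines
    servers = [l.split()[2] for l in lines if l.startswith("dns server ")]
    spoof_ip = next(
        (l.split()[2] for l in lines if l.startswith("dns spoofing ")), None
    )

    reasons = []
    if spoof_ip is None or not proxy:
        # Spoofing needs both the spoofing address and DNS proxy.
        state = "inactive"
    else:
        if not servers:
            reasons.append("no DNS server is configured")
        elif not resolve:
            reasons.append("DNS server configured, dynamic DNS resolution disabled")
        if reasons:
            # Conditions 1 or 2 hold: every query is answered with spoof_ip.
            state = "always"
        else:
            # Only the runtime conditions remain; check them on the device.
            state = "on-upstream-loss"
            reasons = [
                "no route to the DNS server",
                "no source IP address on the outbound interface",
            ]
    return {"state": state, "spoof_ip": spoof_ip,
            "servers": servers, "reasons": reasons}


if __name__ == "__main__":
    result = dns_spoofing_state(ROUTER_A_CONFIG)
    print(result["state"], result["spoof_ip"], result["reasons"])
```

A result of `always` means clients behind the proxy receive the spoofing address for every name they look up, which should be a deliberate choice rather than a leftover setting.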
Procedure
Step 1 Run:
system-view
----End
Context
When the DNS proxy or relay is attacked, the DNS table becomes full. As a result, the DNS
proxy or relay cannot resolve new domain names into IP addresses. To solve the problem, you
can set the aging time of DNS entries so that the local routing device can delete expired DNS
entries.
Procedure
Step 1 Run:
system-view
Step 3 Run:
dns forward expire-time time
The aging time is set for DNS entries on the DNS proxy or relay.
By default, the aging time of DNS entries is 60s.
----End
Procedure
- Run the display dns forward table [ source-ip ip-address ] command to check the DNS table.
----End
Example
# Run the display dns forward table [ source-ip ip-address ] command to view the DNS table
of the DNS proxy or relay.
<Huawei> display dns forward table
Domain name : ma.huawei.com
Source IP : 1.1.1.3
Source port : 33025
Source packet id : 42564
Forward packet id : 1
Retry count : 2
Query type : 1
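When the DNS table fills up as described earlier, the first question is which client is holding the pending entries. The following is an added example, not part of the original guide: it parses `display dns forward table` output and counts pending entries per source IP. The first entry in the sample is the one shown above; the other entries, the threshold, and the assumption that several entries appear as repeated blocks of the same fields are constructed for illustration.

```python
# Added example: summarize "display dns forward table" output per source IP.
# Assumption: each table entry is printed as a block of "Field : value" lines
# that starts with "Domain name", as in the single entry shown in this guide.
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S.*?)\s*$")


def parse_forward_table(text):
    """Return one dict per table entry, keyed by normalized field name."""
    entries, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # prompt lines and blank lines carry no field
        key = match.group(1).strip().lower().replace(" ", "_")
        if key == "domain_name":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = match.group(2)
    return entries


def pending_by_source(entries, max_pending=3):
    """Group entries by source IP and flag sources above max_pending."""
    grouped = defaultdict(list)
    for entry in entries:
        grouped[entry.get("source_ip", "unknown")].append(entry)
    report = {}
    for source, items in grouped.items():
        names = {item.get("domain_name", "").lower() for item in items}
        report[source] = {
            "pending": len(items),
            "unique_names": len(names),
            "retries": sum(int(item.get("retry_count", 0)) for item in items),
            "suspect": len(items) > max_pending,
        }
    return report


def _block(name, src, sport, pkt_id, fwd_id, retries):
    """Format one table entry in the layout shown in this guide."""
    return (
        f"Domain name : {name}\nSource IP : {src}\nSource port : {sport}\n"
        f"Source packet id : {pkt_id}\nForward packet id : {fwd_id}\n"
        f"Retry count : {retries}\nQuery type : 1\n"
    )


# Sample input: the first entry is from this guide, the rest are constructed.
SAMPLE_OUTPUT = (
    "<Huawei> display dns forward table\n"
    + _block("ma.huawei.com", "1.1.1.3", 33025, 42564, 1, 2)
    + "".join(
        _block(f"x{i}.example.test", "1.1.1.9", 40000 + i, 100 + i, 2 + i, 2)
        for i in range(5)
    )
)

if __name__ == "__main__":
    for source, stats in pending_by_source(parse_forward_table(SAMPLE_OUTPUT)).items():
        print(source, stats)
```

A source with many pending entries for names that are all different is the pattern to look at before shortening the aging time or clearing the table.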
Applicable Environment
DNS resolves domain names into IP addresses so that you can use domain names to access
network nodes. However, DNS provides only static mappings between domain names and IP
addresses and cannot dynamically update a mapping when the IP address of a node changes. If
you then use the original domain name to access the node, access fails because the IP address
mapped to the domain name is incorrect.
The AR150/200 can function as the DDNS client. The AR150/200 notifies the DDNS server
about the new IP address when the IP address of the interface that provides web services changes.
The DDNS server dynamically updates the mapping between the domain name and the IP
address on the DNS server to ensure that the IP address can be resolved correctly.
Pre-configuration Tasks
Before configuring a DDNS client, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
- Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up
- Registering routes on the DDNS server Web site
- Configuring a route between the local routing device and the DDNS server
Data Preparation
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
ddns policy policy-name
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
ddns policy policy-name
Step 3 Run:
url request-url
After a DDNS policy is created, enter the URL, which specifies the DDNS server. The AR150/200
requests DDNS updates from different DDNS servers in different ways, so the URL format
depends on the DDNS server.
- When the AR150/200 uses HTTP to communicate with the DDNS server provided by the vendor at www.3322.org, the URL in a DDNS update request is:
  http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=<h>&ip=<a>
- When the AR150/200 uses TCP to communicate with the DDNS server provided by the vendor at www.oray.cn, the URL in a DDNS update request is:
  oray://username:password@phddnsdev.oray.net
Step 4 Run:
interval interval-time
After the interval for sending DDNS update requests is set in the configured DDNS policy, the
AR150/200 sends DDNS update requests at intervals. By default, the interval for sending DDNS
update requests is 3600s.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ddns apply policy policy-name fqdn domain-name
On the AR150/200, DDNS policies can only be bound to Layer 3 interfaces and VLANIF
interfaces.
----End
Procedure
- Run the display ddns policy policy-name command to view DDNS policy information.
- Run the display ddns interface interface-type interface-number command to view DDNS policy information on the interface.
----End
Example
# Run the display ddns policy command to view information about the DDNS policy
JackPolicy.
<Huawei> display ddns policy JackPolicy
Policy name : JackPolicy
Policy interval time : 3600
Policy URL : oray://Jack:Jack2010@phddnsdev.oray.net
Policy bind count : 1
# Run the display ddns interface command to view the DDNS policy information on VLANIF
100.
<Huawei> display ddns interface Vlanif 100
===== Policy JackPolicy =======
URL: oray://Jack:Jack2010@phddnsdev.oray.net
Statuses: START
Refresh: enable
Procedure
Step 1 Run the reset dns dynamic-host command to delete dynamic DNS entries of DNS clients.
Dynamic DNS entries cannot be restored after being deleted. Exercise caution when you run the
command.
----End
Procedure
Step 1 Run the reset dns forward table [ ip-address ] command to delete DNS entries of the DNS
proxy or relay.
----End
Procedure
Step 1 Run the reset ddns policy policy-name [ interface-type interface-num ] command to update
the mappings between all the IP addresses and host names in the DDNS policy.
----End
NOTE
AR150/200 is RouterA.
Networking diagram:
RouterA (DNS client): Eth1/0/0 1.1.1.2/16
RouterB: Eth1/0/0 1.1.1.1/16, Eth2/0/0 2.1.1.1/16
RouterC: Eth2/0/0 2.1.1.2/16, Eth1/0/0 3.1.1.1/16
DNS server: 3.1.1.2/16
huawei.com: 2.1.1.3/16
Configuration Roadmap
The configuration roadmap is as follows:
1. Create static DNS entries.
2. Enable DNS resolution.
3. Configure an IP address for the DNS server.
4. Configure a domain name suffix.
5. Configure OSPF.
Data Preparation
To complete the configuration, you need the following data:
- Number and IP address of the interface connecting RouterA and RouterB.
- Domain names of RouterB and RouterC.
- IP address of the DNS server.
- Domain name suffix.
Procedure
Step 1 Configure RouterA.
# Configure an IP address for Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.2 255.255.0.0
[RouterA-Ethernet1/0/0] quit
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.0.0 0.0.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
NOTE
You must configure OSPF on RouterB and RouterC so that a route between RouterA and the DNS server
can be generated. For details about OSPF configurations on RouterB and RouterC, see the configuration
files.
# Run the ping huawei.com command on RouterA. You can see that the ping operation succeeds
and the destination IP address is 2.1.1.3.
<RouterA> ping huawei.com
Trying DNS server (3.1.1.2)
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
Reply from 2.1.1.3: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2.1.1.3: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2.1.1.3: bytes=56 Sequence=5 ttl=126 time=4 ms
# Run the display ip host command on RouterA. You can view mappings between host names
and IP addresses in static DNS entries.
<RouterA> display ip host
Host Age Flags Address
DeviceB 0 static 4.1.1.1
DeviceC 0 static 4.1.1.2
# Run the display dns dynamic-host command on RouterA. You can view information about
dynamic DNS entries in the domain name cache.
<RouterA> display dns dynamic-host
Host TTL Type Address(es)
huawei.com 114 IP
2.1.1.3
NOTE
The TTL field in the command output indicates the time left before a DNS entry is aged out, in seconds.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ip host DeviceB 4.1.1.1
ip host DeviceC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface Ethernet 1/0/0
ip address 1.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
Configuration file of RouterB
#
sysname RouterB
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface Ethernet 1/0/0
ip address 1.1.1.1 255.255.0.0
#
interface Ethernet 2/0/0
ip address 2.1.1.1 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return
Configuration file of RouterC
#
sysname RouterC
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface Ethernet 1/0/0
ip address 3.1.1.1 255.255.0.0
#
interface Ethernet 2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return
NOTE
AR150/200 is RouterA.
Networking diagram:
NetworkA (DNS clients)
RouterA (DNS proxy): Eth1/0/0 1.1.1.1/16
RouterB: Eth1/0/0 1.1.1.2/16, Eth2/0/0 2.1.1.2/16
DNS server: 2.1.1.1/16
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a DNS server.
2. Configure DNS spoofing.
Data Preparation
To complete the configuration, you need the following data:
- IP address of the DNS server.
- Aging time of DNS entries.
- IP address configured by DNS spoofing.
Procedure
Step 1 Configure an IP address for Eth1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 1/0/0
# Set the aging time of DNS entries to 150s on the DNS proxy or relay.
[RouterA] dns forward expire-time 150
Step 3 Enable DNS spoofing and specify the IP address in response messages as 10.1.1.3.
[RouterA] dns spoofing 10.1.1.3
NOTE
You must configure OSPF on RouterB so that a route between RouterA and the DNS server can be
generated. For details about OSPF configurations on RouterB, see the configuration file.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface Ethernet 1/0/0
ip address 1.1.1.1 255.255.0.0
#
dns resolve
dns server 2.1.1.1
dns proxy enable
dns forward expire-time 150
#
dns spoofing 10.1.1.3
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
Configuration file of RouterB
#
sysname RouterB
#
interface Ethernet 1/0/0
ip address 1.1.1.2 255.255.0.0
#
interface Ethernet 2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
#
return
DDNS Server
2.1.1.3/16
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a DDNS policy.
2. Configure the URL for the DDNS server.
3. Set the interval for sending DDNS update requests.
4. Bind a DDNS policy to an interface.
Data Preparation
To complete the configuration, you need the following data:
- Domain name of RouterA
- URL of the DDNS server
- User name and password for the DDNS client to log in to the DDNS server
- Interval for sending DDNS update requests
Procedure
Step 1 Configure RouterA.
# Create a DDNS policy.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ddns policy mypolicy
After the configuration is complete, when the IP address of Eth1/0/0 changes, RouterA instructs
the DNS server, through the DDNS server, to map the domain name www.abc.com to the new IP
address. Users on the Internet can then resolve the domain name www.abc.com to the new IP
address.
# Configure OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
NOTE
To implement communication between the DDNS client, DDNS server, and the DNS server, configure
OSPF on RouterB and RouterC. For details about OSPF configurations on RouterB and RouterC, see the
configuration files.
# Run the display ddns interface ethernet 1/0/0 command on RouterA, and you can view
information about the DDNS policy on Eth1/0/0.
<RouterA> display ddns interface ethernet 1/0/0
===== Policy mypolicy =======
URL: oray://steven:nevets@phddnsdev.oray.net
Statuses: ESTABLISH
Refresh: enable
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
ddns policy mypolicy
url oray://steven:nevets@phddnsdev.oray.net
#
interface Ethernet1/0/0
ip address 1.1.1.2 255.255.0.0
ddns apply policy mypolicy fqdn www.abc.com
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return
Configuration file of RouterB
#
sysname RouterB
#
interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface Ethernet1/0/0
ip address 1.1.1.1 255.255.0.0
#
interface Ethernet2/0/0
ip address 2.1.1.1 255.255.0.0
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return
Configuration file of RouterC
#
sysname RouterC
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface Ethernet1/0/0
ip address 3.1.1.1 255.255.0.0
#
interface Ethernet2/0/0
ip address 2.1.1.2 255.255.0.0
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return
5 NAT Configuration
Network Address Translation (NAT) translates private addresses into public addresses. It
conserves IPv4 addresses and improves network security by shielding the private network
topology.
Principle of NAT
As shown in Figure 5-1, the private address must be translated when a host on a private network
accesses the Internet or interworks with the hosts on a public network.
Figure 5-1: internal network, Router (203.196.3.23), external network, WWW Server (202.18.245.251)
The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The
host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network
in Web mode.
The host sends a data packet, and uses port 6084 as the source port and port 80 as the destination
port. After the address is translated, the source address/port of the packet is changed to
203.196.3.23:32814, and the destination address/port remains unchanged. The AR150/200
maintains a mapping table between addresses and ports.
After the web server responds to the host, the AR150/200 translates the destination IP address/
port in the returned data packet to 10.1.1.48:6084. In this way, the host on the private network
can access the server on the public network.
Static NAT
Static NAT maps a private address to a public address. That is, the number of private addresses
is equal to the number of public addresses. Static NAT cannot save public addresses, but can
shield the topology of the private network.
When a packet is sent from a private network to the public network, static NAT translates the
source IP address of the packet to a public address. When the public network returns a response,
static NAT translates the destination IP address of the response packet to the private address.
PAT
Port address translation (PAT), which is also called network address port translation (NAPT),
maps a public address to multiple private addresses. Therefore, public addresses are saved. PAT
translates source IP addresses of packets from hosts that reside on the private network to a public
address. The translated port numbers of these packets are different, and the private addresses
can share a public address.
A mapping table between private addresses and ports is configured for PAT. Before packets
from different private addresses are sent to the public network, the PAT-enabled device replaces
the source addresses with the same public address. The source port numbers of the packets,
however, are replaced with different port numbers. When the public network returns response
packets to private networks, the PAT-enabled device translates the destination IP addresses to
private addresses according to the port numbers. Figure 5-2 shows how PAT translates IP
addresses and port numbers.
Figure 5-2: source address and port of each datagram before and after translation on the Router
Datagram    Before translation   After translation
Datagram 2  192.168.1.3:80       202.169.10.1:10080
Datagram 3  192.168.1.2:23       202.169.10.1:11023
Datagram 4  192.168.1.2:80       202.169.10.1:11080
Internal Server
NAT can shield internal hosts. In applications, users on the public network may need to access
the internal hosts. For example, users on the public network need to access a Web server or a
file transfer protocol (FTP) server.
NAT allows you to flexibly configure IP addresses for internal servers. For example, you can
use 202.110.10.10 or even 202.110.10.12:8080 as the public address of a Web server, and use
202.110.10.11 as the public address of an FTP server. Multiple servers (Web servers for
example) can be provided for external users.
You can configure an internal server and map the public address and port to the internal server.
In this way, hosts on the public network can access the internal server.
NAT Mapping
The NAT function saves IPv4 addresses and improves network security. NAT implementation
of different vendors may be different; therefore, the applications using the simple traversal of
UDP through NAT (STUN), traversal using relay NAT (TURN), and Interactive Connectivity
Establishment (ICE) technologies may fail to traverse the NAT devices of these vendors. These
technologies are commonly used on the SIP proxy. NAT mapping enables these applications to
traverse the NAT devices.
NAT Filtering
A NAT device filters the traffic from external network to internal network. After a host on the
internal network sends an access request to a host on the external network, the host on the external
network transmits traffic to the internal host. The NAT device filters the traffic sent to the internal
host.
Easy IP
Easy IP takes the public IP address of the interface as the source address after NAT is performed.
In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.
NAT ALG
Some protocols are sensitive to the NAT function and cannot work correctly without special
processing. Packets of these protocols contain the IP address and/or port number in the payload,
which affects protocol interaction.
The NAT ALG function allows such protocol packets to traverse NAT devices. It replaces the
IP address and port number in the payload to implement transparent transmission and relay of
protocol packets. The NAT ALG of the AR150/200 supports the domain name system (DNS),
FTP, Real-Time Streaming Protocol (RTSP) and Session Initiation Protocol (SIP).
Twice NAT
Basic NAT translates only the source or destination address of packets, whereas twice NAT
translates both the source and destination addresses. The twice NAT technology applies to the
scenario where IP addresses of hosts on private and public networks overlap. As shown in Figure
5-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the
public network. If PC2 on the private network sends a packet to PC3, the packet will be forwarded
to PC1. Twice NAT translates the overlapping IP address into a unique temporary address (based
on basic NAT) according to the mapping between the overlapping address pool and the
temporary address pool. In this way, packets can be forwarded correctly.
Figure 5-3: PC 1 (10.0.0.1/24) and PC 2 (10.0.0.1/24) on the private network, Router, DNS Server, and PC 3 (www.web.com, 10.0.0.1/24) on the public network
The mapping indicates that one overlapping address pool maps one temporary address pool. The
translation rules are as follows:
Temporary address = Start IP address in the temporary address pool + (Overlapping IP address - Start IP address in the overlapping address pool)
Overlapping address = Start IP address in the overlapping address pool + (Temporary IP address - Start IP address in the temporary address pool)
When PC2 on the private network accesses PC3 on the public network using the domain name,
packets are processed as follows:
1. PC2 sends a DNS request for resolving the domain name www.web.com of the web server.
After the DNS server resolves the DNS request, the AR150/200 receives the response
packet from the DNS server. The AR150/200 resolves the address 10.0.0.1 in the payload
of the response packet and detects that the address is an overlapping address (it is in the
overlapping address pool). The AR150/200 translates the address 10.0.0.1 into the
temporary address 3.0.0.1, and translates the destination address of the response packet
using basic NAT. Then the AR150/200 sends the packet to PC2.
2. PC2 sends an access request packet with the temporary address 3.0.0.1 corresponding to
www.web.com to access the public network. When the packet reaches the AR150/200, the
AR150/200 translates the source address of the packet using basic NAT and then translates
the destination address (temporary address) to the overlapping address 10.0.0.1.
3. The AR150/200 sends the packet to the WAN-side outbound interface. The packet is then
forwarded to PC3 hop by hop.
4. When the packet sent from PC3 to PC2 reaches the AR150/200, the AR150/200 checks the
source address 10.0.0.1, which is the overlapping address (it is in the overlapping address
pool). The AR150/200 translates the source address to the temporary address 3.0.0.1, and
translates the destination address using basic NAT. Then the AR150/200 sends it to PC2.
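The two translation rules and the four steps above can be followed in code. The following is an added example, not Huawei code: it implements the pool arithmetic and replays the PC2 to PC3 exchange. The pool start addresses 10.0.0.1 and 3.0.0.1 follow from the 10.0.0.1 to 3.0.0.1 translation in the text; the pool length of 254, PC2's address 10.0.0.2, the public address 203.0.113.10 used for basic NAT, and all class and function names are assumptions for illustration.

```python
# Added example: twice NAT pool arithmetic and the PC2 -> PC3 exchange.
# Assumed values (not from the guide): pool length 254, PC2 = 10.0.0.2,
# basic NAT public address 203.0.113.10.
import ipaddress


class OverlapMap:
    """One mapping between an overlapping pool and a temporary pool."""

    def __init__(self, overlap_start, temp_start, length):
        if not 1 <= length <= 255:  # the guide allows up to 255 addresses
            raise ValueError("pool length must be between 1 and 255")
        self.overlap_start = int(ipaddress.IPv4Address(overlap_start))
        self.temp_start = int(ipaddress.IPv4Address(temp_start))
        self.length = length

    def _shift(self, addr, from_start, to_start):
        """Apply 'to_start + (addr - from_start)' if addr is in the pool."""
        offset = int(ipaddress.IPv4Address(addr)) - from_start
        if 0 <= offset < self.length:
            return str(ipaddress.IPv4Address(to_start + offset))
        return None  # address is outside the pool: no twice NAT

    def to_temp(self, addr):
        return self._shift(addr, self.overlap_start, self.temp_start)

    def to_overlap(self, addr):
        return self._shift(addr, self.temp_start, self.overlap_start)


class TwiceNat:
    def __init__(self, overlap_map, basic_nat):
        self.map = overlap_map
        self.private_to_public = dict(basic_nat)  # one-to-one basic NAT
        self.public_to_private = {pub: priv for priv, pub in basic_nat.items()}

    def dns_response(self, answer_ip):
        """Step 1: rewrite an overlapping address in the DNS answer payload."""
        return self.map.to_temp(answer_ip) or answer_ip

    def outbound(self, src, dst):
        """Steps 2 and 3: basic NAT on the source, temporary address back to
        the overlapping address on the destination."""
        return (self.private_to_public.get(src, src),
                self.map.to_overlap(dst) or dst)

    def inbound(self, src, dst):
        """Step 4: overlapping source to temporary address, basic NAT on the
        destination."""
        return (self.map.to_temp(src) or src,
                self.public_to_private.get(dst, dst))


def walk_through():
    """Replay the exchange; returns (DNS answer, request, reply) as PC2 and
    PC3 see the addresses after translation."""
    nat = TwiceNat(OverlapMap("10.0.0.1", "3.0.0.1", 254),
                   {"10.0.0.2": "203.0.113.10"})
    answer = nat.dns_response("10.0.0.1")       # what PC2 receives
    request = nat.outbound("10.0.0.2", answer)  # (src, dst) on the WAN side
    reply = nat.inbound("10.0.0.1", request[0])  # (src, dst) delivered to PC2
    return answer, request, reply


if __name__ == "__main__":
    print(walk_through())
```

PC2 only ever sees 3.0.0.1 for www.web.com, so its traffic can no longer be delivered to the local host that owns 10.0.0.1.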
Applicable Environment
NAT must be configured at the boundary between the private network and the public network
so that it can translate private and public addresses.
Pre-configuration Tasks
Before configuring NAT, complete the following task:
- Creating a basic ACL or an advanced ACL and configuring ACL rules
Data Preparation
To configure NAT, you need the following data.
No.  Data
1    Number of the public address pool, start IP address, and end IP address
3    Information about the internal server, including the protocol type, public address, public port number, private address (the VPN instance may be included), and (optional) private port number
4    Information about static NAT, including the protocol type, public address, public port number, private address (the VPN instance may be included), (optional) private port number, and subnet mask
5    Index of the overlapping address pool and temporary address pool, start IP address, address pool length, and (optional) VPN instance
Procedure
Step 1 Run:
system-view
The public address pool IDs are numerals. Up to 8 address pools can be configured.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
After an ACL is associated with an address pool, the AR150/200 translates source addresses of
data packets matching the ACL to an IP address in the address pool. Different IP address
translation entries can be configured on an interface.
In the command, no-pat indicates one-to-one NAT, that is, only the IP address is translated and
the port number is not translated.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
nat outbound acl-number [ address-group group-index [ no-pat ] | interface loopback interface-number ]
Easy IP is configured.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
- nat server protocol { tcp | udp } global { global-address | current-interface } global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- nat server protocol { tcp | udp } global interface loopback interface-number global-port [ vpn-instance vpn-instance-name ] inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
- nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ acl acl-number ] [ description description ]
Users on the public network can access the configured internal server. When a host on the public
network sends a connection request to the public address (global-address) of the internal server,
NAT translates the destination address of the request to a private address (host-address). The
AR150/200 then forwards the request to the server.
NOTE
When configuring an internal server, ensure that global-address and host-address are different from
interface IP addresses and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
When configuring static NAT, ensure that global-address and host-address are different from interface IP
addresses and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
----End
Context
NAT filtering has the following modes:
- Endpoint-independent filtering
- Address-dependent filtering
- Address and port-dependent filtering
Procedure
Step 1 Run:
system-view
----End
Context
The NAT function saves IPv4 addresses and improves network security. NAT mapping has the
following modes:
- Endpoint-independent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
- Address-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.
- Address and port-dependent mapping: reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address and port while the mapping is still active.
Procedure
Step 1 Run:
system-view
NAT mapping applies to the traffic from an internal network to an external network. The default
mode is address and port-dependent mapping.
----End
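The PAT mapping table described earlier and the mapping and filtering modes listed above determine which external hosts can reach an internal host through a translated port. The following is an added example, not Huawei code: a small model of a PAT device that allocates public ports according to the mapping mode and accepts or drops inbound packets according to the filtering mode. The filtering behaviour follows the usual definitions of the three mode names (RFC 4787); the class name, starting port 10000, and the 198.51.100.x peers are assumptions, and mapping ageing is not modelled.

```python
# Added example: NAT mapping and filtering modes on a PAT device.
# Names, the first public port and the external peers are assumptions.
from itertools import count

EI = "endpoint-independent"
AD = "address-dependent"
APD = "address-and-port-dependent"


def _key(mode, internal, remote):
    """Part of a flow that selects a mapping in the given mode."""
    if mode == EI:
        return (internal,)
    if mode == AD:
        return (internal, remote[0])
    if mode == APD:
        return (internal, remote)
    raise ValueError(f"unknown mode: {mode}")


class PatDevice:
    def __init__(self, public_ip, mapping=APD, filtering=APD, first_port=10000):
        self.public_ip = public_ip
        self.mapping, self.filtering = mapping, filtering
        self._ports = count(first_port)
        self.map_table = {}  # mapping key -> public port
        self.reverse = {}    # public port -> internal (ip, port)
        self.allowed = {}    # public port -> remotes allowed to send inbound

    def _filter_key(self, remote):
        """What the filter remembers about a remote endpoint."""
        if self.filtering == EI:
            return None        # any remote host and port matches
        if self.filtering == AD:
            return remote[0]   # remote IP address only
        return remote          # remote IP address and port

    def outbound(self, internal, remote):
        """Translate an outbound packet; returns the public (ip, port)."""
        key = _key(self.mapping, internal, remote)
        port = self.map_table.get(key)
        if port is None:
            port = next(self._ports)
            self.map_table[key] = port
            self.reverse[port] = internal
        self.allowed.setdefault(port, set()).add(self._filter_key(remote))
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the internal (ip, port) or None if the packet is dropped."""
        internal = self.reverse.get(public_port)
        if internal is None:
            return None  # no mapping for this public port
        if self._filter_key(remote) not in self.allowed[public_port]:
            return None  # filtered: the host never contacted this remote
        return internal


def ports_used(mode):
    """Public ports consumed by one internal socket talking to three peers."""
    nat = PatDevice("202.169.10.1", mapping=mode)
    host = ("192.168.1.2", 80)
    peers = [("198.51.100.7", 80), ("198.51.100.7", 443), ("198.51.100.8", 80)]
    return len({nat.outbound(host, peer)[1] for peer in peers})


if __name__ == "__main__":
    for mode in (EI, AD, APD):
        print(mode, ports_used(mode))
```

With endpoint-independent filtering, any external host can reach the internal host through a live mapping, which is what STUN-style traversal relies on; address and port-dependent filtering admits only the endpoint the internal host contacted.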
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat dns-map domain-name global-address global-port { tcp | udp }
The mapping from a domain name to a public IP address, port number, and protocol type is
configured.
Step 3 Run:
nat alg { all | dns | ftp | rtsp | sip } enable
CAUTION
The NAT ALG function allows hosts on a private network to access servers on the private
network through the external DNS server.
----End
Context
When IP addresses of internal hosts and external hosts overlap, configure the mapping between
the overlapping address pool and the temporary address pool. Then the overlapping address is
translated to a unique temporary address and packets can be forwarded correctly. In addition,
configure outbound NAT to implement twice NAT.
Procedure
Step 1 Run:
system-view
Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]
The overlapping address pool and temporary address pool contain consecutive IP addresses. The
lengths of the two address pools are the same, and up to 255 IP addresses can be configured in
each of the two address pools.
Up to 8 mapping entries between the overlapping address pool and the temporary address pool
can be configured.
When the VPN instance in the NAT mapping is deleted, the twice NAT configuration is also
deleted.
----End
Procedure
- Run the display nat alg command to check whether the NAT ALG function is enabled.
- Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.
- Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.
- Run the display nat outbound [ acl acl-number | address-group group-index | interface { Ethernet } interface-number.subnumber ] command to check information about outbound NAT.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.
- Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.
- Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.
- Run the display nat mapping table { all | number } command to view the NAT mapping table information or number of entries in the table.
----End
Networking Requirements
As shown in Figure 5-4, a company is connected to the wide area network (WAN) through the
AR150/200 enabled with the network address translation (NAT) function. The company
provides the web server and FTP server for users on the public network to access. The private
IP address of the web server is 192.168.20.2:8080 and its public address is 202.169.10.5/24. The
private IP address of the FTP server is 10.0.0.3/24 and its public address is 202.169.10.33/24, and
the interface address of the AR150/200 connected to the carrier device is 202.169.10.2/24.
Figure 5-4: WWW Server (192.168.20.2:8080) on Eth0/0/0 and FTP Server (10.0.0.3/24) on Eth0/0/1 of the Router; Eth2/0/0 of the Router faces the Host on the public network
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and configure the NAT servers on the WAN-side
interface to allow external users to access the internal servers.
2. Configure a default route.
3. Enable the FTP NAT ALG function to allow the external FTP packets to traverse the NAT
servers.
Procedure
Step 1 Configure IP addresses for the interfaces on the AR150/200 and configure the NAT server on
the WAN-side interface.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
[Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[Huawei-Ethernet2/0/0] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
[Huawei-Ethernet2/0/0] quit
Step 2 On the AR150/200, configure a static route with the next hop address 202.169.10.2.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
Step 3 Enable the NAT ALG function for FTP packets on the AR150/200.
[Huawei] nat alg ftp enable
Run the display nat server command on the AR150/200 to view the NAT server configuration.
[Huawei] display nat server
Nat Server Information:
Interface : Ethernet2/0/0
Global IP/Port : 202.169.10.5/80(www)
Inside IP/Port : 192.168.20.2/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Total : 2
Run the display nat alg command on the AR150/200, and the command output is as follows:
[Huawei] display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application Status
----------------------------------
dns Disabled
ftp Enabled
rtsp Disabled
sip Disabled
----------------------------------
Verify that external users can access the web server and FTP server.
----End
Configuration Files
#
vlan batch 100 200
#
nat alg ftp enable
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 100
#
interface Ethernet0/0/1
port link-type access
port default vlan 200
#
interface Ethernet2/0/0
ip address 202.169.10.1 255.255.255.0
nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
return
Networking Requirements
As shown in Figure 5-5, the intranet of area A is connected to the wide area network (WAN)
through the AR150/200. The network address translation (NAT) function is enabled on the
AR150/200. To ensure the security of company A's intranet, you need to use the IP addresses
in the public address pool (202.169.10.100-202.169.10.200) to replace the host addresses of area
A on the network segment 192.168.20.0/24. The hosts of area A then can access servers on the
WAN.
The intranet of area B is also connected to the WAN through the AR150/200. Only a few public
IP addresses are allocated to area B. To save the public IP addresses and improve the security
of company B's intranet, you need to use the IP addresses in the public address pool
(202.169.10.80-202.169.10.83) to replace the host addresses of area B on the network segment
10.0.0.0/24. The hosts of company B then can access servers on the WAN.
[Figure 5-5: networking diagram. Area A (PC 1...PC n, 192.168.20.0/24) connects to Eth0/0/0 of the Router and Area B (PC 1...PC n, 10.0.0.0/24) connects to Eth0/0/1; Eth2/0/0 faces the WAN.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure IP addresses for the interfaces of the AR150/200.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
[Huawei-Ethernet2/0/0] quit
Step 2 On the AR150/200, configure a static route with the next hop address 202.169.10.2.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
----End
Configuration Files
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
rule 5 permit source 10.0.0.0 0.0.0.255
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 100
#
interface Ethernet0/0/1
port link-type access
port default vlan 200
#
interface Ethernet2/0/0
ip address 202.169.10.1 255.255.255.0
nat outbound 2000 address-group 1 no-pat
nat outbound 2001 address-group 2
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
ip route-static 0.0.0.0 0.0.0.0 Ethernet 2/0/0
#
return
Networking Requirements
As shown in Figure 5-6, the IP address of PC1 on the private network is the same as the IP
address of host A on the public network. When PC2 sends a packet to host A, the packet may
be forwarded to PC1. In addition to the network address translation function, twice NAT of the
AR150/200 specifies the mapping between the overlapping address pool and the temporary
address pool. The overlapping IP address is translated to a unique temporary address so that
packets can be forwarded correctly.
[Figure 5-6: networking diagram. Labels recovered: Eth0/0/0, Eth2/0/0, Company B, PC 2, DNS Server (10.0.0.3/24).]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure IP addresses for the interfaces of the AR150/200.
<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 192.168.20.1 24
[Huawei-Vlanif100] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] port link-type access
[Huawei-Ethernet0/0/0] port default vlan 100
[Huawei-Ethernet0/0/0] quit
[Huawei] vlan 200
[Huawei-vlan200] quit
[Huawei] interface vlanif 200
[Huawei-Vlanif200] ip address 10.0.0.1 24
[Huawei-Vlanif200] quit
[Huawei] interface Ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type access
[Huawei-Ethernet0/0/1] port default vlan 200
[Huawei-Ethernet0/0/1] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 202.169.10.1 24
[Huawei-Ethernet2/0/0] quit
Step 3 Configure the mapping between the overlapping address pool and the temporary address pool
on the AR150/200.
[Huawei] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
Step 4 Configure a static route on the AR150/200 from the temporary address pool to outbound interface
Ethernet2/0/0.
[Huawei] ip route-static 202.169.100.2 32 ethernet 2/0/0 202.169.10.2
Run the display nat overlap-address all command on the AR150/200 to view the mapping
between address pools.
[Huawei] display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
-------------------------------------------------------------------------------
Id Overlap-Address Temp-Address Pool-Length Inside-VPN-Instance-Name
-------------------------------------------------------------------------------
0 192.168.20.2 202.169.100.2 254
-------------------------------------------------------------------------------
Total : 1
Run the display nat outbound command on the AR150/200 to view outbound NAT information.
[Huawei] display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-----------------------------------------------------------------
Ethernet2/0/0 3180 1 pat
-----------------------------------------------------------------
Total : 1
----End
Configuration Files
#
vlan batch 100 200
#
acl number 3180
rule 5 permit ip source 192.168.20.0 0.0.0.255
#
nat alg dns enable
#
nat address-group 1 160.160.0.2 160.160.0.254
#
nat dns-map www.server.com 192.168.20.2 80 tcp
#
nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
#
ip route-static 202.169.100.2 255.255.255.255 Ethernet2/0/0 202.169.10.2
#
interface Vlanif100
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif200
ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 100
#
interface Ethernet0/0/1
port link-type access
port default vlan 200
#
interface Ethernet2/0/0
ip address 202.169.10.1 255.255.255.0
nat outbound 3180 address-group 1
#
return
6 DHCP Configuration
The Dynamic Host Configuration Protocol (DHCP) dynamically assigns and manages IP
addresses and other configuration parameters from specified address pools to clients, ensuring
reasonable IP address allocation and high usage.
This section describes how to clear DHCP statistics and monitor DHCP status.
6.9 Configuration Examples
The DHCP configuration examples provide networking requirements, networking diagram,
precautions, configuration roadmaps, and configuration procedures.
As the network expands and becomes complex, the number of hosts often exceeds the number
of available IP addresses. As portable computers and wireless networks are widely used, the
positions of computers often change, causing IP addresses of the computers to be changed
accordingly. As a result, network configurations become increasingly complex. DHCP is
developed to solve the preceding problems.
DHCP uses the client/server model. A client sends a configuration request to the server, and the
server replies with requested configurations, such as an IP address to the client. This allows
dynamic configuration for clients.
The early DHCP protocol is applicable only to the scenario where the DHCP clients and DHCP
server reside on the same subnet. This requires that each subnet be configured with a DHCP
server, wasting resources. The DHCP relay function is used to solve this problem.
When the AR150/200 functions as a server, create an address pool on the AR150/200 to provide
IP addresses to DHCP clients. The address pool can be a global address pool or an interface
address pool.
• After a DHCP server based on a global address pool is configured, all online users of the
server can obtain IP addresses from this address pool.
• After a DHCP server based on an interface address pool is configured, only users that get
online from this specified interface can obtain IP addresses from this address pool.
The AR150/200 allocates IP addresses to clients by using the global address pool or an interface
address pool.
Applicable Environment
When the AR150/200 functions as a DHCP server, you can configure a global address pool on
the AR150/200. The AR150/200 then allocates IP addresses and configuration parameters to
clients from the global address pool.
The global address pool applies to the following scenarios:
DHCP clients and the AR150/200 used as a DHCP server are on the same network segment.
DHCP clients can obtain IP addresses and other configuration parameters from a global address
pool. Figure 6-1 shows the networking.
[Figure 6-1: networking diagram showing the DHCP Server and the DHCP Client.]
DHCP clients and the AR150/200 functioning as a DHCP server are on different network
segments. DHCP clients can obtain IP addresses and other configuration parameters from a
global address pool through a DHCP relay agent. Figure 6-2 shows the networking.
[Figure 6-2: networking diagram showing the DHCP Client, the DHCP Relay, the Internet, and the DHCP Server.]
Pre-configuration Tasks
Before configuring a DHCP server based on a global address pool, complete the following tasks:
• Ensuring that the link between the DHCP client and the AR150/200 works properly
• (Optional) Configuring the DNS service on a DHCP client
• (Optional) Configuring the NetBIOS service on a DHCP client
• Configuring the routes destined to the DNS server and the NetBIOS server on the
AR150/200 (The routes are configured only after the DNS and NetBIOS servers are
configured.)
• (Optional) Configuring user-defined DHCP options on the DHCP server
Data Preparation
To configure the DHCP server based on a global address pool, you need the following data.
No. Data
1 Name of a global address pool, IP address range and lease, (optional) range of IP
addresses that cannot be assigned dynamically, and (optional) IP and MAC address
entries that need to be statically bound
3 (Optional) IP address of the DNS server and domain name of a DHCP client
4 (Optional) IP address of the NetBIOS server and the NetBIOS node type of a DHCP
client
Procedure
Step 1 Run:
system-view
• If a DHCP client and the AR150/200 functioning as the DHCP server are on the same network
segment, and no relay agent is deployed between them, the AR150/200 assigns IP addresses
on the same network segment as the interface to users who get online from the interface. If
no IP address is configured for the interface, or there is no address pool having the same
network segment as the interface, users cannot get online.
• If a DHCP client and the AR150/200 functioning as a DHCP server are on different network
segments, and a DHCP relay agent is deployed between them, the AR150/200 parses the
giaddr field of a DHCP request packet to obtain an IP address. If the IP address does not
match the corresponding address pool, the user cannot get online.
Step 5 Run:
dhcp select global
The interface is configured to select a global address pool for IP address allocation. After the
configuration, users who get online from this interface can obtain IP addresses and other
configuration parameters from a global address pool.
----End
are bound manually. IP addresses in the global address pool can be assigned dynamically or
bound manually as required.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool ip-pool-name
Step 3 Run:
network ip-address [ mask { mask | mask-length } ]
The range of dynamically assignable IP addresses in the global address pool is configured.
Only one address segment can be specified for an address pool. A mask can be used to set the
address range of the address pool.
NOTE
When configuring the range of dynamically assignable IP addresses in the global address pool, ensure that the
range is the same as the network segment on which the DHCP server interface address or the DHCP relay agent
interface address resides. This avoids incorrect assignment of IP addresses.
The DHCP server can specify different IP address leases for different address pools. All IP
addresses in an address pool must have the same lease.
The range of the IP addresses that cannot be dynamically assigned in the global address pool is
configured.
If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a
DHCP client. You can run the excluded-ip-address command once to configure an IP
address that cannot be assigned dynamically. Running the excluded-ip-address command
multiple times specifies multiple IP addresses that cannot be dynamically assigned.
Step 6 Run:
gateway-list ip-address &<1-8>
NOTE
When a DHCP client is communicating with a server or a host outside the local network segment, the data
transmitted between them is forwarded or received by using the gateway.
To perform load balancing for traffic and improve network reliability, you can configure multiple gateways.
An address pool can be configured with a maximum of eight gateway addresses. Gateway addresses cannot
be subnet broadcast addresses.
If a user requires a fixed IP address, you can bind an unused IP address to the MAC address of
the user device.
NOTE
Before binding the IP address to a MAC address, ensure that the IP address is one of IP addresses that can be
dynamically assigned.
IP addresses that cannot be released from the IP address pool are recycled.
----End
Context
The DNS and NetBIOS configurations have been specified before the DHCP server allocates
IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier,
dynamically allocate the DNS and NetBIOS configurations to the DHCP client.
NOTE
If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool ip-pool-name
Step 3 Run:
import all
The DHCP client is dynamically allocated the DNS and NetBIOS configurations.
----End
Context
When a host accesses the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool ip-pool-name
Step 3 Run:
domain-name domain-name
The DNS domain name that is assigned to the DHCP client is configured.
On the DHCP server, you can specify a DNS domain name used by the client for each address
pool.
Step 4 Run:
dns-list ip-address &<1-8>
The IP address of the DNS server connected to the DHCP client is configured.
To perform load balancing on traffic and improve network reliability, you can configure multiple
DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.
----End
Context
NOTE
Before a DHCP client communicates with hosts by using NetBIOS, the mapping between the
host names and IP addresses of the client and host needs to be established. The DHCP client can
be specified as one of the following NetBIOS nodes based on mappings between host names
and IP addresses:
• B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP
addresses in broadcast mode.
• P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP
addresses from the NetBIOS server.
• M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.
• H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer
communication mechanism.
Procedure
Step 1 Run:
system-view
The IP address of the NetBIOS server connected to the DHCP client is configured.
An address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 4 Run:
netbios-type { b-node | h-node | m-node | p-node }
----End
Context
If the Option attribute has been configured on the DHCP server and a DHCP client applies for
an IP address, the client can obtain the configurations in the Option field of the DHCPREPLY
packet from the server.
NOTE
The DNS service, NetBIOS service, and IP address lease can be configured by commands. If these
commands are not supported by the device, you can run the option command to configure values for the
options corresponding to the DNS service, NetBIOS service, and IP address lease.
The related commands are as follows:
• DNS service: domain-name and dns-list
• NetBIOS service: nbns-list and netbios-type
• IP address lease: lease
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip pool ip-pool-name
Step 3 Run:
option code [ sub-option sub-code ] { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }
The option command specifies the options that are sent in the DHCP packet by the server to the
client. Learn about the functions of options before running the option command. For descriptions
of common DHCP options, see RFC 2132.
----End
Context
You can use the dhcp server ping command to check whether a response to the ping packet is
received within a specified period. If the AR150/200 does not receive a response packet within
the specified period, it sends ping packets continuously until the number of sent ping packets
reaches the upper limit. If the AR150/200 still does not receive a response packet, the IP address
is not used on the local network segment. This ensures that the IP address to be assigned is
unique.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server ping packet number
The maximum number of ping packets that the AR150/200 can send to the same destination is
configured.
The default value is 0, which means that the AR150/200 sends no ping packets and does not perform the check.
Step 3 Run:
dhcp server ping timeout milliseconds
The timeout period to wait for a response packet is set for the AR150/200.
By default, the timeout period is 500 milliseconds.
----End
Prerequisites
The configurations of the DHCP server based on the global address pool are complete.
Procedure
• Run the display dhcp server statistics command to check the statistics on the DHCP
server.
• Run the display ip pool name ip-pool-name [ low-ip-address high-ip-address | all |
expired | conflict | used ] command to check information about the configured global
address pool.
----End
Example
Run the display dhcp server statistics command to view statistics on the DHCP server.
<Huawei> display dhcp server statistics
DHCP Server Statistics:
Client Request: 6
Dhcp Discover: 1
Dhcp Request: 4
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Server Reply: 4
Dhcp Offer: 1
Dhcp Ack: 3
Dhcp Nak: 0
Bad Messages: 0
Run the display ip pool name ip-pool-name command to view information about the IP address
pool named pool1.
<Huawei> display ip pool name pool1
Pool-Name : pool1
Pool-No : 2
Lease : 3 Days 0 Hours 0 Minutes
Domain-name : -
DNS-Server0 : 10.10.10.5
DNS-Server1 : 10.10.10.6
NBNS-Server0 : 20.20.20.5
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.10
Mask : 255.255.255.0
Vpn instance : --
--------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
--------------------------------------------------------------------------
10.10.10.1 10.10.10.254 253 0 253 0 0
--------------------------------------------------------------------------
Applicable Environment
On the AR150/200 functioning as a DHCP server, you can configure an interface address pool.
As shown in Figure 6-3, interface address pools are applicable only to the scenario where a
DHCP client and a server are on the same network segment.
[Figure 6-3: networking diagram showing the DHCP Server and the DHCP Client.]
Pre-configuration Tasks
Before configuring a DHCP server based on an interface address pool, complete the following
tasks:
• Ensuring that the link between a DHCP client and the AR150/200 works properly
• (Optional) Configuring the DNS server
• (Optional) Configuring the NetBIOS server
• Configuring the routes destined to the DNS server and the NetBIOS server on the
AR150/200 (The routes can be configured only after the DNS and NetBIOS servers are
configured.)
Data Preparation
To configure a DHCP server based on an interface address pool, you need the following data.
No. Data
1 Number of the interface on which the interface address pool is enabled, IP address
range and lease, (optional) range of IP addresses that cannot be assigned dynamically,
and (optional) IP and MAC address entries that need to be bound statically
2 (Optional) IP address of the DNS server and domain name of a DHCP client
3 (Optional) IP address of the NetBIOS server and NetBIOS node type of a DHCP
client
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp enable
Step 3 Run:
interface interface-type interface-number
On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface
or its sub-interface, or a VLANIF interface can be configured to select an interface address pool
for IP address allocation.
Step 4 Run:
ip address ip-address { mask | mask-length }
Step 5 Run:
dhcp select interface
The AR150/200 is configured to select an interface address pool for IP address allocation.
The range of dynamically assignable IP addresses in the interface address pool is the network
segment to which the address of the interface belongs. The users whose IP addresses are in this
network segment can get online only from this interface.
The IP address that cannot be assigned dynamically in the interface address pool is specified.
If an IP address has been assigned to a server, such as a DNS server, it cannot be assigned to a
DHCP client. You can run the dhcp server excluded-ip-address command once to
configure an IP address that cannot be assigned dynamically. Running the dhcp server
excluded-ip-address command multiple times specifies multiple IP addresses that cannot be
dynamically assigned.
If a user requires a fixed IP address, you can bind an unused IP address in the interface address
pool to the MAC address of the user device.
NOTE
Before binding the IP address to the MAC address, ensure that the IP address is dynamically assignable in the
interface address pool.
----End
Context
The DNS and NetBIOS configurations have been specified before the DHCP server allocates
IP addresses to the DHCP client. If you do not have the configurations allocated by the carrier,
dynamically allocate the DNS and NetBIOS configurations to the DHCP client.
NOTE
If the static DNS, NetBIOS, and domain name are available in the address pool, use the static configurations.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Interfaces on the AR150/200 that can work in the interface address pool mode are Ethernet
interfaces and sub-interfaces, Eth-trunk interfaces and sub-interfaces, and VLANIF interfaces.
Step 3 Run:
dhcp select interface
Step 4 Run:
dhcp server import all
The DHCP client is dynamically allocated the DNS and NetBIOS configurations.
----End
Context
When a host accesses the Internet through the domain name, the domain name needs to be
resolved to the IP address. This is implemented by the DNS. To ensure that a DHCP client can
successfully connect to the Internet, the DHCP server needs to specify the DNS server address
when allocating the IP address to the client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface
or its sub-interface, and a VLANIF interface can be configured to select an interface address
pool for IP address allocation.
Step 3 Run:
dhcp server domain-name domain-name
The DNS domain name that is assigned to the DHCP client is configured.
Step 4 Run:
dhcp server dns-list ip-address &<1-8>
The IP address of the DNS server used by the DHCP client is configured.
To perform load balancing on traffic and improve network reliability, you can configure multiple
DNS servers. An address pool can be configured with a maximum of eight DNS server addresses.
----End
Context
Before a host on the DHCP client communicates with another host by using NetBIOS, the
mappings between the host names and IP addresses need to be established. The DHCP client
can be specified as one of the following NetBIOS nodes based on mappings between host names
and IP addresses:
• B-node: b indicates broadcast. B-nodes obtain mappings between host names and IP
addresses in broadcast mode.
• P-node: p indicates peer-to-peer. P-nodes obtain mappings between host names and IP
addresses from the NetBIOS server.
• M-node: m indicates mixed. M-nodes are the p-nodes that have some broadcast features.
• H-node: h indicates hybrid. H-nodes are the b-nodes that provide the peer-to-peer
communication mechanism.
Procedure
Step 1 Run:
system-view
Step 3 Run:
dhcp server nbns-list ip-address &<1-8>
The IP address of the NetBIOS server used by the DHCP client is configured.
An address pool can be configured with a maximum of eight NetBIOS server addresses.
Step 4 Run:
dhcp server netbios-type { b-node | h-node | m-node | p-node }
----End
Context
If the Option attribute has been configured on the DHCP server and the DHCP client applies for
an IP address, the client can obtain the configurations in the Option field of the DHCP packet
from the server.
NOTE
The DNS service, NetBIOS service, and IP address lease can be configured by using commands. If these
commands are not supported by the device, you can run the option command to configure values for the
options corresponding to the DNS service, NetBIOS service, and IP address lease.
The related commands are as follows:
• DNS service: dhcp server domain-name and dhcp server dns-list
• NetBIOS service: dhcp server nbns-list and dhcp server netbios-type
• IP address lease: dhcp server lease
Procedure
Step 1 Run:
system-view
The dhcp server option command specifies the options that are sent in the DHCPREPLY packet
by the server to the client. Learn about the functions of options before running the option
command. For descriptions of common DHCP options, see RFC 2132.
----End
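The NOTE above ties the DNS, NetBIOS and lease commands to DHCP options, both for the option command in the address pool view and for dhcp server option in the interface view. The following added example (not taken from the Huawei guide) encodes those settings as RFC 2132 option TLVs and parses them back strictly; the function names and sample values are constructed, and the exact hex-string syntax that the option command accepts is not shown on this page.

```python
import ipaddress
import struct

# RFC 2132 option codes for the settings the NOTE lists.
OPT_DNS_SERVERS = 6         # dns-list / dhcp server dns-list
OPT_DOMAIN_NAME = 15        # domain-name / dhcp server domain-name
OPT_NBNS_SERVERS = 44       # nbns-list / dhcp server nbns-list
OPT_NETBIOS_NODE_TYPE = 46  # netbios-type / dhcp server netbios-type
OPT_LEASE_TIME = 51         # lease / dhcp server lease
OPT_PAD, OPT_END = 0, 255
NODE_TYPES = {"b-node": 0x1, "p-node": 0x2, "m-node": 0x4, "h-node": 0x8}


def ip_list(addresses):
    """Pack 1 to 8 IPv4 addresses, the &<1-8> limit from the command syntax."""
    if not 1 <= len(addresses) <= 8:
        raise ValueError("between 1 and 8 addresses are allowed")
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def tlv(code, value):
    """One option: code byte, length byte, value."""
    if not OPT_PAD < code < OPT_END:
        raise ValueError("code must be 1..254")
    if not 1 <= len(value) <= 255:
        raise ValueError("value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def build_options(domain, dns, nbns, node_type, lease_seconds):
    """Options field a server would send for one address pool."""
    return b"".join([
        tlv(OPT_DOMAIN_NAME, domain.encode("ascii")),
        tlv(OPT_DNS_SERVERS, ip_list(dns)),
        tlv(OPT_NBNS_SERVERS, ip_list(nbns)),
        tlv(OPT_NETBIOS_NODE_TYPE, bytes([NODE_TYPES[node_type]])),
        tlv(OPT_LEASE_TIME, struct.pack("!I", lease_seconds)),
        bytes([OPT_END]),
    ])


def parse_options(field):
    """Strict parser: returns {code: value}, rejects truncated or unterminated data."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: length byte missing")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        options[code] = value
        i += 2 + length
    raise ValueError("end option (255) missing")


def hex_values(field):
    """Hex form of each option value, e.g. to compare with a packet capture."""
    return {code: value.hex() for code, value in parse_options(field).items()}


# Constructed sample: the DNS/NBNS servers and 3-day lease shown for pool1 on
# this page; the domain name is a placeholder.
SAMPLE = build_options("example.test", ["10.10.10.5", "10.10.10.6"],
                       ["20.20.20.5"], "h-node", 3 * 24 * 3600)

if __name__ == "__main__":
    for code, value in sorted(hex_values(SAMPLE).items()):
        print(code, value)
```

Comparing these values with the options seen in a captured DHCP reply is a quick way to confirm that clients receive the DNS and NetBIOS servers the pool is meant to hand out.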
Context
You can use the dhcp server ping command to check whether a response to the ping packet is
received within a specified period. If the AR150/200 does not receive a response packet within
the specified period, it sends ping packets continuously until the number of sent ping packets
reaches the upper limit. If the AR150/200 still does not receive a response packet, the IP address
is not used on the local network segment. This ensures that the IP address to be assigned is
unique.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server ping packet number
The maximum number of ping packets that the AR150/200 can send to the same destination is
configured.
The default value is 0, which means that the AR150/200 sends no ping packets and does not perform the check.
Step 3 Run:
dhcp server ping timeout milliseconds
The timeout period to wait for a response packet is set for the AR150/200.
----End
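Added example, not Huawei code: a simplified Python model of how excluded addresses, static bindings and the dhcp server ping check interact when an address pool (global or interface) hands out an address. The class, the lowest-address-first allocation order and the sample hosts are assumptions made for illustration.

```python
import ipaddress


class AddressPool:
    """Simplified model of one DHCP address pool (names are hypothetical)."""

    def __init__(self, network, gateway, excluded=(), static_bind=None,
                 ping_packets=0, ping_timeout_ms=500):
        self.net = ipaddress.ip_network(network)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded}
        self.static = {m.lower(): ipaddress.IPv4Address(a)
                       for m, a in (static_bind or {}).items()}
        self.ping_packets = ping_packets        # page default: 0, no probe is sent
        self.ping_timeout_ms = ping_timeout_ms  # page default: 500 ms
        self.leases = {}                        # MAC -> leased address
        self.conflicts = set()                  # addresses that answered a probe
        for addr in self.static.values():
            # NOTE on the page: a bound address must be dynamically assignable.
            if addr not in self.net or addr in self.excluded or addr == self.gateway:
                raise ValueError(f"{addr} is not assignable in {self.net}")

    def assignable(self):
        """Host addresses minus the gateway and the excluded addresses."""
        blocked = self.excluded | {self.gateway}
        return [a for a in self.net.hosts() if a not in blocked]

    def answers_ping(self, addr, probe):
        """Send at most ping_packets probes; True as soon as one is answered."""
        for _ in range(self.ping_packets):
            if probe(addr, self.ping_timeout_ms):
                return True
        return False

    def allocate(self, mac, probe):
        mac = mac.lower()
        if mac in self.static:                  # fixed address for this device
            self.leases[mac] = self.static[mac]
            return self.static[mac]
        if mac in self.leases:
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.static.values()) | self.conflicts
        for addr in self.assignable():          # lowest-first order is an assumption
            if addr in taken:
                continue
            if self.answers_ping(addr, probe):
                self.conflicts.add(addr)        # already used on the segment
                continue
            self.leases[mac] = addr
            return addr
        return None                             # pool exhausted


# Constructed scenario: a host with a manually configured 10.10.10.1 is on the segment.
LIVE_HOSTS = {ipaddress.IPv4Address("10.10.10.1")}


def make_probe(log):
    def probe(addr, timeout_ms):
        log.append((str(addr), timeout_ms))
        return addr in LIVE_HOSTS
    return probe


def run_scenario(ping_packets):
    """Allocate one dynamic and one statically bound client; return what happened."""
    log = []
    pool = AddressPool("10.10.10.0/24", gateway="10.10.10.10",
                       excluded=["10.10.10.5", "10.10.10.6"],
                       static_bind={"00e0-fc12-3456": "10.10.10.20"},
                       ping_packets=ping_packets)
    dynamic = pool.allocate("00e0-fc00-0001", make_probe(log))
    fixed = pool.allocate("00E0-FC12-3456", make_probe(log))
    return str(dynamic), str(fixed), sorted(map(str, pool.conflicts)), log


if __name__ == "__main__":
    for packets in (0, 2):
        print(packets, run_scenario(packets))
```

With the default of 0 ping packets the model hands out 10.10.10.1 even though a host already uses it; with 2 packets that address is recorded as a conflict and the client receives 10.10.10.2.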
Context
The configurations of a DHCP server based on an interface address pool are complete.
Procedure
• Run the display dhcp server statistics command to check the statistics on the DHCP
server.
• Run the display ip pool interface interface-name [ low-ip-address high-ip-address | all |
expired | conflict | used ] command to check information about the configured interface
address pool.
----End
Example
Run the display dhcp server statistics command to view the statistics on the DHCP server.
<Huawei> display dhcp server statistics
Client Request: 6
Dhcp Discover: 1
Dhcp Request: 4
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Server Reply: 4
Dhcp Offer: 1
Dhcp Ack: 3
Dhcp Nak: 0
Bad Messages: 0
Run the display ip pool interface ip-pool-name command to view information about the
interface address pool on VLANIF 10.
<Huawei> display ip pool interface VLANIF10
Pool-name : vlanif10
Pool-No : 2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 192.168.10.2
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.10.1 192.168.10.254 253 0 253 0 0 0
-----------------------------------------------------------------------------
Applicable Environment
A DHCP client can communicate with a DHCP server on another network segment by using the
AR150/200 functioning as a DHCP relay agent to obtain an IP address and other configurations
from the global address pool of the DHCP server. In this manner, DHCP clients on multiple
network segments can share one DHCP server. This reduces costs and facilitates centralized
management. Figure 6-4 shows the application scenario of a DHCP relay agent.
[Figure 6-4: networking diagram showing the DHCP Client, the DHCP Relay, and the Internet.]
NOTE
AR150/200 WAN-side Ethernet interfaces do not support DHCP relay.
Pre-configuration Tasks
Before configuring a DHCP relay agent, complete the following tasks:
• Configuring a DHCP server
• Configuring a route destined to the DHCP server on the AR150/200
Data Preparation
To configure a DHCP relay agent, you need the following data.
No. Data
3 Number and IP address of the interface on which the DHCP relay function is enabled
Context
NOTE
A DHCP packet can be relayed for a maximum of 16 times from a DHCP client to a DHCP server. A DHCP
packet that has been relayed more than 16 times is dropped.
A super VLAN interface that has been enabled with the DHCP relay function cannot be enabled with the
DHCP snooping function.
Procedure
Step 1 Run:
system-view
NOTE
The IP address of the egress gateway that is configured in the IP address pool of the server must be consistent
with the IP address of the DHCP relay.
Step 5 Run:
dhcp select relay
----End
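Added example, not taken from the Huawei guide: the relay limit of 16 hops from the NOTE above and the giaddr-based pool selection described for the global address pool, modelled on the RFC 2131 message layout. The function names, the pool table and the packet are constructed for illustration.

```python
import ipaddress
import struct

MAX_RELAY_HOPS = 16                 # limit stated in the NOTE on this page
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker in front of the options
HOPS_OFFSET, GIADDR_OFFSET = 3, 24  # byte offsets in the fixed BOOTP header


def build_discover(hops=0, giaddr="0.0.0.0"):
    """Constructed DHCPDISCOVER: 236-byte fixed header, cookie, option 53, end."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                  # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0x8000,          # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex("00e0fc000001").ljust(16, b"\0"),  # chaddr (constructed MAC)
        bytes(64), bytes(128))          # sname, file
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def parse_relay_fields(packet):
    """Return (hops, giaddr); reject anything too short to be a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    return packet[HOPS_OFFSET], giaddr


def relay_to_server(packet, relay_if_addr):
    """Relay-agent side: the packet to forward, or None when it is dropped."""
    hops, giaddr = parse_relay_fields(packet)
    if hops >= MAX_RELAY_HOPS:          # one more relay would exceed 16
        return None
    out = bytearray(packet)
    out[HOPS_OFFSET] = hops + 1
    if int(giaddr) == 0:                # only the first relay agent fills in giaddr
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = \
            ipaddress.IPv4Address(relay_if_addr).packed
    return bytes(out)


def select_pool(packet, pools, ingress_if_addr):
    """Server side: pick the pool whose network contains giaddr, or, when the
    packet was not relayed, the address of the interface it arrived on."""
    _, giaddr = parse_relay_fields(packet)
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(ingress_if_addr)
    for name, (network, _gateways) in pools.items():
        if key in ipaddress.ip_network(network):
            return name
    return None                         # no matching pool: the user cannot get online


def gateway_matches_relay(pools, pool_name, relay_if_addr):
    """Audit for the NOTE: the pool's gateway must be the relay interface address."""
    return relay_if_addr in pools[pool_name][1]


# Constructed data: pool name -> (network, gateway-list), reusing pool1's values.
POOLS = {"pool1": ("10.10.10.0/24", ["10.10.10.10"])}
SERVER_IF = "100.10.10.1"   # server-side interface, no pool on this segment
RELAY_IF = "10.10.10.10"    # relay interface facing the clients

if __name__ == "__main__":
    relayed = relay_to_server(build_discover(), RELAY_IF)
    print(parse_relay_fields(relayed), select_pool(relayed, POOLS, SERVER_IF))
    print(relay_to_server(build_discover(hops=16, giaddr=RELAY_IF), RELAY_IF))
```

A relay interface whose address lies outside every pool network, or differs from the pool's gateway, shows up here as `select_pool` returning `None` or `gateway_matches_relay` returning `False`, which are the two mismatches the NOTEs warn about.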
Follow-up Procedure
When the AR150/200 functions as a DHCP relay agent, it can forward the client's DHCP requests
to the DHCP server. Configure the IP address of the DHCP server on the interface that has been
enabled with the DHCP relay function. The AR150/200 supports the following methods by
which the IP address of the DHCP server is specified on the interface that functions as a DHCP
relay agent:
• 6.5.3 Specifying a Server Group on the DHCP Relay Agent and 6.5.4 Binding a DHCP
Server Group to a DHCP Relay Interface.
• Run the dhcp relay server-ip ip-address command in the interface view to configure the
IP address of the DHCP server connected to the DHCP relay agent.
Procedure
Step 1 Run:
system-view
A DHCP server group is created and the DHCP server group view is displayed.
The AR150/200 supports a maximum of 64 DHCP server groups.
Step 3 Run:
dhcp-server ip-address [ ip-address-index ]
----End
Procedure
Step 1 Run:
system-view
----End
Context
When a DHCP relay agent is configured to instruct the DHCP server to reclaim the IP address
of a DHCP client, the relay agent sends a DHCP Release packet to the DHCP server. After
receiving the packet, the DHCP server reclaims the lease of the IP address.
Procedure
Step 1 Run:
system-view
On the AR150/200, a Layer 3 Ethernet interface or its sub-interface, a Layer 3 Eth-trunk interface
or its sub-interface, or a VLANIF interface can be configured to function as a DHCP relay agent.
Step 3 Run:
dhcp relay release client-ip-address mac-address server-ip-address
A request packet is sent to the DHCP server to instruct the server to reclaim the IP address that
is obtained by a DHCP client.
----End
Prerequisites
The DHCP relay configurations are complete.
Procedure
• Run the display dhcp relay { all | interface interface-type interface-number } command
to check the DHCP server group that is bound to the interface and information about the
DHCP group servers.
• Run the display dhcp relay statistics command to check the statistics on the DHCP relay
agent.
• Run the display dhcp server group group-name command to check the configurations of
the DHCP server group.
----End
Example
Run the display dhcp relay interface interface-type interface-number command to view the
DHCP server group bound to VLANIF 100 and information about the DHCP group servers.
<Huawei> display dhcp relay interface vlanif 100
Run the display dhcp relay statistics command to view the statistics on the DHCP relay agent.
<Huawei> display dhcp relay statistics
The statistics of DHCP RELAY:
DHCP packets received from clients : 0
DHCP DISCOVER packets received : 0
DHCP REQUEST packets received : 0
DHCP RELEASE packets received : 0
DHCP INFORM packets received : 0
DHCP DECLINE packets received : 0
DHCP packets sent to clients : 0
Unicast packets sent to clients : 0
Broadcast packets sent to clients : 0
DHCP packets received from servers : 0
DHCP OFFER packets received : 0
DHCP ACK packets received : 0
DHCP NAK packets received : 0
DHCP packets sent to servers : 0
DHCP Bad packets received : 0
Run the display dhcp server group group-name command to view the configurations of DHCP
server group 1.
<Huawei> display dhcp server group group1
Group-name : group1
Group-type : --
(0) Server-IP : 100.10.10.1
(1) Server-IP : 100.10.10.2
Gateway : --
VPN instance : --
1 DHCP server group(s) in total
Applicable Environment
After a Layer 3 interface on the AR150/200 is configured to function as a DHCP/BOOTP client,
the interface can use the DHCP/BOOTP protocol to dynamically obtain an IP address and other
configurations from a DHCP server. This facilitates the configuration for users and centralized
management.
NOTE
After the DHCP/BOOTP client is configured, the DHCP server can assign an IP address to the DHCP/BOOTP
client. Therefore, a BOOTP server is not necessary.
Pre-configuration Tasks
Before configuring a DHCP/BOOTP client, complete the following tasks:
• Configuring a DHCP server
• (Optional) Configuring a DHCP relay agent
• Configuring a route destined to the DHCP relay agent or the DHCP server on the
AR150/200
Data Preparation
To configure a DHCP/BOOTP client, you need the following data.
No. Data
3 Number and IP address of the interface on which the DHCP relay function is enabled
Procedure
• Configure DHCP client attributes.
1. Run:
system-view
Procedure
• Enable the DHCP client.
1. Run:
system-view
dhcp enable
----End
Prerequisites
The DHCP/BOOTP client configurations are complete.
Procedure
• Run the display current-configuration command to check the configurations of the
DHCP/BOOTP client.
----End
Example
# Run the display current-configuration command to view the configurations of the DHCP
client.
[Huawei] display current-configuration
...
#
interface Ethernet1/0/0
ip address dhcp-alloc
#
...
# Run the display interface command to view the IP address that is obtained by the interface.
[Huawei] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP, 22.22.22.222/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
Applicable Environment
If network attackers send DHCP packets continuously, the DHCP protocol stack of the
AR150/200 is affected.
To protect the AR150/200 against attacks that send a large number of DHCP packets, you
can configure the highest rate at which DHCP packets are sent to the protocol stack on the
AR150/200. After the configuration is complete, the AR150/200 checks the rate at which DHCP
packets are sent to it. Only a specific number of packets can be sent to the protocol
stack in a specified period, and excess packets are discarded.
Procedure
• Configure the highest rate at which DHCP packets are sent to the protocol stack in the
system view.
1. Run:
system-view
The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the rate does not exceed 100 pps. The DHCP messages that exceed the
rate are discarded.
5. (Optional) Run:
dhcp check dhcp-rate alarm enable
5. Run:
dhcp check dhcp-rate rate
The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the rate does not exceed 100 pps. The DHCP messages that exceed the
rate are discarded.
• Configure the highest rate at which DHCP packets are sent to the protocol stack in the
interface view.
1. Run:
system-view
The checking rate of DHCP messages sent to the DHCP protocol stack is configured.
By default, the rate does not exceed 100 pps. The DHCP messages that exceed the
rate are discarded.
5. (Optional) Run:
dhcp alarm dhcp-rate enable
The alarm threshold for the DHCP message checking on an interface is configured.
By default, the threshold is 100. When the number of packets that are discarded
because their sending rates exceed the upper limit is larger than the threshold, an alarm
is generated.
----End
Context
CAUTION
DHCP statistics cannot be restored after you clear them. Exercise caution when running reset
commands.
Procedure
• Run the reset dhcp server statistics command in the user view to clear the statistics on a
DHCP server.
• Run the reset dhcp relay statistics command in the user view to clear the statistics on a
DHCP relay agent.
----End
Procedure
• Run the display dhcp relay { all | interface interface-type interface-number } command
to check the DHCP server group that is bound to the relay interface and information about
the group servers.
• Run the display dhcp relay statistics command to check the statistics on a DHCP relay
agent.
• Run the display dhcp server group [ group-name ] command to check the configurations
of the servers in the DHCP server group.
----End
Networking Requirements
As shown in Figure 6-5, the two offices of a company are deployed on the same network. To
save resources, all hosts in the two offices are assigned IP addresses by the Router that functions
as a DHCP server.
Office 1 belongs to the network segment 10.1.1.0/25, and all hosts in Office 1 are added to VLAN
10. These hosts use the DNS service but not the NetBIOS service. Office 2 belongs to the network
segment 10.1.1.128/25, and all hosts in Office 2 are added to VLAN 20. These hosts use both
DNS and NetBIOS services.
A global address pool needs to be configured on the Router. In addition, IP addresses need to
be dynamically assigned to the hosts in the two offices.
Figure 6-5 Networking diagram for configuring a DHCP server based on a global address pool
[Figure: Router (DHCP server) with Ethernet0/0/0 in VLANIF10 (10.1.1.1/25) and Ethernet0/0/1 in VLANIF20 (10.1.1.129/25); attached hosts are a NetBIOS server and DHCP clients.]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
1. Names of the global address pools created for Office 1 and Office 2: pool1 and pool2
respectively
2. Address ranges of pool1 and pool2: 10.1.1.0/25 and 10.1.1.128/25 respectively
3. IP addresses of egress gateways configured for Office 1 and Office 2: 10.1.1.1 and
10.1.1.129 respectively
4. IP address leases for Office 1 and Office 2: 10 days and 2 days respectively
5. IP address of the DNS server: 10.1.1.2
6. IP address of the NetBIOS server: 10.1.1.4
7. IP addresses of VLANIF 10 and VLANIF 20: 10.1.1.1 and 10.1.1.129 respectively
Procedure
Step 1 # Enable the DHCP function.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
# Create pool1 and configure attributes for pool1, including address range, DNS server address,
egress gateway, and IP address lease.
[Router] ip pool pool1
[Router-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.128
[Router-ip-pool-pool1] dns-list 10.1.1.2
[Router-ip-pool-pool1] gateway-list 10.1.1.1
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.2
[Router-ip-pool-pool1] excluded-ip-address 10.1.1.4
[Router-ip-pool-pool1] lease day 10
[Router-ip-pool-pool1] quit
# Create pool2 and configure attributes for pool2, including address range of pool2, DNS server
address, egress gateway, and IP address lease.
[Router] ip pool pool2
[Router-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Router-ip-pool-pool2] dns-list 10.1.1.2
[Router-ip-pool-pool2] nbns-list 10.1.1.4
[Router-ip-pool-pool2] gateway-list 10.1.1.129
[Router-ip-pool-pool2] lease day 2
[Router-ip-pool-pool2] quit
# Configure the clients connected to VLANIF 10 to obtain IP addresses from the global address
pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit
# Configure the clients connected to VLANIF 20 to obtain IP addresses from the global address
pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Router-Vlanif20] dhcp select global
[Router-Vlanif20] quit
-----------------------------------------------------------------------
Pool-name : pool2
Pool-No : 1
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.129
Mask : 255.255.255.128
Vpn instance : --
IP address Statistic
Total :250
Used :0 Idle :248
Expired :0 Conflict :0 Disable :2
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
ip pool pool1
ip pool pool2
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
dns-list 10.1.1.2
lease day 10 hour 0 minute 0
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
dns-list 10.1.1.2
nbns-list 10.1.1.4
lease day 2 hour 0 minute 0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface Ethernet 0/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return
Networking Requirements
As shown in Figure 6-6, the two offices of a company are deployed on the same network. To
save resources, all hosts in the two offices are assigned IP addresses by the Router that functions
as a DHCP server.
Office 1 belongs to the network segment 10.1.1.0/24, and all hosts in Office 1 are added to VLAN
10. These hosts use the DNS and NetBIOS services. Office 2 belongs to the network segment
10.1.2.0/24, and all hosts in Office 2 are added to VLAN 20. These hosts do not use DNS and
NetBIOS services.
An interface address pool needs to be configured on the Router. In addition, IP addresses need
to be dynamically assigned to the hosts in the two offices.
Figure 6-6 Networking diagram for configuring a DHCP server based on an interface address
pool
[Figure: Office 1 with a NetBIOS server (10.1.1.3/24), a DNS server (10.1.1.2/24) and a DHCP client; Router (DHCP server) with Ethernet0/0/0 in VLANIF10 (10.1.1.1/24) and Ethernet0/0/1 in VLANIF20 (10.1.2.1/24).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP function on the Router.
2. Configure two VLANIF interfaces, and configure IP addresses for the VLANIF interfaces
so that the interface address pool range can be determined.
3. Enable the interface address pool.
4. Configure address pool attributes for the clients, including the DNS server address,
NetBIOS server address, and IP address leases.
Data Preparation
To complete the configuration, you need the following data:
1. IP addresses of VLANIF 10 and VLANIF 20: 10.1.1.1 and 10.1.2.1 respectively
2. IP address leases for Office 1 and Office 2: 30 days and 20 days respectively
3. IP address of the DNS server: 10.1.1.2
4. IP address of the NetBIOS server: 10.1.1.3
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname Router
Step 2 Configure the address assignment method for the VLANIF interfaces.
# Add Ethernet 0/0/0 and Ethernet 0/0/1 to the corresponding VLANs respectively.
[Router] vlan batch 10 20
[Router] interface ethernet 0/0/0
[Router-Ethernet0/0/0] port hybrid pvid vlan 10
[Router-Ethernet0/0/0] port hybrid untagged vlan 10
[Router-Ethernet0/0/0] quit
[Router] interface ethernet 0/0/1
[Router-Ethernet0/0/1] port hybrid pvid vlan 20
[Router-Ethernet0/0/1] port hybrid untagged vlan 20
[Router-Ethernet0/0/1] quit
# Configure the clients connected to VLANIF 10 to obtain IP addresses from the interface address
pool.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Router-Vlanif10] dhcp select interface
[Router-Vlanif10] quit
# Configure the clients connected to VLANIF 20 to obtain IP addresses from the interface address
pool.
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Router-Vlanif20] dhcp select interface
[Router-Vlanif20] quit
Step 3 Configure the attributes related to DNS and NetBIOS services for the interface address pool.
# Configure the DNS and NetBIOS services for VLANIF 10 address pool.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp server domain-name huawei.com
[Router-Vlanif10] dhcp server dns-list 10.1.1.2
[Router-Vlanif10] dhcp server nbns-list 10.1.1.3
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[Router-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[Router-Vlanif10] dhcp server netbios-type b-node
Step 4 Configure the IP address lease for the interface address pool.
# Set the IP address lease for Office 1 to 30 days.
[Router] interface vlanif 10
[Router-Vlanif10] dhcp server lease day 30
[Router-Vlanif10] quit
NBNS-Server0 : 10.1.1.3
Netbios-type : b-node
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 0 251 0 0 2
-----------------------------------------------------------------------------
[Router] display ip pool interface vlanif20
Pool-name : vlanif20
Pool-No : 1
Lease : 20 Days 0 Hours 0 Minutes
Domain-name : -
DNS-Server0 : -
NBNS-Server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 0 253 0 0 0
-----------------------------------------------------------------------------
----End
Example
Configuration file of the Router
#
sysname Router
#
vlan batch 10 20
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
dhcp server lease day 30 hour 0 minute 0
dhcp server domain-name huawei.com
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 20 hour 0 minute 0
#
interface Ethernet 0/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet 0/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
return
Networking Requirements
As shown in Figure 6-7, multiple offices of a company are in different commercial buildings,
and the hosts in one office are on the same VLAN. RouterB that functions as a DHCP server is
required to assign IP addresses to hosts in different offices.
Hosts in Office A of the company are on the network segment 20.20.20.0/24, and the DHCP
server is on the network segment 100.10.10.0/24. RouterA must be configured to function as a
DHCP relay agent to forward DHCP packets so that the DHCP clients can obtain IP addresses
and other configurations from the DHCP server.
On RouterA, the public address of Ethernet0/0/8 is 100.10.20.1/24 and the interface address of
RouterA connected to the carrier device is 100.10.20.2/24.
On RouterB, the public address of Ethernet3/0/0 is 100.10.10.1/24 and the interface address of
RouterB connected to the carrier device is 100.10.10.2/24.
[Figure 6-7: networking diagram; surviving labels: Office A, Ethernet0/0/8 100.10.20.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay function on RouterA. RouterA can forward DHCP packets
between the hosts in Office A and hosts in other network segments.
2. Configure a global address pool 20.20.20.0/24 on RouterB. RouterB can assign IP addresses
in the global address pool to hosts in Office A on a different network segment.
Data Preparation
To complete the configuration, you need the following data:
1. Name of the DHCP server group: dhcpgroup1
2. IP address of the DHCP server: 100.10.10.1
3. VLAN that Office A belongs to: VLAN 100
4. IP address of VLANIF 100: 20.20.20.1
5. Name of the global address pool: pool1
6. Address range of pool1: 20.20.20.0/24
7. IP address of the egress gateway configured for Office A: 20.20.20.1
Procedure
• Configure the DHCP relay function on RouterA.
1. Create a DHCP server group and add a DHCP server to the group.
# Create a DHCP server group.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp server group dhcpgroup1
# Enable the DHCP function globally and the DHCP relay function on VLANIF 100.
[RouterA] dhcp enable
[RouterA] interface vlanif 100
[RouterA-Vlanif100] dhcp select relay
[RouterA-Vlanif100] quit
4. Configure a static route from the DHCP server to RouterA. This ensures that the route
from the DHCP server to the network segment 20.20.20.0/24 is reachable. (The
configuration details are not provided here.)
• Configure a default route on RouterB.
[RouterB] ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
# Run the display dhcp relay command on RouterA. You can view the DHCP relay
configurations on VLANIF 100.
[RouterA] display dhcp relay interface vlanif 100
** Vlanif100 DHCP Relay Configuration **
DHCP server group name : dhcpgroup1
DHCP server IP [0] :100.10.10.1
# Run the display ip pool command on RouterB. You can view the configurations of the
IP address pool.
[RouterB] display ip pool
-----------------------------------------------------------------------
Pool-name : pool1
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.0
Vpn instance : --
IP address Statistic
Total :250
Used :0 Idle :248
Expired :0 Conflict :0 Disable :2
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan 100
#
dhcp enable
#
dhcp server group dhcpgroup1
dhcp-server 100.10.10.1
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Ethernet 2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return
Networking Requirements
As shown in Figure 6-8, Router A functions as a DHCP client; Router B functions as a BOOTP
client; Router C functions as a DHCP server. Router A dynamically obtains an IP address, a
DNS server address, and a gateway address from Router C. Router B obtains an IP address from
an IP-MAC binding entry, a DNS server address, and a gateway address from Router C
functioning as a DHCP server.
NOTE
AR150/200 is RouterA, RouterC, or RouterD.
Figure 6-8 Networking diagram for configuring DHCP and BOOTP clients
[Figure: gateway 10.1.1.126/24; Eth1/0/0 interfaces; addresses 10.1.1.1/24 and 10.1.1.2/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on Router A.
2. Enable the BOOTP client function on Router B.
3. Create a global address pool on Router C and configure related attributes.
Data Preparation
To complete the configuration, you need the following data:
1. MAC address of Eth 1/0/0 on Router B: a234-e211-a256
2. IP address of Eth1/0/0 on Router C: 10.1.1.1
3. IP address of the egress gateway configured for the DHCP client: 10.1.1.126
4. IP address of the DNS server connected to the DHCP client: 10.1.1.2
Procedure
• Configure the DHCP client function on Router A.
# Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
2. Configure Eth 1/0/0 to select a global address pool for IP address allocation.
[RouterC] interface Ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 10.1.1.1 24
[RouterC-Ethernet1/0/0] dhcp select global
[RouterC-Ethernet1/0/0] quit
# Run the display interface command on Router A after the interface obtains an IP address.
You can view the IP address of the interface.
[RouterA] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.11/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
# Run the display current-configuration command on Router B. You can view the
configurations of the BOOTP client function.
[RouterB] display current-configuration
...
#
interface Ethernet1/0/0
ip address bootp-alloc
#
...
# Run the display interface command on Router B after the interface obtains an IP address.
You can view the IP address of the interface.
[RouterB] display interface ethernet 1/0/0
Ethernet1/0/0 current state : DOWN
Line protocol current state : DOWN
Description:HUAWEI, Huawei Series, Ethernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is allocated by DHCP,10.1.1.22/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc11-000a
Last physical up time : 2007-12-01 10:48:50
Last physical down time : 2007-12-01 10:52:56
Current system time: 2007-12-01 16:52:01
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 1928 bits/sec,Record time: 2007-11-30 14:57:22
Output peak rate 7384 bits/sec,Record time: 2007-11-30 10:13:15
# Run the display ip pool command on Router C. You can view the configuration about
the IP address pool of Router C.
[RouterC] display ip pool
-----------------------------------------------------------------------
Pool-name : pool1
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.126
Mask : 255.255.255.0
Vpn instance : --
IP address Statistic
Total :250
Used :1 Idle :248
Expired :0 Conflict :0 Disable :2
----End
Example
Configuration file of Router A
#
sysname RouterA
#
dhcp enable
#
interface Ethernet 1/0/0
ip address dhcp-alloc
#
return
Networking Requirements
As shown in Figure 6-9, a department uses Router A to connect directly to the clients. Hosts in this
department function as DHCP clients and are assigned IP addresses by the DHCP server. If an
attacker sends a large number of DHCP packets to Router A, the CPU resources of Router A
become insufficient. As a result, the requests of authorized users cannot be processed in
time. To avoid this problem, network administrators limit the rate at which DHCP packets are
sent to Router A. This allows Router A to effectively defend against DHCP attack packets and
to process requests of authorized users in time.
[Figure 6-9: networking diagram; surviving labels: DHCP server, Internet, RouterB (DHCP relay), RouterA, two DHCP clients, attacker.]
Configuration Roadmap
The configuration roadmap is as follows:
• Configure the highest rate at which DHCP packets are sent to Router A in the system view.
This allows Router A to keep the rate at which DHCP packets are received within a normal
range.
Data Preparation
1. Highest rate at which DHCP packets are sent to the protocol stack: 90 pps
2. Alarm threshold: 80
Procedure
Step 1 Enable the DHCP service.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] dhcp enable
Step 2 Configure the highest rate at which DHCP packets are sent to the protocol stack.
# Enable the system to check the rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate enable
# Configure the highest rate at which DHCP packets are sent to the protocol stack.
[RouterA] dhcp check dhcp-rate 90
----End
Configuration Files
Configuration file of Router A
#
sysname RouterA
#
dhcp enable
dhcp check dhcp-rate enable
dhcp check dhcp-rate 90
dhcp check dhcp-rate alarm enable
dhcp check dhcp-rate alarm threshold 80
#
return
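An added example, not part of the Huawei manual: a Python audit of a saved configuration that checks what the global address pool example and the DHCP rate-limit example above configure, namely that server addresses inside a pool are excluded from allocation and that the system-view rate check and its alarm are enabled. The sample configuration is constructed, and the rule that an interface using dhcp select global is served by the pool whose network contains the interface address is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample in the style of the page's configuration files, with seeded mistakes.
SAMPLE_CONFIG = """\
#
dhcp enable
dhcp check dhcp-rate 90
#
ip pool pool1
 network 10.1.1.0 mask 255.255.255.128
 excluded-ip-address 10.1.1.2
 dns-list 10.1.1.2
 nbns-list 10.1.1.4
#
ip pool pool2
 network 10.1.1.128 mask 255.255.255.128
 dns-list 10.1.1.2
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.128
 dhcp select global
#
interface Vlanif30
 ip address 10.1.3.1 255.255.255.0
 dhcp select global
#
return
"""


def parse_views(text):
    """Group commands by view; a '#' line ends the view and returns to global."""
    views, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = "global"
        elif line.startswith(("interface ", "ip pool ")):
            current = line
            views.setdefault(current, [])
        else:
            views[current].append(line)
    return views


def rate_limit_settings(views):
    """System-view rate check; 100 pps is the default the page states."""
    cmds, rate = views["global"], 100
    for cmd in cmds:
        match = re.fullmatch(r"dhcp check dhcp-rate (\d+)", cmd)
        if match:
            rate = int(match.group(1))
    return {"dhcp": "dhcp enable" in cmds, "rate_pps": rate,
            "check": "dhcp check dhcp-rate enable" in cmds,
            "alarm": "dhcp check dhcp-rate alarm enable" in cmds}


def addresses(cmd):
    """Return the dotted-quad IPv4 values in a command line, in order."""
    quads = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", cmd)
    return [ipaddress.IPv4Address(q) for q in quads]


def audit(text):
    """Return findings for the rate check, pool exclusions and pool coverage."""
    views, findings, pools = parse_views(text), [], {}
    limits = rate_limit_settings(views)
    for key in ("check", "alarm"):
        if limits["dhcp"] and not limits[key]:
            findings.append(f"global: DHCP rate {key} is not enabled")
    for view, cmds in views.items():
        if not view.startswith("ip pool "):
            continue
        name, net, excluded, servers = view.split()[-1], None, set(), []
        for cmd in cmds:
            key, addrs = cmd.split()[0], addresses(cmd)
            if key == "network" and len(addrs) == 2:
                net = ipaddress.ip_network(f"{addrs[0]}/{addrs[1]}", strict=False)
            elif key == "excluded-ip-address" and addrs:  # one address or a range
                excluded.update(range(int(addrs[0]), int(addrs[-1]) + 1))
            elif key in ("dns-list", "nbns-list"):
                servers += addrs
        if net is None:
            continue
        pools[name] = net
        for srv in servers:
            # A server address inside the pool must be excluded or it can be leased.
            if srv in net and int(srv) not in excluded:
                findings.append(f"{name}: {srv} is in {net} but not excluded")
    for view, cmds in views.items():
        if view.startswith("interface ") and "dhcp select global" in cmds:
            ips = [a for c in cmds if c.startswith("ip address ") for a in addresses(c)[:1]]
            # Assumption: the pool whose network contains the interface address serves it.
            if not any(ip in net for ip in ips for net in pools.values()):
                findings.append(f"{view.split()[-1]}: no global pool covers its address")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns four findings: the rate check and its alarm are not enabled, 10.1.1.4 can be leased from pool1, and Vlanif30 has no matching pool. The Router A configuration file shown above produces none.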
7 IP Performance Configuration
Applicable Environment
On certain networks, you need to modify parameters for IP packets to optimize network
performance.
Pre-configuration Tasks
Before optimizing IP performance, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
status on the interfaces is Up
• Configuring IP addresses for interfaces
• Configuring an ACL
Data Preparation
To optimize IP performance, you need the following data.
No. Data
1 Number of the interface where validity of source addresses of received packets will
be checked
2 Number of an ACL and number of the interface that will forward broadcast packets
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
NOTE
The function that resets the DF field is valid for outgoing packets; therefore, this function must be
configured on the outbound interface.
Step 3 Run:
clear ip df
----End
Context
By default, an interface is enabled to send ICMP redirection packets.
CAUTION
If an interface is not enabled to send ICMP redirection packets, the router does not send ICMP
redirection packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
icmp redirect send
----End
Context
By default, IP unicast protocol packets generated by the AR150/200 are scheduled first and can
preempt all the bandwidth.
You can change the priority of IP unicast protocol packets generated by the AR150/200 to
implement proper bandwidth allocation.
Procedure
Step 1 Run:
system-view
----End
Procedure
• Run the display udp statistics command to check the UDP traffic statistics.
• Run the display ip interface [ interface-type interface-number ] or display ip interface
brief [ interface-type interface-number ] command to check information about the
interface.
• Run the display ip statistics command to check the IP traffic statistics.
• Run the display icmp statistics command to check the ICMP traffic statistics.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type
socket-type ] command to check the IP socket information.
----End
Example
# Run the display udp statistics command, and you can view the UDP traffic statistics.
<Huawei> display udp statistics
Received packets:
Total: 13228
Total(64bit high-capacity counter): 13228
checksum error: 0
shorter than header: 0, data length larger than packet: 0
unicast(no socket on port): 0
broadcast/multicast(no socket on port): 954
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 11904
Total(64bit high-capacity counter): 11904
# Run the display ip interface command, and you can view information about the interface.
<Huawei> display ip interface ethernet 1/0/0
Ethernet1/0/0 current state : UP
Line protocol current state : DOWN
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 0, bytes : 0, multicasts : 0
Directed-broadcast packets:
received packets: 0, sent packets: 0
forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet protocol processing : disabled
Broadcast address : 0.0.0.0
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
# Run the display ip statistics command, and you can view the IP traffic statistics.
<Huawei> display ip statistics
Input: sum 31786 local 31786
bad protocol 0 bad format 0
bad checksum 0 bad options
discard srr 0 TTL exceeded 0
Output: forwarding 0 local 41289
dropped 0 no route 1
Fragment: input 0 output 0
dropped 0
fragmented 0 couldn't fragment 0
Reassembling:sum 0 timeouts 0
# Run the display icmp statistics command, and you can view the ICMP traffic statistics.
<Huawei> display icmp statistics
Input: bad formats 0 bad checksum 0
echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0
Mping request 0 Mping reply 0
Output:echo 0 destination unreachable 168
source quench 0 redirects 0
echo reply 0 parameter problem 0
Applicable Environment
On the AR150/200, there are multiple equal-cost routes over multiple equal-cost links to a
destination. Among the equal-cost links, there are high-speed links and low-speed links.
NOTE
If multiple routes to the same destination have the same preference, the same number of hops, and the same
cost, these routes are equal-cost routes.
By default, the AR150/200 uses the flow-based ECMP mode, in which traffic is evenly load
balanced among equal-cost links regardless of the bandwidth. In this mode, congestion may
occur on low-speed links and bandwidth of high-speed links cannot be used efficiently.
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth.
Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed
links cannot be used efficiently. To load balance traffic on the equal-cost links based on
bandwidth, configure UCMP.
Pre-configuration Tasks
Before configuring load balancing for IP packet forwarding, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
• Setting parameters for data link layer protocols on interfaces to ensure that the data link
layer protocol status of the interfaces is Up
Data Preparation
To configure load balancing for IP packet forwarding, you need the following data.
No. Data
2 (Optional) Number of the interface where the bandwidth will be configured manually
Context
ECMP evenly load balances traffic over multiple equal-cost links, regardless of the bandwidth.
Consequently, traffic congestion may occur on low-speed links and bandwidth of high-speed
links cannot be used efficiently. To load balance traffic on the equal-cost links based on
bandwidth, configure UCMP.
When configuring the UCMP function, manually set the bandwidth of an interface in the
following scenarios:
• Users need to adjust the bandwidth of equal-cost links so that the equal-cost links load
balance traffic based on the configured bandwidth.
• The outbound interface of the equal-cost route is a logical interface.
Procedure
Step 1 Run:
system-view
NOTE
Traffic is load balanced based on bandwidth only when UCMP is enabled on outbound interfaces of all the
equal-cost links and FIB entry updating is triggered. If UCMP is not enabled on any outbound interface,
the equal-cost links evenly load balance traffic even though FIB entry updating is triggered.
----End
Procedure
• Run the display fib [ slot-id ] command to check the FIB table on a specified LPU.
• Run the display fib acl acl-number [ verbose ] command to check FIB entries matching
an ACL.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ]
[ verbose ] command to check FIB entries matching destination addresses.
• Run the display fib [ slot-id ] destination-address1 destination-mask1
destination-address2 destination-mask2 [ verbose ] command to check FIB entries matching
destination addresses in the range of destination-address1 destination-mask1 to
destination-address2 destination-mask2.
• Run the display fib ip-prefix prefix-name [ verbose ] command to check FIB entries
matching the specified IP prefix list.
• Run the display fib interface interface-type interface-number command to check FIB
entries matching a specified interface.
• Run the display fib next-hop ip-address command to check FIB entries matching a
specified next hop address.
• Run the display fib [ slot-id ] statistics command to check the total number of FIB entries.
----End
Example
# Run the display fib command to view the summary of the FIB table.
<Huawei> display fib
Route Flags: G - Gateway Route, H - Host Route, U - Up Route
S - Static Route, D - Dynamic Route, B - Black Hole Route
------------------------------------------------------------------------------
FIB Table:
Total number of Routes : 4
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID
127.0.0.1/32 127.0.0.1 HU t[49] InLoop0 0x0
127.0.0.0/8 127.0.0.1 U t[49] InLoop0 0x0
127.255.255.255/32 127.0.0.1 HU t[49] InLoop0 0x0
255.255.255.255/32 127.0.0.1 HU t[49] InLoop0 0x0
Applicable Environment
On certain networks, you need to adjust TCP parameters to improve network performance.
Pre-configuration Tasks
Before configuring TCP attributes, complete the following tasks:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical layer status of the interfaces is Up
• Setting link layer protocol parameters for interfaces to ensure that the link layer protocol
  status on the interfaces is Up
• Setting network layer protocol parameters for interfaces to ensure that the routing protocol
  status on the interfaces is Up
Data Preparation
To configure TCP attributes, you need the following data.
No. Data
1 Values of the SYN-Wait timer and FIN-Wait timer, and packet receive or transmit
buffer size of a connection-oriented socket
Context
TCP uses the following timers:
• SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response
  packet is received after the SYN-Wait timer expires, the TCP connection is closed. The
  value of the SYN-Wait timer ranges from 2 to 600, in seconds. The default value is 75s.
• FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
  FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the
  FIN-Wait timer expires, the TCP connection is closed. The value of the FIN-Wait timer
  ranges from 76 to 3600, in seconds. The default value is 675s.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp timer syn-timeout interval
Step 3 Run:
tcp timer fin-timeout interval
----End
Context
When hosts on the same network communicate with each other, the MTU of the network is
important for the hosts. When hosts communicate with each other across multiple networks, it
is important to determine the minimum MTU on the network path because the MTUs of the link
layers on different networks are different. The minimum MTU on the network path is called the
PMTU.
Procedure
Step 1 Run:
system-view
Step 2 Run:
tcp timer pathmtu-age age-time
The aging time of an IPv4 PMTU is an integer ranging from 10 to 100, in minutes. The default
value is 0 minutes, that is, the PMTU never ages.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
  ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
  remote-port-number ] ] command to check the TCP connection status.
• Run the display tcp statistics command to check the TCP traffic statistics.
----End
Example
# Run the display tcp status command to view the TCP connection status.
# Run the display tcp statistics command to view the TCP traffic statistics.
<Huawei> display tcp statistics
Received packets:
Total: 34574
Total(64bit high-capacity counter): 34574
packets in sequence: 2852 (3242 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, offset error: 0, short error: 0
Sent packets:
Total: 35094
Total(64bit high-capacity counter): 35094
urgent packets: 0
control packets: 0 (including 1 RST)
window probe packets: 0, window update packets: 0
Other information:
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keep alive timeout: 29072, keep alive probe: 29072, Keep alive timeout,
so connections disconnected : 0
Initiated connections: 0, accepted connections: 16, established connecti
ons: 16
Closed connections: 13 ( dropped: 10, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0
Send Packets permitted with Keychain authentication: 0
Receive Packets permitted with Keychain authentication: 0
Receive Packets Dropped with Keychain authentication: 0
Context
CAUTION
The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Exercise caution when
you run the commands.
Procedure
• Run the reset ip statistics [ interface interface-type interface-number ] command in the
  user view to clear the IP traffic statistics.
• Run the reset ip socket monitor [ task-id task-id socket-id socket-id ] command in the
  user view to clear information in a socket monitor.
• Run the reset tcp statistics command in the user view to clear the TCP traffic statistics.
• Run the reset udp statistics command in the user view to clear the UDP traffic statistics.
----End
Context
In routine maintenance, you can run the following commands in any view to view the IP running
status.
Procedure
• Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
  ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
  remote-port-number ] ] command in any view to check the TCP connection status.
• Run the display tcp statistics command in any view to check the TCP traffic statistics.
• Run the display udp statistics command in any view to check the UDP traffic statistics.
• Run the display ip interface [ interface-type interface-number ] command in any view to
  check information about an interface.
• Run the display ip statistics command in any view to check the IP traffic statistics.
• Run the display icmp statistics command in any view to check the ICMP traffic statistics.
• Run the display fib acl acl-number [ verbose ] command in any view to check FIB entries
  matching the specified ACL.
• Run the display fib [ slot-id ] destination-address1 [ destination-mask1 ] [ longer ]
  [ verbose ] command in any view to check FIB entries matching the specified destination
  address.
• Run the display fib [ slot-id ] destination-address1 destination-mask1
  destination-address2 destination-mask2 [ verbose ] command in any view to check FIB entries
  matching destination addresses in the range of destination-address1 destination-mask1 to
  destination-address2 destination-mask2.
• Run the display fib ip-prefix prefix-name [ verbose ] command in any view to check FIB
  entries matching the specified IP prefix list.
• Run the display fib interface interface-type interface-number command in any view to
  check FIB entries matching a specified interface.
• Run the display fib next-hop ip-address command in any view to check FIB entries
  matching a specified next hop address.
• Run the display fib [ slot-id ] statistics command in any view to check the total number
  of FIB entries.
• Run the display fib [ slot-id ] command in any view to check information about the FIB
  table.
• Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type
  socket-type ] command in any view to check the IP socket information.
----End
Networking Requirements
As shown in Figure 7-1, to limit the sending of ICMP redirection packets, RouterA, RouterB,
and RouterC are required to be connected with each other by using layer 3 interfaces.
Figure 7-1 Network diagram of Disabling the Sending of ICMP Redirection Packets
(Diagram not reproduced. Labels: RouterA Eth1/0/0 1.1.1.1/24; RouterB Eth1/0/0 1.1.1.2/24;
RouterC Eth1/0/0 2.2.2.2/24; Internet.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each connected interface.
2. Configure static routes to indirectly connected devices.
3. Disable an interface from sending ICMP redirection packets.
Data Preparation
To complete the configuration, you need the following data:
• Static routes to indirectly connected devices.
• IP addresses of interfaces.
Procedure
Step 1 Configure IP addresses for interfaces.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] ip address 1.1.1.1 24
[RouterA-Ethernet1/0/0] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] ip address 1.1.1.2 24
[RouterB-Ethernet1/0/0] quit
# Configure RouterC.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface ethernet 1/0/0
[RouterC-Ethernet1/0/0] ip address 2.2.2.2 24
[RouterC-Ethernet1/0/0] quit
# Configure RouterB.
[RouterB] ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
# Ping RouterA. You can see that RouterB does not send ICMP redirection packets. There is no
information about ICMP redirection packets in the debugging command output.
[RouterA] ping 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=3 ms
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
interface Ethernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return
#
sysname RouterB
#
interface Ethernet1/0/0
ip address 1.1.1.2 255.255.255.0
undo icmp redirect send
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
#
sysname RouterC
#
interface Ethernet1/0/0
ip address 2.2.2.2 255.255.255.0
#
return
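The following check is an added example, not part of the Huawei guide: it reads the three configuration files above as one dump and reports, per device, the Layer 3 interfaces that do not carry undo icmp redirect send. It assumes that an interface with an IP address sends ICMP redirection packets unless that line is present; the function name audit_redirects is hypothetical.

```python
# Constructed input: the three configuration files shown above, concatenated
# one device after another as they appear on the page.
DUMP = """\
#
 sysname RouterA
#
interface Ethernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return
#
 sysname RouterB
#
interface Ethernet1/0/0
 ip address 1.1.1.2 255.255.255.0
 undo icmp redirect send
#
 ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
#
 sysname RouterC
#
interface Ethernet1/0/0
 ip address 2.2.2.2 255.255.255.0
#
return
"""


def audit_redirects(dump):
    """Map each sysname to the L3 interfaces that can still send ICMP redirects."""
    report = {}
    device = iface = None
    has_ip = disabled = False

    def close_interface():
        # Record the interface being parsed if it has an address and no opt-out.
        # Assumption: redirect sending is on unless explicitly disabled.
        if device and iface and has_ip and not disabled:
            report[device].append(iface)

    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            device = line.split(None, 1)[1]
            report.setdefault(device, [])
        elif line.startswith("interface "):
            close_interface()
            iface, has_ip, disabled = line.split(None, 1)[1], False, False
        elif line in ("#", "return"):          # section delimiters end a block
            close_interface()
            iface = None
        elif iface:
            has_ip = has_ip or line.startswith("ip address ")
            disabled = disabled or line == "undo icmp redirect send"
    close_interface()
    return report


if __name__ == "__main__":
    for name, interfaces in audit_redirects(DUMP).items():
        print(name, "->", interfaces or "no interface sends ICMP redirects")
```
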
By configuring IP unicast PBR, you can improve the security of the network and perform load
balancing.
NOTE
A traffic policy can be configured on the AR150/200's interface to redirect the data packets of which the
destination address is not the local address. This traffic policy is invalid for the local packets sent to the
CPU. It applies to the following situations:
• Load balancing: specifies a forwarding path for special packets.
• Security inspection: redirects certain packets to the firewall.
For details about the redirection configuration, see Configuring Redirection in the Huawei AR150&200
Series Enterprise Routers Configuration Guide - QoS.
Applicable Environment
An internal network is connected to an external network through a router. The router has multiple
egresses to the external network. You can use IP unicast PBR on the interface to control some
packets to pass the specified egress of the router.
To perform PBR on the packets generated by the router, you should configure the local PBR.
Pre-configuration Tasks
Before configuring IP unicast PBR, complete the following tasks:
• Configuring the interface between the router and other devices
Data Preparation
To configure IP Policy-based Routing, you need the following data.
No. Data
Procedure
Step 1 Run:
system-view
Step 2 Run:
policy-based-route policy-name { deny | permit } node node-id
Step 3 Run:
if-match packet-length min-length max-length or if-match acl acl-number
----End
Follow-up Procedure
Note the following when configuring PBR:
• You can use the policy to import the routes or to forward the IP packets.
• You can specify the routing policy by using the if-match and apply clauses.
• A single policy can include multiple if-match clauses, such as if-match acl and if-match
  packet-length, which can be used in combination.
  – If if-match acl acl-number is used repeatedly to set ACL rules, the new configuration
    supersedes the old configuration.
  – If if-match packet-length min-length max-length is used repeatedly to set ACL rules,
    the new configuration supersedes the old configuration.
• permit allows packets that match the rule to pass during policy-based routing; deny
  prevents packets that match the rule from passing during policy-based routing.
• A routing policy contains several policy nodes. Each policy node is specified by a
  node-id. The smaller the node-id is, the higher the preference of the policy node is. The
  policy node with a higher preference is executed first.
Procedure
Step 1 Run:
system-view
Step 2 Run:
policy-based-route policy-name { deny | permit } node node-id
Step 3 Run:
apply ip-precedence precedence
Step 4 Run:
apply ip-address default next-hop ip-address1 [ ip-address2 ]
NOTE
The default next hop cannot be a local IP address.
Step 5 Run:
apply default output-interface interface-type1 interface-number1 [ interface-type2
interface-number2 ]
NOTE
The default outbound interface cannot be a broadcast interface, such as an Ethernet interface.
Step 6 Run:
apply ip-address next-hop ip-address1 [ ip-address2 ]
NOTE
The next hop cannot be a local IP address.
Step 7 Run:
apply output-interface interface-type interface-number
NOTE
Step 8 Run:
apply access-vpn vpn-instance vpn-instance-name &<1-6>
The apply ip-precedence command is used to set the precedence of the packet. The value of
precedence ranges from 0 to 7. In addition, some key words can be used as the value of
precedence. Table 8-1 shows the relationship between key words and precedence.
Precedence   Key word
0            Routine
1            Priority
2            Immediate
3            Flash
4            Flash-override
5            Critical
6            Internet
7            Network
----End
Follow-up Procedure
Note the following when defining actions in PBR:
• A policy can include multiple apply clauses, which can be used in combination.
• If multiple next hops are specified, load balancing is implemented among the next hops.
• If multiple outbound interfaces are specified, load balancing is implemented among the
  outbound interfaces.
• If outbound interfaces and next hops are configured at the same time, the load balancing is
  implemented only on outbound interfaces.
• If you run the apply output-interface command to configure two egresses and then run the
  command again to configure another one, the third configured egress supersedes only the
  first configured one.
Procedure
• Enabling local PBR
1. Run:
system-view
Prerequisites
The configurations of the IP Policy-based Routing function are complete.
Procedure
• Run the display ip policy-based-route command to check the enabled PBR.
• Run the display ip policy-based-route setup local command to check the configuration
  of local PBR.
• Run the display ip policy-based-route statistics local command to check statistics about
  local packets to which PBR is applied.
• Run the display policy-based-route [ policy-name ] command to check the created policy.
----End
Example
Run the display ip policy-based-route command to check the enabled PBR.
<Huawei> display ip policy-based-route
Run the display ip policy-based-route setup local command. If configurations of the local PBR
are displayed, the configuration is successful.
<Huawei> display ip policy-based-route setup local
policy-based-route aaa permit node 5
if-match acl 2000
apply output-interface Ethernet1/0/0
Run the display ip policy-based-route statistics local command. If statistics of the local PBR
are displayed, the configuration is successful.
<Huawei> display ip policy-based-route statistics local
Local policy based routing information:
policy-based-route: aaa
permit node 21
Total denied: 0, forwarded: 0
Networking Requirements
As shown in Figure 8-1, IP unicast PBR is applied to RouterA:
• The next hop address 150.1.1.2 is set for packets with 64 to 1400 bytes.
• The next hop address 151.1.1.2 is set for packets with 1401 to 1500 bytes.
• Packets with other lengths are routed based on destination addresses.
(Figure 8-1 not reproduced. Surviving labels: RouterA Eth2/0/0 151.1.1.1/24; RouterB Eth2/0/0
151.1.1.2/24.)
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Assign an IP address to each interface.
# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length
to 80 bytes.
<RouterA> ping -s 80 10.1.2.1
PING 100.1.2.1: 80 data bytes, press CTRL_C to break
Mar 9 2011 15:00:35.40.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing success
: next-hop : 150.1.1.2
Reply from 100.1.2.1: bytes=80 Sequence=1 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=2 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=3 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=4 ttl=254 time=1 ms
Reply from 100.1.2.1: bytes=80 Sequence=5 ttl=254 time=1 ms
RouterA forwards the received packets from Ethernet1/0/0 because the next hop address in the
PBR route is 150.1.1.2.
# On RouterA, ping the IP address of Loopback0 interface on RouterB and set the packet length
to 1401 bytes.
<RouterA> ping -s 1401 10.1.2.1
PING 100.1.2.1: 1401 data bytes, press CTRL_C to break
Mar 9 2011 15:41:26.350.2 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Mar 9 2011 15:41:26.350.3 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=1 ttl=254 time=2 ms
Mar 9 2011 15:41:26.850.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=2 ttl=254 time=2 ms
Mar 9 2011 15:41:27.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=3 ttl=254 time=2 ms
Mar 9 2011 15:41:27.840.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=4 ttl=254 time=2 ms
Mar 9 2011 15:41:28.340.1 RouterA PBR/7/POLICY-ROUTING:IP Policy routing succes
s : next-hop : 151.1.1.2
Reply from 100.1.2.1: bytes=1401 Sequence=5 ttl=254 time=2 ms
RouterA forwards the received packets from Ethernet2/0/0 because the next hop address in the
PBR route is 151.1.1.2.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface Ethernet1/0/0
ip address 150.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 151.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 150.1.1.2
ip route-static 10.1.2.0 255.255.255.0 151.1.1.2
#
policy-based-route lab1 permit node 10
if-match packet-length 64 1400
apply ip-address next-hop 150.1.1.2
policy-based-route lab1 permit node 20
if-match packet-length 1401 1500
apply ip-address next-hop 151.1.1.2
#
ip local policy-based-route lab1
#
sysname RouterB
#
interface Ethernet1/0/0
ip address 150.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 151.1.1.2 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 150.1.1.1
ip route-static 10.1.1.0 255.255.255.0 151.1.1.1
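The node ordering and matching rules described in this chapter can be checked offline before a policy is applied. The sketch below is an added example, not Huawei code: it parses policy lab1 from the RouterA configuration file and evaluates packets by length. The function names are hypothetical, and two behaviours are assumptions: a node without an if-match clause matches every packet, and a packet matching a deny node is forwarded by the routing table.

```python
import re

# Policy lab1 as it appears in the RouterA configuration file above.
LAB1 = """\
policy-based-route lab1 permit node 10
 if-match packet-length 64 1400
 apply ip-address next-hop 150.1.1.2
policy-based-route lab1 permit node 20
 if-match packet-length 1401 1500
 apply ip-address next-hop 151.1.1.2
"""

NODE_RE = re.compile(r"policy-based-route (\S+) (permit|deny) node (\d+)")


def parse_policy(config, name):
    """Return the nodes of policy `name`, sorted by node-id (lowest first)."""
    nodes, node = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = NODE_RE.fullmatch(line)
        if header:
            node = None
            if header.group(1) == name:
                node = nodes.setdefault(int(header.group(3)),
                                        {"length": None, "next_hops": []})
                node["mode"] = header.group(2)
        elif node is None:
            continue
        elif line == "#":
            node = None
        elif line.startswith("if-match packet-length "):
            low, high = (int(v) for v in line.split()[2:4])
            node["length"] = (low, high)   # a repeated clause supersedes the old one
        elif line.startswith("apply ip-address next-hop "):
            node["next_hops"] = line.split()[3:]
    return [dict(node, node_id=i) for i, node in sorted(nodes.items())]


def forward(nodes, packet_length):
    """Return (decision, next_hops, node_id) for one packet."""
    for node in nodes:                     # smaller node-id is evaluated first
        rng = node["length"]
        # Assumption: a node without an if-match clause matches every packet.
        if rng and not rng[0] <= packet_length <= rng[1]:
            continue
        if node["mode"] == "permit" and node["next_hops"]:
            return ("pbr", node["next_hops"], node["node_id"])
        # Assumption: a deny match leaves the packet to destination-based routing.
        return ("routing-table", [], node["node_id"])
    return ("routing-table", [], None)     # no node matched


if __name__ == "__main__":
    lab1 = parse_policy(LAB1, "lab1")
    for length in (80, 1401, 1600):        # the two pings above, plus an oversize packet
        print(length, forward(lab1, length))
```
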
This chapter describes the principle and configuration of UDP helper, and provides configuration
examples.
A host on an intranet needs to obtain the configuration from a server by sending broadcast packets
such as UDP broadcast packets. If the host and the server are located in different broadcast
domains, broadcast packets cannot reach the server and the host cannot obtain the configuration
from the server.
The AR150/200 provides the UDP Helper function to solve this problem. It can relay broadcast
packets with specified UDP ports by converting broadcast packets into unicast packets and
sending the unicast packets to the specified destination server.
After UDP helper is enabled on the AR150/200, the AR150/200 relays broadcast packets with
the default UDP ports to corresponding destination servers. Table 9-1 lists the default UDP
ports. Other UDP ports must be configured manually after UDP helper is enabled.
Protocol                                                     UDP port
Domain Name System (DNS)                                     53
Time Service                                                 37
Terminal Access Controller Access Control System (TACACS)    49
The UDP helper function cannot relay Dynamic Host Configuration Protocol (DHCP) messages,
so the destination port numbers cannot be set to 67 or 68. To relay DHCP messages, enable the
DHCP relay function.
Applicable Environment
A host on an intranet needs to obtain the configuration from a server by sending broadcast packets
such as UDP broadcast packets. If the host and the server are located in different broadcast
domains, broadcast packets cannot reach the server and the host cannot obtain the configuration
from the server.
The AR150/200 provides the UDP Helper function to solve this problem. It can relay broadcast
packets with specified UDP ports by converting broadcast packets into unicast packets and
sending the unicast packets to the specified destination server.
Pre-configuration Tasks
Before configuring UDP helper, complete the following task:
• Configuring a reachable route from the AR150/200 to the destination server
Data Preparation
To configure UDP helper, you need the following data.
No. Data
Context
After UDP helper is enabled, the Router checks the destination UDP port of a received broadcast
packet and determines whether to relay the packet:
• If the packet destination UDP port number is the same as the specified UDP port number
  and the destination MAC address is a broadcast MAC address, the Router changes the
  destination IP address in the IP packet header and sends the packet to a specified destination
  server.
• If the destination UDP port number of packets is different from the specified UDP port
  number, the Router discards the packet.
Procedure
Step 1 Run:
system-view
Step 2 Run:
udp-helper enable
----End
Prerequisites
UDP helper has been enabled.
Context
After the UDP helper function is enabled, the AR150/200 relays broadcast packets with UDP
ports 37, 49, 53, 69, 137, and 138 by default. If the port number that needs to be configured is
in the range of default UDP port numbers, you can skip this configuration procedure.
The AR150/200 does not relay DHCP messages with UDP ports 67 or 68.
Procedure
Step 1 Run:
system-view
Step 2 Run:
udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp |
time }
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
• Run the display udp-helper server command to check the numbers of the interfaces that
  have relayed UDP packets, IP addresses of destination servers, and the number of forwarded
  UDP packets.
• Run the display udp-helper port command to check the UDP port numbers of the packets
  that need to be relayed.
----End
Example
# Run the display udp-helper server command to view UDP helper information.
<Huawei> display udp-helper server
Server-interface Server-Ip packet-num
------------------------------------------------------------------------
Vlanif20 1.1.1.2 0
Ethernet1/0/0.1 192.168.1.200 0
# Run the display udp-helper port command to view the UDP port numbers of the packets that
need to be relayed.
<Huawei> display udp-helper port
Udp-Port-Number Description
-------------------------------------------------------------
1 TCP Port Service Multiplexer
37 Time
49 Login Host Protocol
53 Domain Name Server
69 Trivial File Transfer
137 NETBIOS Name Service
138 NETBIOS Datagram Service
Context
CAUTION
UDP helper statistics cannot be restored after being cleared. Exercise caution when you run the
reset udp-helper packet command.
Procedure
Step 1 Run the reset udp-helper packet command in the user view to clear UDP helper statistics.
----End
(Network diagram not reproduced. Surviving labels: Internet; NETBIOS-NS Name Server;
Ethernet0/0/0; 10.2.1.1/16; VLANIF100; 10.110.1.1/16; Router; PC1; PC2.)
Configuration Roadmap
The configuration roadmap is as follows:
After UDP helper is enabled on the Router, the Router forwards broadcast packets with destination UDP port
137 by default. The UDP port number, therefore, does not need to be configured here.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable UDP helper.
<Huawei> system-view
[Huawei] sysname Router
[Router] udp-helper enable
----End
Configuration Files
Configuration file of the Router
#
sysname Router
#
udp-helper enable
#
vlan batch 100
#
interface Ethernet0/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Vlanif100
ip address 10.110.1.1 255.255.0.0
udp-helper server 10.2.1.1
#
return
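The relay decision described in this chapter, worked through at packet level with the addresses of the configuration above. This is an added model, not Huawei code: function names, the source address 10.110.1.20 and the frame contents are constructed, and clearing the UDP checksum after the rewrite is a modelling choice, not documented device behaviour.

```python
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
DEFAULT_PORTS = {37, 49, 53, 69, 137, 138}   # relayed by default, per this chapter
DHCP_PORTS = {67, 68}                         # refused: DHCP needs the DHCP relay function


def ipv4_checksum(header):
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def relay_ports(configured=()):
    """Default ports plus manually configured ones; 67 and 68 are rejected."""
    rejected = DHCP_PORTS & set(configured)
    if rejected:
        raise ValueError("cannot relay DHCP ports %s" % sorted(rejected))
    return DEFAULT_PORTS | set(configured)


def build_broadcast(src_ip, dst_ip, dst_port, payload=b"constructed"):
    """Constructed test input: Ethernet broadcast frame carrying IPv4/UDP."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return BROADCAST_MAC + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + header + udp


def udp_helper(frame, server_ip, ports):
    """Return the IPv4 packet unicast to server_ip, or None if the frame is not relayed."""
    if len(frame) < 34 or frame[:6] != BROADCAST_MAC or frame[12:14] != b"\x08\x00":
        return None                           # not an IPv4 frame sent to the broadcast MAC
    packet = bytearray(frame[14:])
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17:
        return None                           # not a complete IPv4/UDP packet
    (dst_port,) = struct.unpack_from("!H", packet, ihl + 2)
    if dst_port not in ports:
        return None                           # port not selected for relay
    packet[16:20] = ipaddress.IPv4Address(server_ip).packed   # rewrite destination IP
    packet[10:12] = b"\x00\x00"
    struct.pack_into("!H", packet, 10, ipv4_checksum(bytes(packet[:ihl])))
    # The UDP checksum covers the destination IP through the pseudo-header, so
    # the old value is stale. Modelling choice: clear it (0 = no checksum in IPv4).
    packet[ihl + 6:ihl + 8] = b"\x00\x00"
    return bytes(packet)


if __name__ == "__main__":
    frame = build_broadcast("10.110.1.20", "10.110.255.255", 137)   # NetBIOS-NS query
    relayed = udp_helper(frame, "10.2.1.1", relay_ports())
    print("new destination:", ipaddress.IPv4Address(relayed[16:20]))
```
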