
HUAWEI NetEngine5000E Core Router

V800R002C01

Configuration Guide - IP Services


Issue 01

Date 2011-10-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

Website: http://www.huawei.com

Email: support@huawei.com

Issue 01 (2011-10-15)

Huawei Proprietary and Confidential


Copyright Huawei Technologies Co., Ltd.

About This Document


Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the IP Services feature supported by the
NE5000E device.
This document describes how to configure the Basic Configurations feature.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Related Versions (Optional)


The following table lists the product versions related to this document.
Product Name                          Version
HUAWEI NetEngine5000E Core Router     V800R002C01

Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol

Description
Indicates a hazard with a high level of risk, which if not
avoided, will result in death or serious injury.
Indicates a hazard with a medium or low level of risk, which
if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation, which if not
avoided, could result in equipment damage, data loss,
performance degradation, or unexpected results.
Indicates a tip that may help you solve a problem or save time.
Provides additional information to emphasize or supplement
important points of the main text.

Command Conventions (Optional)


The command conventions that may be found in this document are defined as follows.
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Changes in Issue 01 (2011-10-15)


The initial commercial release.

Contents

About This Document
1 ARP Configuration
1.1 ARP Overview
1.2 ARP Features Supported by the NE5000E
1.3 Configuring Dynamic ARP
1.4 Configuring Static ARP
1.5 Configuring Routed Proxy ARP
1.6 Configuring ARP Security
1.6.1 Restricting Dynamic ARP Entry Learning
1.6.2 Configuring Strict ARP Entry Learning
1.6.3 Limiting the ARP Packet Processing Rate
1.6.4 Limiting the Number of ARP Entries on Interfaces
1.6.5 Limiting the ARP Miss Message Processing Rate
1.6.6 Checking the Configuration
1.7 Configuring ARP-Ping
1.7.1 Configuring ARP-Ping IP
1.7.2 Configuring ARP-Ping MAC
1.8 Monitoring the ARP Status
1.9 Configuration Examples
1.9.1 Example for Configuring Static ARP
1.9.2 Example for Configuring Routed Proxy ARP
1.9.3 Example for Configuring ARP Security

2 ACL Configuration
2.1 ACL Overview
2.2 ACL Types Supported by the NE5000E
2.3 Configuring an Interface-based ACL
2.3.1 Creating an Interface-based ACL
2.3.2 Configuring Rules for an Interface-based ACL
2.3.3 (Optional) Configuring an ACL Step
2.3.4 (Optional) Configuring an ACL Description
2.3.5 Checking the Configuration
2.4 Configuring a Basic ACL
2.4.1 Creating a Basic ACL
2.4.2 Configuring Rules for a Basic ACL
2.4.3 (Optional) Configuring an ACL Step
2.4.4 (Optional) Configuring an ACL Description
2.4.5 Checking the Configuration
2.5 Configuring an Advanced ACL
2.5.1 Creating an Advanced ACL
2.5.2 Configuring Rules for an Advanced ACL
2.5.3 (Optional) Configuring an ACL Step
2.5.4 (Optional) Configuring an ACL Description
2.5.5 Checking the Configuration
2.6 Configuring an Ethernet Frame Header-based ACL
2.6.1 Creating an Ethernet Frame Header-based ACL
2.6.2 Configuring Rules for an Ethernet Frame Header-based ACL
2.6.3 (Optional) Configuring an ACL Step
2.6.4 (Optional) Configuring an ACL Description
2.6.5 Checking the Configuration
2.7 Configuring a MPLS-based ACL
2.7.1 Creating a MPLS-based ACL
2.7.2 Configuring Rules for a MPLS-based ACL
2.7.3 Checking the Configuration
2.8 Configuring the Validity Period of an ACL Rule
2.8.1 Creating the Validity Period of an ACL Rule
2.8.2 Specifying the Validity Period for an ACL Rule
2.8.3 Checking the Configuration
2.9 Maintaining an ACL
2.9.1 Clearing ACL Statistics
2.9.2 Monitoring the ACL Operation

3 Basic Configurations of IPv4
3.1 IPv4 Overview
3.2 IPv4 Features Supported by the NE5000E
3.3 Configuring IP Addresses for Interfaces
3.3.1 Configuring a Primary IP Address for an Interface
3.3.2 (Optional) Configuring a Secondary IP Address for an Interface
3.3.3 Checking the Configuration
3.4 Configuring IP Address Negotiation on Interfaces
3.4.1 Configuring a Server to Assign an IP Address to a Client Through Negotiation
3.4.2 Configuring a Client to Obtain an IP Address Through Negotiation
3.4.3 Checking the Configuration
3.5 Configuring IP Unnumbered on Interfaces
3.5.1 Configuring a Primary IP Address for a Numbered Interface
3.5.2 Configuring an Unnumbered Interface to Borrow an IP Address from Another Interface
3.5.3 Checking the Configuration
3.6 Configuring the Security of the IPv4 Protocol Stack
3.6.1 Controlling the Processing of IP Packets Carrying Options
3.6.2 Controlling the Sending or Receiving of ICMP Packets
3.6.3 Setting the Timeout Period of the Regroup Queue
3.6.4 Checking the Configuration
3.7 Configuring TCP
3.7.1 Configuring TCP Timer
3.7.2 Specifying the Size of a TCP Sliding Window
3.7.3 Checking the Configuration
3.8 Maintaining IPv4
3.8.1 Monitoring the IPv4 Running Status
3.8.2 Clearing IPv4 Statistics
3.9 Configuration Examples
3.9.1 Example for Configuring Primary and Secondary IP Addresses for an Interface
3.9.2 Example for Configuring IP Address Negotiation on Interfaces
3.9.3 Example for Configuring IP Unnumbered on Interfaces
3.9.4 Example for Configuring Address Overlapping on a Device
3.9.5 Example for Configuring an IP Address with a 31-bit Mask

4 Configuring Load Balancing
4.1 Load Balancing Overview
4.2 Load Balancing Features Supported by the NE5000E
4.3 Configuring IP Packet Load Balancing
4.3.1 Configuring Interface-specific UCMP During IP Packet Forwarding
4.3.2 Configuring Global UCMP for IP Packet Forwarding
4.3.3 Configuring Level 2 Improved Load Balancing
4.3.4 Checking the Configuration
4.4 Configuration Examples
4.4.1 Example for Configuring Interface-specific UCMP for IP Packet Forwarding
4.4.2 Example for Configuring Global UCMP for IP Packet Forwarding

5 ACL6 Configuration
5.1 ACL6 Overview
5.2 ACL6 Features Supported by the NE5000E
5.3 Configuring an Interfaced-based ACL6
5.3.1 Creating an Interface-based ACL6
5.3.2 Configuring Rules for an Interface-based ACL6
5.3.3 Checking the Configuration
5.4 Configuring a Basic ACL6
5.4.1 Creating a Basic ACL6
5.4.2 Configuring Rules for a Basic ACL6
5.4.3 Checking the Configuration
5.5 Configuring an Advanced ACL6
5.5.1 Creating an Advanced ACL6
5.5.2 Configuring Rules for an Advanced ACL6
5.5.3 Checking the Configuration
5.6 Configuring the Validity Period of an ACL6 Rule
5.6.1 Creating the Validity Period of an ACL6 Rule
5.6.2 Specifying the Validity Period for an ACL6 Rule
5.6.3 Checking the Configuration
5.7 Maintaining an ACL6
5.7.1 Clearing ACL6 Statistics
5.7.2 Monitoring the ACL6 Operation

6 Basic Configurations of IPv6
6.1 IPv6 Overview
6.2 IPv6 Features Supported by the NE5000E
6.3 Configuring an IPv6 Address for the Interface
6.3.1 Enabling IPv6
6.3.2 Configuring a Link-local Address on an Interface
6.3.3 Configuring a Global Unicast Address on an Interface
6.3.4 Configuring an IPv6 Anycast Address for an Interface
6.3.5 Checking the Configuration
6.4 Configuring an IPv6 Address Selection Policy Table
6.5 Configuring IPv6 Neighbor Discovery
6.5.1 Configuring Static Neighbors
6.5.2 Setting the Aging Time for Neighbor Entries in the Stale State
6.5.3 Setting the Interval for Detecting Neighbor Reachability
6.5.4 Checking the Configuration
6.6 Configuring Duplicate Address Detection
6.6.1 Setting the Number of Times of Duplicate Address Detection
6.6.2 Setting the Interval for Duplicate Address Detection
6.6.3 Checking the Configuration
6.7 Configuring RA
6.7.1 Enabling RA
6.7.2 Setting the Interval for Advertising RA Messages
6.7.3 Setting Parameters Carried in RA Messages
6.7.4 Checking the Configuration
6.8 Configuring ICMPv6 Message Control
6.9 Configuring PMTUs
6.9.1 Configuring a Static PMTU
6.9.2 Setting the Aging Time of Dynamic PMTU Entries
6.9.3 Checking the Configuration
6.10 Configuring TCP6
6.10.1 Configuring TCP6 Timer
6.10.2 Specifying the Size of a TCP6 Sliding Window
6.10.3 Checking the Configuration
6.11 Maintaining IPv6
6.11.1 Clearing IPv6 Statistics
6.11.2 Monitoring the IPv6 Running Status
6.12 Configuration Examples
6.12.1 Example for Configuring IPv6 Addresses for Interfaces
6.12.2 Example for Configuring IPv6 Neighbor Discovery
6.12.3 Example for Configuring IPv6 Address Selection Policy Table

7 IPv6 over IPv4 Tunnel Configuration
7.1 IPv6 over IPv4 Tunnel Overview
7.2 IPv6 over IPv4 Tunnel Technology Supported by the NE5000E
7.3 Configuring a Manual IPv6 over IPv4 Tunnel
7.4 Configuring a 6to4 Tunnel
7.5 Maintaining an IPv6 over IPv4 Tunnel
7.5.1 Monitoring an IPv6 over IPv4 Tunnel
7.6 Configuration Examples
7.6.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
7.6.2 Example for Configuring a 6to4 Tunnel
7.6.3 Example for Configuring 6to4 Relay

1 ARP Configuration


About This Chapter


The Address Resolution Protocol (ARP) is used to translate IP addresses into MAC addresses.
ARP sets up IP-address-to-MAC-address mappings and transmits Ethernet frames over Layer
2 networks based on the mappings.
1.1 ARP Overview
ARP provides a mechanism for translating IP addresses into MAC addresses so that data can be
forwarded over Ethernet networks.
1.2 ARP Features Supported by the NE5000E
There are two types of ARP: dynamic ARP and static ARP. ARP supports extended applications,
including routed proxy ARP, ARP security, and ARP-Ping.
1.3 Configuring Dynamic ARP
Dynamic ARP entry learning is supported by hosts and routers, and is enabled by default.
Parameters for dynamic ARP, however, can be adjusted as required.
1.4 Configuring Static ARP
In static ARP mode, mappings between IP addresses and MAC addresses are configured and
cannot be changed on hosts or routers. Static ARP entries are never aged on routing devices
that are working properly.
1.5 Configuring Routed Proxy ARP
Routed proxy ARP allows devices whose IP addresses are on the same network segment but on
different physical networks to communicate with each other.
1.6 Configuring ARP Security
ARP security features such as ARP packet processing rate limiting and interface-based ARP
entry number limiting can be configured to protect valid ARP packets to improve network
security.
1.7 Configuring ARP-Ping
ARP-Ping is classified into ARP-Ping IP and ARP-Ping MAC.
1.8 Monitoring the ARP Status
To monitor the ARP status, you can check the ARP entries, strict ARP entry learning on
interfaces, ARP packet statistics, ARP packet processing rate, maximum number of ARP entries
that can be learned by an interface, and source IP address-based ARP Miss message processing
rate.
1.9 Configuration Examples
This section describes several ARP configuration examples, providing networking requirements,
configuration notes and roadmap, and configuration procedure for each example. Configuration
flowcharts provided in this section will help you understand the configuration procedures.


1.1 ARP Overview


ARP provides a mechanism for translating IP addresses into MAC addresses to implement data
forwarding over an Ethernet network.

Introduction
Each host or router on a Local Area Network (LAN) has a 32-bit IP address and uses the IP
address to communicate with other devices. IP addresses are configurable.
On an Ethernet, a host or a router sends or receives Ethernet frames based on 48-bit MAC
addresses. A MAC address is also called a physical address or a hardware address. It is allocated
to an Ethernet interface when a device is being manufactured. In internetworking scenarios, an
address resolution mechanism is needed for providing mappings between IP addresses and MAC
addresses. ARP is introduced as such a mechanism.

Working Mechanism
The ARP working mechanism is described below:
1. To obtain the MAC address corresponding to an IP address, a host or a device broadcasts
   an ARP request packet.
2. After having received the ARP request packet, another host or device whose MAC address
   is requested sends an ARP reply packet, and creates an ARP entry based on the mapping
   between the IP address and MAC address of the request sender.
3. The request sender receives the ARP reply packet and creates an ARP entry based on the
   mapping between the IP address and the MAC address of the reply sender.

1.2 ARP Features Supported by the NE5000E


There are two types of ARP: dynamic ARP and static ARP. ARP supports extended applications,
including routed proxy ARP, ARP security, and ARP-Ping.

Static ARP and Dynamic ARP


After translating an IP address into a MAC address by using ARP, a device adds an ARP entry
to its ARP table. This ARP entry records a mapping between the IP address and the MAC address,
and guides the forwarding of packets destined for the IP address.
ARP entries are classified into static and dynamic ARP entries.
Table 1-1 Comparison between static ARP and dynamic ARP

| Feature | Description | ARP Entry Generation and Maintenance |
|---|---|---|
| Dynamic ARP | Dynamic ARP entries are automatically generated and maintained by ARP. | Dynamic ARP entries can be aged and updated, and can also be overwritten by static ARP entries. By default, ARP entries are dynamically learned and maintained. |
| Static ARP | Static ARP entries are configured. This means that the mappings between IP addresses and MAC addresses are configured and cannot be changed on hosts or routers. | Static ARP entries will not be aged or overwritten by dynamic ARP entries, and are manually configured and maintained. NOTE: Configuring static ARP improves communication security, but increases configuration and maintenance costs if a large number of static ARP entries are configured. |

Extended Applications Supported by ARP


ARP supports the following extended applications.
Table 1-2 Extended applications supported by ARP and their usage scenarios

| Application | Description | Usage Scenario |
|---|---|---|
| Routed proxy ARP | Routed proxy ARP allows hosts or routers on the same network segment but different physical networks to communicate with each other. | Hosts or devices are located on the same network segment but different physical networks. |
| ARP security | ARP security configurations include: (1) ARP packet processing rate limiting; (2) ARP Miss message processing rate limiting; (3) Interface-based ARP entry number limiting; (4) Strict ARP entry learning. | ARP security is applicable to networks where there are lots of threats to ARP entries. |
| ARP-Ping | ARP-Ping includes ARP-Ping IP and ARP-Ping MAC. | ARP-Ping IP is used to check whether a specific IP address is being used by another device. ARP-Ping MAC is used to check whether a specific MAC address is being used by another device, or to obtain the IP address corresponding to the MAC address. |


1.3 Configuring Dynamic ARP


Dynamic ARP entry learning is supported by hosts and routers, and is enabled by default.
Parameters for dynamic ARP, however, can be adjusted as required.

Applicable Environment
ARP aging parameters include the aging time, number of ARP probes, and ARP probe interval.
Proper setting of these aging parameters can improve network reliability:
- Aging time: When the aging time of a dynamic ARP entry expires, a device sends an ARP
  probe (ARP request packet) from the outbound interface recorded in the dynamic ARP
  entry, and starts counting the number of ARP probes.
- Number of ARP probes: Before deleting an aged dynamic ARP entry, a device sends ARP
  probes to the IP address recorded in the ARP entry at specified intervals. If the configured
  number of ARP probes is exceeded but the ARP entry has not been updated, the device
  will delete the ARP entry.
- ARP probe interval: It is the interval at which probe packets are sent.

NOTE
1. If the aging time of dynamic ARP entries is set too short, for example, 1 minute, a device will
   be busy updating dynamic ARP entries. This consumes a lot of system resources and affects the
   processing of other services.
2. Length of time before the deletion of a dynamic ARP entry = Number of ARP probes x Probe
   interval
   Setting a long probe interval is not recommended, because a long interval will delay the deletion
   of an aged dynamic ARP entry according to the formula.

Pre-configuration Tasks
Before configuring dynamic ARP, complete the following tasks:
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer
  protocol status of the interfaces is Up

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp expire-time expire-time

The aging time is set for dynamic ARP entries.


By default, the aging time of dynamic ARP entries is 1200 seconds.

Step 4 Run:
arp detect-times detect-times

The number of ARP probes is set.


By default, the number of ARP probes is 3.
Step 5 Run:
arp detect-interval detect-interval

The interval for sending ARP probes is set.


By default, the interval for sending ARP probes is 5 seconds.
Step 6 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Run the following commands to check the previous configuration:
- Run the display arp all command to check all ARP entries on MPUs and LPUs.
- Run the display arp interface interface-name command to check the ARP entries on a
  specified interface.
- Run the display arp slot slot-id command to check the ARP entries on a board in a specified
  slot.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
  command to check the ARP entries in a specified VPN instance.

Run the display arp all command to view all ARP entries on MPUs and LPUs.
<HUAWEI> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
15.1.1.1        3885-d010-0301            I           GE3/0/1
15.1.1.2        3885-d010-0303  15        D-3         GE3/0/1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp interface command to view the ARP entries on a specified interface.
<HUAWEI> display arp interface gigabitethernet1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        3885-d040-0201            I           GE1/0/0
10.1.1.2        3885-d040-0203  20        D-3         GE1/0/0
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

Run the display arp slot command to view the ARP entries on a board in a specified slot.
<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I           GE1/0/1     vpn2
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/1     vpn2
192.168.1.11    0000-0a41-0201            I           GE1/0/0
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/0
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command to view the ARP entries in a specified VPN
instance.
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I           GE1/0/0     vpn1
192.168.1.1     0000-0a41-0200  12        D-6         GE1/0/0     vpn1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

1.4 Configuring Static ARP


In static ARP mode, mappings between IP addresses and MAC addresses are configured and
cannot be changed on hosts or routers. Static ARP entries are never aged on routing devices
that are working properly.

Applicable Environment
Static ARP entries will not be aged or overwritten by dynamic ARP entries, and are manually
configured and maintained. Configuring static ARP entries improves communication security.
In the case that device A communicates with device B that uses a specified IP address, device
A can be configured with a fixed mapping between device B's IP address and MAC address.
This mapping will not be changed because devices do not update ARP entries after receiving
attack packets. This ensures communication between the two devices.
Static ARP can be used for the following purposes:
- To enable a local gateway to forward packets whose destination IP addresses are not on
  the local network segment.
- To bind the invalid IP addresses of received ARP packets to a non-existent MAC address.

When an important network device such as a server is communicating with another device, a
static ARP entry recording the mapping between another device's IP address and MAC address
can be configured on the important network device. The static ARP entry on the important device
cannot be overwritten by the ARP packets forged by attackers, and also prevents the important
device from responding to invalid ARP request packets. This protects the important device
against network attacks.
NOTE

Static ARP entries will never be overwritten, but configuring a large number of ARP entries is a heavy
workload. Therefore, static ARP is applicable to small networks where host IP addresses seldom change.

Pre-configuration Tasks
Before configuring static ARP, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to make sure
  that the physical status of the interfaces is Up
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer
  protocol status of the interfaces is Up

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] [ vid vlanid ]

A static ARP entry is configured.


If vpn-instance vpn-instance-name is specified, the static ARP entry records the IP-MAC
mapping of a device in the specified VPN.
vid vlan-id is applicable to the scenario where sub-interfaces support inter-VLAN
communication.
Step 3 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Run the following command to check the previous configuration:
- Run the display arp slot slot-id command to check the ARP entries on a board in a specified
  slot.

Run the display arp slot command to view the ARP entries on all LPUs.
<HUAWEI> display arp slot 1 static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        0000-0a41-0200            S-3/
10.1.1.2        0000-0a41-0202            S-3/
10.1.1.3        0000-0a41-0204            S-3/
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3    Interface:0

1.5 Configuring Routed Proxy ARP


Routed proxy ARP allows devices whose IP addresses are on the same network segment but on
different physical networks to communicate with each other.

Applicable Environment
Proxy ARP is a technique that a device on a given network uses to answer an ARP request sent
from a host on another network to a host on the given network. (The two hosts are on different
physical networks but on the same network segment, and the device connects the two hosts.)
Proxy ARP makes users on different physical networks feel that they are communicating with
each other on the same physical network.
Routed proxy ARP is one way to allow hosts or routers on the same network segment but on
different physical networks to communicate with each other. If a host connected to the router
does not have a default gateway address (does not know how to reach an agent), the host cannot
forward data to the destination host on another physical network. Routed proxy ARP can solve
this problem. When a host sends an ARP request for the MAC address of the destination host
on another network, the proxy ARP-enabled router receives the request and responds to the
request with its own MAC address. Data packets sent by the host can then be forwarded by the
router.
Users belong to two different physical networks (two subnets on the same IP network) on the
same network segment. To allow the users to communicate with each other, configure routed
proxy ARP on the interface connecting routers to the physical networks.
Figure 1-1 shows the networking diagram of routed proxy ARP.
Figure 1-1 Networking diagram of routed proxy ARP
[Figure: Host A (172.16.1.2/16) on Ethernet A attaches to Router A GE1/0/0 (172.16.1.1/24). Router A POS2/0/0 (172.17.3.1/24) links to Router B POS2/0/0 (172.17.3.2/24). Router B GE1/0/0 (172.16.2.1/24) attaches to Host B (172.16.2.2/16) on Ethernet B. Both routers are labelled "Proxy ARP".]

CAUTION
The IP addresses of all hosts on each subnet must have the same network ID. None of the hosts
needs to be configured with a default gateway.
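Why Host A in Figure 1-1 sends an ARP request for Host B at all, and when Router A answers it, shown as an added Python example (not code from this guide). The MAC address, the route to 172.16.2.0/24 through POS2/0/0, and the rule that the router answers only when its route to the target leaves through a different interface are assumptions.

```python
"""Routed proxy ARP decision for the Figure 1-1 topology (added illustration)."""
import ipaddress


def host_arps_directly(host_if, dst):
    """A host ARPs for dst itself when dst falls inside its own prefix."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(host_if).network


class Router:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}   # ifname -> (ip_interface, mac, arp_proxy_enabled)
        self.routes = []   # (ip_network, outbound ifname)

    def add_iface(self, ifname, addr, mac=None, arp_proxy=False):
        iface = ipaddress.ip_interface(addr)
        self.ifaces[ifname] = (iface, mac, arp_proxy)
        self.routes.append((iface.network, ifname))   # connected route

    def lookup(self, dst):
        """Longest-prefix match; returns the outbound interface name or None."""
        dst = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, ifn) for net, ifn in self.routes if dst in net]
        return max(hits)[1] if hits else None

    def answer_arp_request(self, in_if, target_ip):
        """Return the MAC placed in the ARP reply, or None if the router stays silent."""
        iface, mac, proxy = self.ifaces[in_if]
        if ipaddress.ip_address(target_ip) == iface.ip:
            return mac                 # ordinary ARP for the router's own address
        out_if = self.lookup(target_ip)
        # Assumed rule: proxy only for targets reached through another interface.
        if proxy and out_if is not None and out_if != in_if:
            return mac                 # the router's own MAC stands in for the target
        return None


def build_router_a(arp_proxy=True):
    """Router A from Figure 1-1; the MAC is constructed, the remote route is assumed."""
    r = Router("RouterA")
    r.add_iface("GE1/0/0", "172.16.1.1/24", mac="0000-5e00-5301", arp_proxy=arp_proxy)
    r.add_iface("POS2/0/0", "172.17.3.1/24")
    r.routes.append((ipaddress.ip_network("172.16.2.0/24"), "POS2/0/0"))
    return r


if __name__ == "__main__":
    a = build_router_a()
    # With a /16 mask Host A treats Host B as on-link and ARPs for it directly.
    print(host_arps_directly("172.16.1.2/16", "172.16.2.2"))
    # Router A answers on GE1/0/0 with its own MAC.
    print(a.answer_arp_request("GE1/0/0", "172.16.2.2"))
```

With a /24 mask on Host A the request would never be sent, which is why the CAUTION above requires the hosts to share one network ID and need no default gateway.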

Pre-configuration Tasks
Before configuring routed proxy ARP, complete the following tasks:
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer
  protocol status of the interfaces is Up

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


The interface specified in this command is the one that connects a router to a physical network,
and needs to be enabled with routed proxy ARP.
Step 3 Run:
ip address ip-address { mask | mask-length }

An IP address is configured for the interface.


The configured IP address on the routed proxy ARP-enabled interface must belong to the same
network segment as the IP addresses of the hosts on the interface-connecting physical network.
Step 4 Run:
arp-proxy enable

Routed proxy ARP is enabled on the interface.


After routed proxy ARP is enabled on a router, run the arp expire-time expire-time command
on the host to reduce the ARP entry aging time. This can age out invalid ARP entries on the host
as soon as possible, and reduce the number of invalid packets sent from the host to the router.
Step 5 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Run the following commands to check the previous configuration:
- Run the display arp interface interface-name command to check the ARP entries on a
  specified interface.
- Run the display arp slot slot-id command to check the ARP entries on a board in a specified
  slot.
- Run the display arp vpn-instance vpn-instance-name slot slot-id [ dynamic | static ]
  command to check the ARP entries in a specified VPN instance.

Run the display arp interface command to view the ARP entries on a specified interface.
<HUAWEI> display arp interface gigabitethernet1/0/0
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        2202-0003-0001  20        D-3         GE1/0/0
------------------------------------------------------------------------------
Total:1         Dynamic:1       Static:0    Interface:0

Run the display arp slot command to view the ARP entries on all LPUs.
<HUAWEI> display arp slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.12    0000-0a41-0202            I           GE1/0/1     r2
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/1     r2
192.168.1.11    0000-0a41-0201            I           GE1/0/0     r1
192.168.1.1     0000-0a41-0200  17        D-6         GE1/0/0     r1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

Run the display arp vpn-instance command to view the ARP entries in a specified VPN
instance.
<HUAWEI> display arp vpn-instance r1 slot 1
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I           GE1/0/0     r1
192.168.1.1     0000-0a41-0200  12        D-6         GE1/0/0     r1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1

1.6 Configuring ARP Security


ARP security features such as ARP packet processing rate limiting and interface-based ARP
entry number limiting can be configured to protect valid ARP packets to improve network
security.

Applicable Environment
ARP is a basic link layer protocol that can be used on an Ethernet. It maps devices' IP addresses
to MAC addresses. For details on the ARP working mechanism, see Working Mechanism.
The working mechanism shows that ARP is simple to use but has no security guarantee.
Attackers may send forged ARP packets to attack devices.
ARP attacks may cause the following problems:
- Networks become unstable, causing users to be unable to go online or enterprise networks
  to break down.
- Attackers steal user accounts and passwords for online games, Internet banks, or file transfer
  services, causing the victims to suffer a great loss.

Improving ARP security is becoming more important. There are several solutions: limiting the
ARP packet processing rate, limiting the number of ARP entries on interfaces, and limiting the
ARP Miss message processing rate.

Pre-configuration Tasks
Before configuring ARP security, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to make sure
  that the physical status of the interfaces is Up
- Configuring link layer protocol parameters for the interfaces to make sure that the link layer
  protocol status of the interfaces is Up

Configuration Procedures
Choose one or more configuration tasks (excluding "Checking the Configuration") as needed.

Figure 1-2 Flowchart for configuring ARP security
[Flowchart tasks: Restrict Dynamic ARP Entry Learning; Configure Strict ARP Entry Learning; Limit the ARP Packet Processing Rate; Limit the Number of ARP Entries on Interfaces; Limit the ARP Miss Message Processing Rate. Legend: mandatory procedure, optional procedure.]

1.6.1 Restricting Dynamic ARP Entry Learning


When a large number of ARP entries are generated on a specified interface, you can prevent the
interface from dynamically learning ARP entries.

Background Information

CAUTION
- If dynamic ARP entry learning is disabled on an interface, traffic forwarding may fail on this
  interface.
- After dynamic ARP entry learning is disabled on an interface, the system will not
  automatically delete the ARP entries that were learnt previously on this interface. You can
  delete or retain these dynamic ARP entries as required.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.



Step 3 Run:
arp learning disable

Dynamic ARP entry learning is disabled on the interface.


By default, the dynamic ARP entry learning function is enabled on an interface.
Step 4 Run:
commit

The configuration is committed.


----End

1.6.2 Configuring Strict ARP Entry Learning


Strict ARP entry learning is usually used on a network that requires high ARP security. Devices
that receive attack packets may generate a large number of invalid ARP entries, consuming
resources. Strict ARP entry learning allows the device to discard attack packets so that valid
ARP entries can be generated.

Applicable Environment
On an Ethernet, attackers continuously send a large number of ARP packets to attack devices.
This severely affects forwarding of valid service packets. To address the problem, configure
strict ARP entry learning. This strictly controls the learning of unknown users' ARP entries.
Strict ARP entry learning can be configured globally or on an interface to allow the router or
the interface to learn only the ARP reply packets in response to the ARP request packets sent
by the router or the interface itself.
- If strict ARP entry learning is disabled, a device processes a received ARP packet as
  follows:
  - When a device receives an ARP reply packet, it processes the packet in either of the
    following manners:
    - If the device has no ARP entry matching the source IP address of the ARP reply
      packet, the device creates a new ARP entry based on the source IP address and source
      MAC address of the ARP reply packet.
    - If the device has an ARP entry matching the source IP address of the ARP reply
      packet, the device updates the ARP entry based on the source IP address and source
      MAC address of the ARP reply packet.
  - When a device receives an ARP request packet that requests its MAC address, the device
    first sends an ARP reply packet to the request sender and then creates an ARP entry
    based on the IP address and MAC address of the request sender.
- After strict ARP entry learning is enabled, a device processes a received ARP packet as
  follows:
  - If the device receives an ARP reply packet, it determines whether the reply packet is in
    response to the ARP request packet sent by the device itself. If it is such a reply packet,
    the device learns the MAC address and updates the corresponding ARP entry.
    Otherwise, the device does not learn the MAC address or update the corresponding ARP
    entry.
  - If a device receives an ARP request packet, it only replies to the request but does not
    generate a new ARP entry or update the existing ARP entry.


As shown in Figure 1-3, strict ARP entry learning is configured on a backbone network's edge
routers that are connected to user access devices.
Figure 1-3 Networking diagram of configuring strict ARP entry learning
[Figure: RouterA and RouterB at the edge of the core network, each labelled "ARP learning strict".]

For details on ARP security problems, see 1.6 Configuring ARP Security.

Pre-configuration Tasks
Before configuring strict ARP entry learning, complete the following task:
- Disabling dynamic ARP entry learning where strict ARP entry learning is enabled

Procedure
- Enable strict ARP entry learning globally.
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     arp learning strict

     Strict ARP entry learning is enabled globally.

  3. Run:
     commit

     The configuration is committed.


- Configure strict ARP entry learning on an interface. Strict ARP entry learning enabled on
  an interface takes effect regardless of whether strict ARP entry learning is enabled globally.
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

  3. Run:
     arp learning strict force-enable

     Strict ARP entry learning is enabled on the specified interface.

     NOTE
     If strict ARP entry learning is not enabled globally, running the arp learning strict force-enable
     command on a specified interface enables strict ARP entry learning on the interface.

  4. (Optional) Run:
     arp learning strict force-disable

     Strict ARP entry learning is disabled on the specified interface.

     NOTE
     If strict ARP entry learning is not disabled globally, running the arp learning strict force-disable
     command on a specified interface disables strict ARP entry learning on the interface.

  5. Run:
     commit

     The configuration is committed.


- Restore the global strict ARP entry learning configuration on the interface.
  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     interface interface-type interface-number

     The interface view is displayed.

  3. Run:
     arp learning strict trust

     The global strict ARP entry learning configuration is restored on the interface.

  4. Run:
     commit

     The configuration is committed.


----End

1.6.3 Limiting the ARP Packet Processing Rate


The number of the ARP packets sent to the same destination in a unit of time can be limited.
This protects devices against forged ARP packet attacks and improves network security.

Context
Processing ARP packets on a device consumes the device's resources. In addition, restricted by
the system memory size and required by ARP entry searching efficiency, a device usually limits
the number of ARP entries and the ARP packet processing rate. Sometimes, a large number of
packets whose destination IP addresses cannot be resolved are sent to a device. The device then
keeps resolving the destination IP addresses, causing the device's CPU to be overloaded. This
is called an ARP flood attack. The ARP flood attack severely affects service forwarding on
devices and causes customers to suffer an incalculable economic loss.
Configuring a device to limit the ARP packet processing rate effectively guards against ARP
flood attack, improves network security and stability, and ensures service forwarding for
authorized users.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp speed-limit destination-ip maximum maximum slot slot-id

The ARP packet processing rate is set on an LPU.


By default, an LPU processes 500 ARP packets bound for a specific destination every second.
Step 3 Run:
commit

The configuration is committed.


----End

1.6.4 Limiting the Number of ARP Entries on Interfaces


When the number of dynamic ARP entries that an interface has learned reaches the maximum,
no more entries can be learned. This is to prevent ARP entry resources on the device from being
exhausted when a host connected to the interface attacks the device.

Background
Attackers send a large number of ARP packets with forged source IP addresses to a device,
causing the number of ARP entries on the device to exceed the allowed maximum number. As
a result, the device cannot process valid ARP packets and generate valid ARP entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
arp-limit maximum maximum


The number of ARP entries on an interface is limited.


By default, an interface can learn a maximum of 32768 ARP entries.
NOTE

If the number of ARP entries that have been learnt on an interface exceeds the maximum number, the
interface will not delete the excess learned ARP entries, but will not learn any more new entries.
If the maximum number of dynamic ARP entries that an interface can learn is set to 0, no limit is set on
the number of the dynamic ARP entries.

Step 4 Run:
commit

The configuration is committed.


----End
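The learning rules in 1.6.2 and the entry limit in 1.6.4, modelled in Python as an added example (not NE5000E code). The class and method names, the attacker MAC and the flood addresses are constructed for illustration, and the model assumes that an entry already in the table can still be updated once the limit is reached.

```python
"""Toy model of strict ARP entry learning and the per-interface entry limit."""
from dataclasses import dataclass, field

REQUEST, REPLY = "request", "reply"


@dataclass(frozen=True)
class ArpPacket:
    op: str            # REQUEST or REPLY
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class Interface:
    ip: str
    mac: str
    strict: bool = False       # models "arp learning strict"
    max_entries: int = 32768   # models "arp-limit maximum"; 0 means no limit
    table: dict = field(default_factory=dict)    # ip -> mac, dynamic entries
    pending: set = field(default_factory=set)    # IPs this interface asked about

    def resolve(self, ip):
        """Send our own ARP request and remember which IP we are waiting on."""
        self.pending.add(ip)
        return ArpPacket(REQUEST, self.ip, self.mac, ip)

    def _learn(self, ip, mac):
        is_new = ip not in self.table
        full = self.max_entries != 0 and len(self.table) >= self.max_entries
        if is_new and full:
            return False       # limit reached: no new entry, nothing is deleted
        self.table[ip] = mac   # create, or update an existing entry (assumption)
        return True

    def receive(self, pkt):
        """Process one ARP packet; return the reply this interface sends, if any."""
        if pkt.op == REPLY:
            solicited = pkt.sender_ip in self.pending
            if solicited or not self.strict:
                self._learn(pkt.sender_ip, pkt.sender_mac)
            self.pending.discard(pkt.sender_ip)
            return None
        if pkt.target_ip != self.ip:
            return None        # request is not for our address
        if not self.strict:    # strict mode replies but never learns from requests
            self._learn(pkt.sender_ip, pkt.sender_mac)
        return ArpPacket(REPLY, self.ip, self.mac, pkt.sender_ip)


ATTACKER_MAC = "0000-5e00-5301"   # constructed value


def run_scenario(strict, max_entries=32768):
    """Constructed traffic: one genuine exchange, one forged reply, one flood."""
    gw = Interface("10.1.1.1", "3885-d040-0201", strict, max_entries)
    # Genuine exchange: the interface asks for 10.1.1.2 and the host answers.
    gw.resolve("10.1.1.2")
    gw.receive(ArpPacket(REPLY, "10.1.1.2", "3885-d040-0203", "10.1.1.1"))
    # Forged, unsolicited reply that tries to rebind 10.1.1.2.
    gw.receive(ArpPacket(REPLY, "10.1.1.2", ATTACKER_MAC, "10.1.1.1"))
    # Flood of requests carrying 1000 distinct forged source IP addresses.
    for i in range(1000):
        src = f"10.1.{2 + i // 250}.{1 + i % 250}"
        gw.receive(ArpPacket(REQUEST, src, ATTACKER_MAC, "10.1.1.1"))
    return gw.table


if __name__ == "__main__":
    for strict, limit in ((False, 32768), (False, 100), (True, 32768)):
        table = run_scenario(strict, limit)
        print(f"strict={strict} limit={limit}: {len(table)} entries, "
              f"10.1.1.2 -> {table['10.1.1.2']}")
```

In this model a forged reply is still accepted under strict learning if it arrives while the interface's own request for that IP address is outstanding, and the entry limit caps table growth without stopping an existing entry from being rebound.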

1.6.5 Limiting the ARP Miss Message Processing Rate


Limiting the number of ARP Miss messages with the same source IP address in a time unit on
an LPU prevents resource waste on the router and guards against threats to network security.

Context
An upper-layer device sends an ARP packet destined for a specific host to the router. If the
router does not have the MAC address corresponding to the ARP packet's destination IP address,
Layer 3 forwarding of this ARP packet fails. Then, the router sends an ARP request packet to
the destination host and sends an ARP Miss message to the upper-layer device. Sending too
many ARP Miss messages to the upper-layer devices and sending too many ARP request packets
to the destination host waste resources on the router. This affects processing of other services
on the router. Therefore, the ARP Miss message processing rate must be limited on the router.
An Ethernet is exposed to lots of scan attacks. To prevent these attacks, ARP Miss message
processing rate limiting needs to be configured on devices at the access or aggregation layer on
the Ethernet.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
arp-miss speed-limit source-ip maximum maximum slot slot-id

The ARP Miss message processing rate is set on an LPU.


By default, an LPU processes 500 ARP Miss messages every second.
Step 3 Run:
commit

The configuration is committed.


----End

1.6.6 Checking the Configuration


The configuration of protecting ARP entries against attacks can be checked.

Prerequisite
The configurations of protecting ARP entries against attacks are completed.

Procedure
- Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the ARP
  packet processing rate on an LPU.
- Run the display arp-limit command to check the number of ARP entries that an interface
  can learn.
- Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the rate
  of processing the ARP Miss messages with a specific source IP address.
- Run the display arp learning strict command to check the configuration of strict ARP
  entry learning.

----End

Example
# Run the display arp speed-limit destination-ip [ slot slot-id ] command to view the ARP
packet processing rate on an LPU.
<HUAWEI> display arp speed-limit destination-ip slot 3
Slot    SuppressType    SuppressValue
---------------------------------------------------
3       ARP             500

# Run the display arp-limit command to view the number of ARP entries that an interface can
learn.
<HUAWEI> display arp-limit
interface               LimitNum    VlanID    LearnedNum
---------------------------------------------------------------------------
GigabitEthernet2/0/1    16384       0         0
GigabitEthernet4/0/1    100         0         0
Total:2

# Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to view the rate of
processing the ARP Miss messages with a specific source IP address.
<HUAWEI> display arp-miss speed-limit source-ip slot 3
Slot    SuppressType    SuppressValue
---------------------------------------------------
3       ARP-miss        600

# Run the display arp learning strict command to view the configuration of strict ARP entry
learning.
<HUAWEI> display arp learning strict
The global configuration:arp learning strict
interface                 LearningStrictState
------------------------------------------------------------
GigabitEthernet3/0/1      force-enable
GigabitEthernet4/0/1      force-enable
------------------------------------------------------------
Total:2
Force-enable:2
Force-disable:0

1.7 Configuring ARP-Ping


ARP-Ping is classified into ARP-Ping IP and ARP-Ping MAC.

Applicable Environment
Before configuring an IP address for a device on a LAN, run the arp-ping ip command to check
whether the IP address to be configured is being used by another device on the network.
The ping command can also be used to check whether this IP address is used by another device
on the network. If the destination host and the router have the firewall function enabled and
are configured not to reply to ping packets, they do not reply, so the ping always fails and
the IP address is regarded as being unused. ARP is a Layer 2 protocol. In most cases, ARP
packets can pass through a firewall that is configured not to reply to ping packets. Therefore,
ARP-Ping IP can detect whether an IP address is being used by another device even when the
ping fails.
When a device knows a specific MAC address on a network segment but does not know the
corresponding IP address, the arp-ping mac command can be run on the device to broadcast
ICMP packets to obtain the corresponding IP address.

Pre-configuration Tasks
Before configuring ARP-Ping, complete the following task:
- Configuring link layer protocol parameters and IP addresses for interfaces to ensure that
  the link layer protocol status of the interfaces is Up

Configuration Procedures
You can choose one or more configuration tasks as required.
Figure 1-4 Flowchart for configuring ARP-Ping
(Steps shown: Configure ARP-Ping IP; Configuring ARP-Ping MAC)

1.7.1 Configuring ARP-Ping IP


ARP-Ping IP checks whether an IP address is being used by another device on a LAN by sending
ARP packets.

Procedure
Step 1 Run:
arp-ping ip ip-address [ interface interface-type interface-number ]

Whether an IP address is being used by another device is checked.


There are two possible results after the command is run:
- If the IP address is not being used by another device, the command output is as follows:
[~HUAWEI] arp-ping ip 110.1.1.2
ARP-Pinging 110.1.1.2:
Request timed out
Request timed out
Request timed out
The IP address is not used by anyone!

- If the IP address is being used by another device, the command output is as follows:
[~HUAWEI] arp-ping ip 128.1.1.1
ARP-Pinging 128.1.1.1:
128.1.1.1 is used by 00e0-517d-f202

----End

1.7.2 Configuring ARP-Ping MAC


ARP-Ping MAC checks whether a MAC address is used by another device on a LAN by sending
ICMP packets.

Procedure
Step 1 Run:
arp-ping mac mac-address { ip-address [ vpn-instance vpn-instance-name ] |
interface interface-type interface-number }

Whether a MAC address is being used by another device is checked. (If the MAC address is
used, the IP address corresponding to this MAC address will be displayed.)
There are two possible results after the command is run:
- If the MAC address is not being used by another device, the command output is as follows:
[~HUAWEI] arp-ping mac 00e0-517d-f201 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-01], press CTRL_C to break
Request timed out
Request timed out
Request timed out
----- ARP-Ping MAC statistics -----
3 packet(s) transmitted
0 packet(s) received
MAC[00-E0-51-7D-F2-01] not be used

- If the MAC address is being used by another device, the command output is as follows:
[~HUAWEI] arp-ping mac 00e0-517d-f202 interface gigabitethernet 1/0/0
OutInterface: GigabitEthernet1/0/0 MAC[00-E0-51-7D-F2-02], press CTRL_C to break
----- ARP-Ping MAC statistics -----
1 packet(s) transmitted
1 packet(s) received
IP ADDRESS        MAC ADDRESS
128.1.1.1         00-E0-51-7D-F2-02

----End

1.8 Monitoring the ARP Status


To monitor the ARP status, you can check the ARP entries, strict ARP entry learning on
interfaces, ARP packet statistics, ARP packet processing rate, maximum number of ARP entries
that can be learned by an interface, and source IP address-based ARP Miss message processing
rate.

Procedure
- Run the display arp all command in any view to check all ARP entries on MPUs and LPUs.
- Run the display arp interface interface-type interface-number command in any view to
  check the ARP status on a specified interface.
- Run the display arp slot slot-id command in any view to check the ARP running status on
  a board in a specified slot.
- Run the display arp learning strict command in any view to check strict ARP entry
  learning on all interfaces.
- Run the display arp packet statistics [ slot slot-id ] command in any view to check statistics
  on ARP packets.
- Run the display arp speed-limit destination-ip [ slot slot-id ] command to check the ARP
  packet processing rate on an LPU.
- Run the display arp-limit [ interface interface-type interface-number ] command in any
  view to check the maximum number of ARP entries that the specified interface can learn.
- Run the display arp-miss speed-limit source-ip [ slot slot-id ] command in any view to
  check the rate of processing the ARP Miss messages with a specific source IP address.

----End

1.9 Configuration Examples


This section describes several ARP configuration examples, providing networking requirements,
configuration notes and roadmap, and configuration procedure for each example. Configuration
flowcharts provided in this section will help you understand the configuration procedures.

1.9.1 Example for Configuring Static ARP


This example describes static ARP configuration procedures.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
ARP is a basic link layer protocol that can be used on the Ethernet. It maps devices' IP addresses
to MAC addresses. ARP is simple to use but does not have any security guarantee. Attackers
may send forged ARP packets to attack networks, causing normal services to be interrupted and
devices to break down. Therefore, carriers want to enhance backbone network security.
As shown in Figure 1-5, users are connected to the backbone network through routers. To protect
the devices on the backbone network against ARP attacks and ensure stable data transmission,
static ARP needs to be configured on routers.
Figure 1-5 Networking diagram of configuring static ARP
(RouterA and RouterB connect to the core network.)
Static ARP on RouterA: 10.1.1.1 is mapped to 0000-0a41-0200; 10.1.1.2 is mapped to
0000-0a41-0202; 10.1.1.3 is mapped to 0000-0a41-0204
Static ARP on RouterB: 10.1.2.1 is mapped to 0000-0a41-0300; 10.1.2.2 is mapped to
0000-0a41-0302; 10.1.2.3 is mapped to 0000-0a41-0304

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
- Configure static ARP entries on routers. These entries will not be aged or overwritten by
  dynamic ARP entries. User data can thus be transmitted stably.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses and MAC addresses between which mappings need to be set up

Procedure
Step 1 Configure static ARP entries on Router A. The configuration on Router B is the same as that on
Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] arp static 10.1.1.1 0000-0a41-0200
[~RouterA] arp static 10.1.1.2 0000-0a41-0202
[~RouterA] arp static 10.1.1.3 0000-0a41-0204
[~RouterA] commit

Step 2 Verify the configuration.


# Run the display arp all command on Router A to check configured ARP entries.
<RouterA> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1        0000-0a41-0200            S--
10.1.1.2        0000-0a41-0202            S--
10.1.1.3        0000-0a41-0204            S--
------------------------------------------------------------------------------
Total:3         Dynamic:0       Static:3     Interface:0

----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
arp static 10.1.1.1 0000-0a41-0200
arp static 10.1.1.2 0000-0a41-0202
arp static 10.1.1.3 0000-0a41-0204
#
return

- Configuration file of Router B
#
sysname RouterB
#
arp static 10.1.2.1 0000-0a41-0300
arp static 10.1.2.2 0000-0a41-0302
arp static 10.1.2.3 0000-0a41-0304
#
return

1.9.2 Example for Configuring Routed Proxy ARP


This example describes routed proxy ARP configurations.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
Two users on the same network segment but on different physical networks need to communicate
with each other.
As shown in Figure 1-6, two routers are connected by serial links. No default gateways are set
for Host A and Host B on different physical networks. Routed proxy ARP needs to be configured
on routers to enable Host A and Host B to communicate with each other.
Figure 1-6 Networking diagram of configuring routed proxy ARP
Host A (Ethernet A): 172.16.1.2/16, 0000-5e33-ee20
Router A: GE1/0/0 172.16.1.1/24, 00e0-fc39-80aa (proxy ARP); POS2/0/0 172.17.3.1/24
Router B: GE1/0/0 172.16.2.1/24, 00e0-fc39-80bb (proxy ARP); POS2/0/0 172.17.3.2/24
Host B (Ethernet B): 172.16.2.2/16, 0000-5e33-ee10

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the interface that connects each router to a host, ensuring that
   the link between each host and each router is working properly.
2. Configure routed proxy ARP on the interface that connects each router to a host. After
   receiving an ARP request (for the destination host's MAC address) sent by the host, the
   router enabled with routed proxy ARP responds to the request with its own MAC address.
   The host then forwards data to the router.
3. Configure a default route between two routers to ensure that there is a reachable route
   between them and data can be transmitted along the route.

Data Preparation
To complete the configuration, you need the following data:
- IP address of the interface that connects Router A to Host A: 172.16.1.1/24; IP address of
  the interface that connects Router B to Host B: 172.16.2.1/24
- Default route on each router
- IP address of Host A: 172.16.1.1/16; IP address of Host B: 172.16.2.2/16

Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 172.16.1.1 255.255.255.0

# Enable routed proxy ARP.


[~RouterA-GigabitEthernet1/0/0] arp-proxy enable
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit

# Configure a static route.


[~RouterA] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.2

# Configure an IP address for POS 2/0/0.


[~RouterA] interface pos 2/0/0
[~RouterA-Pos2/0/0] ip address 172.17.3.1 255.255.255.0
[~RouterA-Pos2/0/0] undo shutdown
[~RouterA-Pos2/0/0] quit
[~RouterA] commit

Step 2 Configure Router B.


# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip address 172.16.2.1 255.255.255.0

# Enable routed proxy ARP.


[~RouterB-GigabitEthernet1/0/0] arp-proxy enable
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit

# Configure a static route.


[~RouterB] ip route-static 0.0.0.0 0 pos 2/0/0 172.17.3.1

# Configure an IP address for POS 2/0/0.


[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] ip address 172.17.3.2 255.255.255.0
[~RouterB-Pos2/0/0] undo shutdown
[~RouterB-Pos2/0/0] quit
[~RouterB] commit

Step 3 Configure hosts.


# Configure an IP address for Host A to be 172.16.1.2/16.
# Configure an IP address for Host B to be 172.16.2.2/16.
Step 4 Verify the configuration.
# Ping Host B from Host A, and the ping is successful.
# View ARP entries on Host A. The command output shows that the MAC address of Host B is
the MAC address of GE 1/0/0 on Router A.
C:\Documents and Settings\Administrator>arp -a
Interface: 172.16.1.2 --- 0x2
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc39-80aa        dynamic

----End

Configuration Files
- Configuration file of Router A
#
sysname RouterA
#
ip route-static 0.0.0.0 0 Pos2/0/0
#
admin
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.17.3.1 255.255.255.0
#
return

- Configuration file of Router B
#
sysname RouterB
#
ip route-static 0.0.0.0 0 Pos2/0/0
#
admin
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address 172.17.3.2 255.255.255.0
#
return

1.9.3 Example for Configuring ARP Security


This example describes ARP security configuration procedures.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
ARP is a basic link layer protocol that can be used on the Ethernet. It maps devices' IP addresses
to MAC addresses. ARP is simple to use but does not have any security guarantee. Attackers
may send forged ARP packets to attack networks, causing normal services to be interrupted and
devices to break down. Therefore, carriers want to enhance backbone network security.
As shown in Figure 1-7, an Internet bar is connected to the Internet through the router. ARP
security needs to be configured on the router to protect the Internet bar against ARP attacks.
Figure 1-7 Networking diagram of configuring ARP security
(Devices shown: Router, Switch1, Switch2, Switch3, Switch4, Internet)

Precautions
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. To prevent ARP entry attacks:
   - Limit the ARP packet processing rate on LPUs. This effectively prevents devices from
     continuously processing a large number of invalid ARP packets (with destination IP
     addresses unable to be resolved) sent by attackers. Burdens on the devices' CPUs are
     relieved and valid packets can be properly processed on the devices.
   - Limit the number of ARP entries on interfaces. This effectively prevents devices from
     processing invalid ARP packets with forged source IP addresses sent by attackers. The
     devices can then process valid ARP packets and generate valid ARP entries, ensuring
     proper data forwarding.
   - Configure strict ARP entry learning on interfaces. This effectively prevents devices
     from receiving invalid ARP packets sent by attackers.
2. To guard against ARP scan attacks:
   - Limit the ARP Miss message processing rate on LPUs. This effectively prevents a waste
     of devices' CPU resources in processing too many ARP Miss messages.

Data Preparation
To complete the configuration, you need the following data:
- LPU slot number: 3; number of ARP packets that the LPU processes every second: 50
- Maximum number of ARP entries that an interface can learn: 20
- LPU slot number: 3; number of ARP Miss messages that the LPU processes every second:
  50

Procedure
Step 1 Configure the LPU in slot 3 to process 50 ARP packets to a specific destination every second.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[~HUAWEI] commit
[~Router] arp speed-limit destination-ip maximum 50 slot 3

Step 2 Configure GE 3/0/0 to learn a maximum of 20 ARP entries and enable strict ARP entry learning
on GE 3/0/0.
[~Router] interface Gigabitethernet 3/0/0
[~Router-GigabitEthernet3/0/0] arp-limit maximum 20
[~Router-GigabitEthernet3/0/0] arp learning strict force-enable
[~Router-GigabitEthernet3/0/0] quit

Step 3 Configure the LPU in slot 3 to process 50 ARP Miss messages with a specific source IP address
every second.
[~Router] arp-miss speed-limit source-ip maximum 50 slot 3
[~Router] commit

Step 4 Verify the configuration.


Use a tool to send gratuitous ARP packets to the router. Run the display arp command on the
router. The command output shows that the router has not learned the received gratuitous ARP
packets.
<Router> display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
100.1.1.200     00e0-fc7f-7258            I -         GE3/0/0
100.1.1.180     000d-88f4-d06b  9         D-0         GE2/0/0
100.1.1.24      0013-d326-ab88  9         D-0         GE0/0/0
100.1.1.166     0014-2afd-7376  10        D-0         GE0/0/0
100.1.1.37      00e0-4c77-a2f9  12        D-0         GE0/0/0
100.1.1.168     000d-88f8-332c  14        D-0         GE0/0/0
100.1.1.48      0015-e9ac-7a30  16        D-0         GE0/0/0
32.1.1.1        0088-0010-000a            I -         GE4/0/9
24.1.1.1        0088-0010-0009            I -         GE4/0/8
10.1.1.1        0088-0010-0003            I -         GE4/0/2
10.1.1.2        00e0-fc22-18d5  9         D-3         GE4/0/2
------------------------------------------------------------------------------
Total:11        Dynamic:7       Static:0     Interface:4

Run the display arp speed-limit command on the router to view the configured ARP packet
processing rate. Run the display arp-miss speed-limit command on the router to view the
configured ARP Miss message processing rate.
<Router> display arp speed-limit destination-ip slot 3
Slot    SuppressType    SuppressValue
---------------------------------------------------
3       ARP             50
<Router> display arp-miss speed-limit source-ip slot 3
Slot    SuppressType    SuppressValue
---------------------------------------------------
3       ARP-miss        50

Use a tool to scan the router. Run the display arp packet statistics command on the router to
view the number of discarded ARP Miss messages.
<Router> display arp packet statistics
ARP Pkt Received:                       sum 23
ARP-Miss Msg Received:                  sum 0
ARP Learnned Count:                     sum 8
ARP Pkt Discard For Limit:              sum 5
ARP Pkt Discard For SpeedLimit:         sum 0
ARP Pkt Discard For Other:              sum 10
ARP-Miss Msg Discard For SpeedLimit:    sum
ARP-Miss Msg Discard For Other:         sum 0

----End

Configuration Files
#
sysname Router
arp speed-limit destination-ip maximum 50 slot 3
arp-miss speed-limit source-ip maximum 50 slot 3
#
admin
interface GigabitEthernet3/0/0
undo shutdown
arp learning strict force-enable
arp-limit maximum 20
#
return
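
The controls from the configuration roadmap above can be checked against a saved configuration file. The following Python script is an added example, not part of the original guide or of any Huawei tool; it reports missing or weakened ARP rate limits, ARP entry limits and strict ARP entry learning. The sample configuration is constructed, and the global arp learning strict line and the force-disable keyword are assumptions taken from the display arp learning strict output shown earlier.

```python
import re

# Defaults stated in this guide.
DEFAULT_RATE = {
    "arp speed-limit destination-ip": 500,  # ARP packets per second on an LPU
    "arp-miss speed-limit source-ip": 500,  # ARP Miss messages per second on an LPU
}
DEFAULT_ARP_LIMIT = 32768  # dynamic ARP entries an interface can learn

# Constructed sample in the layout of the "Configuration Files" sections.
# The arp-miss line deliberately uses a keyword the procedure does not document.
SAMPLE_CONFIG = """\
#
sysname Router
arp speed-limit destination-ip maximum 50 slot 3
arp-miss speed-limit destination-ip maximum 50 slot 3
#
interface GigabitEthernet3/0/0
 undo shutdown
 arp learning strict force-enable
 arp-limit maximum 20
#
interface GigabitEthernet3/0/1
 undo shutdown
 arp-limit maximum 0
#
return
"""


def parse_config(text):
    """Return (global_lines, {interface: [lines]}) from a saved configuration."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            if line:
                current = None  # '#' and 'return' close the current view
            continue
        match = re.fullmatch(r"interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, slots, user_interfaces):
    """Return (scope, message) findings for the given LPU slots and interfaces."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd, default in DEFAULT_RATE.items():
        prefix = cmd.split()[0] + " speed-limit "
        pattern = re.compile(re.escape(cmd) + r" maximum (\d+) slot (\S+)")
        configured = set()
        for line in global_lines:
            match = pattern.fullmatch(line)
            if match:
                configured.add(match.group(2))
            elif line.startswith(prefix):
                findings.append(("global", f"not the documented syntax: {line}"))
        for slot in slots:
            if slot not in configured:
                findings.append((f"slot {slot}", f"{cmd} not set, default {default}/s applies"))

    # Assumption: a global 'arp learning strict' line applies unless an interface overrides it.
    global_strict = "arp learning strict" in global_lines
    for name in user_interfaces:
        lines = interfaces.get(name)
        if lines is None:
            findings.append((name, "interface not found in configuration"))
            continue
        limit = DEFAULT_ARP_LIMIT
        for line in lines:
            match = re.fullmatch(r"arp-limit maximum (\d+)", line)
            if match:
                limit = int(match.group(1))
        if limit == 0:
            findings.append((name, "arp-limit maximum 0: dynamic ARP entries are unlimited"))
        elif limit == DEFAULT_ARP_LIMIT:
            findings.append((name, f"arp-limit at default {DEFAULT_ARP_LIMIT}"))
        strict = global_strict
        if "arp learning strict force-enable" in lines:
            strict = True
        elif "arp learning strict force-disable" in lines:
            strict = False
        if not strict:
            findings.append((name, "strict ARP entry learning not in effect"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG, ["3"],
                                ["GigabitEthernet3/0/0", "GigabitEthernet3/0/1"]):
        print(f"{scope}: {message}")
```

On the constructed sample, GigabitEthernet3/0/0 passes, while the mistyped arp-miss line leaves slot 3 on the default ARP Miss rate and GigabitEthernet3/0/1 has neither an entry limit nor strict learning.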

2 ACL Configuration

About This Chapter


You can distinguish packets through access control lists (ACLs) and process them in different
manners.
2.1 ACL Overview
An ACL is a list of rules. An ACL classifies packets according to ACL rules, and then the device
determines whether to accept the classified packets according to the rules in the ACL. An ACL
can be applied to multiple services, such as the routing policy, traffic policy and QoS.
2.2 ACL Types Supported by the NE5000E
According to the differences in filtering rules, ACLs can be categorized into interface-based
ACLs, basic ACLs, advanced ACLs, Ethernet frame header-based ACLs and MPLS-based
ACLs.
2.3 Configuring an Interface-based ACL
An interface-based ACL is an ACL that specifies rules according to interfaces that receive
packets.
2.4 Configuring a Basic ACL
When defining rules in a basic ACL, you can specify source IP addresses.
2.5 Configuring an Advanced ACL
You can define rules in an advanced ACL according to the source address, destination address,
type of the protocol over IP, and protocol features such as the source port and destination port
of TCP and the type and code of ICMP.
2.6 Configuring an Ethernet Frame Header-based ACL
You can define rules in an Ethernet frame header-based ACL according to the source MAC
address, destination MAC address, and the protocol type.
2.7 Configuring a MPLS-based ACL
MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.
2.8 Configuring the Validity Period of an ACL Rule
By performing this configuration task, you can configure the validity period of an ACL rule.
2.9 Maintaining an ACL
This section describes how to maintain an ACL. Detailed operations include clearing ACL
statistics and monitoring the ACL operation.

2.1 ACL Overview


An ACL is a list of rules. An ACL classifies packets according to ACL rules, and then the device
determines whether to accept the classified packets according to the rules in the ACL. An ACL
can be applied to multiple services, such as the routing policy, traffic policy and QoS.
To filter packets, the device needs to be configured with a set of rules. These rules are defined
in an ACL.
An ACL is an ordered set of rules that consist of a series of deny | permit clauses. ACL rules
are applied to interfaces on the device. The device permits or denies packets according to the
ACL rules.
ACLs can be classified into the following types:
- Interface-based ACLs: classify packets according to the interface from which packets are
  received.
- Basic ACLs: classify packets according to the source address.
- Advanced ACLs: classify packets according to the source address, destination address,
  source port number, destination port number, and protocol type.
- Ethernet frame header-based ACLs: classify packets according to the source MAC address
  and destination MAC address.
- MPLS-based ACLs: classify MPLS packets according to the Exp value, label, or TTL value
  in MPLS packets.
NOTE

As a mere group of rules, an ACL does not implement the function of filtering packets. An ACL can only
identify packets of a certain type. How packets are processed depends on the functions introduced to an
ACL. In the NE5000E, the ACL must be used in conjunction with certain functions, such as routing policy
and QoS, to filter packets.

2.2 ACL Types Supported by the NE5000E


According to the differences in filtering rules, ACLs can be categorized into interface-based
ACLs, basic ACLs, advanced ACLs, Ethernet frame header-based ACLs and MPLS-based
ACLs.

Interface-based ACLs
The rules in an interface-based ACL are defined according to the inbound interfaces of packets
and are used to filter packets received by different inbound interfaces. The number of an
interface-based ACL ranges from 1000 to 1999.

Basic ACL
The rules in a basic ACL are defined according to the source addresses of packets and are used
to filter packets with different source addresses. The number of a basic ACL ranges from 2000
to 2999.
Basic ACLs are commonly applied to the implementation of the routing policy and QoS. For
example, by configuring an ACL, you can control the rights of users logging in to the device or
control the traffic on the device.

Advanced ACLs
The rules in an advanced ACL are defined according to the source addresses, destination
addresses, protocol types, source port numbers, and destination port numbers of packets.
Advanced ACLs can be classified into numbered ACLs and named ACLs according to the
naming rule of ACLs. The number of a numbered ACL ranges from 3000 to 3999; the number
of a named ACL ranges from 42768 to 59151.
An advanced ACL provides more extensive filtering rules, which can be applied to the routing
policy and packet filtering. For example, you can configure an advanced ACL in the multicast
service to filter multicast packets with different source addresses and group addresses.

Ethernet Frame Header-based ACLs


The rules in an Ethernet frame header-based ACL are defined according to Ethernet frame header
information in packets. The number of an Ethernet frame header-based ACL ranges from 4000
to 4099.
Ethernet frame header-based ACLs are commonly applied to packet filtering. During rule
matching, the wildcards of the Layer 2 protocol type are compared first. If the wildcards of the
Layer 2 protocol type are the same, the source MAC address wildcards are compared. If the
source MAC address wildcards are the same, the destination MAC address wildcards are
compared. If the destination MAC address wildcards are still the same, the rules are arranged
according to the configuration order.

MPLS-based ACLs
MPLS-based ACLs classify packets based on the Exp value, label, and TTL value in MPLS
packets. MPLS-based ACLs are numbered from 10000 to 10999. This means that a maximum
of 999 MPLS ACLs can be configured.

2.3 Configuring an Interface-based ACL


An interface-based ACL is an ACL that specifies rules according to interfaces that receive
packets.

Applicable Environment
Figure 2-1 Typical application environment of an interface-based ACL
(Labels shown: Network A, GE1/0/0, RouterA with the interface-based ACL enabled, GE2/0/0,
Network B, Internet)

As shown in Figure 2-1, an ACL that is based on GE 1/0/0 is created on Router A. Router A
needs to accept all the packets that are sent from Network A to the Internet and deny all the
packets that are sent from Network B to the Internet.

Pre-configuration Tasks
Before configuring an Interface-based ACL, complete the following tasks:
- Configuring the parameters of the link layer protocol for interfaces to ensure that the link
  layer protocol status of interfaces is Up

Configuration Procedure
Figure 2-2 Flowchart for configuring an interface-based ACL
(Steps shown: Create an interface-based ACL; Configure rules for an interface-based ACL;
Configure an ACL step; Configure an ACL description)

2.3.1 Creating an Interface-based ACL


This part describes how to create an interface-based ACL, whose number ranges from 1000 to
1999.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An interface-based ACL is created.


Step 3 Run:
commit

The configuration is committed.


----End

2.3.2 Configuring Rules for an Interface-based ACL


The rules in an interface-based ACL are defined according to inbound interfaces of packets and
are used to filter packets received by different inbound interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The interface-based ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number |
any } [ time-range time-name ] *

Rules for the interface-based ACL are configured.


Step 4 Run:
commit

The configuration is committed.


----End

2.3.3 (Optional) Configuring an ACL Step


An ACL step is the difference between two adjacent automatically assigned ACL rule numbers.
By setting an ACL step, you can change the numbers of existing ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
step step

An ACL step is set.


When changing ACL configurations, note the following:
• The undo step command restores the default step and re-arranges ACL rules.
• The default step is 5.
Step 4 Run:
commit

The configuration is committed.


----End

2.3.4 (Optional) Configuring an ACL Description


An ACL description records the purpose of an ACL so that the purpose is clear when you view
the configuration of the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
description text

The ACL description is configured.


The description of an ACL indicates the purpose of an ACL and cannot be longer than 127
characters.
Step 4 Run:
commit

The configuration is committed.


----End

2.3.5 Checking the Configuration


You can view the configuration of an interface-based ACL.

Prerequisite
The configuration of the interface-based ACL is complete.

Procedure
Step 1 Run the display acl { acl-number | all } command to view the configured ACL rules.
----End

Example
After running the preceding command, you can view the ACL number, number of ACL rules,
ACL step, and rule contents.
<HUAWEI> display acl 1200
Interface Based ACL 1200,1 rule
ACL's step is 5
ACL's match-order is config
rule 5 permit interface Pos4/0/0 (1 times matched)


2.4 Configuring a Basic ACL


When defining rules in a basic ACL, you can specify source IP addresses.

Applicable Environment
Figure 2-3 Typical application environment of a basic ACL
[Figure: Network A (10.1.1.0/24), Network B (10.1.2.0/24), and Network C (10.1.3.0/24) reach the Internet through Router A (interfaces GE1/0/0 and GE2/0/0), on which the basic ACL is enabled.]

As shown in Figure 2-3, a basic ACL is created on Router A. Router A accepts the packets that
are sent from Network A and refuses the packets that are sent from Network B and Network C
to the Internet.

Pre-configuration Tasks
Before configuring a basic ACL, complete the following tasks:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up

Configuration Procedure
Figure 2-4 Flowchart for configuring a basic ACL
[Flowchart: Create a basic ACL, then Configure rules for a basic ACL, then Configure an ACL step, then Configure an ACL description. The legend distinguishes mandatory and optional procedures.]

2.4.1 Creating a Basic ACL


This part describes how to create a basic ACL, whose number ranges from 2000 to 2999.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

A basic ACL is created.


Step 3 Run:
commit

The configuration is committed.


----End

2.4.2 Configuring Rules for a Basic ACL


A basic ACL uses a source IP address, a fragment type, and a time range in which an ACL rule
takes effect to define an ACL rule.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The basic ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment-type fragment-type-name | source
{ source-ip-address source-wildcard | any } | time-range time-name | vpn-instance
vpn-instance-name ] *

The rules for the basic ACL are configured.


Step 4 Run:
commit

The configuration is committed.


----End

2.4.3 (Optional) Configuring an ACL Step


An ACL step is the difference between two adjacent automatically assigned ACL rule numbers.
By setting an ACL step, you can change the numbers of existing ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
step step

An ACL step is set.


When changing ACL configurations, note the following:
• The undo step command restores the default step and re-arranges ACL rules.
• The default step is 5.
Step 4 Run:
commit

The configuration is committed.


----End

2.4.4 (Optional) Configuring an ACL Description


An ACL description records the purpose of an ACL so that the purpose is clear when you view
the configuration of the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
description text

The ACL description is configured.


The description of an ACL indicates the purpose of an ACL and cannot be longer than 127
characters.
Step 4 Run:
commit

The configuration is committed.


----End

2.4.5 Checking the Configuration


You can view the configuration of a basic ACL.

Prerequisite
The configuration of the basic ACL is complete.

Procedure
Step 1 Run the display acl { acl-number | all } command to view the configured basic ACL.
----End

Example
After running the preceding command, you can view the ACL number, number of ACL rules,
ACL step, and rule contents.
<HUAWEI> display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
Acl's match-order is config
rule 5 deny source 10.1.1.1 0 (3 times matched)


2.5 Configuring an Advanced ACL


You can define rules in an advanced ACL according to the source address, destination address,
type of the protocol over IP, and protocol features such as the source port and destination port
of TCP and the type and code of ICMP.

Applicable Environment
Figure 2-5 Typical application environment of an advanced ACL
[Figure: Network A (1.1.1.0/24), Network B (2.2.2.0/24), Network C (3.3.3.0/24), and Network D (4.4.4.0/24); RouterA, RouterB, RouterC, and RouterD are connected through RouterE, which ICMP packets traverse.]

As shown in Figure 2-5, an advanced ACL is created on Router E. Router E needs to accept all
the ICMP packets sent from Router B to Router D and deny all the ICMP packets sent from
Router A to Router C.

Pre-configuration Tasks
Before configuring an advanced ACL, complete the following tasks:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interfaces is Up

Configuration Procedure
Figure 2-6 Flowchart for configuring an advanced ACL
[Flowchart with two parallel paths, "Configure numbered advanced ACL" and "Configure named advanced ACL". Each path: Create an advanced ACL, then Configure rules for an advanced ACL, then Configure an ACL step, then Configure an ACL description. The legend distinguishes mandatory and optional procedures.]

2.5.1 Creating an Advanced ACL


This part describes how to create a numbered advanced ACL whose number ranges from 3000
to 3999 or a named advanced ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run either of the following commands according to the naming mode of the advanced ACL:
• Run the acl [ number ] acl-number [ match-order { auto | config } ] command to create a
numbered advanced ACL.
The number of a numbered advanced ACL ranges from 3000 to 3999.
• Run the acl name acl-name [ number acl-number ] [ match-order { auto | config } ]
command to create a named advanced ACL.
The number of a named advanced ACL ranges from 42768 to 59151.
Step 3 Run:
commit

The configuration is committed.


----End

2.5.2 Configuring Rules for an Advanced ACL


You can define rules in an advanced ACL according to the source IP address, destination IP
address, type of the protocol over IP, source port, and destination port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run either of the following commands according to the naming mode of the advanced ACL:
• Run the acl [ number ] acl-number command to create a numbered advanced ACL.
The number of a numbered advanced ACL ranges from 3000 to 3999.
• Run the acl name acl-name [ number acl-number ] command to create a named advanced
ACL.
The number of a named advanced ACL ranges from 42768 to 59151.
Step 3 Do as follows as required:
• If the value of protocol is UDP, run the following command to create an ACL rule:
rule [ rule-id ] { deny | permit } udp [ [ dscp dscp | [ precedence precedence | tos tos ] * ]
| destination { destination-ip-address destination-wildcard | any } | destination-port
operator port | fragment-type fragment-type-name | source { source-ip-address
source-wildcard | any } | source-port operator port | time-range time-name |
vpn-instance vpn-instance-name ] *
• If the value of protocol is TCP, run the following command to create an ACL rule:
rule [ rule-id ] { deny | permit } tcp [ [ dscp dscp | [ precedence precedence | tos tos ] * ]
| destination { destination-ip-address destination-wildcard | any } | destination-port
operator port | fragment-type fragment-type-name | source { source-ip-address
source-wildcard | any } | source-port operator port | syn-flag syn-flag | time-range
time-name | vpn-instance vpn-instance-name ] *
• If the value of protocol is ICMP, run the following command to create an ACL rule:
rule [ rule-id ] { deny | permit } icmp [ [ dscp dscp | [ precedence precedence | tos tos ] * ]
| destination { destination-ip-address destination-wildcard | any } | fragment-type
fragment-type-name | icmp-type { icmp-name | icmp-type icmp-code } | source
{ source-ip-address source-wildcard | any } | time-range time-name | vpn-instance
vpn-instance-name ] *
• If the value of protocol is a protocol other than TCP, UDP, and ICMP, run the following
command to create an ACL rule:
rule [ rule-id ] { deny | permit } protocol [ [ dscp dscp | [ precedence precedence | tos
tos ] * ] | destination { destination-ip-address destination-wildcard | any } |
fragment-type fragment-type-name | source { source-ip-address source-wildcard | any } |
time-range time-name | vpn-instance vpn-instance-name ] *


NOTE

You can configure the advanced ACL according to the protocol type. The parameters that can be
specified differ for different protocol types.
• For TCP and UDP, the [ source-port operator port ] [ destination-port operator port ] parameters
are available. They cannot be configured for other protocols.
• For TCP, the [ syn-flag syn-flag ] parameter is available. It cannot be configured for other
protocols.

Step 4 Run:
commit

The configuration is committed.


----End

2.5.3 (Optional) Configuring an ACL Step


An ACL step is the difference between two adjacent automatically assigned ACL rule numbers.
By setting an ACL step, you can change the numbers of existing ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
step step

An ACL step is set.


When changing ACL configurations, note the following:
• The undo step command restores the default step and re-arranges ACL rules.
• The default step is 5.
Step 4 Run:
commit

The configuration is committed.


----End

2.5.4 (Optional) Configuring an ACL Description


An ACL description records the purpose of an ACL so that the purpose is clear when you view
the configuration of the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
description text

The ACL description is configured.


The description of an ACL indicates the purpose of an ACL and cannot be longer than 127
characters.
Step 4 Run:
commit

The configuration is committed.


----End

2.5.5 Checking the Configuration


You can view the configuration of an advanced ACL.

Prerequisite
The configuration of the advanced ACL is complete.

Procedure
Step 1 Run the display acl { name acl-name | acl-number | all } command to view the configuration
of the advanced ACL.
----End

Example
Run the command, and you can view the ACL number, number of rules, ACL step, and rule
contents.
<HUAWEI> display acl 3000
Advanced ACL 3000, 3 rules
Acl's step is 5
Acl's match-order is config
rule 0 permit icmp (0 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (2 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (1 times matched)
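
The following Python sketch is an added example, not part of the Huawei guide: it parses display acl output in the format shown above for basic and advanced ACLs, applies wildcard-mask comparison to find the first rule a packet hits, and lists permit rules without any address constraint and rules that were never matched. It assumes that the device lists rules in the order in which it evaluates them; all function names are hypothetical, and keywords other than source and destination are recorded but not evaluated.

```python
import ipaddress
import re

# Constructed sample: the `display acl 3000` output shown above.
SAMPLE = """\
<HUAWEI> display acl 3000
Advanced ACL 3000, 3 rules
Acl's step is 5
Acl's match-order is config
rule 0 permit icmp (0 times matched)
rule 1 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 (2 times matched)
rule 2 permit tcp source 10.110.0.0 0.0.255.255 (1 times matched)
"""

HEADER_RE = re.compile(r"^\s*(?P<kind>.+?) ACL (?P<number>\d+),\s*(?P<count>\d+) rules?")
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s*(?P<body>.*?)"
    r"\s*\((?P<hits>\d+) times matched\)\s*$")
# Keywords from the rule syntax on this page that are not protocol names.
NON_PROTOCOL = {"source", "destination", "fragment-type", "time-range", "vpn-instance"}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_rule(m):
    rule = {"id": int(m["id"]), "action": m["action"], "hits": int(m["hits"]),
            "protocol": "ip", "source": None, "destination": None, "unparsed": []}
    tokens = m["body"].split()
    # Advanced ACL rules start with a protocol keyword; basic ACL rules do not.
    if tokens and tokens[0] not in NON_PROTOCOL:
        rule["protocol"] = tokens.pop(0)
    while tokens:
        key = tokens.pop(0)
        if key in ("source", "destination") and tokens:
            addr = tokens.pop(0)
            if addr != "any":
                wildcard = tokens.pop(0) if tokens else "0"
                # A bare "0" is how the output abbreviates wildcard 0.0.0.0 (one host).
                rule[key] = (_ip(addr), 0 if wildcard == "0" else _ip(wildcard))
        else:
            rule["unparsed"].append(key)  # not evaluated by this sketch
    return rule


def parse_display_acl(text):
    """Parse one ACL from `display acl` output into a dict."""
    acl = {"rules": []}
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            acl.update(kind=m["kind"].strip(), number=int(m["number"]),
                       count=int(m["count"]))
        elif (m := re.match(r"(?i)\s*acl's step is (\d+)", line)):
            acl["step"] = int(m[1])
        elif (m := re.match(r"(?i)\s*acl's match-order is (\w+)", line)):
            acl["match_order"] = m[1]
        elif (m := RULE_RE.match(line)):
            acl["rules"].append(_parse_rule(m))
    return acl


def _covers(spec, addr):
    if spec is None:                 # no constraint, or "any"
        return True
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF    # wildcard bit 1 = ignore, 0 = compare
    return (addr & care) == (base & care)


def first_match(acl, protocol, src, dst):
    """Return the first listed rule that the packet hits, or None."""
    for rule in acl["rules"]:
        if rule["protocol"] not in ("ip", protocol):
            continue
        if _covers(rule["source"], _ip(src)) and _covers(rule["destination"], _ip(dst)):
            return rule
    return None


def review(acl):
    """Return (permit rules with no address constraint, rules never matched)."""
    broad = [r["id"] for r in acl["rules"]
             if r["action"] == "permit" and r["source"] is None
             and r["destination"] is None]
    unused = [r["id"] for r in acl["rules"] if r["hits"] == 0]
    return broad, unused


if __name__ == "__main__":
    acl = parse_display_acl(SAMPLE)
    hit = first_match(acl, "tcp", "10.110.7.9", "8.8.8.8")
    print("ACL", acl["number"], "first match:", hit["id"], hit["action"])
    print("broad permits / unused rules:", review(acl))
```

A result of None from first_match means that no listed rule applies; what the device then does with the packet depends on the feature that references the ACL.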

2.6 Configuring an Ethernet Frame Header-based ACL


You can define rules in an Ethernet frame header-based ACL according to the source MAC
address, destination MAC address, and the protocol type.

Applicable Environment
Figure 2-7 Typical application environment of an Ethernet frame header-based ACL
[Figure: Network A (labelled 1-1-1 1-1-1), Network B (labelled 2-2-2 0-0-1), Network C (labelled 4-4-4 0-0-0), and Network D (labelled 3-3-3 1-1-0); RouterA, RouterB, RouterC, and RouterD are connected through Router E, which MAC frames traverse.]

As shown in Figure 2-7, an Ethernet frame header-based ACL is created on Router E. Router
E needs to filter packets from Network A and Network B according to source MAC addresses
or filter packets destined for Network C and Network D according to destination MAC addresses.

Pre-configuration Tasks
Before configuring an Ethernet frame header-based ACL, complete the following tasks:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up

Configuration Procedure
Figure 2-8 Flowchart for configuring an Ethernet frame header-based ACL
[Flowchart: Create an Ethernet frame header-based ACL, then Configure rules for an Ethernet frame header-based ACL, then Configure an ACL step, then Configure an ACL description. The legend distinguishes mandatory and optional procedures.]

2.6.1 Creating an Ethernet Frame Header-based ACL


This part describes how to create an Ethernet frame header-based ACL, whose number ranges
from 4000 to 4099.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number [ match-order { auto | config } ]

An Ethernet frame header-based ACL is created.


Step 3 Run:
commit

The configuration is committed.


----End

2.6.2 Configuring Rules for an Ethernet Frame Header-based ACL


When defining rules for an Ethernet frame header-based ACL, you can specify source MAC
addresses, destination MAC addresses, and protocol types of packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ type type type-mask | source-mac source-mac
sourcemac-mask | dest-mac dest-mac destmac-mask | time-range time-name ] *

Rules for the Ethernet frame header-based ACL are configured.


Step 4 Run:
commit

The configuration is committed.


----End

2.6.3 (Optional) Configuring an ACL Step


An ACL step is the difference between two adjacent automatically assigned ACL rule numbers.
By setting an ACL step, you can change the numbers of existing ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
step step

An ACL step is set.


When changing ACL configurations, note the following:
• The undo step command restores the default step and re-arranges ACL rules.
• The default step is 5.
Step 4 Run:
commit

The configuration is committed.


----End

2.6.4 (Optional) Configuring an ACL Description


An ACL description records the purpose of an ACL so that the purpose is clear when you view
the configuration of the ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl acl-number

The ACL view is displayed.


Step 3 Run:
description text

The ACL description is configured.


The description of an ACL indicates the purpose of an ACL and cannot be longer than 127
characters.
Step 4 Run:
commit

The configuration is committed.


----End

2.6.5 Checking the Configuration


You can view the configuration of an Ethernet frame header-based ACL.

Prerequisite
The configuration of the Ethernet frame header-based ACL is complete.

Procedure
Step 1 Run the display acl { acl-number | all } command to view the configuration of the Ethernet
frame header-based ACL.
----End

Example
Run the preceding command, and you can view the ACL number, number of ACL rules, ACL
step, and rule contents.
<HUAWEI> display acl 4001
Ethernet frame ACL 4001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 deny source-mac 0000-0000-0000 0002-0002-0002 dest-mac 0002-0002-0002
0003-0003-0003 (0 times matched)
rule 10 deny type 0200 0222 dest-mac 0000-0000-0000 0002-0002-0002 (2 times
matched)

2.7 Configuring an MPLS-based ACL


An MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.

2.7.1 Creating an MPLS-based ACL


This part describes how to create an MPLS-based ACL, whose number ranges from 10000 to
10999.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

An MPLS-based ACL is created.


----End

2.7.2 Configuring Rules for an MPLS-based ACL


An MPLS-based ACL defines rules to filter packets based on the Exp value, Label value, and TTL
value of MPLS packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The MPLS-based ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { ttl-operator ttl-value | any } &<1-3> ] *

Rules for the MPLS-based ACL are configured.


----End

2.7.3 Checking the Configuration


You can view the configuration of an MPLS-based ACL.

Prerequisite
The configuration of the MPLS-based ACL is complete.

Procedure
• Run the display acl { acl-number | all } command to check the configured ACL rule.

----End

Example
After running the preceding command, you can view the ACL number, number of ACL rules,
and rule contents.
<HUAWEI> display acl 10001
Mpls ACL 10001, 2 rules
Acl's step is 5
rule 5 permit exp 2 any any any (0 times matched)
rule 10 permit ttl gt 2 any any (0 times matched)

2.8 Configuring the Validity Period of an ACL Rule


By performing this configuration task, you can configure the validity period of an ACL rule.

Applicable Environment
To control certain types of traffic in a specified period, you can configure the validity period of
an ACL rule to determine when the rule applies to the traffic. For example, to ensure reliable
transmission of video traffic at prime time at night, you need to limit the volume of traffic for
common online users.
After this configuration task is performed, a time range is created. Then, you can specify the
time range as the validity period when creating an ACL rule.
The validity period of an ACL rule can be either of the following types:
• Absolute time range: The validity period is fixed.
• Relative time range: The validity period recurs periodically, for example, each Monday.

Pre-configuration Tasks
Before configuring the validity period of an ACL rule, complete the following tasks:
• Configuring the parameters of the link layer protocol for interfaces to ensure that the link
layer protocol status of the interface is Up
• Configuring an ACL

Configuration Procedure
Figure 2-9 Flowchart for configuring the validity period of an ACL rule
[Flowchart: Create the validity period of an ACL rule, then Specify the validity period for an ACL rule. The legend distinguishes mandatory and optional procedures.]

2.8.1 Creating the Validity Period of an ACL Rule


This configuration task is to create the validity period of an ACL rule. You can create multiple
validity periods with the same name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

The validity period of an ACL rule is created.


Step 3 Run:
commit

The configuration is committed.


----End

2.8.2 Specifying the Validity Period for an ACL Rule


After you specify a validity period for an ACL rule, the rule takes effect during the specified
time.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl [ number ] acl-number

The ACL view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } time-range time-name

The validity period is configured for the ACL rule.


NOTE

If a validity period that does not exist is specified for an ACL rule, the rule is invalid.

Step 4 Run:
commit

The configuration is committed.


----End

2.8.3 Checking the Configuration


You can view the configuration of the validity period for an ACL rule.

Prerequisite
The configuration of the validity period for an ACL rule is complete.

Procedure
Step 1 Run the display time-range { time-name | all } command to view the validity period for the ACL rule.
----End

Example
Run the display time-range command to view the configuration and status of the validity period
for the ACL rule.
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
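
The following Python sketch is an added example, not part of the Huawei guide: it recomputes the Active/Inactive state of each time range from the display time-range output above and flags ACL rules that reference a time range that does not exist, the case that the NOTE in 2.8.2 says makes a rule invalid. The two rule lines and all function names are hypothetical; treating an end time of 00:00 as the end of the day is an assumption taken from the sample, where active1 is reported as Active at 14:19, and only the daily form shown on this page is handled.

```python
import re
from datetime import datetime

# Constructed input: the `display time-range all` output shown above.
DISPLAY = """\
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
"""
# Hypothetical rule lines; the second references a range that is not defined.
RULES = [
    "rule 5 permit source 10.1.1.0 0.0.0.255 time-range time1",
    "rule 10 deny time-range night",
]


def parse_display_time_range(text):
    """Return (device time, {name: {"reported": str, "periods": [str]}})."""
    now, ranges, current = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.match(r"Current time is (\S+ \S+)", line)):
            now = datetime.strptime(m.group(1), "%H:%M:%S %m-%d-%Y")
        elif (m := re.match(r"Time-range\s*:\s*(\S+)\s*\(\s*(\w+)\s*\)", line)):
            current = ranges.setdefault(
                m.group(1), {"reported": m.group(2), "periods": []})
        elif line and current is not None:
            current["periods"].append(line)
    return now, ranges


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def period_active(period, now):
    """Evaluate one period line against the device time."""
    m = re.fullmatch(r"from (\S+ \S+)(?: to (\S+ \S+))?", period)
    if m:  # absolute range; an open end is treated as unlimited
        start = datetime.strptime(m.group(1), "%H:%M %Y/%m/%d")
        end = (datetime.strptime(m.group(2), "%H:%M %Y/%m/%d")
               if m.group(2) else datetime.max)
        return start <= now <= end
    m = re.fullmatch(r"(\d+:\d+) to (\d+:\d+) daily", period)
    if m:  # periodic range that applies every day
        start, end = _minutes(m.group(1)), _minutes(m.group(2))
        if end == 0:              # assumption: 00:00 as an end time means midnight
            end = 24 * 60
        return start <= now.hour * 60 + now.minute < end
    raise ValueError("period format not covered by this sketch: " + period)


def computed_status(text):
    """Recompute the state of every range that has exactly one period."""
    now, ranges = parse_display_time_range(text)
    return {name: period_active(info["periods"][0], now)
            for name, info in ranges.items() if len(info["periods"]) == 1}


def mismatches(text):
    """Names whose recomputed state differs from the state the device reports."""
    _, ranges = parse_display_time_range(text)
    return [name for name, active in computed_status(text).items()
            if (ranges[name]["reported"] == "Active") != active]


def undefined_references(rule_lines, ranges):
    """(rule-id, time-range name) for rules that reference an undefined range."""
    findings = []
    for line in rule_lines:
        m = re.match(r"rule (\d+) .*\btime-range (\S+)", line)
        if m and m.group(2) not in ranges:
            findings.append((int(m.group(1)), m.group(2)))
    return findings


if __name__ == "__main__":
    _, ranges = parse_display_time_range(DISPLAY)
    print("computed:", computed_status(DISPLAY))
    print("mismatches:", mismatches(DISPLAY))
    print("undefined references:", undefined_references(RULES, ranges))
```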

2.9 Maintaining an ACL


This section describes how to maintain an ACL. Detailed operations include clearing ACL
statistics and monitoring the ACL operation.

2.9.1 Clearing ACL Statistics


This part describes how to clear ACL statistics.

Context

CAUTION
ACL statistics cannot be restored after being cleared. So, confirm the action before you run the
following command.

Procedure
Step 1 After confirming that ACL statistics need to be cleared, run the reset acl counter { acl-number |
name acl-name | all } command in the user view.
----End

2.9.2 Monitoring the ACL Operation


This part describes how to monitor the ACL operation.

Context
In routine maintenance, you can run either of the following commands in any view to view the
ACL operation.

Procedure
• Run:
display acl { acl-number | name acl-name | all }

The operation of the ACL is displayed.

• Run:
display time-range { time-name | all }

The time range of the ACL is displayed.


----End

3 Basic Configurations of IPv4

About This Chapter


By configuring IPv4 addresses for network interfaces, you can implement data communication
between network devices. In addition, by controlling ICMP packets and IP packets carrying
options, you can improve network security.
3.1 IPv4 Overview
The Internet Protocol is the core protocol in the TCP/IP protocol suite. All TCP, UDP, ICMP
and IGMP data is transmitted in the format of IP packets. Devices in different networks use IP
addresses for communication. To ensure the security of the TCP/IP protocol suite, you can
defend against network attacks by controlling ICMP packets and IP packets carrying options.
3.2 IPv4 Features Supported by the NE5000E
IP addresses can be obtained through static manual configuration, auto-negotiation, or
borrowing. To implement the communication of the network, by controlling whether to process
the IP packets carrying route options or controlling the sending or receiving of ICMP packets,
you can effectively defend networks against attacks utilizing these packets.
3.3 Configuring IP Addresses for Interfaces
Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.
3.4 Configuring IP Address Negotiation on Interfaces
If users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IP
addresses to the clients through the address negotiation function of PPP.
3.5 Configuring IP Unnumbered on Interfaces
IP address unnumbered refers to the situation that an interface that is not assigned an IP address
obtains an IP address by borrowing an IP address from another interface.
3.6 Configuring the Security of the IPv4 Protocol Stack
By controlling whether to process the IP packets carrying route options or controlling the sending
or receiving of ICMP packets, you can effectively defend networks against attacks utilizing these
packets.
3.7 Configuring TCP
By setting IP packets, you can improve the performance of the network.
3.8 Maintaining IPv4
Check the configuration information of IPv4.


3.9 Configuration Examples
This section includes the networking requirements, precautions for configuration, and
configuration roadmap.


3.1 IPv4 Overview


The Internet Protocol is the core protocol in the TCP/IP protocol suite. All TCP, UDP, ICMP
and IGMP data is transmitted in the format of IP packets. Devices in different networks use IP
addresses for communication. To ensure the security of the TCP/IP protocol suite, you can
defend against network attacks by controlling ICMP packets and IP packets carrying options.
On an IP network, each host needs to be assigned an IP address for communication. An IP
address, which is a 32-bit address used on the Internet, consists of two parts: network ID and
host ID.
• The network ID of an IP address uniquely identifies a network segment or the summarized
network segment of multiple network segments.
• The host ID of an IP address uniquely identifies a specific device on a network segment.

If multiple devices on the same network segment have the same network ID, they belong to the
same network regardless of their physical locations.
The increasing complexity of networks and emergence of new technologies pose requirements
for higher network security. By controlling ICMP packets and IP packets carrying options, you
can defend networks against attacks utilizing the two types of packets, thus improving device
performance and ensuring the normal operation of networks.

3.2 IPv4 Features Supported by the NE5000E


IP addresses can be obtained through static manual configuration, auto-negotiation, or
borrowing. To implement the communication of the network, by controlling whether to process
the IP packets carrying route options or controlling the sending or receiving of ICMP packets,
you can effectively defend networks against attacks utilizing these packets.

Configurations of IP Addresses
The NE5000E supports IP address configuration through the following methods:
• Manually configuring an IP address for an interface
• Obtaining an interface IP address through automatic negotiation
• Borrowing an IP address from another interface

The NE5000E supports the overlapping of network segment addresses to save the address space.
• Different interfaces on the same device can be configured with IP addresses that have
overlapped network segments but are not the same. For example, after configuring the IP
address 20.1.1.1/16 for an interface on a device, if you configure the IP address 20.1.1.2/24
for another interface, the system displays a prompt. The configuration, however, still
succeeds. If you configure the IP address 20.1.1.2/16 for another interface, the system
prompts an IP address conflict, and the configuration fails.
• An interface can be configured with primary and secondary IP addresses that have
overlapped network segments. For example, after configuring a primary IP address
20.1.1.1/24 for an interface, if you configure the IP address 20.1.1.2/16 sub as the secondary
IP address, the system displays a prompt. The configuration, however, still succeeds.
• Different interfaces on the same device can be configured with primary and secondary IP
addresses that have overlapped network segments but are not the same. For example, after
configuring the IP address 20.1.1.1/16 for an interface on a device, if you configure the IP
address 20.1.1.2/24 sub for another interface, the system displays a prompt. The
configuration, however, still succeeds.
To save the IP address space, the NE5000E allows IP addresses with 31-bit masks on interfaces.
After an interface is configured with an IP address with a 31-bit mask, there are only two IP
addresses on the same network segment, that is, the network segment address and broadcast
address of the network segment. The two addresses are called host addresses.
You can configure an IP address with a 31-bit mask for a Point-to-Point (P2P), Non-Broadcast
Multiple Access (NBMA), broadcast, or loopback interface. If you configure an IP address with
a 31-bit mask for a non-P2P interface, the system prompts you to confirm the configuration to
protect broadcast links. For example, if an Ethernet interface on a device is assigned an IP address
with a 31-bit mask, the router can access only one host rather than all hosts on the directly
connected subnet. On a broadcast backbone network, if a P2P link exists, you can configure IP
addresses with 31-bit masks to save the IP address space.
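The overlap and 31-bit mask rules above can be checked against an address plan before it is typed into the device. The following Python sketch is an added example, not Huawei code: the function names, the interface names and the "unspecified" verdict (for a case the guide does not describe) are assumptions, and primary and secondary addresses are treated alike because the rules above give them the same outcome.

```python
import ipaddress

# Verdicts ordered from least to most severe.
SEVERITY = ["ok", "prompt", "unspecified", "conflict"]


def check_new_address(existing, ifname, cidr, p2p=False):
    """Classify a planned address against addresses already on the device.

    existing: list of (interface name, "a.b.c.d/len") tuples.
    Returns "ok", "prompt" (accepted after a prompt), "conflict" (rejected)
    or "unspecified" (a case the guide does not describe).
    """
    new = ipaddress.ip_interface(cidr)
    # A 31-bit mask on a non-P2P interface has to be confirmed at a prompt.
    verdict = "prompt" if new.network.prefixlen == 31 and not p2p else "ok"
    for other_if, other_cidr in existing:
        old = ipaddress.ip_interface(other_cidr)
        if not new.network.overlaps(old.network):
            continue
        if new.network != old.network:
            result = "prompt"        # overlapping segments with different masks
        elif other_if != ifname:
            result = "conflict"      # the same segment on another interface
        else:
            result = "unspecified"   # same segment twice on one interface
        verdict = max(verdict, result, key=SEVERITY.index)
    return verdict


def check_plan(plan):
    """Apply check_new_address to each (ifname, cidr, p2p) entry in order."""
    accepted, report = [], []
    for ifname, cidr, p2p in plan:
        verdict = check_new_address(accepted, ifname, cidr, p2p)
        report.append((ifname, cidr, verdict))
        if verdict != "conflict":    # rejected addresses never reach the device
            accepted.append((ifname, cidr))
    return report


def host_addresses(cidr):
    """Addresses usable by hosts on the segment that contains cidr."""
    return [str(a) for a in ipaddress.ip_interface(cidr).network.hosts()]


# Constructed plan: the 20.1.1.x addresses are the guide's own examples,
# the interface names and the 10.0.x.x addresses are made up.
PLAN = [
    ("GigabitEthernet1/0/0", "20.1.1.1/16", False),
    ("GigabitEthernet1/0/1", "20.1.1.2/24", False),
    ("GigabitEthernet1/0/2", "20.1.1.2/16", False),
    ("Pos1/0/0", "10.0.0.0/31", True),
    ("GigabitEthernet1/0/3", "10.0.1.0/31", False),
]

if __name__ == "__main__":
    for ifname, cidr, verdict in check_plan(PLAN):
        print(f"{ifname:22} {cidr:15} {verdict}")
    print(host_addresses("10.0.0.0/31"))
```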

Security of the IPv4 Protocol Stack


The NE5000E supports the processing of packets with the following types of options:
- Route alert option
- Record route option
- Source route option
- Timestamp option

The NE5000E supports the control of the following types of Internet Control Message Protocol
(ICMP) packets:
- ICMP Host Unreachable packet
- ICMP Port Unreachable packet
- ICMP Redirect packet
- ICMP Timeout packet
- ICMP Echo packet

3.3 Configuring IP Addresses for Interfaces


Assigning an IP address to a device on a network enables the device to communicate with the
other devices on the network.

Applicable Environment
Before running IP services on interfaces, you need to configure IP addresses for interfaces. Each
interface on a device can be configured with multiple IP addresses, of which one is the primary
IP address and the others are secondary IP addresses.
Generally, an interface needs to be configured with only a primary IP address. In some special
scenarios, an interface also needs to be configured with secondary IP addresses. For example, a
device connects to a physical network through an interface, and hosts on this network belong to
two Class C networks. In this case, to ensure that the device communicates with all hosts on this
network, you need to configure a primary IP address and a secondary IP address for this interface.

Pre-configuration Tasks
Before configuring IP addresses for interfaces, complete the following tasks:
- Configuring link layer parameters for interfaces to ensure that the link layer protocol status
  of the interfaces is Up

Configuration Procedures
Figure 3-1 Procedures for configuring IP addresses
[Flowchart: "Configure a primary IP address for an interface", then "Configure a secondary IP address for an interface"; legend: mandatory procedure, optional procedure]

3.3.1 Configuring a Primary IP Address for an Interface


An interface can have only one primary IP address. An IP address consists of a host number and
a network number.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured.


An interface has only one primary IP address. When you configure a primary IP address for the
interface that already has a primary IP address, the newly configured primary IP address replaces
the original one.
Step 4 Run:
commit

The configuration is committed.


----End

3.3.2 (Optional) Configuring a Secondary IP Address for an Interface

To enable an interface to communicate with several networks with different network IDs, you
need to assign a secondary IP address to this interface.

Context
Configuring secondary IP addresses for an interface is an optional procedure. This configuration
is performed only when an interface requires multiple IP addresses.
For example, if an interface on a device is configured with one primary IP address and two
secondary IP addresses, this interface can be connected to three networks with different network
IDs.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length } sub

A secondary IP address is configured.


To save the IP address space, you can configure secondary IP addresses with 31-bit masks for
an interface.
Each interface can be configured with up to 255 secondary IP addresses.
Step 4 Run:
commit

The configuration is committed.


----End

3.3.3 Checking the Configuration


You can view the configuration of the IP address for an interface.

Prerequisite
The configurations of IP addresses are complete.


Procedure
- Run the display interface [ brief | interface-type interface-number ] command to check
  information about the interface.

----End

Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the interface.
<RouterA> display interface gigabitethernet 1/1/0
GigabitEthernet1/1/0 current state : UP
Line protocol current state : UP
Description: HUAWEI, GigabitEthernet1/1/0 Interface (ifindex: 10, vr: 0)
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 11.1.1.1/24
Internet Address is 11.1.2.1/24 Sub
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address 3870-1210-0300
Last physical up time   : 2010-02-06 15:19:40
Last physical down time : 2010-02-06 15:19:40
Current system time: 2010-02-06 17:36:40
Statistics last cleared:
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 0 bytes, 54025 packets
Output: 0 bytes, 0 packets
Input:
Unicast: 0 packets, Multicast: 7106 packets
Broadcast: 46919 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 11661289460833714176 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 2715105531 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets

3.4 Configuring IP Address Negotiation on Interfaces


If users access the network in the Point-to-Point Protocol (PPP) mode, the server can assign IP
addresses to the clients through the address negotiation function of PPP.

Applicable Environment
If devices are connected through Point-to-Point Protocol (PPP) links, interfaces on the client can
obtain IP addresses from the server through negotiation. This is applicable when the client
accesses the Internet by connecting to the Internet Service Provider (ISP) through PPP links (for
example by dial-up). In this case, the ISP device assigns an IP address to the client through
negotiation.
As shown in Figure 3-2, after the interfaces that directly connect Router A on the server side
to Router B on the client side are encapsulated with PPP, the client can obtain an IP address
from the server through negotiation.

Figure 3-2 Configuring IP address negotiation on interfaces
[Topology: RouterA (POS 1/0/0, 192.168.1.1/24) is directly connected to RouterB (POS 1/0/0, 192.168.1.2); each router also attaches to an Ethernet network]

When configuring IP address negotiation on interfaces, note the following:


- PPP supports IP address negotiation. Therefore, you can configure IP address negotiation
  for an interface only after the interface is encapsulated with PPP. If the PPP status is Down,
  the IP address generated during negotiation is deleted.
- If an interface is configured to obtain an IP address through negotiation, you do not need
  to configure any IP address for the interface because the IP address is obtained through
  negotiation. If the interface already has an IP address, the original IP address is deleted.
- After an interface obtains an IP address through negotiation, you cannot configure
  secondary IP addresses for this interface.
- After an interface obtains an IP address through negotiation, if you configure IP address
  negotiation on the interface again, the originally generated IP address is deleted, and the
  interface obtains a new IP address through negotiation.
- After the IP address generated through negotiation is deleted, an interface becomes an
  addressless interface.

Pre-configuration Tasks
Before configuring IP address negotiation on interfaces, complete the following tasks:
- Configuring IP addresses for interfaces on the server to ensure that the link layer protocol
  status of the interfaces is Up
- Configuring physical parameters and the link layer protocol PPP for interfaces on the client

Configuration Procedures
Figure 3-3 Configuring IP address negotiation on interfaces
[Flowchart: "Configure a server to assign an IP address to a client through negotiation", then "Configure a client to obtain an IP address through negotiation"; legend: mandatory procedure, optional procedure]


3.4.1 Configuring a Server to Assign an IP Address to a Client Through Negotiation

After being assigned an IP address, the server can assign IP addresses to the clients.

Context
The IP address to be assigned to the remote device should not conflict with the IP addresses on
the local device.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that is directly connected to the client is displayed.
IP address negotiation can be configured on only the PPP-encapsulated interface.
Step 3 Run:
remote address ip-address

An IP address is assigned to the interface on the client.


The IP address to be assigned to the remote device should not conflict with the IP addresses on
the local device.
Step 4 Run:
shutdown

The interface is shut down.


Step 5 Run:
commit

The configuration is committed.


Step 6 Run:
undo shutdown

The interface is enabled.


Step 7 Run:
commit

The configuration is committed.


----End


3.4.2 Configuring a Client to Obtain an IP Address Through Negotiation

After interface IP address negotiation is enabled on a client, the client can obtain an IP address
from the server.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that is directly connected to the server is displayed.
IP address negotiation can be configured on only the PPP-encapsulated interface.
Step 3 Run:
ip address ppp-negotiate

IP address negotiation is enabled on the interface.


Step 4 Run:
commit

The configuration is committed.


----End

3.4.3 Checking the Configuration


You can view the configuration of interface IP address negotiation.

Prerequisite
The configurations of IP address negotiation are complete.

Procedure
- Run the display interface [ brief | interface-type interface-number ] command to check
  information about the interface.

----End

Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the interface on the client.
[~RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : DOWN
Description: HUAWEI, pos 1/0/0 Interface (ifindex: 10, vr: 0)
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/24
Link layer protocol is PPP
LCP stopped
Last physical up time   : 2011-01-13 03:34:07
Last physical down time : 2011-01-13 03:34:07
Current system time: 2011-01-24 21:41:31
Statistics last cleared:never
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input:0 packets, 0 bytes
Input error: 0 shortpacket, 0 longpacket, 0 CRC, 0 lostpacket
Output: 0 packets, 0 bytes
Output error: 0 lostpackets
Output error: 0 overrunpacket, 0 underrunpackets
Last 300 seconds input utility rate: 0.00%
Last 300 seconds output utility rate: 0.00%

3.5 Configuring IP Unnumbered on Interfaces


IP unnumbered means that an interface that is not assigned an IP address obtains one by
borrowing the IP address of another interface.

Applicable Environment
In some situations, to save IP address resources, you need to configure an interface to borrow
an IP address from another interface. You can configure an interface that is occasionally used
to borrow an IP address, instead of configuring a new IP address for the interface.
Restrictions on configuring IP unnumbered on an interface are as follows:
- The unnumbered interface cannot be an Ethernet interface.
- The IP address of the numbered interface cannot be a borrowed IP address.
- The IP address of the IP numbered interface can be lent to multiple interfaces.
- If the numbered interface has multiple IP addresses, the IP address to be lent must be the
  primary IP address.
- If the numbered interface is not configured with an IP address, the unnumbered interface
  borrows the IP address 0.0.0.0.
- The IP address of the virtual loopback interface can be borrowed by other interfaces, but
  the virtual loopback interface cannot borrow an IP address from other interfaces.

Pre-configuration Tasks
Before configuring IP unnumbered on an interface, complete the following tasks:
- Configuring the link layer protocol on the unnumbered interface and numbered interface

Configuration Procedures
Figure 3-4 Procedures for configuring IP unnumbered
[Flowchart: "Configure a primary IP address for a numbered interface", then "Configure an unnumbered interface to borrow an IP address from another interface"; legend: mandatory procedure, optional procedure]

3.5.1 Configuring a Primary IP Address for a Numbered Interface


Only the primary IP address of an interface can be borrowed.

Context
Configuring IP unnumbered aims to save IP address resources. You can configure an interface
that is occasionally used to borrow an IP address, instead of configuring a new IP address for
the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the numbered interface is displayed.


Step 3 Run:
ip address ip-address { mask | mask-length }

A primary IP address is configured for the numbered interface.


The IP address of a numbered interface can be configured through the ip address command or
obtained through negotiation.
Step 4 Run:
commit

The configuration is committed.


----End

3.5.2 Configuring an Unnumbered Interface to Borrow an IP Address from Another Interface

An Ethernet interface cannot borrow the IP address of another interface.

Context
Configuring IP unnumbered aims to save IP address resources. You can configure an interface
that is occasionally used to borrow an IP address, instead of configuring a new IP address for
the interface.
NOTE

The configuration procedure described in this section involves only configuring an interface to borrow an
IP address. The unnumbered interface has no IP address, and thus dynamic routing protocols cannot run
on this interface. In this case, you need to configure a static route to the remote network segment for
communication between devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the unnumbered interface is displayed.


Step 3 Run:
ip address unnumbered interface interface-type interface-number

The unnumbered interface is configured to borrow an IP address from a specified interface.


The tunnel interface encapsulated with PPP, HDLC, or frame relay can borrow an IP address
from an Ethernet interface or another type of interface.
Step 4 Run:
commit

The configuration is committed.


----End

3.5.3 Checking the Configuration


You can view the borrowed IP address of an interface.

Prerequisite
The configurations of IP unnumbered are complete.


Procedure
- Run the display interface [ brief | interface-type interface-number ] command to check
  information about the interface.

----End

Example
Run the display interface command, and you can view the configurations of the IP address and
subnet mask of the unnumbered interface.
<RouterA> display interface pos 1/1/0
pos1/1/0 current state : UP
Line protocol current state : UP
Description: HUAWEI, Pos 1/1/0 Interface (ifindex: 8, vr: 0)
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is unnumbered, using address of GigabitEthernet1/0/0 (172.16.10.1/24)
Link layer protocol is PPP
Current BW: 100 Mbits
Statistics last cleared:never
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Input error: 0 shortpacket, 0 longpacket, 0 CRC, 0 lostpacket
Output: 0 packets, 0 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets

3.6 Configuring the Security of the IPv4 Protocol Stack


By controlling whether to process the IP packets carrying route options or controlling the sending
or receiving of ICMP packets, you can effectively defend networks against attacks utilizing these
packets.

Applicable Environment
The route-related options in an IP packet can be used for link fault diagnosis and temporary
transmission of special services. The packets carrying route options may also be utilized by
malicious attackers to probe the network structure and launch attacks. Therefore, by configuring
whether to process the IP packets carrying route options, you can defend networks against attacks
utilizing these packets.
Network attackers perform scan detection by using various packets, and devices reply to these
packets with ICMP packets. Then, network attackers obtain network information from these
received ICMP packets and then launch attacks on networks. In addition, network attackers can
also utilize ICMP packets to affect the normal packet transmission on devices, thus hindering
the devices from providing normal services. Therefore, by controlling the sending or receiving
of ICMP packets, you can effectively defend networks against attacks utilizing ICMP packets.

Pre-configuration Tasks
Before configuring the security of the IPv4 protocol stack, complete the following tasks:
- Setting parameters of the link layer protocols for the interfaces to ensure that the status of
  the link layer protocols on the interfaces is Up

Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.

3.6.1 Controlling the Processing of IP Packets Carrying Options


By controlling whether to process the IP packets carrying route options, you can effectively
defend networks against attacks utilizing these packets.

Context
IP packets can carry the following route options:
- Route alert option
- Record route option
- Source route option
- Timestamp option

Generally, the preceding options are used for link fault diagnosis and temporary transmission
of special services. These options may also be utilized by network attackers to probe the network
structure and launch attacks. In this case, you need to use commands to determine whether the
system needs to process the IP packets carrying route options.
By default, devices process the IP packets carrying route options. To defend networks against
attacks utilizing the IP packets carrying route options, you can perform the following
configurations to disable the system from processing these IP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Do as follows according to different route options in IP packets:
- Run:
  undo ip option route-alert enable

  The system is disabled from processing the IP packets carrying route alert options.
- Run:
  undo ip option route-record enable

  The system is disabled from processing the IP packets carrying record route options.
- Run:
  undo ip option source-route enable

  The system is disabled from processing the IP packets carrying source route options.
- Run:
  undo ip option time-stamp enable

  The system is disabled from processing the IP packets carrying timestamp options.
By default, the system is enabled to process the IP packets carrying route options.
Step 3 Run:
commit

The configuration is committed.


----End

3.6.2 Controlling the Sending or Receiving of ICMP Packets


By controlling the sending or receiving of ICMP packets, you can effectively defend networks
against attacks utilizing these packets.

Context
Most attacks on networks are launched through ICMP packets. To ensure network security, you
can use commands to determine whether the system needs to send or receive ICMP packets.
To defend networks against attacks utilizing ICMP packets, you can perform the following
configurations to disable the system from sending or receiving ICMP packets.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
undo icmp receive

or
undo icmp send

Disable the system from receiving or sending ICMP packets.


By default, the system is disabled from sending or receiving ICMP packets.
Table 3-1 shows the relationship between ICMP name and the corresponding type and code.
Table 3-1 Relationship between ICMP name, type and code

name                    type    code
echo
echo-reply
fragmentneed-dfset
host-redirect
host-tos-redirect
host-unreachable
information-reply       16
information-request     15
net-redirect
net-tos-redirect
net-unreachable
parameter-problem       12
port-unreachable
protocol-unreachable
reassembly-timeout      11
source-quench
source-route-failed
timestamp-reply         14
timestamp-request       13
ttl-exceeded            11

Step 3 Run:
commit

The configuration is committed.


----End
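Before the commands in 3.6.1 and 3.6.2 are applied, it helps to know which option-bearing packets and which ICMP messages actually cross the device. The following Python sketch is an added example, not Huawei code: it walks the IPv4 header options of each packet, maps them to the keywords of the undo ip option commands, and names ICMP messages as Table 3-1 spells them. The option type numbers (RFC 791, RFC 2113) and ICMP type and code values (RFC 792) are taken from those RFCs, and parse_ipv4, census, build_packet and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# IPv4 option type -> keyword of the matching "undo ip option <keyword> enable"
# command. Type numbers are from RFC 791 and RFC 2113, not from this guide.
OPTION_KEYWORD = {7: "route-record", 68: "time-stamp", 131: "source-route",
                  137: "source-route", 148: "route-alert"}

# (type, code) -> name as spelled in Table 3-1. Values are from RFC 792.
ICMP_NAME = {
    (0, 0): "echo-reply", (8, 0): "echo", (4, 0): "source-quench",
    (3, 0): "net-unreachable", (3, 1): "host-unreachable",
    (3, 2): "protocol-unreachable", (3, 3): "port-unreachable",
    (3, 4): "fragmentneed-dfset", (3, 5): "source-route-failed",
    (5, 0): "net-redirect", (5, 1): "host-redirect",
    (5, 2): "net-tos-redirect", (5, 3): "host-tos-redirect",
    (11, 0): "ttl-exceeded", (11, 1): "reassembly-timeout",
    (12, 0): "parameter-problem", (13, 0): "timestamp-request",
    (14, 0): "timestamp-reply", (15, 0): "information-request",
    (16, 0): "information-reply",
}


def parse_ipv4(packet):
    """Return (option keywords, ICMP name or None); raise ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    options, found, i = packet[20:header_len], [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:        # End of Option List: the rest is padding
            break
        if kind == 1:        # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option length byte missing")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length out of range")
        if kind in OPTION_KEYWORD:
            found.append(OPTION_KEYWORD[kind])
        i += length
    icmp = None
    # Only the first fragment of an ICMP packet carries the type and code bytes.
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    if packet[9] == 1 and first_fragment and len(packet) >= header_len + 2:
        key = (packet[header_len], packet[header_len + 1])
        icmp = ICMP_NAME.get(key, "type %d code %d" % key)
    return found, icmp


def census(packets):
    """Count option keywords, ICMP names and malformed headers."""
    counts = Counter()
    for packet in packets:
        try:
            found, icmp = parse_ipv4(packet)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts.update("option:" + keyword for keyword in set(found))
        if icmp:
            counts["icmp:" + icmp] += 1
    return counts


def build_packet(options=b"", protocol=17, payload=b""):
    """Build a constructed IPv4 packet; the checksum stays 0 and is not checked."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                         20 + len(options) + len(payload), 0, 0, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + options + payload


# Constructed sample packets (documentation addresses, not a real capture).
SAMPLE = [
    build_packet(),                                            # no options
    build_packet(b"\x94\x04\x00\x00", protocol=2),             # Router Alert
    build_packet(b"\x07\x07\x04" + bytes(4)),                  # Record Route
    build_packet(b"\x83\x07\x04" + bytes([203, 0, 113, 9])),   # Loose Source Route
    build_packet(b"\x44\x08\x05\x00" + bytes(4), 1, b"\x08\x00" + bytes(6)),  # Timestamp + echo
    build_packet(protocol=1, payload=b"\x03\x03" + bytes(6)),  # port-unreachable
    build_packet(protocol=1, payload=b"\x0b\x00" + bytes(6)),  # ttl-exceeded
    build_packet(b"\x07\x00\x04\x00"),                         # option length 0: malformed
]
```

A non-zero count for an option keyword means that disabling its processing will affect traffic that is already on the network, so check whether that traffic is legitimate before committing the change.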

3.6.3 Setting the Timeout Period of the Regroup Queue


By properly setting the reassembly timeout period, you can promptly age out a regroup queue that
has been waiting a long time for all fragments to arrive. This improves the performance of
routing devices and helps defend against network attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv4 reassembling timeout time

The timeout period of IPv4 fragment reassembly is set.


The parameter time ranges from 5 to 120 seconds. It is recommended to use the default value of
30 seconds.
----End
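Why the timeout matters is easiest to see in a model of the regroup queue. The following Python sketch is an added example, not the device's implementation: the class and function names, the choice to start the timer at a datagram's first received fragment, and byte-granular offsets are assumptions. Only the 5 to 120 second range and the 30 second default come from the guide.

```python
class ReassemblyQueue:
    """Toy model of an IPv4 regroup (reassembly) queue with a timeout."""

    def __init__(self, timeout=30):
        # The guide allows 5 to 120 seconds and recommends the default of 30.
        if not 5 <= timeout <= 120:
            raise ValueError("timeout must be between 5 and 120 seconds")
        self.timeout = timeout
        # datagram key -> {"start": seconds, "frags": {offset: (data, more)}}
        self.pending = {}

    def age(self, now):
        """Drop entries that have waited at least `timeout` seconds; return the count."""
        expired = [key for key, entry in self.pending.items()
                   if now - entry["start"] >= self.timeout]
        for key in expired:
            del self.pending[key]
        return len(expired)

    def add(self, now, key, offset, data, more):
        """Store one fragment; return the payload once the datagram is complete."""
        self.age(now)
        entry = self.pending.setdefault(key, {"start": now, "frags": {}})
        entry["frags"][offset] = (data, more)
        payload = assemble(entry["frags"])
        if payload is not None:
            del self.pending[key]      # completed datagrams free their buffers
        return payload

    def buffered_bytes(self):
        """Memory currently held by incomplete datagrams."""
        return sum(len(data) for entry in self.pending.values()
                   for data, _ in entry["frags"].values())


def assemble(frags):
    """Return the payload if fragments are contiguous from offset 0, else None."""
    expected, parts = 0, []
    for offset in sorted(frags):
        data, more = frags[offset]
        if offset != expected:
            return None                # hole, or an overlap this sketch does not merge
        parts.append(data)
        expected += len(data)
        if not more:                   # last fragment reached with no holes
            return b"".join(parts)
    return None


def simulate(timeout, incomplete=3):
    """Feed datagrams that never complete plus one that does; sample buffer use."""
    queue = ReassemblyQueue(timeout)
    for ident in range(incomplete):
        # Constructed traffic: a first fragment whose remainder never arrives.
        queue.add(0, ("198.51.100.7", "192.0.2.1", ident, 17), 0, bytes(1480), True)
    key = ("198.51.100.8", "192.0.2.1", 99, 17)
    queue.add(1, key, 0, b"A" * 8, True)
    done = queue.add(2, key, 8, b"B" * 4, False)
    samples = {}
    for now in (10, 30, 60):
        queue.age(now)
        samples[now] = queue.buffered_bytes()
    return done, samples


if __name__ == "__main__":
    for timeout in (30, 120):
        print(timeout, simulate(timeout)[1])
```

With the 30 second default the buffers held by the incomplete datagrams are released at the 30 second sample, while with 120 seconds they are still held at 60 seconds.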

3.6.4 Checking the Configuration


You can view the security of the IPv4 Protocol Stack.

Prerequisite
The configurations of the security of the IPv4 protocol stack are complete.

Procedure
- Run the display icmp statistics command to check ICMP traffic statistics.
- Run the display ip statistics command to check IP traffic statistics.

----End

Example
Run the display icmp statistics command, and you can view ICMP traffic statistics.
<HUAWEI> display icmp statistics
  Input: bad format           0     bad checksum              0
         echo                 0     destination unreachable   0
         source quench        0     redirects                 0
         echo reply           0     parameter problem         0
         timestamp            0     information request       0
         mask requests        0     mask replies              0
         time exceeded        0     other                     0
         Mping request        0     Mping reply               0
 Output: echo                 0     destination unreachable   0
         source quench        0     redirects                 0
         echo reply           0     parameter problem         0
         timestamp            0     information request       0
         mask requests        0     mask replies              0
         time exceeded        0
         Mping request        0     Mping reply

Run the display ip statistics command, and you can view IP traffic statistics.
<HUAWEI> display ip statistics
  Input:        sum                2061    local           392
                bad protocol       0       bad format      87
                bad checksum       0       bad options     0
                discard srr        0       TTL exceeded    0
  Output:       forwarding         0       local           0
                dropped            0       no route        0
  Fragment:     input              0       output          0
                dropped            0       fragmented      0
                couldn't fragment  0
  Reassembling: sum                0       timeouts

3.7 Configuring TCP


By setting IP packets, you can improve the performance of the network.

Applicable Environment
None.

Pre-configuration Tasks
None.

Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.

3.7.1 Configuring TCP Timer


By setting two TCP timers, you can control TCP connection time.

Context
The types of TCP timers are shown as follows:
- The SYN-Wait timer: When TCP sends SYN packets, it starts the SYN-Wait timer. If
  response packets are not received before the SYN-Wait timer expires, the TCP connection
  is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the
  default value is 75 seconds.
- The FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
  FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the
  FIN-Wait timer expires, the TCP connection is terminated. The FIN-Wait timer timeout ranges
  from 76 seconds to 3600 seconds, and the default value is 675 seconds.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp timer syn-timeout interval

The SYN-Wait timer of setting up TCP connections is configured.


Step 3 Run:
tcp timer fin-timeout interval

The FIN_WAIT_2 timer of setting TCP connections is configured.


Step 4 Run:
commit

The configuration is committed.


----End

3.7.2 Specifying the Size of a TCP Sliding Window


By setting the sliding window size for TCP, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the security of the network.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp window window-size

The receiving/sending buffer size of the TCP socket is configured.


The receiving and sending window-size of the connection-oriented socket: It ranges from 1K
bytes to 32K bytes, and the default value is 8K bytes.
Step 3 Run:
commit

The configuration is committed.


----End

3.7.3 Checking the Configuration


You can view the configuration of TCP.

Prerequisite
The configurations of TCP function are complete.

Procedure
- Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
  ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
  remote-port-number ] ] command to check the TCP connection status.
- Run the display tcp statistics command to check the TCP traffic statistics.

----End

Example
Run the display tcp status command. If the information about the TCP connection status is
displayed, it means that the configuration succeeds. For example:
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID     Local Addr:Port     Foreign Addr:Port     VPNID   State
--------------------------------------------------------------------------------
0x80C8272D/2     0.0.0.0:23          0.0.0.0:0             42949   LISTEN
0x80932727/6     0.0.0.0:22          0.0.0.0:0             42949   LISTEN
--------------------------------------------------------------------------------

Run the display tcp statistics command. If the TCP traffic statistics are displayed, it means that
the configuration succeeds. For example:
<HUAWEI> display tcp statistics
------------------------ Display TCP Statistics ---------------------
Received packets:
Total: 0
Packets in sequence: 0 (bytes)
Window probe packets: 0
Window update packets: 0
Checksum error: 0
Offset error: 0
Short error: 0
Duplicate packet: 0 (bytes)
Partially duplicate packet: 0 (bytes)
Out-of-order packets: 0 (bytes)
Packets with data after window: 0
Packet after close: 0
ACK packets: 0 (bytes)
Duplicate ACK packets: 0
Send packets:
Total: 0
Urgent packet: 0
Control packet: 0 (RST)
Window probe packets: 0
Window update packets: 0
Data packets: 0
Data packets retransmitted: 0
ACK only packets: 0
Retransmitted timeout: 0
Connection dropped in retransmitted timeout: 0
Keepalive timeout: 0
Keepalive probe: 0
Keepalive timeout, so connections disconnected: 0
Initiated connections: 0
Accepted connections: 0
Established connections: 0
Closed connections: 0
Packets dropped with MD5 authentication: 0
Packets premitted with MD5 authentication: 0
-----------------------------------------------------------------------

3.8 Maintaining IPv4


Check the configuration information of IPv4.

3.8.1 Monitoring the IPv4 Running Status


By running the display command, you can monitor the operation of IPv4.

Context
In routine maintenance, you can run the following commands in any view to check the IPv4
running status.

Procedure
- Run the display interface brief command in any view to view interface brief information.
- Run the display ip statistics command in any view to view IP traffic statistics.
- Run the display icmp statistics command in any view to view ICMP traffic statistics.
- Run the display ip socket command in any view to view the information about the created IPv4 socket.
- Run the display rawip status command in any view to view the information about an IPv4 RawIP connection.
- Run the display rawlink status command in any view to view the information about an IPv4 Rawlink connection.

----End

3.8.2 Clearing IPv4 Statistics


By running the reset command, you can delete IPv4 statistics.

Context

CAUTION
ICMP or IP traffic statistics cannot be restored after being cleared. Therefore, confirm the action
before you run the command.

Procedure
- After confirming that you need to clear IP and ICMP traffic statistics, run the reset ip statistics command in the user view.

----End

3.9 Configuration Examples


This section includes the networking requirements, precautions for configuration, and
configuration roadmap.

3.9.1 Example for Configuring Primary and Secondary IP Addresses for an Interface

This part describes how to configure a primary IP address and a secondary IP address for an
interface.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-5, GE 1/0/1 on the device is connected to a Local Area Network (LAN),
in which hosts belong to two network segments 172.16.1.0/24 and 172.16.2.0/24. It is required
that the device communicate with the two network segments. Hosts on the network segment
172.16.1.0/24 cannot communicate with hosts on the network segment 172.16.2.0/24.

Figure 3-5 Configuring primary and secondary IP addresses for an interface
[Figure: GE1/0/1 on the Router (172.16.1.1/24, 172.16.2.1/24 sub) connects to the network segments 172.16.1.0/24 and 172.16.2.0/24.]

Configuring Notes
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Analyze the address of the network segment to which the interface is connected.
2. Configure a primary IP address for the interface and then configure one or multiple secondary IP addresses for the interface.

NOTE
The primary and secondary IP addresses of an interface can be on overlapping network segments but cannot be the same address. The secondary IP addresses of an interface must belong to different network segments.

Data Preparation
To complete the configuration, you need the following data:
- Primary IP address and subnet mask of the interface
- Secondary IP address and subnet mask of the interface

Procedure
Step 1 Configure the device.
# Configure primary and secondary IP addresses for GE 1/0/1 on the device.
<HUAWEI> system-view
[~HUAWEI] sysname Router
[~HUAWEI] commit
[~Router] interface gigabitethernet 1/0/1
[~Router-GigabitEthernet1/0/1] ip address 172.16.1.1 255.255.255.0
[~Router-GigabitEthernet1/0/1] ip address 172.16.2.1 255.255.255.0 sub
[~Router-GigabitEthernet1/0/1] undo shutdown
[~Router-GigabitEthernet1/0/1] commit
[~Router-GigabitEthernet1/0/1] quit


Step 2 Verify the configuration.


# Ping the host on the network segment 172.16.1.0 from the device. Then, the ping operation
succeeds.
[~Router] ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=614 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=16 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms

# Ping the host on the network segment 172.16.2.0 from the device. Then, the ping operation
succeeds.
[~Router] ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=13 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

# The hosts on the two network segments cannot ping each other successfully.
----End

Configuration Files
Configuration file of the Router
#
sysname Router
#
admin
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
return

3.9.2 Example for Configuring IP Address Negotiation on Interfaces


This part describes how an interface obtains an IP address through negotiation.


Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-6, Router A assigns an IP address to POS 1/0/0 on Router B through PPP
negotiation.
Figure 3-6 Configuring IP address negotiation on interfaces
[Figure: Router A and Router B, each attached to an Ethernet network, are connected through their POS 1/0/0 interfaces; POS 1/0/0 on Router A is 192.168.1.1/24.]

Configuring Notes
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for the local interface.
2. Assign an IP address to the interface on the client.
3. Configure the client to obtain an IP address through negotiation.

Data Preparation
To complete the configuration, you need the following data:
- IP address and subnet mask of the local interface
- The IP address to be assigned to the client

Procedure
Step 1 Configure Router A.
# Configure an IP address for POS 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ip address 192.168.1.1 255.255.255.0

# Assign an IP address to the interface on the client.
[~RouterA-Pos1/0/0] remote address 192.168.1.2
[~RouterA-Pos1/0/0] shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] quit

Step 2 Configure Router B.


# Configure the interface to obtain an IP address through negotiation.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ip address ppp-negotiate
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] commit
[~RouterB-Pos1/0/0] quit

Step 3 Verify the configuration.


# Router B can ping through POS 1/0/0 on Router A.
[~RouterB] ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=156 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=62 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/81/156 ms

# View the status of POS 1/0/0 on Router B.


[~RouterB] display interface pos 1/0/0
Pos1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2007-12-07, 17:12:39
Description : HUAWEI, Pos1/0/0 Interface
Route Port,The Maximum Transmit Unit is 4470, Hold timer is 10(sec)
Internet Address is negotiated, 192.168.1.2/32
Link layer protocol is PPP
LCP opened, IPCP opened
The Vendor PN is FTRJ1321P1BTL
Port BW: 2.5G, Transceiver max BW: 2.5G, Transceiver Mode: SingleMode
WaveLength: 1310nm, Transmission Distance: 5km
Rx Power: -2.81dBm, Tx Power: -1.91dBm
Physical layer is Packet Over SDH
Scramble enabled, clock master, CRC-32, loopback: none
Flag J0 "NetEngine "
Flag J1 "NetEngine "
Flag C2 22(0x16)
SDH alarm:
  section layer: none
  line    layer: none
  path    layer: none
SDH error:
  section layer: B1 61575
  line    layer: B2 12002824 REI 16835916
  path    layer: B3 65535
Statistics last cleared:never
Last 300 seconds input rate 16 bits/sec, 0 packets/sec
Last 300 seconds output rate 40 bits/sec, 0 packets/sec
Input: 3510 packets, 57372 bytes
Input error: 0 shortpacket, 0 longpacket, 4 CRC, 0 lostpacket
Output: 7270 packets, 344198 bytes
Output error: 0 lostpackets
Output error: 0 overrunpackets, 0 underrunpackets

If "Internet Address is negotiated, 192.168.1.2/32" is displayed in the command output, it means that IP address negotiation succeeds.
----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
admin
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
remote address 192.168.1.2
#
return

Configuration file of Router B


#
sysname RouterB
#
admin
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address ppp-negotiate
#
return

3.9.3 Example for Configuring IP Unnumbered on Interfaces


This part describes how to configure IP address borrowing for an interface.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-7, an enterprise builds its intranet through the ISDN. Router A and Router
B connect to a local LAN through GE interfaces and connect to each other through dialing
interfaces. Each of the two devices connects to the Ethernet through GE 1/0/0 and connects to
the ISDN through POS 2/0/0. To save IP address resources, the dialing interfaces are configured
to borrow IP addresses from GE interfaces.

Figure 3-7 Configuring IP unnumbered on interfaces
[Figure: Router A and Router B each connect to a local Ethernet through GE1/0/0 and to each other across the ISDN through POS 2/0/0; GE1/0/0 is 172.16.10.1/24 on Router A and 172.16.20.1/24 on Router B.]

Configuring Notes
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses to be borrowed.
2. Configure interfaces to borrow IP addresses from other interfaces.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interfaces that lend IP addresses
- Numbers of the interfaces that lend IP addresses

Procedure
Step 1 Configure Router A.
# Configure an IP address for GE 1/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 172.16.10.1 255.255.255.0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.


[~RouterA] interface pos 2/0/0
[~RouterA-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[~RouterA-Pos2/0/0] link-protocol ppp
[~RouterA-Pos2/0/0] undo shutdown
[~RouterA-Pos2/0/0] quit

# Configure a route to the Ethernet network segment of Router B.


[~RouterA] ip route-static 172.16.20.0 255.255.255.0 pos 2/0/0
[~RouterA] commit

Step 2 Configure Router B.


# Configure an IP address for GE 1/0/0.

<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip address 172.16.20.1 255.255.255.0
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit

# Configure the POS interface to borrow an IP address from the GE interface.


[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] ip address unnumbered interface gigabitethernet 1/0/0
[~RouterB-Pos2/0/0] link-protocol ppp
[~RouterB-Pos2/0/0] undo shutdown
[~RouterB-Pos2/0/0] quit

# Configure a route to the Ethernet network segment of Router A.


[~RouterB] ip route-static 172.16.10.0 255.255.255.0 pos 2/0/0
[~RouterB] commit

Step 3 Verify the configuration.


# Router A can ping through the IP address of the interface that is connected to Router B.
[~RouterA] ping 172.16.20.1
PING 172.16.20.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.20.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=2 ttl=255 time=25 ms
Reply from 172.16.20.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.20.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.20.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
admin
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.10.1 255.255.255.0
#
ip route-static 172.16.20.0 255.255.255.0 Pos2/0/0
#
return

Configuration file of Router B


#
sysname RouterB
#
admin
interface Pos2/0/0
undo shutdown
link-protocol ppp
ip address unnumbered interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.20.1 255.255.255.0
#
ip route-static 172.16.10.0 255.255.255.0 Pos2/0/0
#
return

3.9.4 Example for Configuring Address Overlapping on a Device


This part describes how to configure IP address overlapping on a device.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-8, Network A and Network B are independent of each other. They access
the Internet through different paths. Network A and Network B access each other through the
same Layer 2 network provided by ISP1.
It is required that Network A and Network B connect to the Layer 2 network provided by ISP1
through Router B, by using IP addresses 192.168.1.11/24 and 192.168.1.12/24 respectively on
the same network segment.
Figure 3-8 Networking diagram of configuring address overlapping on a device
[Figure: Router A (AS 100, GE1/0/0 192.168.1.1/24) connects through the Layer 2 network to Router B (ISP1, AS 200). On Router B, r1 comprises GE1/0/0 192.168.1.11/24 and POS2/0/0 10.1.1.1/24, and r2 comprises GE3/0/0 192.168.1.12/24 and POS4/0/0 20.1.1.1/24. Router C in Network A uses POS2/0/0 10.1.1.2/24; Router D in Network B uses POS4/0/0 20.1.1.2/24.]

Configuring Notes
None

Procedure
Step 1 Configure a VPN instance.
# On Router B, create a VPN instance for Network A, and bind the VPN instance to the inbound
interface Gigabit Ethernet 1/0/0 and the outbound interface POS 2/0/0.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] ip vpn-instance r1
[~RouterB-vpn-instance-r1] route-distinguisher 100:1
[~RouterB-vpn-instance-r1] quit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip binding vpn-instance r1
[~RouterB-GigabitEthernet1/0/0] ip address 192.168.1.11 24
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit
[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] ip binding vpn-instance r1
[~RouterB-Pos2/0/0] ip address 10.1.1.1 24
[~RouterB-Pos2/0/0] undo shutdown
[~RouterB-Pos2/0/0] quit

# On Router B, create a VPN instance for Network B, and bind the VPN instance to the inbound
interface Gigabit Ethernet 3/0/0 and the outbound interface POS 4/0/0.
[~RouterB] ip vpn-instance r2
[~RouterB-vpn-instance-r2] route-distinguisher 100:2
[~RouterB-vpn-instance-r2] quit
[~RouterB] interface gigabitethernet 3/0/0
[~RouterB-GigabitEthernet3/0/0] ip binding vpn-instance r2
[~RouterB-GigabitEthernet3/0/0] ip address 192.168.1.12 24
[~RouterB-GigabitEthernet3/0/0] undo shutdown
[~RouterB-GigabitEthernet3/0/0] quit
[~RouterB] interface pos 4/0/0
[~RouterB-Pos4/0/0] ip binding vpn-instance r2
[~RouterB-Pos4/0/0] ip address 20.1.1.1 24
[~RouterB-Pos4/0/0] undo shutdown
[~RouterB-Pos4/0/0] quit

# On Router B, configure static routes for the two VPN instances.


[~RouterB] ip route-static vpn-instance r1 0.0.0.0 0 192.168.1.1
[~RouterB] ip route-static vpn-instance r2 0.0.0.0 0 192.168.1.1
[~RouterB] commit

Step 2 Establish the EBGP neighbor relationship between Router A and the two inbound interfaces on
Router B.
# Configure Router B.
[~RouterB] bgp 200
[~RouterB-bgp] router-id 100.1.1.1
[~RouterB-bgp] ipv4-family vpn-instance r1
[~RouterB-bgp-r1] peer 192.168.1.1 as-number 100
[~RouterB-bgp-r1] import-route direct
[~RouterB-bgp-r1] quit
[~RouterB-bgp] ipv4-family vpn-instance r2
[~RouterB-bgp-r2] peer 192.168.1.1 as-number 100
[~RouterB-bgp-r2] import-route direct
[~RouterB-bgp-r2] commit
[~RouterB-bgp-r2] quit


# Configure Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit
[~RouterA] bgp 100
[~RouterA-bgp] peer 192.168.1.11 as-number 200
[~RouterA-bgp] peer 192.168.1.12 as-number 200
[~RouterA-bgp] commit
[~RouterA-bgp] quit

Step 3 Configure IP addresses and static routes for Router C and Router D on the local network.
# Configure an IP address and a static route for Router C.
<HUAWEI> system-view
[~HUAWEI] sysname RouterC
[~HUAWEI] commit
[~RouterC] interface pos 2/0/0
[~RouterC-Pos2/0/0] ip address 10.1.1.2 24
[~RouterC-Pos2/0/0] undo shutdown
[~RouterC-Pos2/0/0] quit
[~RouterC] ip route-static 0.0.0.0 0 10.1.1.1
[~RouterC] commit

# Configure an IP address and a static route for Router D.


<HUAWEI> system-view
[~HUAWEI] sysname RouterD
[~HUAWEI] commit
[~RouterD] interface pos 4/0/0
[~RouterD-Pos4/0/0] ip address 20.1.1.2 24
[~RouterD-Pos4/0/0] undo shutdown
[~RouterD-Pos4/0/0] quit
[~RouterD] ip route-static 0.0.0.0 0 20.1.1.1
[~RouterD] commit

Step 4 Verify the configuration.


# After the preceding configurations, check the VPN routing table on Router B. You can view
that the routes of the two local networks connected to Router B belong to two VPN instances
(r1 and r2). This indicates that the routes are isolated.
[~RouterB] display ip routing-table vpn-instance r1
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: r1
Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet1/0/0
10.1.1.0/24         Direct  0    0     D      10.1.1.1        Pos2/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
10.1.1.2/32         Direct  0    0     D      10.1.1.2        Pos2/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.11    GigabitEthernet1/0/0
192.168.1.11/32     Direct  0    0     D      127.0.0.1       InLoopBack0

[~RouterB] display ip routing-table vpn-instance r2
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: r2
Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
0.0.0.0/0           Static  60   0     RD     192.168.1.1     GigabitEthernet3/0/0
20.1.1.0/24         Direct  0    0     D      20.1.1.1        Pos4/0/0
20.1.1.1/32         Direct  0    0     D      127.0.0.1       InLoopBack0
20.1.1.2/32         Direct  0    0     D      20.1.1.2        Pos4/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.12    GigabitEthernet3/0/0
192.168.1.12/32     Direct  0    0     D      127.0.0.1       InLoopBack0

# Run the display ip routing-table command on Router A. You can view that the IP routing
table on Router A contains the routes to the two local networks.
[~RouterA] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/24         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
10.1.1.2/32         BGP     255  0     D      192.168.1.11    GigabitEthernet1/0/0
20.1.1.0/24         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0
20.1.1.2/32         BGP     255  0     D      192.168.1.12    GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1     GigabitEthernet1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0

Devices on the two local networks, Network A and Network B, can ping through each other.
----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
bgp 100
peer 192.168.1.11 as-number 200
peer 192.168.1.12 as-number 200
#
ipv4-family unicast
undo synchronization
peer 192.168.1.11 enable
peer 192.168.1.12 enable
#
return

Configuration file of Router B


#
sysname RouterB
#
ip vpn-instance r1
ipv4-family
route-distinguisher 100:1
#
ip vpn-instance r2
ipv4-family
route-distinguisher 100:2
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance r1
ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance r2
ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
undo shutdown
ip binding vpn-instance r1
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
undo shutdown
ip binding vpn-instance r2
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
#
bgp 200
router-id 100.1.1.1
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance r1
import-route direct
peer 192.168.1.1 as-number 100
#
ipv4-family vpn-instance r2
import-route direct
peer 192.168.1.1 as-number 100
#
ip route-static vpn-instance r1 0.0.0.0 0.0.0.0 192.168.1.1
ip route-static vpn-instance r2 0.0.0.0 0.0.0.0 192.168.1.1
#
return

Configuration file of Router C


#
sysname RouterC
#
admin
interface pos 2/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return

Configuration file of Router D


#
sysname RouterD
#
admin
interface pos 4/0/0
undo shutdown
link-protocol ppp
ip address 20.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
#
return
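The isolation in this example depends entirely on the two interfaces of the shared segment being bound to different VPN instances. The Python check below is an added example, not part of the original guide: it parses the interface part of the Router B configuration file shown above and reports every pair of interfaces with overlapping segments and whether a VPN instance boundary separates them. The function names, the "(public)" label, and the misbound variant are this example's own constructions.

```python
import ipaddress
from itertools import combinations

# Interface part of the configuration file of Router B from this example.
ROUTER_B_CONFIG = """\
#
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance r1
ip address 192.168.1.11 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip binding vpn-instance r2
ip address 192.168.1.12 255.255.255.0
#
interface Pos2/0/0
undo shutdown
ip binding vpn-instance r1
link-protocol ppp
ip address 10.1.1.1 255.255.255.0
#
interface Pos4/0/0
undo shutdown
ip binding vpn-instance r2
link-protocol ppp
ip address 20.1.1.1 255.255.255.0
#
return
"""

# Constructed variant: GE3/0/0 is bound to r1 by mistake instead of r2.
MISBOUND_CONFIG = ROUTER_B_CONFIG.replace(
    "interface GigabitEthernet3/0/0\nundo shutdown\nip binding vpn-instance r2",
    "interface GigabitEthernet3/0/0\nundo shutdown\nip binding vpn-instance r1",
)

PUBLIC = "(public)"  # label used here for interfaces without a VPN binding


def parse_interfaces(config_text):
    """Return {interface: {"vpn": name, "addrs": [IPv4Interface, ...]}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface" and len(words) >= 2:
            name = "".join(words[1:])  # accepts "Pos2/0/0" and "pos 2/0/0"
            current = interfaces.setdefault(name, {"vpn": PUBLIC, "addrs": []})
        elif words[0] in ("#", "return"):
            current = None  # "#" closes the current view
        elif current is None:
            continue
        elif words[:3] == ["ip", "binding", "vpn-instance"] and len(words) == 4:
            current["vpn"] = words[3]
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            try:
                addr = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            except ValueError:
                continue  # e.g. "ip address unnumbered interface ..."
            current["addrs"].append(addr)
    return interfaces


def audit_overlaps(config_text):
    """List (if_a, if_b, net_a, net_b, isolated) for overlapping segments."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for name_a, name_b in combinations(sorted(interfaces), 2):
        a, b = interfaces[name_a], interfaces[name_b]
        for addr_a in a["addrs"]:
            for addr_b in b["addrs"]:
                if addr_a.network.overlaps(addr_b.network):
                    isolated = a["vpn"] != b["vpn"]
                    findings.append((name_a, name_b, str(addr_a.network),
                                     str(addr_b.network), isolated))
    return findings


if __name__ == "__main__":
    for label, text in (("as documented", ROUTER_B_CONFIG),
                        ("misbound variant", MISBOUND_CONFIG)):
        for if_a, if_b, net_a, net_b, isolated in audit_overlaps(text):
            state = "separated by VPN instance" if isolated else "SAME instance"
            print(f"{label}: {if_a} {net_a} / {if_b} {net_b}: {state}")
```
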


3.9.5 Example for Configuring an IP Address with a 31-bit Mask


This part describes how to configure an IP address with a 31-bit mask.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 3-9, Router A and Router B are directly connected through a PPP link.
Figure 3-9 Networking diagram of configuring an IP address with a 31-bit mask
[Figure: POS1/0/0 on Router A (10.1.1.1/31) is directly connected to POS1/0/0 on Router B (10.1.1.0/31).]

Configuring Notes
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router A.
2. Configure an IP address with a 31-bit mask for POS 1/0/0 on Router B.

Data Preparation
To complete the configuration, you need the following data:
- IP address and subnet mask of POS 1/0/0 on Router A
- IP address and subnet mask of POS 1/0/0 on Router B

Procedure
Step 1 Configure an IP address for each interface.
# Configure an IP address for POS 1/0/0 on Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ip address 10.1.1.1 31
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] quit

# Configure an IP address for POS 1/0/0 on Router B.


<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ip address 10.1.1.0 31
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] commit
[~RouterB-Pos1/0/0] quit

Step 2 Verify the configuration.


# After the preceding configurations, check the routing table on Router A. In the routing table,
you can view that both the network address and the broadcast address of the network segment
are used as host addresses.
[~RouterA] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/31         Direct  0    0     D      10.1.1.1        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.1/32         Direct  0    0     D      127.0.0.1       Pos1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0

# After the preceding configurations, check the routing table on Router B. In the routing table,
you can view that both the network address and the broadcast address of the network segment
are used as host addresses.
[~RouterB] display ip routing-table
Route Flags: R - relay, D - download for forwarding
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface
10.1.1.0/31         Direct  0    0     D      10.1.1.0        Pos1/0/0
10.1.1.0/32         Direct  0    0     D      127.0.0.1       Pos1/0/0
10.1.1.1/32         Direct  0    0     D      10.1.1.1        Pos1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
admin
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.1 255.255.255.254
#
return

Configuration file of Router B


#
sysname RouterB
#
admin
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 10.1.1.0 255.255.255.254
#
return

4 Configuring Load Balancing

About This Chapter


Load balancing improves the packet forwarding performance on a network.
4.1 Load Balancing Overview
Load balancing is classified into equal-cost multiple path (ECMP) and unequal-cost multiple
path (UCMP). ECMP is automatically implemented by routing protocols, without being
configured. UCMP is implemented by using commands.
4.2 Load Balancing Features Supported by the NE5000E
This section describes classification and usage scenarios for load balancing on NE5000Es.
4.3 Configuring IP Packet Load Balancing
ECMP or UCMP improves packet forwarding performance on a network.
4.4 Configuration Examples
You can learn the configuration process from the configuration flowchart. Each configuration example includes the networking requirements, configuration notes, and configuration roadmap.


4.1 Load Balancing Overview


Load balancing is classified into equal-cost multiple path (ECMP) and unequal-cost multiple
path (UCMP). ECMP is automatically implemented by routing protocols, without being
configured. UCMP is implemented by using commands.

Load Balancing Classification


Load balancing is classified into the following modes based on traffic ratios:
- ECMP: evenly load-balances traffic over multiple equal-cost paths to a single destination, irrespective of bandwidth. This results in congestion on some paths with lower bandwidth.
- UCMP: load-balances traffic among multiple equal-cost paths to a destination based on bandwidth ratios, improving load balancing efficiency.

Problems in Hash-based Load Balancing


Figure 4-1 shows two-level load balancing. All NE5000Es use the hash algorithm to load-balance
traffic and every NE5000E has two outbound interfaces. Router A load-balances traffic
between Router B and Router C. After traffic arrives at Router B and Router C, neither of them
load-balances traffic between two outbound interfaces due to a bug in the hash algorithm, which
means Level 2 load balancing fails. Assume that 1000 data flows arrive at Router A. These data
flows have different source and destination IP addresses. Of the 1000 data flows, the last bit of
each IP address of 500 data flows is an odd number, whereas the last bit of each IP address of
the other 500 data flows is an even number. Router A, Router B, and Router C each uses the
hash algorithm to carry out traffic load balancing and has two outbound interfaces.
The hash algorithm yields two results. In result 1, data flows travel through outbound interface
1; in result 2, data flows travel through outbound interface 2.
Router A load-balances traffic by sending 500 data flows to Router B and the other 500 data
flows to Router C.
After receiving the 500 data flows, Router B uses the hash algorithm to yield result 1 and forwards
the data flows only through outbound interface 1. Similarly, Router C forwards the data flows
only through outbound interface 2. As a result, Level 2 load balancing fails.
Figure 4-1 Networking diagram for two-level load balancing
[Diagram: data flows enter Router A, which forwards them through Outinterface 1 and
Outinterface 2 to Router B and Router C. Router B and Router C each have Outinterface 1
and Outinterface 2.]

To address the preceding problem, Level 2 improved load balancing is configured on Router B's
and Router C's LPUs that receive traffic.
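
The failure described above can be reproduced with a short simulation. This Python code is an added example, not Huawei code: SHA-256 over the packet fields stands in for the NE5000E hash algorithm, which the page does not name, and the per-router seed is a hypothetical remedy that is not necessarily what Level 2 improved load balancing does.

```python
import hashlib
from collections import Counter


def make_flows(count):
    """Constructed sample flows: (protocol, src IP, dst IP, src port, dst port)."""
    return [
        (6, f"10.0.{i >> 8}.{i & 255}", f"20.1.{(i * 7) & 255}.{(i * 13) & 255}",
         1024 + i, 80)
        for i in range(count)
    ]


def flow_hash(flow, seed=b""):
    """Hash the flow fields; seed is a hypothetical per-router value."""
    key = seed + "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pick_interface(flow, link_count, seed=b""):
    """Return the 0-based index of the outbound interface chosen for this flow."""
    return flow_hash(flow, seed) % link_count


def two_level(flows, seed_a=b"", seed_b=b"", seed_c=b""):
    """Count flows per outbound interface (1 or 2) on Router A, B and C.

    Router A sends hash result 1 to Router B and hash result 2 to Router C.
    """
    usage = {"RouterA": Counter(), "RouterB": Counter(), "RouterC": Counter()}
    for flow in flows:
        first = pick_interface(flow, 2, seed_a)
        usage["RouterA"][first + 1] += 1
        if first == 0:
            usage["RouterB"][pick_interface(flow, 2, seed_b) + 1] += 1
        else:
            usage["RouterC"][pick_interface(flow, 2, seed_c) + 1] += 1
    return usage


def smallest_share(counter, link_count=2):
    """Fraction of a router's flows carried by its least-used outbound interface."""
    total = sum(counter.values())
    return min(counter.get(i, 0) for i in range(1, link_count + 1)) / total


if __name__ == "__main__":
    flows = make_flows(1000)
    # Same hash on every router: Level 2 collapses onto one interface per router.
    print("identical hash:", two_level(flows))
    # Different seed per router: both outbound interfaces carry traffic again.
    print("per-router seed:", two_level(flows, b"A", b"B", b"C"))
```

With an identical hash on all three routers, every flow that reaches Router B has already produced result 1, so Router B can only ever select outbound interface 1, and Router C only outbound interface 2.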

4.2 Load Balancing Features Supported by the NE5000E


This section describes classification and usage scenarios for load balancing on NE5000Es.
NE5000Es support per-flow load balancing. After receiving packets, the NE5000E uses the hash
algorithm to calculate a value and selects a link based on the value before forwarding the packets.
The hash algorithm is based on the protocol type, source and destination IP addresses and masks,
and source and destination port numbers in the packets. The NE5000E supports the following
per-flow load balancing functions:
- ECMP: Multiple routes with the same preference to a single destination can be configured
  on the NE5000E. All these equal-cost routes are used to evenly load-balance IP packets to
  the destination.
  In addition to manual configuration, a specific routing protocol can also discover multiple
  equal-cost routes to a single destination. All these equal-cost routes are valid and carry out
  load balancing if the routing protocol has the highest preference among active routing
  protocols. Currently, Open Shortest Path First (OSPF), Border Gateway Protocol
  (BGP), Intermediate System-to-Intermediate System (IS-IS), and static routes
  support load balancing.
- Interface-specific UCMP: UCMP is enabled on specified interfaces. After UCMP has been
  enabled on the specified interfaces, the shutdown and undo shutdown commands need to
  be run on this interface. This makes the configuration take effect but interrupts traffic.
- Global UCMP: Global UCMP takes effect immediately after being enabled. Unlike
  situations in interface-specific UCMP, no interface needs to be restarted and traffic will
  not be interrupted.
- Level 2 improved load balancing if two-level load balancing is enabled

4.3 Configuring IP Packet Load Balancing


ECMP or UCMP improves packet forwarding performance on a network.

Applicable Environment
ECMP evenly load-balances traffic over multiple equal-cost paths to a single destination,
irrespective of bandwidth. This results in congestion on some paths with lower bandwidth.
ECMP is automatically supported by routing protocols, without being configured. The
NE5000E supports the multi-route mode. Currently, Open Shortest Path First (OSPF), Border
Gateway Protocol (BGP), Intermediate System-to-Intermediate System (IS-IS), and
static routes support load balancing.
UCMP load-balances traffic among multiple equal-cost paths to a single destination based on
bandwidth ratios, improving load balancing efficiency.

Pre-configuration Tasks
Before configuring IP packet load balancing, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical interface status is Up
- Configuring parameters of a data link layer protocol for interfaces to ensure that the data
  link layer protocol status of the interfaces is Up

Configuration Procedures
- Enable ECMP. ECMP is automatically supported by routing protocols, without being
  configured. The NE5000E supports multiple routes for load balancing. Currently, OSPF,
  BGP, and IS-IS routing protocols and static routes support ECMP.
- Configure UCMP for IP packets by performing either of the following operations:
  - 4.3.1 Configuring Interface-specific UCMP During IP Packet Forwarding
  - 4.3.2 Configuring Global UCMP for IP Packet Forwarding
- Configure Level 2 improved load balancing.


Figure 4-2 Flowchart for configuring two-level load balancing
[Flowchart boxes: Configure UCMP; Configure proportional Level 2 load balancing on a
network enabled with two-level load balancing. Legend: Mandatory, Optional.]

4.3.1 Configuring Interface-specific UCMP During IP Packet Forwarding

If multiple equal-cost physical links to a single destination are reachable, traffic is load-balanced
among these physical links based on bandwidth ratios, improving load balancing efficiency.
ECMP takes effect on an interface only after the shutdown and undo shutdown commands are
run. Restarting an interface results in traffic interruption.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The physical interface view is displayed.



NOTE

This interface must be an outbound interface of a route among equal-cost routes. UCMP takes effect on
outbound interfaces associated with equal-cost routes only after all outbound interfaces have been enabled
with UCMP and FIB entries have been refreshed; if one outbound interface is not enabled with UCMP,
ECMP, not UCMP, is performed even though FIB entries have been refreshed.

GE and POS interfaces support UCMP.


Step 3 Run:
load-balance unequal-cost enable

UCMP is enabled on the outbound interface during IP packet forwarding.


After a command line is run to enable or disable UCMP on a physical interface, UCMP
configuration does not immediately take effect. After routing entries have been refreshed, UCMP
configurations take effect.
Step 4 Run:
shutdown
undo shutdown

The interface is restarted, triggering routing entry refreshing. After this, UCMP configurations
take effect.
NOTE

Alternatively, changing the interface IP address also triggers routing entry refreshing to make UCMP
configuration take effect.

Step 5 Run:
commit

The configuration is committed.


----End
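
The NOTE in Step 2 describes a silent fallback: if a single outbound interface of the equal-cost routes lacks the command, ECMP is performed instead of UCMP. The following Python check is an added example, not a Huawei tool; the sample configuration is constructed from the interface names used later in this chapter, and the check covers interface-specific UCMP only and cannot confirm that FIB entries have been refreshed.

```python
UCMP_COMMAND = "load-balance unequal-cost enable"

# Constructed sample: Router A with the command missing on Pos4/0/0.
DRIFTED_CONFIG = """\
#
sysname RouterA
#
interface GigabitEthernet2/0/0
 undo shutdown
 load-balance unequal-cost enable
 ip address 50.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 undo shutdown
 load-balance unequal-cost enable
 ip address 40.1.1.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 undo shutdown
 ip address 30.1.1.1 255.255.255.0
#
return
"""

# Same configuration with the command restored on Pos4/0/0.
COMPLIANT_CONFIG = DRIFTED_CONFIG.replace(
    " link-protocol ppp\n",
    " link-protocol ppp\n load-balance unequal-cost enable\n",
)

# Outbound interfaces of the equal-cost routes to one destination (assumed input,
# for example taken from the routing table).
OUTBOUND = ["GigabitEthernet3/0/0", "GigabitEthernet2/0/0", "Pos4/0/0"]


def parse_interfaces(config_text):
    """Return {interface name: [commands]}; a '#' line ends the current section."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def effective_mode(config_text, outbound_interfaces):
    """Return ("UCMP", []) only if every outbound interface carries the command,
    otherwise ("ECMP", [interfaces missing the command])."""
    interfaces = parse_interfaces(config_text)
    missing = [name for name in outbound_interfaces
               if UCMP_COMMAND not in interfaces.get(name, [])]
    return ("UCMP", []) if not missing else ("ECMP", missing)


if __name__ == "__main__":
    print(effective_mode(DRIFTED_CONFIG, OUTBOUND))
    print(effective_mode(COMPLIANT_CONFIG, OUTBOUND))
```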

4.3.2 Configuring Global UCMP for IP Packet Forwarding


If multiple equal-cost physical links to a single destination are reachable, unequal-cost
multiple path (UCMP) load-balances traffic among these physical links based on bandwidth
ratios, improving load balancing efficiency. Global UCMP takes effect immediately after being
enabled. Unlike interface-specific UCMP, no interface needs to be restarted and
traffic is not interrupted.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
load-balance unequal-cost enable

Global UCMP is enabled during IP packet forwarding.


UCMP is disabled by default.

NOTE

- Ethernet, GE, POS, Eth-Trunk, IP-Trunk, and TE tunnel interfaces support global UCMP.
  After UCMP is enabled on a TE tunnel interface, the bandwidth of the TE tunnel interface cannot be
  0, but can be any other value.
- Frequently enabling and disabling UCMP on an interface deteriorates system performance. Therefore,
  setting the interval between enabling and disabling UCMP to 5 minutes or longer
  is recommended.

Step 3 Run:
commit

The configuration is committed.


----End

4.3.3 Configuring Level 2 Improved Load Balancing


During two-level load balancing, load imbalance occurs and Level 2 load balancing fails due to
a bug in the hash algorithm. Enabling Level 2 improved load balancing can address this problem.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
load-balance avoid-degradation { ipv4 | ipv6 | mpls } { all | slot slot-id }

Level 2 improved load balancing is enabled on the network that implements two-level load
balancing for IPv4, IPv6, or MPLS traffic.
Level 2 improved load balancing is disabled by default.
Step 3 Run:
commit

The configuration is committed.


----End

4.3.4 Checking the Configuration


After configuring the load balancing function, you can view bandwidth usage of interfaces to
verify that IP packet load balancing takes effect.

Prerequisite
The configurations of IP packet load balancing are complete.

Procedure
- Run the display interface brief command to check bandwidth usage of interfaces. If
  unequal-cost multiple path (UCMP) takes effect, the command output shows that the ratio
  between traffic volumes on outbound interfaces is similar to the ratio between bandwidth
  values of the outbound interfaces.

NOTE

Among the paths that perform UCMP, bandwidth of each path must be equal to or higher than 1/64
(if one end of the path is on LPUB or LPUC, the value should be 1/32) of the total bandwidth;
otherwise, the path carries no traffic.

----End

Example
# Display brief information about all interfaces, including bandwidth usage, on the current
device.
<HUAWEI> display interface brief
PHY: Physical
*down: administratively down
^down: standby
(l):loopback
(s):spoofing
(b):BFD down
(e):EFM down
(d):Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk0                  down  down        0%     0%         12          0
Eth-Trunk1                  down  down        0%     0%          0          0
GigabitEthernet3/0/0        up    up         50%    50%         23        125
GigabitEthernet4/0/1        up    up         50%    50%         15         78
GigabitEthernet3/0/2        *down down        0%     0%          0          0
GigabitEthernet3/0/3        *down down        0%     0%          0          0
NULL0                       up    up          0%     0%          0          0
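
The check described in 4.3.4 can be scripted. The following Python code is an added example, not a Huawei tool: the sample rows are constructed in the column layout shown above, the bandwidth values (in Mbit/s) are supplied by the operator, and the 10% tolerance and the assumption that paths above the minimum-bandwidth limit share traffic by bandwidth ratio are choices made for this example.

```python
from fractions import Fraction

# Constructed sample rows in the layout of `display interface brief`.
SAMPLE_OUTPUT = """\
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk1                  up    up         20%    30%         35        210
GigabitEthernet1/0/0        up    up         15%    20%         22        120
GigabitEthernet2/0/0        up    up         20%    30%         23        125
GigabitEthernet2/0/1        *down down        0%     0%          0          0
"""


def parse_out_uti(text):
    """Map interface name -> OutUti percentage; the header row is skipped."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 7 and fields[4].endswith("%"):
            result[fields[0]] = Fraction(fields[4].rstrip("%"))
    return result


def expected_shares(bandwidth, floor=Fraction(1, 64)):
    """Traffic share per path under UCMP.

    A path whose bandwidth is below `floor` of the total carries no traffic
    (1/64 by default, 1/32 if one end of the path is on LPUB or LPUC).
    Assumption: the remaining paths share traffic by bandwidth ratio.
    """
    total = sum(bandwidth.values())
    carrying = {n: bw for n, bw in bandwidth.items() if Fraction(bw, total) >= floor}
    carried = sum(carrying.values())
    return {n: Fraction(carrying.get(n, 0), carried) for n in bandwidth}


def observed_shares(bandwidth, out_uti):
    """Traffic share per path from utilisation: volume = bandwidth x OutUti."""
    volume = {n: bandwidth[n] * out_uti[n] for n in bandwidth}
    total = sum(volume.values())
    if total == 0:
        return None  # no traffic, nothing to compare
    return {n: Fraction(v, total) for n, v in volume.items()}


def ucmp_in_effect(bandwidth, out_uti, tolerance=Fraction(1, 10),
                   floor=Fraction(1, 64)):
    """True if observed shares stay within `tolerance` of the bandwidth ratio."""
    observed = observed_shares(bandwidth, out_uti)
    if observed is None:
        return False
    expected = expected_shares(bandwidth, floor)
    return all(abs(observed[n] - expected[n]) <= tolerance for n in bandwidth)


if __name__ == "__main__":
    # Bandwidth in Mbit/s: a 1 Gbit/s GE link and a trunk of 2 + 3 Gbit/s members.
    paths = {"GigabitEthernet2/0/0": 1000, "Eth-Trunk1": 5000}
    uti = parse_out_uti(SAMPLE_OUTPUT)
    print(expected_shares(paths))
    print("UCMP in effect:", ucmp_in_effect(paths, uti))
```

Equal OutUti percentages on links of different bandwidth mean the traffic volumes follow the bandwidth ratio, which is the UCMP case; equal volumes on unequal links indicate that ECMP is still in effect.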

4.4 Configuration Examples


Follow the configuration flowchart to understand the configuration process. Each
configuration example consists of the networking requirements, configuration notes, and
configuration roadmap.

4.4.1 Example for Configuring Interface-specific UCMP for IP Packet Forwarding

This section provides an example for configuring interface-specific UCMP for IP packet
forwarding.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
On the network shown in Figure 4-3, three paths between Router A and Router E travel through
Router B, Router C, and Router D respectively. UCMP needs to be performed among these three
paths for IP packet forwarding. In this example, UCMP is configured on specified interfaces,
not on an entire router.
Figure 4-3 Networking diagram for interface-specific UCMP
[Diagram: Router A (GE1/0/0, 10.1.1.1/24) reaches Router E (GE1/0/0, 20.1.1.1/24) over
three paths, through Router B, Router C, and Router D.]

Device Name    Interface Name    IP Address
Router A       POS 4/0/0         30.1.1.1/24
               GE 3/0/0          40.1.1.1/24
               GE 2/0/0          50.1.1.1/24
Router B       POS 1/0/0         30.1.1.2/24
               POS 2/0/0         60.1.1.2/24
Router C       GE 1/0/0          40.1.1.2/24
               GE 2/0/0          70.1.1.2/24
Router D       GE 1/0/0          50.1.1.2/24
               GE 2/0/0          80.1.1.2/24
Router E       POS 4/0/0         60.1.1.1/24
               GE 3/0/0          70.1.1.1/24
               GE 2/0/0          80.1.1.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on each router. The Intermediate System-to-Intermediate System (IS-IS)
   protocol is used in this example.
2. Enable UCMP on each interface, allowing the three paths between Router A and Router E
   to perform UCMP during IP packet forwarding.

Data Preparation
To complete the configuration, you need the following data:
- Type and number of each interface
- IP address of each interface
- IS-IS area ID and level for each router

Procedure
Step 1 Assign an IP address to each interface. The configuration procedure is not provided.
Step 2 Configure basic IS-IS functions.
# Configure Router A.
[~RouterA] isis 1
[~RouterA-isis-1] is-level level-1
[~RouterA-isis-1] network-entity 10.0000.0000.0001.00
[~RouterA-isis-1] commit
[~RouterA-isis-1] quit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] isis enable 1
[~RouterA-GigabitEthernet1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] isis enable 1
[~RouterA-GigabitEthernet2/0/0] quit
[~RouterA] interface pos 4/0/0
[~RouterA-Pos4/0/0] isis enable 1
[~RouterA-Pos4/0/0] quit
[~RouterA] interface gigabitethernet 3/0/0
[~RouterA-GigabitEthernet3/0/0] isis enable 1
[~RouterA-GigabitEthernet3/0/0] quit
[~RouterA] commit

# Configure Router B.
[~RouterB] isis 1
[~RouterB-isis-1] is-level level-1
[~RouterB-isis-1] network-entity 10.0000.0000.0002.00
[~RouterB-isis-1] commit
[~RouterB-isis-1] quit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] isis enable 1
[~RouterB-Pos1/0/0] quit
[~RouterB] interface pos 2/0/0
[~RouterB-Pos2/0/0] isis enable 1
[~RouterB-Pos2/0/0] quit
[~RouterB] commit

# Configure Router C.
[~RouterC] isis 1
[~RouterC-isis-1] is-level level-1
[~RouterC-isis-1] network-entity 10.0000.0000.0003.00
[~RouterC-isis-1] quit
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] isis enable 1
[~RouterC-GigabitEthernet1/0/0] quit
[~RouterC] interface gigabitethernet 2/0/0
[~RouterC-GigabitEthernet2/0/0] isis enable 1
[~RouterC-GigabitEthernet2/0/0] quit
[~RouterC] commit

# Configure Router D.
[~RouterD] isis 1
[~RouterD-isis-1] is-level level-1
[~RouterD-isis-1] network-entity 10.0000.0000.0004.00
[~RouterD-isis-1] commit
[~RouterD-isis-1] quit
[~RouterD] interface gigabitethernet 1/0/0
[~RouterD-GigabitEthernet1/0/0] isis enable 1
[~RouterD-GigabitEthernet1/0/0] quit
[~RouterD] interface gigabitethernet 2/0/0
[~RouterD-GigabitEthernet2/0/0] isis enable 1
[~RouterD-GigabitEthernet2/0/0] quit
[~RouterD] commit


# Configure Router E.
[~RouterE] isis 1
[~RouterE-isis-1] is-level level-1
[~RouterE-isis-1] network-entity 10.0000.0000.0005.00
[~RouterE-isis-1] commit
[~RouterE-isis-1] quit
[~RouterE] interface gigabitethernet 1/0/0
[~RouterE-GigabitEthernet1/0/0] isis enable 1
[~RouterE-GigabitEthernet1/0/0] quit
[~RouterE] interface gigabitethernet 2/0/0
[~RouterE-GigabitEthernet2/0/0] isis enable 1
[~RouterE-GigabitEthernet2/0/0] quit
[~RouterE] interface pos 4/0/0
[~RouterE-Pos4/0/0] isis enable 1
[~RouterE-Pos4/0/0] quit
[~RouterE] interface gigabitethernet 3/0/0
[~RouterE-GigabitEthernet3/0/0] isis enable 1
[~RouterE-GigabitEthernet3/0/0] quit
[~RouterE] commit

Step 3 Verify basic IS-IS configurations.


# Display IS-IS routing information on Router A.
[~RouterA] display isis route
                         Route information for ISIS(1)
                         -----------------------------
                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------
 IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
 -------------------------------------------------------------------------------
 10.1.1.0/24          10         NULL    GE1/0/0         Direct          D/-/L/-/
 20.1.1.0/24          30         NULL    GE3/0/0         40.1.1.2        A/-/-/-/C
                                         GE2/0/0         50.1.1.2
                                         Pos4/0/0        30.1.1.2
 30.1.1.0/24          10         NULL    Pos4/0/0        Direct          D/-/L/-/
 40.1.1.0/24          10         NULL    GE3/0/0         Direct          D/-/L/-/
 50.1.1.0/24          10         NULL    GE2/0/0         Direct          D/-/L/-/
 60.1.1.0/24          20         NULL    Pos4/0/0        30.1.1.2        R/-/
 70.1.1.0/24          20         NULL    GE3/0/0         40.1.1.2        A/-/-/-/
 80.1.1.0/24          20         NULL    GE2/0/0         50.1.1.2        R/-/
      Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
             U-Up/Down Bit Set, C-In Computing

# Ping Router E (20.1.1.1) from Router A. The ping is successful. The network management
station (NM station) that manages Router A displays that ECMP is implemented among
outbound interfaces.
<RouterA> ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/64 ms

Step 4 Enable UCMP on every outbound interface of Router A.


[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] load-balance unequal-cost enable
[~RouterA-GigabitEthernet2/0/0] quit
[~RouterA] interface pos 4/0/0
[~RouterA-Pos4/0/0] load-balance unequal-cost enable
[~RouterA-Pos4/0/0] quit
[~RouterA] interface gigabitethernet 3/0/0
[~RouterA-GigabitEthernet3/0/0] load-balance unequal-cost enable
[~RouterA-GigabitEthernet3/0/0] quit
[~RouterA] commit

Step 5 Restart GE 2/0/0, GE 3/0/0, and POS 4/0/0 to make UCMP configurations take effect on Router A.
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] shutdown
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit
[~RouterA] interface gigabitethernet 3/0/0
[~RouterA-GigabitEthernet3/0/0] shutdown
[~RouterA-GigabitEthernet3/0/0] undo shutdown
[~RouterA-GigabitEthernet3/0/0] quit
[~RouterA] interface pos 4/0/0
[~RouterA-Pos4/0/0] shutdown
[~RouterA-Pos4/0/0] undo shutdown
[~RouterA-Pos4/0/0] quit
[~RouterA] commit

Step 6 Verify the configuration.


# Ping Router E (20.1.1.1) from Router A. The ping is still successful. The NM station displays
that UCMP is implemented among outbound interfaces.
<RouterA> ping 20.1.1.1
PING 20.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.1: bytes=56 Sequence=1 ttl=254 time=16 ms
Reply from 20.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 20.1.1.1: bytes=56 Sequence=5 ttl=254 time=64 ms
--- 20.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/64 ms

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0


undo shutdown
load-balance unequal-cost enable
ip address 50.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
load-balance unequal-cost enable
ip address 40.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
load-balance unequal-cost enable
ip address 30.1.1.1 255.255.255.0
isis enable 1
#
return

Configuration file of Router B


#
sysname RouterB
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 30.1.1.2 255.255.255.0
isis enable 1
#
interface Pos2/0/0
link-protocol ppp
undo shutdown
ip address 60.1.1.2 255.255.255.0
isis enable 1
#
return

Configuration file of Router C


#
sysname RouterC
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 40.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 70.1.1.2 255.255.255.0
isis enable 1
#
return

Configuration file of Router D


#
sysname RouterD
#
isis 1
is-level level-1
network-entity 10.0000.0000.0004.00
#


interface GigabitEthernet1/0/0
undo shutdown
ip address 50.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 80.1.1.2 255.255.255.0
isis enable 1
#
return

Configuration file of Router E


#
sysname RouterE
#
isis 1
is-level level-1
network-entity 10.0000.0000.0005.00
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 80.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 70.1.1.1 255.255.255.0
isis enable 1
#
interface Pos4/0/0
link-protocol ppp
undo shutdown
ip address 60.1.1.1 255.255.255.0
isis enable 1
#
return

4.4.2 Example for Configuring Global UCMP for IP Packet Forwarding

This section provides an example for configuring global UCMP for IP packet forwarding.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
On the network shown in Figure 4-4, two paths connect Router A and Router C.
- A physical link connects Router A's GE 2/0/0 and Router B's GE 2/0/0.
- Router A's GE 3/0/0 and GE 4/0/0 and Router B's GE 3/0/0 and GE 4/0/0 are added to
  Eth-Trunk1.

Eth-Trunk1 contains two GE interfaces, and therefore the bandwidth of Eth-Trunk1 is the sum
of the bandwidth of the two member GE links. Global UCMP needs to be performed among the
two member links from Router A to Router C. UCMP needs to be performed among the trunk
member interfaces.
Figure 4-4 Networking diagram for global UCMP
[Diagram not reproduced.]

Device Name    Interface Name    IP Address
Router A       GE 2/0/0          30.1.1.1/24
               Eth-Trunk1        40.1.1.1/24
Router B       GE 2/0/0          30.1.1.2/24
               Eth-Trunk1        40.1.1.2/24
               GE 2/0/2          50.1.1.1/24
Router C       GE 2/0/2          50.1.1.2/24

NOTE

In this example, the bandwidth of GE 2/0/0 on Router A and Router B is 1 Gbit/s, that of GE 3/0/0 is 2
Gbit/s, and that of GE 4/0/0 is 3 Gbit/s.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure static routes on every router.
2. Enable global UCMP on Router A, allowing the two paths between Router A and Router
   C to perform UCMP based on bandwidth ratios.
3. Configure UCMP on Router A, allowing the trunk member interfaces on Router A to
   perform UCMP based on interface bandwidth ratios.

Data Preparation
To complete the configuration, you need the following data:
- Type and number of each interface
- IP address of each interface
- Eth-Trunk interface number

Procedure
Step 1 Assign an IP address to every physical interface and Eth-Trunk interface. The configuration
procedure is not provided.
Step 2 Configure static routes.
# Configure Router A.
[~RouterA] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[~RouterA] ip route-static 20.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[~RouterA] ip route-static 50.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.2
[~RouterA] ip route-static 50.1.1.0 255.255.255.0 eth-trunk1 40.1.1.2
[~RouterA] commit

# Configure Router B.
[~RouterB] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/0 30.1.1.1
[~RouterB] ip route-static 10.1.1.0 255.255.255.0 eth-trunk1 40.1.1.1
[~RouterB] ip route-static 20.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.2
[~RouterB] commit

# Configure Router C.
[~RouterC] ip route-static 10.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[~RouterC] ip route-static 30.1.1.0 255.255.255.0 gigabitethernet2/0/2 50.1.1.1
[~RouterC] ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
[~RouterC] commit

Step 3 Verify the configuration.


# Ping Router A (10.1.1.1) from Router C. The ping is successful. Run the display interface
brief command to view bandwidth usage of outbound interfaces. The command output shows
that Eth-Trunk1's bandwidth usage is similar to GE 2/0/0's bandwidth usage. This verifies that
UCMP has been enabled and traffic is load-balanced among outgoing interfaces based on the
bandwidth ratio.
[~RouterC] ping -c 100 -t 10 -m 10 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
...
--- 10.1.1.1 ping statistics ---
100 packet(s) transmitted
99 packet(s) received
1.00% packet loss
round-trip min/avg/max = 1/1/6 ms
[~RouterB] display interface brief
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(b): BFD down
(e): EFM down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk1                  up    up         20%    30%         35        210
GigabitEthernet1/0/0        up    up         15%    20%         22        120
GigabitEthernet2/0/0        up    up         20%    30%         23        125
GigabitEthernet2/0/1        *down down        0%     0%          0          0
GigabitEthernet2/0/3        *down down        0%     0%          0          0
GigabitEthernet2/0/4        *down down        0%     0%          0          0
GigabitEthernet2/0/5        *down down        0%     0%          0          0
GigabitEthernet2/0/6        *down down        0%     0%          0          0
GigabitEthernet2/0/7        *down down        0%     0%          0          0
Ip-Trunk1                   down  down        0%     0%          0          0
LoopBack0                   down  up(s)       0%     0%          0          0
NULL0                       up    up          0%     0%          0          0

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
load-balance unequal-cost enable
#
interface Eth-Trunk1
ip address 40.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet4/0/0
undo shutdown
eth-trunk 1
#
ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
ip route-static 20.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
ip route-static 50.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.2
ip route-static 50.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.2
#

Configuration file of Router B


#
sysname RouterB
#
interface Eth-Trunk1
ip address 40.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
undo shutdown
ip address 50.1.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet4/0/0
undo shutdown
eth-trunk 1
#
ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/0 30.1.1.1


ip route-static 10.1.1.0 255.255.255.0 Eth-Trunk1 40.1.1.1


ip route-static 20.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.2
#
return

Configuration file of Router C


#
sysname RouterC
#
ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
ip route-static 30.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
ip route-static 40.1.1.0 255.255.255.0 GigabitEthernet2/0/2 50.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
undo shutdown
ip address 50.1.1.2 255.255.255.0
#
return

5 ACL6 Configuration


About This Chapter


You can distinguish packets through an ACL6 and process them in different manners.
5.1 ACL6 Overview
An ACL6 is a list of rules. An ACL6 classifies packets according to ACL6 rules, and then the
device determines whether to accept the classified packets according to the rules in the ACL6.
An ACL6 can be applied to multiple services, such as routing policy and traffic policy.
5.2 ACL6 Features Supported by the NE5000E
According to the difference in filtering rules, ACL6s can be categorized into interface-based
ACL6s, basic ACL6s, and advanced ACL6s.
5.3 Configuring an Interface-based ACL6
An interface-based ACL6 is an ACL that specifies rules according to interfaces that receive
packets.
5.4 Configuring a Basic ACL6
When defining rules in a basic ACL6, you can specify source IP addresses.
5.5 Configuring an Advanced ACL6
An advanced ACL6 defines rules according to the source address, destination address, type of
the protocol over IP, and protocol features, for example, the source port and destination port of
TCP and the type and code of ICMP.
5.6 Configuring the Validity Period of an ACL6 Rule
By performing this configuration task, you can configure the validity period of an ACL6 rule.
5.7 Maintaining an ACL6
This section describes how to maintain an ACL6. Detailed operations include deleting ACL6
statistics and monitoring the ACL6 operation.


5.1 ACL6 Overview


An ACL6 is a list of rules. An ACL6 classifies packets according to ACL6 rules, and then the
device determines whether to accept the classified packets according to the rules in the ACL6.
An ACL6 can be applied to multiple services, such as routing policy and traffic policy.
To filter packets, the device needs to be configured with a set of rules. These rules are defined
through an ACL.
An ACL6 is an ordered set of rules that consist of a series of deny | permit clauses. ACL6 rules
are applied to interfaces of the device. The device permits or denies packets according to the
ACL6 rules.
For example, you can set a rule in the ACL6 to prevent user terminals from logging in to a device
through Telnet, or to allow each user terminal to e-mail the device through the Simple Mail
Transfer Protocol (SMTP).
ACL6s can be classified into the following types:
- Interface-based ACL6s: classify packets according to the interface from which packets are
  received.
- Basic ACL6s: classify packets according to the source address.
- Advanced ACL6s: classify packets based on multiple optional parameters, such as source
  address, destination address, source port number, destination port number, and protocol
  type.

5.2 ACL6 Features Supported by the NE5000E


According to the difference in filtering rules, ACL6s can be categorized into interface-based
ACL6s, basic ACL6s, and advanced ACL6s.

Interface-based ACL6s
The rules in an interface-based ACL6 are defined according to inbound interfaces of packets
and are used to filter packets of different inbound interfaces. The number of an interface-based
ACL6 ranges from 1000 to 1999.

Basic ACL6s
The rules in a basic ACL6 are defined according to source addresses of packets and are used to
filter packets with different source addresses. The number of a basic ACL6 ranges from 2000
to 2999.
Basic ACL6s are commonly applied to the implementation of routing policy and QoS. For
example, by configuring an ACL6, you can control the rights of users logging in to the device
or control the traffic on the device.

Advanced ACL6s
The rules in an advanced ACL6 are defined according to the source addresses, destination
addresses, protocol types, source port numbers, and destination port numbers of packets.

Advanced ACL6s can be classified into numbered ACL6s and named ACL6s according to the
naming rule of ACL6s. The number of a numbered ACL6 ranges from 3000 to 3999; the number
of a named ACL6 ranges from 42768 to 59151.
An advanced ACL6 provides more extensive filtering rules, which can be applied to routing
policy and packet filtering. For example, you can configure an advanced ACL6 in the multicast
service to filter multicast packets with different source addresses and group addresses.

5.3 Configuring an Interface-based ACL6


An interface-based ACL6 is an ACL that specifies rules according to interfaces that receive
packets.

Applicable Environment
Figure 5-1 Typical application environment of an interface-based ACL6
[Figure labels: Network A, Network B, RouterA, GE1/0/0, GE2/0/0, Internet; interface-based ACL6 enabled on RouterA]

As shown in Figure 5-1, an ACL that is based on GE 1/0/0 is created on Router A. Router A
accepts all the packets that are sent from Network A to the Internet and denies all the packets
that are sent from Network B to the Internet.

Pre-configuration Tasks
Before configuring an interface-based ACL6, complete the following task:
- Configuring the parameters of the link layer protocol for interfaces to ensure that the link
  layer protocol status of the interface is Up

Configuration Procedure
Figure 5-2 Flowchart for configuring an interface-based ACL6
[Flowchart: Create an interface-based ACL6 -> Configure rules for an interface-based ACL6]

5.3.1 Creating an Interface-based ACL6


This part describes how to create an interface-based ACL6, whose number ranges from 1000 to
1999.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

The interface-based ACL6 is created.


Step 3 Run:
commit

The configuration is committed.


----End

5.3.2 Configuring Rules for an Interface-based ACL6


The rules in an interface-based ACL6 are defined according to inbound interfaces of packets
and are used to filter packets of different inbound interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number

The interface-based ACL6 view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } interface { interface-type interface-number |
any } [ time-range time-name ] *

Rules of the interface-based ACL6 are created.


Step 4 Run:
commit

The configuration is committed.


----End

5.3.3 Checking the Configuration


You can view the configuration of an interface-based ACL6.

Prerequisite
The configuration of the interface-based ACL6 is complete.

Procedure
Step 1 Run:
display acl ipv6 { acl6-number | all }

The configuration of the interface-based ACL6 is displayed.

----End

Example
After running the preceding command, you can view the ACL number, number of ACL rules,
and rule contents.
<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
Acl's match-order is config
rule 5 permit interface Pos4/0/0 (0 times matched)

5.4 Configuring a Basic ACL6


When defining rules in a basic ACL6, you can specify source IP addresses.


Applicable Environment
Figure 5-3 Typical application environment of a basic ACL6
[Figure labels: Network A, Network B, Network C, Router A, GE1/0/0, GE2/0/0, Internet; basic ACL6 enabled on Router A]

As shown in Figure 5-3, a basic ACL6 is created on Router A. Router A accepts all the packets
that are sent from Network A, Network B, and Network C to the Internet.

Pre-configuration Tasks
Before configuring a basic ACL6, complete the following task:
- Configuring the parameters of the link layer protocol for interfaces to ensure that the link
  layer protocol status of the interface is Up

Configuration Procedure
Figure 5-4 Flowchart for configuring a basic ACL6
[Flowchart: Create a basic ACL6 -> Configure rules for a basic ACL6]

5.4.1 Creating a Basic ACL6


This part describes how to create a basic ACL6, whose number ranges from 2000 to 2999, and
specify filtering rules according to source interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

A basic ACL6 is created.


Step 3 Run:
commit

The configuration is committed.


----End

5.4.2 Configuring Rules for a Basic ACL6


When defining rules for a basic ACL6, you can specify source IP addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number

The basic ACL6 view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | vpn6-instance vpn6-instance-name ] *

Rules for the basic ACL6 are created.


Step 4 Run:
commit

The configuration is committed.


----End

5.4.3 Checking the Configuration


You can view the configuration of a basic ACL6.

Prerequisite
The configuration of the basic ACL6 is complete.

Procedure
Step 1 Run the display acl ipv6 { acl6-number | all } command to view the configuration of the basic
ACL6.
----End

Example
After running the display acl ipv6 command, you can view the ACL6 number, number of ACL6
rules, and rule contents.
<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's match-order is config
rule 5 permit (3 times matched)

5.5 Configuring an Advanced ACL6


An advanced ACL6 defines rules according to the source address, destination address, type of
the protocol over IP, and protocol features, for example, the source port and destination port of
TCP and the type and code of ICMP.

Applicable Environment
Figure 5-5 Typical application environment of an advanced ACL6
[Figure labels: Network A, Network B, Network C, Network D, RouterA, RouterB, RouterC, RouterD, RouterE, ICMPv6 packet]

As shown in Figure 5-5, an advanced ACL6 is created on Router E. Router E needs to accept
all the ICMPv6 packets sent from Router B to Router D and deny all the ICMPv6 packets sent
from Router A to Router C.


Pre-configuration Tasks
Before configuring an advanced ACL6, complete the following task:
- Configuring the parameters of the link layer protocol for interfaces to ensure that the link
  layer protocol status of the interface is Up

Configuration Procedure
Figure 5-6 Flowchart for configuring an advanced ACL6
[Flowchart with two branches, "Configure numbered advanced ACL6" and "Configure named advanced ACL6"; each branch: Create an advanced ACL6 -> Configure rules for an advanced ACL6]

5.5.1 Creating an Advanced ACL6


This part describes how to create an advanced ACL6, whose number ranges from 3000 to 3999.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run either of the following commands according to the naming mode of the advanced ACL6:
- Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to
  create a numbered advanced ACL6.
  The number of a numbered advanced ACL6 ranges from 3000 to 3999.
- Run the acl ipv6 name acl-name [ number acl-number ] [ match-order { auto | config } ]
  command to create a named advanced ACL6.
  The number of a named advanced ACL6 ranges from 42768 to 59151.
Step 3 Run:
commit

The configuration is committed.


----End

5.5.2 Configuring Rules for an Advanced ACL6


When defining rules for an advanced ACL6, you can specify the source IP address, destination
IP address, type of the protocol over IP, source port, and destination port.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run either of the following commands according to the naming mode of the advanced ACL6:
- Run the acl ipv6 [ number ] acl6-number command to enter the ACL6 view.
  The number of a numbered advanced ACL ranges from 3000 to 3999.
- Run the acl ipv6 name acl-name [ number acl-number ] command to enter the ACL6 view.
  The number of a named advanced ACL ranges from 42768 to 59151.
Step 3 Do as follows as required:
- If the value of protocol is TCP or UDP, to create an ACL6 rule, run the rule [ rule-id ]
  { deny | permit } protocol [ destination { destination-ipv6-address prefix-length |
  destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment |
  source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
  source-port operator port | time-range time-name | [ dscp dscp | [ precedence
  precedence | tos tos ] * ] | vpn-instance vpn-instance-name ] * command.
- If the value of protocol is ICMPv6, to create an ACL6 rule, run the rule [ rule-id ] { deny |
  permit } protocol [ destination { destination-ipv6-address prefix-length |
  destination-ipv6-address/prefix-length | any } | fragment | icmpv6-type { icmp6-type-name |
  icmp6-type icmp6-code } | source { source-ipv6-address prefix-length |
  source-ipv6-address/prefix-length | any } | time-range time-name | [ dscp dscp |
  [ precedence precedence | tos tos ] * ] | vpn-instance vpn-instance-name ] * command.
- If the value of protocol is other than TCP, UDP, and ICMPv6, to create an ACL6 rule, run
  the rule [ rule-id ] { deny | permit } protocol [ destination { destination-ipv6-address
  prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source
  { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } |
  time-range time-name | [ dscp dscp | [ precedence precedence | tos tos ] * ] |
  vpn-instance vpn-instance-name ] * command.
Step 4 Run:
commit

The configuration is committed.


----End

5.5.3 Checking the Configuration


You can view the configuration of an advanced ACL6.

Prerequisite
The configuration of the advanced ACL6 is complete.

Procedure
Step 1 Run the display acl ipv6 { name acl-name | acl6-number | all } command to view the
configuration of the advanced ACL6.
----End

Example
After running the display acl ipv6 command, you can view the ACL6 number, number of ACL6
rules, and rule contents.
<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules
ACL's match-order is config
rule 0 permit icmpv6 (1 times matched)
rule 1 permit ipv6 source 3001::/16 destination 4001::/16 (2 times matched)
rule 2 permit tcp source 5001::/16 (3 times matched)

5.6 Configuring the Validity Period of an ACL6 Rule


By performing this configuration task, you can configure the validity period of an ACL6 rule.

Applicable Environment
To control certain types of traffic in a specified period, you can configure the validity period of
an ACL6 rule to determine when the traffic passes. For example, to ensure reliable transmission
of video traffic at prime time at night, you need to limit the volume of traffic for common online
users.
After this configuration task is performed, a time range is created. Then, you can specify the
time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
- Absolute time range: The validity period is fixed.
- Relative time range: The validity period recurs periodically, for example, each Monday.

Pre-configuration Tasks
Before configuring the validity period of an ACL6 rule, complete the following tasks:
- Configuring the parameters of the link layer protocol for interfaces to ensure that the link
  layer protocol status of the interface is Up
- Configuring an ACL6


Configuration Procedure
Figure 5-7 Flowchart for configuring the validity period of an ACL6 rule
[Flowchart: Create the validity period of an ACL6 rule -> Specify the validity period for an ACL6 rule]

5.6.1 Creating the Validity Period of an ACL6 Rule


This configuration task is to create the validity period of an ACL6 rule. You can create multiple
validity periods with the same name.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
time-range time-name { start-time to end-time days | from time1 date1 [ to time2
date2 ] }

The validity period of an ACL6 rule is created.


Step 3 Run:
commit

The configuration is committed.


----End

5.6.2 Specifying the Validity Period for an ACL6 Rule


After the validity period is configured for an ACL6 rule, the rule can take effect during the
specified time.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
acl ipv6 [ number ] acl6-number

The ACL6 view is displayed.


Step 3 Run:
rule [ rule-id ] { deny | permit } time-range time-name

The validity period is configured for the ACL6 rule.


NOTE

If a validity period that does not exist is specified for an ACL6 rule, the ACL6 rule is invalid.

Step 4 Run:
commit

The configuration is committed.


----End

5.6.3 Checking the Configuration


You can view the configuration of the validity period for an ACL6 rule.

Prerequisite
The configuration of the validity period for an ACL6 rule is complete.

Procedure
Step 1 Run the display time-range { time-name | all } command to view the validity period for the ACL6 rule.
----End

Example
After you run the display time-range command, the configuration and status of the validity period
for the ACL6 rule are displayed.
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
10:00 to 12:00 daily
Time-range : time2 ( Inactive )
from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
14:00 to 00:00 daily
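
The Active and Inactive states in the example output above can be recomputed offline, as in this added Python example (it is not part of the Huawei guide, and all function names are illustrative). Assumptions: an end time of 00:00 means the end of the day, the end minute of an absolute range is included, entries under one name combine as (any periodic) AND (any absolute), and the day keywords other than daily are not taken from this page.

```python
import re
from datetime import datetime, timedelta

# The example output of "display time-range all" printed in this section.
SAMPLE_OUTPUT = """\
<HUAWEI> display time-range all
Current time is 14:19:16 3-15-2006 Wednesday
Time-range : time1 ( Inactive )
 10:00 to 12:00 daily
Time-range : time2 ( Inactive )
 from 13:00 2006/4/1 to 23:59 2099/12/31
Time-range : active1 ( Active )
 14:00 to 00:00 daily
"""

# Assumption: only "daily" appears on this page; the other keywords are added
# so that the evaluator is usable on more than the sample.
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # weekday() order
DAY_SETS = {"daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}

NAME_RE = re.compile(r"^Time-range : (\S+) \( (Active|Inactive) \)$")
PERIODIC_RE = re.compile(r"^(\d\d?):(\d\d) to (\d\d?):(\d\d) (.+)$")
STAMP = r"\d\d?:\d\d \d{4}/\d\d?/\d\d?"
ABSOLUTE_RE = re.compile(rf"^from ({STAMP})(?: to ({STAMP}))?$")


def parse_time_ranges(text):
    """Return (current_time, ranges); ranges maps each name to its entries."""
    now, ranges, current = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("<"):          # blank line or CLI prompt
            continue
        name, periodic, absolute = (NAME_RE.match(line), PERIODIC_RE.match(line),
                                    ABSOLUTE_RE.match(line))
        if line.startswith("Current time is "):
            clock, date = line.split()[3:5]
            now = datetime.strptime(f"{clock} {date}", "%H:%M:%S %m-%d-%Y")
        elif name:
            # Several validity periods may share one name; they accumulate here.
            current = ranges.setdefault(
                name[1], {"reported": name[2], "periodic": [], "absolute": []})
        elif current is None:
            raise ValueError(f"entry before any time-range name: {line!r}")
        elif periodic:
            start = int(periodic[1]) * 60 + int(periodic[2])
            end = (int(periodic[3]) * 60 + int(periodic[4])) or 24 * 60
            if end <= start:
                raise ValueError(f"end time not after start time: {line!r}")
            days = set()
            for word in periodic[5].split():
                days |= DAY_SETS[word] if word in DAY_SETS else {WEEKDAYS.index(word)}
            current["periodic"].append((start, end, days))
        elif absolute:
            fmt = "%H:%M %Y/%m/%d"
            end = datetime.strptime(absolute[2], fmt) if absolute[2] else None
            current["absolute"].append((datetime.strptime(absolute[1], fmt), end))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return now, ranges


def is_active(entry, now):
    """Evaluate one named time range at the instant `now`."""
    minute = now.hour * 60 + now.minute
    periodic = [s <= minute < e and now.weekday() in days
                for s, e, days in entry["periodic"]]
    absolute = [s <= now and (e is None or now < e + timedelta(minutes=1))
                for s, e in entry["absolute"]]
    if not periodic and not absolute:
        return False
    return (any(periodic) or not periodic) and (any(absolute) or not absolute)


def rule_in_effect(time_name, ranges, now):
    """A rule that names a validity period which does not exist is invalid."""
    entry = ranges.get(time_name)
    return entry is not None and is_active(entry, now)


def status_mismatches(text):
    """Names whose recomputed state differs from the state the device printed."""
    now, ranges = parse_time_ranges(text)
    return [name for name, entry in ranges.items()
            if is_active(entry, now) != (entry["reported"] == "Active")]


if __name__ == "__main__":
    current_time, parsed = parse_time_ranges(SAMPLE_OUTPUT)
    for range_name, range_entry in parsed.items():
        print(range_name, range_entry["reported"], is_active(range_entry, current_time))
```
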

5.7 Maintaining an ACL6


This section describes how to maintain an ACL6. Detailed operations include deleting ACL6
statistics and monitoring the ACL6 operation.

5.7.1 Clearing ACL6 Statistics


This section describes how to clear ACL6 statistics.

Context

CAUTION
Statistics cannot be restored after being cleared. So, confirm the action before you run the
following command.

Procedure
Step 1 After checking that ACL6 statistics need to be cleared, run the reset acl ipv6 counter { acl6-number | name acl-name | all } command in the user view.
----End

5.7.2 Monitoring the ACL6 Operation


This section describes how to monitor the ACL6 operation.

Context
In routine maintenance, you can run the following command in any view to check the ACL6
operation.

Procedure
- Run:
display acl ipv6 { acl6-number | name acl-name | all }

The ACL6 operation status is displayed.


----End
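
One way to use the display acl ipv6 output for the routine check described above, as an added Python example that is not part of the Huawei guide. It parses the example outputs from 5.3.3, 5.4.3 and 5.5.3 and reports rules that were never matched, permit rules without an interface or address scope, and ACL6 numbers outside the ranges given in 5.2; the function names and the choice of findings are assumptions made for illustration.

```python
import re

# ACL6 number ranges stated in section 5.2 (advanced: numbered, then named).
NUMBER_RANGES = {
    "Interface Based": [(1000, 1999)],
    "Basic": [(2000, 2999)],
    "Advanced": [(3000, 3999), (42768, 59151)],
}
# Output for named ACL6s is not shown in this guide, so only the numeric
# header form that appears in the examples is parsed.
HEADER_RE = re.compile(r"^(Interface Based|Basic|Advanced) IPv6 ACL (\d+), (\d+) rules?$")
ORDER_RE = re.compile(r"^ACL's match-order is (auto|config)$", re.IGNORECASE)
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)(.*?)(?: \((\d+) times matched\))?$")

# The example outputs printed in sections 5.3.3, 5.4.3 and 5.5.3.
SAMPLE_OUTPUT = """\
<HUAWEI> display acl ipv6 1000
Interface Based IPv6 ACL 1000, 1 rule
Acl's match-order is config
rule 5 permit interface Pos4/0/0 (0 times matched)
<HUAWEI> display acl ipv6 2200
Basic IPv6 ACL 2200, 1 rule
Acl's match-order is config
rule 5 permit (3 times matched)
<HUAWEI> display acl ipv6 3100
Advanced IPv6 ACL 3100, 3 rules
ACL's match-order is config
rule 0 permit icmpv6 (1 times matched)
rule 1 permit ipv6 source 3001::/16 destination 4001::/16 (2 times matched)
rule 2 permit tcp source 5001::/16 (3 times matched)
"""


def parse_acl6(text):
    """Parse display acl ipv6 output into a list of ACL6 dictionaries."""
    acls = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("<"):          # blank line or CLI prompt
            continue
        header = HEADER_RE.match(line)
        if header:
            acls.append({"kind": header[1], "number": int(header[2]),
                         "declared": int(header[3]), "order": None, "rules": []})
            continue
        if not acls:
            raise ValueError(f"line before any ACL6 header: {line!r}")
        order, rule = ORDER_RE.match(line), RULE_RE.match(line)
        if order:
            acls[-1]["order"] = order[1].lower()
        elif rule:
            acls[-1]["rules"].append({
                "id": int(rule[1]), "action": rule[2],
                "criteria": rule[3].split(),
                "hits": int(rule[4]) if rule[4] is not None else None})
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return acls


def is_scoped(criteria):
    """True if the rule names an interface, source or destination other than 'any'."""
    for keyword in ("interface", "source", "destination"):
        if keyword in criteria:
            position = criteria.index(keyword) + 1
            if position < len(criteria) and criteria[position] != "any":
                return True
    return False


def audit_acl6(acls):
    """Return (acl_number, rule_id, finding) tuples for a reviewer to look at."""
    findings = []
    for acl in acls:
        number = acl["number"]
        if not any(low <= number <= high for low, high in NUMBER_RANGES[acl["kind"]]):
            findings.append((number, None, "number outside the range for this ACL6 type"))
        if len(acl["rules"]) != acl["declared"]:
            findings.append((number, None, "rule count differs from header"))
        for rule in acl["rules"]:
            if rule["action"] == "permit" and not is_scoped(rule["criteria"]):
                findings.append((number, rule["id"],
                                 "permit without interface or address scope"))
            if rule["hits"] == 0:
                findings.append((number, rule["id"], "never matched"))
    return findings


if __name__ == "__main__":
    for finding in audit_acl6(parse_acl6(SAMPLE_OUTPUT)):
        print(finding)
```

Counters that were reset with reset acl ipv6 counter start again from zero, so a "never matched" finding is only meaningful for the period since the last reset.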

6 Basic Configurations of IPv6


About This Chapter


The IPv6 protocol stack supports the routing protocols and application protocols in an
IPv6 network.
6.1 IPv6 Overview
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is a standard network
protocol of the second generation. It is designed by the Internet Engineering Task Force (IETF)
as an upgraded version of IPv4, and makes up for the defects of IPv4.
6.2 IPv6 Features Supported by the NE5000E
Basic functions supported by the IPv6 protocol stack include IPv6 address configuration, IPv6
neighbor discovery, duplicate address detection, route advertisement, ICMPv6 packet control,
and PMTU. The IPv6 protocol stack supports the routing protocols and application
protocols in an IPv6 network.
6.3 Configuring an IPv6 Address for the Interface
You can manually configure IPv6 addresses for a device so that the device can communicate
with other devices on the network.
6.4 Configuring an IPv6 Address Selection Policy Table
If multiple addresses are configured on an interface of the device, the IPv6 address selection
policy table can be used to select source and destination addresses for packets.
6.5 Configuring IPv6 Neighbor Discovery
The IPv6 neighbor discovery (ND) protocol uses a group of messages and processes to identify
the relationships between neighboring nodes. The ND protocol replaces ARP of IPv4 and the
router discovery protocol of ICMP, and provides the function of neighbor reachability detection.
6.6 Configuring Duplicate Address Detection
Duplicate address detection is a process in which a device checks whether the address to be used
has been used by another device.
6.7 Configuring RA
A router periodically sends Router Advertisement (RA) messages that carry prefixes and flag
bits, or responds to the router request messages with RA messages.
6.8 Configuring ICMPv6 Message Control
In ICMPv6 message control, the token bucket algorithm is adopted, and one token represents
one ICMPv6 message. Tokens are placed in the virtual bucket at fixed intervals until the capacity
of the token bucket reaches the upper threshold. If the number of ICMPv6 messages exceeds
the upper threshold, extra messages are discarded.
6.9 Configuring PMTUs
Through the configuration of a PMTU, devices on the network send packets based on the same
MTU so that packets do not need to be fragmented in the transmission process and the burden
of intermediate devices is reduced. Therefore, network resources are used efficiently to
achieve the optimal traffic throughput.
6.10 Configuring TCP6
By setting TCP6 packets, you can improve the performance of the network.
6.11 Maintaining IPv6
This section describes how to maintain IPv6. The detailed configurations include clearing IPv6
statistics and monitoring IPv6 running status.
6.12 Configuration Examples
You can learn the configuration process from the configuration flowchart. Each
configuration example consists of such information as the networking requirements,
configuration notes, and configuration roadmap.


6.1 IPv6 Overview


Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is a standard network
protocol of the second generation. It is designed by the Internet Engineering Task Force (IETF)
as an upgraded version of IPv4, and makes up for the defects of IPv4.
The most remarkable difference between IPv6 and IPv4 is that the length of the IP address
changes from 32 bits to 128 bits. Featuring the simplified packet header format, sufficient address
space, hierarchical address structure, flexible extension header, and enhanced neighbor
discovery (ND) mechanism, IPv6 is competitive in the future market.

6.2 IPv6 Features Supported by the NE5000E


Basic functions supported by the IPv6 protocol stack include IPv6 address configuration, IPv6
neighbor discovery, duplicate address detection, route advertisement, ICMPv6 packet control,
and PMTU. The IPv6 protocol stack supports the routing protocols and application
protocols in an IPv6 network.

IPv6 Address
A 128-bit IPv6 address can be in either of the following formats:
- X:X:X:X:X:X:X:X
  In this format, a 128-bit IP address is divided into eight groups. The 16 bits in each group
  are represented by four hexadecimal characters, namely, 0 to 9 and A to F. These groups
  are separated by a colon (:). Each "X" represents four hexadecimal characters.
- X:X:X:X:X:X:d.d.d.d
  This format includes the IPv4-mapped IPv6 address.
  In this format, "X:X:X:X:X:X" represents the high-order six groups of numbers, and the
  16 bits in each group are represented by hexadecimal numbers. "d.d.d.d" represents the
  low-order four groups of numbers, and the 8 bits in each group are represented by decimal
  numbers. "d.d.d.d" is a standard IPv4 address.

An IPv6 address can be divided into two parts:
- Network prefix: It is n bits long and is equivalent to the network ID of an IPv4 address.
- Interface identifier: It is 128-n bits long and is equivalent to the host ID of an IPv4 address.

IPv6 Neighbor Discovery


The IPv6 neighbor discovery (ND) protocol uses a group of messages and processes to identify
the relationships between neighboring nodes. The ND protocol replaces the Address Resolution
Protocol (ARP) of IPv4 and the router discovery protocol of ICMP, and provides additional
functions.

Selection of Source and Destination Addresses


When network administrators need to specify or plan source and destination addresses, they
can define a group of address selection rules. An address selection policy table can be created
based on these rules. Similar to a routing table, this table can be queried based on the longest
match rule. The address is selected based on the source and destination addresses.

Duplicate Address Detection


Duplicate address detection (DAD) is a mechanism used to check whether an IPv6 address is
available.
When a node is configured with an IPv6 address, it sends a Neighbor Solicitation (NS) message
to check whether the IPv6 address can be used. If the IPv6 address has been used by another
node, the node replies to the sender with a Neighbor Advertisement (NA) message, notifying
that the IPv6 address has been used.

Router Advertisement
A Router Advertisement (RA) message is used in neighbor discovery. An RA message carries
information such as a prefix and a flag bit.

ICMPv6 Message Control


In the ICMPv6 message control function, the token bucket algorithm is adopted. One token
represents one ICMPv6 message. Tokens are placed in the virtual bucket at a fixed interval until
the capacity of the token bucket reaches the upper threshold. If the number of ICMPv6 messages
exceeds the upper threshold, extra messages are discarded.

IPv6 PMTU
The problem of different MTUs of the packets from different networks can be addressed by
either of the following methods:
- The routers fragment packets as required. In this method, the source end only needs to
  fragment packets; the intermediate routers, however, need to both fragment and reassemble
  packets.
- The source end fragments packets based on a proper MTU so that the packets do not need
  to be fragmented on intermediate routers. In this manner, the burden on the intermediate
  routers can be reduced. Since IPv6 intermediate routers do not support IPv6 packet
  fragmentation, this method is adopted to address the problem.

The Path MTU Discovery (PMTU) mechanism is designed to find the smallest MTU for a path
from the source end to the destination end.

6.3 Configuring an IPv6 Address for the Interface


You can manually configure IPv6 addresses for a device so that the device can communicate
with other devices on the network.

Applicable Environment
If a router intends to communicate with an IPv6 device, you need to configure IPv6 addresses
for the interfaces on the router.
On the NE5000E, you can configure IPv6 addresses on the following types of interface:
- GigabitEthernet interface and its sub-interfaces
- Serial interface (only the serial interface of a PPP link or an HDLC link supports IPv6)
- POS interface (only the POS interface of a PPP link or an HDLC link supports IPv6)
- Tunnel interface
- Loopback interface
- Eth-Trunk interface

Each interface can be configured with at most 10 global unicast addresses.


Link-local addresses are used for the communication between link-local nodes in ND and in the
stateless auto-configuration process. The packets with link-local addresses as source or
destination addresses are not forwarded to other links.
Link-local addresses can be automatically generated or manually configured.
- After the IPv6 function is enabled on an interface, the system automatically generates a
  link-local address for the interface.
- The link-local address that is manually configured must be valid (usually with the FE80::/10
  prefix).

Link-local addresses are used for the communication between link-local nodes. This means that
link-local addresses are usually used for the communication between protocols, and are not
directly related to the communication between users. Therefore, automatic generation of
link-local addresses is recommended.
Global unicast addresses, equivalent to public IPv4 addresses, are used for data forwarding on
a public network and are necessary for the communication between users.
EUI-64 addresses function the same as global unicast addresses. The difference is that only the
network bits need to be specified for an EUI-64 address, and the host bits are derived from the
interface MAC address; for a global unicast address, all the 128 bits must be specified. You must
note that the prefix length of the network bits of an EUI-64 address cannot be more than 64 bits.
Both or either of EUI-64 addresses and global unicast addresses can be configured on an interface
for communications. The addresses that are configured on the same interface, however, must
belong to different network segments.
IPv6 addresses are classified into unicast addresses, multicast addresses, and anycast addresses.
- Multicast address: identifies a group of interfaces that belong to different nodes and is similar
  to an IPv4 multicast address. The packets with a multicast destination address are transmitted
  to all the interfaces identified by this multicast address.
- Anycast address: identifies multiple interfaces that generally belong to different nodes. A
  packet addressed for an anycast address is sent to the interface that is nearest to the sender
  based on the distance vector in the interface group identified by the anycast address.
  Currently, anycast addresses are applicable to a few scenarios. In typical applications,
  anycast addresses are used by a large number of 6to4 relay routers in a 6to4 tunnel to
  enhance the network expandability.
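
The address rules above can be checked before an interface is configured, as in this added Python example (it is not part of the Huawei guide). It derives an EUI-64 address from a prefix and a MAC address and validates an address plan against the FE80::/10 rule, the limit of 10 global unicast addresses, and the requirement for different network segments. Assumptions: the interface identifier is the modified EUI-64 form of RFC 4291, and the MAC address, the 2001:db8:: prefixes and the function names are constructed for illustration.

```python
import ipaddress

MAX_GLOBAL_UNICAST = 10                           # per-interface limit from this section
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # prefix named in this section


def eui64_interface_id(mac):
    """64-bit interface identifier derived from a 48-bit MAC address.

    Assumption: modified EUI-64 as defined in RFC 4291, Appendix A
    (FFFE inserted in the middle, universal/local bit inverted).
    """
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = bytes([octets[0] ^ 0x02])             # invert the universal/local bit
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def eui64_address(prefix, mac):
    """Combine the network bits of `prefix` with host bits derived from `mac`."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen > 64:
        raise ValueError("the prefix length of an EUI-64 address cannot exceed 64 bits")
    value = int(network.network_address) | eui64_interface_id(mac)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/{network.prefixlen}")


def check_interface_plan(link_local, global_unicast):
    """Return the problems found in the addresses planned for one interface.

    link_local     -- manually configured link-local address, or None to let
                      the system generate one
    global_unicast -- list of "address/prefix-length" strings
    """
    problems = []
    if link_local is not None and ipaddress.IPv6Address(link_local) not in LINK_LOCAL:
        problems.append(f"{link_local}: link-local address is outside FE80::/10")
    interfaces = [ipaddress.IPv6Interface(text) for text in global_unicast]
    if len(interfaces) > MAX_GLOBAL_UNICAST:
        problems.append(f"{len(interfaces)} global unicast addresses, "
                        f"at most {MAX_GLOBAL_UNICAST} are allowed")
    for index, first in enumerate(interfaces):
        if first.ip.is_link_local or first.ip.is_multicast or first.ip.is_unspecified:
            problems.append(f"{first}: not usable as a global unicast address")
        for second in interfaces[index + 1:]:
            # Addresses on one interface must belong to different network segments.
            if first.network.overlaps(second.network):
                problems.append(f"{first} and {second}: same network segment")
    return problems


if __name__ == "__main__":
    mac = "00e0-fc12-3456"                        # constructed MAC address
    plan = [str(eui64_address("2001:db8:1::/64", mac)), "2001:db8:2::1/64"]
    print(plan)
    print(check_interface_plan("fe80::2e0:fcff:fe12:3456", plan))
    print(check_interface_plan("fec0::1", ["2001:db8:1::1/64", "2001:db8:1::2/64"]))
```
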

Pre-configuration Tasks
Before configuring IPv6 addresses for interfaces, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Setting parameters of the link layer protocols for the interfaces to ensure that the status of
  the link layer protocols on the interfaces is Up


Configuration Procedures
Figure 6-1 Flowchart of configuring IPv6 addresses
[Flowchart: Enable IPv6 -> Configure a link-local address on an interface -> Configure a global unicast address on an interface -> Configure an anycast address on an interface]

6.3.1 Enabling IPv6


You can perform IPv6-related configurations on an interface only when IPv6 is enabled in the
interface view.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface where IPv6 needs to be enabled is displayed.


Step 3 Run:
ipv6 enable

IPv6 is enabled on the interface.


By default, IPv6 is not enabled on an interface.
Step 4 Run:
commit

The configuration is committed.


----End

6.3.2 Configuring a Link-local Address on an Interface


Link-local addresses are used for the communication between link-local nodes in neighbor
discovery and in the stateless auto-configuration process. Link-local addresses are valid only on
local links. The packets with link-local addresses as source or destination addresses are not
forwarded to other links.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 address ipv6-address link-local

The link-local address is configured on the interface.


- If you do not run the ipv6 address ipv6-address link-local command to configure a link-local
  address, the system automatically generates a link-local address after the task of Enabling IPv6
  is performed in the interface view.
- Running the ipv6 address ipv6-address link-local command overrides the link-local address
  that is automatically generated by the system.
Step 4 Run:
commit

The configuration is committed.


----End

6.3.3 Configuring a Global Unicast Address on an Interface


Global unicast addresses, equivalent to IPv4 addresses, are used for the links whose route
prefixes can be aggregated, thus reducing the number of routing entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
or
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64


The global unicast address is configured on the interface.


Each interface can be configured with at most 10 global unicast addresses.
Step 4 Run:
commit

The configuration is committed.


----End

6.3.4 Configuring an IPv6 Anycast Address for an Interface


An anycast address is used to identify a group of interfaces.

Context
Anycast addresses and unicast addresses are in the same address range. An anycast address is
used to identify a group of interfaces on different nodes.
- Similar to a multicast address, an anycast address is listened to by multiple nodes.
  Therefore, it is only used as a destination address.
- The packets destined for an anycast address are transmitted to an interface that is in the
  interface group identified by the anycast address and is closest to the source node. (The
  distance between an interface and the source node is calculated based on the routing
  protocol.) The packets destined for a multicast address are transmitted to a group of
  interfaces with the multicast address.

When the 6to4 tunnel is used for the communication between the 6to4 network and the native
IPv6 network, the NE5000E supports the configuration of an anycast address with the prefix of
2002:c058:6301:: on the tunnel interface of the 6to4 relay route device.
Alternatively, you can configure a 6to4 address on the tunnel interface of the 6to4 relay route
device. When multiple 6to4 relay route devices are configured on the network, the difference
between the two methods is as follows:
- If a 6to4 address is used, you need to configure different addresses for tunnel interfaces
  of all devices.
- If an anycast address is used, you need to configure the same address for the tunnel
  interfaces of all devices. In this manner, the number of addresses is reduced.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

An IPv6 anycast address is assigned to an interface.



Step 4 Run:
commit

The configuration is committed.


----End

6.3.5 Checking the Configuration


This section describes how to check the configuration of IPv6 addresses.

Prerequisite
The configurations of IPv6 addresses are complete.

Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about IPv6 on the specified interface.
Step 2 Run the display ipv6 statistics [ interface interface-type interface-number ] command to view
the statistics about IPv6 packets on the interfaces.
----End

Example
Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::3A6F:12FF:FE10:300
Global unicast address(es):
1::1, subnet is 1::/64
Joined group address(es):
FF02::1:FF10:300
FF02::1:FF00:1
FF02::1
FF02::2
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.

Run the display ipv6 interface brief command, and you can view the IPv6 addresses that are
configured on the interface and the interface status.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical              Protocol
GigabitEthernet2/0/2         up                    up
[IPv6 Address] 2030::101:101

Run the display ipv6 statistics command, and you can view the statistics about IPv6 packets.
<HUAWEI> display ipv6 statistics
IPv6 protocol:
Sent packets:
  Total              : 3630
  Local sent out     : 3630       Forwarded          : 0
  Raw packets        : 0          Discarded          : 0
  Fragmented         : 0          Fragments          : 0
  Fragments failed   : 0          Multicast          : 0

Received packets:
  Total              : 3630       Local host         : 3630
  Hop count exceeded : 0          Header error       : 0
  Too big            : 0          Routing failed     : 0
  Address error      : 0          Protocol error     : 0
  Truncated          : 0          Option error       : 0
  Fragments          : 0          Reassembled        : 0
  Reassembly timeout : 0          Multicast          : 0

6.4 Configuring an IPv6 Address Selection Policy Table


If multiple addresses are configured on an interface of the device, the IPv6 address selection
policy table can be used to select source and destination addresses for packets.

Applicable Environment
IPv6 addresses can be classified into different types based on different applications.
- Link-local addresses and global unicast addresses based on the effective range of the IPv6
  addresses
- Temporary addresses and public addresses based on security levels
- Home addresses and care-of addresses based on the application in the mobile IPv6 field
- Physical interface addresses and logical interface addresses based on the interface attributes

The preceding IPv6 addresses can be configured on the same interface of the router. In this case,
the device must select a source address or a destination address from multiple addresses on
the interface. If the device supports the IPv4/IPv6 dual-stack, it also must select IPv4 addresses
or IPv6 addresses for communication. For example, if a domain name maps both an IPv4 address
and an IPv6 address, the system must select an address to respond to the DNS request of the
client.
An IPv6 address selection policy table solves the preceding problems. It defines a group of
address selection rules. The source and destination addresses of packets can be specified or
planned based on these rules. This table, similar to a routing table, can be queried by using the
longest matching rule. The address is selected based on the source and destination addresses.
- The label parameter can be used to determine the result of source address selection. The
  address whose label value is the same as the label value of the destination address is
  preferentially selected as the source address.
- The destination address is selected based on both the label and the precedence parameters.
  If label values of the candidate addresses are the same, the address whose precedence value
  is largest is preferentially selected as the destination address.


Pre-configuration Tasks
None.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length
precedence label

The source or destination address selection policies are configured.


By default, only default address selection policy entries are contained. These entries are prefixed
with ::1, ::, 2002::, FC00::, and ::ffff:0:0.
A maximum of 50 address selection policy entries are supported by the system.
Step 3 Run:
commit

The configuration is committed.


----End

Checking the Configuration


Run the following commands to check the previous configuration.
- Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address
  prefix-length } command to check address selection policy entries.

Run the display ipv6 address-policy all command, and you can check all address selection
policy entries, including the default address selection policy entries and the address selection
policy entry configured by ipv6 address-policy command whose prefix is 3::.
<HUAWEI> display ipv6 address-policy all
Policy Table :
Total:6
-------------------------------------------------------------------------------
Prefix     : ::                          PrefixLength : 0
Precedence : 40                          Label        : 1
Default    : Yes

Prefix     : ::1                         PrefixLength : 128
Precedence : 50                          Label        : 0
Default    : Yes

Prefix     : ::FFFF:0.0.0.0              PrefixLength : 96
Precedence : 10                          Label        : 4
Default    : Yes

Prefix     : 3::                         PrefixLength : 64
Precedence : 40                          Label        : 20
Default    : No

Prefix     : 2002::                      PrefixLength : 16
Precedence : 30                          Label        : 2
Default    : Yes

Prefix     : FC00::                      PrefixLength : 7
Precedence : 20                          Label        : 3
Default    : Yes
-------------------------------------------------------------------------------
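
The following Python sketch is an added example, not part of the Huawei guide or the router software. It models the two rules described in this section (longest-match lookup, label matching for source selection, label then precedence for destination selection) using the six entries from the output above. The function names, the candidate addresses and the fallback used when no label matches are assumptions; the rules are a simplified model of what the device applies.

```python
import ipaddress

# Entries copied from the "display ipv6 address-policy all" output on this page:
# (prefix/length, precedence, label). 3::/64 is the user-configured entry.
POLICY_TABLE = [
    ("::/0", 40, 1),
    ("::1/128", 50, 0),
    ("::ffff:0:0/96", 10, 4),
    ("3::/64", 40, 20),
    ("2002::/16", 30, 2),
    ("fc00::/7", 20, 3),
]


def lookup(address, table=POLICY_TABLE):
    """Return (prefix, precedence, label) of the longest-matching policy entry."""
    addr = ipaddress.IPv6Address(address)
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, precedence, label)
    if best is None:
        raise LookupError(f"no policy entry covers {address}")
    return str(best[0]), best[1], best[2]


def select_source(destination, candidates, table=POLICY_TABLE):
    """Prefer the candidate source whose label equals the destination's label."""
    dst_label = lookup(destination, table)[2]
    for candidate in candidates:
        if lookup(candidate, table)[2] == dst_label:
            return candidate
    # Assumption: with no label match, keep the first configured candidate.
    return candidates[0]


def order_destinations(source, candidates, table=POLICY_TABLE):
    """Order destinations: label match with the source first, then precedence."""
    src_label = lookup(source, table)[2]

    def sort_key(candidate):
        _, precedence, label = lookup(candidate, table)
        # False sorts before True, so label matches come first;
        # a larger precedence sorts earlier within each group.
        return (label != src_label, -precedence)

    return sorted(candidates, key=sort_key)


if __name__ == "__main__":
    # Candidate addresses below are constructed for the example.
    print(lookup("3::5"))
    print(select_source("3::9", ["2001:db8::1", "3::1"]))
    print(order_destinations(
        "2001:db8::1",
        ["::ffff:192.0.2.10", "2002:c000:204::1", "2001:db8:1::5"],
    ))
```

When reviewing a policy table, a user-configured entry such as 3::/64 with its own label changes which source address is used toward that prefix, so each non-default entry is worth checking against the addressing plan.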

6.5 Configuring IPv6 Neighbor Discovery


The IPv6 neighbor discovery (ND) protocol uses a group of messages and processes to identify
the relationships between neighboring nodes. The ND protocol replaces ARP of IPv4 and the
router discovery protocol of ICMP, and provides the function of neighbor reachability detection.

Applicable Environment
Most ND configurations are based on interfaces.
Currently, you can configure IPv6 ND on the following types of interface:
- GigabitEthernet interface and its sub-interfaces
- Serial interface (only the serial interface of a PPP link or an HDLC link supports IPv6)
- POS interface (only the POS interface of a PPP link or an HDLC link supports IPv6)
- Tunnel interface
- Loopback interface
- Eth-Trunk interface, Eth-Trunk sub-interfaces, and IP-Trunk interfaces


NOTE

Commands related to the IPv6 configuration can be run on serial and POS interfaces, but the forwarding
of packets on these two types of interface does not require neighbor entries.

Pre-configuration Tasks
Before configuring IPv6 neighbor discovery, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Setting the parameters of the link layer protocols on interfaces
- Enabling IPv6 in the interface view
- Configuring IPv6 addresses for interfaces


Configuration Procedures
Figure 6-2 Flowchart of configuring IPv6 neighbor discovery
[Flowchart: Configure static neighbors > Set the aging time for neighbor entries in the stale
state > Set the interval for detecting neighbor reachability. The legend distinguishes mandatory
procedures from optional procedures.]

6.5.1 Configuring Static Neighbors


You can obtain the mappings between IPv6 addresses and MAC addresses of neighbors by
configuring static neighbors. Neighbor entries represent the mappings between IPv6 addresses
and MAC addresses of neighbors. If a device is not enabled with the function of sending ND
protocol packets, it cannot obtain neighbor entries. In this case, you can configure static
neighbors on the device to obtain neighbor entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface where static neighbors need to be configured is displayed.
Step 3 Run:
ipv6 neighbor ipv6-address mac-address

Static neighbors are configured.


You can configure static neighbors on GE interfaces, or GE sub-interfaces. Each interface can
be configured with at most 300 static neighbors.
Step 4 Run:
commit

The configuration is committed.


----End

6.5.2 Setting the Aging Time for Neighbor Entries in the Stale State
Setting the aging time for neighbor entries in the Stale state speeds up the aging of neighbor
entries. That is, by shortening the aging time of the neighbor entries in the Stale state, you can
promptly delete the neighbor entries that no longer exist.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface where the aging time for the neighbor entries in the Stale state needs
to be set is displayed.
Step 3 Run:
ipv6 nd stale-timeout seconds

The aging time for the neighbor entries in the Stale state is set.
By default, the aging time for the neighbor entries in the Stale state is 86400s.
Step 4 Run:
commit

The configuration is committed.


----End

6.5.3 Setting the Interval for Detecting Neighbor Reachability


A device can detect whether its neighbors are reachable by sending NS messages. You can set
the interval for sending NS messages to control the frequency of neighbor reachability detection.
Frequent sending of NS messages can immediately determine whether neighbors are reachable.
It, however, degrades the performance of the device. Therefore, it is recommended that the
interval not be set too short.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 nd ns retrans-timer interval

The interval for detecting neighbor reachability is set.



By default, the interval for detecting neighbor reachability is 1000 ms.


Step 4 Run:
commit

The configuration is committed.


----End

6.5.4 Checking the Configuration


This section describes how to check the configuration of IPv6 neighbor discovery.

Prerequisite
The configurations of IPv6 neighbor discovery are complete.

Procedure
Step 1 Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ] command to
view information in the buffer of each neighbor.
Step 2 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about IPv6 on the interfaces.
----End

Example
Run the display ipv6 neighbors command, and you can view that information about IPv6
addresses and the interface on which the addresses are configured is stored in the buffer of each
neighbor.
<HUAWEI> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e            State : STALE
Interface    : GE1/0/0                   Age   : 7
VPN name     : vpn1                      VLAN  : -

IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e            State : STALE
Interface    : GE1/0/0                   Age   : 7
VPN name     : vpn1                      VLAN  : -
--------------------------------------------------------
Total: 2        Dynamic: 2        Static: 0

Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

Run the display ipv6 interface brief command, and you can view the IPv6 addresses that are
configured on the interface and the interface status.
<HUAWEI> display ipv6 interface brief
*down: administratively down
!down: FIB overload down
(l): loopback
(s): spoofing
Interface                    Physical              Protocol
GigabitEthernet2/0/2         up                    up
[IPv6 Address] 2030::101:101
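
The Python sketch below is an added example, not part of the Huawei guide. It cross-checks the values in the display output above: the link-local neighbor entry FE80::2E0:FCFF:FE89:FE6E is the standard modified EUI-64 address for link-layer address 00e0-fc89-fe6e, and each joined FF02::1:FFxx:xxxx group is the solicited-node address of a configured address. The function names and the third neighbor entry are constructed for the example. A link-local address that does not match its MAC is not by itself an error, because the ipv6 address ipv6-address link-local command overrides the generated address.

```python
import ipaddress
import re

# Neighbor entries in the "IPv6 Address / Link-layer" layout of display ipv6
# neighbors. The first two pairs are the values shown on this page; the third
# pair is constructed for the example.
SAMPLE_NEIGHBORS = """\
IPv6 Address : 3003::2
Link-layer   : 00e0-fc89-fe6e            State : STALE
IPv6 Address : FE80::2E0:FCFF:FE89:FE6E
Link-layer   : 00e0-fc89-fe6e            State : STALE
IPv6 Address : FE80::1
Link-layer   : 00e0-fc12-3456            State : STALE
"""


def parse_mac(text):
    """Parse a MAC written as xxxx-xxxx-xxxx (':' and '.' separators also accepted)."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def eui64_link_local(mac_text):
    """Build the modified EUI-64 link-local address for a MAC address."""
    mac = parse_mac(mac_text)
    # Flip the universal/local bit of the first octet and insert FF FE in the middle.
    interface_id = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + interface_id)


def solicited_node(address):
    """Return the solicited-node multicast group (FF02::1:FFxx:xxxx) of an address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def parse_neighbors(text):
    """Extract (IPv6Address, mac_text) pairs from neighbor output."""
    pattern = re.compile(r"IPv6 Address\s*:\s*(\S+)\s+Link-layer\s*:\s*(\S+)")
    return [(ipaddress.IPv6Address(a), m) for a, m in pattern.findall(text)]


def non_eui64_link_locals(text):
    """List link-local neighbors whose address is not derived from their MAC."""
    findings = []
    for address, mac in parse_neighbors(text):
        expected = eui64_link_local(mac)
        if address.is_link_local and address != expected:
            findings.append((str(address), mac, str(expected)))
    return findings


if __name__ == "__main__":
    print(eui64_link_local("00e0-fc89-fe6e"))          # neighbor entry on this page
    print(solicited_node("FE80::200:1FF:FE04:5D00"))   # joined group on this page
    for finding in non_eui64_link_locals(SAMPLE_NEIGHBORS):
        print("review:", finding)
```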

6.6 Configuring Duplicate Address Detection


Duplicate address detection is a process in which a device checks whether the address to be used
has been used by another device.

Applicable Environment
Duplicate address detection (DAD) is a process in which a device checks whether the address
to be used has been used by another device. Before configuring an IPv6 unicast address for an
interface, you must check all the devices on the local link to ensure that the IPv6 unicast address
is unique and is not used by another device.

Pre-configuration Tasks
Before configuring DAD, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Setting the parameters of the link layer protocols on interfaces
- Configuring IPv6 addresses for interfaces

Configuration Procedures
You can choose one of the following configuration tasks (excluding "Checking the
Configuration") as required.

6.6.1 Setting the Number of Times of Duplicate Address Detection


A device can send NS messages to detect whether the IPv6 address to be configured has been
used by another device. The number of times of duplicate address detection refers to the number
of times of sending NS messages. DAD is implemented through NS and NA messages. The
principles of DAD are similar to those of gratuitous ARP of IPv4. Through DAD, a device can
detect whether the IPv6 address to be configured has been used by another device.

Procedure
Step 1 Run:
system-view


The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface where the number of times of duplicate address detection needs to be
set is displayed.
Step 3 Run:
ipv6 nd dad attempts value

The number of times of duplicate address detection is set.


By default, the number of times of duplicate address detection is 1. If the number is set to 0, it
indicates that duplicate address detection is disabled.
Step 4 Run:
commit

The configuration is committed.


----End

6.6.2 Setting the Interval for Duplicate Address Detection


A device can detect whether its neighbors are reachable by sending NS messages. You can set
the interval for sending NS messages to control the frequency of neighbor reachability detection.
Frequent sending of NS messages can immediately determine whether neighbors are reachable.
It, however, degrades the performance of the device. Therefore, it is recommended that the
interval not be set too short.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 nd ns retrans-timer interval

The interval for detecting neighbor reachability is set.


By default, the interval for detecting neighbor reachability is 1000 ms.
Step 4 Run:
commit

The configuration is committed.


----End

6.6.3 Checking the Configuration


This section describes how to check the configuration of duplicate address detection.

Prerequisite
The configurations of duplicate address detection are complete.

Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information about duplicate address detection.
----End

Example
Run the display ipv6 interface command, and you can view the number of times of duplicate
address detection on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 2
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

6.7 Configuring RA
A router periodically sends Router Advertisement (RA) messages that carry prefixes and flag
bits, or responds to the router request messages with RA messages.

Applicable Environment
The information carried in RA messages includes the parameters of the hosts on the local link.

Pre-configuration Tasks
Before configuring RA, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Setting the parameters of the link layer protocols on interfaces
- Configuring IPv6 addresses for interfaces


Configuration Procedures
Figure 6-3 Flowchart of configuring RA
[Flowchart: Enable RA > Set the interval for advertising RA messages > Set parameters carried
in RA messages. The legend distinguishes mandatory procedures from optional procedures.]

6.7.1 Enabling RA
After being enabled with RA, a device can advertise RA messages to provide route prefixes for
hosts.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The view of the interface that advertises RA messages is displayed.


Step 3 Run:
undo ipv6 nd ra halt

RA is enabled.
Step 4 Run:
commit

The configuration is committed.


----End

6.7.2 Setting the Interval for Advertising RA Messages


Setting the interval for advertising RA messages can speed up the RA process. In addition, RA
messages provide prefixes and flag bits to neighbors.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

The interval for advertising RA messages is set.


By default, the maximum interval is 600s and the minimum interval is 200s.
The maximum interval must be longer than the minimum interval.
Step 4 Run:
commit

The configuration is committed.


----End

6.7.3 Setting Parameters Carried in RA Messages


The parameters carried in an RA message include the maximum number of hops, prefix,
neighbor-reachable time, and life cycle of the RA message.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 nd hop-limit limit

The maximum number of hops through which an RA message passes is set.


By default, the maximum number of hops through which an RA message passes is 64.
Step 3 Run:
interface interface-type interface-number

The interface view is displayed.


Step 4 Run:
ipv6 nd ra prefix ipv6-address prefix-length valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

The prefix in an RA message is configured.


Step 5 Run:
ipv6 nd nud reachable-time value


The neighbor-reachable time is set.


By default, the neighbor-reachable time is 1200000 ms.
Step 6 Run:
ipv6 nd ra router-lifetime ra-lifetime

The life cycle of an RA message is configured.


By default, the life cycle of an RA message is 1800s.
NOTE

When you run the ipv6 nd ra command to set the interval for advertising RA messages, the specified
interval must be shorter than or equal to the life cycle of an RA message.

Step 7 Run:
commit

The configuration is submitted.


----End
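
The Python sketch below is an added example, not part of the Huawei guide. It audits a saved configuration against constraints stated in this chapter: the maximum RA interval must be longer than the minimum interval, the advertisement interval must not exceed the router lifetime, and ipv6 nd dad attempts 0 disables duplicate address detection. The configuration text is constructed, and the file layout with "#" separators, the finding codes and the function names are assumptions.

```python
import re

# Defaults stated in this chapter (seconds for the RA timers).
DEFAULTS = {
    "max-interval": 600,
    "min-interval": 200,
    "router-lifetime": 1800,
    "dad-attempts": 1,
}

# Constructed configuration using only commands shown in this chapter.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 2001::1/64
 undo ipv6 nd ra halt
 ipv6 nd ra max-interval 900
 ipv6 nd ra min-interval 300
 ipv6 nd ra router-lifetime 600
#
interface GigabitEthernet2/0/2
 ipv6 enable
 ipv6 address 2030::101:101/64
 ipv6 nd dad attempts 0
#
interface GigabitEthernet3/0/0
 ipv6 enable
 undo ipv6 nd ra halt
 ipv6 nd ra max-interval 200
 ipv6 nd ra min-interval 200
#
"""

RA_RE = re.compile(r"ipv6 nd ra (max-interval|min-interval|router-lifetime) (\d+)")
DAD_RE = re.compile(r"ipv6 nd dad attempts (\d+)")


def parse_interfaces(config_text):
    """Return {interface name: settings}, starting each interface from the defaults."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = dict(DEFAULTS)
            interfaces[stripped.split(None, 1)[1]] = current
        elif stripped in ("", "#"):
            current = None          # end of the interface block
        elif current is not None:
            match = RA_RE.fullmatch(stripped)
            if match:
                current[match.group(1)] = int(match.group(2))
                continue
            match = DAD_RE.fullmatch(stripped)
            if match:
                current["dad-attempts"] = int(match.group(1))
    return interfaces


def audit(config_text):
    """Return (interface, finding code) pairs for violated constraints."""
    findings = []
    for name, settings in parse_interfaces(config_text).items():
        # 6.7.2: the maximum interval must be longer than the minimum interval.
        if settings["max-interval"] <= settings["min-interval"]:
            findings.append((name, "ra-interval-order"))
        # 6.7.3 NOTE: the advertisement interval must not exceed the router lifetime.
        if settings["max-interval"] > settings["router-lifetime"]:
            findings.append((name, "ra-interval-exceeds-lifetime"))
        # 6.6.1: zero attempts means duplicate address detection is disabled.
        if settings["dad-attempts"] == 0:
            findings.append((name, "dad-disabled"))
    return findings


if __name__ == "__main__":
    for interface, code in audit(SAMPLE_CONFIG):
        print(f"{interface}: {code}")
```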

6.7.4 Checking the Configuration


This section describes how to check the configuration of RA.

Prerequisite
All configurations of RA are complete.

Procedure
Step 1 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view
information in RA messages.
----End

Example
Run the display ipv6 interface command, and you can view the configuration of RA on the
interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses


6.8 Configuring ICMPv6 Message Control


In ICMPv6 message control, the token bucket algorithm is adopted, and one token represents
one ICMPv6 message. Tokens are placed in the virtual bucket at fixed intervals until the capacity
of the token bucket reaches the upper threshold. If the number of ICMPv6 messages exceeds
the upper threshold, extra messages are discarded.

Pre-configuration Tasks
Before configuring ICMPv6 message control, complete the following tasks:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
- Setting the parameters of the link layer protocols on interfaces
- Configuring IPv6 addresses for interfaces

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 icmp-error { bucket bucket-size | ratelimit interval }

The interval for sending ICMPv6 error messages is set.


By default, a token bucket can contain ten tokens and the interval for sending ICMPv6 error
messages is 100 ms.
Step 3 Run:
commit

The configuration is submitted.


----End
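
The Python sketch below is an added example, not part of the Huawei guide or the router software. It simulates the token bucket described in this section with the default values (ten tokens, 100 ms interval) to show how many ICMPv6 error messages a burst can trigger and how many are counted as rate limited. It assumes that one token is added per interval and that the bucket starts full; the class and function names are hypothetical.

```python
class IcmpErrorLimiter:
    """Token bucket in which one token represents one ICMPv6 error message."""

    def __init__(self, bucket_size=10, interval_ms=100):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket_size and interval_ms must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size      # assumption: the bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms):
        # Add one token per whole interval elapsed, up to the bucket capacity.
        new_tokens = (now_ms - self.last_refill_ms) // self.interval_ms
        if new_tokens > 0:
            self.tokens = min(self.bucket_size, self.tokens + new_tokens)
            self.last_refill_ms += new_tokens * self.interval_ms

    def allow(self, now_ms):
        """Return True if an error message may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(event_times_ms, bucket_size=10, interval_ms=100):
    """Return (sent, rate_limited) for error-triggering events at the given times."""
    limiter = IcmpErrorLimiter(bucket_size, interval_ms)
    sent = rate_limited = 0
    for now_ms in sorted(event_times_ms):
        if limiter.allow(now_ms):
            sent += 1
        else:
            rate_limited += 1
    return sent, rate_limited


def worst_case_sent(window_ms, bucket_size=10, interval_ms=100):
    """Upper bound on error messages sent in any window: a full bucket plus refills."""
    return bucket_size + window_ms // interval_ms


if __name__ == "__main__":
    # Constructed load: 50 simultaneous events, then 1000 events spread over 1 s.
    print(simulate([0] * 50))
    print(simulate(range(1000)))
    print(worst_case_sent(1000))
```

A larger bucket raises the burst that gets through, and a shorter interval raises the sustained rate; the "Rate limited" counter in display icmpv6 statistics shows how often the limit was reached on the device.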

Checking the Configuration


Run the following commands to check the previous configuration.
- Run the display ipv6 interface [ interface-type interface-number | brief ] command to
  view the configuration of IPv6 on the specified interface.
- Run the display icmpv6 statistics [ interface-type interface-number ] command to view
  the statistics about ICMPv6 traffic on the specified interface.

Run the display ipv6 interface command, and you can view the IPv6 addresses that are
configured on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

Run the display icmpv6 statistics command, and you can view statistics about ICMPv6 traffic.
<HUAWEI> display icmpv6 statistics
ICMPv6 protocol:
Sent packets:
  Total              : 16
  Unreached          : 0          Prohibited         : 0
  Hop count exceeded : 0          Parameter problem  : 0
  Too big            : 0          Echoed             : 5
  Echo replied       : 5          Router solicit     : 0
  Router advert      : 0          Neighbor solicit   : 4
  Neighbor advert    : 2          Redirected         : 0
  Rate limited       : 0

Received packets:
  Total              : 16         Format error       : 0
  Checksum error     : 0          Too short          : 0
  Bad code           : 0          Bad length         : 0
  Unknown info type  : 0          Unknown error type : 0
  Unreached          : 0          Prohibited         : 0
  Hop count exceeded : 0          Parameter problem  : 2
  Too big            : 0          Echoed             : 5
  Echo replied       : 5          Router solicit     : 0
  Router advert      : 0          Neighbor solicit   : 4
  Neighbor advert    : 2          Redirected         : 0
  Rate limited       : 0

6.9 Configuring PMTUs


Through the configuration of a PMTU, devices on the network send packets based on the same
MTU so that packets do not need to be fragmented in the transmission process and the burden
of intermediate devices is reduced. Therefore, network resources are used efficiently to
achieve the optimal traffic throughput.

Pre-configuration Tasks
Before configuring PMTUs, complete the following task:
- Configuring the IPv6 MTU of the interface. For details, see Configuring the MTU of the
  Interface.

Configuration Procedures
You can choose one of the following configuration tasks (excluding "Checking the
Configuration") as required.

By default, dynamic PMTU values can be set on a device, ensuring that the smallest MTU value
of all interfaces along the path from the source node to the destination node is used.
Configuring a static PMTU sets the maximum length of a packet that can be sent from the source
end to the destination end. This prevents attacks initiated by sending jumbo packets.
The static PMTU value is equal to or smaller than the IPv6 MTU value of each interface along
the link. If a static PMTU value is larger than the IPv6 MTU value of an interface, the packet
will be fragmented on the node with a smaller IPv6 MTU.

6.9.1 Configuring a Static PMTU


You can manually configure static PMTU entries according to the minimum MTU of the path
along which packets are sent to speed up packet transmission.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 pathmtu ipv6-address [ [ vpn-instance vpn-instance-name ] path-mtu ]

The PMTU is configured for the path destined for the specified IPv6 address.
By default, the PMTU of the path destined for an IPv6 address is 1500 bytes.
Step 3 Run:
commit

The configuration is submitted.


----End

6.9.2 Setting the Aging Time of Dynamic PMTU Entries


The aging time of PMTUs is used to change the life cycle of the dynamic PMTU entries in the
buffer. Static PMTU entries do not age.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
ipv6 pathmtu age age-time

The aging time of dynamic PMTU entries is set.


By default, the aging time of dynamic PMTU entries is 10 minutes.
The ipv6 pathmtu age age-time command is used to change the life cycle of the dynamic PMTU
entries in the buffer. It is invalid for static PMTU entries, because static PMTU entries do not
age.

When both static PMTUs and dynamic PMTUs are configured, only static PMTUs take effect.
Step 3 Run:
commit

The configuration is committed.


----End

6.9.3 Checking the Configuration


This section describes how to check the configuration of PMTUs.

Prerequisite
All configurations of PMTUs are complete.

Procedure
Step 1 Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command to view all
PMTU entries.
Step 2 Run the display ipv6 interface [ interface-type interface-number | brief ] command to view the
current MTU on an interface.
----End

Example
Run the display ipv6 pathmtu command, and you can view the destination IPv6 address, PMTU,
aging time of PMTU entries, and type of PMTU entries.
<HUAWEI> display ipv6 pathmtu all
Total: 2
Dynamic: 1
Static: 1
-----------------------------------------------------------------------------
IPv6 Destination Address   ZoneID   PathMTU   LifeTime(M)   Type
fe80::12                   0        1300      40            Dynamic
2222::3                    0        1280      -             Static

Run the display ipv6 interface command, and you can view the current MTU on the interface.
<HUAWEI> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
link-local address is FE80::200:1FF:FE04:5D00
Global unicast address(es):
2001::1, subnet is 2001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF04:5D00
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
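
The two checks above can be combined into an audit, shown here as an added example that is not part of the Huawei guide. It assumes the PMTU table is laid out as in the display ipv6 pathmtu all output above; the 2001:db8:: rows, the check names, and the comparison against only the local interface MTU (not every interface on the path) are assumptions of this sketch.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

IPV6_MIN_MTU = 1280  # smallest MTU an IPv6 link may have (RFC 8200)


class PmtuEntry(NamedTuple):
    dest: ipaddress.IPv6Address
    zone_id: int
    pmtu: int
    lifetime_min: Optional[int]  # None for static entries, displayed as "-"
    kind: str                    # "Dynamic" or "Static"


# One table row: address, ZoneID, PathMTU, LifeTime(M), Type.
ROW = re.compile(
    r"^(?P<dest>[0-9A-Fa-f:.]+)\s+(?P<zone>\d+)\s+(?P<pmtu>\d+)\s+"
    r"(?P<life>\d+|-)\s+(?P<kind>Dynamic|Static)$"
)

# Constructed sample: the first two rows are the entries shown in this section,
# the 2001:db8:: rows are made up so that each check fires once.
SAMPLE_PATHMTU = """\
Total: 5
Dynamic: 3
Static: 2
-----------------------------------------------------------------------------
IPv6 Destination Address   ZoneID   PathMTU   LifeTime(M)   Type
fe80::12                   0        1300      40            Dynamic
2222::3                    0        1280      -             Static
2001:db8::10               0        1600      -             Static
2001:db8::20               0        1280      9             Dynamic
2001:db8::30               0        1000      3             Dynamic
"""

# Constructed excerpt of `display ipv6 interface` for the local interface.
SAMPLE_INTERFACE = """\
GigabitEthernet1/0/0 current state : UP ,
IPv6 protocol current state : UP
MTU is 1500 bytes
"""


def parse_pathmtu(text: str) -> List[PmtuEntry]:
    """Extract the table rows; summary, separator and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        life = None if m.group("life") == "-" else int(m.group("life"))
        entries.append(PmtuEntry(
            ipaddress.IPv6Address(m.group("dest")), int(m.group("zone")),
            int(m.group("pmtu")), life, m.group("kind")))
    return entries


def parse_interface_mtu(text: str) -> int:
    """Return N from the 'MTU is N bytes' line of display ipv6 interface."""
    m = re.search(r"^\s*MTU is (\d+) bytes", text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'MTU is N bytes' line found")
    return int(m.group(1))


def audit(entries: List[PmtuEntry], interface_mtu: int) -> List[Tuple[str, str]]:
    """Return (destination, finding) pairs for entries that need review."""
    findings = []
    for e in entries:
        if e.pmtu < IPV6_MIN_MTU:
            # No valid IPv6 path has an MTU below 1280 bytes.
            findings.append((str(e.dest), "below-ipv6-minimum"))
        if e.kind == "Static" and e.pmtu > interface_mtu:
            # The guide requires static PMTU <= interface IPv6 MTU.
            findings.append((str(e.dest), "static-exceeds-interface-mtu"))
        if e.kind == "Dynamic" and e.pmtu == IPV6_MIN_MTU:
            # Learned value sits at the floor: confirm a 1280-byte link
            # really exists on the path before accepting the throughput cost.
            findings.append((str(e.dest), "dynamic-at-minimum"))
    return findings


if __name__ == "__main__":
    mtu = parse_interface_mtu(SAMPLE_INTERFACE)
    for dest, finding in audit(parse_pathmtu(SAMPLE_PATHMTU), mtu):
        print(f"{dest}: {finding}")
```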


6.10 Configuring TCP6


By setting TCP6 parameters, you can improve the performance of the network.

Applicable Environment
To optimize network performance, you need to adjust the TCP6 parameters.

Pre-configuration Tasks
Before configuring TCP6, complete the following tasks:
- Connecting and configuring the physical features for the interface and ensuring that the
  status of the physical layer of the interface is Up

- Configuring the link layer protocol parameters for the interface and ensuring that the status
  of the link layer protocol on the interface is Up

Configuration Procedures
You can choose one or several configuration tasks (excluding "Checking the Configuration") as
required.

6.10.1 Configuring TCP6 Timer


By setting two TCP6 timers, you can control TCP6 connection time.

Context
The types of TCP6 timers are shown as follows:
- The SYN-Wait timer: When sending SYN packets, TCP6 starts the SYN-Wait timer. If
  response packets are not received before the SYN-Wait timer expires, the TCP6 connection
  is terminated. The SYN-Wait timer timeout ranges from 2 seconds to 600 seconds, and the
  default value is 75 seconds.

- The FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
  FIN_WAIT_2, the FIN-Wait timer starts. If FIN packets are not received before the
  FIN-Wait timer expires, the TCP6 connection is terminated. The FIN-Wait timer timeout
  ranges from 76 seconds to 3600 seconds, and the default value is 675 seconds.

Do as follows on the router:

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp ipv6 timer syn-timeout interval

The SYN-Wait timer for setting up TCP6 connections is configured.



Step 3 Run:
tcp ipv6 timer fin-timeout interval

The FIN_WAIT_2 timer for TCP6 connections is configured.


Step 4 Run:
commit

The configuration is committed.


----End

6.10.2 Specifying the Size of a TCP6 Sliding Window


By setting the sliding window size for TCP6, you can set the sizes of the receiving buffer and
transmitting buffer in the socket. In this manner, you can improve the security of the network.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
tcp ipv6 window window-size

The receiving/sending buffer size of the TCP6 socket is configured.


window-size specifies the receiving and sending buffer size of the connection-oriented socket.
It ranges from 1K bytes to 32K bytes, and the default value is 8K bytes.
Step 3 Run:
commit

The configuration is committed.


----End

6.10.3 Checking the Configuration


You can view the configuration of TCP6.

Prerequisite
The configurations of the TCP6 function are complete.

Procedure
- Run the display tcp ipv6 status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip
  ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port
  remote-port-number ] ] command to check the TCP connection status.

- Run the display tcp ipv6 statistics command to check the TCP traffic statistics.

- Run the display ipv6 socket [ monitor ] [ socktype socket-type ] [ pid pid ] [ socket-id
  socket-id ] command to check the information of the specified socket.

----End

Example
Run the display tcp ipv6 status command. If the information about the TCP connection status
is displayed, it means that the configuration succeeds. For example:
--------------------------------------------------------------------------------
Pid/SocketID     Local Addr:Port     Foreign Addr:Port     VPNID     State
--------------------------------------------------------------------------------
0x80C8272D/6     :: : 23             :: : 0                0         LISTEN
--------------------------------------------------------------------------------

Run the display tcp ipv6 statistics command. If the TCP traffic statistics are displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display tcp ipv6 statistics
------------------------ Display TCP Statistics ----------------------
Received packets:
Total: 0
Packets in sequence: 0 (bytes)
Window probe packets: 0
Window update packets: 0
Checksum error: 0
Offset error: 0
Short error: 0
Duplicate packet: 0 (bytes)
Partially duplicate packet: 0 (bytes)
Out-of-order packets: 0 (bytes)
Packets with data after window: 0
Packet after close: 0
ACK packets: 0 (bytes)
Duplicate ACK packets: 0
Send packets:
Total: 0
Urgent packet: 0
Control packet: 0 (RST)
Window probe packets: 0
Window update packets: 0
Data packets: 0
Data packets retransmitted: 0
ACK only packets: 0
Retransmitted timeout: 0
Connection dropped in retransmitted timeout: 0
Keepalive timeout: 0
Keepalive probe: 0
Keepalive timeout, so connections disconnected: 0
Initiated connections: 0
Accepted connections: 0
Established connections: 0
Closed connections: 0
Packets dropped with MD5 authentication: 0
Packets premitted with MD5 authentication: 0
----------------------------------------------------------------------
<HUAWEI> display tcp statistics
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC


Run the display ipv6 socket command. If the related socket information is displayed, it means
that the configuration succeeds. For example:
<HUAWEI> display ipv6 socket socktype 1
SOCK_STREAM:
Task = VTYD(14), socketid = 4, Proto = 6,
LA = ::->22, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC
Task = VTYD(14), socketid = 3, Proto = 6,
LA = ::->23, FA = ::->0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT SO_SENDVPNID,
socket state = SS_PRIV SS_ASYNC

6.11 Maintaining IPv6


This section describes how to maintain IPv6. The detailed configurations include clearing IPv6
statistics and monitoring IPv6 running status.

6.11.1 Clearing IPv6 Statistics


This section describes how to use reset commands to clear IPv6 statistics.

Context

CAUTION
IPv6 statistics cannot be restored after being cleared. Therefore, confirm the action before you
use the command.

Procedure
- After checking that IPv6 statistics need to be cleared, run the reset ipv6 statistics command
  in the user view.

- After checking that all TCP6 statistics need to be cleared, run the reset tcp ipv6
  statistics command in the user view.

- After checking that all UDP6 statistics need to be cleared, run the reset udp ipv6
  statistics command in the user view.

- After checking that the PMTU entries in the buffer need to be cleared, run the reset ipv6
  pathmtu [ vpn-instance vpn-instance-name | all ] command in the user view.

- After checking that the information in the buffers of IPv6 neighbors needs to be cleared,
  run the reset ipv6 neighbors { all | vid vlan-id [ interface-type interface-number ] |
  interface-type interface-number } command in the user view.

----End

6.11.2 Monitoring the IPv6 Running Status


This section describes how to use display commands to monitor the IPv6 running status.

Context
In routine maintenance, you can run the following commands in any view to check the running
status of IPv6.

Procedure
- Run the display ipv6 interface [ interface-type interface-number | brief ] command in any
  view to view information about IPv6 on an interface.

- Run the display ipv6 statistics [ interface interface-type interface-number ] command in
  any view to view the statistics about IPv6 packets.

- Run the display icmpv6 statistics [ interface interface-type interface-number ] command
  in any view to view the statistics about ICMPv6 packets.

- Run the display tcp ipv6 statistics command in any view to check TCP6 statistics.

- Run the display ipv6 neighbors [ [ vid vlan-id ] interface-type interface-number ]
  command in any view to view information in the buffers of neighbors.

- Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all |
  ipv6-address prefix-length } command in any view to check address selection policy entries.

- Run the display ipv6 pathmtu { ipv6-address | all | dynamic | static } command in any
  view to view all PMTU entries.

----End

6.12 Configuration Examples


The configuration flowchart shows the configuration process. Each configuration example
consists of the networking requirements, configuration notes, and configuration roadmap.

6.12.1 Example for Configuring IPv6 Addresses for Interfaces


This example shows how to configure IPv6 addresses for interfaces.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 6-4, Router A and Router B are connected through POS interfaces. Global
unicast IPv6 addresses need to be configured for the POS interfaces to check the connectivity
between the two interfaces.
The global unicast IPv6 addresses to be configured are 3001::1/64 and 3001::2/64.

Figure 6-4 Networking diagram of configuring IPv6 addresses for interfaces
[Figure: RouterA (POS 1/0/0, 3001::1/64) connected to RouterB (POS 1/0/0, 3001::2/64)]

Configuration Notes
None.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IPv6 forwarding on the two routers.
2. Configure global unicast IPv6 addresses for interfaces.

Data Preparation
To complete the configuration, you need the following data:
- Global unicast IPv6 addresses of the interface.

Procedure
Step 1 Configure global unicast addresses for interfaces.
# Configure Router A.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ipv6 enable
[~RouterA-Pos1/0/0] ipv6 address 3001::1 64
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] commit
[~RouterA-Pos1/0/0] quit

# Configure Router B.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ipv6 enable
[~RouterB-Pos1/0/0] ipv6 address 3001::2 64
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] commit
[~RouterB-Pos1/0/0] quit

Step 2 Verify the configuration.


If you can view the configured global unicast addresses and see that the interfaces and the
IPv6 protocol are in the Up state, the configuration is successful.

# Display the interface information of Router A.


[~RouterA] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::C964:0:B8B6:1
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FFB6:1
FF02::2
FF02::1
MTU is 4470 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

# Display the interface information of Router B.


[~RouterB] display ipv6 interface pos 1/0/0
Pos1/0/0 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::2D6F:0:7AF3:1
Global unicast address(es):
3001::2, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 4470 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

# Ping the link-local address of Router B from Router A. Note that you need to use the parameter
-i to specify the interface corresponding to the link-local address.
[~RouterA] ping ipv6 fe80::2d6f:0:7af3:1 -i pos 1/0/0
PING FE80::2D6F:0:7AF3:1 : 56 data bytes, press CTRL_C to break
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2D6F:0:7AF3:1
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2D6F:0:7AF3:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms

# Ping the global unicast IPv6 address of Router B from Router A.


[~RouterA] ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from 3001::2
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from 3001::2
bytes=56 Sequence=4 hop limit=64 time = 20 ms
Reply from 3001::2
bytes=56 Sequence=5 hop limit=64 time = 40 ms
--- 3001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/38/50 ms

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
admin
interface pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 3001::1/64
#
return

Configuration file of Router B


#
sysname RouterB
#
admin
interface pos1/0/0
undo shutdown
link-protocol ppp
ipv6 enable
ipv6 address 3001::2/64
#
return

6.12.2 Example for Configuring IPv6 Neighbor Discovery


This section provides an example of configuring IPv6 Neighbor Discovery.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-5, the device is directly connected to the PC through GE 1/0/10. This PC
runs the Windows XP operating system.


Figure 6-5 Example for configuring IPv6 neighbor discovery
[Figure: Router A connected to the PC through GE1/0/10 (3000::/64 eui-64)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a link-local unicast address and global EUI-64 unicast addresses on GE 1/0/10.
2. Configure the RA prefix message to be advertised on GE 1/0/10 and enable the
   advertisement of the RA prefix message.

Data Preparation
To complete the configuration, you need the following data:
- Link-local unicast address and global EUI-64 unicast address on GE 1/0/10

- RA prefix message to be advertised

Procedure
Step 1 Configure the link-local unicast address on GE 1/0/10. After the ipv6 enable command
is run on an interface, the system automatically generates a link-local address for the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/10
[~RouterA-GigabitEthernet1/0/10] undo shutdown
[~RouterA-GigabitEthernet1/0/10] ipv6 enable
[~RouterA-GigabitEthernet1/0/10] commit

Step 2 Configure the global EUI-64 unicast address on GE 1/0/10 and the prefix in the RA
message.
NOTE

A PC can automatically obtain the RA prefix message from devices only after the Router Advertisement
(RA) prefix message to be advertised is configured and the advertisement of the RA prefix message is
enabled on devices.
[~RouterA-GigabitEthernet1/0/10] ipv6 address 3000::/64 eui-64
[~RouterA-GigabitEthernet1/0/10] ipv6 nd ra prefix 3000::/64 1000 1000
[~RouterA-GigabitEthernet1/0/10] undo ipv6 nd ra halt
[~RouterA-GigabitEthernet1/0/10] commit
[~RouterA-GigabitEthernet1/0/10] quit

Step 3 Verify the configuration.


If the configuration is successful, you can view the configured link-local unicast address and
the global EUI-64 unicast address, and see that GE 1/0/10 is Up and IPv6 is Up.
# Display information about the interface of the device.
[~RouterA-GigabitEthernet1/0/10] display this ipv6 interface
GigabitEthernet1/0/10 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE7D:A497
Global unicast address(es):
3000::2E0:FCFF:FE7D:A497, subnet is 3000::/64
Joined group address(es):
FF02::1:FF7D:A497
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 1200000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses

# Display information about the PC.

Ethernet adapter 1:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC #2
        Physical Address. . . . . . . . . : 00-E0-4C-77-A1-B6
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 110.1.1.33
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        IP Address. . . . . . . . . . . . : 3000::78b3:4397:c0c4:f078
        IP Address. . . . . . . . . . . . : 3000::2e0:4cff:fe77:a1b6
        IP Address. . . . . . . . . . . . : fe80::2e0:4cff:fe77:a1b6%6
        Default Gateway . . . . . . . . . : fe80::288:ff:fe10:b%6
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                            fec0:0:0:ffff::2%1
                                            fec0:0:0:ffff::3%1

# Ping the link-local unicast address of the PC from the device. Use the -i parameter to specify
the interface corresponding to the link-local address.
[~RouterA-GigabitEthernet1/0/10] ping ipv6 fe80::2e0:4cff:fe77:a1b6 -i gigabitethernet1/0/10
PING FE80::2E0:4CFF:FE77:A1B6: 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=1 hop limit=64 time = 60 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=4 hop limit=64 time = 30 ms
Reply from FE80::2E0:4CFF:FE77:A1B6
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- FE80::2E0:4CFF:FE77:A1B6 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/38/60 ms

# Ping the global EUI-64 unicast address of the PC from the device.
[~RouterA-GigabitEthernet1/0/10] ping ipv6 3000::78b3:4397:c0c4:f078
PING 3000::78B3:4397:C0C4:F078 : 56 data bytes, press CTRL_C to break
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=2 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=4 hop limit=64 time = 20 ms
Reply from 3000::78B3:4397:C0C4:F078
bytes=56 Sequence=5 hop limit=64 time = 40 ms
--- 3000::78B3:4397:C0C4:F078 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/38/50 ms

----End

Configuration Files
Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/10
undo shutdown
ipv6 enable
ipv6 nd ra prefix 3000::/64 1000 1000
ipv6 address 3000::/64 eui-64
undo ipv6 nd ra halt
#
return
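
The eui-64 keyword used above builds the interface ID from the interface MAC address, which means the hardware address can be read back out of any such IPv6 address. The following added example (not part of the Huawei guide) derives the addresses and solicited-node groups shown in this section and recovers the embedded MAC; function names are chosen for this sketch, and the address values are the ones displayed above.

```python
import ipaddress
from typing import Dict, Iterable, Optional

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def _parse(addr: str) -> ipaddress.IPv6Address:
    """Parse an address, dropping a Windows-style zone suffix such as %6."""
    return ipaddress.IPv6Address(addr.split("%")[0])


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert FF:FE between OUI and NIC part.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address that `ipv6 address <prefix> eui-64` yields for this MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return net.network_address + eui64_interface_id(mac)


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx group formed from the low 24 bits of the address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(_parse(addr)) & 0xFFFFFF))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 address, else None.

    A random interface ID contains FF:FE at this position only by chance
    (about 1 in 65536), so a match is a strong but not absolute indicator.
    """
    iid = (int(_parse(addr)) & (2 ** 64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


def exposed_macs(addresses: Iterable[str]) -> Dict[str, str]:
    """Map every address that leaks a hardware address to that MAC."""
    found = {}
    for addr in addresses:
        mac = mac_from_eui64(addr)
        if mac is not None:
            found[addr] = mac
    return found


if __name__ == "__main__":
    # Addresses taken from the router and PC output in this section.
    seen = [
        "FE80::2E0:FCFF:FE7D:A497",
        "3000::2E0:FCFF:FE7D:A497",
        "3000::78b3:4397:c0c4:f078",
        "3000::2e0:4cff:fe77:a1b6",
        "fe80::2e0:4cff:fe77:a1b6%6",
    ]
    for addr, mac in exposed_macs(seen).items():
        print(f"{addr} embeds MAC {mac}, joins {solicited_node_group(addr)}")
```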

6.12.3 Example for Configuring IPv6 Address Selection Policy Table


This section describes how to configure an IPv6 address selection policy table.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On the NE5000E cluster, an interface is numbered in the format of chassis
ID/slot number/card number/interface number. If the slot number is specified, the chassis ID of
the slot must also be specified.
As shown in Figure 6-6, the domain name (huawei.com) of Server A maps to multiple IPv6
addresses. When Router A, as an IPv6 DNS client, accesses Server A by using the domain name
(huawei.com), the DNS server sends all IPv6 addresses of Server A to Router A. Then, Router
A queries the IPv6 address selection policy table to select a proper IPv6 address as the destination
address of Server A.


Figure 6-6 Networking diagram for configuring an IPv6 address selection policy table
[Figure: DNS Server (abcd::1234/64), DNS client RouterA (GE1/0/0: 2001:2::2/64, fed0:1::2/64,
abcd::77/64) and Server A huawei.com (a::1/64, b::1/64, 2001::1/64) connected over Ethernet]

Configuration Notes
None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv6 address selection policy entries.
2. Configure dynamic IPv6 DNS services.

Data Preparation
To complete the configuration, you need the following data:
- IPv6 addresses on the interface of Router A

- Addresses, label values and precedence values of IPv6 address selection policy entries

- IPv6 addresses of the DNS server

Procedure
Step 1 Configure IPv6 address selection policy entries
# Configure IPv6 addresses for the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] ipv6 enable
[~RouterA-GigabitEthernet1/0/0] ipv6 address fe80::1 link-local
[~RouterA-GigabitEthernet1/0/0] ipv6 address fed0:1::2 64
[~RouterA-GigabitEthernet1/0/0] ipv6 address 2001:2::2 64
[~RouterA-GigabitEthernet1/0/0] ipv6 address abcd::77 64
[~RouterA-GigabitEthernet1/0/0] commit
[~RouterA-GigabitEthernet1/0/0] quit

# Configure destination address selection policies.


[~RouterA] ipv6 address-policy fed0:1::2 128 100 100
[~RouterA] ipv6 address-policy 2001::1 128 100 100
[~RouterA] commit

Step 2 Configure dynamic IPv6 DNS services.


[~RouterA] dns resolve
[~RouterA] dns server ipv6 abcd::1234
[~RouterA] dns domain com
[~RouterA] commit
[~RouterA] quit

Step 3 Verify the configuration.


# Run the ping ipv6 huawei.com command on Router A, and you can find that Server A can
be pinged successfully, with the destination IP address being 2001::1.
<RouterA> ping ipv6 huawei.com
Resolved Host (huawei.com -> 2001::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms
Reply from 2002::1: bytes=56 Sequence=2 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=3 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=4 ttl=126 time=4 ms
Reply from 2002::1: bytes=56 Sequence=5 ttl=126 time=4 ms
--- huawei.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/6 ms

# Run the display ipv6 interface gigabitethernet 1/0/0 command on Router A, and you can
view information about the IPv6 address of GigabitEthernet 1/0/0.
<RouterA> display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
Global unicast address(es):
FED0:1::2, subnet is FED0:1::/64
2001:2::2, subnet is 2001:2::/64
ABCD::77, subnet is ABCD::/64
Joined group address(es):
FF02::1:FF00:77
FF02::2
FF02::1
FF02::1:FF00:2
FF02::1:FF00:1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

# Run the display ipv6 address-policy all command on Router A, and you can view information
about address selection policy entries.
<RouterA> display ipv6 address-policy all
Policy Table :
Total:7
-------------------------------------------------------------------------------
Prefix       : ::                          PrefixLength : 0
Precedence   : 40                          Label        : 1
Default      : Yes

Prefix       : ::1                         PrefixLength : 128
Precedence   : 50                          Label        : 0
Default      : Yes

Prefix       : ::FFFF:0.0.0.0              PrefixLength : 96
Precedence   : 10                          Label        : 4
Default      : Yes

Prefix       : 2001::1                     PrefixLength : 128
Precedence   : 100                         Label        : 100
Default      : No

Prefix       : 2002::                      PrefixLength : 16
Precedence   : 30                          Label        : 2
Default      : Yes

Prefix       : FC00::                      PrefixLength : 7
Precedence   : 20                          Label        : 3
Default      : Yes

Prefix       : FED0:1::2                   PrefixLength : 128
Precedence   : 100                         Label        : 100
Default      : No
-------------------------------------------------------------------------------

----End

Configuration Files
Configuration file of Router A


#
sysname RouterA
#
dns resolve
dns server ipv6 abcd::1234
dns domain com
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 1001::1/64
ipv6 address 2001:2::2/64
ipv6 address FE80::1 link-local
ipv6 address FED0:1::2/64

#
ipv6 address-policy 2001::1 128 100 100
ipv6 address-policy FED0:1::2 128 100 100
#
return
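
How the two configured entries steer the choice toward 2001::1 can be checked offline with the added example below, which is not part of the Huawei guide. It assumes the device orders destinations as RFC 3484 does for its label and precedence rules (matching label first, then higher precedence, DNS order on a tie) and that fed0:1::2 is the source address; the guide states neither, and the remaining RFC 3484 rules are left out.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class PolicyEntry(NamedTuple):
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int


# (prefix, precedence, label) rows copied from the
# `display ipv6 address-policy all` output in this example.
DEFAULT_ROWS = [
    ("::/0", 40, 1),
    ("::1/128", 50, 0),
    ("::ffff:0:0/96", 10, 4),
    ("2002::/16", 30, 2),
    ("fc00::/7", 20, 3),
]
CONFIGURED_ROWS = [
    ("2001::1/128", 100, 100),
    ("fed0:1::2/128", 100, 100),
]

# Addresses of Server A from Figure 6-6; the order in which the DNS server
# returns them is an assumption of this sketch.
SERVER_A = ["a::1", "b::1", "2001::1"]


def build_table(rows: Iterable[Tuple[str, int, int]]) -> List[PolicyEntry]:
    return [PolicyEntry(ipaddress.IPv6Network(p), prec, label)
            for p, prec, label in rows]


def lookup(table: List[PolicyEntry], addr: str) -> PolicyEntry:
    """Longest-prefix match of an address against the policy table."""
    ip = ipaddress.IPv6Address(addr)
    matches = [e for e in table if ip in e.prefix]
    if not matches:
        raise LookupError(f"no policy entry covers {addr}")
    return max(matches, key=lambda e: e.prefix.prefixlen)


def order_destinations(table: List[PolicyEntry], source: str,
                       candidates: List[str]) -> List[str]:
    """Sort candidate destinations, most preferred first."""
    source_label = lookup(table, source).label

    def rank(dst: str) -> Tuple[bool, int]:
        entry = lookup(table, dst)
        # False sorts before True: a label equal to the source label wins,
        # then the higher precedence. sorted() is stable, so ties keep the
        # order in which the addresses were returned.
        return (entry.label != source_label, -entry.precedence)

    return sorted(candidates, key=rank)


if __name__ == "__main__":
    with_policy = build_table(DEFAULT_ROWS + CONFIGURED_ROWS)
    defaults_only = build_table(DEFAULT_ROWS)
    print("with configured entries:",
          order_destinations(with_policy, "fed0:1::2", SERVER_A))
    print("default entries only:   ",
          order_destinations(defaults_only, "fed0:1::2", SERVER_A))
```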

7 IPv6 over IPv4 Tunnel Configuration

About This Chapter


The IPv6 over IPv4 tunnel technology is developed to address the problem with the transition
from IPv4 networks to IPv6 networks.
7.1 IPv6 over IPv4 Tunnel Overview
The IPv6 over IPv4 tunnel technology can provide connectivity for IPv6 networks that are
isolated from each other by using existing IPv4 networks. An IPv6 packet is transparently
transmitted after being encapsulated into an IPv4 packet.
7.2 IPv6 over IPv4 Tunnel Technology Supported by the NE5000E
You can configure manual IPv6 over IPv4 tunnels or 6to4 tunnels to interconnect IPv6 networks.
7.3 Configuring a Manual IPv6 over IPv4 Tunnel
A manual IPv6 over IPv4 tunnel is a P2P tunnel. The source address and destination address of
a manual IPv6 over IPv4 tunnel are both manually assigned. The source address and destination
address of a manual IPv6 over IPv4 tunnel on the same device must be unique. A manual IPv6
over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6
networks. Border routers can communicate with each other securely and regularly through
manual IPv6 over IPv4 tunnels.
7.4 Configuring a 6to4 Tunnel
A 6to4 tunnel is a P2MP tunnel and can interconnect IPv6 networks which are isolated from
each other through an IPv4 network.
7.5 Maintaining an IPv6 over IPv4 Tunnel
This section describes how to maintain an IPv6 over IPv4 tunnel, including how to monitor an
IPv6 over IPv4 tunnel.
7.6 Configuration Examples
This section provides several configuration examples, which include the networking
requirements, precautions for configuration, and configuration roadmap.

7.1 IPv6 over IPv4 Tunnel Overview


The IPv6 over IPv4 tunnel technology can provide connectivity for IPv6 networks that are
isolated from each other by using existing IPv4 networks. An IPv6 packet is transparently
transmitted after being encapsulated into an IPv4 packet.
During the early phase of the transition from the IPv4 Internet to the IPv6 Internet, IPv4 networks
are widely deployed, whereas IPv6 networks are few and isolated from each other.
Interconnecting IPv6 networks with dedicated lines is uneconomical.
The IPv6 over IPv4 tunnel technology is a common method of interconnecting IPv6 networks.
This technology allows you to create tunnels on IPv4 networks to interconnect IPv6 networks.
This is similar to deploying VPNs on an IP network through the tunnel technology.
An IPv6 over IPv4 tunnel is a tunnel that is on an IPv4 network and is used to interconnect IPv6
networks. To establish an IPv6 over IPv4 tunnel, you need to configure both the IPv4 protocol
suite and the IPv6 protocol suite on the routers where an IPv4 network borders an IPv6 network.

7.2 IPv6 over IPv4 Tunnel Technology Supported by the NE5000E

You can configure manual IPv6 over IPv4 tunnels or 6to4 tunnels to interconnect IPv6 networks.

IPv6 over IPv4 Tunnel


Figure 7-1 shows the principle of the IPv6 over IPv4 tunnel technology:
1. Configuring both the IPv4 and IPv6 protocol suites on the border routers
   The IPv4 and IPv6 protocol suites are both configured on the border routers.
2. Encapsulating IPv6 packets
   After a border router receives a packet from an IPv6 network, if the packet is not destined
   for the border router, it adds an IPv4 header to the IPv6 packet to encapsulate the packet
   into an IPv4 packet.
3. Forwarding the encapsulated packet
   The border router forwards the packet to its peer across the IPv4 network.
4. Decapsulating the packet
   The peer border router decapsulates the packet by removing its IPv4 header, and then sends
   the decapsulated packet to the remote IPv6 network.

Figure 7-1 Principle of the IPv6 over IPv4 tunnel technology
[Figure: an IPv6 host in an IPv6 network behind each of two dual-stack routers; the routers are joined by a tunnel across the IPv4 network. The packet is IPv6 Header + IPv6 Data in each IPv6 network and IPv4 Header + IPv6 Header + IPv6 Data inside the tunnel.]

The virtual tunnel that links the two border routers and carries the IPv6 packets is referred to
as an IPv6 over IPv4 tunnel. IPv6 over IPv4 tunnels are categorized by how they are created.
At present, the common modes of creating IPv6 over IPv4 tunnels are as follows:
- Manual IPv6 over IPv4 tunnels
- 6to4 tunnels

Manual IPv6 over IPv4 Tunnels


A manual IPv6 over IPv4 tunnel is created through manual configuration on the border routers
at both ends of the tunnel. To create a manual IPv6 over IPv4 tunnel, you need to specify its
source IPv4 address and destination IPv4 address.
A manual IPv6 over IPv4 tunnel is a permanent link that crosses an IPv4 network and connects
two IPv6 networks. Border routers can communicate with each other securely and regularly
through IPv6 over IPv4 tunnels.
Manual IPv6 over IPv4 tunnels can be used for communications between IPv6 networks. You
can also configure an IPv6 over IPv4 tunnel between a border router and a host. The host and
border router at the two ends of an IPv6 over IPv4 tunnel must support both the IPv4 protocol
suite and the IPv6 protocol suite.

6to4 Tunnels
A 6to4 tunnel is also a tunnel that interconnects IPv6 networks through an IPv4 network. You
can configure a 6to4 tunnel on the routers where an IPv4 network borders IPv6 networks. The
border routers at the two ends of a 6to4 tunnel must support both the IPv4 protocol suite and
the IPv6 protocol suite.
Unlike a manual IPv6 over IPv4 tunnel, which is a P2P connection, a 6to4 tunnel can be a P2MP
connection. Hence, the routers at the two ends of a 6to4 tunnel are not configured in pairs.
An end of a 6to4 tunnel can automatically detect the other end of the tunnel.
6to4 tunnels use 6to4 addresses, which are special IPv6 addresses in the following format:
2002:IPv4 address:subnet ID:interface ID
The prefix of a 6to4 address contains 48 bits and is in the format of 2002:IPv4 address. The
IPv4 address contained in a 6to4 address is a globally unique address obtained for the IPv6
network. You must configure this IPv4 address on the physical interface connecting the border
router to the IPv4 network. The subnet ID is 16 bits long and the interface ID is 64 bits long.
You can allocate them within the IPv6 network.
As shown in Figure 7-2, Site1 and Site2 are both 6to4 networks and the hosts and routers on
them are assigned 6to4 tunnel addresses. The IPv4 address contained in the 6to4 addresses of
the host and router on Site1 is the IPv4 address of the interface connecting routerA to the IPv4
network. The IPv4 address contained in the 6to4 addresses of the host and router on Site2 is the
IPv4 address of the interface connecting routerB to the IPv4 network. routerA and routerB are
both 6to4 routers.

Figure 7-2 6to4 tunnel and 6to4 relay
[Figure: Site1 (6to4 network) behind RouterA (6to4 router) and Site2 (6to4 network) behind RouterB (6to4 router) are connected through the IPv4 network; RouterC (6to4 relay) connects the IPv4 network to Site3 (IPv6 Internet).]

A host on Site1 accesses a host on Site2 as follows:
1. An IPv6 packet is transmitted from Site1 to routerA.
2. routerA finds that the destination address of the packet is a 6to4 address and obtains the
   IPv4 address of the peer end of the 6to4 tunnel from the 6to4 address.
3. routerA encapsulates the IPv6 packet into an IPv4 packet. The destination address contained
   in the header of the IPv4 packet is the IPv4 address of the peer end of the 6to4 tunnel; the
   source address contained in the header of the IPv4 packet is the IPv4 address of the local
   end of the 6to4 tunnel.
4. routerA forwards this IPv4 packet to routerB through the IPv4 network.
5. routerB decapsulates this IPv4 packet and obtains the original IPv6 packet. Then, routerB
   forwards the IPv6 packet to the destination host on Site2.

Through the preceding process, you can implement communications between 6to4 networks. A
native IPv6 network refers to an IPv6 network where the hosts and routers are not assigned 6to4
addresses. To implement communications between a native IPv6 network and a 6to4 network,
you need to use a 6to4 relay router.
A 6to4 relay router functions as a gateway between a 6to4 network and a native IPv6 network.
A 6to4 relay router links a native IPv6 network to an IPv4 network. A 6to4 tunnel is set up
between the 6to4 router and the 6to4 relay router. As shown in Figure 7-2, a host on the 6to4
network accesses the IPv6 Internet as follows:
1. An IPv6 packet is routed to routerA.
2. A 6to4 tunnel is set up between routerA and routerC.
3. The IPv6 packet is encapsulated into an IPv4 packet and then is forwarded to routerC.
4. routerC decapsulates the IPv4 packet into the original IPv6 packet and forwards it to the
   destination host on the IPv6 Internet.
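
The encapsulation steps and the 6to4 forwarding process described in this section, as an added Python example (not Huawei code and not a description of how the NE5000E is implemented): it derives the 6to4 prefix from a border router's IPv4 address, reads the tunnel endpoint out of a 6to4 destination, and adds and removes the IPv4 header. The addresses are those of the 6to4 examples in this chapter; the function names, the payload, the TTL of 64, the `relay_6to4` next-hop parameter and the source-consistency check on decapsulation are assumptions added for illustration.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
PROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet


def sixto4_prefix(ipv4):
    """48-bit 6to4 prefix (2002:IPv4 address::/48) for a border router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6):
    """IPv4 address carried in bits 16-47 of a 6to4 address, or None if not 6to4."""
    addr = ipaddress.IPv6Address(str(ipv6))
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def ipv4_checksum(header):
    """Internet checksum of an IPv4 header; 0 when a valid header is re-summed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_packet(src, dst, payload):
    """Minimal constructed IPv6 packet: 40-byte header, next header 253 (experimental)."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), 253, 64)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate(ipv6_pkt, local_v4, relay_6to4=None):
    """Sending border router: put an IPv4 header in front of the IPv6 packet."""
    dst6 = ipaddress.IPv6Address(ipv6_pkt[24:40])
    # 6to4 destination: the peer is read from the destination address itself.
    # Native IPv6 destination: the peer is read from the relay router's 6to4
    # address (assumed here to be the configured next hop).
    peer = embedded_ipv4(dst6)
    if peer is None and relay_6to4 is not None:
        peer = embedded_ipv4(relay_6to4)
    if peer is None:
        raise ValueError("no 6to4 tunnel endpoint for %s" % dst6)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0, 64,
                      PROTO_IPV6, 0, ipaddress.IPv4Address(local_v4).packed, peer.packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + ipv6_pkt


def decapsulate(ipv4_pkt, local_v4):
    """Receiving border router: validate the outer IPv4 header and remove it."""
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    if ipv4_pkt[0] >> 4 != 4 or ipv4_pkt[9] != PROTO_IPV6:
        raise ValueError("not an IPv6 over IPv4 packet")
    if ipv4_checksum(ipv4_pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ipaddress.IPv4Address(ipv4_pkt[16:20]) != ipaddress.IPv4Address(local_v4):
        raise ValueError("packet is not addressed to this tunnel endpoint")
    inner = ipv4_pkt[ihl:]
    # Added sanity check: a 6to4 inner source must embed the outer IPv4 source.
    claimed = embedded_ipv4(ipaddress.IPv6Address(inner[8:24]))
    if claimed is not None and claimed != ipaddress.IPv4Address(ipv4_pkt[12:16]):
        raise ValueError("inner 6to4 source does not match outer IPv4 source")
    return inner


if __name__ == "__main__":
    pkt = ipv6_packet("2002:201:101:1::2", "2002:201:102:1::2", b"constructed payload")
    outer = encapsulate(pkt, "2.1.1.1")
    print(sixto4_prefix("2.1.1.1"), ipaddress.IPv4Address(outer[16:20]))
    print(decapsulate(outer, "2.1.1.2") == pkt)
```

The consistency check in `decapsulate` is skipped for packets whose inner source is a native IPv6 address, which is the case for traffic arriving through a 6to4 relay.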

7.3 Configuring a Manual IPv6 over IPv4 Tunnel


A manual IPv6 over IPv4 tunnel is a P2P tunnel. The source address and destination address of
a manual IPv6 over IPv4 tunnel are both manually assigned. The source address and destination
address of a manual IPv6 over IPv4 tunnel on the same device must be unique. A manual IPv6
over IPv4 tunnel acts as a permanent link that crosses an IPv4 network and connects two IPv6
networks. Border routers can communicate with each other securely and regularly through
manual IPv6 over IPv4 tunnels.

Applicable Environment
To enable IPv6 networks to communicate with each other through an IPv4 network, you need
to configure IPv6 over IPv4 tunnels on the routers where IPv6 networks border an IPv4 network.
You can create a manual IPv6 over IPv4 tunnel between two border routers to provide reliable
connections for IPv6 networks that are isolated from each other. You can also create a manual
IPv6 over IPv4 tunnel between a terminal and a border router to enable the terminal to access
an IPv6 network. The devices between which a manual IPv6 over IPv4 tunnel is created must
support both the IPv4 protocol suite and the IPv6 protocol suite. The devices between which no
manual IPv6 over IPv4 tunnel is created do not have to support both the IPv4 protocol suite and
the IPv6 protocol suite. To create manual IPv6 over IPv4 tunnels between a border router and
multiple devices, you must configure multiple manual IPv6 over IPv4 tunnels on the border
router. In this manner, you can provide connections for multiple IPv6 networks.

Pre-configuration Tasks
Before configuring a manual IPv6 over IPv4 tunnel, complete the following tasks:
- Connecting interfaces and setting the physical parameters of the interfaces to ensure that
  their physical layer status is up
- Setting parameters of the link layer protocol for the interfaces to ensure that their status of
  the link layer protocol is up
- Assigning an IPv4 address to the border router
- Configuring IPv6 globally and on the interfaces
- Assigning an IPv6 address to the border router

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4

The tunnel mode is set to manual.


Step 4 Run:
source { ipv4-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.


Step 5 Run:
destination ipv4-address

The destination address of the tunnel is specified.


NOTE

The destination address of an IPv6 over IPv4 tunnel can be a physical interface address or a loopback
interface address.

Step 6 Run:
ipv6 enable

IPv6 is configured on the interface.


Step 7 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

An IPv6 address is set for the tunnel interface.


Step 8 Run:
commit

The previous configurations are committed.


----End

Checking the Configuration


Run the following command to check the previous configuration:
- Run the display ipv6 interface tunnel interface-number command to check the IPv6
  configuration of the tunnel interface.

Run the display ipv6 interface tunnel command. The output shows that the status of the tunnel
interface and the status of the IPv6 protocol are both Up. In addition, you can view the source
address and the values of the ND parameters.
<HUAWEI> display ipv6 interface tunnel 3
Tunnel3 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::201:102
Global unicast address(es):
::2.1.1.2, subnet is ::/96
Joined group address(es):
FF02::1:FF01:102
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.

Related Tasks
7.6.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel

7.4 Configuring a 6to4 Tunnel


A 6to4 tunnel is a P2MP tunnel and can interconnect IPv6 networks which are isolated from
each other through an IPv4 network.

Applicable Environment
To enable IPv6 networks to communicate with each other through an IPv4 network, you need
to configure IPv6 over IPv4 tunnels on the routers where IPv6 networks border an IPv4 network.
6to4 tunnels use special 6to4 addresses that are in the format of 2002:a.b.c.d::/48, in which a.b.c.d
represents the source address of the tunnel interface. During communications, the IPv4 address
in a 6to4 address is used to encapsulate packets. The 6to4 tunnel does not need to be configured
with a destination address.

Pre-configuration Tasks
Before configuring a 6to4 tunnel, complete the following tasks:
- Connecting interfaces and setting the physical parameters of the interfaces to ensure that
  their physical layer status is up
- Setting parameters of the link layer protocol for the interfaces to ensure that their status of
  the link layer protocol is up
- Configuring the IPv4 and IPv6 protocol suites

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface tunnel interface-number

A tunnel interface is created.


Step 3 Run:
tunnel-protocol ipv6-ipv4 6to4

The tunnel mode is set to 6to4.


Step 4 Run:
source { ipv4-address | interface-type interface-number }

The source address or source interface of the tunnel is specified.


Step 5 Run:
ipv6 enable

IPv6 is configured on the interface.


Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

The IPv6 address of the tunnel interface is set.


NOTE

The prefix of the IPv6 address specified in the preceding command is the same as the prefix of the address
of the 6to4 network where the border router resides.

Step 7 Run:
commit

The previous configurations are submitted.


----End

Checking the Configuration


Run the following command to check the previous configuration:
- Run the display ipv6 interface tunnel interface-number command to check the IPv6
  configuration of the tunnel interface.

Run the display ipv6 interface tunnel command. The output shows that the status of the tunnel
interface and the status of the IPv6 protocol are both Up. In addition, you can view the source
address and the value of the ND parameter.
<HUAWEI> display ipv6 interface tunnel 3
Tunnel3 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::201:102
Global unicast address(es):
2002:201:101::1, subnet is 2002:201:101::/64
Joined group address(es):
FF02::1:FF01:102
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.

Related Tasks
7.6.2 Example for Configuring a 6to4 Tunnel
7.6.3 Example for Configuring 6to4 Relay

7.5 Maintaining an IPv6 over IPv4 Tunnel


This section describes how to maintain an IPv6 over IPv4 tunnel, including how to monitor an
IPv6 over IPv4 tunnel.

7.5.1 Monitoring an IPv6 over IPv4 Tunnel


This section describes how to monitor an IPv6 over IPv4 tunnel.

Context
In routine maintenance, you can run the following command in any view to monitor an IPv6
over IPv4 tunnel.

Procedure
Step 1 Run the display ipv6 interface tunnel interface-number command to view the operation status
of the tunnel interface.
----End

7.6 Configuration Examples


This section provides several configuration examples, which include the networking
requirements, precautions for configuration, and configuration roadmap.

7.6.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel


This section provides an example for configuring a manual IPv6 over IPv4 tunnel.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-3, two IPv6 networks are connected to Router B on the IPv4 backbone
network through Router A and Router C. A manual IPv6 over IPv4 tunnel needs to be configured
between Router A and Router C to interconnect the two IPv6 networks.
Figure 7-3 Diagram of configuring a manual IPv6 over IPv4 tunnel
[Figure: RouterA (dual stack, GE1/0/0 192.168.50.2/24) and RouterC (dual stack, GE1/0/0 192.168.51.2/24) each connect an IPv6 network to Router B on the IPv4 network (GE1/0/0 192.168.50.1/24, GE2/0/0 192.168.51.1/24).]

Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface. Then, you can set the parameters of the tunnel
  interface.
- You need to perform the following configuration on the routers at both ends of the
  tunnel. Note that the source address at the local end of a tunnel is the destination address
  at the remote end of the tunnel. Similarly, the destination address at the local end of a
  tunnel is the source address at the remote end of the tunnel.
- To support routing protocols, you need to configure the network address of the tunnel
  interface.

Configuration Roadmap
The configuration roadmap of a manual IPv6 over IPv4 tunnel is as follows:
1. Assign an IP address to the physical interface.
2. Configure the IPv6 address, source interface number, and destination address of the tunnel
   interface.
3. Set the protocol type to IPv6-IPv4.

Data Preparation
To complete the configuration, you need the following data:
- IP addresses of the interface
- IPv6 address, source interface number, and destination address of the tunnel

Procedure
Step 1 Configure Router A.
# Configure the IP address of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface gigabitethernet 1/0/0
[~RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[~RouterA-GigabitEthernet1/0/0] undo shutdown
[~RouterA-GigabitEthernet1/0/0] quit

# Set the protocol type to IPv6-IPv4.


[~RouterA] interface tunnel 1
[~RouterA-Tunnel1] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface number, and destination address of the tunnel
interface.
[~RouterA-Tunnel1] ipv6 enable
[~RouterA-Tunnel1] ipv6 address 3001::1 64
[~RouterA-Tunnel1] source 192.168.50.2
[~RouterA-Tunnel1] destination 192.168.51.2
[~RouterA-Tunnel1] quit

# Configure a static route.


[~RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
[~RouterA] commit

Step 2 Configure Router B.


# Configure the IP address of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface gigabitethernet 1/0/0
[~RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[~RouterB-GigabitEthernet1/0/0] undo shutdown
[~RouterB-GigabitEthernet1/0/0] quit
[~RouterB] interface gigabitethernet 2/0/0
[~RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[~RouterB-GigabitEthernet2/0/0] undo shutdown
[~RouterB-GigabitEthernet2/0/0] commit
[~RouterB-GigabitEthernet2/0/0] quit

Step 3 Configure Router C.


# Configure the IP address of the interface.
<HUAWEI> system-view
[~HUAWEI] sysname RouterC
[~HUAWEI] commit
[~RouterC] interface gigabitethernet 1/0/0
[~RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[~RouterC-GigabitEthernet1/0/0] undo shutdown
[~RouterC-GigabitEthernet1/0/0] quit

# Set the protocol type to IPv6-IPv4.


[~RouterC] interface tunnel 1
[~RouterC-Tunnel1] tunnel-protocol ipv6-ipv4

# Configure the IPv6 address, source interface number, and destination address of the tunnel
interface.
[~RouterC-Tunnel1] ipv6 enable
[~RouterC-Tunnel1] ipv6 address 3001::2 64
[~RouterC-Tunnel1] source 192.168.51.2
[~RouterC-Tunnel1] destination 192.168.50.2
[~RouterC-Tunnel1] quit

# Configure a static route.


[~RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
[~RouterC] commit

Step 4 Verify the configuration.


# Ping the IPv4 address of GE 1/0/0 on Router A from Router C, and a response packet is
received.
[~RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=254 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=254 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=254 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=254 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms

# Ping the IPv6 address of Tunnel 1 on Router A from Router C, and a response packet is received.
[~RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1
bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 3001::1
bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms

----End

Configuration Files
- Configuration file of Router A


#
sysname RouterA
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel 1
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol ipv6-ipv4
source 192.168.50.2
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

- Configuration file of Router B


#
sysname RouterB
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.50.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.51.1 255.255.255.0
#
return

- Configuration file of Router C


#
sysname RouterC
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.51.2 255.255.255.0
#
interface Tunnel 1
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol ipv6-ipv4
source 192.168.51.2
destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
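
The Precautions for this example require the source address at each end of the tunnel to be the destination address at the other end. As an added example (not Huawei code), the following Python script parses the Router A and Router C configuration files listed above and checks that rule, and also checks that each end has a connected network or static route covering its tunnel destination. The parser, the function names and the faulty `BROKEN_C` variant are constructed here, and `source` is assumed to be given as an IPv4 address rather than an interface name.

```python
"""Check that two manual IPv6 over IPv4 tunnel ends mirror each other."""
import ipaddress

# Configuration files of Router A and Router C, copied from the example above.
ROUTER_A = """\
#
sysname RouterA
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.50.2 255.255.255.0
#
interface Tunnel 1
ipv6 enable
ipv6 address 3001::1/64
tunnel-protocol ipv6-ipv4
source 192.168.50.2
destination 192.168.51.2
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return
"""
ROUTER_C = """\
#
sysname RouterC
#
admin
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.51.2 255.255.255.0
#
interface Tunnel 1
ipv6 enable
ipv6 address 3001::2/64
tunnel-protocol ipv6-ipv4
source 192.168.51.2
destination 192.168.50.2
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
"""
# Constructed faulty variant: Router C points its tunnel at the wrong address.
BROKEN_C = ROUTER_C.replace("destination 192.168.50.2", "destination 192.168.50.3")


def parse(config):
    """Collect tunnel stanzas plus the IPv4 networks reachable by interface or static route."""
    dev = {"tunnels": {}, "reachable": []}
    stanza = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] in ("#", "return"):
            stanza = None  # "#" closes the current interface stanza
        elif w[0] == "interface":
            name = "".join(w[1:])  # "Tunnel 1" -> "Tunnel1"
            stanza = dev["tunnels"].setdefault(name, {}) if name.startswith("Tunnel") else {}
        elif (w[:2] == ["ip", "route-static"]
              or (stanza is not None and w[:2] == ["ip", "address"])):
            dev["reachable"].append(ipaddress.ip_network(w[2] + "/" + w[3], strict=False))
        elif stanza is not None and w[0] in ("source", "destination"):
            stanza[w[0]] = ipaddress.ip_address(w[1])
        elif stanza is not None and w[0] == "tunnel-protocol":
            stanza["protocol"] = " ".join(w[1:])
    return dev


def check_manual_tunnel(cfg_local, cfg_remote, tunnel="Tunnel1"):
    """Return a list of problems; an empty list means the two ends are consistent."""
    ends = [("local", parse(cfg_local)), ("remote", parse(cfg_remote))]
    tun = [dev["tunnels"].get(tunnel, {}) for _, dev in ends]
    problems = []
    for (side, dev), t in zip(ends, tun):
        if t.get("protocol") != "ipv6-ipv4":
            problems.append(side + ": tunnel-protocol is not ipv6-ipv4")
        dst = t.get("destination")
        if dst is not None and not any(dst in net for net in dev["reachable"]):
            problems.append("%s: no interface or static route covers destination %s"
                            % (side, dst))
    if tun[0].get("source") != tun[1].get("destination"):
        problems.append("local source is not the remote destination")
    if tun[0].get("destination") != tun[1].get("source"):
        problems.append("local destination is not the remote source")
    return problems


if __name__ == "__main__":
    print(check_manual_tunnel(ROUTER_A, ROUTER_C))  # consistent pair
    print(check_manual_tunnel(ROUTER_A, BROKEN_C))  # mismatched endpoint
```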

Related Tasks
7.3 Configuring a Manual IPv6 over IPv4 Tunnel

7.6.2 Example for Configuring a 6to4 Tunnel


This section provides an example for configuring a 6to4 tunnel.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-4, the two IPv6 networks are both 6to4 networks; both Router A and
Router B connect with a 6to4 network and the IPv4 backbone network. A 6to4 tunnel needs to
be created between Router A and Router B to interconnect the hosts on the two 6to4 networks.
You need to assign 6to4 addresses to the hosts on the two 6to4 networks to interconnect the two
6to4 networks. The prefix of a 6to4 address contains 48 bits and is in the format of 2002:IPv4
address. As shown in Figure 7-4, the IPv4 address of the interface connecting Router A to the
IPv4 network is 2.1.1.1. Therefore, the prefix of the 6to4 address of the 6to4 network where
Router A resides is 2002:0201:0101::, and the prefix length is 64.
Figure 7-4 Networking diagram of configuring a 6to4 tunnel
[Figure: RouterA (6to4 router; POS1/0/0 2.1.1.1, GE2/0/0 2002:201:101:1::1/64, Tunnel 1 2002:201:101::1/64) and RouterB (6to4 router; POS1/0/0 2.1.1.2, GE2/0/0 2002:201:102:1::1/64, Tunnel 1 2002:201:102::1/64) are connected through the IPv4 network. PC1 (2002:201:101:1::2) is on the IPv6 network behind RouterA and PC2 (2002:201:102:1::2) is on the IPv6 network behind RouterB.]

Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface first. Then, you can set the parameters of the tunnel
  interface.
- When configuring a 6to4 tunnel, you need to configure only the source address of the tunnel.
  The destination address of the tunnel is contained in the original IPv6 packet. The source
  address of a 6to4 tunnel must be unique.
- You must assign a 6to4 address to the interface connecting a border router to a 6to4 network
  and assign an IPv4 address to the interface connecting a border router to an IPv4 network.
  To support routing protocols, you also need to configure the network address of the tunnel
  interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure both the IPv4 and IPv6 protocol suites on the routers.
2. Configure 6to4 tunnels on the routers.
3. Configure related routes on the routers.

Data Preparation
To complete the configuration, you need the following data:
- IPv4 and IPv6 addresses of the interfaces
- Source interface of the tunnel

Procedure
Step 1 Configure Router A.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-pos1/0/0] ip address 2.1.1.1 8
[~RouterA-pos1/0/0] undo shutdown
[~RouterA-pos1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] ipv6 enable
[~RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1 64
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit

# Configure the 6to4 tunnel.


[~RouterA] interface tunnel 1
[~RouterA-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[~RouterA-Tunnel1] ipv6 enable
[~RouterA-Tunnel1] ipv6 address 2002:0201:0101::1 64
[~RouterA-Tunnel1] source 2.1.1.1
[~RouterA-Tunnel1] quit

# Configure the routes to other 6to4 networks.


[~RouterA] ipv6 route-static 2002:: 16 tunnel 1
[~RouterA] commit

Step 2 Configure Router B.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-pos1/0/0] ip address 2.1.1.2 8
[~RouterB-pos1/0/0] undo shutdown
[~RouterB-pos1/0/0] quit
[~RouterB] interface gigabitethernet 2/0/0
[~RouterB-GigabitEthernet2/0/0] ipv6 enable
[~RouterB-GigabitEthernet2/0/0] ipv6 address 2002:0201:0102:1::1 64
[~RouterB-GigabitEthernet2/0/0] undo shutdown
[~RouterB-GigabitEthernet2/0/0] quit

# Configure the 6to4 tunnel.


[~RouterB] interface tunnel 1
[~RouterB-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[~RouterB-Tunnel1] ipv6 enable
[~RouterB-Tunnel1] ipv6 address 2002:0201:0102::1 64
[~RouterB-Tunnel1] source 2.1.1.2
[~RouterB-Tunnel1] quit

# Configure routes to other 6to4 networks.


[~RouterB] ipv6 route-static 2002:: 16 tunnel 1
[~RouterB] commit
NOTE

A reachable route is required between Router A and Router B. In this example, the two routers are directly
connected. Hence, no routing protocol is configured.

Step 3 Verify the configuration.


# Check the IPv6 status of Tunnel 1 on Router A, and you can find that it is Up.
[~RouterA] display ipv6 interface tunnel 1
Tunnel1 current state : UP
IPv6 protocol current state : UP
link-local address is FE80::201:101
Global unicast address(es):
2002:201:101::1, subnet is 2002:201:101::/64
Joined group address(es):
FF02::1:FF01:101
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND reachable time is 30000 milliseconds.
ND retransmit interval is 1000 milliseconds.
Hosts use stateless autoconfig for addresses.

# You can ping the 6to4 address of GE 2/0/0 on Router B from Router A.
[~RouterA] ping ipv6 2002:0201:0102:1::1
PING 2002:201:102:1::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:201:102:1::1
bytes=56 Sequence=1 hop limit=64 time=37 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=2 hop limit=64 time=2 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=3 hop limit=64 time=8 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=4 hop limit=64 time=1 ms
Reply from 2002:201:102:1::1
bytes=56 Sequence=5 hop limit=64 time=2 ms
---2002:201:102:1::1 ping statistics---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/9/25 ms

----End

Configuration Files
- Configuration file of Router A


#
sysname RouterA
#
admin
interface pos1/0/0
undo shutdown
link-protocol ppp
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet 2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
ipv6 route-static 2002:: 16 Tunnel 1
#
return

- Configuration file of Router B


#
sysname RouterB
#
admin
interface pos1/0/0
undo shutdown
link-protocol ppp
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:102:1::1/64
#
interface Tunnel 1
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1
#
return

Related Tasks
7.4 Configuring a 6to4 Tunnel

7.6.3 Example for Configuring 6to4 Relay


This section provides an example for configuring 6to4 relay.

Networking Requirements

CAUTION
On a single NE5000E, an interface is numbered in the format of slot number/card number/
interface number. On an NE5000E cluster, the interface is numbered in the format of chassis
ID/slot number/card number/interface number. This requires the chassis ID to be specified along
with the slot number.
As shown in Figure 7-5, Router A functions as a 6to4 router and is connected to the 6to4 network;
Router B is a 6to4 relay router and is connected to the IPv6 network (2001::/64); Router A is
connected to Router B through the IPv4 backbone network. A 6to4 tunnel needs to be configured
between Router A and Router B to interconnect the hosts on the 6to4 network and the IPv6
network.
The method of configuring a tunnel between a 6to4 relay router and a common 6to4 router is
the same as the method of configuring a tunnel between common 6to4 routers. To interconnect
a 6to4 network with an IPv6 network, you need to configure a static route to the IPv6 network
on the common 6to4 router.
Figure 7-5 Networking diagram of configuring 6to4 relay
[Figure: PC1 (2002:201:101:1::2) on the 6to4 network connects to Router A, the 6to4 router (GE2/0/0 2002:201:101:1::1/64, POS1/0/0 2.1.1.1, Tunnel 1 2002:201:101::1/64). Router A reaches Router B, the 6to4 relay (POS1/0/0 2.1.1.2, Tunnel 1 2002:201:102::1/64, GE2/0/0 2001::1/64), across the IPv4 network. PC2 (2001::2) is on the IPv6 network behind Router B.]

Precautions
During the configuration, pay attention to the following points:
- You need to create a tunnel interface first. Then, you can set the parameters of the tunnel interface.
- When configuring a 6to4 tunnel, you need to configure only the source address of the tunnel. The destination address of the tunnel is the same as the destination address contained in the original IPv6 packet. The source address of a 6to4 tunnel must be unique.
- You need to assign a 6to4 address to the interface connecting a border router to a 6to4 network and assign an IPv4 address to the interface connecting a border router to an IPv4 network. To support routing protocols, you need to configure the network address of the tunnel interface.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure both the IPv4 and IPv6 protocol suites on the routers.
2. Configure 6to4 tunnels on the routers.
3. Configure related static routes on the routers.

Data Preparation
To complete the configuration, you need the following data:
- IPv4 and IPv6 addresses of the interfaces
- Source interface of the tunnel
- Static route to the indirectly-connected router

Procedure
Step 1 Configure Router A.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterA
[~HUAWEI] commit
[~RouterA] interface pos 1/0/0
[~RouterA-Pos1/0/0] ip address 2.1.1.1 255.0.0.0
[~RouterA-Pos1/0/0] undo shutdown
[~RouterA-Pos1/0/0] quit
[~RouterA] interface gigabitethernet 2/0/0
[~RouterA-GigabitEthernet2/0/0] ipv6 enable
[~RouterA-GigabitEthernet2/0/0] ipv6 address 2002:0201:0101:1::1 64
[~RouterA-GigabitEthernet2/0/0] undo shutdown
[~RouterA-GigabitEthernet2/0/0] quit

# Configure a 6to4 tunnel.


[~RouterA] interface tunnel 1
[~RouterA-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[~RouterA-Tunnel1] ipv6 enable
[~RouterA-Tunnel1] ipv6 address 2002:0201:0101::1 64
[~RouterA-Tunnel1] source 2.1.1.1
[~RouterA-Tunnel1] quit

# Configure a static route to 2002::/16.


[~RouterA] ipv6 route-static 2002:: 16 tunnel 1

# Configure a default route to the IPv6 network.


[~RouterA] ipv6 route-static :: 0 2002:0201:0102::1
[~RouterA] commit

Step 2 Configure Router B.
# Configure the IPv4 and IPv6 protocol suites.
<HUAWEI> system-view
[~HUAWEI] sysname RouterB
[~HUAWEI] commit
[~RouterB] interface pos 1/0/0
[~RouterB-Pos1/0/0] ip address 2.1.1.2 255.0.0.0
[~RouterB-Pos1/0/0] undo shutdown
[~RouterB-Pos1/0/0] quit
[~RouterB] interface gigabitethernet 2/0/0
[~RouterB-GigabitEthernet2/0/0] ipv6 enable
[~RouterB-GigabitEthernet2/0/0] ipv6 address 2001::1 64
[~RouterB-GigabitEthernet2/0/0] undo shutdown
[~RouterB-GigabitEthernet2/0/0] quit

# Configure the 6to4 tunnel.


[~RouterB] interface tunnel 1
[~RouterB-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[~RouterB-Tunnel1] ipv6 enable
[~RouterB-Tunnel1] ipv6 address 2002:0201:0102::1 64
[~RouterB-Tunnel1] source 2.1.1.2
[~RouterB-Tunnel1] quit

# Configure a static route to 2002::/16.


[~RouterB] ipv6 route-static 2002:: 16 tunnel 1
[~RouterB] commit

Step 3 Verify the configuration.


# You can ping the IPv6 address of GE 2/0/0 on Router B from Router A.
[~RouterA] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1
bytes=56 Sequence=1 hop limit=64 time=10 ms
Reply from 2001::1
bytes=56 Sequence=2 hop limit=64 time=2 ms
Reply from 2001::1
bytes=56 Sequence=3 hop limit=64 time=2 ms
Reply from 2001::1
bytes=56 Sequence=4 hop limit=64 time=2 ms
Reply from 2001::1
bytes=56 Sequence=5 hop limit=64 time=2 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/29 ms

----End
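
The forwarding decision behind the ping above, as an added example (not Huawei code and not part of the original guide): per RFC 3056, a 6to4 router takes the outer IPv4 destination from the 32 bits that follow 2002 in the address it routes into the tunnel, which is why Router A needs only a tunnel source plus a static route through Router B's 6to4 address. The route table mirrors Router A's two static routes; the function names and the "Tunnel1" label are illustrative.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Router A's static routes as configured in Step 1: (prefix, next hop or interface).
ROUTES_A = [("2002::/16", "Tunnel1"), ("::/0", "2002:201:102::1")]

def sixto4_prefix(source_ipv4):
    """Return the 2002:V4ADDR::/48 prefix that corresponds to a tunnel source."""
    v4 = int(ipaddress.IPv4Address(source_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_ipv4(ipv6):
    """Return the IPv4 address in bits 16..47 of a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def lookup(dst, routes):
    """Longest-prefix match; returns the winning route's next hop or interface."""
    addr = ipaddress.IPv6Address(dst)
    hits = [(ipaddress.IPv6Network(p), t) for p, t in routes
            if addr in ipaddress.IPv6Network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def tunnel_destination(dst, routes, tunnel="Tunnel1"):
    """Outer IPv4 destination for dst, or None if it does not resolve to the tunnel."""
    hop = dst
    for _ in range(4):                      # bound the recursive next-hop lookup
        target = lookup(hop, routes)
        if target is None:
            return None
        if target == tunnel:
            return embedded_ipv4(hop)       # taken from the address routed into the tunnel
        hop = target
    return None

def tunnel_address_matches_source(source_ipv4, tunnel_ipv6):
    """True when the tunnel interface address lies inside its source's /48."""
    return ipaddress.IPv6Interface(tunnel_ipv6).ip in sixto4_prefix(source_ipv4)

if __name__ == "__main__":
    print(tunnel_destination("2001::2", ROUTES_A))           # PC2 behind the relay
    print(tunnel_address_matches_source("2.1.1.1", "2002:201:101::1/64"))
```

Removing the ::/0 entry from the route list makes `tunnel_destination("2001::2", ...)` return None, which corresponds to the missing static route to the IPv6 network on the common 6to4 router.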

Configuration Files
- Configuration file of Router A


#
sysname RouterA
#
admin
interface pos1/0/0
undo shutdown
link-protocol ppp
ip address 2.1.1.1 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
interface Tunnel 1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.1
#
ipv6 route-static :: 0 2002:201:102::1
#
ipv6 route-static 2002:: 16 Tunnel 1
#
return

- Configuration file of Router B


#
sysname RouterB
#
admin
interface Pos1/0/0
undo shutdown
link-protocol ppp
ip address 2.1.1.2 255.0.0.0
#
interface GigabitEthernet2/0/0
undo shutdown
ipv6 enable
ipv6 address 2001::1/64
#
interface Tunnel 1
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source 2.1.1.2
#
ipv6 route-static 2002:: 16 Tunnel 1
#
return

Related Tasks
7.4 Configuring a 6to4 Tunnel
