hp msr router series - h20628. · hp msr router series layer 3 ... overview ... setting the maximum...

HP MSR Router Series Layer 3IP Services Configuration Guide(V7)

Part number: 5998-7723b

Software version: CMW710-R0304

Document version: 6PW104-20150914

i

Legal and notice information

Copyright 2015 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

i

Contents

Configuring ARP 1Overview 1

ARP message format 1ARP operating mechanism 1ARP table 2

Configuring a static ARP entry 3Setting the maximum number of dynamic ARP entries for a device 4Setting the maximum number of dynamic ARP entries for an interface 4Setting the aging timer for dynamic ARP entries 5Enabling dynamic ARP entry check 5Enabling ARP logging 6Displaying and maintaining ARP 6Configuration examples 7

Long static ARP entry configuration example 7Short static ARP entry configuration example 8

Configuring gratuitous ARP 10Overview 10

Gratuitous ARP packet learning 10Periodic sending of gratuitous ARP packets 10

Configuration procedure 11Enabling IP conflict notification 12

Configuring proxy ARP 13Enabling common proxy ARP 13Enabling local proxy ARP 13Displaying proxy ARP 14Common proxy ARP configuration example 14

Network requirements 14Configuration procedure 14Verifying the configuration 15

Configuring ARP fast-reply 16Overview 16Configuration procedure 16ARP fast-reply configuration example 17

Network requirements 17Configuration procedure 17

Configuring ARP PnP 18Overview 18Configuration prerequisites 18Configuration procedure 18Displaying and maintaining ARP PnP 19ARP PnP configuration example 19


Configuring ARP suppression 21Overview 21

ii

Configuration procedure 21Displaying and maintaining ARP suppression 22ARP suppression configuration example 22


Configuring ARP direct route advertisement 24Overview 24Configuration procedure 24

Configuring IP addressing 25Overview 25

IP address classes 25Special IP addresses 26Subnetting and masking 26

Assigning an IP address to an interface 27Configuration guidelines 27Configuration procedure 27

Configuring IP unnumbered 27Configuration guidelines 28Configuration prerequisites 28Configuration procedure 28

Displaying and maintaining IP addressing 28Configuration examples 29

IP address configuration example 29IP unnumbered configuration example 30

DHCP overview 32DHCP address allocation 32

Allocation mechanisms 32IP address allocation process 33IP address lease extension 33

DHCP message format 34DHCP options 35

Common DHCP options 35Custom DHCP options 35

Protocols and standards 38

Configuring the DHCP server 39Overview 39

DHCP address pool 39IP address allocation sequence 41

DHCP server configuration task list 41Configuring an address pool on the DHCP server 42

Configuration task list 42Creating a DHCP address pool 42Specifying IP address ranges for a DHCP address pool 42Specifying gateways for DHCP clients 46Specifying a domain name suffix for DHCP clients 46Specifying DNS servers for DHCP clients 47Specifying WINS servers and NetBIOS node type for DHCP clients 47Specifying BIMS server for DHCP clients 48Specifying the configuration file for DHCP client auto-configuration 48Specifying a server for DHCP clients 49Configuring Option 184 parameters for DHCP clients 49

iii

Customizing DHCP options 50Configuring the DHCP user class whitelist 52

Enabling DHCP 52Enabling the DHCP server on an interface 53Applying an address pool on an interface 53Configuring IP address conflict detection 53Enabling handling of Option 82 54Configuring DHCP server compatibility 54

Configuring the DHCP server to broadcast all responses 54Configure the DHCP server to ignore BOOTP requests 55Configuring the DHCP server to send BOOTP responses in RFC 1048 format 55

Setting the DSCP value for DHCP packets sent by the DHCP server 55Configuring DHCP binding auto backup 56Configuring address pool usage alarming 56Binding gateways to a common MAC address 57Advertising subnets assigned to clients 58Applying a DHCP address pool to a VPN instance 58Enabling client offline detection on the DHCP server 59Configuring DHCP logging on the DHCP server 59Displaying and maintaining the DHCP server 60DHCP server configuration examples 60

Static IP address assignment configuration example 61Dynamic IP address assignment configuration example 62DHCP user class configuration example 64DHCP user class whitelist configuration example 66Primary and secondary subnets configuration example 67DHCP option customization configuration example 68

Troubleshooting DHCP server configuration 70Symptom 70Analysis 70Solution 70

Configuring the DHCP relay agent 71Overview 71

Operation 71DHCP relay agent support for Option 82 72

DHCP relay agent configuration task list 72Enabling DHCP 73Enabling the DHCP relay agent on an interface 73Specifying DHCP servers on a relay agent 73Configuring the DHCP relay agent security functions 74

Enabling the DHCP relay agent to record relay entries 74Enabling periodic refresh of dynamic relay entries 74Enabling DHCP starvation attack protection 75

Configuring the DHCP relay agent to release an IP address 76Configuring Option 82 76Setting the DSCP value for DHCP packets sent by the DHCP relay agent 77Enabling DHCP server proxy on a DHCP relay agent 77Configuring a DHCP relay address pool 78Specifying a gateway address for DHCP clients 79Enabling client offline detection on the DHCP relay agent 79Displaying and maintaining the DHCP relay agent 80DHCP relay agent configuration examples 80

DHCP relay agent configuration example 80Option 82 configuration example 81

iv

Troubleshooting DHCP relay agent configuration 82Symptom 82Analysis 82Solution 82

Configuring the DHCP client 83Enabling the DHCP client on an interface 83Configuring a DHCP client ID for an interface 83Enabling duplicated address detection 84Setting the DSCP value for DHCP packets sent by the DHCP client 84Displaying and maintaining the DHCP client 85DHCP client configuration example 85


Configuring DHCP snooping 88Overview 88

Application of trusted and untrusted ports 89DHCP snooping support for Option 82 90

Command and hardware compatibility 90DHCP snooping configuration task list 91Configuring basic DHCP snooping 91Configuring Option 82 92Configuring DHCP snooping entry auto backup 93Enabling DHCP starvation attack protection 94Enabling DHCP-REQUEST attack protection 94Setting the maximum number of DHCP snooping entries 95Displaying and maintaining DHCP snooping 95DHCP snooping configuration examples 96

Basic DHCP snooping configuration example 96Option 82 configuration example 97

Configuring the BOOTP client 99BOOTP application 99Obtaining an IP address dynamically 99Protocols and standards 99Configuring an interface to use BOOTP for IP address acquisition 100Displaying and maintaining BOOTP client 100BOOTP client configuration example 100


Configuring DNS 101Overview 101

Static domain name resolution 101Dynamic domain name resolution 101DNS proxy 102DNS spoofing 103

DNS configuration task list 104Configuring the IPv4 DNS client 105

Configuring static domain name resolution 105Configuring dynamic domain name resolution 105

Configuring the IPv6 DNS client 106Configuring static domain name resolution 106

v

Configuring dynamic domain name resolution 107Configuring the DNS proxy 108Configuring DNS spoofing 108Configuring network mode tracking for an output interface 109Specifying the source interface for DNS packets 109Configuring the DNS trusted interface 110Setting the DSCP value for outgoing DNS packets 110Displaying and maintaining IPv4 DNS 111IPv4 DNS configuration examples 111

Static domain name resolution configuration example 111Dynamic domain name resolution configuration example 112DNS proxy configuration example 115

IPv6 DNS configuration examples 116Static domain name resolution configuration example 116Dynamic domain name resolution configuration example 117DNS proxy configuration example 121

Troubleshooting IPv4 DNS configuration 122Symptom 122Solution 122

Troubleshooting IPv6 DNS configuration 122Symptom 122Solution 122

Configuring DDNS 124Overview 124

DDNS application 124DDNS client configuration task list 125Configuring a DDNS policy 125

Configuration prerequisites 126Configuration procedure 126

Applying the DDNS policy to an interface 127Setting the DSCP value for outgoing DDNS packets 128Displaying DDNS 128DDNS configuration examples 128

DDNS configuration example with www.3322.org 128DDNS configuration example with PeanutHull server 130

Configuring NAT 132Overview 132

Terminology 132NAT types 133NAT control 133

Command and hardware compatibility 133NAT implementations 134

Static NAT 134Dynamic NAT 134NAT Server 135NAT444 135DS-Lite NAT444 137

NAT entries 138NAT session entry 138EIM entry 138NO-PAT entry 138NAT444 entry 138

Using NAT with other features 139

vi

VRF-aware NAT 139NAT with DNS mapping 139NAT with ALG 140

NAT configuration task list 140Configuring static NAT 141

Configuration prerequisites 141Configuring outbound one-to-one static NAT 141Configuring outbound net-to-net static NAT 141Configuring inbound one-to-one static NAT 142Configuring inbound net-to-net static NAT 143

Configuring dynamic NAT 143Configuration restrictions and guidelines 143Configuration prerequisites 143Configuring outbound dynamic NAT 144Configuring inbound dynamic NAT 145

Configuring NAT Server 146Configuring common NAT Server 146Configuring load sharing NAT Server 147Configuring ACL-based NAT Server 147

Configuring NAT444 148Configuring static NAT444 148Configuring dynamic NAT444 148

Configuring DS-Lite NAT444 149Configuring NAT with DNS mapping 150Configuring NAT hairpin 150Configuring NAT with ALG 151Configuring NAT session logging 151Displaying and maintaining NAT 152NAT configuration examples 153

Outbound one-to-one static NAT configuration example 153Outbound dynamic NAT configuration example (non-overlapping addresses) 155Outbound bidirectional NAT configuration example 157NAT Server for external-to-internal access configuration example 161NAT Server for external-to-internal access through domain name configuration example 164Bidirectional NAT for external-to-internal NAT Server access through domain name configuration example 167NAT hairpin in C/S mode configuration example 170NAT hairpin in P2P mode configuration example 173Twice NAT configuration example 176Load sharing NAT Server configuration example 179NAT with DNS mapping configuration example 181Static NAT444 configuration example 184Dynamic NAT444 configuration example 186DS-Lite NAT444 configuration example 189NAT444 with BRAS configuration example 191

Basic IP forwarding on the device 194FIB table 194Displaying FIB table entries 194

Configuring load sharing 196Command and hardware compatibility 196Configuring per-packet or per-flow load sharing 196Configuring load sharing based on bandwidth 197

vii

Configuring fast forwarding 198Overview 198Command and hardware compatibility 198Configuring the aging time for fast forwarding entries 198Configuring fast forwarding load sharing 198Displaying and maintaining fast forwarding 199

Configuring flow classification 200Feature and hardware compatibility 200Specifying a flow classification policy 200

Displaying the adjacency table 201Overview 201Command and hardware compatibility 202Displaying commands 202

Configuring IRDP 203Overview 203

IRDP operation 203Basic concepts 203Protocols and standards 204

Configuration procedure 204IRDP configuration example 205


Optimizing IP performance 208Command and hardware compatibility 208Enabling an interface to receive and forward directed broadcasts destined for the directly connected network 208

Configuration procedure 208Configuration example 209

Configuring MTU for an interface 210Configuring TCP MSS for an interface 210Configuring TCP path MTU discovery 211Enabling TCP SYN Cookie 211Configuring the TCP buffer size 212Configuring TCP timers 212Enabling sending ICMP error messages 213Configuring rate limit for ICMP error messages 214Specifying the source address for ICMP packets 215Enabling IPv4 local fragment reassembly 215Displaying and maintaining IP performance optimization 216

Configuring UDP helper 219Overview 219Configuration restrictions and guidelines 219Configuring UDP helper to convert broadcast to unicast 219Configuring UDP helper to convert broadcast to multicast 220Configuring UDP helper to convert multicast to broadcast or unicast 221Displaying and maintaining UDP helper 222UDP helper configuration examples 222

Configuring UDP helper to convert broadcast to unicast 222Configuring UDP helper to convert broadcast to multicast 223Configuring UDP helper to convert multicast to broadcast 224

viii

Configuring basic IPv6 settings 226Overview 226

IPv6 features 226IPv6 addresses 227IPv6 ND protocol 230IPv6 path MTU discovery 232

IPv6 transition technologies 232Dual stack 233Tunneling 233NAT-PT 2336PE 233

Protocols and standards 234Command and hardware compatibility 234IPv6 basics configuration task list 234Assigning IPv6 addresses to interfaces 235

Configuring an IPv6 global unicast address 235Configuring an IPv6 link-local address 238Configuring an IPv6 anycast address 239

Configuring IPv6 ND 239Configuring a static neighbor entry 239Setting the maximum number of dynamic neighbor entries 240Setting the aging timer for ND entries in stale state 240Minimizing link-local ND entries 241Setting the hop limit 241Configuring parameters for RA messages 241Configuring the maximum number of attempts to send an NS message for DAD 244Enabling ND proxy 244Configuring IPv6 ND suppression 246Configuring IPv6 ND direct route advertisement 247

Configuring path MTU discovery 248Configuring the interface MTU 248Configuring a static path MTU for an IPv6 address 248Configuring the aging time for dynamic path MTUs 248

Controlling sending ICMPv6 messages 249Configuring the rate limit for ICMPv6 error messages 249Enabling replying to multicast echo requests 249Enabling sending ICMPv6 destination unreachable messages 250Enabling sending ICMPv6 time exceeded messages 250Enabling sending ICMPv6 redirect messages 251Specifying the source address for ICMPv6 packets 251

Enabling IPv6 local fragment reassembly 251Configuring IPv6 load sharing based on bandwidth 252Displaying and maintaining IPv6 basics 252IPv6 configuration examples 256

Basic IPv6 configuration example 256IPv6 ND suppression configuration example 260

Troubleshooting IPv6 basics configuration 261Symptom 261Solution 261

DHCPv6 overview 262DHCPv6 address/prefix assignment 262

Rapid assignment involving two messages 262Assignment involving four messages 262

Address/prefix lease renewal 263

ix

Stateless DHCPv6 264Protocols and standards 264

Configuring the DHCPv6 server 265Overview 265

IPv6 address assignment 265IPv6 prefix assignment 265Concepts 266DHCPv6 address pool 267IPv6 address/prefix allocation sequence 268

Configuration task list 268Configuring IPv6 prefix assignment 269

Configuration guidelines 269Configuration procedure 269

Configuring IPv6 address assignment 270Configuration guidelines 270Configuration procedure 271

Configuring network parameters assignment 271Configuring network parameters in a DHCPv6 address pool 272Configuring network parameters in a DHCPv6 option group 272

Configuring the DHCPv6 server on an interface 273Configuration guidelines 273Configuration procedure 273

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server 274Configuring DHCPv6 binding auto backup 274Advertising subnets assigned to clients 275Applying a DHCPv6 address pool to a VPN instance 276Configuring DHCPv6 logging on the DHCPv6 server 276Displaying and maintaining the DHCPv6 server 277DHCPv6 server configuration examples 278

Dynamic IPv6 prefix assignment configuration example 278Dynamic IPv6 address assignment configuration example 280

Configuring the DHCPv6 relay agent 283Overview 283DHCPv6 relay agent configuration task list 284Enabling the DHCPv6 relay agent on an interface 284Specifying DHCPv6 servers on the relay agent 284Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent 285Specifying a padding mode for the Interface-ID option 285Configuring a DHCPv6 relay address pool 286Specifying a gateway address for DHCPv6 clients 286Displaying and maintaining the DHCPv6 relay agent 287DHCPv6 relay agent configuration example 287


Configuring the DHCPv6 client 290Overview 290Configuration restrictions and guidelines 290DHCPv6 client configuration task list 290Configuring IPv6 address acquisition 290Configuring IPv6 prefix acquisition 291Configuring IPv6 address and prefix acquisition 291Configuring stateless DHCPv6 291

x

Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client 292Displaying and maintaining DHCPv6 client 292DHCPv6 client configuration examples 293

IPv6 address acquisition configuration example 293IPv6 prefix acquisition configuration example 294IPv6 address and prefix acquisition configuration example 296Stateless DHCPv6 configuration example 299

Configuring DHCPv6 snooping 301Overview 301

Application of trusted and untrusted ports 301Command and hardware compatibility 302HP implementation of Option 18 and Option 37 302

Option 18 for DHCPv6 snooping 302DHCPv6 snooping support for Option 37 303

DHCPv6 snooping configuration task list 304Configuring basic DHCPv6 snooping 304Configuring Option 18 and Option 37 304Configuring DHCPv6 snooping entry auto backup 305Setting the maximum number of DHCPv6 snooping entries 306Enabling DHCPv6-REQUEST check 306Displaying and maintaining DHCPv6 snooping 307DHCPv6 snooping configuration example 307


Configuring IPv6 fast forwarding 309Overview 309Command and hardware compatibility 309Configuring the aging time for IPv6 fast forwarding entries 309Configuring IPv6 fast forwarding load sharing 310Displaying and maintaining IPv6 fast forwarding 310

Configuring tunneling 311Overview 311

IPv6 over IPv4 tunneling 311IPv4 over IPv4 tunneling 314IPv4 over IPv6 tunneling 315IPv6 over IPv6 tunneling 318Protocols and standards 318

Command and hardware compatibility 319Tunneling configuration task list 319Configuring a tunnel interface 319Configuring an IPv6 over IPv4 manual tunnel 321

Configuration example 322Configuring an automatic IPv4-compatible IPv6 tunnel 324

Configuration example 325Configuring a 6to4 tunnel 326

6to4 tunnel configuration example 3276to4 relay configuration example 329

Configuring an ISATAP tunnel 330Configuration example 331

Configuring an IPv4 over IPv4 tunnel 334Configuration example 335

Configuring an IPv4 over IPv6 manual tunnel 337

xi

Configuration example 338Configuring a DS-Lite tunnel 339

Configuration example 341Configuring an IPv6 over IPv6 tunnel 342

Configuration example 344Displaying and maintaining tunneling configuration 345Troubleshooting tunneling configuration 346

Symptom 346Analysis 346Solution 346

Configuring GRE 347Overview 347

GRE encapsulation format 347GRE tunnel operating principle 348GRE security mechanisms 348GRE application scenarios 349Protocols and standards 350

Configuring a GRE/IPv4 tunnel 351Configuration guidelines 351Configuration procedure 351

Configuring a GRE/IPv6 tunnel 353Configuration guidelines 353Configuration procedure 353

Displaying and maintaining GRE 355GRE configuration examples 355

Configuring an IPv4 over IPv4 GRE tunnel 355Configuring an IPv4 over IPv6 GRE tunnel 358

Troubleshooting GRE 360Symptom 360Analysis 360Solution 361

Configuring ADVPN 362Overview 362

ADVPN structures 362How ADVPN operates 364NAT traversal 367

ADVPN configuration task list 367Configuring AAA 368Configuring the VAM server 368

Creating an ADVPN domain 368Enabling the VAM server 369Configuring a pre-shared key for the VAM server 369Configuring hub groups 369Configuring the port number of the VAM server 371Specifying authentication and encryption algorithms for the VAM server 372Configuring an authentication method 372Configuring keepalive parameters 373Configuring the retry timer 373

Configuring the VAM client 374Creating a VAM client 374Enabling VAM clients 374Specifying VAM servers 374Specifying an ADVPN domain for a VAM client 375

xii

Configuring a pre-shared key for a VAM client 375Setting the retry timer and retry times for a VAM client 375Setting the dumb timer for a VAM client 376Configuring a username and password for a VAM client 376

Configuring an ADVPN tunnel interface 376Configuring routing 378Configuring IPsec for ADVPN tunnels 379Displaying and maintaining ADVPN 379ADVPN configuration examples 380

IPv4 full-mesh ADVPN configuration example 380IPv6 full-mesh ADVPN configuration example 388IPv4 hub-spoke ADVPN configuration example 396IPv6 hub-spoke ADVPN configuration example 404IPv4 multi-hub-group ADVPN configuration example 412IPv6 multi-hub-group ADVPN configuration example 426IPv4 full-mesh NAT traversal ADVPN configuration example 441

Configuring WAAS 450TFO 450

Slow start optimization 450Increased buffering 450Congestion algorithm optimization 450Selective acknowledgement 451

DRE 451DRE compression process 451DRE decompression process 451

LZ compression 452Protocols and standards 452Command and hardware compatibility 452WAAS configuration task list 452Configuring a WAAS class 453Configuring a WAAS policy 453Applying a WAAS policy to an interface 454Configuring TFO parameters 454Configuring the TFO blacklist autodiscovery feature 455Deleting all WAAS settings 455Restoring predefined WAAS settings 455Displaying and maintaining WAAS 456WAAS configuration examples 457

Predefined WAAS policy configuration example 457User-defined WAAS policy configuration example 459

Configuring AFT 462Overview 462Command and hardware compatibility 462AFT implementations 462

Static AFT 462Dynamic AFT 462Prefix translation 463AFT internal server 464

AFT translation process 464For IPv6-initiated communication 464For IPv4-imitated communication 465

AFT with ALG 466AFT configuration task list 466

xiii

For IPv6-initiated communication 466For IPv4-initiated communication 467

Enabling AFT 467Configuring an IPv6-to-IPv4 destination address translation policy 467Configuring an IPv6-to-IPv4 source address translation policy 468Configuring an IPv4-to-IPv6 destination address translation policy 469Configuring an IPv4-to-IPv6 source address translation policy 469Configuring AFT logging 470Setting the ToS field to 0 for translated IPv4 packets 470Setting the Traffic Class field to 0 for translated IPv6 packets 470Displaying and maintaining AFT 471AFT configuration examples 472

Allowing IPv4 Internet access from an IPv6 network 472Providing FTP service from an IPv6 network to the IPv4 Internet 475Allowing mutual access between IPv4 and IPv6 networks 477Allowing IPv6 Internet access from an IPv4 network 479Providing FTP service from an IPv4 network to the IPv6 Internet 481

Support and other resources 484Contacting HP 484

Subscription service 484Related information 484

Documents 484Websites 484

Conventions 485

Index 487

1

Configuring ARP

Overview ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

Hardware typeHardware address type. The value 1 represents Ethernet. Protocol typeType of the protocol address to be mapped. The hexadecimal value 0x0800

represents IP.

Hardware address length and protocol address lengthLength, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.

OPOperation code, which describes the type of ARP message. The value 1 represents an ARP request, and the value 2 represents an ARP reply.

Sender hardware addressHardware address of the device sending the message. Sender protocol addressProtocol address of the device sending the message. Target hardware addressHardware address of the device to which the message is being sent. Target protocol addressProtocol address of the device to which the message is being sent.

ARP operating mechanism As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:

1. Host A looks through the ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.

2

2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:

Sender IP address and sender MAC addressHost A's IP address and MAC address.

Target IP addressHost B's IP address.

Target MAC addressAn all-zero MAC address.

All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.

3. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows:

a. Adds the sender IP address and sender MAC address into its ARP table.

b. Encapsulates its MAC address into an ARP reply.

c. Unicasts the ARP reply to Host A.

4. After receiving the ARP reply, Host A operates as follows:

a. Adds the MAC address of Host B into its ARP table.

b. Encapsulates the MAC address into the packet and sends the packet to Host B.

Figure 2 ARP address resolution process

If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:

5. Host A broadcasts an ARP request where the target IP address is the IP address of the gateway.

6. The gateway responds with its MAC address in an ARP reply to Host A.

7. Host A uses the gateway's MAC address to encapsulate the packet, and then sends the packet to the gateway.

8. If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request, in which the target IP address is the IP address of Host B.

9. After the gateway gets the MAC address of Host B, it sends the packet to Host B.

ARP table An ARP table stores dynamic, static, OpenFlow, and Rule ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

3

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

The device supports the following types of static ARP entries:

Long static ARP entryIt contains the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets.

Short static ARP entryIt contains only the IP address and MAC address. If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to

forward packets.

If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the short entry. If the sender IP and MAC addresses in the received ARP reply match the short static ARP entry, the device performs the following operations:

Adds the interface that received the ARP reply to the short static ARP entry.

Uses the resolved short static ARP entry to forward IP packets.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.

OpenFlow ARP entry

ARP creates OpenFlow ARP entries by learning from the OpenFlow module. An OpenFlow ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. An OpenFlow ARP entry can be used directly to forward packets. For more information about OpenFlow, see OpenFlow Configuration Guide.

Rule ARP entry

ARP creates Rule ARP entries by learning from the IPoE or portal module. A Rule ARP entry does not age out, and it cannot be updated. It can be overwritten by a static ARP entry. A Rule ARP entry can be used directly to forward packets. For more information about IPoE, see Layer 2WAN Access Configuration Guide. For more information about portal, see Security Configuration Guide.

Configuring a static ARP entry A static ARP entry is effective when the device functions correctly. If a VLAN or VLAN interface is deleted, long static ARP entries in the VLAN are deleted, and resolved short static ARP entries in the VLAN become unresolved.

A resolved short static ARP entry becomes unresolved upon certain events. For example, it becomes unresolved when the resolved output interface goes down.

A long static ARP entry is ineffective in either of the following situations:

The IP address in the entry conflicts with a local IP address. No local interface has an IP address in the same subnet as the IP address in the ARP entry.

Follow these guidelines when you configure a long static ARP entry:

4

The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN.

The VLAN interface must be created. Its IP address and the IP address specified by the ip-address argument must be on the same subnet.

To configure a static ARP entry:

Step Command Remarks

1. Enter system view. system-view N/A

2. Configure a static ARP entry.

Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]

Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]

By default, no static ARP entry is configured.

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

If you set a value lower than the number of existing dynamic ARP entries, the device does not remove the existing entries unless they are aged out.

To set the maximum number of dynamic ARP entries for a device:



2. Set the maximum number of dynamic ARP entries for the device.

arp max-learning-number number

If the value for the number argument is set to 0, the device is disabled from learning dynamic ARP entries.

Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

You can set limits for both a Layer 2 interface and the VLAN interface for a permitted VLAN on the Layer 2 interface. The Layer 2 interface learns an ARP entry only when neither limit is reached.

5

To set the maximum number of dynamic ARP entries for an interface:



2. Enter interface view. interface interface-type interface-number

N/A

3. Set the maximum number of dynamic ARP entries for the interface.

arp max-learning-num number If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Setting the aging timer for dynamic ARP entries Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.

To set the aging timer for dynamic ARP entries:



2. Set the aging timer for dynamic ARP entries. arp timer aging aging-time

By default, the aging time for dynamic ARP entries is 20 minutes.

Enabling dynamic ARP entry check The dynamic ARP entry check function disables the device from supporting dynamic ARP entries that contain multicast MAC addresses. The device cannot learn dynamic ARP entries containing multicast MAC addresses. You cannot manually add static ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses obtained from the ARP packets sourced from a unicast MAC address. You can also manually add static ARP entries containing multicast MAC addresses.

To enable dynamic ARP entry check:



2. Enable dynamic ARP entry check. arp check enable By default, dynamic ARP entry check is enabled.

6

Enabling ARP logging This function enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:

On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

The IP address of the receiving interface.

The virtual IP address of the VRRP group.

The public IP address after NAT.

The sender IP address of a received ARP reply conflicts with one of the following IP addresses: The IP address of the receiving interface.

The virtual IP address of the VRRP group.

The public IP address after NAT.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.

To enable the ARP logging function:



2. Enable the ARP logging function. arp check log enable By default, ARP logging is disabled.

Displaying and maintaining ARP IMPORTANT:

Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to becleared do not affect current communications.

Execute display commands in any view and reset commands in user view.

Task Command

Display ARP entries (centralized devices in standalone mode).

display arp [ [ all | dynamic |multiport | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Display ARP entries (distributed devices in standalone mode/centralized devices in IRF mode).

display arp [ [ all | dynamic | multiport | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Display ARP entries (distributed devices in IRF mode).

display arp [ [ all | dynamic | multiport | static ] [ chassis chassis-number slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Display the ARP entry for an IP address (centralized devices in standalone mode). display arp ip-address [ verbose ]

7

Task Command

Display the ARP entry for an IP address (distributed devices in standalone mode/centralized devices in IRF mode).

display arp ip-address [ slot slot-number ] [ verbose ]

Display the ARP entry for an IP address (distributed devices in IRF mode).

display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ]

Display the ARP entries for a VPN instance. display arp vpn-instance vpn-instance-name [ count ]

Display the aging timer of dynamic ARP entries. display arp timer aging

Clear ARP entries from the ARP table (centralized devices in standalone mode).

reset arp { all | dynamic | interface interface-type interface-number | multiport | static }

Clear ARP entries from the ARP table (distributed devices in standalone mode/centralized devices in IRF mode).

reset arp { all | dynamic | interface interface-type interface-number | multiport | slot slot-number | static }

Clear ARP entries from the ARP table (distributed devices in IRF mode).

reset arp { all | chassis chassis-number slot slot-number | dynamic | interface interface-type interface-number | multiport | static }

Configuration examples

Long static ARP entry configuration example Network requirements

As shown in Figure 3, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/1 in VLAN 10.

To ensure secure communications between Router A and Router B, configure a long static ARP entry for Router A on Router B.

Figure 3 Network diagram

8

Configuration procedure

# Create VLAN 10. system-view

[RouterB] vlan 10

[RouterB-vlan10] quit

# Add interface GigabitEthernet 2/0/1 to VLAN 10. [RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] port access vlan 10

[RouterB-GigabitEthernet2/0/1] quit

# Create VLAN-interface 10 and configure its IP address. [RouterB] interface vlan-interface 10

[RouterB-vlan-interface10] ip address 192.168.1.2 8

[RouterB-vlan-interface10] quit

# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 2/0/1 in VLAN 10. [RouterB] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 2/0/1

Verifying the configuration

# Verify that Router B has a long static ARP entry for Router A. [RouterB] display arp static

Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid

IP address MAC address VLAN Interface Aging Type

192.168.1.1 00e0-fc01-0000 10 GE2/0/1 N/A S

Short static ARP entry configuration example Network requirements

As shown in Figure 4, hosts are connected to Router B. Router B is connected to Router A through interface GigabitEthernet 2/0/2.

To ensure secure communications between Router A and Router B, configure a short static ARP entry for Router A on Router B.

9



# Configure an IP address for GigabitEthernet 2/0/2. system-view

[RouterB] interface gigabitethernet 2/0/2

[RouterB-GigabitEthernet2/0/2] ip address 192.168.1.2/24


# Configure a static ARP entry that has IP address 192.168.1.1 and MAC address 00e0-fc01-001f. [RouterB] arp static 192.168.1.1 00e0-fc01-001f


# Verify that Router B has a short static ARP entry for Router A. [RouterB] display arp static

Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid

IP address MAC address VLAN Interface Aging Type

192.168.1.1 00e0-fc01-001f N/A N/A N/A S

10

Configuring gratuitous ARP

Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

Inform other devices of a MAC address change.

Gratuitous ARP packet learning This function enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

When this function is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.

This feature can implement the following functions:

Prevent gateway spoofing. Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.

Prevent ARP entries from aging out. If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.

Prevent the virtual IP address of a VRRP group from being used by a host.

11

The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network. The hosts can then update local ARP entries and avoid using the virtual IP address of the VRRP group. The sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. For more information about VRRP, see High Availability Configuration Guide.

Update MAC entries of devices in the VLANs having ambiguous Dot1q or QinQ termination configured.

In VRRP configuration, if ambiguous Dot1q or QinQ termination is configured for multiple VLANs and VRRP groups, interfaces configured with VLAN termination must be disabled from transmitting broadcast/multicast packets. Also, a VRRP control VLAN must be configured so that VRRP advertisements can be transmitted within the control VLAN only. In such cases, you can enable periodic sending of gratuitous ARP packets containing the following addresses:

The VRRP virtual IP address.

The primary IP address or a manually configured secondary IP address of the sending interface on the subinterfaces.

When a VRRP failover occurs, devices in the VLANs can use the gratuitous ARP packets to update their corresponding MAC entries in a timely manner. For more information about ambiguous Dot1q or QinQ termination, see Layer 2LAN Switching Configuration Guide.

Configuration procedure The following conditions apply to the gratuitous ARP configuration:

You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces. Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface

goes up and an IP address has been assigned to the interface.

If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.

The frequency of sending gratuitous ARP packets might be much lower than the sending interval set by the user in any of the following circumstances:

This function is enabled on multiple interfaces.

Each interface is configured with multiple secondary IP addresses.

A small sending interval is configured when the previous two conditions exist.

To configure gratuitous ARP:



2. Enable learning of gratuitous ARP packets. gratuitous-arp-learning enable

By default, learning of gratuitous ARP packets is enabled.

3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.

gratuitous-arp-sending enable

By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.

12



N/A

5. Enable periodic sending of gratuitous ARP packets and set the sending interval.

arp send-gratuitous-arp [ interval milliseconds ]

By default, periodic sending of gratuitous ARP packets is disabled.

Enabling IP conflict notification By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict.

You can use this command to enable the device to display error messages before sending a gratuitous ARP reply or request for conflict confirmation.

To enable IP conflict notification:



2. Enable IP conflict notification. arp ip-conflict log prompt

By default, IP conflict notification is disabled.

13

Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.

Common proxy ARPAllows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

Local proxy ARPAllows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Enabling common proxy ARP Step Command Remarks



The following interface types are supported: VLAN interface. Layer 3 Ethernet interface. Layer 3 Ethernet subinterface. Layer 3 aggregate interface. Layer 3 aggregate subinterface.

3. Enable common proxy ARP. proxy-arp enable By default, common proxy ARP is disabled.

Enabling local proxy ARP Step Command Remarks



The following interface types are supported: VLAN interface. Layer 3 Ethernet interface. Layer 3 Ethernet subinterface. Layer 3 aggregate interface. Layer 3 aggregate subinterface.

3. Enable local proxy ARP. local-proxy-arp enable [ ip-range startIP to endIP ]

By default, local proxy ARP is disabled.

14

Displaying proxy ARP Execute display commands in any view.

Task Command

Display common proxy ARP status. display proxy-arp [ interface interface-type interface-number ]

Display local proxy ARP status. display local-proxy-arp [ interface interface-type interface-number ]

Common proxy ARP configuration example

Network requirements As shown in Figure 5, Host A and Host D have the same prefix and mask, but they are located on different subnets. No default gateway is configured on Host A and Host D.

Configure common proxy ARP on the router to enable communication between Host A and Host D.


Configuration procedure # Configure the IP address of interface GigabitEthernet 2/0/2. system-view

[Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] ip address 192.168.10.99 255.255.255.0

# Enable common proxy ARP on interface GigabitEthernet 2/0/2. [Router-GigabitEthernet2/0/2] proxy-arp enable

[Router-GigabitEthernet2/0/2] quit

15

# Configure the IP address of interface GigabitEthernet 2/0/1. [Router] interface gigabitethernet 2/0/1


# Enable common proxy ARP on interface GigabitEthernet 2/0/1. [Router-GigabitEthernet2/0/1] proxy-arp enable


Verifying the configuration # Verify that Host A and Host D can ping each other.

16

Configuring ARP fast-reply

Overview ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries or ARP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."

If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module. If not, the device takes the following steps to process the packet:

1. Search the DHCP snooping table for a match by using the target IP address.

2. If a match is found, whether the device returns a reply depends on the type of interface in the matching entry.

If the interface is the Ethernet interface that received the ARP request, the device does not return any reply.

If the interface is a wireless interface or an Ethernet interface other than the receiving interface, the device returns a reply according to the matching entry.

3. If no matching DHCP snooping entry is found and ARP snooping is enabled, the device searches the ARP snooping table.

If the interface in the matching entry is the Ethernet interface that received the ARP request, the device does not return any reply.

If the interface is a wireless interface or an Ethernet interface other than the receiving interface, the device returns a reply according to the ARP snooping entry.

4. If no match is found in both tables, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN, or delivered to other modules.

Configuration procedure To improve the availability of ARP fast-reply, enable ARP snooping at the same time.

To configure ARP fast-reply:

Step Command Remarks 1. Enter system view. system-view N/A

2. Enter VLAN view. vlan vlan-id N/A

3. Enable ARP fast-reply. arp fast-reply enable By default, ARP fast-reply is disabled.

17

ARP fast-reply configuration example

Network requirements As shown in Figure 6, all clients are in VLAN 2, and access the network through the router. They have obtained IP addresses through DHCP.

Enable ARP snooping and ARP fast-reply for VLAN 2. The router directly returns an ARP reply without broadcasting received ARP requests in the VLAN.


Configuration procedure # Enable ARP snooping for VLAN 2 on the router. system-view

[Router] vlan 2

[Router-vlan2] arp snooping enable

# Enable ARP fast-reply for VLAN 2 on the router. [Router-vlan2] arp fast-reply enable

[Router-vlan2] quit

Router

Client 1 Client 16

Client 17 Client 32

DHCP server

VLAN 2

VLAN 2

18

Configuring ARP PnP

Overview The ARP plug and play (PnP) feature is typically configured on a gateway. This feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides.

After ARP PnP is enabled on an interface, it provides the following functions:

ARP PnP enables the interface to always reply to users' ARP requests with the interface's MAC address.

Upon receiving a packet from the user, ARP PnP replaces the source IP address of the packet with an agent IP address. The agent IP address is on the same subnet as the interface IP address.

Upon receiving the return packet destined to the agent IP address, ARP PnP replaces the agent IP with the user's original IP address.

Configuration prerequisites Before you configure the ARP PnP feature on an interface, perform the following tasks:

Assign the interface a primary IP address. ARP PnP generates agent IP addresses based on the primary IP address and mask length of the interface.

Use the reset arp command to delete all ARP entries on the interface. Configure NAT on the interface that connects to the external network. For more information about

NAT, see "Configuring NAT."

Configuration procedure Step Command Remarks 1. Enter system view. system-view N/A

2. Configure an address group and enter its view.

nat address-group group-number By default, no address group exists.

3. Add an IP address range to the address group.

address start-address end-address

By default, an address group has no IP address range.

You can add multiple IP address ranges to an address group.

The IP address ranges must not overlap.

4. Enter interface view of the interface that connects to the external network.

interface interface-type interface-number

The following interface types are supported: Layer 3 Ethernet interfaces. Layer 3 Ethernet subinterfaces.

19

Step Command Remarks 5. Configure outbound dynamic

NAT. nat outbound address-group group-number

By default, outbound dynamic NAT is not configured.

6. Return to system view. quit N/A

7. Enter interface view of the interface that connects to the internal network.

interface interface-type interface-number

The following interface types are supported: Layer 3 Ethernet interfaces. Layer 3 Ethernet subinterfaces.

8. Enable the ARP PnP feature. arp pnp By default, the ARP PnP feature is disabled.

Displaying and maintaining ARP PnP Execute display commands in any view.

Task Command

Display ARP PnP mappings. display arp pnp [ interface interface-type interface-number ]

ARP PnP configuration example

Network requirements As shown in Figure 7, configure the ARP PnP feature to allow the host at 1.2.3.4 to access the external server through GigabitEthernet 2/0/1.


Configuration procedure 1. Configure NAT:

# Specify IP addresses for GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2. system-view


[Router-GigabitEthernet2/0/1] ip address 192.168.0.2 24



[Router-GigabitEthernet2/0/2] ip address 202.38.1.100 24


20

# Configure ACL 2000 to identify packets from subnet 192.168.0.0/24. [Router] acl number 2000

[Router-acl-basic-2000] rule permit source 192.168.0.0 0.0.0.255

[Router-acl-basic-2000] quit

# Create address group 1, and add address 202.38.1.100 to the group. [Router] nat address-group 1

[Router-nat-address-group-1] address 202.38.1.100 202.38.1.100

[Router-nat-address-group-1] quit

# Enable outbound PAT on interface GigabitEthernet 2/0/2 to translate the source address of outgoing packets matching ACL 2000 into the address in address group 1. [Router] interface gigabitethernet 2/0/2

[Router-GigabitEthernet2/0/2] nat outbound 2000 address-group 1

2. Enable the ARP PnP feature on GigabitEthernet 2/0/1. [Router] interface gigabitethernet 2/0/1

[Router-GigabitEthernet2/0/1] arp pnp


Verifying the configuration # Verify that the router creates an ARP PnP mapping for the host IP address 1.2.3.4 on GigabitEthernet 2/0/1. [Router] display arp pnp interface gigabitethernet 2/0/1

Total number of entries : 1

Agent IP address User IP address MAC address Interface Aging

192.168.0.3 1.2.3.4 00e0-fc00-0001 GE2/0/1 10

21

Configuring ARP suppression

Overview The ARP suppression feature enables a device to directly answer ARP requests by using ARP suppression entries. The device generates ARP suppression entries based on dynamic ARP entries that it learns. This feature is typically configured on the PEs connected to base stations in an MPLS L2VPN that provides access to an L3VPN network.

You can also configure the ARP suppression push function to push ARP suppression entries at intervals by broadcasting gratuitous ARP packets.

Figure 8 shows a typical application scenario. ARP suppression is enabled on the PE that connects to the base station. The PE generates ARP suppression entries for the base station, PE-agg 1, and PE-agg 2, and it directly replies subsequent ARP requests for these devices.

Figure 8 Typical application


2. Create a cross-connect group and enter its view. xconnect-group group-name

By default, no cross-connect group exists.

For more information about this command, see MPLS Command Reference.

22


3. Create a cross-connect and enter its view. connection connection-name

By default, no cross-connect exists.


4. Enable ARP suppression. arp suppression enable By default, ARP suppression is disabled.

5. Return to cross-connect group view. quit N/A

6. Return to system view. quit N/A

7. (Optional.) Enable the ARP suppression push function and set a push interval.

arp suppression push interval interval

By default, the ARP suppression push function is disabled.

Displaying and maintaining ARP suppression Execute display commands in any view and reset commands in user view.

Task Command

Display ARP suppression entries (centralized devices in standalone mode).

display arp suppression xconnect-group [ name group-name ] [ count ]

Display ARP suppression entries (distributed devices in standalone mode/centralized devices in IRF mode).

display arp suppression xconnect-group [ name group-name ] [ slot slot-number ] [ count ]

Display ARP suppression entries (distributed devices in IRF mode).

display arp suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ] [ count ]

Clear ARP suppression entries (centralized devices in standalone mode).

reset arp suppression xconnect-group

Clear ARP suppression entries (distributed devices in standalone mode/centralized devices in IRF mode).

reset arp suppression xconnect-group [ name group-name ] [ slot slot-number ]

Clear ARP suppression entries (distributed devices in IRF mode).

reset arp suppression xconnect-group [ name group-name ] [ chassis chassis-number slot slot-number ]

ARP suppression configuration example

Network requirements As shown in Figure 9, the base station, Router A, and Router B are in an MPLS L2VPN. The base station can reach the L3VE interface VE-L3VPN 1 of Router B.

Enable ARP suppression on Router A to directly reply to ARP requests for Router B.

23


Configuration procedure 1. Configure IP addresses for the interfaces as shown in Figure 9. (Details not shown.)

2. Configure ARP suppression on Router A:

# Create a cross-connect group named vpna and create a cross-connect named svc in the group. system-view

[RouterA] xconnect-group vpna

[RouterA-xcg-vpna] connection svc

# Enable ARP suppression for the cross-connect svc in cross-connect group vpna. [RouterA-xcg-vpna-svc] arp suppression enable

Verifying the configuration 1. On the base station, clear ARP entries, and ping the L3VE interface VE-L3VPN 1 of Router B.

(Details not shown.)

2. Verify that Router A has ARP suppression entries for the base station and Router B. [RouterA-xcg-vpna-svc] display arp suppression xconnect-group

IP address MAC address Xconnect-group Connection Aging

10.1.1.1 00e0-fc04-582c vpna svc 25

10.1.1.3 0023-89b7-0861 vpna svc 25

3. Enable ARP debugging on Router B to verify that Router B does not receive an ARP request from the base station under the following conditions (details not shown):

a. Clear ARP entries on the base station.

b. Ping the L3VE interface VE-L3VPN 1 of Router B from the base station.

24

Configuring ARP direct route advertisement

Overview The ARP direct route advertisement feature advertises host routes instead of advertising the network route. This feature is typically configured on PE-aggs to advertise host routes to the connected PEs in the L3VPN.

Figure 10 shows a typical application scenario where the PE in the L3VPN has ECMP routes destined to a base station in the L2VPN. Traffic from the PE in the L3VPN to the base station can be load shared by PE-agg 1 and PE-agg 2. If PE-agg 1 fails, the PE uses the host route through PE-agg 2 to forward traffic.

Figure 10 Typical application


2. Create an L3VE interface and enter its view.

interface ve-l3vpn interface-number

By default, no L3VE interface exists.


3. Enable the ARP direct route advertisement feature.

arp route-direct advertise By default, the ARP direct route advertisement feature is disabled.

25

Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified.

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview This section describes the IP addressing basics.

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

IP address classes Each IP address breaks down into the following sections:

Net IDIdentifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.

Host IDIdentifies a host on a network.

IP addresses are divided into five classes, as shown in Figure 11. The shaded areas represent the address class. The first three classes are most commonly used.

Figure 11 IP address classes

Table 1 IP address classes and ranges

Class Address range Remarks

A 0.0.0.0 to 127.255.255.255

The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address.

Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.

B 128.0.0.0 to 191.255.255.255 N/A

26

Class Address range Remarks

C 192.0.0.0 to 223.255.255.255 N/A

D 224.0.0.0 to 239.255.255.255 Multicast addresses.

E 240.0.0.0 to 255.255.255.255 Reserved for future use, except for the broadcast address 255.255.255.255.

Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses:

IP address with an all-zero net IDIdentifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.

IP address with an all-zero host IDIdentifies a network. IP address with an all-one host IDIdentifies a directed broadcast address. For example, a packet

with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.

Subnetting and masking Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Figure 12 Subnetting a Class B network

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.

Without subnetting65534 (216 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)

With subnettingUsing the first nine bits of the host-id for subnetting provides 512 (29) subnets. However, only seven bits remain available for the host ID. This allows 126 (27 2) hosts in each subnet, a total of 64512 (512 126) hosts.

27

Assigning an IP address to an interface An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.

An interface can have one primary address and multiple secondary addresses.

Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

Configuration guidelines Follow these guidelines when you assign an IP address to an interface:

An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous one.

You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP, DHCP, PPP address negotiation, or IP unnumbered.

The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

Configuration procedure To assign an IP address to an interface:



2. Enter interface view. interface interface-type interface-number N/A

3. Assign an IP address to the interface.

ip address ip-address { mask | mask-length } [ sub ]

By default, no IP address is assigned to the interface.

Configuring IP unnumbered Typically, you assign an IP address to an interface either manually or through DHCP. If the IP addresses are not enough, or the interface is used only occasionally, you can configure an interface to borrow an IP address from other interfaces. This is called IP unnumbered, and the interface borrowing the IP address is called IP unnumbered interface.

You can use IP unnumbered to save IP addresses either when available IP addresses are inadequate or when an interface is brought up only for occasional use.

28

Configuration guidelines Follow these guidelines when you configure IP unnumbered:

Loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of loopback interfaces.

An interface cannot borrow an IP address from an unnumbered interface. Multiple interfaces can use the same unnumbered IP address. If an interface has multiple manually configured IP addresses, only the manually configured primary

IP address can be borrowed.

Configuration prerequisites Assign an IP address to the interface from which you want to borrow the IP address. Alternatively, you can configure the interface to obtain one through BOOTP, DHCP, or PPP address negotiation.

Configuration procedure To configure IP unnumbered on an interface:



2. Enter interface view. interface interface-type interface-number N/A

3. Specify the interface to borrow the IP address of the specified interface.

ip address unnumbered interface interface-type interface-number

By default, the interface does not borrow IP addresses from other interfaces.

A dynamic routing protocol cannot be enabled on the interface where IP unnumbered is configured. To enable the interface to communicate with other devices, configure a static route to the peer device on the interface. For more configuration information, see "IP unnumbered configuration example."

Displaying and maintaining IP addressing Execute display commands in any view.

Task Command

Display IP configuration and statistics for the specified or all Layer 3 interfaces.

display ip interface [ interface-type interface-number ]

Display brief IP configuration for Layer 3 interfaces. display ip interface [ interface-type [ interface-number ] ] brief [ description ]

29

Configuration examples

IP address configuration example Network requirements

As shown in Figure 13, GigabitEthernet 2/0/1 on the router is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.

To enable the hosts on the two network segments to communicate with the external network through the router, and to enable the hosts on the LAN to communicate with each other:

Assign a primary IP address and a secondary IP address to GigabitEthernet 2/0/1 on the router. Set the primary IP address of the router as the gateway address of the PCs on subnet 172.16.1.0/24.

Set the secondary IP address of the router as the gateway address of the PCs on subnet 172.16.2.0/24.



# Assign a primary IP address and a secondary IP address to GigabitEthernet 2/0/1. system-view



[Router-GigabitEthernet2/0/1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the PCs attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to subnet 172.16.2.0/24.


# Verify the connectivity between a host on subnet 172.16.1.0/24 and the router. ping 172.16.1.2

Ping 172.16.1.2 (172.16.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 172.16.1.2: icmp_seq=0 ttl=128 time=7.000 ms

30





--- Ping statistics for 172.16.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.600/7.000/2.245 ms

# Verify the connectivity between a host on subnet 172.16.2.0/24 and the router. ping 172.16.2.2










# Verify the connectivity between a host on subnet 172.16.1.0/24 and a host on subnet 172.16.2.0/24. The ping operation succeeds.

IP unnumbered configuration example Network requirements

As shown in Figure 14, two routers on an intranet are connected to each other through serial interfaces across a Digital Data Network. Each router connects to a LAN through an Ethernet interface.

To save IP addresses, configure the serial interfaces to borrow IP addresses from the Ethernet interfaces.



1. Configure Router A:

# Assign a primary IP address to GigabitEthernet 2/0/1.

Ser2/1/1 Ser2/1/1

GE2/0/1172.16.10.1/24

GE2/0/1172.16.20.1/24

DDN

Router BRouter A

31

system-view

[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] ip address 172.16.10.1 255.255.255.0

[RouterA-GigabitEthernet2/0/1] quit

# Configure Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/0/1. [RouterA] interface serial 2/1/1

[RouterA-Serial2/1/1] ip address unnumbered interface gigabitethernet 2/0/1

[RouterA-Serial2/1/1] quit

# Configure a static route to the subnet attached to Router B, specifying Serial 2/1/1 as the outgoing interface. [RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 2/1/1

2. Configure Router B:

# Assign a primary IP address to GigabitEthernet 2/0/1. system-view

[RouterB] interface gigabitethernet 2/0/1

[RouterB-GigabitEthernet2/0/1] ip address 172.16.20.1 255.255.255.0


# Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/0/1. [RouterB] interface serial 2/1/1

[RouterB-Serial2/1/1] ip address unnumbered interface gigabitethernet 2/0/1

[RouterB-Serial2/1/1] quit

# Configure a static route to the subnet attached to Router A, specifying Serial 2/1/1 as the outgoing interface. [RouterB] ip route-static 172.16.10.0 255.255.255.0 serial 2/1/1


# Verify that a host attached to Router B can be pinged from Router A. [RouterA] ping 172.16.20.2










32

DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

Figure 15 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."

Figure 15 A typical DHCP application

DHCP address allocation

Allocation mechanisms DHCP supports the following allocation mechanisms:

Static allocationThe network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.

Automatic allocationDHCP assigns a permanent IP address to a client. Dynamic allocationDHCP assigns an IP address to a client for a limited period of time, which is

called a lease. Most DHCP clients obtain their addresses in this way.

33

IP address allocation process Figure 16 IP address allocation process

As shown in Figure 16, a DHCP server assigns an IP address to a DHCP client in the following process:

1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format."

3. If the client receives multiple offers, it accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)

4. All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client does one of the following operations:

Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.

Returns a DHCP-NAK message to deny the IP address allocation.

After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:

The assigned IP address is not in use. To verify this, the client broadcasts a gratuitous ARP packet. The assigned IP address is not in use if no response is received within the specified time.

The assigned IP address is not on the same subnet as any IP address in use on the client.

Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.

IP address lease extension A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.

When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:

A DHCP-ACK unicast confirming that the client's lease duration has been extended. A DHCP-NAK unicast denying the request.

34

If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format Figure 17 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 17 DHCP message format

opMessage type defined in options field. 1 = REQUEST, 2 = REPLY htype, hlenHardware address type and length of the DHCP client. hopsNumber of relay agents a request message traveled. xidTransaction ID, a random number chosen by the client to identify an IP address allocation. secsFilled in by the client, the number of seconds elapsed since the client began address

acquisition or renewal process. This field is reserved and set to 0.

flagsThe leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast. If this flag is set to 1, the DHCP server sent a reply back by broadcast. The remaining bits of the flags field are reserved for future use.

ciaddrClient IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)

yiaddrYour IP address. It is an IP address assigned by the DHCP server to the DHCP client. siaddrServer IP address, from which the client obtained configuration parameters. giaddrGateway IP address. It is the IP address of the first relay agent to which a request message

travels.

chaddrClient hardware address. snameServer host name, from which the client obtained configuration parameters. fileBoot file (also called system software image) name and path information, defined by the

server to the client.

35

optionsOptional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.

DHCP options DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

Figure 18 DHCP option format

Common DHCP options The following are common DHCP options:

Option 3Router option. It specifies the gateway address. Option 6DNS server option. It specifies the DNS server's IP address. Option 33Static route option. It specifies a list of classful static routes (the destination addresses

in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

Option 51IP address lease option. Option 53DHCP message type option. It identifies the type of the DHCP message. Option 55Parameter request list option. It is used by a DHCP client to request specified

configuration parameters. The option includes values that correspond to the parameters requested by the client.

Option 60Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.

Option 66TFTP server name option. It specifies a TFTP server to be assigned to the client. Option 67Boot file name option. It specifies the boot file name to be assigned to the client. Option 121Classless route option. It specifies a list of classless static routes (the destination

addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

Option 150TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.

For more information about DHCP options, see RFC 2132 and RFC 3442.

Custom DHCP options Some options, such as Option 43, Option 82, and Option 184, have no standard definitions in RFC 2132.

36

Vendor-specific option (Option 43)

DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.

The DHCP client can obtain the following information through Option 43:

ACS parameters, including the ACS URL, username, and password. Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS

for selecting vender-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.

PXE server address, which is used to obtain the boot file or other control information from the PXE server.

AC address, which is used by an AP to obtain the boot file or other control information from the AC. 1. Format of Option 43:

Figure 19 Option 43 format

Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 19.

Sub-option typeThe field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).

Sub-option lengthExcludes the sub-option type and sub-option length fields.

Sub-option valueThe value format varies by sub-option.

2. Sub-option value field formats:

ACS parameter sub-option value fieldIncludes the ACS URL, username, and password separated by spaces (0x20) as shown in Figure 20.

Figure 20 ACS parameter sub-option value field

Service provider identifier sub-option value fieldIncludes the service provider identifier.

PXE server address sub-option value fieldIncludes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 21.

37

Figure 21 PXE server address sub-option value field

Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.

The admi