No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuration Examples

Configuration Examples

This section provides IPv6 configuration examples, including networking requirements and configuration roadmap.

Example for Configuring Basic IPv6 Functions

Networking Requirements

As shown in Figure 6-57, 10GE1/17/1 of SwitchA connects to 10GE1/17/1 of SwitchB. The two interfaces belong to VLAN 100. An IPv6 global unicast address is configured for VLANIF 100 to allow SwitchA to communicate with SwitchB.

Figure 6-57 Networking diagram for configuring basic IPv6 functions

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable the IPv6 function on switch interfaces.

  2. Configure global unicast IPv6 addresses for the interfaces.

Procedure

  1. Create a VLAN and add interfaces to the VLAN.

    # Configure SwitchA.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 100
    [*SwitchA] interface 10ge 1/17/1
    [*SwitchA-10GE1/17/1] port link-type trunk
    [*SwitchA-10GE1/17/1] port trunk allow-pass vlan 100
    [*SwitchA-10GE1/17/1] quit
    [*SwitchA] commit
    

    # Configure SwitchB.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] vlan batch 100
    [*SwitchB] interface 10ge 1/17/1
    [*SwitchB-10GE1/17/1] port link-type trunk
    [*SwitchB-10GE1/17/1] port trunk allow-pass vlan 100
    [*SwitchB-10GE1/17/1] quit
    [*SwitchB] commit
    

  2. Enable the IPv6 function on interfaces and configure global unicast addresses for the interfaces.

    # Configure SwitchA.

    [~SwitchA] interface vlanif 100
    [*SwitchA-Vlanif100] ipv6 enable
    [*SwitchA-Vlanif100] ipv6 address 3001::1/64
    [*SwitchA-Vlanif100] commit
    [~SwitchA-Vlanif100] quit
    [~SwitchA] quit

    # Configure SwitchB.

    [~SwitchB] interface vlanif 100
    [*SwitchB-Vlanif100] ipv6 enable
    [*SwitchB-Vlanif100] ipv6 address 3001::2/64
    [*SwitchB-Vlanif100] commit
    [~SwitchB-Vlanif100] quit
    [~SwitchB] quit

  3. Verify the configuration.

    If the preceding configurations are successful, you can view the configured global unicast addresses. The interface status and the IPv6 protocol are Up. You can also check the neighbor of the interfaces.

    # Check interface information on SwitchA.

    <SwitchA> display ipv6 interface vlanif 100
    Vlanif100 current state : UP
    IPv6 protocol current state : UP
    link-local address is FE80::C964:0:B8B6:1
      Global unicast address(es):
        3001::1, subnet is 3001::/64
      Joined group address(es):
        FF02::1:FF00:1
        FF02::1:FFB6:1
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Check interface information on SwitchB.

    <SwitchB> display ipv6 interface vlanif 100
    Vlanif100 current state : UP
    IPv6 protocol current state : UP
    link-local address is FE80::2D6F:0:7AF3:1
      Global unicast address(es):
        3001::2, subnet is 3001::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::1:FFF3:1
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the link-local address of SwitchB from SwitchA. You must use the parameter -i to specify the interface with the link-local address.

    <SwitchA> ping ipv6 FE80::2D6F:0:7AF3:1 -i vlanif 100
      PING FE80::2D6F:0:7AF3:1 : 56  data bytes, press CTRL_C to break
        Reply from FE80::2D6F:0:7AF3:1
        bytes=56 Sequence=1 hop limit=64  time = 7 ms
        Reply from FE80::2D6F:0:7AF3:1
        bytes=56 Sequence=2 hop limit=64  time = 3 ms
        Reply from FE80::2D6F:0:7AF3:1
        bytes=56 Sequence=3 hop limit=64  time = 3 ms
        Reply from FE80::2D6F:0:7AF3:1
        bytes=56 Sequence=4 hop limit=64  time = 3 ms
        Reply from FE80::2D6F:0:7AF3:1
        bytes=56 Sequence=5 hop limit=64  time = 3 ms
    
      --- FE80::2D6F:0:7AF3:1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 3/3/7 ms
    

    # Ping the global unicast IPv6 address of SwitchB from SwitchA. The global unicast IPv6 address can be pinged successfully.

    <SwitchA> ping ipv6 3001::2
      PING 3001::2 : 56  data bytes, press CTRL_C to break
        Reply from 3001::2
        bytes=56 Sequence=1 hop limit=64  time = 12 ms
        Reply from 3001::2
        bytes=56 Sequence=2 hop limit=64  time = 3 ms
        Reply from 3001::2
        bytes=56 Sequence=3 hop limit=64  time = 3 ms
        Reply from 3001::2
        bytes=56 Sequence=4 hop limit=64  time = 3 ms
        Reply from 3001::2
        bytes=56 Sequence=5 hop limit=64  time = 3 ms
    
      --- 3001::2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 3/4/12 ms
    

Configuration File
  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    vlan batch 100 
    #
    interface Vlanif100
     ipv6 enable
     ipv6 address 3001::1/64
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    return
  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    vlan batch 100 
    #
    interface Vlanif100
     ipv6 enable
     ipv6 address 3001::2/64
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    return

Example for Configuring IPv6 SEND

Networking Requirements

As shown in Figure 6-58, IPv6 SEND is configured on Switch Module A to ensure its security. When a network device not enabled with IPv6 SEND, such as Switch Module B, sends messages to Switch Module A, Switch Module A regards them invalid and discards them.

Figure 6-58 Networking diagram for configuring IPv6 SEND
Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a CGA IPv6 address and a common IPv6 address on Switch Module A.

  2. Enable the strict security mode on an interface of Switch Module A.

  3. Configure an IPv6 address for an interface on Switch Module B.

Procedure

  1. Configure a CGA IPv6 address on Switch Module A.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleA
    [*HUAWEI] commit
    [~Switch ModuleA] rsa key-pair label huawei
    [*Switch ModuleA] interface 10ge 1/17/1
    [*Switch ModuleA-10GE1/17/1] undo portswitch
    [*Switch ModuleA-10GE1/17/1] ipv6 enable
    [*Switch ModuleA-10GE1/17/1] ipv6 security rsakey-pair huawei
    [*Switch ModuleA-10GE1/17/1] ipv6 security modifier sec-level 1
    [*Switch ModuleA-10GE1/17/1] ipv6 address fe80::3 link-local cga
    [*Switch ModuleA-10GE1/17/1] ipv6 address 3000::/64 cga
    [*Switch ModuleA-10GE1/17/1] ipv6 address 1::1/64

  2. Enable the strict security mode on an interface of Switch Module A.

    [*Switch ModuleA-10GE1/17/1] ipv6 nd security strict
    [*Switch ModuleA-10GE1/17/1] commit

  3. Configure an IPv6 address of Switch Module B.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleB
    [*HUAWEI] commit
    [~Switch ModuleB] interface 10ge 1/17/1
    [~Switch ModuleB-10GE1/17/1] undo portswitch
    [*Switch ModuleB-10GE1/17/1] ipv6 enable
    [*Switch ModuleB-10GE1/17/1] ipv6 address auto link-local
    [*Switch ModuleB-10GE1/17/1] ipv6 address 3000::2/64
    [*Switch ModuleB-10GE1/17/1] ipv6 address 1::2/64
    [*Switch ModuleB-10GE1/17/1] commit

  4. Verify the configuration.

    If the configuration is successful, you can view that the IPv6 address and IPv6 SEND have been configured and the interface status and IPv6 protocol status are Up.

    # View information about 10GE 1/17/1 on Switch Module A.

    [~Switch ModuleA-10GE1/17/1] display this ipv6 interface
    10GE1/17/1 current state : UP
    IPv6 protocol current state : UP
    link-local address is FE80::3057:B5D6:6BD6:6CA8
      Global unicast address(es):
        1::1, subnet is 1::/64
        3000::2092:84CE:827B:D5A4, subnet is 3000::/64
      Joined group address(es):
        FF02::1:FF00:1
        FF02::1:FF7B:D5A4
        FF02::1:FFD6:6CA8
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # View the IPv6 SEND configuration on 10GE 1/17/1 of Switch Module A.

    [~Switch ModuleA-10GE1/17/1] display ipv6 security interface 10ge 1/17/1
     (L) : Link local address
     SEND: Security ND
     SEND information for the interface : 10GE1/17/1
    ----------------------------------------------------------------------------
     IPv6 address                                   PrefixLength Collision Count
    ----------------------------------------------------------------------------
     FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
     3000::2092:84CE:827B:D5A4                      64           0
    ----------------------------------------------------------------------------
     SEND sec value : 1
     SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
     SEND RSA key label bound : huawei
     SEND ND minimum key length value : 512
     SEND ND maximum key length value : 2048
     SEND ND Timestamp delta value : 300
     SEND ND Timestamp fuzz value : 1
     SEND ND Timestamp drift value : 1
     SEND ND fully secured mode : enable

    # View information about 10GE 1/17/1 on Switch Module B.

    [~Switch ModuleB-10GE1/17/1] display this ipv6 interface
    10GE1/17/1 current state : UP
    IPv6 protocol current state : UP
    link-local address is FE80::2E0:E6FF:FE13:8100
      Global unicast address(es):
        1::2, subnet is 1::/64
        3000::2, subnet is 3000::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::1:FF13:8100
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the CGA link-local address of Switch Module A from Switch Module B. The ping fails because IPv6 SEND is configured on Switch Module A.

    [~Switch ModuleB-10GE1/17/1] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i 10ge 1/17/1
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                

    # Ping the CGA global unicast address of Switch Module A from Switch Module B. The ping fails because IPv6 SEND is configured on Switch Module A.

    [~Switch ModuleB-10GE1/17/1] ping ipv6 3000::2092:84CE:827B:D5A4
      PING 3000::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 3000::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # Ping the common global unicast address of Switch Module A from Switch Module B. The ping fails because IPv6 SEND is configured on Switch Module A.

    [~Switch ModuleB-10GE1/17/1] ping ipv6 1::1
      PING 1::1 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 1::1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # Disable IPv6 SEND on Switch Module A. The ping from Switch Module B to Switch Module A is successful. The following part provides an example of pinging the CGA global unicast address of Switch Module A.

    [~Switch ModuleA-10GE1/17/1] undo ipv6 nd security strict
    [*Switch ModuleA-10GE1/17/1] commit
    [~Switch ModuleB-10GE1/17/1] ping ipv6 3000::2092:84CE:827B:D5A4
      PING 3000::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Reply from 3000::2092:84CE:827B:D5A4
        bytes=56 Sequence=1 hop limit=64  time = 1 ms
        Reply from 3000::2092:84CE:827B:D5A4
        bytes=56 Sequence=2 hop limit=64  time = 20 ms
        Reply from 3000::2092:84CE:827B:D5A4
        bytes=56 Sequence=3 hop limit=64  time = 1 ms
        Reply from 3000::2092:84CE:827B:D5A4
        bytes=56 Sequence=4 hop limit=64  time = 1 ms
        Reply from 3000::2092:84CE:827B:D5A4
        bytes=56 Sequence=5 hop limit=64  time = 1 ms
    
      --- 3000::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/4/20 ms
                                    

Configuration Files
  • Configuration file of SwitchA

    #
    sysname Switch ModuleA
    #
    rsa key-pair label huawei modulus 2048
    #
    interface 10GE1/17/1
     undo portswitch
     ipv6 enable
     ipv6 security rsakey-pair huawei
     ipv6 security modifier sec-level 1
     ipv6 address 1::1/64
     ipv6 address 3000::/64 cga
     ipv6 address FE80::3 link-local cga
     ipv6 nd security strict
    #
    return
  • Configuration file of SwitchB

    #
    sysname Switch ModuleB
    #
    interface 10GE1/17/1
     undo portswitch
     ipv6 enable
     ipv6 address 1::2/64
     ipv6 address 3000::2/64
     ipv6 address auto link-local
    #
    return
Translation
Download
Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 57466

Downloads: 3619

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next