CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring Basic IPv6

This section describes the procedures for configuring IPv6.

Configuring IPv6 Addresses for Interfaces

To enable network devices to communicate at the network layer, configure interface IPv6 addresses on the network devices.

Pre-configuration Tasks

Before configuring IPv6 addresses for interfaces, complete the following task:

  • Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Configuration Process

You can perform the following configuration tasks in any sequence as required.

Configuring Global Unicast Addresses for Interfaces

Context

A global unicast address is similar to an IPv4 public address and is provided for the Internet Service Provider (ISP). A global unicast address can be generated using either of the following methods:

  • Generated in the EUI-64 format: An IPv6 global unicast address in the EUI-64 format contains a manually configured prefix and an automatically generated interface identifier.
  • Configured manually: An IPv6 global unicast address can be manually configured.
NOTE:

An interface can be configured with multiple global unicast addresses with different network prefixes.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    The global unicast address can be configured on interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, VLANIF, loopback, and tunnel interfaces.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  5. You can run either of the following commands to configure an IPv6 global unicast address for an interface:

    • Run:

      ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

      An IPv6 global unicast address is manually configured.

    • Run:

      ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64

      An IPv6 global unicast address is generated in the EUI-64 format.

    A maximum of 16 global unicast addresses can be configured on an interface.

  6. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display ipv6 interface [ interface-type interface-number | brief ] command in any view to check IPv6 information on an interface.

  • Run the display this ipv6 interface command in the interface view to check IPv6 information on the interface.

Configuring Link-local Addresses for Interfaces

Context

Link-local addresses are used in neighbor discovery or stateless autoconfiguration. An IPv6 link-local address can be obtained using either of the following methods:

  • Automatically generated: A device automatically generates a link-local address for an interface based on the link-local prefix (FE80::/10) and link layer address of the interface.
  • Manually configured: You can manually configure an IPv6 link-local address for an interface.
NOTE:
  • Each interface can be configured with only one link-local address. To prevent link-local address conflict, automatically generated link-local addresses are recommended. After an interface is configured with an IPv6 global unicast address, it automatically generates a link-local address.

  • Manually configured link-local addresses have higher priority than automatically generated ones. Manually configured addresses can overwrite automatically generated ones, but automatically generated addresses cannot overwrite manually configured ones. If manually configured addresses are deleted, the overwritten automatically generated ones take effect.
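
The EUI-64 global unicast method and the automatically generated link-local address described above both build the interface identifier from the link layer address. The following added example (not part of the original guide) assumes the modified EUI-64 derivation of RFC 4291 and a constructed MAC address; it shows that the MAC address can be read back out of such an address, which is what makes these addresses useful for inventory and a concern for host tracking.

```python
import ipaddress
from typing import Optional


def mac_to_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a MAC.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb-ccdd-eeff notation.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    # Flip the universal/local bit and insert FFFE between OUI and NIC part.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a configured prefix (64 bits or shorter) with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 needs the low 64 bits for the interface identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_interface_id(mac))


def recover_mac(address: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 style address, or None if absent."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not an EUI-64 derived identifier (manual, CGA, temporary, ...)
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in raw)


if __name__ == "__main__":
    mac = "0000-5e00-5301"  # constructed MAC from the documentation range
    print(eui64_address("2001:db8:1::/64", mac))  # global unicast, EUI-64 format
    print(eui64_address("fe80::/10", mac))        # automatically generated link-local
    print(recover_mac("fe80::200:5eff:fe00:5301"))
```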

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    The link-local address can be configured on interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, VLANIF, loopback, and tunnel interfaces.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  5. You can run either of the following commands to configure a link-local address for an interface:

    • Run:

      ipv6 address ipv6-address link-local

      A link-local address is configured for an interface.

    • Run:

      ipv6 address auto link-local

      A link-local address is automatically generated.

  6. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display ipv6 interface [ interface-type interface-number | brief ] command in any view to check IPv6 information on an interface.

  • Run the display this ipv6 interface command in the interface view to check IPv6 information on the interface.

Configuring Anycast Addresses for Interfaces

Context

IPv6 anycast addresses are allocated from the unicast address space. An anycast address identifies a group of interfaces, which usually belong to different nodes. When using anycast addresses, pay attention to the following points:

  • Anycast addresses can only be used as destination addresses.
  • Packets addressed to an anycast address are delivered to the nearest interface that is identified by the anycast address, depending on the routing protocols.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    The anycast address can be configured on interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, VLANIF, loopback, and tunnel interfaces.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  5. Run:

    ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } anycast

    An IPv6 anycast address is configured for the interface.

  6. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display ipv6 interface [ interface-type interface-number | brief ] command in any view to check IPv6 information on an interface.

  • Run the display this ipv6 interface command in the interface view to check IPv6 information on the interface.

Configuring an IPv6 Address Selection Policy Table

If multiple addresses are configured on an interface of the device, the IPv6 address selection policy table can be used to select source and destination addresses for packets.

Pre-configuration Tasks
Before configuring an IPv6 address selection policy table, complete the following tasks:
  • Setting link layer protocol parameters for interfaces to ensure that the link layer protocol status of the interfaces is Up

Context

IPv6 addresses can be classified into different types based on different applications.

  • Link local addresses and global unicast addresses based on the effective range of the IPv6 addresses
  • Temporary addresses and public addresses based on security levels
  • Home addresses and care-of addresses based on the application in the mobile IPv6 field
  • Physical interface addresses and logical interface addresses based on the interface attributes

The preceding IPv6 addresses can be configured on the same interface of the switch modules. In this case, the device must select a source address or a destination address from multiple addresses on the interface. If the device supports the IPv4/IPv6 dual-stack, it also must select IPv4 addresses or IPv6 addresses for communication. For example, if a domain name maps to both an IPv4 address and an IPv6 address, the system must select an address to respond to the DNS request of the client.

An IPv6 address selection policy table solves the preceding problems. It defines a group of address selection rules. The source and destination addresses of packets can be specified or planned based on these rules. This table, similar to a routing table, can be queried by using the longest matching rule. The address is selected based on the source and destination addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ipv6 address-policy [ vpn-instance vpn-instance-name ] ipv6-address prefix-length precedence label

    The source or destination address selection policies are configured.

    By default, only default address selection policy entries are contained. These entries are prefixed with ::1, ::, 2002::, FC00::, and ::FFFF:0.0.0.0.

    A maximum of 50 address selection policy entries are supported by the system.

    • The label parameter can be used to determine the result of source address selection. The address whose label value is the same as the label value of the destination address is selected preferably as the source address.
    • The destination address is selected based on both the label and the precedence parameters. If label values of the candidate addresses are the same, the address whose precedence value is largest is selected preferably as the destination address.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the following commands to check the previous configuration.

  • Run the display ipv6 address-policy [ vpn-instance vpn-instance-name ] { all | ipv6-address prefix-length } command to check address selection policy entries.
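
The longest-match lookup and the label and precedence rules described above can be modelled as follows. This is an added example, not part of the original guide: the guide lists only the default prefixes, so the precedence and label values below are taken from RFC 6724 as an assumption, the addresses are constructed, and the selection logic is a simplified version of the RFC rules (matching label first, then highest precedence).

```python
import ipaddress
from typing import List, NamedTuple, Sequence, Tuple


class PolicyEntry(NamedTuple):
    prefix: ipaddress.IPv6Network
    precedence: int
    label: int


# Default prefixes named in the guide; precedence/label values are assumed
# (RFC 6724), not read from a device.
DEFAULT_ROWS = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4-mapped addresses, i.e. IPv4 destinations
    ("2002::/16", 30, 2),
    ("fc00::/7", 3, 13),
]


def make_table(rows: Sequence[Tuple[str, int, int]]) -> List[PolicyEntry]:
    return [PolicyEntry(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in rows]


def with_entry(table, prefix: str, precedence: int, label: int) -> List[PolicyEntry]:
    """Model configuring one policy entry; an entry for the same prefix is replaced."""
    net = ipaddress.IPv6Network(prefix)
    kept = [e for e in table if e.prefix != net]
    return kept + [PolicyEntry(net, precedence, label)]


def lookup(table, address: str) -> PolicyEntry:
    """Longest-prefix match, as in a routing table."""
    ip = ipaddress.IPv6Address(address)
    matches = [e for e in table if ip in e.prefix]
    if not matches:
        raise LookupError(f"no policy entry covers {address}")
    return max(matches, key=lambda e: e.prefix.prefixlen)


def select_source(table, destination: str, candidates: Sequence[str]) -> str:
    """Prefer the candidate whose label equals the destination's label."""
    wanted = lookup(table, destination).label
    for candidate in candidates:
        if lookup(table, candidate).label == wanted:
            return candidate
    return candidates[0]


def select_destination(table, destinations: Sequence[str], sources: Sequence[str]) -> str:
    """Rank destinations by (label matches chosen source, precedence)."""
    def rank(dst: str):
        entry = lookup(table, dst)
        src = select_source(table, dst, sources)
        return (lookup(table, src).label == entry.label, entry.precedence)
    return max(destinations, key=rank)


if __name__ == "__main__":
    table = make_table(DEFAULT_ROWS)
    local = ["2001:db8:1::5", "::ffff:198.51.100.5"]        # constructed
    answers = ["::ffff:192.0.2.10", "2001:db8:a::10"]       # dual-stack DNS result
    print(select_destination(table, answers, local))         # IPv6 wins by default
    prefer_v4 = with_entry(table, "::ffff:0:0/96", 100, 4)
    print(select_destination(prefer_v4, answers, local))     # IPv4 wins after override
```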

Configuring ICMPv6 Packet Control

Configuring ICMPv6 packet control reduces network traffic and prevents malicious attacks.

Context

If a large number of ICMPv6 error packets are sent on the network in a short period, network congestion may occur. To prevent network congestion, you can limit the maximum number of ICMPv6 error packets sent in a specified period using the token bucket algorithm.

You can set the bucket size and interval for placing tokens into the bucket. The bucket size indicates the maximum number of tokens that a bucket can hold. One token represents an ICMPv6 error packet. When an ICMPv6 error packet is sent, one token is taken out of the token bucket. When there is no token, ICMPv6 error packets cannot be sent until new tokens are placed into the token bucket after the interval.
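
The token bucket behaviour described above, as an added example that is not part of the original guide. It uses the default bucket size (10) and interval (100 ms) stated in this section and assumes that the bucket starts full and that one token is added per interval; the event times are constructed.

```python
from typing import Iterable, List, Tuple


class IcmpErrorLimiter:
    """Token bucket: one token per ICMPv6 error packet the device may send."""

    def __init__(self, bucket_size: int = 10, interval_ms: int = 100):
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size      # assumption: bucket starts full
        self.last_refill_ms = 0

    def allow(self, now_ms: int) -> bool:
        """Return True if an error packet generated at now_ms may be sent."""
        # Add one token for every whole interval that has elapsed, capped at
        # the bucket size so idle time cannot build an unlimited burst.
        added = (now_ms - self.last_refill_ms) // self.interval_ms
        if added > 0:
            self.tokens = min(self.bucket_size, self.tokens + added)
            self.last_refill_ms += added * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(event_times_ms: Iterable[int], limiter: IcmpErrorLimiter) -> List[bool]:
    """Feed error-generating events (in time order) through the limiter."""
    return [limiter.allow(t) for t in event_times_ms]


def summarize(decisions: List[bool]) -> Tuple[int, int]:
    """Return (sent, suppressed)."""
    sent = sum(decisions)
    return sent, len(decisions) - sent


# Constructed schedule: a burst of 25 unreachable destinations at t=0 (for
# example a port scan hitting the device), a few stragglers, then a second
# burst after a long quiet period.
SAMPLE_EVENTS_MS = [0] * 25 + [250] * 3 + [300] + [5000] * 12

if __name__ == "__main__":
    decisions = simulate(SAMPLE_EVENTS_MS, IcmpErrorLimiter())
    print("sent=%d suppressed=%d" % summarize(decisions))
```

A burst never produces more error packets than the bucket size, and the sustained rate is bounded by one packet per interval, which limits how much traffic a sender of malformed or unroutable packets can make the device emit.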

If transmission of too many ICMPv6 error packets causes network congestion or the network is attacked by forged ICMPv6 error packets, you can disable the system from sending ICMPv6 error packets, Host Unreachable packets, and Port Unreachable packets.

Pre-configuration Tasks

Before setting rate limit for sending ICMPv6 error packets, complete the following task:

Procedure

  • Control ICMPv6 messages in the system view.
    1. Run:

      system-view

      The system view is displayed.

    2. Run the following commands to configure ICMPv6 packet control.

      • Run:

        ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

        Rate limit for sending ICMPv6 error packets is set.

        By default, a token bucket can hold a maximum of 10 tokens and the interval for placing tokens into the bucket is 100 ms.

      • Run:

        ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive disable

        The system is disabled from receiving ICMPv6 messages.

        By default, the system is enabled to receive ICMPv6 messages.

      • Run:

        ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } send disable

        The system is disabled from sending ICMPv6 messages.

        By default, the system is enabled to send ICMPv6 messages.

    3. Run:

      commit

      The configuration is committed.

  • Control ICMPv6 messages in the interface view.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    5. Run the following commands to configure ICMPv6 packet control.

      • Run:

        ipv6 icmp hop-limit-exceeded send disable

        The interface is disabled from sending ICMPv6 hop-limit-exceeded messages.

        By default, the transmission of ICMPv6 Hop Limit Exceeded messages configured globally also takes effect on an interface.

      • Run:

        ipv6 icmp host-unreachable send disable

        The interface is disabled from sending ICMPv6 host-unreachable packets.

        By default, the transmission of ICMPv6 host-unreachable messages configured globally also takes effect on an interface.

      • Run:

        ipv6 icmp port-unreachable send disable

        The interface is disabled from sending ICMPv6 Port Unreachable messages.

        By default, the transmission of ICMPv6 Port Unreachable messages configured globally also takes effect on an interface.

    6. Run:

      commit

      The configuration is committed.

Checking the Configuration
  • Run the display icmpv6 statistics [ interface interface-type interface-number ] command to check ICMPv6 traffic statistics.

Configuring IPv6 Neighbor Discovery

The Neighbor Discovery Protocol (NDP) is a basic IPv6 protocol. It replaces the Address Resolution Protocol (ARP) and ICMP Router Discovery on an IPv4 network. Additionally, IPv6 ND provides redirection and neighbor unreachability detection.

Pre-configuration Tasks

Before configuring IPv6 ND, complete the following task:

Configuration Process

You can perform the following configuration tasks in any sequence as required.

Configuring Static Neighbors

Context

To communicate with a destination host, a host needs to obtain the link-layer address of the destination host. The link-layer address of a neighbor node can be obtained using the neighbor discovery mechanism or by manually configuring static neighbor entries. A device identifies a static neighbor entry based on the IPv6 address of this neighbor and number of the Layer 3 interface connected to this neighbor. To filter invalid packets, you can create static neighbor entries, binding the destination IPv6 addresses of these packets to nonexistent MAC addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    The static neighbor entries can be configured on interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, and VLANIF interfaces.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    ipv6 enable

    The IPv6 function is enabled.

    By default, the IPv6 function is disabled on an interface.

  5. Run the following commands to configure static neighbors based on the interface type.

    • For a VLANIF interface, run the ipv6 neighbor ipv6-address mac-address vlan vlan-id interface-type interface-number command.
    • For a GE interface, 10GE interface, 40GE interface, or an Eth-Trunk interface, run the ipv6 neighbor ipv6-address mac-address command.

    By default, no static neighbor entry is configured.

  6. Run:

    commit

    The configuration is committed.

Configuring Neighbor Discovery

Context

IPv6 NDP provides the following functions: address resolution, neighbor unreachability detection, DAD, router/prefix discovery, address autoconfiguration, and redirection.

NOTE:

After the IPv6 function is enabled on the switch modules, the switch modules automatically implement address resolution, DAD, and redirection. Neighbor unreachability detection, router/prefix discovery, and address autoconfiguration need to be manually configured. You can also configure the switch modules to send RA packets to enable router/prefix discovery and address autoconfiguration, and enable the automatic detection of ND entries to check whether neighbors are reachable.

After the automatic detection of ND entries is enabled on the switch modules, the switch modules can send NS packets to check whether neighbors are reachable before aging ND entries. If neighbors are reachable, the switch modules update ND entries; otherwise, the switch modules age ND entries.

You can enable the switch modules to send RA packets. After receiving the RA packets, network nodes perform address autoconfiguration and router/prefix discovery based on the prefix and other configuration information in the RA packets.

After the preceding configurations are complete, NDP functions work properly. You can also adjust ND parameters based on service requirements.

Procedure

  1. You can run the following commands to enable NDP functions to work properly.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      undo ipv6 nd auto-detect disable

      Automatic detection of ND entries is enabled.

      By default, automatic detection of ND entries is enabled.

    3. Run:

      interface interface-type interface-number

      The interface view is displayed.

      You can configure the switch to send RA packets in the GE interface view, 10GE interface view, 40GE interface view, Eth-Trunk interface view, or VLANIF interface view.

    4. (For Ethernet interfaces) Run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      The command fails if any Layer 2 configuration exists on the interface. In such a case, clear the Layer 2 configurations on the interface before running the undo portswitch command.
      NOTE:

      You can run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch the working mode of multiple Ethernet interfaces in batches.

    5. Run:

      ipv6 enable

      The IPv6 function is enabled.

      By default, the IPv6 function is disabled on an interface.

    6. Run:

      ipv6 nd ra halt disable

      The system is enabled to send RA packets.

      By default, the system is disabled from sending RA packets.

    7. Run:

      commit

      The configuration is committed.

  2. (Optional) After completing the preceding configurations, adjust ND parameters to meet service requirements.

    Perform the following operations in the system view.

    Run:

    quit

    Return to the system view.

    • In the system view, run:

      ipv6 nd hop-limit limit

      The hop limit for IPv6 unicast packets initially sent by a device is set.

      By default, the IPv6 unicast packets initially sent by a device can travel 64 hops.

    • In the system view, run:

      ipv6 nd pre-detect

      Pre-detection of ND entries is enabled.

      By default, pre-detection of ND entries is disabled, which is recommended.

    • In the system view, run:

      ipv6 nd stale-timeout timeout-value

      The aging time of ND entries in STALE state is set.

      By default, the aging time of ND entries in STALE state is 1200 seconds.

    Perform the following operations on interfaces.

    Run:

    interface interface-type interface-number

    The interface view is displayed.

    • Run:

      ipv6 nd stale-timeout seconds

      The aging time of ND entries in STALE state is set.

      By default, the aging time of ND entries in STALE state is 1200 seconds.

    • Run:

      ipv6 nd ra hop-limit limit

      The hop limit for RA packets is set.

      By default, the hop limit for RA packets is 64.

    • Run:

      ipv6 nd ns retrans-timer interval

      The interval for sending NS packets is set.

      By default, the interval for sending NS packets is 1000 ms.

    • Run:

      ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

      The interval for sending RA packets is set.

      By default, the maximum interval is 600s and the minimum interval is 200s.

    • Run:

      ipv6 nd ra prefix { ipv6-address prefix-length | ipv6-address/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]

      Prefix information in RA packets is configured.

      By default, an RA packet carries only the address prefix configured using the ipv6 address command.

    • Run:

      ipv6 nd autoconfig managed-address-flag

      The managed address configuration flag (M flag) for stateful autoconfiguration in RA packets is set.

      By default, the M flag in an RA packet is not set.

    • Run:

      ipv6 nd autoconfig other-flag

      The other configuration flag (O flag) for stateful autoconfiguration in RA packets is set.

      By default, the O flag in an RA packet is not set.

    • Run:

      ipv6 nd nud reachable-time value

      The IPv6 neighbor reachable time is set.

      By default, the IPv6 neighbor reachable time is 1200000 ms.

    • Run:

      ipv6 nd ra router-lifetime ra-lifetime

      The time to live (TTL) is set for RA packets.

      By default, the TTL of an RA packet is 1800s.

    • Run:

      ipv6 nd dad attempts value

      The number of times NS packets are sent when the system performs Duplicate Address Detection is set.

      By default, the number of times NS packets are sent when the system performs DAD is 1.

    • Run:

      commit

      The configuration is committed.

Checking the Configuration
Procedure
  • Run the display ipv6 interface [ interface-type interface-number | brief ] command to check IPv6 information on an interface.
  • Run the display ipv6 neighbors [ ipv6-address | [ vlan vlan-id ] interface-type interface-number | vpn-instance vpn-instance-name ] command to check information about neighbor entries.

Configuring IPv6 SEND

The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor Discovery Protocol (NDP) in IPv6.

Pre-configuration Tasks

Before configuring IPv6 SEND, complete the following tasks:

Configuration Process

You can perform the following configuration tasks in sequence.

Configuring a CGA IPv6 Address

Context

To enable IPv6 SEND to protect ND messages that carry CGA and RSA options, you need to configure a CGA IPv6 address on an interface that sends ND messages. After receiving the packet, the peer device uses the CGA option to authenticate the validity of source IP addresses carried in ND messages and the RSA option to authenticate the completeness of ND messages.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    rsa key-pair label label-name [ modulus modulus-bits ]

    An RSA key pair is created.

  3. Run:

    interface interface-type interface-number

    The view of the interface where a CGA IPv6 address needs to be configured is displayed.

  4. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  5. Run:

    ipv6 enable

    The IPv6 function is enabled on the interface.

    By default, the IPv6 function is disabled on an interface.

  6. Run:

    ipv6 security rsakey-pair label-name

    The RSA key pair is bound to the interface to generate a CGA address.

    By default, an RSA key pair is not bound to an interface.

    The RSA key pair is created using the rsa key-pair label label-name [ modulus modulus-bits ] command in step 2.

  7. Run:

    ipv6 security modifier sec-level sec-value [ modifier-value ]

    The modifier value and security level are configured for the CGA address.

    By default, no modifier value or security level is set for a CGA address.

    The modifier value can be manually configured only when the security level of the CGA address is 0.

  8. Configure a CGA IPv6 address. Run the following commands as required. You can configure both the CGA link-local address and the global unicast address, or only one of them.

    • Run:

      ipv6 address ipv6-address link-local cga

      A CGA IPv6 address is configured.

      By default, no link-local address is configured for an interface.

    • Run:

      ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga

      A CGA global unicast address is configured.

      By default, no CGA global unicast address is configured.

  9. Run:

    commit

    The configuration is committed.
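
How a CGA address binds the interface identifier to the RSA public key, and what the security level and modifier do, as an added example that is not part of the original guide or the device's own code. It assumes the generation and verification algorithm of RFC 3972 without extension fields; the public key is a constructed placeholder byte string (a real SEND message carries a DER-encoded key) and the prefix is a documentation prefix.

```python
import hashlib
import ipaddress
from typing import Tuple

# Interface-identifier bits that carry Hash1: all except the three Sec bits
# and the u/g bits of the first octet (RFC 3972).
HASH1_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed placeholder standing in for the DER-encoded public key.
SAMPLE_PUBKEY = b"constructed-placeholder-for-der-encoded-rsa-public-key"


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 condition: the leftmost 16*sec bits of SHA-1 must be zero."""
    digest = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return digest[: 2 * sec] == b"\x00" * (2 * sec)


def cga_generate(prefix: str, pubkey: bytes, sec: int, modifier: int = 0,
                 collision_count: int = 0) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Return (CGA address, final 16-byte modifier) for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("CGA needs a /64 prefix and a security level of 0..7")
    # For sec > 0 the modifier is the result of a brute-force search costing
    # about 2**(16*sec) hashes. For sec == 0 any modifier is acceptable.
    while not hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
    mod = modifier.to_bytes(16, "big")
    subnet = net.network_address.packed[:8]
    hash1 = hashlib.sha1(mod + subnet + bytes([collision_count]) + pubkey).digest()[:8]
    iid = (int.from_bytes(hash1, "big") & HASH1_MASK) | (sec << 61)
    return ipaddress.IPv6Address(subnet + iid.to_bytes(8, "big")), mod


def cga_verify(address: str, modifier: bytes, collision_count: int,
               pubkey: bytes) -> bool:
    """Receiver-side check that the address was derived from this public key."""
    packed = ipaddress.IPv6Address(address).packed
    subnet, iid = packed[:8], int.from_bytes(packed[8:], "big")
    if collision_count not in (0, 1, 2) or len(modifier) != 16:
        return False
    hash1 = hashlib.sha1(modifier + subnet + bytes([collision_count]) + pubkey).digest()[:8]
    if (int.from_bytes(hash1, "big") & HASH1_MASK) != (iid & HASH1_MASK):
        return False                    # address not bound to this key/prefix
    return hash2_ok(modifier, pubkey, iid >> 61)   # Sec is read from the address


if __name__ == "__main__":
    addr, mod = cga_generate("2001:db8:1::/64", SAMPLE_PUBKEY, sec=0, modifier=0x1234)
    print(addr, cga_verify(str(addr), mod, 0, SAMPLE_PUBKEY))
    # A different key cannot claim the same address.
    print(cga_verify(str(addr), mod, 0, SAMPLE_PUBKEY + b"x"))
```

In this algorithm the modifier for a security level above 0 comes out of the search loop, so only level 0 leaves room for a manually chosen value.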

Enable IPv6 SEND

Context

When IPv6 SEND is enabled, that is, when the strict security mode is enabled on an interface, the interface regards a received ND message as insecure and discards it in the following cases:
  • The received ND message does not carry a CGA or RSA option. That is, the interface that sent the ND message does not have a CGA address.
  • The rate of processing the received ND message exceeds the rate limit of the system.
  • The key length in the received ND message is out of the length range allowed on the interface.
  • The difference between the receive time and the send time of the ND message is out of the time range allowed on the interface.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    ipv6 nd security rate-limit ratelimit-value

    The rate limit for processing received ND messages is set.

    By default, no rate limit for the system to process received ND messages is set.

  3. Run:

    interface interface-type interface-number

    The interface view is displayed.

  4. (Optional) Run:

    ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *

    The key length allowed on the interface is set.

    By default, the minimum key length is 512 bits and the maximum key length is 2048 bits.

  5. (Optional) Run:

    ipv6 nd security timestamp { delta delta-value | drift drift-value | fuzz-factor fuzz-value } *

    The timestamp configuration parameters are set.

    By default, the maximum difference between the receive time and send time of an ND message is 300 seconds; the maximum difference between the system time of the sender and the system time of the receiver is 1%; the maximum alive time of an ND message is 1 second.

  6. Run:

    ipv6 nd security strict

    The strict security mode is enabled on the interface.

    By default, the strict security mode is not enabled on an interface.

  7. Run:

    commit

    The configuration is committed.
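
The strict-mode discard conditions listed in the Context above, as an added example that is not part of the original guide or the device's own logic. It uses the default key length range and timestamp values stated in this procedure, assumes the timestamp check of RFC 3971 (delta for the first message from a peer, fuzz and drift for later ones), leaves the system-wide rate limit out, and runs on constructed message records.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class SendPolicy:
    min_key_bits: int = 512
    max_key_bits: int = 2048
    delta: float = 300.0   # seconds
    fuzz: float = 1.0      # seconds
    drift: float = 0.01    # 1%


@dataclass
class NdMessage:
    peer: str          # sender address
    has_cga: bool
    has_rsa: bool
    key_bits: int      # RSA modulus length of the key in the CGA option
    timestamp: float   # sender's Timestamp option, seconds
    received: float    # receiver's clock at arrival, seconds


class StrictReceiver:
    """Decides accept/drop for ND messages on an interface in strict mode."""

    def __init__(self, policy: SendPolicy):
        self.policy = policy
        self.last: Dict[str, Tuple[float, float]] = {}  # peer -> (RDlast, TSlast)

    def check(self, m: NdMessage) -> str:
        p = self.policy
        if not (m.has_cga and m.has_rsa):
            return "drop: missing CGA or RSA option"
        if not p.min_key_bits <= m.key_bits <= p.max_key_bits:
            return "drop: key length out of range"
        previous = self.last.get(m.peer)
        if previous is None:
            # First message from this peer: clocks must agree within delta.
            if abs(m.received - m.timestamp) >= p.delta:
                return "drop: timestamp outside delta"
            self.last[m.peer] = (m.received, m.timestamp)
            return "accept"
        rd_last, ts_last = previous
        # Later messages: the sender's timestamp must have advanced roughly
        # as much as the receiver's clock, which rejects replayed messages.
        expected = ts_last + (m.received - rd_last) * (1 - p.drift) - p.fuzz
        if not m.timestamp + p.fuzz > expected:
            return "drop: stale timestamp"
        if m.timestamp > ts_last:
            self.last[m.peer] = (m.received, m.timestamp)
        return "accept"


if __name__ == "__main__":
    rx = StrictReceiver(SendPolicy())
    first = NdMessage("fe80::1", True, True, 1024, timestamp=1000.0, received=1002.0)
    print(rx.check(first))
    replayed = NdMessage("fe80::1", True, True, 1024, timestamp=1000.0, received=1100.0)
    print(rx.check(replayed))
```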

Checking the Configurations

Procedure

  • Run the display ipv6 security interface interface-type interface-number command to check the IPv6 SEND configurations.

Configuring PMTU

When the device functions as the source node and sends IPv6 packets to the destination node, the device fragments packets based on PMTU. The intermediate device does not need to fragment packets. This reduces the burden of the intermediate device to effectively use network resources and obtain the maximum throughput.

Pre-configuration Tasks

Before configuring PMTU, complete the following tasks:

Configuration Process

You can perform the following configuration tasks in any sequence as required.

Configuring Static PMTU

Context

Generally, the PMTU is dynamically negotiated according to the IPv6 MTU value of an interface. In special situations, to protect devices on the network and avoid attacks from large-sized packets, you can manually configure the PMTU to a specified destination node to control the maximum length of packets forwarded from the device to the destination node.

NOTE:

When the PMTU from the device to a specified destination node is set, the IPv6 MTU values for interfaces on all intermediate devices cannot be smaller than the configured PMTU value. Otherwise, packets are discarded.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Configure the IPv6 MTU for an interface.

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

      The IPv6 MTU can be configured for interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, VLANIF, and tunnel interfaces.

    2. (For Ethernet interfaces) Run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      The command fails if any Layer 2 configuration exists on the interface. In such a case, clear the Layer 2 configurations on the interface before running the undo portswitch command.

      NOTE:

      You can run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch the working mode of multiple Ethernet interfaces in batches.

    3. Run:

      ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    4. Run:

      ipv6 mtu mtu

      The MTU of IPv6 packets on an interface is set.

      By default, the MTU of IPv6 packets on an interface is 1500 bytes.

      NOTE:

      After the MTU value is changed, run the shutdown and undo shutdown or restart (interface view) commands to restart the interface to make the changed MTU take effect.

    5. Run:

      quit

      Return to the system view.

  3. Run:

    ipv6 pathmtu ipv6-address [ vpn-instance vpn-instance-name ] [ path-mtu ]

    The PMTU is set for a specified IPv6 address.

  4. Run:

    commit

    The configuration is committed.

Setting the Aging Time of Dynamic PMTU

Context

When the device functions as the source node and sends packets to the destination node, the device dynamically negotiates the PMTU with the destination node according to the IPv6 MTU values of interfaces and fragments packets based on the PMTU. After the PMTU ages out, the dynamic PMTU is deleted. The source node dynamically renegotiates the PMTU with the destination node.

NOTE:

When both static PMTU and dynamic PMTU are configured, only static PMTU takes effect. Static PMTU entries never age.

The interface MTU, IPv6 interface MTU, and PMTU are valid only for the packets generated on the device but not for the packets forwarded by the host.

A switch can receive ICMPv6 error packets that are sent from other devices and learn the path MTU from the received ICMPv6 error packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Configure the IPv6 MTU for an interface.

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

      The IPv6 MTU can be configured for interfaces of the switch, including GE, 10GE, 40GE, Eth-Trunk, VLANIF, and tunnel interfaces.

    2. (For Ethernet interfaces) Run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      The command fails if any Layer 2 configuration exists on the interface. In such a case, clear the Layer 2 configurations on the interface before running the undo portswitch command.

      NOTE:

      You can run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch the working mode of multiple Ethernet interfaces in batches.

    3. Run:

      ipv6 enable

      The IPv6 function is enabled on the interface.

      By default, the IPv6 function is disabled on an interface.

    4. Run:

      ipv6 mtu mtu

      The MTU of IPv6 packets on an interface is set.

      By default, the MTU of IPv6 packets on an interface is 1500 bytes.

      NOTE:

      After the MTU value is changed, run the shutdown and undo shutdown or restart (interface view) commands to restart the interface to make the changed MTU take effect.

    5. Run:

      quit

      The system view is displayed.

  3. Run:

    ipv6 pathmtu age age-time

    The aging time is set for dynamic PMTU entries.

    By default, the aging time of dynamic PMTU entries is 10 minutes.

  4. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all | dynamic | static } command to check all PMTU entries.
  • Run the display ipv6 interface [ interface-type interface-number | brief ] command to check the IPv6 information on the interface.
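The interaction between static entries, dynamic entries learned from ICMPv6 error packets, and the aging time can be modeled as follows. This Python code is an added example, not the switch's implementation. The class and method names and the addresses are constructed, and the handling of Packet Too Big reports (ignore values below 1280 bytes, never raise the estimate) follows RFC 8201 rather than anything stated in this guide.

```python
IPV6_MIN_MTU = 1280     # minimum IPv6 link MTU (RFC 8200)
DEFAULT_AGE = 10 * 60   # default aging time of dynamic entries, in seconds


class PmtuTable:
    def __init__(self, link_mtu: int = 1500, age: int = DEFAULT_AGE):
        self.link_mtu = link_mtu   # 1500 is the default IPv6 MTU in this guide
        self.age = age
        self.static = {}           # destination -> PMTU, never ages
        self.dynamic = {}          # destination -> (PMTU, time learned)

    def set_static(self, dst: str, mtu: int) -> None:
        # Assumption: the range the switch accepts is not given on this page.
        if mtu < IPV6_MIN_MTU:
            raise ValueError("PMTU below the IPv6 minimum link MTU")
        self.static[dst] = mtu

    def _dynamic_mtu(self, dst: str, now: float) -> int:
        entry = self.dynamic.get(dst)
        if entry is not None and now - entry[1] < self.age:
            return entry[0]
        self.dynamic.pop(dst, None)    # aged out: fall back and relearn
        return self.link_mtu

    def lookup(self, dst: str, now: float) -> int:
        # When both kinds of entry exist, only the static one takes effect.
        if dst in self.static:
            return self.static[dst]
        return self._dynamic_mtu(dst, now)

    def on_packet_too_big(self, dst: str, reported: int, now: float) -> bool:
        """Handle an ICMPv6 Packet Too Big report; True if an entry was learned."""
        if reported < IPV6_MIN_MTU or reported >= self._dynamic_mtu(dst, now):
            return False               # implausible, or would raise the PMTU
        self.dynamic[dst] = (reported, now)
        return True


def demo() -> list:
    t = PmtuTable()
    dst = "2001:db8::10"               # constructed documentation address
    out = [t.on_packet_too_big(dst, 1400, now=0),    # learned
           t.on_packet_too_big(dst, 1000, now=10),   # below 1280, ignored
           t.on_packet_too_big(dst, 1450, now=10),   # would raise, ignored
           t.lookup(dst, now=599), t.lookup(dst, now=600)]
    t.set_static("2001:db8::20", 1300)
    t.on_packet_too_big("2001:db8::20", 1290, now=0)
    out.append(t.lookup("2001:db8::20", now=10**6))  # static never ages
    return out
```

A short aging time limits how long a wrongly learned low PMTU stays in effect, at the cost of more frequent renegotiation.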

Configuring TCP6

You can configure TCP6 attributes to improve network performance.

Pre-configuration Tasks

Before configuring TCP6, complete the following task:

  • Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up

Configuration Process

You can perform the following configuration tasks in any sequence as required.

Setting TCP6 Timers

Context

You need to set the following TCP6 timers:

  • SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer is started. If no response packet is received after the SYN-Wait timer expires, the TCP6 connection is terminated.

  • FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to FIN_WAIT_2, the FIN-Wait timer is started. If no response packet is received after the FIN-Wait timer expires, the TCP6 connection is terminated.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    tcp ipv6 timer syn-timeout interval

    The SYN-Wait timer is set for TCP6 connections.

    By default, the value of the SYN-Wait timer is set to 75s.

  3. Run:

    tcp ipv6 timer fin-timeout interval

    The FIN-Wait timer is set for TCP6 connections.

    By default, the value of the FIN-Wait timer is set to 675s.

  4. Run:

    commit

    The configuration is committed.

Setting the TCP6 Sliding Window Size

Context

You can set the TCP6 sliding window size to improve network performance. The sliding window size indicates the receive or send buffer size of a TCP6 socket.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    tcp ipv6 window window-size

    The receive and send buffer sizes of a TCP6 socket are set.

    By default, the receive or send buffer size of a TCP6 socket is 8 KB.

  3. Run:

    commit

    The configuration is committed.

Setting the MSS Value for a TCP6 Connection

Context

Setting the maximum value of Maximum Segment Size (MSS) for a TCP6 connection defines the largest TCP6 packet size, allowing TCP6 packets to be successfully forwarded by intermediate devices when no Path MTU is available.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    tcp ipv6 max-mss mss-value

    The maximum MSS value is set for a TCP6 connection.

    By default, the maximum MSS value is not configured for TCP6 connections.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display tcp ipv6 status [ local-ip local-ip ] [ local-port local-port ] [ remote-ip remote-ip ] [ remote-port remote-port ] [ cid cid ] [ socket-id socket-id ] command to check the status of all IPv6 TCP connections.
Updated: 2019-08-09

Document ID: EDOC1000041694
