NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring DHCPv6 Relay

When a DHCPv6 client and a DHCPv6 server reside on different links, configure a DHCPv6 relay agent to relay DHCPv6 messages between the client and server.

Usage Scenario

On the network shown in Figure 5-1, DHCPv6 clients reside on Network A, and the DHCPv6 server resides on Network B. A DHCPv6 relay agent must be configured to relay DHCPv6 messages between the clients and server so that the clients can apply for IPv6 addresses from the server.

Figure 5-1 Configuring DHCPv6 relay

Pre-configuration Tasks

Before configuring DHCPv6 relay, complete the following tasks:

  • Configure a DHCPv6 server.
  • Configure a DHCPv6 relay interface.
  • Configure a route on the DHCPv6 server destined for the DHCPv6 relay interface.

Configuration Procedures

Figure 5-2 Flowchart for configuring DHCPv6 relay

Enable DHCPv6

DHCPv6 provides client, relay, and server functions.

Context

DHCPv6 provides client, relay, and server functions. The NE20E supports only the DHCPv6 relay function.

A DHCP Unique Identifier (DUID) uniquely identifies a DHCPv6 device. Each DHCPv6 client or server must have one DUID. The DUID is optional for DHCPv6 relay agents.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcpv6 enable

    DHCPv6 is enabled globally.

  3. (Optional) Run dhcpv6 duid { duid-value | llt }

    The DUID is configured for the device.

  4. Run commit

    The configuration is committed.

Configuring DHCPv6 Relay Forwarding

DHCPv6 relay forwarding functions are configured on the inbound interface of DHCPv6 messages. You can specify the outbound interface, or destination DHCPv6 server address, or next-hop DHCPv6 relay agent address.

Context

To relay packets sent from DHCPv6 clients on a network segment, configure DHCPv6 relay forwarding on the DHCPv6 relay agent's interface that connects to the network segment. If multiple outbound interfaces or destination IPv6 addresses are specified, the DHCPv6 relay agent forwards one copy of packets to each outbound interface or destination IPv6 address. The destination IPv6 address can be an interface address on the next-hop DHCPv6 relay agent or the DHCPv6 server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run dhcpv6 relay server group group-name

    A DHCPv6 relay server group is configured, and the server group view is displayed.

    If you want to enable DHCPv6 relay on multiple interfaces and specify the same DHCPv6 relay servers for these interfaces, configure a DHCPv6 relay server group to simplify the configuration.

  3. (Optional) Run server server-addr

    A server is added to the DHCPv6 relay server group.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number

    The interface view is displayed.

  6. Run either of the following commands:

    • To specify an outbound interface or destination IPv6 address for DHCPv6 messages on the interface, run the dhcpv6 relay { interface interface-type interface-number | destination ipv6-address } command.
    • To bind the interface to a DHCPv6 relay server group, run the dhcpv6 relay binding server group command.

  7. (Optional) Run dhcpv6 relay link-address ipv6-address

    A DHCPv6 relay gateway address is configured.

  8. (Optional) Run dhcpv6 relay source-ip-address ipv6-address

    The source IPv6 address is specified for DHCPv6 messages on the interface.

  9. Run quit

    Return to the system view.

  10. (Optional) Run dhcpv6 rate-limit { enable | rate-limit }

    Global rate limiting is enabled for DHCPv6 messages.

    With global rate limiting enabled and a rate limit configured for DHCPv6 messages, the device controls the rate at which it processes DHCPv6 messages when it is being attacked or the system is busy, and discards the messages that exceed the specified rate limit.

  11. (Optional) Run dhcpv6 source-ip-address format adaptive enable

    The source IPv6 address type of the response packets sent by the DHCPv6 relay to the DHCPv6 client is configured as link-local.

  12. Run commit

    The configuration is committed.

(Optional) Configuring DHCPv6 PD Relay Functions

A DHCPv6 relay agent can be configured to advertise DHCPv6 PD routes, limit the maximum number of access DHCPv6 clients, and check the physical information of DHCPv6 packets.

Context

The NE20E functioning as a DHCPv6 relay agent supports the following DHCPv6 PD relay functions:
  • Advertises DHCPv6 PD routes.

    In DHCPv6 (IA_PD) scenarios, a DHCPv6 relay agent generates a PD route based on the DHCPv6 PD prefix assigned by the DHCPv6 server to a DHCPv6 client. By default, this PD route applies only to the relay agent and is not advertised. Other devices cannot obtain the routes destined for the CPE and its attached user terminals. As a result, the user terminals cannot access the network. To allow devices to obtain routes destined for the CPE and its attached user terminals, perform either of the following operations:
    • Configure a summarized route with a DHCPv6 PD prefix and use a routing protocol to advertise the route to other devices. This method is recommended because it does not require other devices to learn many routes, so it has little impact on the core network.
    • Run the dhcpv6 export pd-route command to allow a DHCPv6 relay agent to automatically advertise the PD routes it generated to other devices. Because the PD routes generated on the DHCPv6 relay agent are destined for clients and the clients are constantly applying for and releasing prefixes, PD routes cannot be dynamically summarized. Advertising all PD routes has a large impact on the core network. Therefore, this method is not recommended.
  • Configures the maximum number of access DHCPv6 clients on the DHCPv6 relay agent.

    The maximum number of access DHCPv6 clients can be limited on an interface or a specified interface in a VLAN.

  • Configures the DHCPv6 relay agent to check the physical information of DHCPv6 packets.

    If the location of a WLAN user changes, the physical information (user access interface, PE-VLAN ID, and CE-VLAN ID) of DHCPv6 packets from that user will also change. In this case, the DHCPv6 relay agent does not need to check the physical information of DHCPv6 packets.

    However, the physical information of DHCPv6 packets from fixed network users does not change unless an error has occurred. To allow a DHCPv6 relay interface to check the physical information of DHCPv6 packets for security purposes, run the dhcpv6 relay strict-check interface-info command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcpv6 export pd-route

    The DHCPv6 relay agent is enabled to advertise DHCPv6 PD routes.

  3. Run dhcpv6 relay pd-route auto-save file-name

    The DHCPv6 relay agent is enabled to automatically save PD routes.

    After a DHCPv6 relay agent is restarted, the PD routes are lost, so users cannot access the network. After you enable the DHCPv6 relay agent to save PD routes to a file, it can restore the PD routes from the file after a restart.

  4. Run interface interface-type interface-number

    The DHCPv6 relay interface view is displayed.

  5. Run dhcpv6 relay access-limit

    The maximum number of access DHCPv6 clients on the DHCPv6 relay interface is configured. After the number is reached, additional DHCPv6 clients are not allowed to go online through the DHCPv6 relay interface.

    • The dhcpv6 relay access-limit limit-number command configures the maximum number of access DHCPv6 clients on a DHCPv6 relay interface.
    • The dhcpv6 relay access-limit limit-number vlan vlan-id [ end-vlan-id ] command configures the maximum number of access DHCPv6 clients in a specified VLAN on a DHCPv6 relay interface. If both vlan-id and end-vlan-id are configured to specify a VLAN range, the maximum number of access DHCPv6 clients applies to all the VLANs in this range. Each relay interface supports 16 VLAN ranges. For example, if the dhcpv6 relay access-limit 1 vlan 1 100 command is run on GE 0/1/1.1, one DHCPv6 client is allowed to go online through VLANs in the range 1-100.
    • The dhcpv6 relay access-limit limit-number pevlan pevlan-id { cevlan cevlan-id [ end-cevlan-id ] | any } command configures the maximum number of DHCPv6 clients that send double-tagged packets to go online through a DHCPv6 relay interface. Each relay interface supports 16 VLAN ranges. If you configure any for cevlan, the maximum number of DHCPv6 clients whose packets carry the outer VLAN ID specified by pevlan-id and any VLAN ID not in the CE-VLAN range is limited. This configuration is counted in the 16 VLAN ranges allowed. For example, if both the dhcpv6 relay access-limit 1 pevlan 2 cevlan 1 100 and dhcpv6 relay access-limit 2 pevlan 2 cevlan any commands are run on GE 0/1/1.1, one DHCPv6 client whose packets carry PE-VLAN 2 and any CE-VLAN ID in the range 1-100 is allowed to go online, and two DHCPv6 clients whose packets carry PE-VLAN 2 and any CE-VLAN ID in the range 101-4094 are allowed to go online.
    • The dhcpv6 relay access-limit limit-number vlan any command configures the maximum number of DHCPv6 clients that can go online through single or double VLANs that do not have such a limit configured. This configuration is not counted in the 16 VLAN ranges allowed. Run this command to limit the maximum number of access DHCPv6 clients on a DHCPv6 relay interface in a specified VLAN. For example, if DHCPv6 clients send double-tagged packets to go online, each pair of VLAN tags identifies a VLAN. Run the dhcpv6 relay access-limit 1 vlan any command to configure a DHCPv6 relay interface to allow only one client that sends double-tagged VLAN packets to go online. This configuration protects the device against packets with changing MAC addresses and DUIDs.

  6. Run dhcpv6 relay strict-check interface-info

    The DHCPv6 relay interface is enabled to check the physical information of DHCPv6 packets.

  7. Run commit

    The configuration is committed.
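
The pevlan/cevlan example in step 5 can be checked with a small model. The following is an added example, not Huawei code or part of the original guide: the class names, the use of a client identifier as the counting key, and the rule that an explicit CE-VLAN range is consulted before cevlan any are assumptions taken from the page's description.

```python
from dataclasses import dataclass, field

@dataclass
class Bucket:
    """One access-limit entry: a client cap shared by every VLAN it covers."""
    limit: int
    pevlan: int
    ce_lo: int = 1      # CE-VLAN range; 1-4094 stands in for 'cevlan any'
    ce_hi: int = 4094
    is_any: bool = False
    online: set = field(default_factory=set)

class RelayInterface:
    """Model (an assumption, not device code) of the pevlan/cevlan limits."""
    MAX_RANGES = 16     # VLAN ranges per relay interface, as stated on the page

    def __init__(self):
        self.buckets = []

    def access_limit(self, limit, pevlan, ce_lo=None, ce_hi=None):
        """Add one limit; omit ce_lo to model 'cevlan any'."""
        if len(self.buckets) >= self.MAX_RANGES:
            raise ValueError("interface already has 16 VLAN ranges")
        if ce_lo is None:
            self.buckets.append(Bucket(limit, pevlan, is_any=True))
        else:
            self.buckets.append(Bucket(limit, pevlan, ce_lo, ce_hi or ce_lo))

    def admit(self, client_id, pevlan, cevlan):
        """Return True if the client may go online, False if its bucket is full."""
        match = [b for b in self.buckets
                 if b.pevlan == pevlan and b.ce_lo <= cevlan <= b.ce_hi]
        if not match:
            return True     # no limit configured for this VLAN pair
        bucket = min(match, key=lambda b: b.is_any)  # explicit range before 'any'
        if client_id in bucket.online:
            return True     # already online, consumes no new slot
        if len(bucket.online) >= bucket.limit:
            return False
        bucket.online.add(client_id)
        return True

def page_example():
    """The page's two GE 0/1/1.1 commands, then five constructed clients."""
    ge = RelayInterface()
    ge.access_limit(1, pevlan=2, ce_lo=1, ce_hi=100)   # limit 1, cevlan 1 100
    ge.access_limit(2, pevlan=2)                       # limit 2, cevlan any
    clients = [("c1", 50), ("c2", 60), ("c3", 200), ("c4", 300), ("c5", 400)]
    return [ge.admit(cid, 2, ce) for cid, ce in clients]
```

The second client in CE-VLAN 60 is refused because the limit of one is shared across the whole 1-100 range, while the cevlan any entry keeps its own count of two.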

(Optional) Configuring DHCPv6 Relay Options

DHCPv6 relay options include the Interface-ID option, Remote-ID option, and Subscriber-ID option. These options carry detailed user information for address assignment and parameter configuration.

Context

A DHCPv6 server assigns IPv6 addresses and other configuration parameters to clients based on options carried in DHCPv6 messages. You can determine whether to enable the DHCPv6 relay agent to add these options to DHCPv6 messages based on the server implementation.

  • The Interface-ID option carries information about the inbound interface that receives client messages.
  • The Remote-ID option carries information about a DHCPv6 relay agent, such as the DUID, port identifier, and VLAN ID.
  • The Subscriber-ID option carries the MAC address of a client.

Among these options, the Interface-ID, Remote-ID, and Subscriber-ID options can be configured for Layer 2 or Layer 3 Ethernet interfaces.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dhcpv6 relay option-insert { interface-id mode { cn-telecom | tr-101 } | remote-id | subscriber-id }

    Or, dhcpv6 relay option-insert { interface-id mode self-define self-define-value | remote-id mode self-define self-define-value }

    The interface is enabled to add the Interface-ID, Subscriber-ID, and Remote-ID relay options to DHCPv6 messages.

  4. Run commit

    The configuration is committed.
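
To see what a server or packet collector receives once these options are inserted, the following added example (not Huawei code or part of the original guide) decodes a Relay-forward message and its Interface-ID, Remote-ID, and Subscriber-ID options using the standard wire format, rejecting options whose length field overruns the packet. The sample packet and its option contents are constructed, and the helper names are hypothetical.

```python
import ipaddress
import struct

RELAY_FORW = 12   # Relay-forward message type (RFC 8415)
HDR_LEN = 34      # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)
# Relay Message 9, Interface-ID 18 (RFC 8415); Remote-ID 37 (RFC 4649); Subscriber-ID 38 (RFC 4580)
NAMES = {9: "relay_message", 18: "interface_id", 37: "remote_id", 38: "subscriber_id"}

def tlv(code: int, data: bytes) -> bytes:
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data

def parse_relay_forward(pkt: bytes) -> dict:
    """Decode a Relay-forward header and the options the relay agent added."""
    if len(pkt) < HDR_LEN or pkt[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    out = {
        "hop_count": pkt[1],
        "link_address": str(ipaddress.IPv6Address(pkt[2:18])),
        "peer_address": str(ipaddress.IPv6Address(pkt[18:34])),
    }
    pos = HDR_LEN
    while pos < len(pkt):
        if pos + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", pkt, pos)
        data = pkt[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError(f"option {code} overruns the packet")
        pos += 4 + length
        if code == 37:  # Remote-ID = 4-byte enterprise number + opaque ID
            if length < 4:
                raise ValueError("Remote-ID shorter than its enterprise number")
            data = (struct.unpack("!I", data[:4])[0], data[4:])
        if code in NAMES:
            out[NAMES[code]] = data
    return out

# Constructed sample: Relay-forward carrying a 4-byte stand-in for a client message.
# 2001:db8::/32 and enterprise number 32473 are documentation values; contents are made up.
SAMPLE = (
    bytes([RELAY_FORW, 0])
    + ipaddress.IPv6Address("2001:db8:a::1").packed
    + ipaddress.IPv6Address("fe80::1").packed
    + tlv(18, b"GE0/1/1.1")
    + tlv(37, struct.pack("!I", 32473) + b"relay-1")
    + tlv(38, bytes.fromhex("020000000001"))
    + tlv(9, bytes([1, 0xAA, 0xBB, 0xCC]))
)
```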

(Optional) Configuring IPsec on a DHCPv6 Relay Agent

To defend against DoS attacks, configure IPsec on a DHCPv6 relay agent so that IPsec can be implemented on packets exchanged between DHCPv6 relay agents or between the DHCPv6 relay agent and DHCPv6 server.

Context

If an attacker pretends to be a DHCPv6 server and sends bogus DHCPv6 messages to a client, the client may suffer from DoS attacks or be incorrectly configured. To defend against DoS attacks, implement IPsec on packets exchanged between DHCPv6 relay agents or between a DHCPv6 relay agent and a DHCPv6 server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcpv6 ipsec sa sa-name [ peer peer-ipv6-address [ vpn-instance vpn-instance ] ]

    IPsec is enabled on the DHCPv6 relay agent to authenticate packets exchanged between DHCPv6 relay agents or between the DHCPv6 relay agent and DHCPv6 server.

    NOTE:

    An IPsec SA must have been configured before you run this command. For details, see IPsec Configuration.

  3. Run commit

    The configuration is committed.

Verifying the Configuration of DHCPv6 Relay

After configuring DHCPv6 relay on a host or router, verify the configuration.

Prerequisites

DHCPv6 relay has been configured and the DHCPv6 relay agent is able to forward DHCPv6 messages.

Procedure

  • Run the display dhcpv6 relay statistics command to check packet statistics on a DHCPv6 relay agent.
  • Run the display dhcpv6 relay configuration command to check global configurations of a DHCPv6 relay agent.

Example

Run the display dhcpv6 relay statistics command. The command output shows statistics about various DHCPv6 messages on a DHCPv6 relay agent.

<HUAWEI> display dhcpv6 relay statistics
  -------------------------------------------------------------------
  Bad Packets received                                :   0
  DHCPv6 packets received from clients                :   41357
         DHCPv6 SOLICIT packets received              :   41357
         DHCPv6 REQUEST packets received              :   0
         DHCPv6 CONFIRM packets received              :   0
         DHCPv6 RENEW packets received                :   0
         DHCPv6 REBIND packets received               :   0
         DHCPv6 DECLINE packets received              :   0
         DHCPv6 RELEASE packets received              :   0
         DHCPv6 INFORMATION-REQUEST packets received  :   0

  DHCPv6 packets received from relay agents or servers:   6
         DHCPv6 RELAY-FORWARD packets received        :   6
         DHCPv6 RELAY-REPLY packets received          :   0

  DHCPv6 packets sent to clients                      :   0
         DHCPv6 ADVERTISE packets sent                :   0
         DHCPv6 REPLY packets sent                    :   0
         DHCPv6 RECONFIGURE packets sent              :   0

  DHCPv6 packets sent to relay agents or servers      :   41333
         DHCPv6 RELAY-FORWARD packets sent            :   41333
         DHCPv6 RELAY-REPLY packets sent              :   0

  DHCPv6 packets dropped                              :   33
         Table Full                                   :   0
         General Error                                :   33
         IPSec Authentication Failed                  :   0
  -------------------------------------------------------------------
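
The counters above are worth checking automatically after a change or during an incident. The following added example (not Huawei tooling or part of the original guide) parses the counter lines and reports the ones an operator would review; the sample text is a subset of the output shown above, and the function names and the 0.9 SOLICIT ratio are assumptions to tune per site.

```python
import re

# Counter lines taken from the 'display dhcpv6 relay statistics' example above.
SAMPLE = """\
  Bad Packets received                                :   0
  DHCPv6 packets received from clients                :   41357
         DHCPv6 SOLICIT packets received              :   41357
         DHCPv6 REQUEST packets received              :   0
  DHCPv6 packets received from relay agents or servers:   6
         DHCPv6 RELAY-FORWARD packets received        :   6
         DHCPv6 RELAY-REPLY packets received          :   0
  DHCPv6 packets sent to clients                      :   0
  DHCPv6 packets sent to relay agents or servers      :   41333
  DHCPv6 packets dropped                              :   33
         Table Full                                   :   0
         General Error                                :   33
         IPSec Authentication Failed                  :   0
"""

def parse_counters(text: str) -> dict:
    """Map each 'name : value' line of the display output to an int."""
    pairs = re.findall(r"^[ \t]*(.+?)[ \t]*:[ \t]*(\d+)[ \t]*$", text, re.MULTILINE)
    return {name: int(value) for name, value in pairs}

def findings(c: dict, solicit_ratio: float = 0.9) -> list:
    """Return review notes; the ratio threshold is an assumption."""
    notes = []
    from_clients = c.get("DHCPv6 packets received from clients", 0)
    solicit = c.get("DHCPv6 SOLICIT packets received", 0)
    if from_clients and c.get("DHCPv6 RELAY-REPLY packets received", 0) == 0:
        notes.append("client traffic relayed but no RELAY-REPLY received")
    if (from_clients and solicit / from_clients >= solicit_ratio
            and c.get("DHCPv6 REQUEST packets received", 0) == 0):
        notes.append("SOLICIT-only client traffic: exchanges never complete")
    # Any non-zero error or drop counter is reported as-is.
    for key in ("Bad Packets received", "Table Full", "General Error",
                "IPSec Authentication Failed"):
        if c.get(key, 0):
            notes.append(f"{key}: {c[key]}")
    return notes
```

On the sample, the first two notes point at the path to the server (for example the route listed under Pre-configuration Tasks) or at a burst of SOLICIT messages, which is the case the dhcpv6 rate-limit step addresses.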

Run the display dhcpv6 relay configuration command. The command output shows global configurations of a DHCPv6 relay agent.

<HUAWEI> display dhcpv6 relay configuration
DHCPv6 DUID: 12334ef34
DHCPv6 export pd-route: enable
Updated: 2019-01-02

Document ID: EDOC1100055376
