HP 5500 EI 5500 SI Switch Series Configuration Guide
Figure 55 Path MTU discovery process

1. The source host compares its MTU with the packet to be sent, performs necessary fragmentation, and sends the resulting packet to the destination host.
2. If the MTU supported by a forwarding interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host.
3. After receiving the ICMPv6 error packet, the source host uses the returned MTU to limit the packet size, performs fragmentation, and sends the resulting packet to the destination host.
4. Step 2 and step 3 are repeated until the destination host receives the packet. In this way, the source host decides the minimum MTU of all links in the path to the destination host.

IPv6 transition technologies

Before IPv6 dominates the Internet, highly efficient and seamless IPv6 transition technologies are needed to enable communication between IPv4 and IPv6 networks. Several IPv6 transition technologies can be used in different environments and periods, such as dual stack (RFC 2893) and tunneling (RFC 2893).

Dual stack

Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. For an upper layer application that supports both IPv4 and IPv6, either TCP or UDP can be selected at the transport layer, whereas the IPv6 stack is preferred at the network layer.

Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IP address.

Tunneling

Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of another network protocol and transfer them over the network.
For more information about tunneling, see Configuring tunneling.

Protocols and standards

Protocols and standards related to IPv6 include:
• RFC 1881, IPv6 Address Allocation Management
• RFC 1887, An Architecture for IPv6 Unicast Address Allocation
• RFC 1981, Path MTU Discovery for IP version 6
• RFC 2375, IPv6 Multicast Address Assignments
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2461, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 2894, Router Renumbering for IPv6
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses
• RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture

IPv6 basics configuration task list

| Task group | Task | Remarks |
|---|---|---|
| Configuring basic IPv6 functions | Enabling IPv6 | Required |
| Configuring basic IPv6 functions | Configuring an IPv6 global unicast address; Configuring an IPv6 link-local address; Configure an IPv6 anycast address | Required to configure one |
| Configuring IPv6 ND | Configuring a static neighbor entry | Optional |
| Configuring IPv6 ND | Configuring the maximum number of neighbors dynamically learned | Optional |
| Configuring IPv6 ND | Setting the age timer for ND entries in stale state | Optional |
| Configuring IPv6 ND | Configuring parameters related to RA messages | Optional |
| Configuring IPv6 ND | Configuring the maximum number of attempts to send an NS message for DAD | Optional |
| Configuring IPv6 ND | Configuring ND snooping | Optional |
| Configuring IPv6 ND | Enabling ND proxy | Optional |
| Configuring path MTU discovery | Configuring a static path MTU for a specified IPv6 address | Optional |
| Configuring path MTU discovery | Configuring the aging time for dynamic path MTUs | Optional |
| Configuring IPv6 TCP properties | | Optional |
| Configuring ICMPv6 packet sending | Configuring the maximum ICMPv6 error packets sent in an interval | Optional |
| Configuring ICMPv6 packet sending | Enabling replying to multicast echo requests | Optional |
| Configuring ICMPv6 packet sending | Enabling sending of ICMPv6 time exceeded messages | Optional |
| Configuring ICMPv6 packet sending | Enabling sending of ICMPv6 destination unreachable messages | Optional |
Configuring basic IPv6 functions

Enabling IPv6

Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface cannot forward IPv6 packets even if it has an IPv6 address configured.

To enable IPv6:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enable IPv6.
    Command: ipv6
    Remarks: Disabled by default

Configuring an IPv6 global unicast address

Configure an IPv6 global unicast address by using the following options:
• EUI-64 IPv6 addressing—The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is configured manually.
• Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.

Follow these guidelines when you configure an IPv6 global unicast address:
• You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
• A manually configured global unicast address takes precedence over an automatically generated one. If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous. The overwritten automatic global unicast address will not be restored even if the manual one is removed. Instead, a new global unicast address will be automatically generated based on the address prefix information in the next RA message that the interface receives.

EUI-64 IPv6 addressing

To configure an interface to generate an EUI-64 IPv6 address:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure the interface to generate an EUI-64 IPv6 address.
    Command: ipv6 address ipv6-address/prefix-length eui-64
    Remarks: By default, no IPv6 global unicast address is configured on an interface.

Manual configuration

To specify an IPv6 address manually for an interface:
1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure an IPv6 address manually.
    Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
    Remarks: By default, no IPv6 global unicast address is configured on an interface.

Stateless address autoconfiguration

To configure an interface to generate an IPv6 address by using stateless address autoconfiguration:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure an IPv6 address to be generated through stateless address autoconfiguration.
    Command: ipv6 address auto
    Remarks: By default, no IPv6 global unicast address is configured on an interface.

NOTE: Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses automatically generated on the interface.

With stateless address autoconfiguration enabled on an interface, the device automatically generates an IPv6 global unicast address by using the address prefix information in the received RA message and the interface ID. On an IEEE 802 interface (such as a VLAN interface), the interface ID is generated based on the MAC address of the interface, and is globally unique. As a result, the interface ID portion of the IPv6 global address remains unchanged and exposes the sender. An attacker can further exploit communication details such as the communication peer and time.

To fix the vulnerability, configure the temporary address function that enables the system to generate and use temporary IPv6 addresses with different interface ID portions on an interface. With this function configured on an IEEE 802 interface, the system can generate two addresses, public IPv6 address and temporary IPv6 address.
• Public IPv6 address—Comprises an address prefix provided by the RA message, and a fixed interface ID generated based on the MAC address of the interface.
• Temporary IPv6 address—Comprises an address prefix provided by the RA message, and a random interface ID generated through MD5.

Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface as the source address of the packet to be sent. When this temporary IPv6 address expires, the system removes it and generates a new one. This enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.

The preferred lifetime and valid lifetime for temporary IPv6 addresses are specified as follows:
• The preferred lifetime of a temporary IPv6 address takes the value of the smaller of the following values:
  ○ The preferred lifetime of the address prefix in the RA message.
  ○ The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (which is a random number ranging from 0 to 600, in seconds).
• The valid lifetime of a temporary IPv6 address takes the value of the smaller of the following values:
  ○ The valid lifetime of the address prefix.
  ○ The valid lifetime configured for temporary IPv6 addresses.

To configure the temporary address function:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Configure the system to generate and preferably use the temporary IPv6 address of the sending interface as the source address of the packet to be sent.
    Command: ipv6 prefer temporary-address [ valid-lifetime preferred-lifetime ]
    Remarks: By default, the system does not generate or use a temporary IPv6 address.

You must also enable stateless address autoconfiguration on an interface if you need temporary IPv6 addresses to be generated on that interface. Temporary IPv6 addresses do not override public IPv6 addresses. Therefore, an interface may have multiple IPv6 addresses with the same address prefix but different interface ID portions.

If the public IPv6 address fails to be generated on an interface because of a prefix conflict or other reasons, no temporary IPv6 address will be generated on the interface.

Configuring an IPv6 link-local address

IPv6 link-local addresses can be configured in either of the following ways:
• Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.
• Manual assignment—IPv6 link-local addresses can be assigned manually.

An interface can have only one link-local address. To avoid link-local address conflicts, use the automatic generation method.

Manual assignment takes precedence over automatic generation.
• If you first use automatic generation and then manual assignment, the manually assigned link-local address will overwrite the automatically generated one.
• If you first use manual assignment and then automatic generation, the automatically generated link-local address will not take effect and the link-local address is still the manually assigned one. If you delete the manually assigned address, the automatically generated link-local address is validated.

To configure automatic generation of an IPv6 link-local address for an interface:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure the interface to automatically generate an IPv6 link-local address.
    Command: ipv6 address auto link-local
    Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

To configure an IPv6 link-local address manually:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure an IPv6 link-local address manually.
    Command: ipv6 address ipv6-address link-local
    Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.

After an IPv6 global unicast address is configured for an interface, a link-local address is generated automatically.
• The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command.
• If a link-local address is manually assigned to an interface, this manual link-local address takes effect. If the manually assigned link-local address is removed, the automatically generated link-local address takes effect.

The undo ipv6 address auto link-local command can only remove the link-local addresses generated through the ipv6 address auto link-local command.
• If an IPv6 global unicast address is already configured for an interface, the interface still has a link-local address because the system automatically generates one for the interface.
• If no IPv6 global unicast address is configured, the interface has no link-local address.

Configure an IPv6 anycast address

To configure an IPv6 anycast address for an interface:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure an IPv6 anycast address.
    Command: ipv6 address ipv6-address/prefix-length anycast
    Remarks: Optional. By default, no IPv6 anycast address is configured on an interface.
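The public and temporary address behaviour described under stateless address autoconfiguration above can be checked with the following added example, which is not part of the HP guide. It assumes the standard modified EUI-64 mapping for the MAC-based interface ID; the function names, the sample MAC, the addresses in the 2001:db8::/32 documentation range and the configured temporary lifetimes are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (8 bytes) for a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def public_address(prefix, mac):
    """Public address: /64 prefix from the RA plus the fixed interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return ipaddress.IPv6Address(
        net.network_address.packed[:8] + eui64_interface_id(mac))

def embedded_mac(address):
    """Return the MAC an address reveals, or None if the ID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # a random ID matches by chance only about once in 65536
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def group_by_embedded_mac(addresses):
    """Audit helper: group observed addresses by the MAC they expose."""
    groups = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            groups.setdefault(mac, []).append(addr)
    return groups

def temporary_lifetimes(prefix_preferred, prefix_valid,
                        cfg_preferred, cfg_valid, desync_factor):
    """Lifetimes (seconds) of a temporary address, per the rules in the guide."""
    if not 0 <= desync_factor <= 600:
        raise ValueError("DESYNC_FACTOR ranges from 0 to 600 seconds")
    preferred = min(prefix_preferred, cfg_preferred - desync_factor)
    valid = min(prefix_valid, cfg_valid)
    return preferred, valid

# Constructed sample data: one interface seen on two prefixes with its
# public address, and once with a temporary (random interface ID) address.
SAMPLE_MAC = "00:1b:21:3c:9d:5e"
OBSERVED = [
    "2001:db8:1:0:21b:21ff:fe3c:9d5e",
    "2001:db8:2:0:21b:21ff:fe3c:9d5e",
    "2001:db8:1:0:5c3a:91d2:7e40:b6a1",
]

if __name__ == "__main__":
    print(public_address("2001:db8:1::/64", SAMPLE_MAC))
    # The two public addresses collapse onto one MAC; the temporary one does not.
    print(group_by_embedded_mac(OBSERVED))
    # Prefix lifetimes are the RA defaults from this guide (604800 / 2592000 s);
    # the configured temporary lifetimes (86400 / 604800 s) are constructed.
    print(temporary_lifetimes(604800, 2592000, 86400, 604800, 300))
```

Running the grouping over address inventories or flow logs shows which interfaces still source traffic from MAC-derived addresses and would benefit from ipv6 prefer temporary-address.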
Configuring IPv6 ND

Configuring a static neighbor entry

The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry.

The device uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer 3 interface number. You can configure a static neighbor entry by using either of the following methods:
• Method 1—Associate a neighbor IPv6 address and link-layer address with the Layer 3 interface of the local node.
• Method 2—Associate a neighbor IPv6 address and link-layer address with a port in a VLAN containing the local node.

You can use either of the previous configuration methods to configure a static neighbor entry for a VLAN interface.
• After a static neighbor entry is configured by using the first method, the device must resolve the corresponding Layer 2 port information of the VLAN interface.
• If you use the second method, make sure that the corresponding VLAN interface exists and that the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. After a static neighbor entry is configured, the device associates the VLAN interface with the IPv6 address to identify the static neighbor entry uniquely.

To configure a static neighbor entry:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Configure a static neighbor entry.
    Command: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } [ vpn-instance vpn-instance-name ]
    Remarks: Only HP 5500 EI Switch Series supports the vpn-instance vpn-instance-name option.

Configuring the maximum number of neighbors dynamically learned

The device can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it into the neighbor table. A large table can reduce the forwarding performance of the device.
You can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn. When the number of dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information.

To configure the maximum number of neighbors dynamically learned:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Configure the maximum number of neighbors dynamically learned by an interface.
    Command: ipv6 neighbors max-learning-num number
    Remarks: Optional. By default, a Layer 2 interface does not limit the number of neighbors dynamically learned. A Layer 3 interface can learn up to 1024 neighbors dynamically for HP 5500 SI Switch Series, and up to 4096 neighbors dynamically for HP 5500 EI Switch Series.

Setting the age timer for ND entries in stale state

ND entries in stale state have an age timer. If an ND entry in stale state is not refreshed before the timer expires, it transits to the delay state. If it is still not refreshed in five seconds, the ND entry transits to the probe state, and the device sends an NS message for detection. If no response is received, the device removes the ND entry.

To set the age timer for ND entries in stale state:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Set the age timer for ND entries in stale state.
    Command: ipv6 neighbor stale-aging aging-time
    Remarks: Optional. Four hours by default.

Configuring parameters related to RA messages

You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 9 lists and describes the configurable parameters in an RA message.

The maximum interval for sending RA messages should be less than (or equal to) the router lifetime in RA messages, so the router can be updated through an RA message before expiration.

The values of the NS retransmission timer and the reachable time configured for an interface are sent to hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.
Table 9 Parameters in an RA message and their descriptions

| Parameters | Description |
|---|---|
| Cur Hop Limit | When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6 headers. The value is also filled into the Hop Limit field in the response packet of a device. |
| Prefix Information options | After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration. |
| MTU | Make sure that all nodes on a link use the same MTU value. |
| M flag | Determines whether hosts use the stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use the stateful autoconfiguration (for example, through a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use the stateless autoconfiguration to acquire IPv6 addresses and generate IPv6 addresses according to their own link-layer addresses and the obtained prefix information. |
| O flag | Determines whether hosts use stateful autoconfiguration to acquire other configuration information. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information. Otherwise, hosts use stateless autoconfiguration to acquire other configuration information. |
| Router Lifetime | Tells the receiving hosts how long the advertising device can live. |
| Retrans Timer | If the device fails to receive a response message within the specified time after sending an NS message, it will retransmit the NS message. |
| Reachable Time | If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device must send a packet to the neighbor after the specified reachable time expires, the device will reconfirm whether the neighbor is reachable. |

To allow sending of RA messages:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
3. Disable RA message suppression.
    Command: undo ipv6 nd ra halt
    Remarks: By default, RA messages are suppressed.
4. Configure the maximum and minimum intervals for sending RA messages.
    Command: ipv6 nd ra interval max-interval-value min-interval-value
    Remarks: Optional. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds. The device sends RA messages at random intervals between the maximum interval and the minimum interval. The minimum interval should be less than or equal to 0.75 times the maximum interval.

To configure parameters related to RA messages:

1. Enter system view.
    Command: system-view
    Remarks: N/A
2. Configure the hop limit.
    Command: ipv6 nd hop-limit value
    Remarks: Optional. 64 by default.
3. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
4. Configure the prefix information in RA messages.
    Command: ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *
    Remarks: Optional. By default, no prefix information is configured for RA messages, and the IPv6 address of the interface sending RA messages is used as the prefix information with valid lifetime 2592000 seconds (30 days) and preferred lifetime 604800 seconds (seven days).
5. Turn off the MTU option in RA messages.
    Command: ipv6 nd ra no-advlinkmtu
    Remarks: Optional. By default, RA messages contain the MTU option.
6. Set the M flag bit to 1.
    Command: ipv6 nd autoconfig managed-address-flag
    Remarks: Optional. By default, the M flag bit is set to 0 and hosts acquire IPv6 addresses through stateless autoconfiguration.
7. Set the O flag bit to 1.
    Command: ipv6 nd autoconfig other-flag
    Remarks: Optional. By default, the O flag bit is set to 0 and hosts acquire other configuration information through stateless autoconfiguration.
8. Configure the router lifetime in RA messages.
    Command: ipv6 nd ra router-lifetime value
    Remarks: Optional. 1800 seconds by default.
9. Set the NS retransmission timer.
    Command: ipv6 nd ns retrans-timer value
    Remarks: Optional. By default, the local interface sends NS messages at 1000 millisecond intervals, and the value of the Retrans Timer field in RA messages sent by the local interface is 0. The interval for retransmitting an NS message is determined by the receiving device.
10. Set the reachable time.
    Command: ipv6 nd nud reachable-time value
    Remarks: Optional. By default, the neighbor reachable time on the local interface is 30000 milliseconds, and the value of the Reachable Time field in the RA messages sent by the local interface is 0. The neighbor reachable time is determined by the receiving device.

Configuring the maximum number of attempts to send an NS message for DAD

An interface sends an NS message for DAD after acquiring an IPv6 address.
If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it