HP 5500 Ei 5500 Si Switch Series Configuration Guide
continues to send an NS message. If the interface still does not receive a response after the number of sent attempts reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired address is considered usable.

To configure the attempts to send an NS message for DAD:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the number of attempts to send an NS message for DAD.
   Command: ipv6 nd dad attempts value
   Remarks: Optional. 1 by default. When the value argument is set to 0, DAD is disabled.

Configuring ND snooping

Introduction

The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using DAD NS messages. ND snooping entries are used to do the following:
• Cooperate with the ND detection function. For more information about ND detection, see Security Configuration Guide.
• Cooperate with the IP Source Guard function. For more information about IP source guard, see Security Configuration Guide.
• Work in all SAVI scenarios. For more information about SAVI, see Security Configuration Guide.

After you enable ND snooping on a VLAN of a device, ND packets received by the interfaces of the VLAN are redirected to the CPU. When ND snooping is enabled globally, the CPU uses the ND packets to create or update ND snooping entries comprising source IPv6 address, source MAC address, receiving VLAN, and receiving port information.

The following items describe how an ND snooping entry is created, updated, and aged out.

1. Create an ND snooping entry
The device only uses received DAD NS messages to create ND snooping entries.

2. Update an ND snooping entry
Upon receiving an ND packet, the device searches the ND snooping table for an entry containing the source IPv6 address of the packet. If the entry was refreshed within one second, the device does not update the entry.
If the entry has not been refreshed for more than one second, the device matches the MAC address of the ND packet and the receiving port against those in the entry.
○ If both of them match those in the entry, the device updates the aging time of the ND snooping entry.
○ If neither of them matches the entry and the received packet is a DAD NS message, the message is ignored.
○ If neither of them matches the entry and the received packet is not a DAD NS message, the device performs active acknowledgement. The active acknowledgement is performed in the following steps.
○ The device checks the validity of the existing ND snooping entry. The device sends out a DAD NS message including the IPv6 address of the ND snooping entry. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry) is received, the device updates the aging time of the existing entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the device starts to check the validity of the received ND packet.
○ To check the validity of the received ND packet (packet A, for example), the device sends out a DAD NS message including the source IPv6 address of packet A. If a corresponding NA message (whose source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of packet A) is received, the device updates the aging time of the entry. If no corresponding NA message is received within one second after the DAD NS message is sent, the device does not update the entry.

3. Age out an ND snooping entry
An ND snooping entry is aged out after 25 minutes. If an ND snooping entry is not updated within 15 minutes, the device performs active acknowledgement. The device sends out a DAD NS message including the IPv6 address of the ND snooping entry.
○ If a corresponding NA message is received (the source IPv6 address, source MAC address, receiving port, and source VLAN are consistent with those of the existing entry), the device updates the aging time of the existing entry.
○ If no corresponding NA message is received within one second after the DAD NS message is sent out, the device removes the entry when the timer expires.

Configuration procedure

To configure ND snooping:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure ND snooping.
   • Enable ND snooping based on global unicast addresses (the devices use DAD NS messages containing global unicast addresses to create ND snooping entries):
     Command: ipv6 nd snooping enable global
   • Enable ND snooping based on link-local addresses (the devices use DAD NS messages containing link-local addresses to create ND snooping entries):
     Command: ipv6 nd snooping enable link-local
   Remarks: Use either approach. By default, ND snooping is disabled.
3. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: N/A
4. Enable ND snooping.
   Command: ipv6 nd snooping enable
   Remarks: Disabled by default.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Enter Layer 2 Ethernet port view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
7. Configure the maximum number of ND snooping entries the interface can learn.
   Command: ipv6 nd snooping max-learning-num number
   Remarks: Optional. By default, the number of ND snooping entries an interface can learn is unlimited.
8. Configure the interface as an uplink interface and disable it from learning ND snooping entries.
   Command: ipv6 nd snooping uplink
   Remarks: Optional. By default, when ND snooping is enabled on the device, an interface is allowed to learn ND snooping entries.

Enabling ND proxy

ND proxy supports the NS and NA messages only.

Introduction

If a host sends an NS message requesting the hardware address of another host that is isolated from the sending host at Layer 2, the device between the hosts must be able to forward the NS message to allow Layer 3 communication between the two hosts. This process is achieved by ND proxy.

Depending on application scenarios, ND proxy falls into common ND proxy and local ND proxy.

• Common ND proxy
As shown in Figure 56, VLAN-interface 1 with IPv6 address 4:1::99/64 and VLAN-interface 2 with IPv6 address 4:2::99/64 belong to different subnets. Host A and Host B reside on the same network but in different broadcast domains.

Figure 56 Application environment of common ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they belong to different broadcast domains. To solve this problem, enable common ND proxy on VLAN-interface 1 and VLAN-interface 2 of the switch. The switch finds the matching forwarding entry according to the destination IPv6 address of the NS message and sends the message through the output interface of that entry. Upon receiving the NS message, Host B sends an NA message to the switch, which forwards it to Host A.
• Local ND proxy
As shown in Figure 57, both Host A and Host B belong to VLAN 2, but they connect to GigabitEthernet 1/0/3 and GigabitEthernet 1/0/1 respectively, which are isolated at Layer 2.
Figure 57 Application environment of local ND proxy

Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2. To solve this problem, enable local ND proxy on VLAN-interface 2 of Switch A so that Switch A can forward messages between Host A and Host B.

Local ND proxy implements Layer 3 communication for two hosts in the following cases:
○ The two hosts must connect to different isolated Layer 2 ports of a VLAN.
○ If super VLAN is used, the two hosts must belong to different sub VLANs.
○ If isolate-user-VLAN is used, the two hosts must belong to different secondary VLANs.

Configuration procedure

You can enable common ND proxy and local ND proxy in VLAN interface view or Layer 3 Ethernet port view.

To enable common ND proxy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable common ND proxy.
   Command: proxy-nd enable
   Remarks: Disabled by default.

To enable local ND proxy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable local ND proxy.
   Command: local-proxy-nd enable
   Remarks: Optional. Disabled by default.
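The ND snooping entry lifecycle described in the ND snooping introduction above (entries created only from DAD NS messages, refreshed at most once per second, active acknowledgement when the MAC or port of a later packet differs, a probe after 15 minutes without an update, and age-out at 25 minutes), modelled in Python as an added example that is not HP code. The probe callback, the Entry and NdSnoopingTable names, the handling of a partial MAC/port mismatch, and replacing the binding after a successful second probe are assumptions of this model; it sends no real traffic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Timing from the guide: an entry is refreshed at most once per second,
# probed (active acknowledgement) after 15 minutes without an update, and
# aged out after 25 minutes.
MIN_REFRESH, PROBE_AFTER, AGE_OUT = 1.0, 15 * 60.0, 25 * 60.0

Binding = Tuple[str, str, int]   # (source MAC, receiving port, receiving VLAN)
# probe(ipv6) stands in for "send a DAD NS for ipv6 and wait one second for an
# NA": it returns the binding a matching NA confirmed, or None if none came.
Prober = Callable[[str], Optional[Binding]]


@dataclass
class Entry:
    binding: Binding
    refreshed: float       # when the aging timer was last (re)started
    probed: bool = False   # active acknowledgement already attempted


class NdSnoopingTable:
    """Model of the ND snooping entry lifecycle: create, update, age out."""

    def __init__(self, probe: Prober) -> None:
        self.entries: Dict[str, Entry] = {}
        self.probe = probe

    def receive(self, ip: str, binding: Binding, dad_ns: bool, now: float) -> str:
        """Apply the create and update rules to one received ND packet."""
        entry = self.entries.get(ip)
        if entry is None:                          # only a DAD NS creates entries
            if dad_ns:
                self.entries[ip] = Entry(binding, now)
                return "created"
            return "ignored"
        if now - entry.refreshed < MIN_REFRESH:    # refreshed within one second
            return "skipped"
        if binding == entry.binding:               # MAC, port (and VLAN) match
            self.entries[ip] = Entry(binding, now)
            return "refreshed"
        # Mismatch. The guide words this as "neither matches"; treating a
        # partial mismatch the same way is an assumption of this model.
        if dad_ns:
            return "ignored"
        # Active acknowledgement: the existing owner is probed first, so a
        # packet carrying a different MAC or port cannot displace a host that
        # is still answering for the address.
        if self.probe(ip) == entry.binding:
            self.entries[ip] = Entry(entry.binding, now)
            return "kept-existing"
        if self.probe(ip) == binding:              # then the new claimant
            self.entries[ip] = Entry(binding, now)  # assumption: binding replaced
            return "updated"
        return "unconfirmed"                       # entry left as it was

    def tick(self, now: float) -> Dict[str, str]:
        """Run the aging rules; returns what happened to each touched entry."""
        events: Dict[str, str] = {}
        for ip, entry in list(self.entries.items()):
            idle = now - entry.refreshed
            if idle >= AGE_OUT:
                del self.entries[ip]
                events[ip] = "aged-out"
            elif idle >= PROBE_AFTER and not entry.probed:
                if self.probe(ip) == entry.binding:
                    self.entries[ip] = Entry(entry.binding, now)
                    events[ip] = "reconfirmed"
                else:
                    entry.probed = True            # dropped when the timer expires
                    events[ip] = "probe-failed"
        return events
```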
Configuring path MTU discovery

Configuring a static path MTU for a specified IPv6 address

You can configure a static path MTU for a specified destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static path MTU of the specified destination IPv6 address. If the packet size is larger than the smaller one of the two values, the host fragments the packet according to the smaller value.

To configure a static path MTU for a specified IPv6 address:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a static path MTU for a specified IPv6 address.
   Command: ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address [ value ]
   Remarks: Not configured by default. Only HP 5500 EI Switch Series supports the vpn-instance vpn-instance-name option.

Configuring the aging time for dynamic path MTUs

After the path MTU from a source host to a destination host is dynamically determined (see IPv6 path MTU discovery), the source host sends subsequent packets to the destination host based on this MTU. After the aging time expires, the dynamic path MTU is removed and the source host re-determines a dynamic path MTU through the path MTU mechanism. The aging time is invalid for a static path MTU.

To configure the aging time for dynamic path MTUs:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the aging time for dynamic path MTUs.
   Command: ipv6 pathmtu age age-time
   Remarks: Optional. 10 minutes by default.

Configuring IPv6 TCP properties

You can configure the following IPv6 TCP properties:
• synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
• finwait timer—When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated.
If a FIN packet is received, the IPv6 TCP connection status becomes TIME_WAIT. If non-FIN packets are received, the finwait timer is reset upon receipt of the last non-FIN packet and the connection is terminated after the finwait timer expires.
• Size of the IPv6 TCP sending/receiving buffer
To configure IPv6 TCP properties:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the synwait timer.
   Command: tcp ipv6 timer syn-timeout wait-time
   Remarks: Optional. 75 seconds by default.
3. Set the finwait timer.
   Command: tcp ipv6 timer fin-timeout wait-time
   Remarks: Optional. 675 seconds by default.
4. Set the size of the IPv6 TCP sending/receiving buffer.
   Command: tcp ipv6 window size
   Remarks: Optional. 8 KB by default.

Configuring ICMPv6 packet sending

Configuring the maximum ICMPv6 error packets sent in an interval

If too many ICMPv6 error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within a specified time by adopting the token bucket algorithm.

You can set the capacity of a token bucket to determine the number of tokens in the bucket. In addition, you can set the update interval of the token bucket, the interval for restoring the configured capacity. One token allows one ICMPv6 error packet to be sent. Each time an ICMPv6 error packet is sent, the number of tokens in the token bucket decreases by one. If the number of ICMPv6 error packets successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored.

To configure the capacity and update interval of the token bucket:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the capacity and update interval of the token bucket.
   Command: ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
   Remarks: Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. A maximum of 10 ICMPv6 error packets can be sent within 100 milliseconds. The update interval 0 indicates that the number of ICMPv6 error packets sent is not restricted.
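The token bucket behaviour the remarks above describe for ipv6 icmp-error (one token per error packet, the bucket restored to full capacity every update interval, interval 0 lifting the limit), as an added Python model that is not HP code. The class and function names and the constructed burst are assumptions; time is passed in explicitly in milliseconds so a burst can be replayed deterministically.

```python
from typing import Iterable, Tuple


class Icmpv6ErrorBucket:
    """Token bucket as described for ipv6 icmp-error (model, not HP code).

    bucket_size tokens are available per update interval; one token is spent
    per ICMPv6 error packet, and the bucket is restored to full capacity at
    each interval boundary. ratelimit_ms == 0 disables the restriction.
    Defaults match the guide: bucket 10, ratelimit 100 milliseconds.
    """

    def __init__(self, bucket_size: int = 10, ratelimit_ms: int = 100) -> None:
        self.capacity = bucket_size
        self.interval = ratelimit_ms
        self.tokens = bucket_size
        self.window_start = 0      # start of the current update interval (ms)

    def _restore(self, now_ms: int) -> None:
        # Refill to full capacity once the current interval has elapsed. The
        # window start advances in whole intervals, so idle time never yields
        # more than the configured capacity.
        elapsed = now_ms - self.window_start
        if elapsed >= self.interval:
            self.window_start += (elapsed // self.interval) * self.interval
            self.tokens = self.capacity

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error packet may be sent at now_ms."""
        if self.interval == 0:         # "ratelimit 0": not restricted
            return True
        self._restore(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def replay(bucket: Icmpv6ErrorBucket, trigger_times_ms: Iterable[int]) -> Tuple[int, int]:
    """Replay a burst of error triggers; returns (sent, suppressed) counts."""
    sent = suppressed = 0
    for t in sorted(trigger_times_ms):
        if bucket.try_send(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed burst: 30 error triggers 5 ms apart (0 ms .. 145 ms), the sort
# of load a flood of undeliverable packets would place on the device.
BURST_MS = [5 * i for i in range(30)]

if __name__ == "__main__":
    print("default 10 per 100 ms:", replay(Icmpv6ErrorBucket(), BURST_MS))
    print("bucket 5, ratelimit 50:", replay(Icmpv6ErrorBucket(5, 50), BURST_MS))
    print("ratelimit 0:", replay(Icmpv6ErrorBucket(ratelimit_ms=0), BURST_MS))
```

A suppressed count that stays high across intervals is worth exporting as a counter, since it is the first visible sign of the malicious traffic the later sections warn about.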
Enabling replying to multicast echo requests

If hosts are configured to answer multicast echo requests, an attacker can use this mechanism to attack a host. For example, if Host A (an attacker) sends an echo request with the source being Host B to a multicast address, all the hosts in the multicast group will send echo replies to Host B. To prevent such an attack, the device is disabled from answering multicast echo requests by default. In some application scenarios, however, you must enable the device to answer multicast echo requests.
To enable replying to multicast echo requests:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable replying to multicast echo requests.
   Command: ipv6 icmpv6 multicast-echo-reply enable
   Remarks: Not enabled by default.

Enabling sending of ICMPv6 time exceeded messages

A device sends out an ICMPv6 Time Exceeded message in the following situations:
• If a received IPv6 packet's destination IP address is not a local address and its hop limit is 1, the device sends an ICMPv6 Hop Limit Exceeded message to the source.
• Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the device starts a timer. If the timer expires before all the fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source.

If large quantities of malicious packets are received, the performance of a device degrades greatly because it must send back ICMPv6 Time Exceeded messages. You can disable sending of ICMPv6 Time Exceeded messages.

To enable sending of ICMPv6 time exceeded messages:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable sending of ICMPv6 Time Exceeded messages.
   Command: ipv6 hoplimit-expires enable
   Remarks: Optional. Enabled by default.

Enabling sending of ICMPv6 destination unreachable messages

If the device fails to forward a received IPv6 packet for one of the following reasons, it drops the packet and sends the corresponding ICMPv6 Destination Unreachable error message to the source:
• If no route is available for forwarding the packet, the device sends a no route to destination ICMPv6 error message to the source.
• If the device fails to forward the packet because of an administrative prohibition (such as a firewall filter or an ACL), the device sends the source a destination network administratively prohibited ICMPv6 error message.
• If the device fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address of the packet is a link-local address whereas the destination IPv6 address of the packet is a global unicast address), the device sends the source a beyond scope of source address ICMPv6 error message.
• If the device fails to resolve the corresponding link layer address of the destination IPv6 address, the device sends the source an address unreachable ICMPv6 error message.
• If the packet's destination is local, its transport layer protocol is UDP, and its destination port number does not match any running process, the device sends the source a port unreachable ICMPv6 error message.
If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the device from sending ICMPv6 destination unreachable messages.

To enable sending of ICMPv6 destination unreachable messages:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable sending of ICMPv6 destination unreachable messages.
   Command: ipv6 unreachables enable
   Remarks: Disabled by default.

Displaying and maintaining IPv6 basics configuration

Task: Display the IPv6 FIB entries.
   Command: display ipv6 fib [ vpn-instance vpn-instance-name ] [ acl6 acl6-number | ipv6-prefix ipv6-prefix-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view. Only HP 5500 EI Switch Series supports the vpn-instance vpn-instance-name option.
Task: Display the IPv6 FIB entry of a specified destination IPv6 address.
   Command: display ipv6 fib [ vpn-instance vpn-instance-name ] ipv6-address [ prefix-length ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view. Only HP 5500 EI Switch Series supports the vpn-instance vpn-instance-name option.
Task: Display the IPv6 information of the interface.
   Command: display ipv6 interface [ interface-type [ interface-number ] ] [ brief ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display neighbor information.
   Command: display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view. Only HP 5500 EI Switch Series supports the verbose keyword.
Task: Display the total number of neighbor entries satisfying the specified conditions.
   Command: display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the neighbor information of a specified VPN (only available on the HP 5500 EI).
   Command: display ipv6 neighbors vpn-instance vpn-instance-name [ count ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the IPv6 path MTU information.
   Command: display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all | dynamic | static } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view. Only HP 5500 EI Switch Series supports the vpn-instance vpn-instance-name option.
Task: Display socket information.
   Command: display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the statistics of IPv6 packets and ICMPv6 packets.
   Command: display ipv6 statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the IPv6 TCP connection statistics.
   Command: display tcp ipv6 statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the IPv6 TCP connection status information.
   Command: display tcp ipv6 status [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the IPv6 UDP connection statistics.
   Command: display udp ipv6 statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display ND snooping entries.
   Command: display ipv6 nd snooping [ ipv6-address | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear IPv6 neighbor information.
   Command: reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | slot slot-number | static }
   Remarks: Available in user view.
Task: Clear the path MTU values.
   Command: reset ipv6 pathmtu { all | static | dynamic }
   Remarks: Available in user view.
Task: Clear the statistics of IPv6 and ICMPv6 packets.
   Command: reset ipv6 statistics [ slot slot-number ]
   Remarks: Available in user view.
Task: Clear all IPv6 TCP connection statistics.
   Command: reset tcp ipv6 statistics
   Remarks: Available in user view.
Task: Clear the statistics of all IPv6 UDP packets.
   Command: reset udp ipv6 statistics
   Remarks: Available in user view.
Task: Clear ND snooping entries.
   Command: reset ipv6 nd snooping [ ipv6-address | vlan vlan-id ]
   Remarks: Available in user view.

IPv6 basics configuration example

Network requirements

As shown in Figure 58, a host, Switch A and Switch B are connected through Ethernet ports. Add the Ethernet ports into the corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify that they are connected.
• The global unicast addresses of VLAN-interface 1 and VLAN-interface 2 on Switch A are 2001::1/64 and 3001::1/64, respectively.
• The global unicast address of VLAN-interface 2 on Switch B is 3001::2/64, and a route to Host is available.
• IPv6 is enabled for the host to automatically obtain an IPv6 address through IPv6 ND, and a route to Switch B is available.

Figure 58 Network diagram

The VLAN interfaces have been created on the switch.

Configuration procedure

1. Configure Switch A:
# Enable IPv6.
system-view
[SwitchA] ipv6
# Specify a global unicast address for VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address 3001::1/64
[SwitchA-Vlan-interface2] quit
# Specify a global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ipv6 address 2001::1/64
[SwitchA-Vlan-interface1] undo ipv6 nd ra halt
[SwitchA-Vlan-interface1] quit

2. Configure Switch B:
# Enable IPv6.
system-view
[SwitchB] ipv6
# Configure a global unicast address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ipv6 address 3001::2/64
[SwitchB-Vlan-interface2] quit
# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.
[SwitchB] ipv6 route-static 2001:: 64 3001::1

3. Configure the host:
# Enable IPv6 for Host to automatically obtain an IPv6 address through IPv6 ND.

# Display the neighbor information of GigabitEthernet 1/0/2 on Switch A.
[SwitchA] display ipv6 neighbors interface GigabitEthernet 1/0/2
 Type: S-Static    D-Dynamic
 IPv6 Address                 Link-layer      VID  Interface  State T  Age
 FE80::215:E9FF:FEA6:7D14     0015-e9a6-7d14  1    GE1/0/2    STALE D  1238
 2001::15B:E0EA:3524:E791     0015-e9a6-7d14  1    GE1/0/2    STALE D  1248
The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.
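The verification step above reads the display ipv6 neighbors output by eye; the following Python parser, added here and not part of the HP guide, does the same check programmatically: it parses the neighbor table, confirms that the host learned an address inside the prefix advertised on VLAN-interface 1 (2001::/64), and groups addresses by MAC so a host's link-local and global entries line up. The sample output is constructed from the example's own addresses and MAC; the column layout and function names are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the display ipv6 neighbors output shown
# above (same addresses, MAC, VLAN and port as the configuration example).
SAMPLE_OUTPUT = """\
 Type: S-Static    D-Dynamic
 IPv6 Address                 Link-layer      VID  Interface  State T  Age
 FE80::215:E9FF:FEA6:7D14     0015-e9a6-7d14  1    GE1/0/2    STALE D  1238
 2001::15B:E0EA:3524:E791     0015-e9a6-7d14  1    GE1/0/2    STALE D  1248
"""

COLUMNS = ("address", "mac", "vid", "interface", "state", "type", "age")


def parse_neighbors(text: str) -> List[Dict[str, object]]:
    """Parse the neighbor table into dicts; legend and header lines are skipped."""
    entries: List[Dict[str, object]] = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[:2] == ["IPv6", "Address"]:        # column header line
            in_table = True
            continue
        if not in_table or len(fields) < len(COLUMNS):
            continue                                 # legend or unexpected line
        entry: Dict[str, object] = dict(zip(COLUMNS, fields))
        entry["vid"] = int(entry["vid"])             # type: ignore[arg-type]
        entry["age"] = int(entry["age"])             # type: ignore[arg-type]
        entries.append(entry)
    return entries


def learned_in_prefix(entries: List[Dict[str, object]], prefix: str) -> List[str]:
    """Addresses (as printed) that fall inside the advertised prefix."""
    net = ipaddress.IPv6Network(prefix)
    return [str(e["address"]) for e in entries
            if ipaddress.IPv6Address(str(e["address"])) in net]


def hosts_by_mac(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group addresses by link-layer address, one list per physical host."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        grouped.setdefault(str(e["mac"]), []).append(str(e["address"]))
    return grouped


if __name__ == "__main__":
    parsed = parse_neighbors(SAMPLE_OUTPUT)
    print("global addresses in 2001::/64:", learned_in_prefix(parsed, "2001::/64"))
    print("addresses per MAC:", hosts_by_mac(parsed))
```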