Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-2 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to ND Snooping 1-7 Introduction to ND Detection 1-8 Introduction to DHCPv6 Snooping 1-10 Introduction to IPv6 Filtering 1-11 Introduction to IPv6 DNS 1-12 Protocols and Standards 1-12 IPv6 Configuration Task List 1-13 Configuring an IPv6 Unicast Address 1-13 Configuring IPv6 NDP 1-15 Configuring a Static IPv6 Route 1-17 Configuring IPv6 TCP Properties 1-17 Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 1-18 Configuring the Hop Limit of ICMPv6 Reply Packets 1-18 Configuring ND Snooping 1-18 Configuring the ND Detection 1-19 Configuring DHCPv6 Snooping 1-20 Configuring IPv6 Filtering 1-21 Configuring IPv6 DNS 1-22 Displaying and Maintaining IPv6 1-23 IPv6 Configuration Examples 1-24 IPv6 Unicast Address Configuration Example 1-24 DHCPv6 Snooping Configuration Example 1-26 ND Detection Configuration Example 1-27 IPv6 Filtering Configuration Example 1-28 2 IPv6 Application Configuration 2-1 Introduction to IPv6 Applications 2-1 Configuring IPv6 Applications 2-1 IPv6 Ping 2-1 IPv6 Traceroute 2-1 IPv6 TFTP 2-2 IPv6 Telnet 2-3 IPv6 Application Configuration Example 2-4 Troubleshooting IPv6 Applications 2-5 Unable to Ping a Remote Destination 2-5 Unable to Run Traceroute 2-5 Unable to Run TFTP 2-6 Unable to Run Telnet 2-6 i
1 IPv6 Configuration H3C S3100 Series Ethernet Switches support IPv6 management features, but do not support IPv6 forwarding and related features. The term router in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. IPv6 Overview Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4). The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. IPv6 Features Header format simplification IPv6 cuts down some IPv4 header fields or move them to extension headers to reduce the load of basic IPv6 headers. IPv6 uses a fixed-length header, thus making IPv6 packet handling simple and improving the forwarding efficiency. Although the IPv6 address size is four times that of IPv4 addresses, the size of basic IPv6 headers is only twice that of IPv4 headers (excluding the Options field). For the specific IPv6 header format, see Figure 1-1. Figure 1-1 Comparison between IPv4 header format and IPv6 header format 1-1
Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10 38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses. Hierarchical address structure IPv6 adopts the hierarchical address structure to quicken route search and reduce the system source occupied by the IPv6 routing table by means of route aggregation. Automatic address configuration To simplify the host configuration, IPv6 supports stateful address configuration and stateless address configuration. Stateful address configuration means that a host acquires an IPv6 address and related information from the server (for example, DHCP server). Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its own link-layer address and the prefix information issued by the router. In addition, a host can automatically generate a link-local address based on its own link-layer address and the default prefix (FE80::/64) to communicate with other hosts on the link. Built-in security IPv6 uses IPSec as its standard extension header to provide end-to-end security. This feature provides a standard for network security solutions and improves the interoperability between different IPv6 applications. Support for QoS The Flow Label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets. Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet control message protocol version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of address resolution protocol (ARP), Internet control message protocol version 4 (ICMPv4), and ICMPv4 redirect messages to provide a series of other functions. Flexible extension headers IPv6 cancels the Options field in IPv4 packets but introduces multiple extension headers. In this way, IPv6 enhances the flexibility greatly to provide scalability for IP while improving the processing efficiency. The Options field in IPv4 packets contains only 40 bytes, while the size of IPv6 extension headers is restricted by that of IPv6 packets. Introduction to IPv6 Address IPv6 addresses An IPv6 address is represented as a series of 16-bit hexadecimals, separated by colons. An IPv6 address is divided into eight groups, 16 bits of each group are represented by four hexadecimal numbers which are separated by colons, for example, 2001:0000:130F:0000:0000:09C0:876A:130B. To simplify the representation of IPv6 addresses, zeros in IPv6 addresses can be handled as follows: Leading zeros in each group can be removed. For example, the above-mentioned address can be represented in shorter format as 2001:0:130F:0:0:9C0:876A:130B. 1-2
If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon (::) option. For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B. The double-colon can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double-colon represents when converting it to zeros to restore the IPv6 address to a 128-bit address. An IPv6 address consists of two parts: address prefix and interface ID. The address prefix and the interface ID are respectively equivalent to the network ID and the host ID in an IPv4 address. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where IPv6-address is an IPv6 address in any of the notations and prefix-length is a decimal number indicating how many bits from the left of an IPv6 address are the address prefix. IPv6 address classification IPv6 addresses mainly fall into three types: unicast address, multicast address and anycast address. Unicast address: An identifier for a single interface, similar to an IPv4 unicast address.a packet sent to a unicast address is delivered to the interface identified by that address. Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Anycast address: An identifier for a set of interfaces (typically belonging to different nodes).a packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols measure of distance). There are no broadcast addresses in IPv6. Their function is superseded by multicast addresses. The type of an IPv6 address is designated by the format prefix. Table 1-1 lists the mapping between major address types and format prefixes. Table 1-1 Mapping between address types and format prefixes Type Format prefix (binary) IPv6 prefix ID Unassigned address 00...0 (128 bits) ::/128 Loopback address 00...1 (128 bits) ::1/128 Unicast address Link-local address 1111111010 FE80::/10 Site-local address 1111111011 FEC0::/10 Global unicast address other forms Multicast address 11111111 FF00::/8 1-3
Type Format prefix (binary) IPv6 prefix ID Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses. Unicast address There are several forms of unicast address assignment in IPv6, including global unicast address, link-local address, and site-local address. The global unicast address, equivalent to an IPv4 public address, is used for aggregatable links and provided for network service providers. This type of address allows efficient routing aggregation to restrict the number of global routing entries. The link-local address is used in the neighbor discovery protocol and the stateless autoconfiguration process. Routers must not forward any packets with link-local source or destination addresses to other links. IPv6 unicast site-local addresses are similar to private IPv4 addresses. Routers must not forward any packets with site-local source or destination addresses outside of the site (equivalent to a private network). Loopback address: The unicast address 0:0:0:0:0:0:0:1 (represented in shorter format as ::1) is called the loopback address and may never be assigned to any physical interface. Like the loopback address in IPv4, it may be used by a node to send an IPv6 packet to itself. Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address. Multicast address Multicast addresses listed in Table 1-2 are reserved for special purpose. Table 1-2 Reserved IPv6 multicast addresses Address Application FF01::1 FF02::1 FF01::2 FF02::2 FF05::2 Node-local scope all-nodes multicast address Link-local scope all-nodes multicast address Node-local scope all-routers multicast address Link-local scope all-routers multicast address Site-local scope all-routers multicast address Besides, there is another type of multicast address: solicited-node address. The solicited-node multicast address is used to acquire the link-layer addresses of neighbor nodes on the same link and is also used for duplicate address detection. Each IPv6 unicast or anycast address has one corresponding solicited-node address. The format of a solicited-node multicast address is as follows: FF02:0:0:0:0:1:FFXX:XXXX Where, FF02:0:0:0:0:1:FF is permanent and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 address. Interface identifier in IEEE EUI-64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be unique on that link. Interface identifiers in IPv6 unicast addresses are currently required to be 64 bits long. An interface identifier is derived from the link-layer address of that interface. Interface identifiers in IPv6 addresses are 64 bits long, while MAC addresses are 48 bits long. Therefore, the 1-4
hexadecimal number FFFE needs to be inserted in the middle of MAC addresses (behind the 24 high-order bits).to ensure the interface identifier obtained from a MAC address is unique, it is necessary to set the universal/local (U/L) bit (the seventh high-order bit) to 1. Thus, an interface identifier in EUI-64 format is obtained. Figure 1-2 Convert a MAC address into an EUI-64 address Introduction to IPv6 Neighbor Discovery Protocol The IPv6 neighbor discovery protocol (NDP) uses five types of ICMPv6 messages to implement the following functions: Address resolution Neighbor unreachability detection Duplicate address detection Router/prefix discovery Address autoconfiguration Redirection Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP. Table 1-3 Types and functions of ICMPv6 messages ICMPv6 message Function Used to acquire the link-layer address of a neighbor Neighbor solicitation (NS) message Used to verify whether the neighbor is reachable Used to perform a duplicate address detection Used to respond to a neighbor solicitation message Neighbor advertisement (NA) message Router solicitation (RS) message When the link layer address changes, the local node initiates a neighbor advertisement message to notify neighbor nodes of the change. After started, a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration. Used to respond to a router solicitation message Router advertisement (RA) message Redirect message With the RA message suppression disabled, the router regularly sends a router advertisement message containing information such as address prefix and flag bits. When a certain condition is satisfied, the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router to forward packets. 1-5
H3C S3100 Series Ethernet Switches do not support RS, RA, or Redirect message. Of the above mentioned IPv6 NDP functions, H3C S3100 Series Ethernet Switches support the following three functions: address resolution, neighbor unreachability detection, and duplicate address detection. The subsequent sections present a detailed description of these three functions and relevant configuration. The NDP mainly provides the following functions: Address resolution Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B. Figure 1-3 Address resolution The address resolution procedure is as follows: 1) Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B. The NS message contains the link-layer address of node A. 2) After receiving the NS message, node B judges whether the destination address of the packet is the corresponding solicited-node multicast address of its own IPv6 address. If yes, node B learns the link-layer address of node A and returns an NA message containing the link-layer address of node B in the unicast mode. 3) Node A acquires the link-layer address of node B from the NA message. After that, node A and node B can communicate with each other. Neighbor unreachability detection After node A acquires the link-layer address of its neighbor node B, node A can verify whether node B is reachable according to NS and NA messages. 1) Node A sends an NS message whose destination address is the IPv6 address of node B. 2) If node A receives an NA message from node B, node A considers that node B is reachable. Otherwise, node B is unreachable. Duplicate address detection After a node acquires an IPv6 address, it should perform the duplicate address detection to determine whether the address is being used by other nodes (similar to the gratuitous ARP function). The 1-6
duplication address detection is accomplished through NS and NA messages. Figure 1-4 shows the duplicate address detection procedure. Figure 1-4 Duplicate address detection The duplicate address detection procedure is as follows: 2) Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message also contains the IPv6 address. 3) If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B. 4) Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B. Otherwise, node B is not using the IPv6 address and node A can use it. Introduction to ND Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support ND snooping. The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using NS messages. ND snooping entries are used to: Cooperate with the ND detection function. For details about ND detection, refer to Introduction to ND Detection. Cooperate with the IPv6 filtering function. For details about IPv6 filtering, refer to Introduction to IPv6 Filtering. After you enable ND snooping on a VLAN of a device, ND packets received by the interfaces of the VLAN are redirected to the CPU. The CPU uses ND packets to create ND snooping entries comprising source IPv6 address, source MAC address, source VLAN, and receiving port information. The following describes how an ND snooping entry is created, updated, and aged out. 1) Creating an ND snooping entry The device uses a received DAD NS message to create an ND snooping entry. 2) Updating an ND snooping entry Upon receiving an ND packet, the device searches for the corresponding entry of the source IPv6 address, and then checks the ND packet information against the found entry. 1-7
If they are consistent, the device resets the aging timer for the ND snooping entry. If they are inconsistent and the received packet is a DAD NS message, the message is ignored. If they are inconsistent and the received packet is not a DAD NS message, the device performs active acknowledgement. The active acknowledgement process is as follows: The device checks the validity of the existing ND snooping entry. The device sends out a DAD NS message including the IPv6 address of the ND snooping entry every one second for three times at most. If a corresponding NA message (that is, the source IPv6 address, source MAC address, source VLAN, and receiving port information are consistent with those of the existing entry) is received, the device stops sending out DAD NS messages and resets the aging timer. If no corresponding NA message is received within five seconds after the first DAD NS message is sent, the device starts to check the validity of the received packet. To check the validity of the received packet (packet A for example), the device sends out a DAD NS message including the source IPv6 address of packet A every one second for three times at most. If a corresponding NA message (that is, the source IPv6 address, source MAC address, source VLAN, and receiving port information are consistent with those of packet A) is received, the device stops sending out DAD NS messages and updates the corresponding entry. If no corresponding NA message is received within five seconds after the first DAD NS message is sent, the device does not update the entry. 3) Aging out an ND snooping entry An ND snooping entry is aged out after 25 minutes. If an ND snooping entry is not updated for 15 minutes, the device performs active acknowledgement as follows: The device sends out a DAD NS message including the IPv6 address of the ND snooping entry every one second for three times at most. If a corresponding NA message is received (that is, the source IPv6 address, source MAC address, source VLAN, and receiving port information are consistent with those of the existing entry), the device stops sending out DAD NS messages and resets the aging timer. If no corresponding NA message is received within five seconds after the first DAD NS message is sent out, the device removes the entry when the timer expires. Introduction to ND Detection Among the S3100 series Ethernet switches, only the S3100-EI series support ND Detection. Background The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement the following five functions: address resolution, authentication of neighbor reachability, detection of repeated address, router and prefix discovery, and address auto-configuration and redirection. The five types of ICMPv6 used by the ND protocol are as follows: Neighbor Solicitation (NS) Neighbor Advertisement (NA) Router Solicitation (RS) 1-8
Router Advertisement (RA) Redirect The ND protocol functions powerfully, but without any security mechanism, it is apt to be used by attackers. ND attacks usually come from users. Normally, when the device Switch is a Layer-2 access device, ND multiple packets sent by users are broadcast on the VLAN, and ND unicast packets are forwarded on Layer 2. Attackers can imitate other users and gateways to send forged ND packets and attack the network. In Figure 1-5, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) forwards invalid ND packets to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IPv6 address in their ND entry with the MAC address of Host B. Then, the traffic between Host A and C will pass through Host B which acts like a man-in-the-middle that may intercept and modify the communication information. Figure 1-5 ND attack diagram Switch Host A IP_A MAC_A Host C IP_C MAC_C Forged ND packets Forged ND packets Host B IP_B MAC_B A forged ND packet has the following features: The source MAC address in the forged ND packet is inconsistent to that in the link layer address option. The mapping between the source IPv6 address and MAC address in the forged ND packet is not real for legal users. Introduction to ND Detection The ND detection is mainly used in the access device to check users legality. Forward the ND packets of legal users, otherwise, discard them directly to prevent the attack of imitated users and gateways. The ND detection divides the ports on the access device into two types: ND trusted ports and untrusted ports For the trusted ports, the ND detection does not check the users legality; For the untrusted ports, the received RA and RR messages are considered illegal and discarded directly. If other types of ND packets are received, the ND detection checks their legality to prevent the attack of imitated users. 1-9
The user legality check is based on the source IPv6 address and source MAC address in the ND packet to check whether the user is legal on the VLAN where the port receives the packet. The check includes those based on the IPv6 static binding entry, the security entry of ND snooping and of DHCPv6 snooping. If all the three entries above are available, the check processes are as follows: First check the IPv6 static binding entry. If a static binding entry is found corresponding to the source IPv6 address and source MAC address, then the ND packet is considered legal and forwarded. If a static binding entry is found but inconsistent to the source IPv6 address and source MAC address, then the ND packet is considered illegal and discarded. If no static binding entry is found that corresponds to the source IPv6, then keep on checking the security entry of DHCPv6 snooping and ND snooping. After the check based on the IPv6 static binding entry is the check on the security entry of DHCPv6 snooping and ND snooping. If either one is legal, then the ND packet is considered legal and forwarded. If no checks find matched entries, then the packet is considered legal and discarded directly. The IPv6 static binding entry is generated through the ipv6 source static binding command. For more information, see Configuring IPv6 Filtering. The security entry of DHCPv6 snooping is generated automatically through DHCPv6 snooping itself. For more information, see Configuring DHCPv6 Snooping. The security entry of ND snooping is generated automatically through ND snooping itself. For more information, see Configuring ND snooping. Introduction to DHCPv6 Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support DHCPv6 snooping. For the sake of security, the IPv6 addresses used by online DHCPv6 clients need to be tracked for the administrator to verify the corresponding relationship between the IPv6 addresses the DHCPv6 clients obtained from DHCPv6 servers and the MAC addresses of the DHCPv6 clients. As a DHCPv6 security feature, DHCPv6 snooping can implement the following: Recording IP-to-MAC mappings of DHCPv6 clients Ensuring DHCPv6 clients to obtain IP addresses from authorized DHCPv6 servers Recording IPv6-to-MAC mappings of DHCPv6 clients DHCPv6 snooping reads DHCPv6-REQUEST messages and DHCPv6-ACK messages from trusted ports to record DHCPv6 snooping entries, including MAC addresses of clients, IPv6 addresses obtained by the clients, ports that connect to DHCPv6 clients, and VLANs to which the ports belong. With DHCPv6 snooping entries. The network administrator can check out which IPv6 addresses are assigned to the DHCPv6 clients with the display dhcp-snooping ipv6 command. 1-10
Ensuring DHCPv6 clients to obtain IP addresses from authorized DHCPv6 servers If there is an unauthorized DHCPv6 server on a network, the DHCPv6 clients may obtain invalid IPv6 addresses. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted, ensuring the clients to obtain IPv6 addresses from authorized DHCPv6 servers. Trusted: A trusted port forwards DHCPv6 messages normally to guarantee that DHCPv6 clients can obtain valid IPv6 addresses from a DHCPv6 server. Untrusted: An untrusted port discards the DHCPv6 reply message packets from any DHCPv6 server to prevent DHCPv6 clients from receiving invalid IPv6 addresses. Figure 1-6 Configure trusted and untrusted ports DHCPv6 server Untrusted Trusted DHCPv6 snooping Untrusted DHCPv6 client DHCPv6 reply messages Unauthorized DHCPv6 server As shown in Figure 1-6, a DHCPv6 snooping device s port that is connected to an authorized DHCPv6 server should be configured as a trusted port to forward reply messages from the DHCPv6 server, so that the DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server. Introduction to IPv6 Filtering Among the S3100 series Ethernet switches, only the S3100-EI series support IPv6 Filtering. With the IPv6 filtering function enabled on the user access port of the device, the device can block illegal usages of network resources and improve the network security. For example, IPv6 filtering function can prevent an illegal host from pretending to be a legal user to access the network. 1-11
Figure 1-7 Diagram for the IPv6 filtering function The switch can filter invalid IPv6 packets through IPv6 static binding entries or IP-to-MAC address mappings of IPv6 dynamic binding entries. IPv6 Static Binding Entry A static binding is configured manually. It is suitable when there are a few hosts in a LAN or you need to configure a binding entry for a host separately. IPv6 Dynamic Binding Entry You can configure a port to filter arriving IPv6 packets according to DHCPv6 snooping entries or ND snooping entries obtained automatically. Such a port control feature is applicable to a LAN where many hosts reside and DHCPv6 is used, thus effectively preventing problems such as IP address conflicts and IP address spoofing. For details about DHCPv6 snooping, refer to Introduction to DHCPv6 Snooping. For details about ND snooping, refer to Introduction to ND Snooping. Introduction to IPv6 DNS In the IPv6 network, a domain name system (DNS) supporting IPv6 converts domain names into IPv6 addresses. Different from an IPv4 DNS, an IPv6 DNS converts domain names into IPv6 addresses, instead of IPv4 addresses. However, just like an IPv4 DNS, an IPv6 DNS also covers static domain name resolution and dynamic domain name resolution. The function and implementation of these two types of domain name resolution are the same as those of an IPv4 DNS. For details, refer to DNS.. Usually, the DNS server connecting IPv4 and IPv6 networks contain not only A records (IPv4 addresses) but also AAAA records (IPv6 addresses). The DNS server can convert domain names into IPv4 addresses or IPv6 addresses. In this way, the DNS server has the functions of both IPv6 DNS and IPv4 DNS. Protocols and Standards Protocol specifications related to IPv6 include: RFC 1881: IPv6 Address Allocation Management RFC 1887: An Architecture for IPv6 Unicast Address Allocation 1-12
RFC 1981: Path MTU Discovery for IP version 6 RFC 2375: IPv6 Multicast Address Assignments RFC 2460: Internet Protocol, Version 6 (IPv6) Specification. RFC 2461: Neighbor Discovery for IP Version 6 (IPv6) RFC 2462: IPv6 Stateless Address Autoconfiguration RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification RFC 2464: Transmission of IPv6 Packets over Ethernet Networks RFC 2526: Reserved IPv6 Subnet Anycast Addresses RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture RFC 3596: DNS Extensions to Support IP Version 6 IPv6 Configuration Task List Table 1-4 Complete these tasks to configure IPv6: Task Remarks Configuring an IPv6 Unicast Address Configuring IPv6 NDP Configuring a Static IPv6 Route Configuring IPv6 TCP Properties Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time Configuring the Hop Limit of ICMPv6 Reply Packets Configuring ND Snooping Configuring the ND Detection Configuring DHCPv6 Snooping Configuring IPv6 Filtering Configuring IPv6 DNS Displaying and Maintaining IPv6 Configuring an IPv6 Unicast Address An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global unicast address, a site-local address, or a link-local address. To enable a host to access a public IPv6 network, you need to assign an IPv6 global unicast address to it. IPv6 site-local addresses and global unicast addresses can be configured in either of the following ways: EUI-64 format: When the EUI-64 format is adopted to form IPv6 addresses, the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link-layer address of the interface. 1-13
Manual configuration: IPv6 site-local addresses or global unicast addresses are configured manually. IPv6 link-local addresses can be acquired in either of the following ways: Automatic generation: The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/64) and the link-layer address of the interface. Manual assignment: IPv6 link-local addresses can be assigned manually. Table 1-5 Configure an IPv6 unicast address To do... Use the command... Remarks Enter system view system-view Enter VLAN interface view interface interface-type interface-number Configure an IPv6 global unicast address or site-local address Manually assign an IPv6 address Adopt the EUI-64 format to form an IPv6 address ipv6 address { ipv6-address prefix-length ipv6-address/prefix-length } ipv6 address ipv6-address/prefix-length eui-64 Use either command By default, no site-local address or global unicast address is configured for an interface. Note that the prefix specified by the prefix-length argument in an EUI-64 address cannot exceed 64 bits in length. Configure an IPv6 link-local address Automatically generate a link-local address Manually assign a link-local address for an interface. ipv6 address auto link-local ipv6 address ipv6-address link-local By default, after an IPv6 site-local address or global unicast address is configured for an interface, a link-local address will be generated automatically. 1-14
IPv6 unicast addresses can be configured for only one VLAN interface of an H3C S3100 Series Ethernet Switches. Only one global unicast address or one site-local address can be configured for an interface. After an IPv6 site-local address or global unicast address is configured for an interface, a link-local address will be generated automatically. The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command. The manual assignment takes precedence over the automatic generation. That is, if you first adopt the automatic generation and then the manual assignment, the manually assigned link-local address will overwrite the automatically generated one. If you first adopt the manual assignment and then the automatic generation, the automatically generated link-local address will not take effect and the link-local address of an interface is still the manually assigned one. If the manually assigned link-local address is deleted, the automatically generated link-local address takes effect. You must have carried out the ipv6 address auto link-local command before you carry out the undo ipv6 address auto link-local command. However, if an IPv6 site-local address or global unicast address is already configured for an interface, the interface still has a link-local address because the system automatically generates one for the interface. If no IPv6 site-local address or global unicast address is configured, the interface has no link-local address. Configuring IPv6 NDP Configure a static neighbor entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or statically through manual configuration. You can configure a static neighbor entry in two ways: Mapping a VLAN interface to an IPv6 address and a link-layer address Mapping a port in a VLAN to an IPv6 address and a link-layer address If you configure a static neighbor entry in the second way, make sure the corresponding VLAN interface exists. In this case, the device associates the VLAN interface to the IPv6 address to uniquely identify a static neighbor entry. Table 1-6 Configure a static neighbor entry To do... Use the command... Remarks Enter system view system-view Configure a static neighbor entry ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number interface interface-type interface-number } Configure the maximum number of neighbors dynamically learned The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table. Too large a neighbor table may lead to the forwarding performance degradation of the device. Therefore, you can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn. When the number of 1-15
dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information. Table 1-7 Configure the maximum number of neighbors dynamically learned: Enter system view system-view Enter VLAN interface view Configure the maximum number of neighbors dynamically learned by an interface interface interface-type interface-number ipv6 neighbors max-learning-num number The default value is 2,048 Configure the attempts to send an ns message for duplicate address detection The device sends a neighbor solicitation (NS) message for duplicate address detection. If the device does not receive a response within a specified time (set by the ipv6 nd ns retrans-timer command), the device continues to send an NS message. If the device still does not receive a response after the number of attempts to send an NS message reaches the maximum, the device judges the acquired address is available. Table 1-8 Configure the attempts to send an NS message for duplicate address detection Enter system view system-view Enter VLAN interface view Configure the attempts to send an NS message for duplicate address detection interface interface-type interface-number ipv6 nd dad attempts value 1 by default. When the value argument is set to 0, the duplicate address detection is disabled. Configure the NS Interval After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message. You can configure the interval for sending NS messages. Table 1-9 Configure the NS interval Enter system view system-view Enter VLAN interface view Specify the NS interval interface interface-type interface-number ipv6 nd ns retrans-timer value 1,000 milliseconds by default Configure the neighbor reachable timeout time on an interface After a neighbor passed the reachability detection, the device considers the neighbor to be reachable in a specific period. However, the device will examine whether the neighbor is reachable again when there is a need to send packets to the neighbor after the neighbor reachable timeout time elapsed. 1-16
Table 1-10 Configure the neighbor reachable timeout time on an interface Enter system view system-view Enter VLAN interface view Configure the neighbor reachable timeout time interface interface-type interface-number ipv6 nd nud reachable-time value 30,000 milliseconds Configuring a Static IPv6 Route You can configure static IPv6 routes for network interconnection in a small sized IPv6 network. Table 1-11 Configure a static IPv6 route Enter system view system-view Configure a static IPv6 route ipv6 route-static ipv6-address prefix-length [ interface-type interface-number] nexthop-address By default, no static IPv6 route is configured. Configuring IPv6 TCP Properties The IPv6 TCP properties you can configure include: synwait timer: When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails. finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If FIN packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires. Size of IPv6 TCP receiving/sending buffer. Table 1-12 Configure IPv6 TCP properties Enter system view system-view Set the finwait timer of IPv6 TCP packets Set the synwait timer of IPv6 TCP packets Configure the size of IPv6 TCP receiving/sending buffer tcp ipv6 timer fin-timeout wait-time tcp ipv6 timer syn-timeout wait-time tcp ipv6 window size 675 seconds by default 75 seconds by default 8 KB by default 1-17
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time If too many IPv6 ICMP error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of IPv6 ICMP error packets sent within a specified time. Currently, the token bucket algorithm is adopted. You can set the capacity of a token bucket, namely, the number of tokens in the bucket. In addition, you can set the update period of the token bucket, namely, the interval for updating the number of tokens in the token bucket to the configured capacity. One token allows one IPv6 ICMP error packet to be sent. Each time an IPv6 ICMP error packet is sent, the number of tokens in a token bucket decreases by 1. If the number of the IPv6 ICMP error packets that are continuously sent out reaches the capacity of the token bucket, the subsequent IPv6 ICMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency. Table 1-13 Configure the maximum number of IPv6 ICMP error packets sent within a specified time Enter system view system-view Configure the maximum number of IPv6 ICMP error packets sent within a specified time ipv6 icmp-error { bucket bucket-size ratelimit interval }* By default, the capacity of a token bucket is 10 and the update period to 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be sent within an update period. Configuring the Hop Limit of ICMPv6 Reply Packets When sending an ICMPv6 reply packet, the device will fill a configurable value in the Hop Limit field in the ICMPv6 reply packet header. Table 1-14 Configure the hop limit of ICMPv6 reply packets Enter system view system-view Configure the hop limit of ICMPv6 reply packets ipv6 nd hop-limit value 64 by default. Configuring ND Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support ND Snooping. 1-18
Configuring ND snooping Follow these steps to configure ND snooping: Enter system view system-view Enter VLAN view vlan vlan-id Enable ND snooping ipv6 nd snooping enable Disabled by default. Return to system view quit Enter Layer 2 Ethernet interface view Configure the maximum number of ND snooping entries an interface can learn interface interface-type interface-number ipv6 nd snooping max-learning-num number By default, the number of ND snooping entries an interface can learn is 1024. Configuring an ND snooping uplink port In a large Layer 2 network, if an uplink port on the device learns a large number of ND snooping entries, the system resources will be consumed. To prevent such a problem, you can configure the uplink port as an ND snooping uplink port. Follow these steps to configure an ND snooping uplink port: Enter system view system-view Enter Layer 2 Ethernet port view Configure the port as an ND snooping uplink port interface interface-type interface-number ipv6 nd snooping uplink [ learn [ probe ] ] Not configured by default. Configuring the ND Detection Among the S3100 series Ethernet switches, only the S3100-EI series support ND Detection. Follow these steps to configure the ND detection: To do Use the command Remarks Enter system view system-view Enter VLAN view vlan vlan-id Enable the ND Detection ipv6 nd detection enable No check on the user legality Quit system view quit 1-19
To do Use the command Remarks Enter Layer-2 Ethernet interface view Configure the ports requiring no user legality check as ND trusted ports interface interface-type interface-number ipv6 nd detection trust A port is ND untrusted by default When configuring the ND detection, configure at least one of the following three: the IPv6 static binding entry, DHCPv6 snooping, or ND snooping. Otherwise, all the ND packets received from ND untrusted ports are discarded. Configuring DHCPv6 Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support DHCPv6 Snooping. Configuring DHCPv6 snooping Follow these steps to configure DHCPv6 snooping: Enter system view system-view Enable DHCPv6 snooping Enter Ethernet interface view Specify the port as trusted Configure the maximum number of DHCPv6 snooping entries an interface can learn dhcp-snooping ipv6 enable interface interface-type interface-number dhcp-snooping ipv6 trust dhcp-snooping ipv6 max-learning-num number Disabled by default. Untrusted by default. By default, the number of DHCPv6 snooping entries an interface can learn is unlimited. You need to specify the ports connected to the valid DHCPv6 servers as trusted to ensure that DHCPv6 clients can obtain valid IPv6 addresses. The trusted port and the port connected to the DHCPv6 client must be in the same VLAN. 1-20
Configuring DHCPv6 snooping support for DHCPv6 Option 18/Option 37 DHCPv6 Option 37, also known as the DHCPv6 relay agent remote ID option, records the location information of DHCPv6 clients. Option 18, also known as the DHCPv6 interface ID option, records the interface that receives messages from DHCPv6 clients. Upon receiving a DHCPv6 request, the DHCPv6 snooping device that supports DHCPv6 options adds Option 18/Option 37 to the request before forwarding it to the DHCPv6 server. Then the DHCPv6 server assigns an IPv6 address and other parameters as requested. Note that the DHCPv6 snooping support for Option 18/Option 37 setting takes effect only after DHCPv6 snooping is enabled globally. Follow these steps to configure DHCPv6 snooping support for DHCPv6 Option 18/Option 37: Enter system view system-view Enable DHCPv6 snooping to support DHCPv6 options Specify the DHCPv6 option supported by DHCPv6 snooping Configure the DHCPv6 sub-option dhcp-snooping ipv6 information enable dhcp-snooping ipv6 information option { 18 37 } dhcp-snooping ipv6 information remote-id { ipv4-address ipv4-address ipv6-address ipv6-address string string sysname } Not enabled by default. Option 37 is specified by default. Not configured by default. Configuring IPv6 Filtering Among the S3100 series Ethernet switches, only the S3100-EI series support IPv6 filtering. Follow these steps to configure IPv6 filtering: Enter system view system-view Configure an IPv6 binding entry Configure an IPv6 static binding entry Configure to use IPv6 dynamic entries interface interface-type interface-number ipv6 source static binding ip-address ipv6-address [ mac-address mac-address ] [ vlan vlan-id ] Configure DHCPv6 snooping or ND snooping to obtain DHCPv6 snooping entries or ND snooping entries. Use at least one approach. Not configured by default. Enable IPv6 filtering ipv6 check source ip-address [ mac-address ] Disabled by default. 1-21
You cannot configure both IPv6 filtering and port binding. Configuring IPv6 DNS Configure a static host name to IPv6 address mapping You can directly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address. Each host name can correspond to only one IPv6 address. A newly configured IPv6 address will overwrite the previous one. Table 1-15 Configure a static host name to IPv6 address mapping Enter system view system-view Configure a static host name to IPv6 address mapping ipv6 host hostname ipv6-address Configure dynamic DNS resolution If you want to use the dynamic domain name function, you can use the following command to enable the dynamic domain name resolution function. In addition, you should configure a DNS server so that a query request message can be sent to the correct server for resolution. The system can support at most six DNS servers. You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically adds the preset suffix for address resolution. The system can support at most 10 domain name suffixes. Table 1-16 Configure dynamic DNS resolution Enter system view system-view Enable the dynamic domain name resolution function Configure an IPv6 DNS server Configure the domain suffix. dns resolve dns server ipv6 ipv6-address [ interface-type interface-number ] dns domain domain-name Disabled by default. If the IPv6 address of the DNS server is a link-local address, the interface-type and interface-number arguments are required. By default, no domain name suffix is configured, that is, the domain name is resolved according to the input information. The dns resolve and dns domain commands are the same as those of IPv4 DNS. For details about the commands, refer to DNS. 1-22
Displaying and Maintaining IPv6 Display DHCPv6 snooping entries Display DNS domain name suffix information Display IPv6 dynamic domain name cache information. display dhcp-snooping ipv6 { all unit unit-id } display dns domain [ dynamic ] display dns ipv6 dynamic-host Available in any view Available in any view Available in any view Display DNS server information display dns server [ dynamic ] Available in any view Display the FIB entries display ipv6 fib Available in any view Display the mapping between host name and IPv6 address Display the brief IPv6 information of an interface Display neighbor information Display the total number of neighbor entries satisfying the specified conditions Display information about the routing table Display information related to a specified socket Display the statistics of IPv6 packets and IPv6 ICMP packets Display information about IPv6 static binding entries display ipv6 host display ipv6 interface [ interface-type interface-number brief ] display ipv6 neighbors [ ipv6-address all dynamic interface interface-type interface-number static vlan vlan-id ] [ { begin exclude include } regular-expression ] display ipv6 neighbors { all dynamic static interface interface-type interface-number vlan vlan-id } count display ipv6 route-table [ verbose ] display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] display ipv6 statistics display ipv6 source static binding [ vlan vlan-id interface interface-type interface-number unit unit-id ] Available in any view Available in any view Available in any view Available in any view Available in any view Available in any view Available in any view Available in any view Display the ND detection configuration display ipv6 nd detection Available in any view Display the statistics of discarded packets when the ND detection checks the user legality Display ND snooping entries display ipv6 nd detection statistics [ interface interface-type interface-number ] display ipv6 nd snooping [ ipv6-address vlan vlan-id ] Available in any view Available in any view Display the statistics of IPv6 TCP packets display tcp ipv6 statistics Available in any view Display the IPv6 TCP connection status display tcp ipv6 status Available in any view Display the statistics of IPv6 UDP packets display udp ipv6 statistics Available in any view Clear DHCPv6 snooping entries reset dhcp-snooping ipv6 all Available in user view Clear IPv6 dynamic domain name cache information Clear IPv6 neighbor information reset dns ipv6 dynamic-host reset ipv6 neighbors [ all dynamic interface interface-type interface-number static ] Available in user view Available in user view Clear the statistics of IPv6 packets reset ipv6 statistics Available in user view 1-23
Clear the statistics by ND detection Remove ND snooping entries Clear the statistics of all IPv6 TCP packets Clear the statistics of all IPv6 UDP packets reset ipv6 nd detection statistics [ interface interface-type interface-number ] reset ipv6 nd snooping [ ipv6-address vlan vlan-id ] reset tcp ipv6 statistics reset udp ipv6 statistics Available in user view Available in user view Available in user view Available in user view The display dns domain and display dns server commands are the same as those of IPv4 DNS. For details about the commands, refer to DNS. IPv6 Configuration Examples IPv6 Unicast Address Configuration Example Network requirements Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 1. IPv6 addresses are configured for the interface Vlan-interface1 on each switch to verify the connectivity between the two switches. The global unicast address of Switch A is 3001::1/64, and the global unicast address of Switch B is 3001::2/64. Network diagram Figure 1-8 Network diagram for IPv6 address configuration Configuration procedure 1) Configure Switch A. # Configure an automatically generated link-local address for the interface Vlan-interface1. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ipv6 address auto link-local # Configure a global unicast address for the interface Vlan-interface1. [SwitchA-Vlan-interface1] ipv6 address 3001::1/64 2) Configure Switch B. # Configure an automatically generated link-local address for the interface Vlan-interface1. <SwitchA> system-view [SwitchB] interface Vlan-interface 1 [SwitchB-Vlan-interface1] ipv6 address auto link-local # Configure a global unicast address for the interface Vlan-interface1. 1-24