H3C S9500 Series Operating instructions

H3C S9500 Series Routing Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: T2-081655-20080530-C-2.03
Product Version: S9500-CMW520-R2132
Copyright © 2007-2008, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
To obtain the latest information, please access:
http://www.h3c.com
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Related Documentation
In addition to this manual, each H3C S9500 Series Routing Switches documentation set includes the following:
Manual: H3C S9500 Series Routing Switches Installation Manual
Description: Introduces the installation procedure, commissioning, maintenance and monitoring of the S9500 series routing switches.
Manual: H3C S9500 Series Routing Switches Command Manual
Description: Includes Feature List and Command Index, Access Volume, IP Service Volume, IP Routing Volume, IP Multicast Volume, MPLS VPN Volume, QoS ACL Volume, Security Volume, System Volume, and unsupported commands.
Organization
H3C Configuration Manual is organized as follows:
Part 00 Product Overview: includes Obtaining the Documentation, Product Features, and Features.
Part 01 Access Volume: includes Ethernet Interface Configuration, POS Interface Configuration, GVRP Configuration, Link Aggregation Configuration, Port Mirroring Configuration, RPR Configuration, Ethernet OAM Configuration, MSTP Configuration, VLAN Configuration, QinQ Configuration, BPDU Tunneling Configuration, and Port Isolation Configuration.
Part 02 IP Services Volume: includes ARP Configuration, DHCP Configuration, DNS Configuration, IP Addressing Configuration, IP Performance Configuration, UDP Helper Configuration, IPv6 Basics Configuration, Dual Stack Configuration, Tunneling Configuration, and Adjacency Table Configuration.
Part 03 IP Routing Volume: includes IP Routing Overview, BGP Configuration, IS-IS Configuration, OSPF Configuration, RIP Configuration, Routing Policy Configuration, Static Routing Configuration, IPv6 BGP Configuration, IPv6 IS-IS Configuration, IPv6 OSPFv3 Configuration, IPv6 RIPng Configuration, and IPv6 Static Routing Configuration.
Part 04 IP Multicast Volume: includes Multicast Overview, Multicast Routing and Forwarding Configuration, IGMP Snooping Configuration, IGMP Configuration, PIM Configuration, MSDP Configuration, IPv6 Multicast Routing and Forwarding Configuration, MLD Snooping Configuration, MLD Configuration, IPv6 PIM Configuration, and Multicast VLAN Configuration.
Part 05 MPLS VPN Volume: includes MPLS Basics Configuration, MPLS TE Configuration, VPLS Configuration, MPLS L2VPN Configuration, MPLS L3VPN Configuration, MPLS Hybrid Insertion Configuration, and GRE Configuration.
Part 06 QoS ACL Volume: includes QoS Configuration and ACL Configuration.
Part 07 Security Volume: includes 802.1x Configuration, AAA RADIUS HWTACACS Configuration, MAC Authentication Configuration, L3+NAT Configuration, Password Control Configuration, SSH2.0 Configuration, and Portal Configuration.
Part 08 System Volume: includes GR Configuration, VRRP Configuration, HA Configuration, Device Management Configuration, NQA Configuration, NetStream Configuration, NTP Configuration, RMON Configuration, SNMP Configuration, File System Management Configuration, System Maintaining and Debugging Configuration, Basic System Configuration, Information Center Configuration, User Interface Configuration, MAC Address Table Management Configuration, PoE Configuration, and Clock Monitoring Configuration.
Part 09 OAA Volume: includes OAP Module Configuration and ACSEI Configuration.
Part 10 Acronyms: offers the acronyms used in this manual.
Conventions
The manual uses the following conventions:
I. Command conventions
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is a comment.
II. GUI conventions
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
III. Symbols
Warning: Means the reader should be extremely careful. Improper operation may cause bodily injury.
Caution: Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
Note: Means a complementary description.
Operation Manual
H3C S9500 Series Routing Switches – IP Services Volume Organization
Manual Version: T2-081655-20080530-C-2.03
Product Version: S9500-CMW520-R2132
Organization
The IP Services Volume is organized as follows (feature covered by the operation manual, followed by its description):
ARP
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. The volume describes:
- ARP overview
- ARP configuration
- Proxy ARP configuration
DHCP
DHCP is built on a client-server model, in which the client sends a configuration request and the server returns a reply carrying configuration parameters such as an IP address to the client. The volume describes:
- DHCP overview
- DHCP server configuration
- DHCP relay agent configuration
DNS
Used in TCP/IP applications, the Domain Name System (DNS) is a distributed database that provides translation between domain names and IP addresses. The volume describes:
- Introduction to DNS
- DNS configuration
IP Address
An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. The volume describes:
- Introduction to IP addresses
- IP address configuration
- IP unnumbered configuration
IP Performance
In some network environments, you need to adjust the IP parameters to achieve the best network performance. The volume describes:
- IP performance overview
- IP performance configuration
UDP Helper
UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. The volume describes:
- UDP Helper overview
- UDP Helper configuration
IPv6 Basics
Internet Protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The volume describes:
- IPv6 overview
- Basic IPv6 functions configuration
- IPv6 NDP configuration
- PMTU discovery configuration
- IPv6 TCP properties configuration
- IPv6 FIB-based forwarding configuration
- Capacity and update period of token bucket configuration
- IPv6 DNS configuration
Dual Stack
A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can transmit both IPv4 and IPv6 packets. The volume describes:
- Dual stack overview
- Dual stack configuration
Tunneling
Tunneling is an encapsulation technique that uses one network transport protocol to encapsulate packets of another network transport protocol and transfer them over the network. The volume describes:
- Tunneling overview
- IPv6 manual tunnel configuration
- Automatic IPv4-compatible IPv6 tunnel configuration
- 6to4 tunnel configuration
- 6to4 relay configuration
- ISATAP tunnel configuration
- IPv4 over IPv4 tunnel configuration
- Tunnel hybrid insertion configuration
Adjacency Table
An adjacency table manages the information on the neighbors that are both connected and active. The volume describes:
- Adjacency table overview
- Displaying and maintaining the adjacency table
Operation Manual – ARP
H3C S9500 Series Routing Switches
Table of Contents
Chapter 1 ARP Configuration
1.1 ARP Overview
1.1.1 ARP Function
1.1.2 ARP Message Format
1.1.3 ARP Address Resolution Process
1.1.4 ARP Mapping Table
1.2 Configuring ARP
1.2.1 Configuring a Static ARP Entry
1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn
1.2.3 Setting Aging Time for Dynamic ARP Entries
1.2.4 Enabling the ARP Entry Check
1.2.5 Enabling the Support for ARP Requests from a Natural Network
1.2.6 ARP Configuration Examples
1.3 Configuring Gratuitous ARP
1.3.1 Introduction to Gratuitous ARP
1.3.2 Configuring Gratuitous ARP
1.4 Configuring ARP Source Suppression
1.4.1 Introduction to ARP Source Suppression
1.4.2 Configuring ARP Source Suppression
1.5 Configuring ARP Defense Against IP Packet Attack
1.5.1 Introduction to ARP Defense Against IP Packet Attack
1.5.2 Enabling ARP Defense Against IP Packet Attack
1.6 Configuring ARP Active Acknowledgement
1.6.1 Introduction
1.6.2 Configuring the ARP Active Acknowledgement Function
1.7 Configuring ARP Packet Source MAC Address Consistency Check
1.7.1 Introduction
1.7.2 Configuring ARP Packet Source MAC Address Consistency Check
1.8 Displaying and Maintaining ARP
Chapter 2 Proxy ARP Configuration
2.1 Proxy ARP Overview
2.2 Enabling Proxy ARP
2.3 Displaying and Maintaining Proxy ARP
2.4 Proxy ARP Configuration Example
Chapter 1 ARP Configuration
When configuring ARP, go to these sections for information you are interested in:
- ARP Overview
- Configuring ARP
- Configuring Gratuitous ARP
- Configuring ARP Source Suppression
- Configuring ARP Defense Against IP Packet Attack
- Configuring ARP Active Acknowledgement
- Configuring ARP Packet Source MAC Address Consistency Check
- Displaying and Maintaining ARP
1.1 ARP Overview
1.1.1 ARP Function
Address resolution protocol (ARP) is used to resolve an IP address into a data link layer
address.
An IP address is the address of a host at the network layer. To send a network layer
packet to a destination host, the device must know the MAC address of the destination
host or the next hop. To this end, the IP address must be resolved into the
corresponding MAC address. Each host maintains an IP-to-MAC mapping table that
contains IP and MAC addresses of devices that communicated with the host recently.
1.1.2 ARP Message Format
Figure 1-1 ARP message format: a 28-byte ARP request/response consisting of hardware type (2 bytes), protocol type (2 bytes), hardware address length (1 byte), protocol address length (1 byte), OP (2 bytes), sender hardware address (6 bytes), sender protocol address (4 bytes), target hardware address (6 bytes), and target protocol address (4 bytes).
The following explains the fields in Figure 1-1.
- Hardware type: This field specifies the type of a hardware address. The value “1” represents an Ethernet address.
- Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800” represents an IP address.
- Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is “6”. For an IP(v4) address, the value of the protocol address length field is “4”.
- OP: Operation code. This field specifies the type of ARP message. The value “1” represents an ARP request and “2” represents an ARP reply.
- Sender hardware address: This field specifies the hardware address of the device sending the message.
- Sender protocol address: This field specifies the protocol address of the device sending the message.
- Target hardware address: This field specifies the hardware address of the device the message is being sent to.
- Target protocol address: This field specifies the protocol address of the device the message is being sent to.
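As an added example (not code from this manual or from Comware), the following Python decodes and builds the 28-byte Ethernet/IPv4 ARP message laid out in Figure 1-1, using the Host A and Host B addresses of Figure 1-2 as sample values; the length checks reject truncated messages and ignore Ethernet minimum-frame padding.

```python
"""Decode and build the 28-byte ARP message of Figure 1-1 (Ethernet/IPv4).

Added example; this is not code from the H3C manual or from Comware. The
sample addresses are the Host A / Host B values of Figure 1-2.
"""
import struct
from dataclasses import dataclass

# Fixed-width header from Figure 1-1: hardware type (2), protocol type (2),
# hardware address length (1), protocol address length (1), OP (2).
ARP_HEADER = struct.Struct("!HHBBH")
HW_ETHERNET = 1        # hardware type value for Ethernet
PROTO_IPV4 = 0x0800    # protocol type value for IPv4
OP_REQUEST = 1
OP_REPLY = 2


@dataclass
class ArpMessage:
    op: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def mac_to_bytes(mac: str) -> bytes:
    """Accepts H3C style 'aabb.ccdd.eeff' as well as colon or hyphen notation."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def mac_to_str(mac: bytes) -> str:
    """Render 6 bytes in the dotted form used by the manual, e.g. 0002.6779.0f4c."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return bytes(octets)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialise one Ethernet/IPv4 ARP message (always 28 bytes)."""
    header = ARP_HEADER.pack(HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> ArpMessage:
    """Decode an ARP message, rejecting anything that is not Ethernet/IPv4.

    The length fields are checked against the actual payload so that a
    truncated message cannot be misread as a valid mapping; trailing
    Ethernet padding beyond the 28 bytes is ignored.
    """
    if len(payload) < ARP_HEADER.size:
        raise ValueError("truncated ARP header")
    hw_type, proto_type, hlen, plen, op = ARP_HEADER.unpack_from(payload)
    if hw_type != HW_ETHERNET or proto_type != PROTO_IPV4:
        raise ValueError("unsupported hardware or protocol type")
    if hlen != 6 or plen != 4:
        raise ValueError("hardware/protocol address lengths must be 6 and 4")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError("unknown OP code %d" % op)
    body_len = 2 * (hlen + plen)
    body = payload[ARP_HEADER.size:ARP_HEADER.size + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ARP body")
    sha = body[0:hlen]
    spa = body[hlen:hlen + plen]
    tha = body[hlen + plen:2 * hlen + plen]
    tpa = body[2 * hlen + plen:2 * hlen + 2 * plen]
    return ArpMessage(op, sha, spa, tha, tpa)


def is_valid_arp(payload: bytes) -> bool:
    """True if parse_arp() accepts the payload, False otherwise."""
    try:
        parse_arp(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Step 2 of section 1.1.3: Host A broadcasts a request with an all-zero
    # target MAC; step 3: Host B answers with a unicast reply.
    request = build_arp(OP_REQUEST, "0002.6779.0f4c", "192.168.1.1",
                        "0000.0000.0000", "192.168.1.2")
    reply = build_arp(OP_REPLY, "00a0.2470.febc", "192.168.1.2",
                      "0002.6779.0f4c", "192.168.1.1")
    for msg in (parse_arp(request), parse_arp(reply)):
        print(msg.op, mac_to_str(msg.sender_mac), mac_to_str(msg.target_mac))
```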
1.1.3 ARP Address Resolution Process
Figure 1-2 ARP address resolution process: Host A (IP address 192.168.1.1, MAC address 0002.6779.0f4c) broadcasts an ARP request with sender IP address 192.168.1.1, sender MAC address 0002.6779.0f4c, target IP address 192.168.1.2 and target MAC address 0000.0000.0000; Host B (IP address 192.168.1.2, MAC address 00a0.2470.febc) answers with an ARP reply with sender IP address 192.168.1.2, target IP address 192.168.1.1 and target MAC address 0002.6779.0f4c.
Suppose that Host A and Host B are on the same subnet and that Host A sends a
message to Host B. The resolution process is as follows:
1) Host A looks in its ARP mapping table to see whether there is an ARP entry for
Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate
the IP packet into a data link layer frame and sends the frame to Host B.
2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an
ARP request, in which the source IP address and source MAC address are
respectively the IP address and MAC address of Host A and the destination IP
address and MAC address are respectively the IP address of Host B and an
all-zero MAC address. Because the ARP request is sent in broadcast mode, all
hosts on this subnet can receive the request, but only the requested host (namely,
Host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP
request. If they are the same, Host B saves the source IP address and source
MAC address into its ARP mapping table, encapsulates its MAC address into an
ARP reply, and unicasts the reply to Host A.
4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP
mapping table for subsequent packet forwarding. Meanwhile, Host A
encapsulates the IP packet and sends it out.
If Host A and Host B are not on the same subnet, Host A first sends an ARP request to
the gateway. The target IP address in the ARP request is the IP address of the gateway.
After obtaining the MAC address of the gateway from an ARP reply, Host A sends the
packet to the gateway. If the gateway maintains the ARP entry of Host B, it forwards the
packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP
address is the IP address of Host B. After obtaining the MAC address of Host B, the
gateway sends the packet to Host B.
1.1.4 ARP Mapping Table
After obtaining the destination MAC address, the device adds the IP-to-MAC mapping
into its own ARP mapping table. This mapping is used for forwarding packets with the
same destination in future.
An ARP mapping table contains ARP entries, which fall into two categories: dynamic
and static.
1) A dynamic entry is automatically created and maintained by ARP. It can get aged,
be updated by a new ARP packet, or be overwritten by a static ARP entry. When
the aging timer expires or the interface goes down, the corresponding dynamic
ARP entry will be removed.
2) A static ARP entry is manually configured and maintained. It cannot get aged or be
overwritten by a dynamic ARP entry. It can be permanent or non-permanent.
- A permanent static ARP entry can be directly used to forward packets. When configuring a permanent static ARP entry, you must configure a VLAN and outbound interface for the entry besides the IP address and MAC address.
- A non-permanent static ARP entry cannot be directly used for forwarding data. When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device sends an ARP request. If the source IP and MAC addresses in the received ARP reply are the same as the configured IP and MAC addresses, the device adds the interface receiving the ARP reply into the static ARP entry. Now the entry can be used for forwarding IP packets.
Note:
Usually, ARP discovers and maintains IP-to-MAC mappings dynamically and automatically, without manual intervention.
1.2 Configuring ARP
1.2.1 Configuring a Static ARP Entry
A static ARP entry is effective when the device works normally. However, when a VLAN
or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if
permanent, will be deleted, and if non-permanent and resolved, will become
unresolved.
Follow these steps to configure a static ARP entry:
1. Enter system view: system-view
2. Configure a permanent static ARP entry: arp static ip-address mac-address [ vlan-id interface-type interface-number ] [ vpn-instance-name ] (Required. No permanent static ARP entry is configured by default.)
3. Configure a non-permanent static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ] (Required. No non-permanent static ARP entry is configured by default.)
Caution:
The vlan-id argument must be the ID of an existing VLAN which corresponds to the
ARP entries. In addition, the Ethernet interface following the argument must belong to
that VLAN.
1.2.2 Configuring the Maximum Number of ARP Entries a VLAN Interface Can Learn
Follow these steps to set the maximum number of dynamic ARP entries that a VLAN
interface can learn:
1. Enter system view: system-view
2. Enter VLAN interface view: interface vlan-interface interface-number
3. Set the maximum number of dynamic ARP entries that the interface can learn: arp max-learning-num number (Optional. 4096 by default.)
1.2.3 Setting Aging Time for Dynamic ARP Entries
After dynamic ARP entries expire, the system will delete them from the ARP mapping
table. You can adjust the aging time for dynamic ARP entries according to the actual
network condition.
Follow these steps to set aging time for dynamic ARP entries:
1. Enter system view: system-view
2. Set aging time for dynamic ARP entries: arp timer aging aging-time (Optional. 20 minutes by default.)
1.2.4 Enabling the ARP Entry Check
The ARP entry check function disables a device from learning multicast MAC
addresses. With the ARP entry check enabled, the device cannot learn any ARP entry
with a multicast MAC address, and configuring such a static ARP entry is not allowed;
otherwise, the system displays error messages.
After the ARP entry check is disabled, the device can learn multicast ARP entries, and
you can also configure such static ARP entries on the device.
Follow these steps to enable the ARP entry check:
1. Enter system view: system-view
2. Enable the ARP entry check: arp check enable (Optional. Enabled by default, that is, the device does not learn multicast MAC addresses.)
1.2.5 Enabling the Support for ARP Requests from a Natural Network
When learning MAC addresses, if the device finds that the source IP address of an
ARP packet and the IP address of the inbound interface are not on the same subnet,
the device will further judge whether these two IP addresses are on the same natural
network.
Suppose that the IP address of Vlan-interface10 is 10.10.10.5/24 and that this interface
receives an ARP packet from 10.11.11.1/8. Because these two IP addresses are not on
the same subnet, Vlan-interface10 cannot process the packet. With this feature
enabled, the device will make judgment on natural network basis. Because the IP
address of Vlan-interface10 is a Class A address and its default mask length is 8, these
two IP addresses are on the same natural network. In this way, Vlan-interface10 can
learn the MAC address of the source IP address 10.11.11.1.
Follow these steps to enable the support for ARP requests from a natural network:
1. Enter system view: system-view
2. Enable the support for ARP requests from a natural network: naturemask-arp enable (Required. Disabled by default.)
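The natural-network decision described above, as an added example that is not H3C code: it reproduces the manual's case (interface 10.10.10.5/24 receiving an ARP packet from 10.11.11.1) and shows which ARP sources a VLAN interface would learn with and without naturemask-arp enable. The classful mask is derived from the interface address, as the manual states.

```python
"""Classful 'natural network' test behind naturemask-arp enable (section 1.2.5).

Added example, not H3C code. It reproduces the manual's case: the interface
address 10.10.10.5/24 and the ARP source 10.11.11.1 are not on the same
subnet, but both lie in the Class A natural network 10.0.0.0/8.
"""
import ipaddress


def natural_prefix_length(ip: str) -> int:
    """Default (classful) mask length implied by the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return 8      # Class A
    if first < 192:
        return 16     # Class B
    if first < 224:
        return 24     # Class C
    raise ValueError("no natural mask for a Class D/E address: %s" % ip)


def same_subnet(iface_addr: str, peer_ip: str) -> bool:
    """Is peer_ip inside the subnet configured on the interface (e.g. 10.10.10.5/24)?"""
    return ipaddress.IPv4Address(peer_ip) in ipaddress.IPv4Interface(iface_addr).network


def same_natural_network(iface_addr: str, peer_ip: str) -> bool:
    """Compare using the classful mask of the interface address, as the manual describes."""
    ip = ipaddress.IPv4Interface(iface_addr).ip
    natural = ipaddress.IPv4Network("%s/%d" % (ip, natural_prefix_length(str(ip))),
                                    strict=False)
    return ipaddress.IPv4Address(peer_ip) in natural


def accept_arp_source(iface_addr: str, arp_source_ip: str, naturemask_arp: bool) -> bool:
    """Would the VLAN interface learn the sender of this ARP packet?

    Without naturemask-arp, only on-subnet sources are learned. With it, an
    off-subnet source is still learned if it shares the natural network.
    """
    if same_subnet(iface_addr, arp_source_ip):
        return True
    return naturemask_arp and same_natural_network(iface_addr, arp_source_ip)


if __name__ == "__main__":
    # The manual's example: Vlan-interface10 is 10.10.10.5/24, packet from 10.11.11.1.
    print(accept_arp_source("10.10.10.5/24", "10.11.11.1", naturemask_arp=False))  # False
    print(accept_arp_source("10.10.10.5/24", "10.11.11.1", naturemask_arp=True))   # True
```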
1.2.6 ARP Configuration Examples
I. Network requirements
- Disable ARP entry check.
- Set the aging time for dynamic ARP entries to 10 minutes.
- Enable the support for ARP requests from a natural network.
- Set the maximum number of dynamic ARP entries that VLAN-interface 10 can learn to 1,000.
- Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 00e0-fc01-0000, and the outbound interface being Ethernet1/1/1 of VLAN 10.
- Add a static ARP entry, with the IP address being 192.168.1.1/24, the MAC address being 000F-E201-0070, and the outbound interface being Ethernet 1/1/1 of VLAN 10.
II. Configuration procedure
<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] arp timer aging 10
[Sysname] naturemask-arp enable
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port access vlan 10
[Sysname-Ethernet1/1/1] quit
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] arp max-learning-num 1000
[Sysname-Vlan-interface10] quit
[Sysname] arp static 192.168.1.1 000f-e201-0070 10 ethernet1/1/1
1.3 Configuring Gratuitous ARP
1.3.1 Introduction to Gratuitous ARP
A gratuitous ARP packet is a special ARP packet, in which the source IP address and
destination IP address are both the IP address of the sender, the source MAC address
is the MAC address of the sender, and the destination MAC address is a broadcast
address.
A device can implement the following functions by sending gratuitous ARP packets:
- Determining whether its IP address is already used by another device.
- Informing other devices of its MAC address change so that they can update their ARP entries.
Upon receiving a gratuitous ARP packet, the device will do the following:
- If no corresponding ARP entry for the ARP packet is found in the cache, the device adds the information carried in the packet to its own dynamic ARP entry table.
- If the source IP address of the ARP packet is identical to its own IP address, the device returns an ARP reply to inform the sender of an address conflict.
1.3.2 Configuring Gratuitous ARP
Follow these steps to configure gratuitous ARP:
1. Enter system view: system-view
2. Enable the device to send gratuitous ARP packets when receiving ARP requests from another network segment: gratuitous-arp-sending enable (Optional. By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment.)
3. Enable the gratuitous ARP packet learning function: gratuitous-arp-learning enable (Required. Disabled by default.)
1.4 Configuring ARP Source Suppression
1.4.1 Introduction to ARP Source Suppression
If hosts on a network attack the device by sending large amounts of IP packets whose destination IP addresses cannot be resolved, the following consequences result:
- The device sends large amounts of ARP request messages to the destination subnet, which increases the load of the destination subnet.
- The device continuously resolves destination IP addresses, which increases the load of the CPU.
To protect against such attacks, S9500 series switches provide the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.
1.4.2 Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:
1. Enter system view: system-view
2. Enable ARP source suppression: arp source-suppression enable (Required. Disabled by default.)
3. Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds: arp source-suppression limit limit-value (Optional. 10 by default.)
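The suppression rule of section 1.4.1 as an added, runnable model (not the switch's implementation): per-source counting of unresolvable packets in five-second windows, with the default limit of 10 and a five-second suppression period taken from the manual. The window bookkeeping and the event timestamps are assumptions constructed for the example.

```python
"""Model of ARP source suppression (section 1.4): count IP packets with
unresolvable destination addresses per source host in 5-second windows and
suppress a host that exceeds the limit for the following 5 seconds.

Added example, not the switch's implementation. The event times are
constructed; the 5-second window and the default limit of 10 are the
manual's values, and the window bookkeeping is an assumption.
"""
from collections import defaultdict

WINDOW_SECONDS = 5.0


class ArpSourceSuppression:
    def __init__(self, limit: int = 10, enabled: bool = False):
        # enabled / limit mirror 'arp source-suppression enable' and
        # 'arp source-suppression limit limit-value' (disabled, 10 by default).
        self.limit = limit
        self.enabled = enabled
        self._window_start = {}          # src IP -> start of its current window
        self._count = defaultdict(int)   # src IP -> unresolvable packets in window
        self._suppressed_until = {}      # src IP -> time when suppression ends

    def is_suppressed(self, src_ip: str, now: float) -> bool:
        return now < self._suppressed_until.get(src_ip, float("-inf"))

    def unresolvable_packet(self, src_ip: str, now: float) -> bool:
        """Called for each IP packet whose destination ARP cannot resolve.

        Returns True if the packet may trigger an ARP request, False if the
        source host is currently suppressed.
        """
        if not self.enabled:
            return True
        if self.is_suppressed(src_ip, now):
            return False
        start = self._window_start.get(src_ip)
        if start is None or now - start >= WINDOW_SECONDS:
            self._window_start[src_ip] = now     # open a fresh 5 s window
            self._count[src_ip] = 0
        self._count[src_ip] += 1
        if self._count[src_ip] > self.limit:
            # Limit exceeded: no ARP requests for this host for the next 5 s.
            self._suppressed_until[src_ip] = now + WINDOW_SECONDS
            self._window_start.pop(src_ip, None)
            self._count.pop(src_ip, None)
            return False
        return True


def simulate(events, limit: int = 10):
    """Replay (time, src_ip) events; return one allowed/suppressed flag per event."""
    s = ArpSourceSuppression(limit=limit, enabled=True)
    return [s.unresolvable_packet(src, t) for t, src in events]


if __name__ == "__main__":
    # Constructed burst: one host sends 12 unresolvable packets within 1.1 s.
    burst = [(0.1 * i, "10.1.1.7") for i in range(12)]
    print(simulate(burst))   # first 10 allowed, then suppressed
```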
1.5 Configuring ARP Defense Against IP Packet Attack
1.5.1 Introduction to ARP Defense Against IP Packet Attack
In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of
the next hop. If the address resolution is successful, the forwarding chip forwards the
packet directly. Otherwise, the device runs software for further processing. When large
amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops
arrive at a device, the software on the device will be called again and again and the
CPU of the device will be overburdened. This is called IP packet attack.
To protect a device against IP packet attack, you can configure the ARP defense against IP packet attack function. After receiving an IP packet whose next hop IP address is unreachable (an IP packet for which ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all subsequent packets to that address. Note that a black hole route can age out, in which case a subsequent IP packet with the same next hop triggers the above process again. This protects the device against IP packet attack efficiently, reducing the load on the CPU.
1.5.2 Enabling ARP Defense Against IP Packet Attack
The ARP defense against IP packet attack function works for forwarded packets and
those originated by the device.
Follow these steps to configure ARP defense against IP packet attack:
1. Enter system view: system-view
2. Enable ARP defense against IP packet attack: arp resolving-route enable (Optional. Enabled by default.)
1.6 Configuring ARP Active Acknowledgement
1.6.1 Introduction
Typically, the ARP active acknowledgement feature is configured on gateway devices
to identify invalid ARP packets.
With this feature enabled, the gateway, upon receiving an ARP packet with a different
source MAC address from that in the corresponding ARP entry, checks whether the
ARP entry has been updated within the last minute:
- If yes, the gateway ignores the ARP packet;
- If not, the gateway sends a unicast request to the source MAC address of the ARP entry.
Then,
- If a response is received within five seconds, the ARP packet is ignored;
- If no response is received, the gateway sends a unicast request to the MAC address of the ARP packet.
Then,
- If a response is received within five seconds, the gateway updates the ARP entry;
- If not, the ARP entry is not updated.
1.6.2 Configuring the ARP Active Acknowledgement Function
Follow these steps to configure ARP active acknowledgement:
1. Enter system view: system-view
2. Enable the ARP active acknowledgement function: arp anti-attack active-ack enable (Required. Disabled by default.)
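The decision sequence of section 1.6.1 as an added example (not Comware code): the gateway's three-stage check for an ARP packet whose source MAC differs from the stored entry. The probe callback, the entry structure and the sample timestamps are assumptions of the example; the one-minute freshness window and the two unicast probes follow the manual.

```python
"""Decision sequence of ARP active acknowledgement (section 1.6.1).

Added example, not Comware code. `probe(mac)` stands in for 'send a unicast
ARP request to this MAC and wait up to five seconds for a reply'; callers
supply it, so the logic can be exercised without a network. Entries and
packets below are constructed.
"""
from dataclasses import dataclass
from typing import Callable

RECENT_UPDATE_SECONDS = 60.0   # "updated within the last minute"


@dataclass
class ArpEntry:
    ip: str
    mac: str
    updated_at: float   # time of the last update, same clock as `now`


def make_probe(responding_macs: set) -> Callable[[str], bool]:
    """Build a probe that answers True only for MACs in the given set."""
    return lambda mac: mac in responding_macs


class RecordingProbe:
    """Probe that records which MACs were queried and never gets a reply."""

    def __init__(self):
        self.calls = []

    def __call__(self, mac: str) -> bool:
        self.calls.append(mac)
        return False


def handle_arp_packet(entry: ArpEntry, pkt_ip: str, pkt_mac: str,
                      now: float, probe: Callable[[str], bool]) -> str:
    """Apply the gateway's active-acknowledgement rules to one ARP packet.

    Returns 'updated' when the entry's MAC was replaced, 'ignored' when the
    packet was discarded, and 'same-mac' when the feature does not apply.
    """
    if entry.ip != pkt_ip:
        raise ValueError("packet does not belong to this entry")
    if pkt_mac == entry.mac:
        return "same-mac"            # no conflict; ordinary ARP processing
    if now - entry.updated_at < RECENT_UPDATE_SECONDS:
        return "ignored"             # entry is fresh: drop without probing
    if probe(entry.mac):
        return "ignored"             # current owner still answers
    if probe(pkt_mac):
        entry.mac = pkt_mac          # old owner silent, new MAC confirmed
        entry.updated_at = now
        return "updated"
    return "ignored"                 # nobody answered: keep the entry as is


if __name__ == "__main__":
    # Constructed scenario: a packet claims 192.168.1.1 is now at 00e0.fc01.0000.
    e = ArpEntry("192.168.1.1", "0002.6779.0f4c", updated_at=100.0)
    print(handle_arp_packet(e, "192.168.1.1", "00e0.fc01.0000", 200.0,
                            make_probe({"00e0.fc01.0000"})), e.mac)
```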
1.7 Configuring ARP Packet Source MAC Address Consistency Check
1.7.1 Introduction
This feature enables the device to filter out ARP packets with the source MAC address
in the Ethernet header different from the sender MAC address in the ARP message.
1.7.2 Configuring ARP Packet Source MAC Address Consistency Check
Follow these steps to enable ARP packet source MAC address consistency check:
1. Enter system view: system-view
2. Enable ARP packet source MAC address consistency check: arp anti-attack valid-check enable (Required. Disabled by default.)
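The consistency check of section 1.7.1 applied to raw frames, as an added example that is not the switch's code: it compares the Ethernet source MAC with the sender hardware address inside the ARP message and drops mismatches only when the check is enabled. The frames are constructed here and assumed untagged (no 802.1Q header shifting the offsets).

```python
"""ARP packet source MAC address consistency check (section 1.7.1) over raw
Ethernet frames.

Added example, not the switch's code. Frames are constructed in this file and
assumed untagged; the check compares the Ethernet header's source MAC with the
sender hardware address inside the ARP message.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_MSG_LEN = 28
ARP_SENDER_MAC_OFFSET = 8   # after hw type, proto type, hlen, plen, op


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", "").replace("-", "").replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def make_arp_request(eth_src: str, arp_sender_mac: str,
                     sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request; eth_src and arp_sender_mac may differ."""
    eth = _mac("ffff.ffff.ffff") + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet/IPv4 request
    arp += _mac(arp_sender_mac) + _ip(sender_ip) + bytes(6) + _ip(target_ip)
    return eth + arp


def arp_source_mac_consistent(frame: bytes) -> bool:
    """True if the Ethernet source MAC equals the ARP sender hardware address."""
    if len(frame) < ETH_HDR_LEN + ARP_MSG_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    eth_src = frame[6:12]
    start = ETH_HDR_LEN + ARP_SENDER_MAC_OFFSET
    return eth_src == frame[start:start + 6]


def filter_arp_frames(frames, valid_check_enabled: bool) -> list:
    """Frames the device passes on; with the check enabled, inconsistent ones are dropped."""
    return [f for f in frames
            if not valid_check_enabled or arp_source_mac_consistent(f)]


if __name__ == "__main__":
    # Constructed frames: one consistent, one whose ARP sender MAC disagrees
    # with the Ethernet source MAC.
    good = make_arp_request("0002.6779.0f4c", "0002.6779.0f4c", "192.168.1.1", "192.168.1.2")
    bad = make_arp_request("0002.6779.0f4c", "00e0.fc01.0000", "192.168.1.1", "192.168.1.2")
    print(len(filter_arp_frames([good, bad], valid_check_enabled=True)))   # 1
```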
1.8 Displaying and Maintaining ARP
Display the ARP entries in the ARP mapping table: display arp { { all | dynamic | static } [ slot slot-id ] | vlan vlan-id | interface interface-type interface-number } [ [ verbose ] [ | { begin | exclude | include } text ] | count ] (Available in any view)
Display the ARP entries for a specified IP address: display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude | include } text ] (Available in any view)
Display the ARP entries for a specified VPN instance: display arp vpn-instance vpn-instance-name [ | { begin | exclude | include } text | count ] (Available in any view)
Display the aging time for dynamic ARP entries: display arp timer aging (Available in any view)
Display the configuration information of ARP source suppression: display arp source-suppression (Available in any view)
Clear ARP entries from the ARP mapping table: reset arp { all | dynamic | static | slot slot-id | interface interface-type interface-number } (Available in user view)