
AR Router Maintenance Guide-FAQ(IP Service)

Latest reply: May 20, 2020 21:51:19

2.7  IP Service

2.7.1  How Do I View the DNS Configuration of Devices?

Run the display current-configuration | include dns command.

2.7.2  When Configuring Static DNS Entries, Do I Have to Enable Dynamic DNS Resolution?

No, you do not need to enable dynamic domain name service (DNS) resolution when configuring static domain name service (DNS) entries. You must enable dynamic DNS resolution when configuring dynamic DNS entries.

2.7.3  Are Dynamic DNS Entries Aged at Intervals of the Aging Time or Using the Command?

Yes. Run the reset dns dynamic-host command to clear dynamic domain name service (DNS) entries.

2.7.4  In What Scenarios Should I Use the DNS Relay Function?

The DNS proxy or relay function enables a DNS client on a LAN to connect to an external DNS server. After the external DNS server translates the domain name of the DNS client to an IP address, the DNS client can access the Internet.

After receiving DNS query packets from the DNS client, the device with DNS proxy enabled searches the local cache. The device with DNS relay enabled directly forwards the DNS query packets to the external DNS server, and does not search the local cache.

If the DNS client needs to obtain resource records on the DNS server in real time, enable the DNS relay function on the device.

2.7.5  Does the Device Support DNS Proxy?

The device supports DNS proxy. The DNS proxy forwards DNS request and response packets between a DNS client and DNS server. The DNS client on a LAN considers the DNS proxy as the DNS server and sends DNS request packets to the DNS proxy. The DNS proxy forwards DNS request packets to the DNS server, and sends DNS response packets from the DNS server to the DNS client, to implement domain name resolution. When the DNS server's IP address changes, you only need to change the DNS proxy configuration without changing the configuration of each DNS client. This simplifies network management.

2.7.6  Does NAT Support VPN Multi-Instance?

Yes. Network address translation (NAT) supports virtual private network (VPN) multi-instance.

2.7.7  How Do I View the NAT Session Table?

Run the display nat session all command to view the NAT session table.

2.7.8  How Do I Forcibly Age NAT Session Tables?

Run the reset nat session all command to forcibly age NAT session tables.

2.7.9  Which Interfaces Do Not Support NAT Configuration?

Interfaces on the local area network (LAN) side (such as VLANIF interfaces) do not support network address translation (NAT) configuration.

2.7.10  How Can I Configure Static ARP Entries on an Interface?

Based on the interface type, you can configure static ARP entries in the following methods:

  • For Layer 3 physical interfaces and Layer 3 Eth-Trunk interfaces, run the arp static ip-address mac-address command to configure static ARP entries.

    For example:

    <Huawei> system-view
    [Huawei] arp static 1.1.1.1 0000-1111-1111
  • For Dot1q termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command to configure static ARP entries.

    For example: # Configure a static ARP entry for a sub-interface for dot1q VLAN tag termination. The static ARP entry maps the IP address 2.1.1.1 to the MAC address 0edc-15e5-f7e4. GE1/0/0.1 is added to VLAN 20.
    • # Configure a sub-interface for dot1q VLAN tag termination and add the sub-interface to VLAN 20.

      <Huawei> system-view
      [Huawei] interface gigabitethernet 1/0/0.1
      [Huawei-GigabitEthernet1/0/0.1] control-vid 100 dot1q-termination 
      [Huawei-GigabitEthernet1/0/0.1] dot1q termination vid 20
      [Huawei-GigabitEthernet1/0/0.1] ip address 2.1.1.2 24
      [Huawei-GigabitEthernet1/0/0.1] quit
      NOTE:
      The control-vid 100 dot1q-termination command does not need to be configured in AR V2R2C01 or later versions.
    • # Configure a static ARP entry for the sub-interface for dot1q VLAN tag termination.

      [Huawei] arp static 2.1.1.1 0edc-15e5-f7e4 vid 20 interface gigabitethernet1/0/0.1
  • For QinQ termination sub-interfaces, run the arp static ip-address mac-address vid vlan-id cevid ce-vid interface interface-type interface-number command to configure static ARP mapping entries with double tags.

    For example: # Configure a static ARP entry for a sub-interface for QinQ VLAN tag termination. The static ARP entry maps the IP address 2.1.1.1 to the MAC address 0edc-15e5-f7e4. The inner and outer VLAN IDs of the outbound interface GE1/0/0.1 are 20 and 10 respectively.
    • # Configure a sub-interface for QinQ VLAN tag termination and set the inner and outer VLAN IDs of the outbound interface GE1/0/0.1 to 20 and 10 respectively.

      <Huawei> system-view
      [Huawei] interface gigabitethernet 1/0/0.1
      [Huawei-GigabitEthernet1/0/0.1] control-vid 100 qinq-termination
      [Huawei-GigabitEthernet1/0/0.1] qinq termination pe-vid 10 ce-vid 20
      [Huawei-GigabitEthernet1/0/0.1] ip address 2.1.1.2 24
      [Huawei-GigabitEthernet1/0/0.1] quit
      NOTE:
      The control-vid 100 qinq-termination command does not need to be configured in AR V2R2C01 or later versions.
    • # Configure a static ARP entry for the sub-interface for QinQ VLAN tag termination.

      [Huawei] arp static 2.1.1.1 0edc-15e5-f7e4 vid 10 cevid 20 interface gigabitethernet1/0/0.1
  • For VLANIF interfaces, run the arp static ip-address mac-address vid vlan-id interface interface-type interface-number command to configure static ARP entries.

    For example:

    <Huawei> system-view
    [Huawei] arp static 192.168.1.88 0000-1111-1111 vid 4094 interface ethernet 0/0/7
    NOTE:
    The outbound interface here indicates the Layer 2 interface bound to the VLAN.

    In AR V2R2C01 or later versions, the VLANIF interface supports short ARP entries. You can directly configure the mapping between the IP address and MAC address without specifying the VID and outbound interface.

    For example:

    <Huawei> system-view
    [Huawei] arp static 192.168.1.88 0000-1111-1111

2.7.11  How Do I Configure the Egress Router of an Internet Cafe to Solve the Offline Problem of Online Game Users?

The router functions as the egress router of an Internet cafe and uses the typical configuration. However, web pages are displayed at a low rate and users often go offline when playing online games. How do I solve this problem?

  1. Run the tcp adjust-mss 1024 command on the inbound and outbound interfaces of the router.
  2. Run the firewall-nat session { tcp | udp } aging-time time-value command to properly increase the timeout intervals of the TCP connection and UDP connection.

You can perform the preceding operations to significantly improve the Internet access performance.

2.7.12  Why Do I Need to Consider the Interface MTU When Setting the MSS of TCP Packets?

The maximum segment size (MSS) is negotiated during TCP connection setup. The MSS determines the maximum length of the data carried in a TCP packet. Some upper-layer applications such as HTTP set the Don't Fragment (DF) bit of IP packets to prevent TCP packets from being fragmented. If the DF bit is set and the interface MTU is smaller than the MSS, the router discards TCP packets because TCP packets cannot be fragmented.

A TCP packet has the TCP header and IP header; therefore, the MSS value plus all the header lengths cannot exceed the MTU. The MTUs supported by Ethernet and PPPoE are 1500 bytes and 1492 bytes respectively. You are advised to set the MSS to 1200 bytes. If the interface MTU is changed, or if encapsulated packets of some special applications cannot be fragmented in PPPoE, L3VPN, and IPSec scenarios, pay attention to the MSS setting.

2.7.13  How Can I Prevent the Auto-Config Function from Periodically Clearing DHCP-related Configurations on the Device?

When a device with empty configuration starts, the auto-config function allows the device to automatically obtain the configuration file and restart for the configuration to take effect. The device enabled with the auto-config function periodically clears all DHCP-related configurations on the device.

To solve this problem, proceed as follows:

  1. Run the undo autoconfig enable command to disable the auto-config function.
  2. Wait 4 to 5 minutes and run the display autoconfig-status command to check the auto-config status. If the Running status is NO, the auto-config function has been disabled.
  3. Reconfigure the device as required by the customer and save the configuration.

2.7.14  Can the Global Address of the NAT Server Be an Address in the NAT Address Pool?

No.

2.7.15  Does the Device Allow a Server IP Address to Map Multiple Domain Names?

The device allows a server IP address to map multiple domain names.

2.7.16  Termination Sub-interfaces That Connect Two Devices Cannot Ping Each Other. Why?

After you configure IP addresses for termination sub-interfaces that connect two devices, they cannot ping each other. Check whether you have run the arp broadcast enable command on the interfaces. If this command is not run, the devices fail to send ARP Request packets through these interfaces and cannot learn ARP entries. By default, the arp broadcast enable command is disabled in V200R003C00 and earlier versions and enabled in V200R003C01 and later versions.

2.7.17  How Can the Device Function as a DHCP Server to Dynamically Allocate IP Addresses to Multiple DHCP Clients?

When the device functions as a DHCP server, you can enlarge the address pool range and shorten the lease of IP addresses to allow DHCP clients to quickly connect to and disconnect from the network.

2.7.18  DHCP Clients Cannot Obtain IP Addresses. How Do I Solve This Problem?

Ensure that the DHCP configuration is correct, and reduce the IP address lease. If a long IP address lease is set, after all addresses in the address pool are allocated, addresses that are not required cannot be released immediately. As a result, other DHCP clients cannot obtain IP addresses.

2.7.19  When Both the DHCP Server and Relay Functions Are Enabled on an Interface, Which Function Is Processed Preferentially?

When both the DHCP server function and the DHCP relay function are enabled on an interface, the DHCP server function is processed preferentially. The local DHCP server that is on the same network segment as the interface's IP address is used preferentially to allocate IP addresses. If the local DHCP server cannot allocate IP addresses, a remote DHCP server allocates IP addresses through the DHCP relay agent.

2.7.20  What Is the Application Scope of an IPv6 Link-Local Address?

An IPv6 link-local address can be used for communication between nodes on the same link. Packets with IPv6 link-local addresses can be forwarded only through a local link.

2.7.21  How Can I Enable NAT Log and Set a Log Interval?

NAT logs are generated when the device performs address translation.

Configuration Example

Configure the device to generate NAT logs at an interval of 200 seconds.

<Huawei> system-view
[Huawei] firewall log all enable 
[Huawei] info-center enable
[Huawei] firewall log defend log-interval 200

2.7.22  How Can I Set the Aging Time of the Traffic Forwarding Table?

You can use the firewall-nat session aging-time command to set the aging time of the session entries.

Configuration Example

# Set the aging time of FTP session entries to 60 seconds.

<Huawei> system-view
[Huawei] firewall-nat session ftp aging-time 60

2.7.23  Users on an Internal Network Cannot Access Internal Servers Using Domain Names. Why?

When a user device accesses the internal server using a domain name, the domain name in the request may or may not contain the host name. Therefore, you have to configure different DNS domain names in the following two situations. For example, you want to access the domain name www.hbjs.gov.cn.
  • When the DNS Request packet sent by the user device contains the host name, that is, the user device uses the domain name www.hbjs.gov.cn to access the internal server, run the nat dns-map www.hbjs.gov.cn global-address global-port { tcp | udp } command.
  • When the DNS Request packet sent by the user device does not contain the host name, that is, the user device uses the domain name hbjs.gov.cn to access the internal server, run the nat dns-map hbjs.gov.cn global-address global-port { tcp | udp } command.
NOTE:

If you are not sure whether the DNS Request packet sent by the device contains the host name or not, it is recommended that you configure both the preceding commands.

2.7.24  How Do I View IP Address Allocation in the DHCP Server Address Pool?

Run the display ip pool [ { interface interface-pool-name | name ip-pool-name } [ start-ip-address [ end-ip-address ] | all | conflict | expired | used ] ] command to view IP address allocation.

2.7.25  When the Device Functions as the Access Device, It Takes a Long Time for Users to Obtain IP Addresses Through DHCP. Why?

By default, STP is enabled on the device used as the user access device (WAN-side interface connects to the Internet and LAN-side interface connects to the internal network). The device interface stays in the Discarding state for 30s after users connect to the device, and DHCP Request packets are discarded during this time. DHCP packets are processed only after the 30s have elapsed.

It is recommended that STP be disabled to prevent network flapping caused by slow STP convergence.

2.7.26  Private Network User and Server Are in the Same VLAN. After NAT Server Is Configured on the VLANIF Interface, Why Cannot the User Access the Server Using Public Address?

The private network user and server are connected to the same VLANIF interface and the same subcard. After the nat server command is executed in the VLANIF interface view to map the server IP address to a public network address, the response packet sent by the server to the user cannot be sent to the CPU, so the packet address cannot be translated. As a result, the user cannot connect to the server. To solve this problem, run the nat outbound command on the VLANIF interface so that the server's response packet can be sent to the router and the packet address can be translated. The router then forwards the packet to the user. The user can connect to the server.

2.7.27  What Is the Difference Between NAT Server and NAT Static?

When internal users access the external network, NAT server translates only internal IP addresses to external IP addresses, whereas NAT static translates both internal IP addresses and ports to external IP addresses and ports.

The enterprise requires that its internal users can access the external server and external users can access its internal server, as shown in Figure 2-7. If you configure both NAT server and Easy IP on the router, it translates only internal IP addresses to external IP addresses when internal users access the external network. This may result in a failure to set up stream tables. In this case, you are advised to configure NAT static but not NAT server on the router.

Figure 2-7  Networking diagram of NAT server and Easy IP

2.7.28  An External Phone Fails to Register With the SIP Server After a NAT Server Is Configured on the Outbound Interfaces of the Device Functioning as a SIP Server

A SIP server is deployed on an internal network and a NAT server and MTU are configured on the outbound and inbound interfaces of a gateway router on this network. In this case, the router sends fragmented packets to the SIP server and the server returns ICMP Error packets. An external phone fails to register with the SIP server. Disable the MTU configuration on the inbound interface or run the ip soft-forward enhance enable command to enable the enhanced IP forwarding function on the router, so that the external phone can correctly register with the SIP server to implement NAT translation.

2.7.29  What Are the Differences Between Easy IP and Address Pool?

Easy IP uses the public IP address of an interface as the translated source address, as shown in Figure 2-8.

Figure 2-8  Networking of Easy IP

When the address pool mode is used, you need to configure a public address pool from which public addresses mapping private addresses are selected, as shown in Figure 2-9.

Figure 2-9  Networking of an address pool

Use Easy IP or address pool according to planning of public IP addresses:

  • If there are idle public IP addresses after IP addresses of outbound interfaces on NAT devices and other applications are configured, use the address pool mode.
  • If there are no idle public IP addresses after IP addresses of outbound interfaces on NAT devices and other applications are configured, use Easy IP.

2.7.30  Which Interfaces Support NAT?

The following interfaces support NAT:
  • Physical interfaces

    Layer 3 Ethernet interface, Layer 3 GE interface, G.SHDSL interface, VDSL interface, PON interface, serial interface, POS interface, asynchronous interface, ATM interface, BRI interface, and cellular interface

  • Logical interfaces

    Dialer interface, tunnel interface, Layer 3 Eth-Trunk interface, VE interface, VT interface, MP-group interface, MFR interface, and IMA-Group interface

  • Sub-interfaces

    Ethernet sub-interface, Eth-Trunk sub-interface, ATM sub-interface, serial sub-interface, MFR sub-interface, IMA-Group sub-interface, and POS sub-interface

2.7.31  Public Address Cannot Be Pinged When NAT Is Configured on the Device as the Egress Gateway. How Do I Solve the Problem?

After outbound NAT is configured, run the ip soft-forward enhance enable command to enable the enhanced IP forwarding function before running the ping -a source-ip-address host command. The device then does not translate private source addresses into public addresses when sending packets.

2.7.32  A Device Cannot Access the Telnet Port of the Public Interface

NAT server is configured on the public interface.
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 10.10.10.1 telnet inside 192.168.2.10 telnet

When a network device attempts to access the Telnet port of the public interface, the device accesses the Telnet port on the internal network that is mapped by the NAT server, and cannot access the Telnet port of the public interface. You can change the Telnet port of the public interface in the NAT server configuration, for example, change the Telnet port to port 1001.

[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 10.10.10.1 1001 inside 192.168.2.10 telnet

2.7.33  How Do I Prevent Packets Sent to an IP Address in a Configured NAT Address Pool from Being Discarded

After a NAT address pool is configured on an interface, a 32-bit local user network route (UNR) is automatically generated, and its priority is 64. When a packet sent to an IP address in the address pool passes the router, it matches the 32-bit local UNR and is sent to the router protocol stack. However, the router cannot forward the packet because it does not have the protocol stack of the IP address. The packet is discarded.

You can run the ip route-static command to configure a static route. The default priority of a static route is 60, which is higher than that of the UNR. This configuration prevents packets sent to an IP address in the address pool from being discarded.

For example, configure a NAT address pool to implement many-to-one address translation for hosts on the network segment 10.110.10.0/24. The IP address 1.1.1.1 is configured in the NAT address pool.

<Huawei> system-view
[Huawei] acl number 2001
[Huawei-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Huawei-acl-basic-2001] quit
[Huawei] nat address-group 1 1.1.1.1 1.1.1.1
[Huawei] interface gigabitethernet 0/0/1
[Huawei-Gigabitethernet0/0/1] nat outbound 2001 address-group 1
[Huawei-Gigabitethernet0/0/1] quit

After completing the NAT address pool configuration, check the routing table. A UNR with the priority of 64 is added to the table.

[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------  
Routing Tables: Public                                                          
         Destinations : 5        Routes : 5                                     
                                                                                
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface      
                                                                                
        1.1.1.1/32  Unr     64   0           D   127.0.0.1       InLoopBack0    
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Run the ip route-static command to configure a static route with the destination IP address 1.1.1.1. After completing the configuration, check the routing table.

[Huawei] ip route-static 1.1.1.1 32 192.168.200.100
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib                                     
------------------------------------------------------------------------------  
Routing Tables: Public                                                          
         Destinations : 6       Routes : 6                                    
                                                                                
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface      
                                                                                
        1.1.1.1/32  Static  60   0          RD   192.168.200.100 GigabitEthernet0/0/0
        1.1.1.1/32  Unr     64   0           D   127.0.0.1       InLoopBack0    
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

As shown in the preceding routing table, a static route with the destination IP address 1.1.1.1 is added. The router then uses this static route to forward packets sent to the IP address in the address pool.

2.7.34  What Should I Do If the Selected Interface Is Occupied When Configuring NAT Server

It is recommended that you run the display port-mapping command to query occupied interfaces before configuring NAT server. You can choose an idle interface.

2.7.35  What Should I Do If the CPU Usage Is High After DNS Mapping Is Configured

After DNS mapping is configured, the CPU processes packets before the router forwards the packets. If a large number of packets need to be processed, the CPU usage is high.

If the CPU usage remains high and affects device usage, it is recommended that you delete the DNS mapping configuration and disable the DNS ALG function to prevent packets from being sent to the CPU, reducing the CPU usage. To protect the router and meet users' service demands, add the NAT server configuration on the interface connecting to the internal network.

When an internal network host accesses an internal network server using the domain name, the host sends a domain name request to the DNS server. The DNS server encapsulates the public IP address corresponding to the domain name into the response packet. If the DNS mapping and DNS ALG functions are enabled, the router converts the public IP address encapsulated in a DNS response packet into a private IP address when forwarding the packet to an internal network host. After the DNS mapping and DNS ALG configurations are deleted, the router cannot perform IP address translation. You can add the NAT server configuration on the interface connecting to the internal network. The public IP address then can be converted into the private IP address of the internal network server, allowing internal network hosts to access the internal network server.

The configuration procedure is as follows:

  1. On the NAT-enabled router, run the undo nat alg enable command to disable the DNS ALG function and run the undo nat dns-map command to delete the DNS mapping configuration.
  2. On the interface connecting to the internal network, run the nat server command to add the NAT server configuration. This configuration allows the router to convert the public IP address of the internal network server into its private IP address when an internal network host accesses the internal network server.

Disable the DNS ALG function and delete the DNS mapping configuration.

<Huawei> system-view
[Huawei] undo nat dns-map www.bz2z.com 220.180.111.161 80 tcp
[Huawei] undo nat dns-map bz2z.com 220.180.111.161 80 tcp

Assume that the interface connecting to the public network is GE0/0/0 and the interface connecting to the internal network is GE0/0/1. Check the configuration of the interface connecting to the public network.

[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] display this
#
interface GigabitEthernet0/0/0 
 ip address 202.100.1.10 255.255.255.0 
 nat server protocol tcp global current-interface 80 inside 192.168.1.100 80 
 nat outbound 3001 
[Huawei-GigabitEthernet0/0/0] quit

Configure NAT server on the interface connecting to the internal network. Change the keyword current-interface in the NAT server configuration to the specified public network interface.

[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global interface gigabitethernet 0/0/0 80 inside 192.168.1.100 80

After the preceding configurations are complete, the CPU usage is reduced and internal network hosts can normally access the internal network server.

2.7.36  Is a Default UNR Generated After the ip address dhcp-alloc Command Is Configured

Yes, a default user network route (UNR) is generated.

If a router is configured as a DHCP client and an interface is configured to obtain an IP address dynamically (using the ip address dhcp-alloc command), a default UNR route is generated after the interface successfully obtains an IP address.

2.7.37  After Outbound NAT Is Configured and then Disabled on an AR Router's Public Network Interface, a SIP User Cannot Be Registered. How Do I Solve This Problem?

A SIP user connects to a SIP server through an AR router. After outbound NAT is configured on the AR router, NAT ALG for SIP is disabled and SIP protocol packets cannot traverse the NAT-enabled router. As a result, the SIP user and SIP server cannot communicate with each other and the SIP user cannot be registered.

When a registration request packet sent from the SIP user to the SIP server passes through the AR router, a NAT mapping entry recording packet information is generated, and the entry and aging time are updated when the AR router receives a new registration request packet. When the aging time expires, the router automatically clears NAT mapping entries that are not updated. Therefore, the SIP user who fails to be registered sends registration request packets continuously. If the outbound NAT configuration is deleted, the router does not directly clear the corresponding NAT mapping entry, and automatically clears the entry after the aging time expires. However, registration request packets sent by the SIP user continuously update the NAT mapping entry and aging time. As a result, the router cannot automatically clear the NAT mapping entry and the SIP user cannot be registered.

After configuring outbound NAT, you can run the nat alg command to enable NAT ALG for SIP to maintain communication between the SIP server and SIP user, and run the reset nat session all command to forcibly clear NAT mapping entries and immediately modify the NAT configuration. Alternatively, after disabling outbound NAT, run the reset nat session all command to forcibly clear NAT mapping entries to restore communication between the SIP user and SIP server.

NOTICE:
Clearing NAT mapping entries may temporarily affect communication on some packet transmission links.

2.7.38  Why Does the NAT Function Fail to Be Configured on a High-End LAN Card?

ACL-based traffic policies cannot be configured on high-end LAN cards (8FE1GE and 24GE cards). Therefore, when the nat outbound command is run to configure outbound NAT with an address pool, the configuration fails.

You can run the set workmode lan-card l3centralize command to disable the routing and forwarding function on a high-end LAN card. You can divert the packets received on the high-end LAN card to the sub-core CPU for packet forwarding. ACL-based traffic policies and the NAT function then can be configured on the high-end LAN card.

2.7.39  After the NAT Server Based on the IP Address and Port Number Is Configured, the Mapping Does Not Take Effect

After the NAT server is configured based on the IP address and port number, the mapping does not take effect. Perform the following operations to locate the fault:

  1. Access the internal server to determine whether the internal server can communicate.
  2. Check whether there are reachable routes between the device configured with the NAT server and the external host and internal server.
  3. Check whether the NAT server configuration is correct.
  4. Check whether the mapped external port number is available, and replace the external port to check whether the internal server can be accessed.
  5. Run the display nat session command on the device configured with the NAT server to check whether there are entries before and after mapping. Obtain packets and check whether addresses in packets for access of external users are translated on the device configured with the NAT server.

2.7.40  Which CPU Process Is Relevant to NAT?

In the display cpu-usage command output, the VALP process is relevant to NAT. The CPU usage of the VALP process is high because the device enabled with NAT ALG sends packets to the control plane. To reduce the CPU usage, delete unnecessary ALG configuration.
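For 2.7.12: the check below is an added example, not part of the original guide. It reads interface stanzas in the display current-configuration layout and compares each tcp adjust-mss value with the interface MTU minus the 40 bytes of IPv4 and TCP headers. The sample configuration, the 1500-byte default when no mtu line is present, and the optional per-interface encapsulation overhead (for tunnels such as IPSec) are assumptions.

```python
import re

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
DEFAULT_MTU = 1500    # Ethernet MTU from 2.7.12; assumed when no "mtu" line exists

# Constructed sample in the layout printed by "display current-configuration".
SAMPLE_CONFIG = """\
#
interface Dialer1
 mtu 1492
 tcp adjust-mss 1460
#
interface GigabitEthernet0/0/0
 ip address 202.100.1.10 255.255.255.0
 tcp adjust-mss 1200
#
interface GigabitEthernet0/0/1
 mtu 1400
 ip address 192.168.1.1 255.255.255.0
#
"""


def parse_interfaces(config):
    """Return {interface name: {"mtu": int, "mss": int or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"mtu": DEFAULT_MTU, "mss": None}
        elif not line.startswith(" "):
            current = None  # "#" or any other top-level line ends the stanza
        elif current:
            m = re.fullmatch(r"(mtu|tcp adjust-mss) (\d+)", line.strip())
            if m:
                key = "mtu" if m.group(1) == "mtu" else "mss"
                interfaces[current][key] = int(m.group(2))
    return interfaces


def audit_mss(config, overhead=None):
    """Return (interface, finding, largest MSS that fits) for each problem.

    overhead maps an interface name to extra encapsulation bytes added on
    that link; the caller supplies the value, nothing is assumed here.
    """
    overhead = overhead or {}
    findings = []
    for name, cfg in parse_interfaces(config).items():
        limit = cfg["mtu"] - overhead.get(name, 0) - IP_TCP_HEADERS
        if cfg["mss"] is None:
            # No clamp: hosts behind an Ethernet LAN negotiate up to 1460,
            # so DF-marked packets may exceed a reduced MTU and be dropped.
            if limit < DEFAULT_MTU - IP_TCP_HEADERS:
                findings.append((name, "no-mss-clamp", limit))
        elif cfg["mss"] > limit:
            findings.append((name, "mss-too-large", limit))
    return findings


if __name__ == "__main__":
    for finding in audit_mss(SAMPLE_CONFIG):
        print(finding)
```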
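For 2.7.32: an added example, not from the original guide, that audits a saved configuration for nat server mappings that take over Telnet on one of the router's own addresses (the symptom described in 2.7.32) or that publish an internal host's Telnet service, which is unencrypted. It parses only the three nat server forms that appear on this page; the sample configuration and the finding names are constructed.

```python
import re

PORT_NAMES = {"telnet": 23}  # the only port keyword the guide uses

# Constructed sample built from the nat server forms in 2.7.32 and 2.7.35.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ip address 10.10.10.1 255.255.255.0
 nat server protocol tcp global 10.10.10.1 telnet inside 192.168.2.10 telnet
 nat server protocol tcp global current-interface 80 inside 192.168.1.100 80
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 nat server protocol tcp global interface gigabitethernet 1/0/0 1001 inside 192.168.2.10 telnet
#
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
NAT_SERVER = re.compile(
    r"\s+nat server protocol (?:tcp|udp) global "
    rf"(?P<gaddr>current-interface|interface \S+ \S+|{IPV4}) (?P<gport>\S+) "
    rf"inside (?P<iaddr>{IPV4}) (?P<iport>\S+)\s*$",
    re.IGNORECASE,
)


def norm(name):
    """'gigabitethernet 1/0/0' and 'GigabitEthernet1/0/0' compare equal."""
    return name.lower().replace(" ", "")


def port(token):
    """Numeric port, a known keyword, or None for an unknown keyword."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def parse(config):
    """Collect each interface's own address and its nat server lines."""
    own_ip, mappings, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = norm(line[len("interface "):])
        elif not line.startswith(" "):
            current = None
        elif current:
            ip = re.match(rf"\s+ip address ({IPV4}) ", line)
            if ip:
                own_ip[current] = ip.group(1)
            m = NAT_SERVER.match(line)
            if m:
                mappings.append((current, m))
    return own_ip, mappings


def audit_nat_server(config):
    """Return (interface, global address, global port, finding) tuples."""
    own_ip, mappings = parse(config)
    findings = []
    for iface, m in mappings:
        gaddr = m["gaddr"].lower()
        if gaddr == "current-interface":
            gaddr = own_ip.get(iface)
        elif gaddr.startswith("interface "):
            gaddr = own_ip.get(norm(gaddr[len("interface "):]))
        gport, iport = port(m["gport"]), port(m["iport"])
        # 2.7.32: global port 23 on the router's own address hides its Telnet.
        if gport == 23 and gaddr in own_ip.values():
            findings.append((iface, gaddr, gport, "shadows-device-telnet"))
        # Any mapping to inside port 23 exposes cleartext Telnet of that host.
        if iport == 23:
            findings.append((iface, gaddr, gport, "publishes-internal-telnet"))
    return findings


if __name__ == "__main__":
    for finding in audit_nat_server(SAMPLE_CONFIG):
        print(finding)
```

Moving the global port to 1001, as 2.7.32 suggests, clears the first finding but not the second.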
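For 2.7.33: an added example, not from the original guide, that parses display ip routing-table output, picks the route with the lowest Pre value for each destination, and lists destinations whose active route is still the UNR pointing at InLoopBack0. The rows are taken from the two listings in 2.7.33 with most loopback rows trimmed; the function names are assumptions.

```python
import re

# Rows from the first listing in 2.7.33 (before the static route is added).
BEFORE = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        1.1.1.1/32  Unr     64   0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# Rows from the second listing in 2.7.33 (after ip route-static).
AFTER = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        1.1.1.1/32  Static  60   0          RD   192.168.200.100 GigabitEthernet0/0/0
        1.1.1.1/32  Unr     64   0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
"""

ROW = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>\S+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_routes(output):
    """Return one dict per table row that starts with a destination/mask."""
    routes = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            route = m.groupdict()
            route["pre"] = int(route["pre"])
            routes.append(route)
    return routes


def active_routes(output):
    """Per destination, keep the route with the lowest Pre (highest priority)."""
    best = {}
    for route in parse_routes(output):
        held = best.get(route["dest"])
        if held is None or route["pre"] < held["pre"]:
            best[route["dest"]] = route
    return best


def looped_back_unr(output):
    """Destinations still served by a UNR to InLoopBack0, as described in 2.7.33."""
    return sorted(
        dest
        for dest, route in active_routes(output).items()
        if route["proto"].lower() == "unr" and route["iface"] == "InLoopBack0"
    )


if __name__ == "__main__":
    print("before:", looped_back_unr(BEFORE))
    print("after: ", looped_back_unr(AFTER))
```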

clear and useful document, thanks

Useful

Thank you for your support

help a lot