09-Security Command Reference


SAVI commands

ipv6 savi down-delay

Use ipv6 savi down-delay to set the entry deletion delay.

Use undo ipv6 savi down-delay to restore the default.

Syntax

ipv6 savi down-delay delay-time

undo ipv6 savi down-delay

Default

The entry deletion delay is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the entry deletion delay in the range of 0 to 21474836 seconds.

Usage guidelines

The entry deletion delay is the period of time that the device waits before deleting the DHCPv6 snooping entries and ND snooping entries for a down port.

Examples

# Set the entry deletion delay to 100 seconds.

<Sysname> system-view

[Sysname] ipv6 savi down-delay 100

ipv6 savi log enable

Use ipv6 savi log enable to enable packet spoofing logging or filtering entry logging.

Use undo ipv6 savi log enable to disable packet spoofing logging or filtering entry logging.

Syntax

ipv6 savi log enable { spoofing-packet [ interval interval | total-number number ] * | filter-entry }

undo ipv6 savi log enable { spoofing-packet | filter-entry }

Default

Packet spoofing logging and filtering entry logging are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

spoofing-packet [ interval interval | total-number number ]: Enables packet spoofing logging.

· interval interval: Sets the log output interval in seconds. The value of the interval argument can be 0 or in the range of 5 to 3600. The default value is 60 seconds. If you set this parameter to 0, the device outputs a log message immediately after it is generated.

· total-number number: Sets the maximum number of log messages that can be output per interval. The value range for the number argument is 1 to 128, and the default value is 128.

filter-entry: Enables filtering entry logging.

Usage guidelines

Packet spoofing logging enables the device to generate log messages for the spoofed packets detected by SAVI.

Filtering entries are effective bindings used for filtering IPv6 packets by the source IPv6 address. Filtering entry logging enables the device to generate log messages for filtering entries. A log message contains the IPv6 address, MAC address, VLAN, and interface of a filtering entry.

The device sends packet spoofing and filtering entry log messages to the information center. With the information center, you can set log message filtering and output rules, including output destinations. For more information about using the information center, see Network Management and Monitoring Configuration Guide.

A device can output a maximum of 128 packet spoofing log messages. If this limit is exceeded, the device drops the excess log messages. To ensure device performance, set the log output interval and the maximum number of log messages output per interval appropriately.

Examples

# Enable packet spoofing logging.

<Sysname> system-view

[Sysname] ipv6 savi log enable spoofing-packet

ipv6 savi strict

Use ipv6 savi strict to enable Source Address Validation Improvement (SAVI).

Use undo ipv6 savi strict to disable SAVI.

Syntax

ipv6 savi strict

undo ipv6 savi strict

Default

SAVI is disabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable SAVI.

<Sysname> system-view

[Sysname] ipv6 savi strict

Related commands

ipv6 verify source
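
The value ranges documented above can be checked offline against a configuration excerpt before it is applied. The following Python is an added example, not part of the H3C reference: it assumes the commands appear in the excerpt exactly as typed on this page, and reporting a missing ipv6 savi strict or disabled packet spoofing logging as a finding is this example's own audit policy. The names audit_savi, WEAK and HARDENED are hypothetical, and the sample excerpts are constructed.

```python
import re

# Value ranges as stated in the Parameters sections of this reference.
DOWN_DELAY = range(0, 21474836 + 1)           # seconds
TOTAL_NUMBER = range(1, 128 + 1)              # messages per interval
INTERVAL = [range(0, 1), range(5, 3600 + 1)]  # 0 (immediate) or 5..3600 s

def audit_savi(config_text):
    """Return findings for the SAVI commands found in a config excerpt."""
    findings, strict, spoof_log = [], False, False
    for line in (l.strip() for l in config_text.splitlines()):
        if line == "ipv6 savi strict":
            strict = True
        elif m := re.fullmatch(r"ipv6 savi down-delay (\d+)", line):
            if int(m.group(1)) not in DOWN_DELAY:
                findings.append(f"down-delay out of range: {m.group(1)}")
        elif line.startswith("ipv6 savi log enable spoofing-packet"):
            spoof_log = True
            opts = line.split()[5:]
            if len(opts) % 2:
                findings.append(f"incomplete option list: {line}")
                continue
            # Keyword/value pairs; the syntax allows either order.
            for key, val in zip(opts[0::2], opts[1::2]):
                if key not in ("interval", "total-number"):
                    findings.append(f"unknown option: {key}")
                elif not val.isdigit():
                    findings.append(f"non-numeric {key}: {val}")
                elif key == "interval" and not any(int(val) in r for r in INTERVAL):
                    findings.append(f"interval out of range: {val}")
                elif key == "total-number" and int(val) not in TOTAL_NUMBER:
                    findings.append(f"total-number out of range: {val}")
    if not strict:
        findings.append("SAVI is disabled: 'ipv6 savi strict' not present")
    if not spoof_log:
        findings.append("packet spoofing logging is disabled")
    return findings

# Constructed sample excerpts (not captured from a device).
WEAK = """ipv6 savi down-delay 100
ipv6 savi log enable spoofing-packet interval 3 total-number 200"""
HARDENED = """ipv6 savi strict
ipv6 savi down-delay 100
ipv6 savi log enable spoofing-packet total-number 64 interval 30"""

if __name__ == "__main__":
    print(audit_savi(WEAK))
    print(audit_savi(HARDENED))
```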
