- Table of Contents
-
- 09-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Object group commands
- 10-Attack detection and prevention commands
- 11-TCP attack prevention commands
- 12-IP source guard commands
- 13-ARP attack protection commands
- 14-ND attack defense commands
- 15-uRPF commands
- 16-SAVA commands
- 17-Crypto engine commands
- 18-FIPS commands
- 19-MACsec commands
- 20-SAVI commands
- Related Documents
-
Title | Size | Download |
---|---|---|
16-SAVA commands | 65.13 KB |
Content
display ipv6 sava packet-drop statistics
ipv6 sava log enable spoofing-packet
SAVA commands
display ipv6 sava
Use display ipv6 sava to display SAVA entries.
Syntax
display ipv6 sava [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ipv6 sava [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Predefined user roles
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA entries for all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVA entries on the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SAVA entries on the global active MPU. (In IRF mode.)
Examples
# Display SAVA entries.
<Sysname> display ipv6 sava
IPv6 SAVA entry count: 2
Destination: 2011:: Prefix length: 64
Interface: Vlan-int10 Flags: L
Destination: 2012:: Prefix length: 64
Interface: Vlan-int20 Flags: L
Table 1 Command output
Field |
Description |
IPv6 SAVA entry count |
Number of SAVA entries. |
Destination |
Destination IPv6 address. |
Prefix length |
Prefix length of the IPv6 address. |
Interface |
Interface name. |
Flag |
Flag of the SAVA entry: · L—Local entry. · R—Remote entry. · G—Access group entry. |
display ipv6 sava packet-drop statistics
Use display ipv6 sava packet-drop statistics to display SAVA packet drop statistics.
Syntax
display ipv6 sava packet-drop statistics [ interface interface-type interface-number ]
Views
Predefined user roles
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA packet drop statistics for all interfaces.
Examples
# Display SAVA packet drop statistics.
<Sysname> display ipv6 sava packet-drop statistics
Vlan-interface10:
Packets:0 Bytes: 0
Vlan-interface20:
Packets:10 Bytes: 1500
Table 2 Command output
Field |
Description |
Packets |
Number of packets dropped by SAVA. |
Bytes |
Number of bytes dropped by SAVA. |
Related commands
reset ipv6 sava packet-drop statistics
ipv6 sava access-group
Use ipv6 sava access-group to add an interface to an access group.
Use undo ipv6 sava access-group to remove an interface from an access group.
Syntax
ipv6 sava access-group group-name
Default
An interface does not belong to any access group.
Views
Predefined user roles
mdc-admin
Parameters
group-name: Specifies an access group by its name, a case-sensitive string of 1 to 255 characters.
Usage guidelines
All interfaces in a SAVA access group must belong to the public network or the same VPN instance.
A SAVA access group can contain a maximum of eight interfaces.
Examples
# Add VLAN-interface 10 to SAVA access group aaa.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ipv6 sava access-group aaa
Related commands
ipv6 sava enable
Use ipv6 sava enable to enable SAVA.
Use undo ipv6 sava enable to disable SAVA.
Syntax
Default
Views
Predefined user roles
mdc-admin
Usage guidelines
If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped.
Examples
# Enable SAVA on VLAN-interface 10.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ipv6 sava enable
Related commands
ipv6 sava log enable spoofing-packet
Use ipv6 sava log enable spoofing-packet to enable SAVA logging.
Use undo ipv6 sava log enable spoofing-packet to disable SAVA logging.
Syntax
ipv6 sava log enable spoofing-packet [ interval interval | number number ]*
undo ipv6 sava log enable spoofing-packet
Default
Views
Predefined user roles
mdc-admin
Parameters
interval interval: Specifies the interval at which the device outputs SAVA logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA log immediately after detecting an IPv6 source address spoofing packet.
number number: Specifies the maximum number of SAVA logs that can be outputted each time, in the range of 1 to 128. The default is 128.
Usage guidelines
To identify and troubleshoot issues, enable SAVA logging.
This feature enables the device to output SAVA logs when SAVA detects spoofing packets.
A card can output a maximum of 128 SAVA logs each time. (In standalone mode.) (In IRF mode.)
Examples
<Sysname> system-view
[Sysname] ipv6 sava log enable spoofing-packet
ipv6 sava import remote-route-tag
Use ipv6 sava import remote-route-tag to enable an interface to create SAVA entries based on synchronized remote routes.
Use undo ipv6 sava import remote-route-tag to restore the default.
Syntax
ipv6 sava import remote-route-tag tag
undo ipv6 sava import remote-route-tag
Default
An interface does not create SAVA entries based on synchronized remote routes.
Views
Predefined user roles
mdc-admin
Parameters
tag: Specifies a tag of synchronized remote routes, in the range of 1 to 4294967295.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ipv6 sava import remote-route-tag 100
reset ipv6 sava packet-drop statistics
Use reset ipv6 sava packet-drop statistics to clear SAVA packet drop statistics.
Syntax
reset ipv6 sava packet-drop statistics [ interface interface-type interface-number ]
Views
Predefined user roles
mdc-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA packet drop statistics for all interfaces.
Examples
# Clear SAVA packet drop statistics.
<Sysname> reset ipv6 sava packet-drop statistics
Related commands