09-Security Command Reference


SAVA commands

display ipv6 sava

Use display ipv6 sava to display SAVA entries.

Syntax

display ipv6 sava [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA entries for all interfaces.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays SAVA entries on the master device.

Examples

# Display SAVA entries.

<Sysname> display ipv6 sava

IPv6 SAVA entry count: 2

Destination: 2011::                    Prefix length: 64

Interface: Vlan-int10                  Flags: L

Destination: 2012::                    Prefix length: 64

Interface: Vlan-int20                  Flags: L

Table 1 Command output

| Field | Description |
|---|---|
| IPv6 SAVA entry count | Number of SAVA entries. |
| Destination | Destination IPv6 address. |
| Prefix length | Prefix length of the IPv6 address. |
| Interface | Interface name. |
| Flags | Flag of the SAVA entry: L (local entry), R (remote entry), G (access group entry). |

display ipv6 sava packet-drop statistics

Use display ipv6 sava packet-drop statistics to display SAVA packet drop statistics.

Syntax

display ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA packet drop statistics for all interfaces.

Examples

# Display SAVA packet drop statistics.

<Sysname> display ipv6 sava packet-drop statistics

Vlan-interface10:

  Packets:0               Bytes: 0

Vlan-interface20:

  Packets:10              Bytes: 1500

Table 2 Command output

| Field | Description |
|---|---|
| Packets | Number of packets dropped by SAVA. |
| Bytes | Number of bytes dropped by SAVA. |

Related commands

reset ipv6 sava packet-drop statistics
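
The drop counters above can be polled to spot interfaces that are receiving spoofed sources. The following is an added example, not part of the H3C documentation: it parses the output format shown in this section and reports interfaces whose packet counter grew between two polls, treating a counter that went down as cleared by reset ipv6 sava packet-drop statistics. The sample text is constructed from the example above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the example output in this section.
SAMPLE = """\
<Sysname> display ipv6 sava packet-drop statistics
Vlan-interface10:
  Packets:0               Bytes: 0

Vlan-interface20:
  Packets:10              Bytes: 1500
"""

_IFACE = re.compile(r"^(\S+):\s*$")          # "Vlan-interface10:"
_COUNTS = re.compile(r"Packets:\s*(\d+)\s+Bytes:\s*(\d+)")

def parse_drop_stats(text):
    """Return {interface: (packets, bytes)} from the command output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _COUNTS.search(line)
        if m and current is not None:
            stats[current] = (int(m.group(1)), int(m.group(2)))
            current = None
    return stats

def drop_deltas(previous, current):
    """Packets dropped per interface since the previous poll.

    A counter lower than its previous value is treated as cleared,
    so the current value is taken as the delta.
    """
    deltas = {}
    for iface, (pkts, _bytes) in current.items():
        before = previous.get(iface, (0, 0))[0]
        delta = pkts - before if pkts >= before else pkts
        if delta > 0:
            deltas[iface] = delta
    return deltas

if __name__ == "__main__":
    now = parse_drop_stats(SAMPLE)
    print(now)
    print(drop_deltas({"Vlan-interface20": (4, 600)}, now))
```
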

ipv6 sava access-group

Use ipv6 sava access-group to add an interface to an access group.

Use undo ipv6 sava access-group to remove an interface from an access group.

Syntax

ipv6 sava access-group group-name

undo ipv6 sava access-group

Default

An interface does not belong to any access group.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies an access group by its name, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If the device has multiple interfaces connected to the same LAN, the device might receive packets from users in the LAN on different interfaces. However, each interface creates SAVA entries only based on its local routes. When an interface receives a packet from the LAN for which the interface has no matching SAVA entry, the packet will be discarded.

To resolve this issue, you can add the interfaces to a SAVA access group. The interfaces in the SAVA access group will synchronize SAVA entries that are created based on local routes with each other. This avoids unexpected packet drop caused by asymmetric routing.

All interfaces in a SAVA access group must belong to the public network or the same VPN instance.

An interface can be added only to one SAVA access group. If you execute this command multiple times, the most recent configuration takes effect.

A SAVA access group can contain a maximum of eight interfaces.
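
The effect of an access group on source validation can be shown with a small model. This is an added example, not H3C code: a simplified Python model in which each interface builds entries from its local prefixes and group members share them. The class and function names are hypothetical, and marking shared entries with flag G is an assumption based on the flag list in Table 1.

```python
import ipaddress

MAX_GROUP_MEMBERS = 8  # limit stated in the usage guidelines

class SavaInterface:
    """Hypothetical model of one SAVA-enabled interface."""
    def __init__(self, name, local_prefixes, access_group=None):
        self.name = name
        self.local = [ipaddress.ip_network(p) for p in local_prefixes]
        self.access_group = access_group  # case-sensitive name or None

def build_entries(interfaces):
    """Return {interface: [(prefix, flag)]}; L = local, G = access group."""
    groups = {}
    for i in interfaces:
        if i.access_group is not None:
            groups.setdefault(i.access_group, []).append(i)
    for name, members in groups.items():
        if len(members) > MAX_GROUP_MEMBERS:
            raise ValueError(f"access group {name!r} has more than 8 interfaces")
    entries = {}
    for i in interfaces:
        table = [(p, "L") for p in i.local]
        for peer in groups.get(i.access_group, []):
            if peer is not i:
                # Assumption: entries learned from a group peer carry flag G.
                table += [(p, "G") for p in peer.local if p not in i.local]
        entries[i.name] = table
    return entries

def permits(entries, iface_name, src):
    """True if the source matches a SAVA entry on the receiving interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix, _flag in entries[iface_name])

def demo():
    # Constructed topology: two interfaces attached to the same LAN.
    a = SavaInterface("Vlan-int10", ["2011::/64"])
    b = SavaInterface("Vlan-int20", ["2012::/64"])
    before = permits(build_entries([a, b]), "Vlan-int10", "2012::5")
    a.access_group = b.access_group = "aaa"
    grouped = build_entries([a, b])
    return (before, permits(grouped, "Vlan-int10", "2012::5"),
            permits(grouped, "Vlan-int10", "2013::1"))

if __name__ == "__main__":
    print(demo())
```
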

Examples

# Add VLAN-interface 10 to SAVA access group aaa.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava access-group aaa

Related commands

ipv6 sava enable

ipv6 sava enable

Use ipv6 sava enable to enable SAVA.

Use undo ipv6 sava enable to disable SAVA.

Syntax

ipv6 sava enable

undo ipv6 sava enable

Default

SAVA is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

SAVA is mutually exclusive with uRPF and microsegmentation. Do not configure SAVA together with uRPF or microsegmentation.

If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped.

Examples

# Enable SAVA on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava enable

Related commands

display ipv6 sava

ipv6 sava access-group

ipv6 sava log enable spoofing-packet

Use ipv6 sava log enable spoofing-packet to enable SAVA logging.

Use undo ipv6 sava log enable spoofing-packet to disable SAVA logging.

Syntax

ipv6 sava log enable spoofing-packet [ interval interval | number number ]*

undo ipv6 sava log enable spoofing-packet

Default

SAVA logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval at which the device outputs SAVA logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA log immediately after detecting an IPv6 source address spoofing packet.

number number: Specifies the maximum number of SAVA logs that can be output each time, in the range of 1 to 128. The default is 128.

Usage guidelines

To identify and troubleshoot issues, enable SAVA logging.

This feature enables the device to output SAVA logs when SAVA detects spoofing packets.

With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Outputting a large number of SAVA logs might degrade device performance and make fault location harder. To avoid this, limit the number of SAVA logs that the device outputs each time.

An IRF member device can output a maximum of 128 SAVA logs each time.

Examples

# Enable SAVA logging.

<Sysname> system-view

[Sysname] ipv6 sava log enable spoofing-packet

ipv6 sava import remote-route-tag

Use ipv6 sava import remote-route-tag to enable an interface to create SAVA entries based on synchronized remote routes.

Use undo ipv6 sava import remote-route-tag to restore the default.

Syntax

ipv6 sava import remote-route-tag tag

undo ipv6 sava import remote-route-tag

Default

An interface does not create SAVA entries based on synchronized remote routes.

Views

Interface view

Predefined user roles

network-admin

Parameters

tag: Specifies a tag of synchronized remote routes, in the range of 1 to 4294967295.

Usage guidelines

This command enables an interface to create SAVA entries based on synchronized remote routes with the specified route tag.

Use this command if the LAN connects to the backbone network through multiple access devices and the LAN-side interfaces on the border devices do not have prefix information of all users in the LAN. This ensures that the border devices have the same SAVA entries, so that valid packets are not dropped by mistake.

Each border device adds a route tag to the local routes from which it creates SAVA entries, and then advertises the tagged local routes to the other border devices through a routing protocol. A border device creates SAVA entries when it receives tagged routes advertised by the other border devices.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to create SAVA entries based on synchronized remote routes with tag 100 on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava import remote-route-tag 100

reset ipv6 sava packet-drop statistics

Use reset ipv6 sava packet-drop statistics to clear SAVA packet drop statistics.

Syntax

reset ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA packet drop statistics for all interfaces.

Examples

# Clear SAVA packet drop statistics.

<Sysname> reset ipv6 sava packet-drop statistics

Related commands

display ipv6 sava packet-drop statistics
