Content

SAVA commands· 1

display ipv6 sava· 1

display ipv6 sava packet-drop statistics· 2

ipv6 sava access-group· 2

ipv6 sava enable· 3

ipv6 sava log enable spoofing-packet 4

ipv6 sava import remote-route-tag· 5

ipv6 sava packet-drop enable· 5

reset ipv6 sava packet-drop statistics· 6

SAVA commands

display ipv6 sava

Use display ipv6 sava to display SAVA entries.

Syntax

display ipv6 sava [ interface interface-type interface-number ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA entries for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVA entries on the active MPU.

Examples

# Display SAVA entries.

<Sysname> display ipv6 sava

IPv6 SAVA entry count: 2

Destination: 2011::                    Prefix length: 64

Interface: XGE3/0/1                    Flags: L

VPN instance: --

 

Destination: 2012::                    Prefix length: 64

Interface: XGE3/0/2                    Flags: L

VPN instance: --

Table 1 Command output

Field	Description
IPv6 SAVA entry count	Number of SAVA entries.
Destination	Destination IPv6 address.
Prefix length	Prefix length of the IPv6 address.
Interface	Interface name.
Flag	Flag of the SAVA entry: ·     L—Local entry. ·     R—Remote entry. ·     G—Access group entry.
VPN instance	Name of the VPN instance associated with the interface in the SAVA entry. If the interface is not associated with a VPN instance, this field displays two hyphens (--).

‌

display ipv6 sava packet-drop statistics

Use display ipv6 sava packet-drop statistics to display SAVA packet drop statistics.

Syntax

display ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA packet drop statistics for all interfaces.

Examples

# Display SAVA packet drop statistics.

<Sysname> display ipv6 sava packet-drop statistics

Ten-GigabitEthernet3/0/1:

  Packets:0               Bytes: 0

 

Ten-GigabitEthernet3/0/2:

  Packets:10              Bytes: 1500

Table 2 Command output

Field	Description
Packets	Number of packets dropped by SAVA.
Bytes	Number of bytes dropped by SAVA.

‌

Related commands

reset ipv6 sava packet-drop statistics

ipv6 sava access-group

Use ipv6 sava access-group to add an interface to an access group.

Use undo ipv6 sava access-group to remove an interface from an access group.

Syntax

ipv6 sava access-group group-name

undo ipv6 sava access-group

Default

An interface does not belong to any access group.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies an access group by its name, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If the device has multiple interfaces connected to the same LAN, the device might receive packets from users in the LAN on different interfaces. However, each interface creates SAVA entries only based on its local routes. When an interface receives a packet from the LAN for which the interface has no matching SAVA entry, the packet will be discarded.

To resolve this issue, you can add the interfaces to a SAVA access group. The interfaces in the SAVA access group will synchronize SAVA entries that are created based on local routes with each other. This avoids unexpected packet drop caused by asymmetric routing.

All interfaces in a SAVA access group must belong to the public network or the same VPN instance.

An interface can be added only to one SAVA access group. If you execute this command multiple times, the most recent configuration takes effect.

A SAVA access group can contain a maximum of eight interfaces.

Examples

# Add Ten-GigabitEthernet3/0/1 10 to SAVA access group aaa.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 sava access-group aaa

Related commands

ipv6 sava enable

ipv6 sava enable

Use ipv6 sava enable to enable SAVA.

Use undo ipv6 sava enable to disable SAVA.

Syntax

ipv6 sava enable

undo ipv6 sava enable

Default

SAVA is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

SAVA is mutually exclusive with uPRF and microsegmentation. Do not configure SAVA together with uRPF or microsegmentation.

If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped.

Examples

# Enable Ten-GigabitEthernet3/0/1 on VLAN-interface 10.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 sava enable

Related commands

display ipv6 sava

ipv6 sava access-group

ipv6 sava log enable spoofing-packet

Use ipv6 sava log enable spoofing-packet to enable SAVA logging.

Use undo ipv6 sava log enable spoofing-packet to disable SAVA logging.

Syntax

ipv6 sava log enable spoofing-packet [ interval interval | number number ]*

undo ipv6 sava log enable spoofing-packet

Default

SAVA logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval at which the device outputs SAVA logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA log immediately after detecting an IPv6 source address spoofing packet.

number number: Specifies the maximum number of SAVA logs that can be outputted each time, in the range of 1 to 128. The default is 128.

Usage guidelines

To identify and troubleshoot issues, enable SAVA logging.

This feature enables the device to output SAVA logs when SAVA detects spoofing packets.

With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Due to hardware performance, the device still generates SAVA logs for a short time after you disable SAVA logging.

Outputting a large number of SAVA logs might degrade device performance and cause inconvenience for fault location. You can limit the number of SAVA logs that the device outputs each time.

A card can output a maximum of 128 SAVA logs each time.

Examples

# Enable SAVA logging.

<Sysname> system-view

[Sysname] ipv6 sava log enable spoofing-packet

ipv6 sava import remote-route-tag

Use ipv6 sava import remote-route-tag to enable an interface to create SAVA entries based on synchronized remote routes.

Use undo ipv6 sava import remote-route-tag to restore the default.

Syntax

ipv6 sava import remote-route-tag tag

undo ipv6 sava import remote-route-tag

Default

An interface does not create SAVA entries based on synchronized remote routes.

Views

Interface view

Predefined user roles

network-admin

Parameters

tag: Specifies a tag of synchronized remote routes, in the range of 1 to 4294967295.

Usage guidelines

This command enables an interface to create SAVA entries based on synchronized remote entries with the specified route tag.

Use this command if the LAN connects to the backbone network through multiple access devices and LAN-side interfaces on the border devices do not have prefix information of all users in the LAN. This task ensures that the border devices have the same SAVA entries to avoid mistaken packet drop.

Each border device adds a route tag to local routes based on which SAVA entries are created and then advertises the tagged local routes to the other border devices through a routing protocol. The other border devices will create SAVA entries upon receiving the tagged routes advertised by other border devices.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to create SAVA entries based on synchronized remote entries with tag 10 on Ten-GigabitEthernet3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 sava import remote-route-tag 100

ipv6 sava packet-drop enable

Use ipv6 sava enable to enable dropping of SAVA-detected spoofing packets.

Use undo ipv6 sava enable to disable dropping of SAVA-detected spoofing packets.

Syntax

ipv6 sava packet-drop enable

undo ipv6 sava packet-drop enable

Default

Dropping of SAVA-detected spoofing packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, when a SAVA-enabled interface receives an IPv6 packet and no matching SAVA entry containing the packet's source IPv6 address exists on the device, the packet is dropped. The device creates SAVA entries based on corresponding routing entries. If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped. To resolve this issue, use the undo ipv6 sava packet-drop enable command to disable dropping of SAVA-detected spoofing packets. In this way, before enabling dropping of SAVA-detected spoofing packets, you can analyze and adjust network configurations according to the output spoofing packet logs.

Examples

# Disable dropping of SAVA-detected spoofing packets.

<Sysname> system-view

[Sysname] undo ipv6 sava packet-drop enable

Related commands

ipv6 sava log enable spoofing-packet

reset ipv6 sava packet-drop statistics

Use reset ipv6 sava packet-drop statistics to clear SAVA packet drop statistics.

Syntax

reset ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA packet drop statistics for all interfaces.

Examples

# Clear SAVA packet drop statistics.

<Sysname> reset ipv6 sava packet-drop statistics

Related commands

display ipv6 sava packet-drop statistics