Table of Contents
- 12-Security Command Reference
- 00-Preface
- 01-DAE proxy commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Session management commands
- 10-Object group commands
- 11-Attack detection and prevention commands
- 12-IP-based attack prevention commands
- 13-IP source guard commands
- 14-ARP attack protection commands
- 15-ND attack defense commands
- 16-uRPF commands
- 17-SAVA commands
- 18-SAVA-P commands
- 19-Crypto engine commands
- 20-Trust level commands
Contents
display ipv6 sava protocol entry
display ipv6 sava protocol packet-drop statistics
ipv6 sava protocol enable
ipv6 sava protocol id
ipv6 sava protocol log enable spoofing-packet
ipv6 sava protocol port-type
reset ipv6 sava protocol packet-drop statistics
SAVA-P commands
display ipv6 sava protocol entry
Use display ipv6 sava protocol entry to display SAVA-P entries.
Syntax
display ipv6 sava protocol entry [ interface interface-type interface-number ] [ vpn-instance vpn-instance-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA-P entries for all interfaces.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the interface belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To display SAVA-P entries of interfaces on the public network, do not specify this option.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVA-P entries on the active MPU.
Examples
# Display SAVA-P entries.
<Sysname> display ipv6 sava protocol entry
IPv6 SAVA protocol entry count: 4
Destination/Prefix length    Interface    VPN instance
2::9/128                     XGE3/0/1     --
11:12::/64                   XGE3/0/2     vpn1
2002::/64                    XGE3/0/2     vpn1
2003::2/128                  XGE3/0/3     vpn2
Table 1 Command output

Field | Description |
---|---|
IPv6 SAVA protocol entry count | Number of SAVA-P entries. |
Destination/Prefix length | Source IPv6 prefix and its prefix length. |
Interface | Interface name. |
VPN instance | Name of the VPN instance associated with the interface in the SAVA-P entry. If the interface is on the public network, this field displays two hyphens (--). |
display ipv6 sava protocol packet-drop statistics
Use display ipv6 sava protocol packet-drop statistics to display SAVA-P packet drop statistics.
Syntax
display ipv6 sava protocol packet-drop statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA-P packet drop statistics for all interfaces.
Examples
# Display SAVA-P packet drop statistics.
<Sysname> display ipv6 sava protocol packet-drop statistics
Ten-GigabitEthernet3/0/1:
  Packets: 0     Bytes: 0
Ten-GigabitEthernet3/0/2:
  Packets: 10    Bytes: 1500
Table 2 Command output

Field | Description |
---|---|
Packets | Number of packets dropped by SAVA-P. |
Bytes | Number of bytes dropped by SAVA-P. |
Related commands
reset ipv6 sava protocol packet-drop statistics
ipv6 sava protocol enable
Use ipv6 sava protocol enable to enable SAVA-P.
Use undo ipv6 sava protocol enable to disable SAVA-P.
Syntax
ipv6 sava protocol enable
undo ipv6 sava protocol enable
Default
SAVA-P is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Source Address Validation Architecture Protocol (SAVA-P) is a protocol for preventing IPv6 source address spoofing attacks. A SAVA-P-enabled device creates SAVA-P entries from received SAVA-P packets and their incoming interfaces, and uses those entries to verify the source prefixes of IPv6 packets. Upon receiving an IPv6 packet on an interface, the device searches for a SAVA-P entry whose prefix covers the packet's source IPv6 address and whose interface is the incoming interface. If no such entry exists, the device drops the packet.
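The following Python model of the source-prefix check is an added example, not H3C code and not the device's implementation. It parses the output format of display ipv6 sava protocol entry shown on this page, applies the rule stated above (forward only when an entry exists whose interface is the incoming interface and whose prefix covers the source address, otherwise drop), and accumulates per-interface drop counters in the shape of display ipv6 sava protocol packet-drop statistics. The sample entries are taken from the page; the sample packets, interface names and the longest-prefix tie-break are constructed assumptions.

```python
"""Model of the SAVA-P source-prefix check (added example, not device code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SavaPEntry:
    prefix: ipaddress.IPv6Network
    interface: str
    vpn_instance: Optional[str]  # None means public network ("--" on the device)


# Exactly three whitespace-separated fields: prefix, interface, VPN instance.
# The count line and the column header have more fields and are skipped.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Output of 'display ipv6 sava protocol entry' as shown on this page.
SAMPLE_OUTPUT = """\
IPv6 SAVA protocol entry count: 4
Destination/Prefix length Interface VPN instance
2::9/128 XGE3/0/1 --
11:12::/64 XGE3/0/2 vpn1
2002::/64 XGE3/0/2 vpn1
2003::2/128 XGE3/0/3 vpn2
"""

# Constructed packets: (source address, incoming interface, length in bytes).
SAMPLE_PACKETS = [
    ("2::9", "XGE3/0/1", 100),       # legitimate host behind XGE3/0/1
    ("11:12::1", "XGE3/0/1", 150),   # valid vpn1 prefix, wrong interface: spoofed
    ("2002::abcd", "XGE3/0/2", 200), # legitimate, covered by 2002::/64
    ("3ffe::1", "XGE3/0/2", 60),     # no entry for this prefix anywhere: dropped
]


def parse_entries(text: str) -> List[SavaPEntry]:
    """Parse 'display ipv6 sava protocol entry' output into entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        prefix, iface, vpn = m.groups()
        try:
            net = ipaddress.IPv6Network(prefix, strict=False)
        except ValueError:
            continue  # not an entry line
        entries.append(SavaPEntry(net, iface, None if vpn == "--" else vpn))
    return entries


def check_packet(entries: Iterable[SavaPEntry], src: str,
                 incoming_iface: str) -> Tuple[str, Optional[SavaPEntry]]:
    """Return ('forward', entry) or ('drop', None) per the documented rule.

    Both conditions must hold: same incoming interface and prefix coverage.
    When several entries match, the longest prefix is reported (assumption;
    the page only states that some match must exist).
    """
    addr = ipaddress.IPv6Address(src)
    best: Optional[SavaPEntry] = None
    for e in entries:
        if e.interface == incoming_iface and addr in e.prefix:
            if best is None or e.prefix.prefixlen > best.prefix.prefixlen:
                best = e
    return ("forward", best) if best is not None else ("drop", None)


def drop_statistics(entries: Iterable[SavaPEntry],
                    packets: Iterable[Tuple[str, str, int]]) -> Dict[str, Tuple[int, int]]:
    """Per-interface (packets, bytes) dropped, like the packet-drop statistics display."""
    entries = list(entries)
    stats: Dict[str, Tuple[int, int]] = {}
    for src, iface, length in packets:
        pkts, octets = stats.get(iface, (0, 0))
        if check_packet(entries, src, iface)[0] == "drop":
            pkts, octets = pkts + 1, octets + length
        stats[iface] = (pkts, octets)
    return stats


if __name__ == "__main__":
    table = parse_entries(SAMPLE_OUTPUT)
    for src, iface, _ in SAMPLE_PACKETS:
        action, hit = check_packet(table, src, iface)
        print(f"{src:>12} on {iface}: {action}" + (f" via {hit.prefix}" if hit else ""))
    for iface, (pkts, octets) in drop_statistics(table, SAMPLE_PACKETS).items():
        print(f"{iface}: Packets: {pkts} Bytes: {octets}")
```

The second sample packet is the case SAVA-P exists for: the source prefix is real, but it arrives on an interface that has no entry for it, so it is dropped. The model only implements what the page states; how the device treats the VPN instance binding or overlapping entries is not described here.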
Examples
# Enable SAVA-P.
<Sysname> system-view
[Sysname] ipv6 sava protocol enable
Related commands
ipv6 sava protocol id
ipv6 sava protocol port-type
ipv6 sava protocol id
Use ipv6 sava protocol id to specify the router ID and IPv6 transport address for the SAVA-P device.
Use undo ipv6 sava protocol id to restore the default.
Syntax
ipv6 sava protocol id router-id transport-address ipv6-address
undo ipv6 sava protocol id
Default
The router ID and IPv6 transport address for the SAVA-P device are not specified.
Views
System view
Predefined user roles
network-admin
Parameters
router-id: Specifies the global router ID in dotted decimal format. The value range for this argument is 0.0.0.1 to 255.255.255.254.
transport-address ipv6-address: Specifies the IPv6 transport address for the SAVA-P device.
Usage guidelines
A router ID uniquely identifies the SAVA-P device sending the SPA or DPP packet that contains the source or destination prefixes.
Two SAVA-P devices connected to each other are SAVA-P neighbors. Each SAVA-P device sends a hello packet carrying its local transport address to the other device. By comparing the local and peer transport addresses, the device with the lower transport address is selected as the TCP server, and the other device is selected as the TCP client. The devices then establish a TCP connection.
As a best practice, specify the router ID as the IPv4 address of a loopback interface on the SAVA-P device. Reachability is not required for the IP address.
As a best practice, specify the transport address as the IPv6 address of a loopback interface on a SAVA-P device. For successful TCP establishment, make sure the IP address is reachable.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify router ID 10.1.1.3 and IPv6 transport address 2001::1/64 for the SAVA-P device.
<Sysname> system-view
[Sysname] ipv6 sava protocol id 10.1.1.3 transport-address 2001::1/64
Related commands
ipv6 sava protocol enable
ipv6 sava protocol log enable spoofing-packet
Use ipv6 sava protocol log enable spoofing-packet to enable SAVA-P logging.
Use undo ipv6 sava protocol log enable spoofing-packet to disable SAVA-P logging.
Syntax
ipv6 sava protocol log enable spoofing-packet [ interval interval | number number ] *
undo ipv6 sava protocol log enable spoofing-packet
Default
SAVA-P logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies the interval at which the device outputs SAVA-P logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA-P log immediately after detecting an IPv6 source address spoofing packet.
number number: Specifies the maximum number of SAVA-P logs that can be output each time, in the range of 1 to 128. The default is 128.
Usage guidelines
To identify and troubleshoot issues, enable SAVA-P logging.
This feature enables the device to generate SAVA-P log messages when spoofing packets are detected by SAVA-P.
The log messages are sent to the information center and output according to the configured log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.
A card can output a maximum of 128 SAVA-P logs each time.
Examples
# Enable SAVA-P logging with a 10-second output interval and a maximum of 20 logs each time.
<Sysname> system-view
[Sysname] ipv6 sava protocol log enable spoofing-packet interval 10 number 20
Related commands
ipv6 sava protocol enable
ipv6 sava protocol port-type
ipv6 sava protocol port-type
Use ipv6 sava protocol port-type to specify the SAVA-P interface type for an interface.
Use undo ipv6 sava protocol port-type to restore the default.
Syntax
ipv6 sava protocol port-type { nni | uni }
undo ipv6 sava protocol port-type
Default
The SAVA-P interface type is not specified for an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
nni: Specifies the network-to-network interface type.
uni: Specifies the user network interface type.
Usage guidelines
If you configure the interfaces that connect two SAVA-P devices as NNIs, the two devices become SAVA-P neighbors. After you configure the router ID and transport address on the devices, the SAVA-P entry creation process is as follows:
1. Each device sends a hello packet carrying its local transport address to the other device.
2. By comparing the local and peer transport addresses, the device with the lower transport address is selected as the TCP server, and the other device is selected as the TCP client.
3. The devices establish a TCP connection.
4. A device advertises its source prefixes (all directly connected routes learned locally and the indirect routes reaching the user access network) by sending an SPA packet. The other device then creates SAVA-P entries from the source prefixes (the received prefixes as well as its own local source prefixes) and the incoming interface of the packet.
After you configure the interface that connects to the user network as a UNI, the device generates a user-side prefix entry from the indirect route to the user access network learned on that interface. The device advertises the prefix to its SAVA-P neighbor through the NNI. The neighbor creates a SAVA-P entry from the prefix and the incoming interface of the packet.
If you specify the SAVA-P interface type as NNI for an interface, do not enable SAVA on the interface. For more information about SAVA, see SAVA configuration in Security Configuration Guide.
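A two-device configuration that carries the steps above through end to end, added here as an example; it is not taken from the original page or from H3C. The device names, router IDs 10.1.1.1 and 10.1.1.2, transport addresses 2001::1 and 2001::2 (assumed to be loopback addresses that are already configured and reachable between the devices), interface roles and logging values are assumptions; the command forms are the ones documented on this page, with the transport address written as a plain address per the Syntax line of ipv6 sava protocol id.

```text
# Device A: Ten-GigabitEthernet3/0/1 faces Device B, Ten-GigabitEthernet3/0/2 faces the user access network.
<DeviceA> system-view
[DeviceA] ipv6 sava protocol enable
[DeviceA] ipv6 sava protocol id 10.1.1.1 transport-address 2001::1
[DeviceA] interface ten-gigabitethernet 3/0/1
[DeviceA-Ten-GigabitEthernet3/0/1] ipv6 sava protocol port-type nni
[DeviceA-Ten-GigabitEthernet3/0/1] quit
[DeviceA] interface ten-gigabitethernet 3/0/2
[DeviceA-Ten-GigabitEthernet3/0/2] ipv6 sava protocol port-type uni
[DeviceA-Ten-GigabitEthernet3/0/2] quit
[DeviceA] ipv6 sava protocol log enable spoofing-packet interval 30 number 64

# Device B: Ten-GigabitEthernet3/0/1 faces Device A, Ten-GigabitEthernet3/0/2 faces its own user access network.
<DeviceB> system-view
[DeviceB] ipv6 sava protocol enable
[DeviceB] ipv6 sava protocol id 10.1.1.2 transport-address 2001::2
[DeviceB] interface ten-gigabitethernet 3/0/1
[DeviceB-Ten-GigabitEthernet3/0/1] ipv6 sava protocol port-type nni
[DeviceB-Ten-GigabitEthernet3/0/1] quit
[DeviceB] interface ten-gigabitethernet 3/0/2
[DeviceB-Ten-GigabitEthernet3/0/2] ipv6 sava protocol port-type uni
[DeviceB-Ten-GigabitEthernet3/0/2] quit
[DeviceB] ipv6 sava protocol log enable spoofing-packet interval 30 number 64

# Verification on either device, from any view.
<DeviceA> display ipv6 sava protocol entry
<DeviceA> display ipv6 sava protocol packet-drop statistics interface ten-gigabitethernet 3/0/1
```

Because 2001::1 is the lower transport address, Device A becomes the TCP server in step 2 and Device B the client. Once the session is up, display ipv6 sava protocol entry on Device A should list the user-side prefix learned on Device B against Ten-GigabitEthernet3/0/1; if legitimate traffic from Device B's users is counted in the packet-drop statistics instead, the prefix is missing from the table and the UNI configuration or the route on Device B is the first thing to check. Leave SAVA disabled on the NNI interfaces, as the guideline above requires.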
Examples
# Specify SAVA-P interface Ten-GigabitEthernet3/0/1 as an NNI.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] ipv6 sava protocol port-type nni
Related commands
display ipv6 sava protocol entry
ipv6 sava protocol enable
reset ipv6 sava protocol packet-drop statistics
Use reset ipv6 sava protocol packet-drop statistics to clear SAVA-P packet drop statistics.
Syntax
reset ipv6 sava protocol packet-drop statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA-P packet drop statistics for all interfaces.
Examples
# Clear SAVA-P packet drop statistics.
<Sysname> reset ipv6 sava protocol packet-drop statistics
Related commands
display ipv6 sava protocol packet-drop statistics