SAVA commands
display ipv6 sava
Use display ipv6 sava to display SAVA entries.
Syntax
display ipv6 sava [ interface interface-type interface-number ] [ slot slot-number ]
In IRF mode:
display ipv6 sava [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]
Views
Predefined user roles
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA entries for all interfaces.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVA entries on the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SAVA entries on the global active MPU. (In IRF mode.)
Examples
# Display SAVA entries.
<Sysname> display ipv6 sava
IPv6 SAVA entry count: 2
Destination: 2011:: Prefix length: 64
Interface: GE2/0/1 Flags: L
VPN instance: --
Destination: 2012:: Prefix length: 64
Interface: GE2/0/2 Flags: L
VPN instance: --
Table 1 Command output
Field | Description |
---|---|
IPv6 SAVA entry count | Number of SAVA entries. |
Destination | Destination IPv6 address. |
Prefix length | Prefix length of the IPv6 address. |
Interface | Interface name. |
Flags | Flag of the SAVA entry: L (local entry), R (remote entry), G (access group entry). |
VPN instance | Name of the VPN instance associated with the interface in the SAVA entry. If the interface is not associated with a VPN instance, this field displays two hyphens (--). |
display ipv6 sava packet-drop statistics
Use display ipv6 sava packet-drop statistics to display SAVA packet drop statistics.
Syntax
display ipv6 sava packet-drop statistics [ interface interface-type interface-number ]
Views
Predefined user roles
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA packet drop statistics for all interfaces.
Examples
# Display SAVA packet drop statistics.
<Sysname> display ipv6 sava packet-drop statistics
GigabitEthernet2/0/1:
Packets:0 Bytes: 0
GigabitEthernet2/0/2:
Packets:10 Bytes: 1500
Table 2 Command output
Field | Description |
---|---|
Packets | Number of packets dropped by SAVA. |
Bytes | Number of bytes dropped by SAVA. |
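The following Python example is added here and is not part of the vendor documentation. It parses the output format shown above and computes per-interface drop deltas between two polls, treating a counter that went backwards as cleared by reset ipv6 sava packet-drop statistics. The second poll and all function names are constructed for illustration.

```python
import re

# Counter line as printed in the example output, e.g. "Packets:10 Bytes: 1500".
COUNTERS = re.compile(r"Packets:\s*(\d+)\s+Bytes:\s*(\d+)")

def parse_drop_stats(text):
    """Return {interface: (packets, bytes)} parsed from the command output."""
    stats, iface = {}, None
    for line in map(str.strip, text.splitlines()):
        match = COUNTERS.fullmatch(line)
        if match and iface:
            stats[iface] = (int(match.group(1)), int(match.group(2)))
            iface = None
        elif line.endswith(":"):
            iface = line[:-1]          # interface header, e.g. "GigabitEthernet2/0/1:"
    return stats

def drop_deltas(previous, current):
    """Packets and bytes dropped per interface since the previous snapshot."""
    deltas = {}
    for iface, (pkts, byts) in current.items():
        old_pkts, old_byts = previous.get(iface, (0, 0))
        if pkts < old_pkts or byts < old_byts:
            # Counters went backwards: they were cleared between polls
            # (reset ipv6 sava packet-drop statistics), so count from zero.
            old_pkts, old_byts = 0, 0
        deltas[iface] = (pkts - old_pkts, byts - old_byts)
    return deltas

def interfaces_dropping(deltas, min_packets=1):
    """Interfaces whose SAVA drop count grew by at least min_packets."""
    return sorted(i for i, (pkts, _) in deltas.items() if pkts >= min_packets)

# First poll: the example output from this page.
POLL_1 = """<Sysname> display ipv6 sava packet-drop statistics
GigabitEthernet2/0/1:
Packets:0 Bytes: 0
GigabitEthernet2/0/2:
Packets:10 Bytes: 1500
"""
# Second poll: constructed sample; GE2/0/2 was reset between the polls.
POLL_2 = """GigabitEthernet2/0/1:
Packets:4 Bytes: 600
GigabitEthernet2/0/2:
Packets:3 Bytes: 450
"""

if __name__ == "__main__":
    deltas = drop_deltas(parse_drop_stats(POLL_1), parse_drop_stats(POLL_2))
    for name in interfaces_dropping(deltas):
        print(name, *deltas[name])
```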
Related commands
reset ipv6 sava packet-drop statistics
ipv6 sava access-group
Use ipv6 sava access-group to add an interface to an access group.
Use undo ipv6 sava access-group to remove an interface from an access group.
Syntax
ipv6 sava access-group group-name
Default
An interface does not belong to any access group.
Views
Predefined user roles
mdc-admin
Parameters
group-name: Specifies an access group by its name, a case-sensitive string of 1 to 255 characters.
Usage guidelines
All interfaces in a SAVA access group must belong to the public network or the same VPN instance.
A SAVA access group can contain a maximum of eight interfaces.
Examples
# Add GigabitEthernet2/0/1 to SAVA access group aaa.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] ipv6 sava access-group aaa
Related commands
ipv6 sava enable
Use ipv6 sava enable to enable SAVA.
Use undo ipv6 sava enable to disable SAVA.
Syntax
Default
Views
Predefined user roles
mdc-admin
Usage guidelines
SAVA is mutually exclusive with uRPF. Do not configure SAVA together with uRPF.
If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped.
Examples
# Enable SAVA on GigabitEthernet2/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] ipv6 sava enable
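The following Python example is added here and is not part of the vendor documentation. It checks a saved configuration against the constraints stated in the usage guidelines for ipv6 sava access-group and ipv6 sava enable: at most eight interfaces per access group, one VPN instance (or the public network) per group, and no uRPF alongside SAVA. The ip binding vpn-instance and ip urpf / ipv6 urpf line formats, the device-wide scope of the uRPF check, and the sample configuration are assumptions that this page does not show.

```python
from collections import defaultdict

MAX_GROUP_INTERFACES = 8   # limit from the ipv6 sava access-group usage guidelines

def lint_sava(config):
    """Return sorted findings for a Comware-style configuration text."""
    iface, sava_enabled, urpf_seen = None, False, False
    vpn = {}                       # interface -> VPN instance name
    groups = defaultdict(list)     # access group name -> member interfaces
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "#":
            iface = None               # "#" closes a configuration section
        elif line.startswith(("ip urpf", "ipv6 urpf")):    # assumed uRPF syntax
            urpf_seen = True
        elif iface and line == "ipv6 sava enable":
            sava_enabled = True
        elif iface and line.startswith("ipv6 sava access-group "):
            groups[line.split(None, 3)[3]].append(iface)
        elif iface and line.startswith("ip binding vpn-instance "):  # assumed syntax
            vpn[iface] = line.split()[-1]
    findings = []
    if sava_enabled and urpf_seen:
        findings.append("SAVA and uRPF are both configured")
    for name, members in groups.items():
        if len(members) > MAX_GROUP_INTERFACES:
            findings.append(f"access group {name}: {len(members)} interfaces (max {MAX_GROUP_INTERFACES})")
        instances = sorted({vpn.get(m, "(public)") for m in members})
        if len(instances) > 1:
            findings.append(f"access group {name}: mixed VPN instances {instances}")
    return sorted(findings)

# Constructed sample configuration (not taken from a real device).
SAMPLE = """interface GigabitEthernet2/0/1
 ipv6 sava enable
 ipv6 sava access-group aaa
#
interface GigabitEthernet2/0/2
 ip binding vpn-instance vpn1
 ipv6 sava enable
 ipv6 sava access-group aaa
#
interface GigabitEthernet2/0/3
 ipv6 urpf strict
"""

if __name__ == "__main__":
    print("\n".join(lint_sava(SAMPLE)))
```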
Related commands
ipv6 sava log enable spoofing-packet
Use ipv6 sava log enable spoofing-packet to enable SAVA logging.
Use undo ipv6 sava log enable spoofing-packet to disable SAVA logging.
Syntax
ipv6 sava log enable spoofing-packet [ interval interval | number number ]*
undo ipv6 sava log enable spoofing-packet
Default
Views
Predefined user roles
mdc-admin
Parameters
interval interval: Specifies the interval at which the device outputs SAVA logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA log immediately after detecting an IPv6 source address spoofing packet.
number number: Specifies the maximum number of SAVA logs that can be output each time, in the range of 1 to 128. The default is 128.
Usage guidelines
To identify and troubleshoot issues, enable SAVA logging.
This feature enables the device to output SAVA logs when SAVA detects spoofing packets.
A card can output a maximum of 128 SAVA logs each time. (In standalone mode.) (In IRF mode.)
Examples
<Sysname> system-view
[Sysname] ipv6 sava log enable spoofing-packet
ipv6 sava import remote-route-tag
Use ipv6 sava import remote-route-tag to enable an interface to create SAVA entries based on synchronized remote routes.
Use undo ipv6 sava import remote-route-tag to restore the default.
Syntax
ipv6 sava import remote-route-tag tag
undo ipv6 sava import remote-route-tag
Default
An interface does not create SAVA entries based on synchronized remote routes.
Views
Predefined user roles
mdc-admin
Parameters
tag: Specifies a tag of synchronized remote routes, in the range of 1 to 4294967295.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the device to create SAVA entries based on synchronized remote entries with tag 10 on GigabitEthernet2/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] ipv6 sava import remote-route-tag 100
reset ipv6 sava packet-drop statistics
Use reset ipv6 sava packet-drop statistics to clear SAVA packet drop statistics.
Syntax
reset ipv6 sava packet-drop statistics [ interface interface-type interface-number ]
Views
Predefined user roles
mdc-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA packet drop statistics for all interfaces.
Examples
# Clear SAVA packet drop statistics.
<Sysname> reset ipv6 sava packet-drop statistics
Related commands
display ipv6 sava packet-drop statistics