SMA commands
display sma-anti-spoof ipv6 address-prefix
Use display sma-anti-spoof ipv6 address-prefix to display IPv6 prefix information.
Syntax
In standalone mode:
display sma-anti-spoof ipv6 address-prefix [ acs address-domain-level level-value ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display sma-anti-spoof ipv6 address-prefix [ acs address-domain-level level-value ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
acs address-domain-level level-value: Specifies ACSs at the specified AD level. The level-value argument represents the AD level in the range of 0 to 3.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 prefix information on the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 prefix information on the global active MPU. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Display IPv6 prefix information.
<Sysname> display sma-anti-spoof ipv6 address-prefix
Alliance number: 1
ACS address-domain level: 1
Address-domain ID: 1023
IPv6 prefix: AA:AA::/64
Effective at: May 1 14:12:49 2021
Address-domain level: 3
Common level: 0
Address-domain cnt: 4
Address-domain list: 12 34 56 78
Table 1 Command output
Field | Description |
---|---|
Alliance number | Trust alliance ID. |
ACS address-domain level | AD level of the ACS. |
Address-domain ID | AD ID of the IPv6 prefix. |
IPv6 prefix | IPv6 prefix list of the AD. |
Effective at | Time when the IPv6 prefix starts to take effect. Letter i in the round brackets indicates that the prefix takes effect immediately when the AER receives the prefix. |
Address-domain level | AD level of the IPv6 prefix. |
Common level | Highest level of the common AD for the AER and IPv6 prefix. |
Address-domain cnt | Number of ADs through which SMA packets with the IPv6 prefix are transmitted. |
Address-domain list | List of ADs through which SMA packets with the IPv6 prefix are transmitted. |
display sma-anti-spoof ipv6 packet-tag
Use display sma-anti-spoof ipv6 packet-tag to display SMA tag information for all AD pairs.
Syntax
In standalone mode:
display sma-anti-spoof ipv6 packet-tag [ acs address-domain-level level-value ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display sma-anti-spoof ipv6 packet-tag [ acs address-domain-level level-value ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
acs address-domain-level level-value: Specifies ACSs at the specified AD level. The level-value argument represents the AD level in the range of 0 to 3.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SMA tag information on the active MPU. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SMA tag information on the global active MPU. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Display SMA tag information for all AD pairs.
<Sysname> display sma-anti-spoof ipv6 packet-tag
Alliance number: 1
ACS address-domain level: 1
Source address-domain ID: 10
Destination address-domain ID: 11
Tag: 0xABCD
Transition interval: 10s
Table 2 Command output
Field | Description |
---|---|
Alliance number | Trust alliance ID. |
ACS address-domain level | AD level for the ACS. |
Source address-domain ID | Source AD ID. |
Destination address-domain ID | Destination AD ID. |
Tag | SMA tag, a binary number of up to 128 bits, displayed in hexadecimal format. For example, 0xABCD. |
Transition interval | Tag aging timer in seconds. The tag ages out after the timer expires. |
sma-anti-spoof ipv6 address-domain
Use sma-anti-spoof ipv6 address-domain to specify an AD for the AER.
Use undo sma-anti-spoof ipv6 address-domain to remove the AD specified for the AER.
Syntax
sma-anti-spoof ipv6 address-domain domain-id
undo sma-anti-spoof ipv6 address-domain
Default
No AD is specified for an AER.
Views
System view
Predefined user roles
network-admin
Parameters
domain-id: Specifies the AD ID in the range of 1 to 2147483647.
Usage guidelines
The address domain (AD) concept is introduced to support the hierarchical structure of a trust or sub-trust alliance. You can divide the ADs in the same sub-alliance into a maximum of four levels to form a hierarchy. The smaller the level number, the higher the level. For example, create level 0 for a city, level 1 for an institution in the city, and level 2 for a building or department of the institution.
An ACS is required in each AD at every level to perform the following tasks:
· Exchange information with ACSs in other ADs at the same level.
· Send alliance mapping, IPv6 prefix, and tag information to AERs of the local AD.
The administrator manages members in an AD through ACS and updates IPv6 prefix and state machine information.
At different AD levels in a sub-alliance, you must specify a unique ID for each AD and the ID cannot be the same as the ID of the sub-alliance.
Each AD ID has a corresponding AD level, which is also defined by the administrator through ACS.
Examples
# Specify AD 1 for the AER.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 address-domain 1
sma-anti-spoof ipv6 enable
Use sma-anti-spoof ipv6 enable to enable SMA.
Use undo sma-anti-spoof ipv6 enable to disable SMA.
Syntax
sma-anti-spoof ipv6 enable
undo sma-anti-spoof ipv6 enable
Default
SMA is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You must enable SMA for all SMA configurations to take effect.
Examples
# Enable SMA.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 enable
Related commands
sma-anti-spoof ipv6 filter enable
sma-anti-spoof ipv6 server
sma-anti-spoof ipv6 filter enable
Use sma-anti-spoof ipv6 filter enable to enable AER packet filtering.
Use undo sma-anti-spoof ipv6 filter enable to disable AER packet filtering.
Syntax
sma-anti-spoof ipv6 filter enable
undo sma-anti-spoof ipv6 filter enable
Default
AER packet filtering is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In an SMA network, upon receiving a packet destined for its ACS, the AER removes the SMA-Option from the packet and then directly forwards the packet to the ACS without verifying the packet tag. This prevents ACS communication failures caused by AER errors. However, forwarding packets without tag verification might cause security issues.
To solve this issue, you can enable AER packet filtering so that the AER verifies the validity of tags in packets destined for its ACS and drops packets that fail the verification.
As a best practice, enable this feature only when the network is insecure.
This feature takes effect only when SMA is enabled. To enable SMA, execute the sma-anti-spoof ipv6 enable command.
Examples
# Enable AER packet filtering.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 filter enable
Related commands
sma-anti-spoof ipv6 enable
sma-anti-spoof ipv6 port-type
Use sma-anti-spoof ipv6 port-type to configure an SMA interface type.
Use undo sma-anti-spoof ipv6 port-type to restore the default.
Syntax
sma-anti-spoof ipv6 port-type { egress level level-value | ingress }
undo sma-anti-spoof ipv6 port-type
Default
An interface is not an SMA interface and does not perform SMA.
Views
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
Layer 3 aggregate subinterface view
VLAN interface view
FlexE service interface view
Predefined user roles
network-admin
Parameters
egress: Configures an interface as an SMA egress interface.
level level-value: Specifies the highest AD level for the SMA egress interface. The value range is 0 to 3. A smaller value represents a higher level.
ingress: Configures an interface as an SMA ingress interface.
Usage guidelines
To ensure correct packet classification, tag adding, tag checking, and packet forwarding, you must configure the SMA interface type. SMA interfaces include the following types:
· Ingress interface—Connected to an SMA-disabled router in the local AD.
· Egress interface—Connected to an AER in another AD.
Examples
# Configure Ten-GigabitEthernet 3/1/1 as an SMA egress interface at level 0.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/1/1
[Sysname-Ten-GigabitEthernet3/1/1] sma-anti-spoof ipv6 port-type egress level 0
Related commands
sma-anti-spoof ipv6 enable
sma-anti-spoof ipv6 server
Use sma-anti-spoof ipv6 server to configure a link between an AER and its ACS.
Use undo sma-anti-spoof ipv6 server to restore the default.
Syntax
sma-anti-spoof ipv6 server ipv6-address client client-ipv6-address [ ssl-client-policy policy-name ] address-domain-level level-value
undo sma-anti-spoof ipv6 server address-domain-level level-value
Default
No link is configured between an AER and its ACS.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the ACS IPv6 address.
client client-ipv6-address: Specifies the IPv6 address of the AER client.
ssl-client-policy policy-name: Specifies an existing SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command establishes a TCP link.
address-domain-level level-value: Specifies the AD level of the ACS server, in the range of 0 to 3.
Usage guidelines
Use the sma-anti-spoof ipv6 enable command to enable SMA before you use this command to configure a link between an AER and its ACS. If you specify a nonexistent SSL client policy, the SSL link between the AER and ACS cannot be established.
As a best practice for security purposes, configure an SSL link when the network is insecure.
For the AER to communicate with the ACS server, you must use this command to specify the AD level of the ACS server based on the AD level obtained from the network topology. If you do not do so or specify an inconsistent AD level, the AER cannot communicate with the ACS.
The AER can communicate with only one ACS server at an AD level.
You can specify only one AD level for an ACS server.
Examples
# Configure the AER to establish an SSL link with the ACS at 1::1 by using SSL client policy ssl, specify the client address as 1::2, and specify the ACS AD level as 1.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 server 1::1 client 1::2 ssl-client-policy ssl address-domain-level 1
# Configure the AER to establish a TCP link with the ACS at 1::1, specify the client address as 1::2, and specify the ACS AD level as 1.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 server 1::1 client 1::2 address-domain-level 1
Related commands
sma-anti-spoof ipv6 enable
sma-anti-spoof ipv6 sub-alliance
Use sma-anti-spoof ipv6 sub-alliance to specify a sub-trust alliance for the AER.
Use undo sma-anti-spoof ipv6 sub-alliance to remove the specified sub-trust alliance for the AER.
Syntax
sma-anti-spoof ipv6 sub-alliance sub-alli-number
undo sma-anti-spoof ipv6 sub-alliance
Default
No sub-trust alliance is specified for an AER.
Views
System view
Predefined user roles
network-admin
Parameters
sub-alli-number: Specifies the sub-trust alliance ID in the range of 1 to 255.
Usage guidelines
In a trust alliance, each AER must maintain 2(n-1) state machines, where n represents the number of ASs in the alliance. This requires great maintenance effort and huge storage space if a large number of ASs exist in an alliance. To solve this issue, SMA allows you to divide a trust alliance into multiple sub-trust alliances.
In a sub-trust alliance, an AS that connects to the AER in another sub-alliance is called an edge AS. The main edge AS elected by the ACS registers with the trust alliance on behalf of the sub-alliance, and only the main edge AS maintains the state machines. The main edge AS sends the sub-alliance tag to all the ACSs in the sub-alliance, and the ACSs send the tag to AERs. This significantly reduces the workload on AERs.
Examples
# Specify sub-trust alliance 1 for the AER.
<Sysname> system-view
[Sysname] sma-anti-spoof ipv6 sub-alliance 1
Related commands
sma-anti-spoof ipv6 enable
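Putting the commands in this reference together, the following is an added end-to-end AER configuration (not an example from the original reference). It reuses the ACS address 1::1, client address 1::2, AD 1, sub-alliance 1 and Ten-GigabitEthernet 3/1/1 from the examples above; the SSL client policy ssl is assumed to already exist (it is configured with the SSL commands, not on this page), and Ten-GigabitEthernet 3/1/2 is an assumed second interface.

```text
<Sysname> system-view
# SMA must be enabled first: the ACS link and packet filtering take effect only when SMA is enabled.
[Sysname] sma-anti-spoof ipv6 enable
# Place the AER in sub-trust alliance 1 and AD 1 (assumed values; the AD ID must differ from the sub-alliance ID).
[Sysname] sma-anti-spoof ipv6 sub-alliance 1
[Sysname] sma-anti-spoof ipv6 address-domain 1
# SSL link to the level-1 ACS at 1::1. SSL client policy "ssl" is assumed to exist; the AD level must match the topology.
[Sysname] sma-anti-spoof ipv6 server 1::1 client 1::2 ssl-client-policy ssl address-domain-level 1
# Verify tags on packets destined for the ACS instead of forwarding them unchecked.
[Sysname] sma-anti-spoof ipv6 filter enable
# Interface toward an AER in another AD: egress, highest AD level 0.
[Sysname] interface ten-gigabitethernet 3/1/1
[Sysname-Ten-GigabitEthernet3/1/1] sma-anti-spoof ipv6 port-type egress level 0
[Sysname-Ten-GigabitEthernet3/1/1] quit
# Interface toward an SMA-disabled router inside the local AD: ingress (assumed interface).
[Sysname] interface ten-gigabitethernet 3/1/2
[Sysname-Ten-GigabitEthernet3/1/2] sma-anti-spoof ipv6 port-type ingress
[Sysname-Ten-GigabitEthernet3/1/2] quit
# Confirm that the level-1 ACS has pushed IPv6 prefix and tag information to this AER.
[Sysname] display sma-anti-spoof ipv6 address-prefix acs address-domain-level 1
[Sysname] display sma-anti-spoof ipv6 packet-tag acs address-domain-level 1
```

If the two display commands return no entries, first check that the AD level given in the server command matches the level obtained from the network topology, because an inconsistent level prevents the AER from communicating with the ACS.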