- Table of Contents
- 12-Security Command Reference
- 00-Preface
- 01-DAE proxy commands
- 02-Password control commands
- 03-Keychain commands
- 04-Public key management commands
- 05-PKI commands
- 06-IPsec commands
- 07-SSH commands
- 08-SSL commands
- 09-Session management commands
- 10-Object group commands
- 11-Attack detection and prevention commands
- 12-IP-based attack prevention commands
- 13-IP source guard commands
- 14-ARP attack protection commands
- 15-ND attack defense commands
- 16-uRPF commands
- 17-SAVA commands
- 18-SAVNET commands
- 19-Crypto engine commands
- 20-Trust level commands
SAVNET commands
address-family ipv6 savnet
Use address-family ipv6 savnet to create the BGP IPv6 SAVNET address family and enter its view, or enter the view of the existing BGP IPv6 SAVNET address family.
Use undo address-family ipv6 savnet to delete the BGP IPv6 SAVNET address family and all its configuration.
Syntax
address-family ipv6 savnet
undo address-family ipv6 savnet
Default
The BGP IPv6 SAVNET address family does not exist.
Views
BGP instance view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
The BGP IPv6 SAVNET address family is used for SAVNET networks. SAVNET devices can generate SAVNET entries by exchanging BGP IPv6 SAVNET routes that carry the protocol information.
Restrictions and guidelines
The configuration in BGP IPv6 SAVNET address family view takes effect only on routes and peers in the BGP IPv6 SAVNET address family.
Examples
# Create the BGP IPv6 SAVNET address family in BGP instance view and enter BGP IPv6 SAVNET address family view.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6]
destination-probing enable
Use destination-probing enable to enable SAVNET destination prefix probing.
Use undo destination-probing enable to disable SAVNET destination prefix probing.
Syntax
destination-probing enable
undo destination-probing enable
Default
SAVNET destination prefix probing is disabled.
Views
BGP IPv6 SAVNET address family view
Predefined user roles
network-admin
Usage guidelines
Operating mechanism
When SAVNET destination prefix probing is disabled, the device only forwards DPP routes and cannot generate them. With this feature enabled, the device can also generate DPP routes.
Restrictions and guidelines
This command does not affect the agent DPP route feature. SAVNET devices can generate agent DPP routes even when SAVNET destination prefix probing is disabled.
Examples
# Enable SAVNET destination prefix probing.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6] destination-probing enable
destination-probing interval
Use destination-probing interval to set the DPP route sending interval.
Use undo destination-probing interval to restore the default.
Syntax
destination-probing interval [ interval ]
undo destination-probing interval
Default
The DPP route sending interval is 3600 seconds.
Views
BGP IPv6 SAVNET address family view
Predefined user roles
network-admin
Parameters
interval: Sets an interval, in the value range of 30 to 86400 seconds.
Usage guidelines
Operating mechanism
With this command configured on a device, the device periodically sends DPP routes at the specified interval.
Restrictions and guidelines
As a best practice, configure the SAVNET entry aging time to be at least twice the DPP route sending interval configured on the route-generating device. Otherwise, SAVNET entries might age out before the next DPP route arrives, because the sending interval is too long relative to the aging time.
If a large number of DPP routes need to be sent, do not set the DPP route sending interval too short. A very short interval might overwhelm BGP IPv6 SAVNET peers with DPP routes so that they cannot process the received DPP routes in time.
Examples
# Set the DPP route sending interval to 100 seconds.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6] destination-probing interval 100
Make sure the SAVNET entry aging time is at least twice the DPP route sending interval configured on the DPP routes’ source device. Continue? [y/n]
Related commands
destination-probing enable
savnet-entry expire-time
display bgp ipv6 savnet dpp
Use display bgp ipv6 savnet dpp to display information about BGP IPv6 SAVNET Destination Prefix Probing (DPP) routes.
Syntax
display bgp [ instance instance-name ] ipv6 savnet dpp [ [ route-distinguisher route-distinguisher ] [ savnet-route route-length | savnet-prefix ] | statistics ]
display bgp [ instance instance-name ] ipv6 savnet dpp [ route-distinguisher route-distinguisher ] time-range min-time max-time
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays DPP route information of the default instance.
route-distinguisher route-distinguisher: Specifies the route distinguisher of DPP routes, a string of 3 to 21 characters in the format of Router ID:0.
savnet-route route-length: Specifies a DPP route and the route length. A DPP route is a string of 1 to 512 characters. The length of a DPP route is an integer in the range of 0 to 65535, in bits.
savnet-prefix: Specifies a DPP route by a prefix in the format of savnet-route/route-length, which is a case-insensitive string of 1 to 512 characters.
statistics: Displays statistics for DPP routes.
time-range min-time max-time: Displays DPP routes whose time since the last update falls within the specified range. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, in <0-10000>d<0-23>h<0-59>m<0-59>s format, where d, h, m, and s represent days, hours, minutes, and seconds and the bracketed ranges are the permitted values for each unit. The value for max-time must be greater than the value for min-time.
Usage guidelines
If no parameters are specified, this command displays brief information about all BGP IPv6 SAVNET DPP routes.
Examples
# Display brief information about all BGP IPv6 SAVNET DPP routes.
<Sysname> display bgp ipv6 savnet dpp
BGP local router ID is 8.5.6.7
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of SAVNET routes: 3
Total number of routes from all peers: 1
Route distinguisher: 3.4.5.6:0
Total number of routes: 1
* >i Network : [2][2][1][3.4.5.6][64][101::]/120
NextHop : 0.0.0.0 LocPrf : 100
MED : 0
Path/Ogn: i
Route distinguisher: 8.5.6.7:0
Total number of routes: 2
* > Network : [2][2][1][8.5.6.7][64][10::]/120
NextHop : 0.0.0.0 LocPrf : 100
MED : 0
Path/Ogn: i
* >i Network : [2][2][1][3.3.3.3][128][1::1]/184
NextHop : 0.0.0.0 LocPrf : 100
MED : 0
Path/Ogn: i
Route distinguisher: 100:0
Total number of routes: 1
* >i Network : [2][2][2][3.3.3.3][100][200][300]/144
NextHop : 0.0.0.0 LocPrf : 100
MED : 0
Path/Ogn: i
# Display brief information about all BGP IPv6 SAVNET DPP routes whose duration since the last route update is within a specified time range.
<Sysname> display bgp ipv6 savnet dpp time-range 1d1h1m1s 7d3h1m1s
BGP local router ID is 8.5.6.7
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of SAVNET routes: 2
Total number of routes from all peers: 2
Route distinguisher: 3.4.5.6:0
Total number of routes: 1
* >i Network : [2][2][1][3.4.5.6][64][101::]/120
NextHop : :: LocPrf : 100
MED : 0 Route age : 06d01h12m44s
Table 1 Command output
Field | Description |
---|---|
BGP local router ID | Locally configured router ID of the device. |
Status codes | Route status code: · * - valid—Valid route. · > - best—Optimal route. · d - dampened—Dampened route. · h - history—History route. · s - suppressed—Suppressed route. · S - stale—Stale route. · i - internal—Internal route. · e - external—External route. · a - additional-path—Add-Path optimal route. |
Origin | Origin of the route: · i - IGP—Originated in the local AS. · e - EGP—Learned through Exterior Gateway Protocol (EGP). · ? - incomplete—Unknown origin. Routes redistributed from an IGP have the incomplete origin. |
Total number of SAVNET routes | Total number of SAVNET routes for all route distinguishers. |
Total number of routes from all peers | Total number of SAVNET routes received from all BGP IPv6 SAVNET peers. |
Route distinguisher | Route distinguisher of the DPP routes listed under it. |
Total number of routes | Total number of DPP routes with this route distinguisher. |
Network | DPP route: · Intra-domain DPP route: [2][2][DPP route subprotocol type][origin router ID][prefix length][IPv6 prefix]. The DPP route subprotocol type is 1. · Inter-domain DPP route: [2][2][DPP route subprotocol type][origin router ID][source AS number][validation AS number][ingress neighbor AS list]. The DPP route subprotocol type is 2. |
NextHop | Next hop address, displayed as 0.0.0.0 or ::. This field is meaningless for DPP routes. |
LocPrf | Local preference value. |
MED | Multi-Exit Discriminator (MED) attribute value. |
Path/Ogn | AS_PATH attribute and ORIGIN attribute of the route: · AS_PATH records all the ASs the route has passed through, which prevents routing loops. This field displays a maximum of 16 AS numbers; the omitted part is shown as an ellipsis (...) and can be viewed in the detailed route information. · ORIGIN marks how the BGP route was generated. |
Route age | Time elapsed since the last update of the route, in <0-10000>d<0-23>h<0-59>m<0-59>s format (days, hours, minutes, and seconds, with the permitted range for each unit in brackets). |
# Display detailed information for DPP route [2][2][1][192.168.56.12][128][156::1]/184.
<Sysname> display bgp ipv6 savnet dpp [2][2][1][192.168.56.12][128][156::1]/184
BGP local router ID: 8.5.6.7
Local AS number: 100
Route distinguisher: 192.168.56.12:0
Total number of routes: 1
Paths: 1 available, 1 best
BGP routing table information of [2][2][1][192.168.56.12][128][156::1]/184:
From : 100::1 (192.168.56.12)
Rely nexthop : ::1
Original nexthop: 0.0.0.0
Out interface : NULL0
Route age : 00h01m42s
OutLabel : NULL
RxPathID : 0x0
TxPathID : 0xffffffff
AS-path : (null)
Origin : igp
Attribute value : MED 0, localpref 100, pref-val 32768
State : valid, internal, best
Source type : local
IP precedence : N/A
QoS local ID : N/A
Traffic index : N/A
Route type : SAVNET DPP
Origin routerID : 192.168.56.12
Sequence num : 26
IfIndexIn : 258
In interface : Ten-GigabitEthernet3/0/1
IfIndexOut : 259
Out interface : Ten-GigabitEthernet3/0/2, advertised
LastSend : 00h00m56s
Path RID list : 192.168.56.12
Agent RID list : (null)
Table 2 Command output
Field | Description |
---|---|
BGP local router ID | Locally configured router ID of the device. |
Local AS number | Local AS number. |
Route distinguisher | Route distinguisher of the DPP routes listed under it. |
Total number of routes | Total number of DPP routes with this route distinguisher. |
Paths | Route quantity information: · available—Number of valid routes. · best—Number of optimal routes. |
BGP routing table information of [2][2][1][192.168.56.12][128][156::1]/184 | Detailed information of DPP route [2][2][1][192.168.56.12][128][156::1]/184. |
From | IP address of the BGP peer that advertised this route. |
Rely nexthop | Next hop IP address after route recursion. This field is meaningless for routes in the SAVNET address family. |
Original nexthop | Original next hop address of the route, displayed as 0.0.0.0 or ::. This field is meaningless for DPP routes. |
Route age | Time elapsed since the last update of the route. |
OutLabel | Outgoing label of the route. |
RxPathID | Add-Path ID of the received route. |
TxPathID | Add-Path ID of the sent route. |
AS-path | AS_PATH attribute of the route. It records all the ASs the route has passed through, which prevents routing loops. |
Origin | Origin of the route: · igp—Originated in the local AS. · egp—Learned through Exterior Gateway Protocol (EGP). · incomplete—Unknown origin. Routes redistributed from an IGP have the incomplete origin. |
Attribute value | BGP route attributes: · MED—MED value associated with the destination network. · localpref—Local preference value. · pref-val—Preferred value. |
State | Current state of the route: · valid · internal · external · local · best |
Source type | Source type of the route. |
IP precedence | IP precedence, in the range of 0 to 7. N/A indicates that the route does not support this field. |
QoS local ID | QoS local ID, in the range of 1 to 4095. N/A indicates that the route does not support this field. |
Traffic index | Traffic index, in the range of 1 to 64. N/A indicates that the route does not support this field. |
Route type | Type of the SAVNET route. SAVNET DPP indicates a DPP route. |
Origin routerID | Origin router ID. This field is available only for intra-domain DPP routes. |
Source AS number | Source AS number. This field is available only for inter-domain DPP routes. |
Validation AS number | Validation AS number. This field is available only for inter-domain DPP routes. |
Ingress neighbor AS list | List of ingress neighbor ASs. This field is available only for inter-domain DPP routes. |
Sequence num | Sequence number of the DPP route, used to distinguish new DPP routes from old ones. The recipient processes only a DPP route whose sequence number is higher than the one it has already received for that route. The exception is sequence number 0, which the recipient always processes, so that DPP routes can still be received after the sender's sequence number overflows and restarts from 0. |
IfIndexIn | Index of the interface that received the DPP route. |
In interface | Name of the interface that received the DPP route. |
IfIndexOut | Index of the interface that sent the DPP route. |
Out interface | Name of the interface that sent the DPP route, and the sending result. |
LastSend | Time elapsed since the DPP route was last sent, in xxhxxmxxs format (hours, minutes, and seconds). |
Path RID list | Router IDs of the devices that a non-agent DPP route has passed through. The closer a device is to the receiver, the higher its position in the list. |
Agent RID list | Router IDs of the devices that an agent DPP route has passed through. The closer a device is to the receiver, the higher its position in the list. This field displays (null) if the route is not an agent DPP route. |
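The acceptance rule described for the Sequence num field above is small enough to write down exactly, which makes its security properties visible: the check orders updates, but it does not authenticate them. Because a sequence number of 0 is always processed, a replayed sequence-0 update is accepted as well, so protection against injected or replayed DPP routes has to come from the BGP session itself, not from this counter. The following tracker is an added example written for this page; it is not part of the vendor software or documentation. It assumes a 32-bit sequence number (the page does not state the width) and that an accepted 0 becomes the new baseline for the route, which is the natural reading of "overflows and restarts from 0" but is not spelled out on the page. The route key is the DPP route string from the sample output; the event trace is constructed.

```python
"""Acceptance rule for DPP route sequence numbers, as described for the Sequence num field."""
from typing import Dict, List, Optional, Tuple

# Width of the sequence number is not stated on this page; 32 bits is assumed
# here only so that out-of-range values can be rejected.
SEQ_MAX = 0xFFFFFFFF


class DppSequenceTracker:
    """Tracks the highest sequence number accepted per DPP route key."""

    def __init__(self) -> None:
        self._last: Dict[str, int] = {}

    def should_accept(self, route: str, seq: int) -> bool:
        """Return True if a DPP update with this sequence number should be processed."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError(f"sequence number out of range: {seq}")
        if seq == 0:
            # Documented exception: 0 is always processed so that a sender whose
            # counter overflowed and restarted is not ignored forever. Note that
            # this also means a replayed sequence-0 update is accepted.
            return True
        last = self._last.get(route)
        return last is None or seq > last

    def offer(self, route: str, seq: int) -> bool:
        """Apply the rule and, if accepted, record seq as the new baseline (assumption: 0 resets it)."""
        accepted = self.should_accept(route, seq)
        if accepted:
            self._last[route] = seq
        return accepted

    def last_seen(self, route: str) -> Optional[int]:
        return self._last.get(route)


def replay_trace(events: List[Tuple[str, int]]) -> List[bool]:
    """Feed a list of (route, seq) updates to a fresh tracker and return the accept decisions."""
    tracker = DppSequenceTracker()
    return [tracker.offer(route, seq) for route, seq in events]


# Constructed trace; the route key is the DPP route string shown in the sample output above.
_ROUTE = "[2][2][1][192.168.56.12][128][156::1]/184"
SAMPLE_EVENTS: List[Tuple[str, int]] = [
    (_ROUTE, 26),  # first update seen: accepted
    (_ROUTE, 26),  # duplicate: dropped
    (_ROUTE, 25),  # older than the baseline: dropped
    (_ROUTE, 27),  # newer: accepted
    (_ROUTE, 0),   # sender restarted its counter: accepted
    (_ROUTE, 1),   # continues after the restart: accepted
]

if __name__ == "__main__":
    print(replay_trace(SAMPLE_EVENTS))
```

A practitioner auditing a SAVNET deployment would pair this rule with session protection (TCP-AO or MD5 on the BGP IPv6 SAVNET peering) and with the Path RID list and Agent RID list fields, since those, not the sequence number, tell you which devices a DPP route actually traversed.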
# Display statistics about DPP routes.
<Sysname> display bgp ipv6 savnet dpp statistics
Total number of SAVNET routes: 3
Total number of routes from all peers: 3
Route distinguisher: 3.4.5.6:0
Total number of routes: 3
Table 3 Command output
Field | Description |
---|---|
Total number of SAVNET routes | Total number of SAVNET routes for all route distinguishers. |
Total number of routes from all peers | Total number of SAVNET routes received from all BGP IPv6 SAVNET peers. |
Route distinguisher | Route distinguisher of the DPP routes counted under it. |
Total number of routes | Total number of DPP routes with this route distinguisher. |
Related commands
import-route (Layer 3—IP Routing Command Reference)
display bgp ipv6 savnet ingress-neighbor-as
Use display bgp ipv6 savnet ingress-neighbor-as to display ingress neighbor AS information for inter-domain SAVNET.
Syntax
display bgp [ instance instance-name ] ipv6 savnet ingress-neighbor-as [ validation-as as-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays information for the default BGP instance.
validation-as as-number: Specifies a validation AS by its AS number. If you do not specify this option, the command displays ingress neighbor AS information for all validation ASs.
Examples
# Display information about all ingress neighbor ASs in the BGP IPv6 SAVNET address family of the default BGP instance.
<Sysname> display bgp ipv6 savnet ingress-neighbor-as
Validation AS number: 200
Ingress neighbor AS: 10 Origin: local
Ingress neighbor AS: 20 Origin: remote
Validation AS number: 300
Ingress neighbor AS: 40 Origin: local
Ingress neighbor AS: 50 Origin: remote
Table 4 Command output
Field | Description |
---|---|
Validation AS number | AS number of the validation AS. |
Ingress neighbor AS | Ingress neighbor AS number. |
Origin | Origin of the ingress neighbor AS number: · local—Collected on the local device. · remote—Collected from other ASBRs. |
Related commands
savnet validation-as
display bgp ipv6 savnet prefix
Use display bgp ipv6 savnet prefix to display destination prefixes that can form DPP routes.
Syntax
display bgp [ instance instance-name ] ipv6 savnet prefix [ ipv6-address prefix-length ]
display bgp [ instance instance-name ] ipv6 savnet prefix time-range min-time max-time
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays information about the default instance.
ipv6-address prefix-length: Displays brief information about the destination prefix that exactly matches the specified destination network address and prefix length. The prefix-length argument specifies a prefix length in the range of 0 to 128. If you do not specify this option, the command displays information about all destination prefixes.
time-range min-time max-time: Displays destination prefixes whose time since the last update falls within the specified range. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, in <0-10000>d<0-23>h<0-59>m<0-59>s format, where d, h, m, and s represent days, hours, minutes, and seconds and the bracketed ranges are the permitted values for each unit. The value for max-time must be greater than the value for min-time.
Usage guidelines
This command displays the destination prefix information that is imported from the IP routing table and can form DPP routes.
Examples
# Display brief information about all destination prefixes that can form DPP routes.
<Sysname> display bgp ipv6 savnet prefix
Total number of routes: 1
BGP local router ID is 8.5.6.7
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
* > Network : 10:: PrefixLen : 64
# Display brief information about all destination prefixes that can form DPP routes and whose duration since the last update is within a specified time range.
<Sysname> display bgp ipv6 savnet prefix time-range 1d1h1m1s 7d3h1m1s
Total number of routes: 1
BGP local router ID is 8.5.6.7
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
* > Network : 10:: PrefixLen : 64
Route age: 06d01h12m44s
Table 5 Command output
Field | Description |
---|---|
Total number of routes | Total number of destination prefixes. |
BGP local router ID | Locally configured router ID of the device. |
Status codes | Route status code. This field is meaningless for destination prefix information. |
Origin | Origin of the route. This field is meaningless for destination prefix information. |
Network | Destination network address. |
PrefixLen | Prefix length of the destination network address. |
Route age | Time elapsed since the last update of the destination prefix, in <0-10000>d<0-23>h<0-59>m<0-59>s format (days, hours, minutes, and seconds, with the permitted range for each unit in brackets). |
# Display detailed information for destination prefix 156::1/128.
<Sysname> display bgp ipv6 savnet prefix 156::1 128
BGP local router ID: 192.168.56.12
Local AS number: 100
Paths: 2 available, 2 best
BGP routing table information of 156::1/128:
Imported route.
Original nexthop: FE80::1092:20FF:FE78:1D16
Out interface : GigabitEthernet2/0/1
Route age : 00h51m37s
OutLabel : NULL
RxPathID : 0x0
TxPathID : 0xffffffff
AS-path : (null)
Origin : incomplete
Attribute value : MED 20, pref-val 32768
State : valid, local, best
Source type : local
IP precedence : N/A
QoS local ID : N/A
Traffic index : N/A
Route type : SAVNET PREFIX
OnSavnetPeerList: Yes
Table 6 Command output
Field | Description |
---|---|
BGP local router ID | Locally configured router ID of the device. |
Local AS number | Local AS number. |
Route distinguisher | Route distinguisher of the DPP routes listed under it. |
Total number of routes | Total number of DPP routes with this route distinguisher. |
Paths | Route quantity information: · available—Number of valid routes. · best—Number of optimal routes. |
BGP routing table information of 156::1/128 | Detailed information of destination prefix 156::1/128. |
Imported route | Imported route. This field is meaningless for the destination prefix. |
Original nexthop | Original next hop address of the route. This field is meaningless for the destination prefix. |
Out interface | Name of the interface that will send the DPP route generated from this destination prefix. |
Route age | Time elapsed since the last update of the route. |
OutLabel | Outgoing label of the route. This field is meaningless for the destination prefix. |
RxPathID | Add-Path ID of the received route. This field is meaningless for the destination prefix. |
TxPathID | Add-Path ID of the sent route. This field is meaningless for the destination prefix. |
AS-path | AS_PATH attribute of the route. This field is meaningless for the destination prefix. |
Origin | Origin of the route. This field is meaningless for the destination prefix. |
Attribute value | BGP route attributes. This field is meaningless for the destination prefix. |
State | Current state of the route. This field is meaningless for the destination prefix. |
Source type | Source type of the route. This field is meaningless for the destination prefix. |
IP precedence | IP precedence of the route. This field is meaningless for the destination prefix. |
QoS local ID | QoS local ID attribute of the route. This field is meaningless for the destination prefix. |
Traffic index | Traffic index, in the range of 1 to 64. This field is meaningless for the destination prefix. |
Route type | Type of the SAVNET route. SAVNET PREFIX indicates a destination prefix that can form a DPP route. |
OnSavnetPeerList | Whether the DPP route generated from this prefix can be advertised to neighbors: · Yes. · No. |
display bgp ipv6 savnet sav
Use display bgp ipv6 savnet sav to display the SAVNET entries generated by the SAVNET module upon BGP notifications.
Syntax
display bgp [ instance instance-name ] ipv6 savnet sav
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays information about the default instance.
Examples
# Display all SAVNET entries generated by BGP notification to the SAVNET module.
<Sysname> display bgp ipv6 savnet sav
Total number of routes: 1
BGP local router ID is 192.168.1.136
Status codes: * - valid, > - best, d - dampened, h - history
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
* >e Network : 10:: PrefixLen : 64
In-Intf : Ten-GigabitEthernet3/0/1
Table 7 Command output
Field | Description |
---|---|
Total number of routes | Number of SAVNET entries. |
BGP local router ID | Locally configured router ID of the device. |
Status codes | Route status code. This field is meaningless for SAVNET entry information. |
Origin | Origin of the route. This field is meaningless for SAVNET entry information. |
Network | Destination network address of the SAVNET entry. |
PrefixLen | Prefix length of the destination network address of the SAVNET entry. |
In-Intf | Name of the incoming interface of the SAVNET entry. |
display bgp ipv6 savnet spa
Use display bgp ipv6 savnet spa to display BGP IPv6 SAVNET Source Prefix Advertising (SPA) routing information.
Syntax
display bgp [ instance instance-name ] ipv6 savnet spa [ peer ipv6-address { advertised-routes | received-routes } [ { savnet-route route-length | savnet-prefix } [ verbose ] | statistics ] | route-distinguisher route-distinguisher [ savnet-route route-length | savnet-prefix ] | { savnet-route route-length | savnet-prefix } [ advertise-info ] | statistics ]
display bgp [ instance instance-name ] ipv6 savnet spa [ route-distinguisher route-distinguisher ] time-range min-time max-time
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays information about the default instance.
peer ipv6-address: Displays the SPA route information advertised to or received from the specified peer. The ipv6-address argument represents the IPv6 address of a peer.
advertised-routes: Displays SPA route information advertised to the specified peer.
received-routes: Displays SPA route information received from the specified peer.
verbose: Displays detailed SPA route information. If you do not specify this keyword, the command displays brief information.
statistics: Displays statistics for SPA routes.
route-distinguisher route-distinguisher: Displays SPA routing information for the specified route distinguisher. The route-distinguisher argument represents the route distinguisher value, a string of 3 to 21 characters. The format is Router ID:0 for intra-domain SPA and AS number:0 for inter-domain SPA.
savnet-route route-length: Displays the advertisement information for the specified SPA route. The savnet-route argument represents the SPA route, a string of 1 to 512 characters. The route-length argument represents the length of the SPA route, in the range of 0 to 65535, in bits.
savnet-prefix: Displays advertisement information for the specified SPA route. savnet-prefix represents the SPA route in the format of savnet-route/route-length, which is a case-insensitive string of 1 to 512 characters.
advertise-info: Displays advertisement information of SPA routes.
time-range min-time max-time: Displays SPA routes whose time since the last update falls within the specified range. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, in <0-10000>d<0-23>h<0-59>m<0-59>s format, where d, h, m, and s represent days, hours, minutes, and seconds and the bracketed ranges are the permitted values for each unit. The value for max-time must be greater than the value for min-time.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all SPA routes.
Examples
# Display brief information about all BGP IPv6 SAVNET SPA routes.
<Sysname> display bgp ipv6 savnet spa
BGP local router ID is 3.4.5.6
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of SAVNET routes: 2
Total number of routes from all peers: 2
Route distinguisher: 3.4.5.6:0
Total number of routes: 2
* > Network : [1][1][3.4.5.6][64][10::]/120
NextHop : :: LocPrf : 100
MIIG-Tag: 1 MIIG-Type : 1
MED : 0
Path/Ogn: i
* > Network : [1][1][3.4.5.6][64][100::]/120
NextHop : :: LocPrf : 100
MIIG-Tag: 0 MIIG-Type : 0
MED : 0
Path/Ogn: i
Route distinguisher: 100:0
Total number of routes: 1
* > Network : [1][2][100][64][10::]/120
NextHop : :: LocPrf : 100
MIIG-Tag: 0 MIIG-Type : 0
MED : 0
Path/Ogn: i
# Display brief information about all BGP IPv6 SAVNET SPA routes whose duration since the last route update are within a specified time range.
<Sysname> display bgp ipv6 savnet spa time-range 1d1h1m1s 7d3h1m1s
BGP local router ID is 3.4.5.6
Status codes: * - valid, > - best, d - dampened, h - history,
s - suppressed, S - stale, i - internal, e - external
a - additional-path
Origin: i - IGP, e - EGP, ? - incomplete
Total number of SAVNET routes: 1
Total number of routes from all peers: 1
Route distinguisher: 3.4.5.6:0
Total number of routes: 1
* > Network : [1][1][3.4.5.6][64][10::]/120
NextHop : :: LocPrf : 100
MIIG-Tag: 0 MIIG-Type : 0
MED : 0 Route age : 06d01h12m44s
Table 8 Command output
Field | Description |
---|---|
BGP local router ID | Locally configured router ID of the device. |
Status codes | Route status code: · * - valid—Valid route. · > - best—Optimal route. · d - dampened—Dampened route. · h - history—History route. · s - suppressed—Suppressed route. · S - stale—Stale route. · i - internal—Internal route. · e - external—External route. · a - additional-path—Add-Path optimal route. |
Origin | Origin of the route: · i - IGP—Originated in the local AS. · e - EGP—Learned through Exterior Gateway Protocol (EGP). · ? - incomplete—Unknown origin. Routes redistributed from an IGP have the incomplete origin. |
Total number of SAVNET routes | Total number of SAVNET routes for all route distinguishers. |
Total number of routes from all peers | Total number of SAVNET routes received from all BGP IPv6 SAVNET peers. |
Route distinguisher | Route distinguisher of the SPA routes listed under it. |
Total number of routes | Total number of SPA routes with this route distinguisher. |
Network | SPA route: · Intra-domain SPA route: [1][1][origin router ID][prefix length][IPv6 prefix]. · Inter-domain SPA route: [1][2][source AS number][prefix length][IPv6 prefix]. |
NextHop | Next hop IPv6 address, displayed as ::. This field is meaningless for SPA routes. |
LocPrf | Local preference value. |
MIIG-Tag | Access tag value carried in the route. This field displays 0 if no access tag is configured. |
MIIG-Type | Access tag type carried in the route: · 1—Single-homed. · 2—Complete multi-homed. This field displays 0 if no access tag is configured. |
MED | Multi-Exit Discriminator (MED) attribute value. |
Path/Ogn | AS_PATH attribute and ORIGIN attribute of the route: · AS_PATH records all the ASs the route has passed through, which prevents routing loops. This field displays a maximum of 16 AS numbers; the omitted part is shown as an ellipsis (...) and can be viewed in the detailed route information. · ORIGIN marks how the BGP route was generated. |
Route age | Time elapsed since the last update of the route, in <0-10000>d<0-23>h<0-59>m<0-59>s format (days, hours, minutes, and seconds, with the permitted range for each unit in brackets). |
# Display detailed information about SPA route [1][1][192.168.56.12][64][10::]/120.
<Sysname> display bgp ipv6 savnet spa [1][1][192.168.56.12][64][10::]/120
BGP local router ID: 8.5.6.7
Local AS number: 100
Route distinguisher: 192.168.56.12:0
Total number of routes: 1
Paths: 1 available, 1 best
BGP routing table information of [1][1][192.168.56.12][64][10::]/120:
RR-client route.
From : 100::1 (192.168.56.12)
Rely nexthop : ::
Original nexthop: ::
Route age : 15h00m59s
OutLabel : NULL
RxPathID : 0x0
TxPathID : 0x0
AS-path : (null)
Origin : incomplete
Attribute value : MED 0, localpref 100, pref-val 32768
State : valid, local, best
Source type : local
Originator : 3.3.3.3
Cluster list : 2.2.2.2
IP precedence : N/A
QoS local ID : N/A
Traffic index : N/A
Route type : SAVNET SPA
Origin routerID : 192.168.56.12
MIIG-Tag : 77
MIIG-Type : 1
MIIG-Flags : 0x1
Table 9 Command output
Field |
Description |
BGP local router ID |
Locally configured router ID of the device. |
Local AS number |
Local AS number. |
Route distinguisher |
Information of the SPA routes with the specified route distinguisher. |
Total number of routes |
Total number of SPA routes with the specified route distinguisher. |
Paths |
Route number information: · available—Number of valid routes. · best—Number of optimal routes. |
BGP routing table information of [1][1][192.168.56.12][64][10::]/120 |
Detailed information of SPA route [1][1][192.168.56.12][64][10::]/120. |
RR-client route |
Route reflected from the route reflector. |
From |
IP address of the BGP peer that advertised this route. |
Rely nexthop |
Next hop IP address after route recursion. This field has no meaning for routes in the SAVNET address family. |
Original nexthop |
Original next hop address of the route, with a value of ::. |
Route age |
Period of time since the last update of the route. |
OutLabel |
Outgoing label value of the route. |
RxPathID |
Add-Path ID value of the received route. |
TxPathID |
Add-Path ID value of the sent route. |
AS-path |
AS_PATH attribute of the route. It records all the ASs that the route passes through, which can prevent routing loops. |
Origin |
Origin of the route. Values include: · igp—Originated in the local AS. · egp—Learned through Exterior Gateway Protocol (EGP). · incomplete—Unknown origin. The origin of routes redistributed from the IGP protocol is incomplete. |
Attribute value |
BGP route attribute information, including: · MED—MED value associated with the destination network. · localpref—Local preference value. · pref-val—Preferred value. |
State |
Current state of the route: · valid · internal · external · local · best |
Source type |
Source type of the route. |
Originator |
Peer that generated this route. |
Cluster list |
The cluster ID list attribute of the route. |
IP precedence |
IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field. |
QoS local ID |
QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field. |
Traffic index |
Traffic index value, in the range of 1 to 64. N/A indicates that the route does not support this field. |
Route type |
Type of the SAVNET route, which is SAVNET SPA, indicating SPA route. |
Origin routerID |
Router ID of the origin SAVNET device that sent the route. This field is available only for intra-domain SPA routes. |
Source AS number |
This field is available only for inter-domain SPA routes. |
MIIG-Tag |
Access tag value carried in the route. This field displays 0 if no access tag is configured. |
MIIG-Type |
Access tag type carried in the route. Options include: · 1—Single-homed. · 2—Complete multi-homed. This field displays 0 if no access tag is configured. |
MIIG-Flags |
Access attribute tag. Options include: · 0x1—The route prefix can be used as a source prefix. · 0x2—The route prefix can be used as a destination prefix. · 0x3—The route prefix can be used as both a source and a destination prefix. This field displays 0 if no access tag is configured. |
# Display the advertisement information of SPA route [1][1][3.4.5.6][64][10::]/120.
<Sysname> display bgp ipv6 savnet spa [1][1][3.4.5.6][64][10::]/120 advertise-info
BGP local router ID: 3.4.5.6
Local AS number: 100
Route distinguisher: 3.4.5.6:0
Total number of routes: 1
Paths: 1 best
BGP routing table information of [1][1][3.4.5.6][64][10::]/120(TxPathID:0):
Advertised to peers (1 in total):
100::2
Table 10 Command output
Field |
Description |
BGP local router ID |
Locally configured router ID of the device. |
Local AS number |
Local AS number. |
Route distinguisher |
Information of the SPA routes with the specified route distinguisher. |
Total number of routes |
Total number of SPA routes with the specified route distinguisher. |
Paths |
Number of optimal routes. |
BGP routing table information of [1][1][3.4.5.6][64][10::]/120(TxPathID:0) |
SPA route advertisement information. |
Advertised to peers (1 in total) |
Peers to which the route has been sent and total number of the peers. |
# Display statistics about the SPA routes advertised to peer 1::1.
<Sysname> display bgp ipv6 savnet spa peer 1::1 advertised-routes statistics
Advertised routes total: 1
# Display statistics about the SPA routes received from peer 1::1.
<Sysname> display bgp ipv6 savnet spa peer 1::1 received-routes statistics
Received routes total: 1
Table 11 Command output
Field |
Description |
Advertised routes total |
Total number of SPA routes advertised to the peer. |
Received routes total |
Total number of SPA routes received from the peer. |
# Display statistics about SPA routes.
<Sysname> display bgp ipv6 savnet spa statistics
Total number of SAVNET routes: 2
Total number of routes from all peers: 2
Route distinguisher: 3.4.5.6:0
Total number of routes: 2
Table 12 Command output
Field |
Description |
Total number of SAVNET routes |
Total number of SAVNET routes for all route distinguishers. |
Total number of routes from all peers |
Total number of SAVNET routes received from all BGP IPv6 SAVNET peers. |
Route distinguisher |
Information of the SPA routes with the specified route distinguisher. |
Total number of routes |
Total number of SPA routes with the specified route distinguisher. |
Related commands
import-route (Layer 3—IP Routing Command Reference)
display ipv6 savnet entry
Use display ipv6 savnet entry to display SAVNET entry information.
Syntax
display ipv6 savnet entry [ [ interface interface-type interface-number ] [ slot slot-number ] | vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays SAVNET entries for all interfaces.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the interface belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the public network is specified.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVNET entries on the active MPU.
Examples
# Display SAVNET entry information for all interfaces in the public network.
<Sysname> display ipv6 savnet entry
IPv6 savnet entry count: 4
Destination/Prefix length Type Interface VPN instance
2::9/128 BGP XGE3/0/1 --
11:12::/64 Static XGE3/0/2 --
2002::/64 Static XGE3/0/2 --
2003::2/128 Static XGE3/0/3 --
Table 13 Command output
Field |
Description |
IPv6 savnet entry count |
Number of SAVNET entries. |
Destination/Prefix length |
IPv6 source prefix/prefix length. |
Type |
SAVNET entry type: · BGP—Entry dynamically generated through BGP. · Static—Entry manually generated by executing the ipv6 savnet entry command. |
Interface |
Interface name. |
VPN instance |
Name of the VPN instance to which the SAVNET entry belongs. If the SAVNET entry belongs to the public network, this field displays two hyphens (--). |
display ipv6 savnet packet-drop statistics
Use display ipv6 savnet packet-drop statistics to display SAVNET packet drop statistics.
Syntax
display ipv6 savnet packet-drop statistics [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays statistics about SAVNET-dropped packets on all interfaces.
Examples
# Display SAVNET packet drop statistics.
<Sysname> display ipv6 savnet packet-drop statistics
Ten-GigabitEthernet3/0/1:
Packets:0 Bytes: 0
Ten-GigabitEthernet3/0/2:
Packets:10 Bytes: 1500
Table 14 Command output
Field |
Description |
Packets |
Number of packets dropped by SAVNET. |
Bytes |
Number of bytes dropped by SAVNET. |
Related commands
reset ipv6 savnet packet-drop statistics
display isis savnet sav-table
Use display isis savnet sav-table to display the SAV route entries sent to the SAVNET module by IS-IS.
Syntax
display isis [ process-id ] savnet sav-table ipv6 [ ipv6-address [ prefix-length ] ] [ interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
process-id: Specifies an IS-IS process to display the route entries sent by it to the SAVNET module. The process-id argument represents the IS-IS process ID, a value in the range of 1 to 65535. If you do not specify a process, this command displays the route entries sent to the SAVNET module by all IS-IS processes.
ipv6-address [ prefix-length ]: Specifies a route entry sent by IS-IS to the SAVNET module. The ipv6-address and prefix-length arguments represent the destination IPv6 address and prefix length in the entry. If you do not specify a destination IPv6 address, this command displays all route entries sent by IS-IS. If you specify a destination IPv6 address without specifying a prefix length, this command displays the entry that has the longest match with the specified destination IPv6 address.
interface-type interface-number: Specifies an interface to display all route entries sent by IS-IS with the specified interface as the outgoing interface to the SAVNET module. If you do not specify an outgoing interface, this command does not filter route entries by their outgoing interface.
Examples
# Display the route entries sent by IS-IS process 1 to the SAVNET module.
<Sysname> display isis 1 savnet sav-table ipv6
SAVNET sav-table information for IS-IS(1)
-----------------------------------------
Destination/Prefix length: 1::1/128
Total: 1
Interface : XGE3/0/1 Flag: F
Destination/Prefix length: 2::2/128
Total: 1
Interface : XGE3/0/1 Flag: F
Destination/Prefix length: 2024::/64
Total: 1
Interface : XGE3/0/1 Flag: F
Table 15 Command output
Field |
Description |
Destination/Prefix length |
Destination network prefix and prefix length. |
Total |
Total number of outgoing interfaces through which the destination network is reachable. |
Interface |
SAVNET-enabled IPv6 IS-IS interface. |
Flag |
Prefix status flag: · F—The entry has been issued to SAVNET. · D—The entry is to be deleted. |
ipv6 savnet deny
Use ipv6 savnet deny to specify an interface for generation of SAVNET denylist entries.
Use undo ipv6 savnet deny to restore the default.
Syntax
ipv6 savnet deny { consumer consumer-name | productor productor-name }
undo ipv6 savnet deny { consumer | productor productor-name }
Default
No interfaces are specified for generation of SAVNET denylist entries.
Views
Interface view
Predefined user roles
network-admin
Parameters
consumer consumer-name: Specifies the interface as a consumer of a source prefix producer. The consumer-name argument represents the consumer name, a case-sensitive string of 1 to 30 characters. An interface is a consumer of a source prefix producer if its consumer name is the same as the name of the source prefix producer.
productor productor-name: Specifies the interface as the source prefix producer. The productor-name argument represents a producer name, a case-sensitive string of 1 to 30 characters.
Usage guidelines
Operating mechanism
Use this command to specify interfaces for generation of SAVNET denylist entries.
The device creates SAVNET denylist entries upon receiving an IPv6 BGP unicast route, as follows:
1. Identifies the outgoing interface leading to the next hop of the route.
2. Determines whether the outgoing interface acts as a source prefix producer.
3. If the outgoing interface acts as a source prefix producer, the device identifies the consumer interfaces of that producer.
An interface is a consumer of a source prefix producer if its consumer name is the same as the producer name.
4. For each consumer of the source prefix producer, generates a SAVNET denylist entry.
In each entry, the source prefix is the destination address of the IPv6 BGP unicast route, and the incoming interface is the consumer interface.
Restrictions and guidelines
You can execute the ipv6 savnet deny productor command multiple times to specify multiple interfaces as source prefix producers.
You can configure an interface as a source prefix producer or as a consumer for generation of SAVNET denylist entries, but not both.
This feature is mutually exclusive with the SAVA feature. You cannot use them simultaneously. For more information about SAVA, see SAVA configuration in Security Configuration Guide.
Before you execute this command on a SAVNET interface, you must set its interface type to NNI.
This command is available only on the following interfaces:
· Layer 3 Ethernet interfaces.
· Layer 3 Ethernet subinterfaces.
· Layer 3 aggregate interfaces.
· Layer 3 aggregate subinterfaces.
· VLAN interfaces.
· FlexE interfaces.
Examples
# Configure interface Ten-GigabitEthernet 3/0/1 as a consumer of the source prefix producer test for generation of SAVNET denylist entries.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet deny consumer test
# Configure VLAN-interface 100 as a consumer of the source prefix producer test for generation of SAVNET denylist entries.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] ipv6 savnet deny consumer test
Related commands
ipv6 savnet port-type
savnet denylist enable
ipv6 savnet entry
Use ipv6 savnet entry to manually deploy SAVNET entries to the driver.
Use undo ipv6 savnet entry to delete SAVNET entries manually deployed to the driver.
Syntax
ipv6 savnet entry prefix ipv6-address prefix-length
undo ipv6 savnet entry prefix ipv6-address prefix-length
Default
No manually deployed SAVNET entries exist in the driver.
Views
Interface view
Predefined user roles
network-admin
Parameters
prefix ipv6-address prefix-length: Specifies the prefix address and prefix length for the SAVNET entry or the first SAVNET entry. The value range for the prefix-length argument is 1 to 128.
Usage guidelines
Before manually deploying SAVNET entries to the driver on an interface, you must first configure the SAVNET access tag for the interface.
Examples
# Manually deploy SAVNET entries to the driver.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet entry prefix 1:1::1:1 10
ipv6 savnet log enable spoofing-packet
Use ipv6 savnet log enable spoofing-packet to enable SAVNET logging.
Use undo ipv6 savnet log enable spoofing-packet to disable SAVNET logging.
Syntax
ipv6 savnet log enable spoofing-packet [ interval interval | number number ] *
undo ipv6 savnet log enable spoofing-packet
Default
SAVNET logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies the interval for outputting SAVNET log messages, in seconds. The value is 0 or in the range of 5 to 3600. The default value is 60. If the value is 0, the device outputs a log message immediately each time SAVNET detects a spoofed packet.
number number: Specifies the maximum number of log messages that can be output in each output interval. The value range is 1 to 128, and the default value is 128.
Usage guidelines
Operating mechanism
The SAVNET logging feature facilitates troubleshooting. When SAVNET detects a spoofed packet, the device will generate a log message (referred to as SAVNET log message). The generated log messages are sent to the information center, which specifies the log message output rules and destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Recommended configuration
When the device outputs a large number of SAVNET detection log messages, device performance degrades and log viewing and troubleshooting become harder. You can perform the following tasks as needed:
· Disable SAVNET logging.
· Increase the SAVNET log output interval to reduce the output frequency.
· Decrease the number of log messages that can be output in each interval. Log messages beyond that number are not output.
Restrictions and guidelines
A card can output a maximum of 128 SAVNET log messages each time.
Examples
# Enable logging for SAVNET detection of spoofed packets.
<Sysname> system-view
[Sysname] ipv6 savnet log enable spoofing-packet interval 10 number 20
Related commands
ipv6 savnet port-type
ipv6 savnet miig-tag
Use ipv6 savnet miig-tag to configure a SAVNET access tag for an interface.
Use undo ipv6 savnet miig-tag to delete the SAVNET access tag configured on an interface.
Syntax
ipv6 savnet miig-tag tag-value { single-homed | complete-multi-homed }
undo ipv6 savnet miig-tag tag-value { single-homed | complete-multi-homed }
Default
No SAVNET access tag is configured on an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
tag-value: Specifies a tag value, an integer in the range of 1 to 4294967295.
{ single-homed | complete-multi-homed }: Specifies an access type. The single-homed keyword indicates single-homed, and the complete-multi-homed keyword indicates complete multi-homed.
Usage guidelines
Application scenarios
By default, a SAVNET device generates SAVNET entries only when it receives DPP routes. Because generation of DPP routes requires non-direct entries or PBR in the FIB, DPP routes are typically generated only on backbone network devices deployed with SAVNET. As shown in Figure 1, CE devices connected to the PE devices at the edge of the backbone network cannot generate DPP routes. Thus, the PE devices cannot generate SAVNET entries containing the interfaces connected to the access subnets.
Figure 1 SAVNET access scenarios
A mechanism has been developed to configure SAVNET devices to generate SAVNET entries using only SPA routes, helping PE devices in the access scenarios filter source address spoofed packets. This mechanism supports both single-homed and multi-homed access scenarios.
Operating mechanism
In an access scenario, after you configure an access tag for the user-side interface on a PE, the tag information can be carried in the SPA route. Based on the carried access tag information, the PE device can generate a SAVNET entry. The specific operating mechanism is as follows:
1. After you execute the ipv6 savnet miig-tag command on the user-side interface of the PE, this interface is configured with an access tag, including the access tag value and access type information.
2. When you execute the import-route command to import a route for obtaining source prefix information and generating an SPA route, the generated SPA route carries the access tag information (including tag value and access type) if all of the following conditions are met:
¡ You have specified the route-policy route-policy-name option in the import-route command.
¡ You have configured the apply tag command for the route policy specified by the route-policy route-policy-name option.
The tag value is that specified by the apply tag command and the access type is that specified by the ipv6 savnet miig-tag command.
3. When the PE device generates or receives the SPA route carrying the access tag information, it checks whether an interface with access tag information matching that carried in the SPA route exists locally:
¡ If an interface exists, the device generates a SAVNET entry with the source prefix as that carried in the SPA route and the incoming interface as this interface.
¡ If no interface exists, the device does not generate a SAVNET entry.
4. When the device receives an updated SPA route, the SAVNET entry generated based on the SPA route will be updated.
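The following Python script is an added example written for this reference; it is not H3C code and does not run on the device. It models steps 1 through 4 above: it parses the Network value of an SPA route as printed by display bgp ipv6 savnet spa (for example [1][1][192.168.56.12][64][10::]/120), attaches the MIIG-Tag and MIIG-Type the route carries, checks the restriction that one tag value must use one access type on every interface, and generates or replaces SAVNET entries by matching the route's tag against the interfaces configured with ipv6 savnet miig-tag. The interpretation of the trailing /120 as the total NLRI length in bits (8 + 8 + 32 + 8 + prefix length) is an assumption made from the figures on this page, and the interface names and tag values are constructed sample input.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MIIG-Type values as printed by display bgp ipv6 savnet spa
SINGLE_HOMED, COMPLETE_MULTI_HOMED = 1, 2


@dataclass(frozen=True)
class AccessTag:            # ipv6 savnet miig-tag <value> { single-homed | complete-multi-homed }
    value: int
    access_type: int


@dataclass(frozen=True)
class SpaRoute:
    kind: int               # 1 = intra-domain (origin router ID), 2 = inter-domain (source AS)
    origin: str             # router ID or AS number, as printed in the Network field
    prefix: ipaddress.IPv6Network
    miig_tag: int = 0       # 0 when the route carries no access tag
    miig_type: int = 0


_NLRI = re.compile(r"^\[1\]\[(?P<kind>[12])\]\[(?P<origin>[^\]]+)\]\[(?P<plen>\d+)\]"
                   r"\[(?P<pfx>[^\]]+)\](?:/(?P<nlri_len>\d+))?$")


def parse_spa_nlri(text: str, miig_tag: int = 0, miig_type: int = 0) -> SpaRoute:
    """Parse a Network value such as [1][1][192.168.56.12][64][10::]/120."""
    m = _NLRI.match(text.strip())
    if not m:
        raise ValueError(f"not an SPA NLRI: {text!r}")
    plen = int(m["plen"])
    if m["nlri_len"] is not None:
        # Assumption: the trailing /N is the NLRI length in bits, i.e.
        # 8 (route type) + 8 (sub-type) + 32 (router ID or AS) + 8 (prefix length) + prefix bits.
        expected = 8 + 8 + 32 + 8 + plen
        if int(m["nlri_len"]) != expected:
            raise ValueError(f"NLRI length {m['nlri_len']} does not match prefix length {plen}")
    return SpaRoute(int(m["kind"]), m["origin"],
                    ipaddress.IPv6Network(f"{m['pfx']}/{plen}"), miig_tag, miig_type)


def check_tag_consistency(interfaces: Dict[str, AccessTag]) -> None:
    """The same tag value on different interfaces must use the same access type."""
    seen: Dict[int, int] = {}
    for name, tag in interfaces.items():
        if seen.setdefault(tag.value, tag.access_type) != tag.access_type:
            raise ValueError(f"tag {tag.value} on {name} uses a different access type")


class SpaEntryTable:
    """SAVNET entries derived from tagged SPA routes; an updated route replaces its entries."""

    def __init__(self, interfaces: Dict[str, AccessTag]):
        check_tag_consistency(interfaces)
        self.interfaces = interfaces
        self._by_route: Dict[Tuple[int, str, ipaddress.IPv6Network], List[Tuple]] = {}

    def apply(self, route: SpaRoute) -> List[Tuple[ipaddress.IPv6Network, str]]:
        """Step 3 and 4: (source prefix, incoming interface) per interface whose tag matches."""
        key = (route.kind, route.origin, route.prefix)
        if route.miig_tag == 0:
            self._by_route[key] = []    # untagged route: no entry is generated from it
        else:
            self._by_route[key] = [
                (route.prefix, name) for name, tag in self.interfaces.items()
                if tag.value == route.miig_tag and tag.access_type == route.miig_type]
        return self._by_route[key]

    def entries(self) -> List[Tuple[ipaddress.IPv6Network, str]]:
        return [e for group in self._by_route.values() for e in group]


if __name__ == "__main__":
    # Constructed sample: XGE3/0/1 carries tag 77 single-homed, XGE3/0/2 tag 100 complete multi-homed.
    table = SpaEntryTable({"XGE3/0/1": AccessTag(77, SINGLE_HOMED),
                           "XGE3/0/2": AccessTag(100, COMPLETE_MULTI_HOMED)})
    route = parse_spa_nlri("[1][1][192.168.56.12][64][10::]/120", miig_tag=77, miig_type=1)
    print(table.apply(route))
```

The key of the internal table is the route identity (kind, origin, prefix), so re-applying the same route with a different tag replaces the earlier entries rather than accumulating them, which is the update behaviour described in step 4.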
Restrictions and guidelines
If you have configured the same access tag value for different interfaces, you must also configure the same access type for the interfaces.
Before configuring the access tag information for an interface, you must first specify the SAVNET interface type of that interface. If you use the ipv6 savnet port-type command to restore the SAVNET interface type setting of an interface, the access tag information configured for that interface will also be deleted.
If an SPA route carrying tag information is generated, it can be advertised directly. You do not need to configure the outgoing interface of the corresponding IP route as a UNI.
Examples
# Configure a SAVNET access tag with tag value 100 and access type complete multi-homed for interface Ten-GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet miig-tag 100 complete-multi-homed
Related commands
apply tag (Layer 3—IP Routing Command Reference)
import-route (Layer 3—IP Routing Command Reference)
ipv6 savnet packet-drop enable
Use ipv6 savnet packet-drop enable to enable dropping of SAVNET-detected spoofed packets.
Use undo ipv6 savnet packet-drop enable to disable dropping of SAVNET-detected spoofed packets.
Syntax
ipv6 savnet packet-drop enable
undo ipv6 savnet packet-drop enable
Default
Dropping of SAVNET-detected spoofed packets is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
SAVNET entries are generated based on routes in the BGP IPv6 SAVNET address family view. When a large number of BGP routes exist on a SAVNET device, the device takes a long time to complete creation of all SAVNET entries. Before SAVNET entry creation completes, some valid IPv6 packets might be incorrectly dropped because the corresponding SAVNET entries have not been generated.
To resolve this issue, you can use the undo ipv6 savnet packet-drop enable command to disable dropping of SAVNET-detected spoofed packets during the SAVNET entry generation period. The SAVNET device then forwards packets that have no matching SAVNET entries, which reduces incorrect dropping of valid packets. Because spoofed packets are also forwarded while dropping is disabled, use the ipv6 savnet packet-drop enable command to re-enable dropping as soon as all SAVNET entries are created.
Examples
# Disable dropping of SAVNET-detected spoofed packets.
<Sysname> system-view
[Sysname] undo ipv6 savnet packet-drop enable
ipv6 savnet port-type
Use ipv6 savnet port-type to specify the SAVNET interface type.
Use undo ipv6 savnet port-type to restore the default.
Syntax
ipv6 savnet port-type { nni | uni }
undo ipv6 savnet port-type
Default
No SAVNET interface type is configured.
Views
Interface view
Predefined user roles
network-admin
Parameters
nni: Specifies the network-to-network interface (NNI) type.
uni: Specifies the user network interface (UNI) type.
Usage guidelines
Application scenarios
After SAVNET entries are generated on the SAVNET devices through the BGP SPA and DPP routing protocols, the interfaces connected between the SAVNET neighbors need to be configured as NNI interfaces in order for the SAVNET entries to take effect.
· If the source IP address of a packet matches the SAVNET entry prefix on the input interface or does not match the SAVNET entry prefix of any interface on the device, the packet is permitted.
· If the source IP address of a packet does not match the SAVNET entry prefix of the input interface, but matches the SAVNET entry prefix of another interface, the packet is dropped.
An SPA route is generated by executing the import-route command in BGP IPv6 SAVNET address family view. The prefixes in the generated routes are the ones imported by the import-route command. If the outgoing interface of an import route is a UNI interface configured by this command, the SPA route generated based on that import route can be advertised to BGP IPv6 SAVNET peers.
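The following Python script is an added example written for this reference; it is not H3C code and does not run on the device. It parses the table printed by display ipv6 savnet entry (the sample output earlier on this page is embedded as constructed input), applies the two validation rules listed above to a packet's source address and incoming interface, honours the ipv6 savnet packet-drop enable setting by reporting a spoofed packet as detected rather than dropped when dropping is disabled, and accumulates per-interface counters in the layout of display ipv6 savnet packet-drop statistics. Packet lengths and source addresses in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the "display ipv6 savnet entry" output shown in this reference.
SAMPLE_DISPLAY = """\
IPv6 savnet entry count: 4
Destination/Prefix length Type Interface VPN instance
2::9/128 BGP XGE3/0/1 --
11:12::/64 Static XGE3/0/2 --
2002::/64 Static XGE3/0/2 --
2003::2/128 Static XGE3/0/3 --
"""


@dataclass(frozen=True)
class SavnetEntry:
    prefix: ipaddress.IPv6Network
    entry_type: str                 # "BGP" or "Static"
    interface: str                  # incoming interface the source prefix is bound to
    vpn_instance: Optional[str]     # None for the public network (printed as "--")


def parse_savnet_entries(text: str) -> List[SavnetEntry]:
    """Parse the entry table; the count line and the column header are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "/" not in parts[0]:
            continue
        prefix, entry_type, iface, vpn = parts
        entries.append(SavnetEntry(ipaddress.IPv6Network(prefix), entry_type, iface,
                                   None if vpn == "--" else vpn))
    return entries


class SavnetValidator:
    """Applies the validation rules of ipv6 savnet port-type to incoming packets."""

    def __init__(self, entries: List[SavnetEntry], packet_drop_enable: bool = True):
        self.entries = entries
        self.packet_drop_enable = packet_drop_enable   # ipv6 savnet packet-drop enable
        self.dropped: Dict[str, List[int]] = {}        # interface -> [packets, bytes]

    def interfaces_for(self, src: ipaddress.IPv6Address) -> set:
        """All interfaces whose SAVNET entry prefix covers the source address."""
        return {e.interface for e in self.entries if src in e.prefix}

    def check(self, src_ip: str, in_interface: str, length: int) -> str:
        """Return 'permit', 'drop', or 'detect' (spoofed, but dropping is disabled)."""
        src = ipaddress.IPv6Address(src_ip)
        bound_to = self.interfaces_for(src)
        # Rule 1: matches the entry on the input interface, or matches no entry at all.
        if not bound_to or in_interface in bound_to:
            return "permit"
        # Rule 2: the prefix belongs to another interface, so the source is spoofed.
        if not self.packet_drop_enable:
            return "detect"
        stats = self.dropped.setdefault(in_interface, [0, 0])
        stats[0] += 1
        stats[1] += length
        return "drop"

    def drop_statistics(self) -> str:
        """Same layout as display ipv6 savnet packet-drop statistics."""
        lines = []
        for iface, (packets, nbytes) in sorted(self.dropped.items()):
            lines.append(f"{iface}:")
            lines.append(f"Packets:{packets} Bytes: {nbytes}")
        return "\n".join(lines)


if __name__ == "__main__":
    validator = SavnetValidator(parse_savnet_entries(SAMPLE_DISPLAY))
    for src, iface in [("2002::5", "XGE3/0/2"), ("2002::5", "XGE3/0/1"), ("3000::1", "XGE3/0/1")]:
        print(src, iface, validator.check(src, iface, 150))
    print(validator.drop_statistics())
```

Note that rule 1 permits any source that no interface claims, so the protection only covers prefixes that SAVNET has learned; a source prefix that is missing from every interface passes unchecked, which is why the entry generation period matters for ipv6 savnet packet-drop enable.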
Restrictions and guidelines
This feature is mutually exclusive with the SAVA feature. For more information about SAVA configuration, see Security Configuration Guide.
This feature is supported on only Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, VLAN interfaces, and FlexE interfaces.
Examples
# Configure the SAVNET interface type of interface Ten-GigabitEthernet 3/0/1 as NNI.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet port-type nni
Related commands
display ipv6 savnet entry
isis ipv6 savnet enable
Use isis ipv6 savnet enable to enable SAVNET computation on an IPv6 IS-IS interface.
Use undo isis ipv6 savnet enable to disable SAVNET computation on an IPv6 IS-IS interface.
Syntax
isis ipv6 savnet enable
undo isis ipv6 savnet enable
Default
SAVNET computation is disabled on IPv6 IS-IS interfaces.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
IP source address spoofing attacks are a prevalent threat to network security, against which ACLs and unicast reverse path forwarding (uRPF) are typically used. Although both ACL and uRPF mitigate IP source address spoofing attacks, they each have notable limitations, as follows:
· High maintenance costs—ACL rules require manual maintenance, which is both tedious and error-prone.
· Risks posed by misconfiguration—Incorrect ACL configuration can block legitimate traffic or mistakenly permit malicious traffic to pass through.
· False-positive risk—uRPF validates source addresses based on the FIB. On networks with asymmetric routing, strict uRPF check might erroneously block legitimate traffic, while loose uRPF check might permit malicious traffic to pass through.
IS-IS SAVNET provides an optimized SAVNET solution to resolve these issues. In this solution, the SAVNET module automatically generates and updates accurate SAVNET entries based on IS-IS routing information to validate IPv6 source prefixes.
Operating mechanism
After you enable IS-IS SAVNET on each device in an IS-IS routing domain, IS-IS SAVNET operates on each device as follows:
1. Each device computes IS-IS routes and generates route entries. Each entry contains one destination prefix and one or multiple outgoing interfaces, in {destination prefix x; outgoing interface 1, outgoing interface 2, ...} format.
2. The IS-IS module sends the generated route entries to the SAVNET module, in {destination prefix x; interface 1}, {destination prefix x; interface 2} format.
3. The SAVNET module generates SAVNET entries based on the received route entries, and then uses these entries to validate IPv6 packets.
4. When a path in the IS-IS routing domain changes, IS-IS regenerates a {destination prefix; outgoing interface} entry and sends it to the SAVNET module, which then updates the SAVNET entry based on the received entry.
Restrictions and guidelines
1. Execute the savnet enable command on each device in the IS-IS routing domain.
2. Execute the isis ipv6 savnet enable command on each NNI SAVNET interface.
Examples
# Enable SAVNET computation on IPv6 IS-IS interface Ten-GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] isis ipv6 enable 1
[Sysname-Ten-GigabitEthernet3/0/1] isis ipv6 savnet enable
Related commands
savnet enable
peer designate-router
Use peer designate-router to specify the designated router (DR) device.
Use undo peer designate-router to cancel the DR device specification.
Syntax
peer { group-name | ipv6-address [ prefix-length ] } designate-router
undo peer { group-name | ipv6-address [ prefix-length ] } designate-router
Default
No DR device is specified.
Views
BGP IPv6 SAVNET address family view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The specified peer group must already exist.
ipv6-address: Specifies a peer by its IPv6 address. The specified peer must already exist.
prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command applies to all dynamic peers in the subnet. If you do not specify this parameter, the command applies to the specified peer.
Usage guidelines
Application scenarios
Use this command to specify the DR device in the local AS for inter-domain SAVNET traffic validation.
Restrictions and guidelines
You must manually designate which device in an AS will act as the DR device. Then, all non-DR devices must use this command to specify the DR device to properly send inter-domain DPP information to the DR or receive inter-domain SPA and DPP information forwarded by the DR.
Only an IBGP peer or peer group can be designated as the DR. An EBGP peer or peer group cannot be designated as the DR.
After this command is executed, the session between the local device and the specified peer/peer group will be disconnected and then reestablished.
Examples
# Specify peer 1::1 as the DR device.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6] peer 1::1 designate-router
Related commands
savnet validation-as
reset ipv6 savnet packet-drop statistics
Use reset ipv6 savnet packet-drop statistics to clear SAVNET packet drop statistics.
Syntax
reset ipv6 savnet packet-drop statistics [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command clears statistics about SAVNET-dropped packets on all interfaces.
Examples
# Clear the SAVNET packet drop statistics on all interfaces.
<Sysname> reset ipv6 savnet packet-drop statistics
Related commands
display ipv6 savnet packet-drop statistics
savnet allowlist enable
Use savnet allowlist enable to enable the SAVNET allowlist.
Use undo savnet allowlist enable to restore the default.
Syntax
savnet allowlist enable
undo savnet allowlist enable
Default
SAVNET allowlist is disabled.
Views
BGP IPv6 unicast address family view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
Use this feature on an intra-domain SAVNET network to generate SAVNET allowlist entries based on IGP routes.
Operating mechanism
On an intra-domain SAVNET network that generates SAVNET entries based on IGP routes, the IGP delivers the received destination prefixes (prefixes in IGP routes) to the BGP module on the same device. The BGP module then creates SAV routes, with their protocol type set to the IGP name. You can view these routes by executing the display bgp ipv6 savnet sav command.
The following information describes how the device creates SAVNET entries based on the SAVNET allowlist mechanism when it receives an IPv6 BGP unicast route from a remote SAVNET device:
1. The device searches the BGP SAV routes injected by IGPs for a match based on the destination address and incoming interface of the IPv6 BGP unicast route.
2. If a match is found, the device determines that a legitimate path is available to reach that destination address. Then, the device generates a SAVNET allowlist entry for that route. In this entry, the source prefix is the destination address of the IPv6 BGP unicast route, and the incoming interface is the outgoing interface in the matching IGP-type SAV route. If multiple matching IGP-type SAV routes are available, the device generates one SAVNET allowlist entry for each matching SAV route.
If the device receives a packet after it generates SAVNET entries, the device processes the packet as follows:
· If the source IP address and incoming interface of the packet both match a SAVNET denylist entry, the device discards the packet. If the matching entry is an allowlist entry, the device accepts and processes the packet.
· If the source IP address of the packet matches a SAVNET denylist entry but its incoming interface does not match the entry, the device accepts and processes the packet. If the matching entry is an allowlist entry, the device discards the packet.
· If the source IP address of the packet does not match any SAVNET entry, the device takes action depending on the type of its incoming interface. If the packet arrives at an NNI interface, the device permits the packet to pass through. If the packet arrives at a UNI interface, the device discards the packet.
· On consumer interfaces of the SAVNET denylist, the device compares incoming packets only with SAVNET denylist entries.
Examples
# In BGP IPv6 unicast address family view, enable the SAVNET allowlist.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 unicast
[Sysname-bgp-default-ipv6] savnet allowlist enable
Related commands
isis ipv6 savnet enable
savnet allowlist route-policy
Use savnet allowlist route-policy to control generation of the SAVNET allowlist through a routing policy.
Use undo savnet allowlist route-policy to restore the default.
Syntax
savnet allowlist route-policy route-policy-name
undo savnet allowlist route-policy
Default
The device does not use a routing policy to control generation of the SAVNET allowlist.
Views
BGP IPv6 unicast address family view
Predefined user roles
network-admin
Parameters
route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
After you enable the SAVNET allowlist by using the savnet allowlist enable command, all IPv6 BGP routes are by default available for generating SAVNET allowlist entries. To generate SAVNET allowlist entries flexibly only for some of the IPv6 BGP routes, use a routing policy. The device will generate SAVNET allowlist entries only for IPv6 BGP unicast routes that do not match the routing policy. If an IPv6 BGP route matches the routing policy, the device does not use it to generate a SAVNET allowlist entry.
Examples
# In BGP IPv6 unicast address family view, specify routing policy test to control generation of SAVNET allowlist entries.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 unicast
[Sysname-bgp-default-ipv6] savnet allowlist route-policy test
Related commands
savnet allowlist enable
savnet denylist enable
Use savnet denylist enable to enable the SAVNET denylist.
Use undo savnet denylist enable to restore the default.
Syntax
savnet denylist enable
undo savnet denylist enable
Default
The SAVNET denylist is disabled.
Views
BGP IPv6 unicast address family view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
Use this feature on an intra-domain SAVNET network to generate SAVNET denylist entries based on IGP routes.
Operating mechanism
On an intra-domain SAVNET network that delivers SAVNET information through an IGP, the IGP delivers the received destination prefixes (prefixes in IGP routes) to the BGP module on the same device. The BGP module then creates SAVNET routes, with their protocol type set to the IGP name. You can view these routes by executing the display bgp ipv6 savnet sav command.
The following information describes how the SAVNET denylist mechanism operates.
The device creates SAVNET denylist entries upon receiving an IPv6 BGP unicast route, as follows:
1. The device identifies the outgoing interface that leads to the next hop of the route.
2. The device determines whether the outgoing interface acts as one or more source prefix producers.
3. If the outgoing interface acts as a source prefix producer, the device identifies the consumer interfaces of each source prefix producer. An interface is a consumer of a source prefix producer if its consumer name is the same as the producer name.
4. For each consumer interface of each source prefix producer, the device generates a SAVNET denylist entry. In each entry, the source prefix is the destination address of the IPv6 BGP unicast route, and the incoming interface is the consumer interface.
To specify an interface as a source prefix producer, use the ipv6 savnet deny productor command. To specify an interface as the consumer of a producer, execute the ipv6 savnet deny consumer command.
If the device receives a packet after it generates SAVNET entries, the device processes the packet as follows:
· If the source IP address and incoming interface of the packet both match a SAVNET denylist entry, the device discards the packet. If the matching entry is an allowlist entry, the device accepts and processes the packet.
· If the source IP address of the packet matches a SAVNET denylist entry but its incoming interface does not match the entry, the device accepts and processes the packet. If the matching entry is an allowlist entry, the device discards the packet.
· If the source IP address of the packet does not match any SAVNET entry, the device takes action depending on the type of its incoming interface. If the packet arrives at an NNI interface, the device permits the packet to pass through. If the packet arrives at a UNI interface, the device discards the packet.
· On consumer interfaces of the SAVNET denylist, the device compares incoming packets only with SAVNET denylist entries.
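The denylist entry-generation steps and the four packet-processing rules above (the same rules are listed under savnet allowlist enable) as an added Python model. This is example code written for this page, not device software; the interface names, producer/consumer names and prefixes are constructed, and the precedence between an allow and a deny entry that both match exactly is an assumption, since the page does not state it.

```python
# Model of SAVNET denylist entry generation and the packet decision rules (constructed example).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    prefix: ipaddress.IPv6Network   # source prefix = destination prefix of the BGP route
    interface: str                  # expected incoming interface
    kind: str                       # "allow" or "deny"

def denylist_entries(route_prefix, next_hop_iface, producers, consumers):
    """Steps 1-4: the route's outgoing interface must be a producer; one entry is
    generated per consumer interface whose consumer name equals the producer name."""
    producer_name = producers.get(next_hop_iface)
    if producer_name is None:
        return []
    return [Entry(ipaddress.IPv6Network(route_prefix), iface, "deny")
            for iface, cname in consumers.items() if cname == producer_name]

def validate(src, in_iface, iface_types, entries, consumers):
    """Return 'permit' or 'drop' for a packet with source src arriving on in_iface."""
    addr = ipaddress.IPv6Address(src)
    # Rule 4: consumer interfaces are compared against denylist entries only.
    candidates = [e for e in entries
                  if addr in e.prefix and (e.kind == "deny" or in_iface not in consumers)]
    if not candidates:                     # rule 3: no entry, decide by interface type
        return "permit" if iface_types[in_iface] == "NNI" else "drop"
    exact = [e for e in candidates if e.interface == in_iface]
    if exact:                              # rule 1: address and interface both match
        # Assumption: if both a deny and an allow entry match exactly, deny wins.
        return "drop" if any(e.kind == "deny" for e in exact) else "permit"
    # Rule 2: address matches but interface does not. An allowlisted prefix from the
    # wrong interface is dropped; a denylisted prefix from another interface passes.
    return "drop" if any(e.kind == "allow" for e in candidates) else "permit"

# Constructed topology: GE1 is a UNI; GE2-GE4 are NNIs; GE4 produces "P1" and GE3 consumes it.
IFACE_TYPES = {"GE1": "UNI", "GE2": "NNI", "GE3": "NNI", "GE4": "NNI"}
PRODUCERS = {"GE4": "P1"}
CONSUMERS = {"GE3": "P1"}
ENTRIES = [Entry(ipaddress.IPv6Network("2001:db8:1::/48"), "GE1", "allow")]
ENTRIES += denylist_entries("2001:db8:2::/48", "GE4", PRODUCERS, CONSUMERS)

def decide(src, in_iface):
    return validate(src, in_iface, IFACE_TYPES, ENTRIES, CONSUMERS)

if __name__ == "__main__":
    for src, iface in [("2001:db8:1::1", "GE1"), ("2001:db8:1::1", "GE2"), ("2001:db8:2::1", "GE3"),
                       ("2001:db8:2::1", "GE2"), ("2001:db8:9::1", "GE1"), ("2001:db8:9::1", "GE2")]:
        print(src, iface, "->", decide(src, iface))
```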
Examples
# Enable the SAVNET denylist in BGP IPv6 unicast address family view.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 unicast
[Sysname-bgp-default-ipv6] savnet denylist enable
Related commands
ipv6 savnet deny
savnet denylist route-policy
savnet denylist route-policy
Use savnet denylist route-policy to control generation of the SAVNET denylist through a routing policy.
Use undo savnet denylist route-policy to restore the default.
Syntax
savnet denylist route-policy route-policy-name
undo savnet denylist route-policy
Default
The device does not use a routing policy to control generation of the SAVNET denylist.
Views
BGP IPv6 unicast address family view
Predefined user roles
network-admin
Parameters
route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.
Usage guidelines
After you enable the SAVNET denylist by using the savnet denylist enable command, all IPv6 BGP routes are by default available for generating SAVNET denylist entries. To generate SAVNET denylist entries flexibly only for some of the IPv6 BGP routes, use a routing policy. The device will generate SAVNET denylist entries only for IPv6 BGP unicast routes that match the routing policy.
Examples
# In BGP IPv6 unicast address family view, specify routing policy test to control generation of SAVNET denylist entries.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 unicast
[Sysname-bgp-default-ipv6] savnet denylist route-policy test
Related commands
savnet denylist enable
savnet enable
Use savnet enable to enable SAVNET computation on an IS-IS process.
Use undo savnet enable to disable SAVNET computation on an IS-IS process.
Syntax
savnet enable
undo savnet enable
Default
SAVNET computation is disabled on IS-IS processes.
Views
IS-IS IPv6 unicast address family view
Predefined user roles
network-admin
Usage guidelines
Application scenarios
Traditional source address validation methods (ACL-based filtering and uRPF) have the following issues:
· High maintenance costs—ACL rules require manual maintenance, which is both tedious and error-prone.
· Risks posed by misconfiguration—Incorrect ACL configuration can block legitimate traffic or mistakenly permit malicious traffic to pass through.
· False-positive risk—uRPF validates source addresses based on the FIB. On networks with asymmetric routing, strict uRPF check might erroneously block legitimate traffic, while loose uRPF check might permit malicious traffic to pass through.
IS-IS SAVNET provides an optimized SAVNET solution to resolve these issues. In this solution, the SAVNET module automatically generates and updates accurate SAVNET entries based on IS-IS routing information to validate IPv6 source prefixes.
Operating mechanism
After you enable IS-IS SAVNET on each device in an IS-IS routing domain, IS-IS SAVNET operates on each device as follows:
1. Each device computes IS-IS routes and generates route entries. Each entry contains one destination prefix and one or multiple outgoing interfaces, in {destination prefix x; outgoing interface 1, outgoing interface 2, ...} format.
2. The IS-IS module sends the generated route entries to the SAVNET module, in {destination prefix x; interface 1}, {destination prefix x; interface 2} format.
3. The SAVNET module generates SAVNET entries based on the received route entries, and then uses these entries to validate IPv6 packets.
4. When a path in the IS-IS routing domain changes, IS-IS regenerates a {destination prefix; outgoing interface} entry and sends it to the SAVNET module, which then updates the SAVNET entry based on the received entry.
Restrictions and guidelines
To have the IS-IS module generate and issue {destination prefix; outgoing interface} entries to the SAVNET module, you must perform the following steps:
1. Execute the savnet enable command on each device in the IS-IS routing domain.
2. Execute the isis ipv6 savnet enable command on each NNI SAVNET interface.
Examples
# Enable SAVNET computation on IS-IS process 1.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] address-family ipv6
[Sysname-isis-1-ipv6] savnet enable
Related commands
isis ipv6 savnet enable
savnet-entry expire-time
Use savnet-entry expire-time to set the SAVNET entry aging time.
Use undo savnet-entry expire-time to restore the default.
Syntax
savnet-entry expire-time time
undo savnet-entry expire-time
Default
The SAVNET entry aging time is 7200 seconds.
Views
BGP IPv6 SAVNET address family view
Predefined user roles
network-admin
Parameters
time: Sets a SAVNET entry aging time, in the value range of 60 to 172800 seconds.
Usage guidelines
Operating mechanism
To avoid traffic forwarding issues caused by retention of outdated SAVNET entries after the network topology changes, you can configure this command. SAVNET entries generated through BGP use the specified aging time and are maintained or updated through continuous reception of DPP routes. Entries that are not maintained or updated because no DPP routes are received before the aging timer expires will age out.
Restrictions and guidelines
As a best practice, configure the SAVNET entry aging time to be at least twice the DPP route sending interval configured on the route generating device. Otherwise, SAVNET entries might age out incorrectly because of a long DPP route sending interval.
Examples
# Set the SAVNET entry aging time to 100 seconds.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6] savnet-entry expire-time 100
Make sure the SAVNET entry aging time is at least twice the DPP route sending interval configured on the DPP routes’ source device. Continue? [y/n]
savnet validation-as
Use savnet validation-as to configure the validation AS numbers when the local AS acts as the source AS.
Use undo savnet validation-as to cancel the validation AS number configuration.
Syntax
savnet validation-as { as-number&<1-8> }
undo savnet validation-as [ as-number&<1-8> ]
Default
No validation AS number is configured when the local AS acts as the source AS.
Views
BGP IPv6 SAVNET address family view
Predefined user roles
network-admin
Parameters
as-number&<1-8>: The as-number argument specifies a validation AS number in the range of 1 to 4294967295. The &<1-8> argument indicates that you can specify a maximum of eight validation AS numbers.
Usage guidelines
Application scenarios
This command is used to implement the inter-domain traffic validation of SAVNET.
Operating mechanism
All ASBRs in the source AS must execute the savnet validation-as command. On non-DR ASBRs in the source AS, specify the DR (by using the peer designate-router command) and the validation AS number (by using the savnet validation-as command). Then, these ASBRs collect the ingress neighbor AS numbers in the AS_PATHs from the source AS to the validation AS, and send the collected ingress neighbor AS numbers to the DR in the source AS.
On the DR device in the source AS, after the validation AS number is specified using the savnet validation-as command, the DR collects the ingress neighbor AS numbers from its BGP routes. Then, the DR in the source AS consolidates all the ingress neighbor AS numbers to form an ingress neighbor AS list, and sends the list to the peer DR device through an inter-domain DPP route.
Restrictions and guidelines
The specified validation AS number cannot be the same as the local AS number.
You can use this command multiple times to configure multiple validation AS numbers for the local AS acting as the source AS.
Examples
# Configure AS 200 as the validation AS number when the local AS acts as the source AS.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv6 savnet
[Sysname-bgp-default-savnet-ipv6] savnet validation-as 200
Related commands
peer designate-router