Use address-family ipv6 savnet to create the BGP IPv6 SAVNET address family and enter its view, or enter the view of the existing BGP IPv6 SAVNET address family.

Use undo address-family ipv6 savnet to delete the BGP IPv6 SAVNET address family and all its configuration.

Syntax

address-family ipv6 savnet

undo address-family ipv6 savnet

Default

The BGP IPv6 SAVNET address family does not exist.

Views

BGP instance view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

The BGP IPv6 SAVNET address family is used for SAVNET networks. SAVNET devices can generate SAVNET entries by exchanging BGP IPv6 SAVNET routes that carry the protocol information.

Restrictions and guidelines

The configuration in BGP IPv6 SAVNET address family view takes effect only on routes and peers in the BGP IPv6 SAVNET address family.

Examples

# Create the BGP IPv6 SAVNET address family in BGP instance view and enter BGP IPv6 SAVNET address family view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6]

destination-probing enable

Use destination-probing enable to enable SAVNET destination prefix probing.

Use undo destination-probing enable to disable SAVNET destination prefix probing.

Syntax

destination-probing enable

undo destination-probing enable

Default

SAVNET destination prefix probing is disabled.

Views

BGP IPv6 SAVNET address family view

Predefined user roles

network-admin

Usage guidelines

Operating mechanism

When SAVNET destination prefix probing is disabled, the device only forwards but cannot generate DPP routes. With this feature enabled, the device can generate DPP routes.

Restrictions and guidelines

This command does not affect the agent DPP route feature. SAVNET devices can generate agent DPP routes even when SAVNET destination prefix probing is disabled.

Examples

# Enable SAVNET destination prefix probing.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6] destination-probing enable

destination-probing interval

Use destination-probing interval to set the DPP route sending interval.

Use undo destination-probing interval to restore the default.

Syntax

destination-probing interval [ interval ]

undo destination-probing interval

Default

The DPP route sending interval is 3600 seconds.

Views

BGP IPv6 SAVNET address family view

Predefined user roles

network-admin

Parameters

interval: Sets an interval, in the value range of 30 to 86400 seconds.

Usage guidelines

Operating mechanism

With this command configured on a device, the device periodically sends DPP routes at the specified interval.

Restrictions and guidelines

As a best practice, configure the SAVNET entry aging time to be at least twice the DPP route sending interval configured on the route generating device. Otherwise, SAVNET entries might age out incorrectly because of long DPP route sending interval.

If a large number of DPP routes need to be sent, do not set the sending interval of DPP routes too short. A too short sending interval might overwhelm BGP IPv6 SAVNET peers with DPP routes, causing them unable to process the received DPP routes timely.

Examples

# Set the DPP route sending interval to 100 seconds.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6] destination-probing interval 100

Make sure the SAVNET entry aging time is at least twice the DPP route sending interval configured on the DPP routes’ source device. Continue? [y/n]

Related commands

destination-probing enable

savnet-entry expire-time

display bgp ipv6 savnet dpp

Use display bgp ipv6 savnet dpp to display information about BGP IPv6 SAVNET Destination Prefix Probing (DPP) routes.

Syntax

display bgp [ instance instance-name ] ipv6 savnet dpp [ [ route-distinguisher route-distinguisher ] [ savnet-route route-length | savnet-prefix ] | statistics ]

display bgp [ instance instance-name ] ipv6 savnet dpp [ route-distinguisher route-distinguisher ] time-range min-time max-time

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays DPP route information of the default instance.

route-distinguisher route-distinguisher: Specifies the route distinguisher of DPP routes, a string of 3 to 21 characters in the format of Router ID:0.

savnet-route route-length: Specifies a DPP route and the route length. A DPP route is a string of 1 to 512 characters. The length of a DPP route is an integer in the range of 0 to 65535, in bits.

savnet-prefix: Specifies a DPP route by a prefix in the format of savnet-route/route-length, which is a case-insensitive string of 1 to 512 characters.

statistics: Displays statistics for DPP routes.

time-range min-time max-time: Displays DPP routes that have existed for a time period in the specified time period range since the last update. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, and are in <0-10000>d<0-23>h<0-59>m<0-59>s format. The d, h, m, and s letters represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively. The value for the max-time argument must be greater than that for the min-time argument.

Usage guidelines

If no parameters are specified, this command displays brief information about all BGP IPv6 SAVNET DPP routes.

Examples

# Display brief information about all BGP IPv6 SAVNET DPP routes.

<Sysname> display bgp ipv6 savnet dpp

BGP local router ID is 8.5.6.7

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

Total number of SAVNET routes: 3

Total number of routes from all peers: 1

Route distinguisher: 3.4.5.6:0

Total number of routes: 1

* >i Network : [2][2][1][3.4.5.6][64][101::]/120

NextHop : 0.0.0.0 LocPrf : 100

MED : 0

Path/Ogn: i

Route distinguisher: 8.5.6.7:0

Total number of routes: 2

* > Network : [2][2][1][8.5.6.7][64][10::]/120

NextHop : 0.0.0.0 LocPrf : 100

MED : 0

Path/Ogn: i

* >i Network : [2][2][1][3.3.3.3][128][1::1]/184

NextHop : 0.0.0.0 LocPrf : 100

MED : 0

Path/Ogn: i

Route distinguisher: 100:0

Total number of routes: 1

* >i Network : [2][2][2][3.3.3.3][100][200][300]/144

NextHop : 0.0.0.0 LocPrf : 100

MED : 0

Path/Ogn: i

# Display brief information about all BGP IPv6 SAVNET DPP routes whose duration since the last route update is within a specified time range.

<Sysname> display bgp ipv6 savnet dpp time-range 1d1h1m1s 7d3h1m1s

BGP local router ID is 8.5.6.7

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

Total number of SAVNET routes: 2

Total number of routes from all peers: 2

Route distinguisher: 3.4.5.6:0

Total number of routes: 1

* >i Network : [2][2][1][3.4.5.6][64][101::]/120

NextHop : :: LocPrf : 100

MED : 0 Route age : 06d01h12m44s

Table 1 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Status codes	Route status code: · * - valid—Valid route. · > - best—Optimal route · d - dampened—Dampened route. · h - history—History route. · s - suppressed—Suppressed route. · S - stale—Stale route. · i - internal—Internal route. · e - external—External route. · a - additional-path—Add-Path optimal route.
Origin	Origin of the route: · i - IGP—Originated in the local AS. · e - EGP—Learned through Exterior Gateway Protocol (EGP). · ? - incomplete—Unknown origin. The origin of routes redistributed from the IGP protocol is incomplete.
Total number of SAVNET routes	Total number of SAVNET routes for all route distinguishers.
Total number of routes from all peers	Total number of SAVNET routes received from all BGP IPv6 SAVNET peers.
Route distinguisher	Information of the DPP routes with the specified route distinguisher.
Total number of routes	Total number of DPP routes with the specified routing distinguisher.
Network	DPP route: · Intra-domain DPP route: [2][2][DPP route subprotocol type][origin router ID][prefix length][prefix IPv6 address]. The value for the DPP route subprotocol type is 1. · Inter-domain DPP route: [2][2][DPP route subprotocol type][origin router ID][source AS number][validation AS number][ingress neighbor AS list]. The value for the DPP route subprotocol type is 2.
NextHop	Next hop address, which is 0.0.0.0. This field is meaningless for DPP routes.
LocPrf	Local preference value.
MED	Multi-Exit Discriminator (MED) attribute value.
Path/Ogn	The AS_Path attribute of the route and the ORIGIN attribute of the route information, where: · The AS_PATH attribute records all the ASs that this route has passed through, which can avoid routing loops. This field can display a maximum of 16 AS numbers, and the omitted part is represented by ellipsis (...). The omitted part can be viewed by displaying the detailed information of the route. · The ORIGIN attribute marks how this BGP route is generated.
Route age	Time elapsed since the last update of the route, in <0-10000>d<0-23>h<0-59>m<0-59>s format. d, h, m, and s represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively.

‌

# Display detailed information for DPP route [2][2][1][192.168.56.12][128][156::1]/184.

<Sysname> display bgp ipv6 savnet dpp [2][2][1][192.168.56.12][128][156::1]/184

BGP local router ID: 8.5.6.7

Local AS number: 100

Route distinguisher: 192.168.56.12:0

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of [2][2][1][192.168.56.12][128][156::1]/184:

From : 100::1 (192.168.56.12)

Rely nexthop : ::1

Original nexthop: 0.0.0.0

Out interface : NULL0

Route age : 00h01m42s

OutLabel : NULL

RxPathID : 0x0

TxPathID : 0xffffffff

AS-path : (null)

Origin : igp

Attribute value : MED 0, localpref 100, pref-val 32768

State : valid, internal, best

Source type : local

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Route type : SAVNET DPP

Origin routerID : 192.168.56.12

Sequence num : 26

IfIndexIn : 258

In interface : Ten-GigabitEthernet3/0/1

IfIndexOut : 259

Out interface : Ten-GigabitEthernet3/0/2, advertised

LastSend : 00h00m56s

Path RID list : 192.168.56.12

Agent RID list : (null)

Table 2 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Local AS number	Local AS number.
Route distinguisher	Information of the DPP routes with the specified route distinguisher.
Total number of routes	Total number of DPP routes with the specified routing distinguisher.
Paths	Route quantity information. · Available—Number of effective routes. · best—Number of optimal routes.
BGP routing table information of [2][2][1][192.168.56.12][128][156::1]/184	Detailed information of DPP route [2][2][1][192.168.56.12][128][156::1]/184.
From	IP address of the BGP peer that advertised this route.
Rely nexthop	Next hop IP address after route recursion. This field has no meaning for routes in the SAVNET address family.
Original nexthop	Original next hop address of the route, with a value of ::.
Route age	Period of time since the last update of the route.
OutLabel	Outgoing label value of the route.
RxPathID	Add-Path ID value of the received route.
TxPathID	Add-Path ID value of the sent route.
AS-path	AS_PATH attribute of the route. It records all the ASs that the route passes through, which can prevent routing loops.
Origin	Origin of the route. Values include: · igp—Originated in the local AS. · egp—Learned through Exterior Gateway Protocol (EGP). · incomplete—Unknown origin. The origin of routes redistributed from the IGP protocol is incomplete.
Attribute value	BGP route attributes: · MED—MED value associated with the destination network. · localpref—Local preference value. · pref-val—Preferred value.
State	Current state of the route: · valid · Internal · External · local · best
Source type	Source type of the route.
IP precedence	IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field.
QoS local ID	QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field.
Traffic index	Traffic index value, in the range of 1 to 64. N/A indicates that the route does not support this field.
Route type	Type of the SAVNET route, which is SAVNET DPP, indicating DPP routes.
Origin routerID	Origin router ID. This field is available only for intra-domain DPP routes.
Source AS number	This field is available only for inter-domain DPP routes.
Validation AS number	This field is available only for inter-domain DPP routes.
Ingress neighbor AS list	This field is available only for inter-domain DPP routes.
Sequence num	Sequence number of the DPP route, used to distinguish between new and old DPP routes. The recipient only processes DPP routes with a higher DPP route sequence number than the ones it has already received. The exception is that the recipient will always process a DPP route with sequence number 0 to avoid the inability to receive DPP routes when the sequence number overflows and resets to 0.
IfindexIn	Index of the interface that received the DPP route.
In interface	Name of the interface that received the DPP route.
IfIndexOut	Index of the interface that sent the DPP route.
Out interface	Name of the interface that sent the DPP route, and the route sending result.
LastSend	Time elapsed since the last sending of the DPP route, in the format of xxhxxmxxs, where h represents hours, m represents minutes, and s represents seconds.
Path RID list	List of the router IDs of the devices that a non-agent DPP route passes, the closer the peer to the receiver, the higher its position in the list.
Agent RID list	List of the router IDs of the devices that an agent DPP route passes, the closer the peer to the receiver, the higher its position in the list. If the current route is not an agent DPP route, this field displays (null).

‌

# Display statistics about DPP routes.

<Sysname> display bgp ipv6 savnet dpp statistics

Total number of SAVNET routes: 3

Total number of routes from all peers: 3

Route distinguisher: 3.4.5.6:0

Total number of routes: 3

Table 3 Command output

Field	Description
Total number of SAVNET routes	Total number of SAVNET routes for all route distinguishers.
Total number of routes from all peers	Total number of SAVNET routes received from all BGP IPv6 SAVNET peers.
Route distinguisher	Information of the DPP routes with the specified route distinguisher.
Total number of routes	Total number of DPP routes with the specified routing distinguisher.

‌

Related commands

import-route (Layer 3—IP Routing Command Reference)

display bgp ipv6 savnet ingress-neighbor-as

Use display bgp ipv6 savnet ingress-neighbor-as to display ingress neighbor AS information for inter-domain SAVNET.

Syntax

display bgp [ instance instance-name ] ipv6 savnet ingress-neighbor-as [ validation-as as-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance. The instance-name argument represents a BGP instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a BGP instance, this command displays information for the default BGP instance. validation-as as-number: Specify a validation AS by the AS number. If you do not specify this option, the command displays ingress neighbor AS information for all validation ASs.

Examples

# Display information about all ingress neighbor ASs in BGP instance IPv6 SAVNET address family.

<Sysname> display bgp ipv6 savnet ingress-neighbor-as

Validation AS number: 200

Ingress neighbor AS: 10 Origin: local

Ingress neighbor AS: 20 Origin: remote

Validation AS number: 300

Ingress neighbor AS: 40 Origin: local

Ingress neighbor AS: 50 Origin: remote

Table 4 Command output

Field

Description

Ingress neighbor AS

Ingress neighbor AS number

Origin

Origin of the ingress neighbor AS number. Options include:

· local—Ingress neighbor AS number collected from the local device.

· remote—Ingress neighbor AS number collected from other ASBRs.

Related commands

savnet validation-as

display bgp ipv6 savnet prefix

Use display bgp ipv6 savnet prefix to display destination prefixes that can form DPP routes.

Syntax

display bgp [ instance instance-name ] ipv6 savnet prefix [ ipv6-address prefix-length ]

display bgp [ instance instance-name ] ipv6 savnet prefix time-range min-time max-time

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays information about the default instance.

ipv6-address prefix-length: Displays brief information about the destination prefix that exactly matches the specified destination network address and prefix length. The prefix-length argument specifies a prefix length in the range of 0 to 128. If you do not specify this option, the command displays information about all destination prefixes.

time-range min-time max-time: Displays destination prefixes that have existed for a time period in the specified time period range since the last update. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, and are in <0-10000>d<0-23>h<0-59>m<0-59>s format. The d, h, m, and s letters represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively. The value for the max-time argument must be greater than that for the min-time argument.

Usage guidelines

This command displays the destination prefix information that is imported from the IP routing table and can form DPP routes.

Examples

# Display brief information about all destination prefixes that can form DPP routes.

<Sysname> display bgp ipv6 savnet prefix

Total number of routes: 1

BGP local router ID is 8.5.6.7

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

* > Network : 10:: PrefixLen : 64

# Display brief information about all destination prefixes that can form DPP routes and whose duration since the last update is within a specified time range.

<Sysname> display bgp ipv6 savnet prefix time-range 1d1h1m1s 7d3h1m1s

Total number of routes: 1

BGP local router ID is 8.5.6.7

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

* > Network : 10:: PrefixLen : 64

Route age: 06d01h12m44s

Table 5 Command output

Field	Description
Total number of routes	Total number of destination prefix routes.
BGP local router ID	Locally configured router ID of the device.
Status codes	Route state code. This field is meaningless for destination prefix information.
Origin	Origin of the route information. This field is meaningless for destination prefix information.
Network	Destination network address.
PrefixLen	Prefix length of the destination network address.
Route age	Time elapsed since the last update of the destination prefix, in <0-10000>d<0-23>h<0-59>m<0-59>s format. d, h, m, and s represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively.

‌

# Display detailed information for destination prefix 156::1/128.

<Sysname> display bgp ipv6 savnet prefix 156::1 128

BGP local router ID: 192.168.56.12

Local AS number: 100

Paths: 2 available, 2 best

BGP routing table information of 156::1/128:

Imported route.

Original nexthop: FE80::1092:20FF:FE78:1D16

Out interface : GigabitEthernet2/0/1

Route age : 00h51m37s

OutLabel : NULL

RxPathID : 0x0

TxPathID : 0xffffffff

AS-path : (null)

Origin : incomplete

Attribute value : MED 20, pref-val 32768

State : valid, local, best

Source type : local

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Route type : SAVNET PREFIX

OnSavnetPeerList: Yes

Table 6 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Local AS number	Local AS number.
Route distinguisher	Information of the DPP routes with the specified route distinguisher.
Total number of routes	Total number of DPP routes with the specified routing distinguisher.
Paths	Route number information. · Available—Number of effective routes. · best—Number of optimal routes.
BGP routing table information of 156::1/128	Detailed information of destination prefix 156::1/128.
Imported route	Imported route. This field is meaningless for the destination prefix.
Original nexthop	Original next hop address of the route. This field is meaningless for the destination prefix.
Out interface	Name of the interface that will send the DPP route after the DPP route is generated based on the destination prefix.
Route age	Period of time since the last update of the route.
OutLabel	Outbound label value of the route. This field is meaningless for the destination prefix.
RxPathID	Add-Path ID value of the received route. This field is meaningless for the destination prefix.
TxPathID	Add-Path ID value of the sent route. This field is meaningless for the destination prefix.
AS-path	AS_PATH attribute of the route. This field is meaningless for the destination prefix.
Origin	Origin of the route information. This field is meaningless for the destination prefix.
Attribute value	BGP route attributes. This field is meaningless for the destination prefix.
State	Current state of the route. This field is meaningless for the destination prefix.
Source type	Source type of the route. This field is meaningless for the destination prefix.
IP precedence	IP precedence of the route. This field is meaningless for the destination prefix.
QoS local ID	QoS Local ID attribute of the route. This field is meaningless for the destination prefix.
Traffic index	Traffic index value, in the range of 1 to 64. This field is meaningless for the destination prefix.
Route type	Type of the SAVNET route, which is SAVNET PREFIX, indicating a destination prefix that can form a DPP route.
OnSavnetPeerList	Whether the DPP route corresponding to this prefix can be advertised to neighbors. · Yes. · No.

‌

display bgp ipv6 savnet sav

Use display bgp ipv6 savnet sav to display the SAVNET entries generated by the SAVNET module upon BGP notifications.

Syntax

display bgp [ instance instance-name ] ipv6 savnet sav

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

# Display all SAVNET entries generated by BGP notification to the SAVNET module.

<Sysname> display bgp ipv6 savnet sav

Total number of routes: 1

BGP local router ID is 192.168.1.136

Status codes: * - valid, > - best, d - dampened, h - history

s - suppressed, S - stale, i - internal, e - external

a – additional-path

Origin: i - IGP, e - EGP, ? - incomplete

* >e Network : 10:: PrefixLen : 64

In-Intf : Ten-GigabitEthernet3/0/1

Table 7 Command output

Field	Description
Total number of routes	Number of SAVNET entries.
BGP local router ID	Locally configured router ID of the device.
Status codes	Route state code. This field is meaningless for SAVNET entry information.
Origin	Origin of the route information. This field is meaningless for SAVNET entry information.
Network	Destination network address of the SAVNET entry.
PrefixLen	Prefix length of the destination network address of the SAVNET entry.
In-Intf	Name of the incoming interface of the SAVNET entry.

‌

display bgp ipv6 savnet spa

Use display bgp ipv6 savnet spa to display BGP IPv6 SAVNET Source Prefix Advertising (SPA) routing information.

Syntax

display bgp [ instance instance-name ] ipv6 savnet spa [ peer ipv6-address { advertised-routes | received-routes } [ { savnet-route route-length | savnet-prefix } [ verbose ] | statistics ] | route-distinguisher route-distinguisher [ savnet-route route-length | savnet-prefix ] | { savnet-route route-length | savnet-prefix } [ advertise-info ] | statistics ]

display bgp [ instance instance-name ] ipv6 savnet spa [ route-distinguisher route-distinguisher ] time-range min-time max-time

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

peer ipv6-address: Displays the SPA route information advertised to or received from the specified peer. The ipv6-address argument represents the IPv6 address of a peer.

advertised-routes: Displays SPA route information advertised to the specified peer.

received-routes: Displays SPA route information received from the specified peer.

verbose: Displays detailed SAP route information. If you do not specify this keyword, the command displays brief information.

statistics: Displays statistics for SPA routes.

route-distinguisher route-distinguisher: Displays SPA routing information for the specified route distinguisher. The route-distinguisher argument represents the route distinguisher value, a string of 3 to 21 characters. The format is Router ID:0 for intra-domain SPA and AS number:0 for inter-domain SPA.

savnet-route route-length: Displays the advertisement information for the specified SPA route. The savnet-route argument represents the SPA route, a string of 1 to 512 characters. The route-length argument represents the length of the SPA route, in the range of 0 to 65535, in bits.

savnet-prefix: Displays advertisement information for the specified SPA route. savnet-prefix represents the SPA route in the format of savnet-route/route-length, which is a case-insensitive string of 1 to 512 characters.

advertise-info: Displays advertisement information of SPA routes.

time-range min-time max-time: Displays SPA routes that have existed for a time period in the specified time period range since the last update. The min-time and max-time arguments represent the minimum and maximum time periods, respectively, and are in <0-10000>d<0-23>h<0-59>m<0-59>s format. The d, h, m, and s letters represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively. The value for the max-time argument must be greater than that for the min-time argument.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all SPA routes.

Examples

# Display brief information about all BGP IPv6 SAVNET SPA routes.

<Sysname> display bgp ipv6 savnet spa

BGP local router ID is 3.4.5.6

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

Total number of SAVNET routes: 2

Total number of routes from all peers: 2

Route distinguisher: 3.4.5.6:0

Total number of routes: 2

* > Network : [1][1][3.4.5.6][64][10::]/120

NextHop : :: LocPrf : 100

MIIG-Tag: 1 MIIG-Type : 1

MED : 0

Path/Ogn: i

* > Network : [1][1][3.4.5.6][64][100::]/120

NextHop : :: LocPrf : 100

MIIG-Tag: 0 MIIG-Type : 0

MED : 0

Path/Ogn: i

Route distinguisher: 100:0

Total number of routes: 1

* > Network : [1][2][100][64][10::]/120

NextHop : :: LocPrf : 100

MIIG-Tag: 0 MIIG-Type : 0

MED : 0

Path/Ogn: i

# Display brief information about all BGP IPv6 SAVNET SPA routes whose duration since the last route update are within a specified time range.

<Sysname> display bgp ipv6 savnet spa time-range 1d1h1m1s 7d3h1m1s

BGP local router ID is 3.4.5.6

Status codes: * - valid, > - best, d - dampened, h - history,

s - suppressed, S - stale, i - internal, e - external

a - additional-path

Origin: i - IGP, e - EGP, ? - incomplete

Total number of SAVNET routes: 1

Total number of routes from all peers: 1

Route distinguisher: 3.4.5.6:0

Total number of routes: 1

* > Network : [1][1][3.4.5.6][64][10::]/120

NextHop : :: LocPrf : 100

MIIG-Tag: 0 MIIG-Type : 0

MED : 0 Route age : 06d01h12m44s

Table 8 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Status codes	Route status code: · * - valid—Valid route. · > - best—Optimal route · d - dampened—Dampened route. · h - history—History route. · s - suppressed—Suppressed route. · S - stale—Stale route. · i - internal—Internal route. · e - external—External route. · a - additional-path—Add-Path optimal route.
Origin	Origin of the route. Values include: · i - IGP—Originated in the local AS.. · e - EGP—Learned through Exterior Gateway Protocol (EGP). · ? - incomplete—Unknown origin. The origin of routes redistributed from the IGP protocol is incomplete.
Total number of SAVNET routes	Total number of SAVNET routes for all route distinguishers.
Total number of routes from all peers	Total number of SAVNET routes received from all BGP IPv6 SAVNET peers.
Route distinguisher	Information of the SPA routes with the specified route distinguisher.
Total number of routes	Total number of SPA routes with the specified route distinguisher.
Network	SPA route: · Intra-domain SPA route: The value is [1][1][origin router ID][prefix length][IPv6 prefix address]. · Inter-domain SPA route: The value is [1][2][source AS number][prefix length][IPv6 prefix address].
NextHop	Next hop IPv6 address. The value is ::. This field is meaningless for SPA routes.
LocPrf	Local preference value.
MIIG-Tag	Access tag value carried in the route. This field displays 0 if no access tag is configured.
MIIG-Type	Access tag type carried in the route. Options include: · 1—Single-homed. · 2—Complete multi-homed. This field displays 0 if no access tag is configured.
MED	Multi-Exit Discriminator (MED) attribute value.
Path/Ogn	The AS_Path attribute of the route and the ORIGIN attribute of the route information, where: · AS_PATH records all the ASs that this route has passed through, which can avoid routing loops. This field can display a maximum of 16 AS numbers, and the omitted part is represented by ellipsis (...). The omitted part can be viewed by displaying the detailed information of the route. · The ORIGIN attribute marks how this BGP route is generated.
Route age	Time elapsed since the last update of the route, in <0-10000>d<0-23>h<0-59>m<0-59>s format. d, h, m, and s represent days, hours, minutes, and seconds, respectively. <0-10000>, <0-23>, <0-59>, and <0-59> represent the value ranges for d, h, m, and s, respectively.

‌

# Display detailed information about SPA route [1][1][192.168.56.12][64][10::]/120.

<Sysname> display bgp ipv6 savnet spa [1][1][192.168.56.12][64][10::]/120

BGP local router ID: 8.5.6.7

Local AS number: 100

Route distinguisher: 192.168.56.12:0

Total number of routes: 1

Paths: 1 available, 1 best

BGP routing table information of [1][1][192.168.56.12][64][10::]/120:

RR-client route.

From : 100::1 (192.168.56.12)

Rely nexthop : ::

Original nexthop: ::

Route age : 15h00m59s

OutLabel : NULL

RxPathID : 0x0

TxPathID : 0x0

AS-path : (null)

Origin : incomplete

Attribute value : MED 0, localpref 100, pref-val 32768

State : valid, local, best

Source type : local

Originator : 3.3.3.3

Cluster list : 2.2.2.2

IP precedence : N/A

QoS local ID : N/A

Traffic index : N/A

Route type : SAVNET SPA

Origin routerID : 192.168.56.12

MIIG-Tag : 77

MIIG-Type : 1

MIIG-Flags : 0x1

Table 9 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Local AS number	Local AS number.
Route distinguisher	Information of the SPA routes with the specified route distinguisher.
Total number of routes	Total number of SPA routes with the specified route distinguisher.
Paths	Route number information. · Available—Number of effective routes. · best—Number of optimal routes.
BGP routing table information of [1][1][192.168.56.12][64][10::]/120	Detailed information of SPA route [1][1][192.168.56.12][64][10::]/120.
RR-client route	Route reflected from the route reflector.
From	IP address of the BGP peer that advertised this route.
Rely nexthop	Next hop IP address after route recursion. This field has no meaning for routes in the SAVNET address family.
Original nexthop	Original next hop address of the route, with a value of ::.
Route age	Period of time since the last update of the route.
OutLabel	Outgoing label value of the route.
RxPathID	Add-Path ID value of the received route.
TxPathID	Add-Path ID value of the sent route.
AS-path	AS_PATH attribute of the route. It records all the ASs that the route passes through, which can prevent routing loops.
Origin	Origin of the route. Values include: · igp—Originated in the local AS. · egp—Learned through Exterior Gateway Protocol (EGP). · incomplete—Unknown origin. The origin of routes redistributed from the IGP protocol is incomplete.
Attribute value	BGP route attribute information, including: · MED—MED value associated with the destination network. · localpref—Local preference value. · pref-val—Prefered value.
State	Current state of the route: · valid · Internal · External · local · best
H3C is short for New H3C in English, and I am the H3C AI Assistant.	Source type of the route.
Originator	Peer that generated this route.
Cluster list	The cluster ID list attribute of the route.
IP precedence	IP precedence in the range of 0 to 7. N/A indicates that the route does not support this field.
QoS local ID	QoS local ID in the range of 1 to 4095. N/A indicates that the route does not support this field.
Traffic index	Traffic index value, in the range of 1 to 64. N/A indicates that the route does not support this field.
Route type	Type of the SAVNET route, which is SAVNET SPA, indicating SPA route.
Origin routerID	Router ID of the origin SAVNET device that sent the route. This field is available only for intra-domain SPA routes.
Source AS number	This field is available only for inter-domain SPA routes.
MIIG-Tag	Access tag value carried in the route. This field displays 0 if no access tag is configured.
MIIG-Type	Access tag type carried in the route. Options include: · 1—Single-homed. · 2—Complete multi-homed. This field displays 0 if no access tag is configured.
MIIG-Flags	Access attribute tag. Options include: · 0x1—The route prefix can be used as a source prefix. · 0x2—The route prefix can be used as a destination prefix. · 0x3—The route prefix can be used as both a source and a destination prefix. This field displays 0 if no access tag is configured.

‌

# Display the advertisement information of SPA route [1][1][3.4.5.6][64][10::]/120.

<Sysname> display bgp ipv6 savnet spa [1][1][3.4.5.6][64][10::]/120 advertise-info

BGP local router ID: 3.4.5.6

Local AS number: 100

Route distinguisher: 3.4.5.6:0

Total number of routes: 1

Paths: 1 best

BGP routing table information of [1][1][3.4.5.6][64][10::]/120(TxPathID:0):

Advertised to peers (1 in total):

100::2

Table 10 Command output

Field	Description
BGP local router ID	Locally configured router ID of the device.
Local AS number	Local AS number.
Route distinguisher	Information of the SPA routes with the specified route distinguisher.
Total number of routes	Total number of SPA routes with the specified routing distinguisher.
Paths	Number of optimal routes.
BGP routing table information of [1][1][3.4.5.6][64][10::]/120(TxPathID:0)	SPA route advertisement information.
Advertised to peers (1 in total)	Peers to which the route has been sent and total number of the peers.

‌

# Display statistics about the SPA routes advertised to peer 1::1.

<Sysname> display bgp ipv6 savnet spa peer 1::1 advertised-routes statistics

Advertised routes total: 1

# Display statistics about the SPA routes received from peer 1::1.

<Sysname> display bgp ipv6 savnet spa peer 1::1 received-routes statistics

Received routes total: 1

Table 11 Command output

Field	Description
Advertised routes total	Total number of SPA routes advertised to the peer.
Received routes total	Total number of SPA routes received from the peer.

‌

# Display statistics about SPA routes.

<Sysname> display bgp ipv6 savnet spa statistics

Total number of SAVNET routes: 2

Total number of routes from all peers: 2

Route distinguisher: 3.4.5.6:0

Total number of routes: 2

Table 12 Command output

Field	Description
Total number of SAVNET routes	Total number of SAVNET routes for all route distinguishers.
Total number of routes from all peers	Total number of SAVNET routes received from all BGP IPv6 SAVNET peers.
Route distinguisher	Information of the SPA routes with the specified route distinguisher.
Total number of routes	Total number of SPA routes with the specified routing distinguisher.

‌

Related commands

import-route (Layer 3—IP Routing Command Reference)

display ipv6 savnet entry

Use display ipv6 savnet entry to display SAVNET entry information.

Syntax

display ipv6 savnet entry [ [ interface interface-type interface-number ] [ slot slot-number ] | vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays SAVNET entries for all interfaces.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the interface belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the public network is specified.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVNET entries on the active MPU. ‌

Examples

# Display SAVNET entry information for all interfaces in the public network. ‌

<Sysname> display ipv6 savnet entry

IPv6 savnet entry count: 4

Destination/Prefix length Type Interface VPN instance

2::9/128 BGP XGE3/0/1 --

11:12::/64 Static XGE3/0/2 --

2002::/64 Static XGE3/0/2 --

2003::2/128 Static XGE3/0/3 --

Table 13 Command output

Field	Description
IPv6 savnet entry count	Number of SAVNET entries.
Destination/Prefix length	IPv6 source prefix/prefix length.
Type	SAVNET entry type: · BGP—Entry dynamically generated through BGP. · Static—Entry manually generated by executing the ipv6 savnet entry command.
Interface	Interface name.
VPN instance	Name of the VPN Instance to which the SAVNET entry belongs. If the SAVNET entry belongs to the public network, this field displays two hyphens (--).

‌

display ipv6 savnet packet-drop statistics

Use display ipv6 savnet packet-drop statistics to display SAVNET packet drop statistics.

Syntax

display ipv6 savnet packet-drop statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command displays statistics about SAVNET-dropped packets on all interfaces.

Examples

# Display SAVNET packet drop statistics. ‌

<Sysname> display ipv6 savnet packet-drop statistics

Ten-GigabitEthernet3/0/1:

Packets:0 Bytes: 0

Ten-GigabitEthernet3/0/2:

Packets:10 Bytes: 1500

Table 14 Command output

Field	Description
Packets	Number of packets dropped by SAVNET.
Bytes	Number of bytes dropped by SAVNET.

‌

Related commands

reset ipv6 savnet packet-drop statistics

display isis savnet sav-table

Use display isis savnet sav-table to display the SAV route entries sent to the SAVNET module by IS-IS.

Syntax

display isis [ process-id ] savnet sav-table ipv6 [ ipv6-address [ prefix-length ] ] [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

process-id: Specifies an IS-IS process to display the route entries sent by it to the SAVNET module. The process-id argument represents the IS-IS process ID, a value in the range of 1 to 65535. If you do not specify a process, this command displays the route entries sent to the SAVNET module by all IS-IS processes.

ipv6-address [ prefix-length ]: Specifies a route entry sent by IS-IS to the SAVNET module. The ipv6-address and prefix-length arguments represent the destination IPv6 address and prefix length in the entry. If you do not specify a destination IPv6 address, this command displays all route entries sent by IS-IS. If you specify a destination IPv6 address without specifying a prefix length, this command displays the entry that has the longest match with the specified destination IPv6 address.

interface-type interface-number: Specifies an interface to display all route entries sent by IS-IS with the specified interface as the outgoing interface to the SAVNET module. If you do not specify an outgoing interface, this command does not filter route entries by their outgoing interface.

Examples

# Display the route entries sent by IS-IS process 1 to the SAVNET module.

<Sysname> display 1 isis savnet sav-table ipv6

SAVNET sav-table information for IS-IS(1)

-----------------------------------------

Destination/Prefix length: 1::1/128

Total: 1

Interface : XGE3/0/1 Flag: F

Destination/Prefix length: 2::2/128

Total: 1

Interface : XGE3/0/1 Flag: F

Destination/Prefix length: 2024::/64

Total: 1

Interface : XGE3/0/1 Flag: F

Table 15 Command output

Field	Description
Destination/Prefix length	Destination network prefix and prefix length.
Total	Total number of outgoing interfaces through which the destination network is reachable.
Interface	SAVNET-enabled IPv6 IS-IS interface.
Flag	Prefix status flag: · F—The entry already issued to SAVNET. · D—To be deleted.

ipv6 savnet deny

Use ipv6 savnet deny to specify an interface for generation of SAVNET denylist entries.

Use undo ipv6 savnet deny to restore the default.

Syntax

ipv6 savnet deny { consumer consumer-name | productor productor-name }

undo ipv6 savnet deny { consumer | productor productor-name }

Default

No interfaces are specified for generation of SAVNET denylist entries.

Views

Interface view

Predefined user roles

network-admin

Parameters

consumer consumer-name: Specifies the interface as a consumer of a source prefix producer. The consumer-name argument represents the consumer name, a case-sensitive string of 1 to 30 characters. An interface is a consumer of a source prefix producer if its consumer name is the same as the name of the source prefix producer.

productor productor-name: Specifies the interface as the source prefix producer. The productor-name argument represents a producer name, a case-sensitive string of 1 to 30 characters.

Usage guidelines

Operating mechanism

Use this command to specify interfaces for generation of SAVNET denylist entries.

The device creates SAVNET denylist entries upon receiving an IPv6 BGP unicast route, as follows:

1. Identifies the outgoing interface leading to the next hop of the route.

2. Determines whether the outgoing interface acts as source prefix producers.

3. If the outgoing interface acts as source prefix producers, the device identifies the consumer interfaces of each source prefix producer.

An interface is the consumer of a source prefix producer if its consumer name is the same as the producer name.

4. For each consumer of each source prefix producer, generates a SAVNET denylist entry.

In each entry, the source prefix is the destination address of the IPv6 BGP unicast route, the incoming interface is a consumer interface.

Restrictions and guidelines

You can execute the ipv6 savnet deny productor command multiple times to specify multiple interfaces as source prefix producers.

You can configure an interface as source prefix producers or as a consumer for generation of SAVNET denylist entries, but not both.

This feature is mutually exclusive with the SAVA feature. You cannot use them simultaneously. For more information about SAVA, see SAVA configuration in Security Configuration Guide.

Before you execute this command on a SAVNET interface, you must set its interface type to NNI.

This command is available only on the following interfaces:

· Layer 3 Ethernet interfaces.

· Layer 3 Ethernet subinterfaces.

· Layer 3 aggregate interfaces.

· Layer 3 aggregate subinterfaces.

· VLAN interfaces.

· FlexE interfaces.

Examples

# Configure interface Ten-GigabitEthernet 3/0/1 as a consumer of the source prefix producer test for generation of SAVNET denylist entries.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet deny consumer test

# Configure VLAN-interface 100 as a consumer of the source prefix producer test for generation of SAVNET denylist entries.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ipv6 savnet deny consumer test

Related commands

ipv6 savnet port-type

savnet denylist enable

ipv6 savnet entry

Use ipv6 savnet entry to manually deploy SAVNET entries to the driver.

Use undo ipv6 savnet entry to delete SAVNET entries manually deployed to the driver.

Syntax

ipv6 savnet entry prefix ipv6-address prefix-length

undo ipv6 savnet entry prefix ipv6-address prefix-length

Default

No manually deployed SAVNET entries exist in the driver.

Views

Interface view

Predefined user roles

network-admin

Parameters

prefix ipv6-address prefix-length: Specifies the prefix address and prefix length for the SAVNET entry or the first SAVNET entry. The value range for the prefix-length argument is 1 to 128.

Usage guidelines

Before manually deploying SAVNET entries to the driver on an interface, you must first configure the SAVNET access tag for the interface.

Examples

# Manually deploy SAVNET entries to the driver.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet entry prefix 1:1::1:1 10

ipv6 savnet log enable spoofing-packet

Use ipv6 savnet log enable spoofing-packet to enable SAVNET logging.

Use undo ipv6 savnet log enable spoofing-packet to disable SAVNET logging.

Syntax

ipv6 savnet log enable spoofing-packet [ interval interval | number number ] *

undo ipv6 savnet log enable spoofing-packet

Default

SAVNET logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval for outputting SAVNET log messages. The value range of the interval is 0 and 5 to 3600, in seconds. The default value is 60. When the interval value is 0, it means that the device will output a log message immediately when a spoofed packet is detected by SAVNET.

number number: Specifies the maximum number of log messages that can be output in each output interval. The value range is 1 to 128, and the default value is 128.

Usage guidelines

Operating mechanism

The SAVNET logging feature facilitates troubleshooting. When SAVNET detects a spoofed packet, the device will generate a log message (referred to as SAVNET log message). The generated log messages are sent to the information center, which specifies the log message output rules and destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Recommended configuration

When the device outputs a large amount of SAVNET detection log messages, it will reduce device performance and affect log viewing and troubleshooting. You can perform the following tasks as needed:

· Disable SAVNET logging.

· Increase the SAVNET log output interval to reduce the output frequency.

· Decrease the number of log messages that can be output in each interval. The exceeding log messages will not be displayed.

Restrictions and guidelines

‌‌A card can output a maximum of 128 SAVNET log messages each time.

Examples

# Enable logging for SAVNET detection of spoofed packets.

<Sysname> system-view

[Sysname] ipv6 savnet log enable spoofing-packet interval 10 number 20

Related commands

ipv6 savnet port-type

ipv6 savnet miig-tag

Use ipv6 savnet miig-tag to configure an SAVNET access tag for an interface.

Use undo ipv6 savnet miig-tag to delete the SAVNET access tag configured on an interface.

Syntax

ipv6 savnet miig-tag tag-value { single-homed | complete-multi-homed }

undo ipv6 savnet miig-tag tag-value { single-homed | complete-multi-homed }

Default

No SAVNET access tag is configured on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

tag-value: Specifies a tag value, an integer in the range of 1 to 4294967295.

{ single-homed | complete-multi-homed }: Specifies an access type. The single-homed keyword indicates single-homed, and the complete-multi-homed keyword indicates complete multi-homed.

Usage guidelines

Application scenarios

By default, a SAVNET device generate SAVNET entries only when it receives DPP routes. Because generation of DPP routes requires existence of non-direct entries or PBR in the FIB, DPP routes are often only generated on backbone network devices deployed with SAVNET. As shown in Figure 1, CE devices connected to the PE devices at the edge of the backbone network cannot generate DPP routes. Thus, the PE devices cannot generate SAVNET entries containing interfaces connected to the access subnets.

Figure 1 SAVNET access scenarios

‌

A mechanism has been developed to configure SAVNET devices to generate SAVNET entries using only SPA routes, helping PE devices in the access scenarios filter source address spoofed packets. This mechanism supports both single-homed and multi-homed access scenarios.

Operating mechanism

In an access scenario, after you configure an access tag for the user-side interface on a PE, the tag information can be carried in the SPA route. Based on the carried access tag information, the PE device can generate a SAVNET entry. The specific operating mechanism is as follows:

1. After you execute the ipv6 savnet miig-tag command on the user-side interface of the PE, this interface is configured with an access tag, including the access tag value and access type information.

2. When you execute the import-route command to import a route for obtaining source prefix information and generating an SPA route, the generated SPA route carries the access tag information (including tag value and access type) if all of the following conditions are met:

¡ You have specified the route-policy route-policy-name option in the import-route command.

¡ You have configured the apply tag command for the route policy specified by the route-policy route-policy-name option.

The tag value is that specified by the apply tag command and the access type is that specified by the ipv6 savnet miig-tag command.

3. When the PE device generates or receives the SPA route carrying the access tag information, it checks whether an interface with access tag information matching that carried in the SPA route exists locally:

¡ If an interface exists, the device generates a SAVNET entry with the source prefix as that carried in the SPA route and the incoming interface as this interface.

¡ If no interface exists, the device does not generate a SAVNET entry.

4. When the device receives an updated SPA route, the SAVNET entry generated based on the SPA route will be updated.

Restrictions and guidelines

If you have configured the same access tag value for different interfaces, you must also configure the same access type for the interfaces.

Before configuring the access tag information for an interface, you must first specify the SAVNET interface type of that interface. If you use the ipv6 savnet port-type command to restore the SAVNET interface type setting of an interface, the access tag information configured for that interface will also be deleted.

If an SPA route carrying tag information is generated, it can be advertised directly. You do not need to configure the outgoing interface of the corresponding IP route as a UNI.

Examples

# Configure an SAVNET access tag with tag value 100 and access type complete multi-homed for interface Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet miig-tag 100 complete-multi-homed

Related commands

apply tag (Layer 3—IP Routing Command Reference)

import-route (Layer 3—IP Routing Command Reference)

ipv6 savnet packet-drop enable

Use ipv6 savnet packet-drop enable to enable dropping of SAVNET-detected spoofed packets.

Use undo ipv6 savnet packet-drop enable to disable dropping of SAVNET-detected spoofed packets.

Syntax

ipv6 savnet packet-drop enable

undo ipv6 savnet packet-drop enable

Default

Dropping of SAVNET-detected spoofed packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

SAVNET entries are generated based on routes in the BGP IPv6 SAVNET address family view. When a large number of BGP routes exist on a SAVNET device, the device takes a long time to complete creation of all SAVNET entries. Before SAVNET entry creation completes, some valid IPv6 packets might be incorrectly dropped because the corresponding SAVNET entries have not been generated.

To resolve this issue, you can use the undo ipv6 savnet packet-drop enable command to disable dropping of SAVNET-detected spoofed packets during the SAVNET entry generation period. Thus, the SAVNET device will not drop packets that have no matching SAVNET entries, reducing incorrect dropping of valid packets. When all SAVNET entries are created, you can use the ipv6 savnet packet-drop enable command to enable dropping of SAVNET-detected spoofed packets.

Examples

# Disable dropping of SAVNET-detected spoofed packets.

<Sysname> system-view

[Sysname] undo ipv6 savnet packet-drop enable

ipv6 savnet port-type

Use ipv6 savnet port-type to specify the SAVNET interface type.

Use undo ipv6 savnet port-type to restore the default.

Syntax

ipv6 savnet port-type { nni | uni }

undo ipv6 savnet port-type

Default

No SAVNET interface type is configured.

Views

Interface view

Predefined user roles

network-admin

Parameters

nni: Specifies the network-to-network interface (NNI) type.

uni: Specifies the user network interface (UNI) type.

Usage guidelines

Application scenarios

After SAVNET entries are generated on the SAVNET devices through the BGP SPA and DPP routing protocols, the interfaces connected between the SAVNET neighbors need to be configured as NNI interfaces in order for the SAVNET entries to take effect.

· If the source IP address of a packet matches the SAVNET entry prefix on the input interface or does not match the SAVNET entry prefix of any interface on the device, the packet is permitted.

· If the source IP address of a packet does not match the SAVNET entry prefix of the input interface, but matches the SAVNET entry prefix of another interface, the packet is dropped.

An SPA route is generated by executing the import-route command in BGP IPv6 SAVNET address family view. The prefixes in the generated routes are the ones imported by the import-route command. If the outgoing interface of an import route is a UNI interface configured by this command, the SPA route generated based on that import route can be advertised to BGP IPv6 SAVNET peers.

Restrictions and guidelines

This feature is exclusive with the SAVA feature. For more information about SAVA configuration, see Security Configuration Guide.

This feature is supported on only Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate interfaces, Layer 3 aggregate subinterfaces, VLAN interfaces, and FlexE interfaces.

Examples

# Configure the SAVNET interface type of interface Ten-GigabitEthernet 3/0/1 as NNI. ‌

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] ipv6 savnet port-type nni

Related commands

display ipv6 savnet entry

isis ipv6 savnet enable

Use isis ipv6 savnet enable to enable SAVNET computation on an IPv6 IS-IS interface.

Use undo isis ipv6 savnet enable to disable SAVNET computation on an IPv6 IS-IS interface.

Syntax

isis ipv6 savnet enable

undo isis ipv6 savnet enable

Default

SAVNET computation is disabled on IPv6 IS-IS interfaces.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

IP source address spoofing attacks are a prevalent threat to network security, against which ACLs and unicast reverse path forwarding (uRPF) are typically used. Although both ACL and uRPF mitigate IP source address spoofing attacks, they each have notable limitations, as follows:

· High maintenance costs—ACL rules require manual maintenance, which is both tedious and error-prone.

· Risks posed by misconfiguration—Incorrect ACL configuration can block legitimate traffic or mistakenly permit malicious traffic to pass through.

· False-positive risk—uRPF validates source addresses based on the FIB. On networks with asymmetric routing, strict uRPF check might erroneously block legitimate traffic, while loose uRPF check might permit malicious traffic to pass through.

IS-IS SAVNET provides an optimized SAVNET solution to resolve these issues. In this solution, the SAVNET module automatically generates and updates accurate SAVNET entries based on IS-IS routing information to validate IPv6 source prefixes.

Operating mechanism

After you enable IS-IS SAVNET on each device in an IS-IS routing domain, IS-IS SAVNET operates on each device as follows:

1. Each device computes IS-IS routes and generates route entries. Each entry contains one destination prefix and one or multiple outgoing interfaces, in {destination prefix x; outgoing interface 1, outgoing interface 2, ...} format.

2. The IS-IS module sends the generated route entries to the SAVNET module, in {destination prefix x; interface 1}, {destination prefix x; interface 2} format.

3. The SAVNET module generates SAVNET entries based on the received route entries, and then uses these entries to validate IPv6 packets.

4. When a path in the IS-IS routing domain changes, IS-IS regenerates a {destination prefix; outgoing interface} entry and sends it to the SAVNET module, which then updates the SAVNET entry based on the received entry.

Restrictions and guidelines

To have the IS-IS module generate and issue {destination prefix; outgoing interface} entries to the SAVNET module, you must perform the following steps:

1. Execute the savnet enable command on each device in the IS-IS routing domain.

2. Execute the isis ipv6 savnet enable command on each NNI SAVNET interface.

Examples

# Enable SAVNET computation on IPv6 IS-IS interface Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] isis ipv6 enable 1

[Sysname-Ten-GigabitEthernet3/0/1] isis ipv6 savnet enable

Related commands

savnet enable

peer designate-router

Use peer designate-router to specify the designated router (DR) device.

Use undo peer designate-router to cancel the specification of the DR device .

Syntax

peer { group-name | ipv6-address [ prefix-length ] } designate-router

undo peer { group-name | ipv6-address [ prefix-length ] } designate-router

Default

No DR device is specified.

Views

BGP IPv6 SAVNET address family view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The specified peer group must already exist.

ipv6-address: Specifies a peer by its IPv6 address. The specified peer must already exist.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command applies to all dynamic peers in the subnet. If you do not specify this parameter, the command applies to the specified peer.

Usage guidelines

Application scenarios

Use this command to specify the DR device in the local AS for inter-domain SAVNET traffic validation.

Restrictions and guidelines

You must manually designate which device in an AS will act as the DR device. Then, all non-DR devices must use this command to specify the DR device to properly send inter-domain DPP information to the DR or receive inter-domain SPA and DPP information forwarded by the DR.

Only an IBGP peer or peer group can be designated as a DR. An EBGP peer or peer groups cannot be designated as a DR.

After this command is executed, the session between the local device and the specified peer/peer group will be disconnected and then reestablished.

Examples

# Specify peer 1::1 as the DR device.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6] peer 1::1 designate-router

Related commands

savnet validation-as

reset ipv6 savnet packet-drop statistics

Use reset ipv6 savnet packet-drop statistics to clear SAVNET packet drop statistics.

Syntax

reset ipv6 savnet packet-drop statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify this option, the command clears statistics about SAVNET-dropped packets on all interfaces.

Examples

# Clear the SAVNET packet drop statistics on all interfaces.

<Sysname> reset ipv6 savnet packet-drop statistics

Related commands

display ipv6 savnet packet-drop statistics

savnet allowlist enable

Use savnet allowlist enable to enable the SAVNET allowlist.

Use undo savnet allowlist enable to restore the default.

Syntax

savnet allowlist enable

undo savnet allowlist enable

Default

SAVNET allowlist is disabled.

Views

BGP IPv6 unicast address family view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

Use this feature on an intra-domain SAVNET network to generate SAVNET allowlist entries based on IGP routes.

Operating mechanism

On an intra-domain SAVNET network that generates SAVNET entries based on IGP routes, the IGP delivers the received destination prefixes (prefixes in IGP routes) to the BGP module on the same device. The BGP module then creates SAV routes, with their protocol type set to the IGP name. You can view these routes by executing the display bgp ipv6 savnet sav command.

The following information describes how the device creates SAVNET entries based on the SAVNET allowlist mechanism when it receives an IPv6 BGP unicast route from a remote SAVNET device:

1. The device searches the BGP SAV routes injected by IGPs for a match based on the destination address and incoming interface of the IPv6 BGP unicast route.

2. If a match is found, the device determines that a legitimate path is available to reach that destination address. Then, the device generates a SAVNET allowlist entry for that route. In this entry, the source prefix is the destination address of the IPv6 BGP unicast route, and the incoming interface is the outgoing interface in the matching IGP-type SAV route. If multiple matching IGP-type SAV routes are available, the device generates one SAVNET allowlist entry for each matching SAV route.

If the device receives a packet after it generates SAVNET entries, the device processes the packet as follows:

· If the source IP address and incoming interface of the packet both match a SAVNET denylist entry, the device discards the packet. If the matching entry is allowlisted, the device receives and processes the packet.

· If the source IP address of the packet matches a SAVNET denylist entry but its incoming interface does not match the entry, the device receives and processes the packet. If the matching entry is allowlisted, the device discards the packet.

· If the source IP address of the packet does not match any SAVNET entry, the device takes action depending on the type of its incoming interface. If the packet arrives at an NNI interface, the device permits the packet to pass through. If the packet arrives at a UNI interface, the device discards the packet.

· On consumer interfaces of the SAVNET denylist, the device compares incoming packets only with SAVNET denylist entries.

Examples

# In BGP IPv6 unicast address family view, enable the SAVNET allowlist.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 unicast

[Sysname-bgp-default-ipv6] savnet allowlist enable

Related commands

isis ipv6 savnet enable

savnet allowlist route-policy

Use savnet allowlist route-policy to control generation of the SAVNET allowlist through a routing policy.

Use undo savnet allowlist route-policy to restore the default.

Syntax

savnet allowlist route-policy route-policy-name

undo savnet allowlist route-policy

Default

The device does not use a routing policy to control generation of the SAVNET allowlist.

Views

BGP IPv6 unicast address family view

Predefined user roles

network-admin

Parameters

route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

After you enable the SAVNET allowlist by using the savnet allowlist enable command, all IPv6 BGP routes are by default available for generating SAVNET allowlist entries. To generate SAVNET allowlist entries flexibly only for some of the IPv6 BGP routes, use a routing policy. The device will generate SAVNET allowlist entries only for IPv6 BGP unicast routes that do not match the routing policy. If an IPv6 BGP route matches the routing policy, the device does not use it to generate a SAVNET allowlist entry.

Examples

# In BGP IPv6 unicast address family view, specify routing policy test to control generation of SAVNET allowlist entries.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 unicast

[Sysname-bgp-default-ipv6] savnet allowlist route-policy test

Related commands

savnet allowlist enable

savnet denylist enable

Use savnet denylist enable to enable the SAVNET denylist.

Use undo savnet denylist enable to restore the default.

Syntax

savnet denylist enable

undo savnet denylist enable

Default

The SAVNET denylist is disabled.

Views

BGP IPv6 unicast address family view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

Use this feature on an intra-domain SAVNET network to generate SAVNET denylist entries based on IGP routes.

Operating mechanism

On an intra-domain SAVNET network that delivers SAVNET information through an IGP, the IGP delivers the received destination prefixes (prefixes in IGP routes) to the BGP module on the same device. The BGP module then creates SAVNET routes, with their protocol type set to the IGP name. You can view these routes by executing the display bgp ipv6 savnet sav command.

The following information describes how the SAVNET denylist mechanism operates.

The device creates SAVNET denylist entries upon receiving an IPv6 BGP unicast route, as follows:

1. Identifies the outgoing interface leading to the next hop of the route.

2. Determines whether the outgoing interface acts as source prefix producers.

3. If the outgoing interface acts as source prefix producers, the device identifies the consumer interfaces of each source prefix producer. An interface is the consumer of a source prefix producer if its consumer name is the same as the producer name.

4. For each consumer of each source prefix producer, generates a SAVNET denylist entry.

In each entry, the source prefix is the destination address of the IPv6 BGP unicast route, the incoming interface is a consumer interface.

To specify an interface as a source prefix producer, use the ipv6 savnet deny productor command. To specify an interface as the consumer of a producer, execute the ipv6 savnet deny consumer command.

If the device receives a packet after it generates SAVNET entries, the device processes the packet as follows:

· On consumer interfaces of the SAVNET denylist, the device compares incoming packets only with SAVNET denylist entries.

Examples

# Enable the SAVNET denylist in BGP IPv6 unicast address family view.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 unicast

[Sysname-bgp-default-ipv6] savnet denylist enable

Related commands

ipv6 savnet deny

savnet denylist route-policy

Use savnet denylist route-policy to control generation of the SAVNET denylist through a routing policy.

Use undo savnet denylist route-policy to restore the default.

Syntax

savnet denylist route-policy route-policy-name

undo savnet denylist route-policy

Default

The device does not use a routing policy to control generation of the SAVNET denylist.

Views

BGP IPv6 unicast address family view

Predefined user roles

network-admin

Parameters

route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

After you enable the SAVNET denylist by using the savnet denylist enable command, all IPv6 BGP routes are by default available for generating SAVNET denylist entries. To generate SAVNET denylist entries flexibly only for some of the IPv6 BGP routes, use a routing policy. The device will generate SAVNET denylist entries only for IPv6 BGP unicast routes that match the routing policy.

Examples

# In BGP IPv6 unicast address family view, specify routing policy test to control generation of SAVNET denylist entries.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 unicast

[Sysname-bgp-default-ipv6] savnet denylist route-policy test

Related commands

savnet denylist enable

savnet enable

Use savnet enable to enable SAVNET computation on an IS-IS process.

Use undo savnet enable to disable SAVNET computation on an IS-IS process.

Syntax

savnet enable

undo savnet enable

Default

SAVNET computation is disabled on IS-IS processes.

Views

IS-IS IPv6 unicast address family view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

· High maintenance costs—ACL rules require manual maintenance, which is both tedious and error-prone.

· Risks posed by misconfiguration—Incorrect ACL configuration can block legitimate traffic or mistakenly permit malicious traffic to pass through.

Operating mechanism

After you enable IS-IS SAVNET on each device in an IS-IS routing domain, IS-IS SAVNET operates on each device as follows:

2. The IS-IS module sends the generated route entries to the SAVNET module, in {destination prefix x; interface 1}, {destination prefix x; interface 2} format.

3. The SAVNET module generates SAVNET entries based on the received route entries, and then uses these entries to validate IPv6 packets.

Restrictions and guidelines

To have the IS-IS module generate and issue {destination prefix; outgoing interface} entries to the SAVNET module, you must perform the following steps:

1. Execute the savnet enable command on each device in the IS-IS routing domain.

2. Execute the isis ipv6 savnet enable command on each NNI SAVNET interface.

Examples

# Enable SAVNET computation on IS-IS process 1.

<Sysname> system-view

[Sysname] isis 1

[Sysname-isis-1] address-family ipv6

[Sysname-isis-1-ipv6] savnet enable

Related commands

isis ipv6 savnet enable

savnet-entry expire-time

Use savnet-entry expire-time to set the SAVNET entry aging time.

Use undo savnet-entry expire-time to restore the default.

Syntax

savnet-entry expire-time time

undo savnet-entry expire-time

Default

The SAVNET entry aging time is 7200 seconds.

Views

BGP IPv6 SAVNET address family view

Predefined user roles

network-admin

Parameters

time: Sets a SAVNET entry aging time, in the value range of 60 to 172800 seconds.

Usage guidelines

Operating mechanism

To avoid traffic forwarding issues caused by retention of outdated SAVNET entries after the network topology changes, you can configure this command. SAVNET entries generated through BGP use the specified aging time and are maintained or updated through continuous reception of DPP routes. Entries that are not maintained or updated because no DPP routes are received before the aging timer expires will age out.

Restrictions and guidelines

Examples

# Set the SAVNET entry aging time to 100 seconds.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6] savnet-entry expire-time 100

Make sure the SAVNET entry aging time is at least twice the DPP route sending interval configured on the DPP routes’ source device. Continue? [y/n]

savnet validation-as

Use savnet validation-as to configure the validation AS numbers when the local AS acts as the source AS.

Use undo savnet validation-as to cancel the validation AS number configuration.

Syntax

savnet validation-as { as-number&<1-8> }

undo savnet validation-as [ as-number&<1-8> ]

Default

No validation AS number is configured when the local AS acts as the source AS.

Views

BGP IPv6 SAVNET address family view

Predefined user roles

network-admin

Parameters

as-number&<1-8>: The as-number argument specifies a validation AS number in the range of 1 to 4294967295. The &<1-8> argument indicates that you can specify a maximum of eight validation AS numbers.

Usage guidelines

Application scenarios

This command is used to implement the inter-domain traffic validation of SAVNET.

Operating mechanism

All ASBRs in the source AS must execute the savnet validation-as command. On non-DR ASBRs in the source AS, specify the DR (by using the peer designate-router command) and the validation AS number (by using the savnet validation-as command). Then, these ASBRs collect the ingress neighbor AS numbers in the AS_PATHs from the source AS to the validation AS, and send the collected ingress neighbor AS numbers to the DR in the source AS.

On the DR device in the source AS, after the validation AS number is specified using the savnet validation-as command, the DR collects the ingress neighbor AS numbers from its BGP routes. Then, the DR in the source AS consolidates all the ingress neighbor AS numbers to form an ingress neighbor AS list, and sends the list to the peer DR device through an inter-domain DPP route.

Restrictions and guidelines

The specified validation AS number cannot be the same as the local AS number.

You can use this command multiple times to configure multiple validation AS numbers for the local AS acting as the source AS.

Examples

# Configure AS 200 as the validation AS number when the local AS acts as the source AS.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] address-family ipv6 savnet

[Sysname-bgp-default-savnet-ipv6] savnet validation-as 200

Related commands

peer designate-router

12-Security Command Reference

SAVNET commands

Application scenarios

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Operating mechanism

Recommended configuration

Restrictions and guidelines

ipv6 savnet miig-tag

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Application scenarios

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

Application scenarios

Restrictions and guidelines

Application scenarios

Operating mechanism

Application scenarios

Operating mechanism

Application scenarios

Operating mechanism

Restrictions and guidelines

Operating mechanism

Restrictions and guidelines

Application scenarios

Operating mechanism

Restrictions and guidelines

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us