Content

SAVA commands· 1

display ipv6 sava· 1

display ipv6 sava packet-drop statistics· 2

ipv6 sava access-group· 3

ipv6 sava enable· 3

ipv6 sava log enable spoofing-packet 4

ipv6 sava import remote-route-tag· 5

reset ipv6 sava packet-drop statistics· 6

SAVA commands

For S7500X-G switch series, only LSCM2 series SC MPUs, SD interface cards, and SF interface cards support SAVA. If you configure SAVA on LSCM1GT48SC0 cards, SE interface cards, or LSCM2 series SC interface cards, the device will prompt that SAVA is not supported.

This feature is available only when the system operates in expert mode. For more information about system operating modes, see device management in Fundamentals Configuration Guide.

display ipv6 sava

Use display ipv6 sava to display SAVA entries.

Syntax

In standalone mode:‌

display ipv6 sava [ interface interface-type interface-number | slot slot-number ]

In IRF mode:

display ipv6 sava [ interface interface-type interface-number | chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA entries for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SAVA entries on the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SAVA entries on the global active MPU. (In IRF mode.) ‌

Examples

# Display SAVA entries. ‌

<Sysname> display ipv6 sava

IPv6 SAVA entry count: 2

Destination: 2011::                    Prefix length: 64

Interface: Vlan-int10                  Flags: L

 

Destination: 2012::                    Prefix length: 64

Interface: Vlan-int20                  Flags: L

Table 1 Command output

Field	Description
IPv6 SAVA entry count	Number of SAVA entries.
Destination	Destination IPv6 address.
Prefix length	Prefix length of the IPv6 address.
Interface	Interface name.
Flag	Flag of the SAVA entry: ·     L—Local entry. ·     R—Remote entry. ·     G—Access group entry.

‌

display ipv6 sava packet-drop statistics

Use display ipv6 sava packet-drop statistics to display SAVA packet drop statistics.

Syntax

display ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays SAVA packet drop statistics for all interfaces.

Examples

# Display SAVA packet drop statistics. ‌

<Sysname> display ipv6 sava packet-drop statistics

Vlan-interface10:

  Packets:0               Bytes: 0

 

Vlan-interface20:

  Packets:10              Bytes: 1500

Table 2 Command output

Field	Description
Packets	Number of packets dropped by SAVA.
Bytes	Number of bytes dropped by SAVA.

‌

Related commands

reset ipv6 sava packet-drop statistics

ipv6 sava access-group

Use ipv6 sava access-group to add an interface to an access group.

Use undo ipv6 sava access-group to remove an interface from an access group.

Syntax

ipv6 sava access-group group-name

undo ipv6 sava access-group

Default

An interface does not belong to any access group.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies an access group by its name, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If the device has multiple interfaces connected to the same LAN, the device might receive packets from users in the LAN on different interfaces. However, each interface creates SAVA entries only based on its local routes. When an interface receives a packet from the LAN for which the interface has no matching SAVA entry, the packet will be discarded.

To resolve this issue, you can add the interfaces to a SAVA access group. The interfaces in the SAVA access group will synchronize SAVA entries that are created based on local routes with each other. This avoids unexpected packet drop caused by asymmetric routing.

All interfaces in a SAVA access group must belong to the public network or the same VPN instance.

An interface can be added only to one SAVA access group. If you execute this command multiple times, the most recent configuration takes effect.

A SAVA access group can contain a maximum of eight interfaces.

Examples

# Add VLAN-interface 10 to SAVA access group aaa. ‌

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava access-group aaa

Related commands

ipv6 sava enable

ipv6 sava enable

Use ipv6 sava enable to enable SAVA.

Use undo ipv6 sava enable to disable SAVA.

Syntax

ipv6 sava enable

undo ipv6 sava enable

Default

SAVA is disabled.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

SAVA is mutually exclusive with uPRF and microsegmentation. Do not configure SAVA together with uRPF or microsegmentation.

If the device has a large number of routing entries, it might take a long time for the device to complete SAVA entry creation. Before SAVA entry creation completes, valid IPv6 packets might be dropped.

Examples

# Enable SAVA on VLAN-interface 10. ‌

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava enable

Related commands

display ipv6 sava

ipv6 sava access-group

ipv6 sava log enable spoofing-packet

Use ipv6 sava log enable spoofing-packet to enable SAVA logging.

Use undo ipv6 sava log enable spoofing-packet to disable SAVA logging.

Syntax

ipv6 sava log enable spoofing-packet [ interval interval | number number ]*

undo ipv6 sava log enable spoofing-packet

Default

SAVA logging is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval interval: Specifies the interval at which the device outputs SAVA logs, in seconds. The value can be 0 or in the range of 5 to 3600, and the default is 60. If you set the interval to 0 seconds, the device outputs a SAVA log immediately after detecting an IPv6 source address spoofing packet.

number number: Specifies the maximum number of SAVA logs that can be outputted each time, in the range of 1 to 128. The default is 128.

Usage guidelines

To identify and troubleshoot issues, enable SAVA logging.

This feature enables the device to output SAVA logs when SAVA detects spoofing packets.

With the information center, you can configure log destinations and output rules. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Outputting a large number of SAVA logs might degrade device performance and cause inconvenience for fault location. You can limit the number of SAVA logs that the device outputs each time.

A card can output a maximum of 128 SAVA logs each time.

Examples

# Enable SAVA logging.

<Sysname> system-view

[Sysname] ipv6 sava log enable spoofing-packet

ipv6 sava import remote-route-tag

Use ipv6 sava import remote-route-tag to enable an interface to create SAVA entries based on synchronized remote routes.

Use undo ipv6 sava import remote-route-tag to restore the default.

Syntax

ipv6 sava import remote-route-tag tag

undo ipv6 sava import remote-route-tag

Default

An interface does not create SAVA entries based on synchronized remote routes.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

tag: Specifies a tag of synchronized remote routes, in the range of 1 to 4294967295.

Usage guidelines

This command enables an interface to create SAVA entries based on synchronized remote entries with the specified route tag.

Use this command if the LAN connects to the backbone network through multiple access devices and LAN-side interfaces on the border devices do not have prefix information of all users in the LAN. This task ensures that the border devices have the same SAVA entries to avoid mistaken packet drop.

Each border device adds a route tag to local routes based on which SAVA entries are created and then advertises the tagged local routes to the other border devices through a routing protocol. The other border devices will create SAVA entries upon receiving the tagged routes advertised by other border devices.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to create SAVA entries based on synchronized remote entries with tag 10 on VLAN-interface 10. ‌

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] ipv6 sava import remote-route-tag 100

reset ipv6 sava packet-drop statistics

Use reset ipv6 sava packet-drop statistics to clear SAVA packet drop statistics.

Syntax

reset ipv6 sava packet-drop statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears SAVA packet drop statistics for all interfaces.

Examples

# Clear SAVA packet drop statistics.

<Sysname> reset ipv6 sava packet-drop statistics

Related commands

display ipv6 sava packet-drop statistics