NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Example for Configuring IPv6 SEND

This section provides examples for configuring IPv6 SEND.

Networking Requirements

As shown in Figure 12-7, IPv6 SEND is configured on Device A. Assume that Device B is an attacker. When Device B sends messages to Device A, Device A regards them as invalid and discards them.

Figure 12-7 Networking diagram for configuring IPv6 SEND

NOTE: In this example, interface 1 is GE 0/1/0.

Precautions

None.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a CGA IPv6 address and a common IPv6 address on Device A.

  2. Enable the strict security mode on an interface of Device A.

  3. Configure an IPv6 address for an interface on Device B.

Data Preparation

To complete the configuration, you need the following data:

  • RSA key pair name

  • Modifier value and security level of a CGA address

  • CGA IPv6 address

  • IPv6 address of Device B

Procedure

  1. Configure a CGA IPv6 address on Device A.

    <HUAWEIA> system-view
    [~HUAWEIA] sysname DeviceA
    [*HUAWEIA] commit
    [*DeviceA] rsa key-pair label huawei
    [*DeviceA] interface gigabitethernet 0/1/0
    [*DeviceA-GigabitEthernet0/1/0] undo shutdown
    [*DeviceA-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security rsakey-pair huawei
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security modifier sec-level 1
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address fe80::3 link-local cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2/64 cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::1/64

  2. Enable the strict security mode on an interface of Device A.

    [*DeviceA-GigabitEthernet0/1/0] ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit

  3. Configure an IPv6 address for an interface on Device B.

    <HUAWEIB> system-view
    [~HUAWEIB] sysname DeviceB
    [*HUAWEIB] commit
    [*DeviceB] ipv6
    [*DeviceB] interface gigabitethernet 0/1/0
    [*DeviceB-GigabitEthernet0/1/0] undo shutdown
    [*DeviceB-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address auto link-local
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2/64
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2/64
    [*DeviceB-GigabitEthernet0/1/0] commit

  4. Verify the configuration.

    If the configuration is successful, the command output shows that the IPv6 addresses and IPv6 SEND have been configured and that the interface status and IPv6 protocol status are Up.

    # View information about GE 0/1/0 on Device A.

    [~DeviceA-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
      Global unicast address(es):
        2001:db8:2::2092:84CE:827B:D5A4, subnet is 2001:db8:2::/64
        2001:db8:1::1, subnet is 2001:db8:1::/64
      Joined group address(es):
        FF02::1:FF7B:D5A4
        FF02::2
        FF02::1
        FF02::1:FFD6:6CA8
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # View the IPv6 SEND configuration on GE 0/1/0 of Device A.

    [~DeviceA-GigabitEthernet0/1/0] display ipv6 security interface gigabitethernet 0/1/0
     (L) : Link local address
     SEND information for the interface : GigabitEthernet0/1/0
    ----------------------------------------------------------------------------
     IPv6 address                                   PrefixLength Collision Count
    ----------------------------------------------------------------------------
     FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
     2001:db8:2::2092:84CE:827B:D5A4                64           0
    ----------------------------------------------------------------------------
     SEND sec value : 1
     SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
     SEND RSA key label bound : huawei
     SEND ND minimum key length value : 512
     SEND ND maximum key length value : 2048
     SEND ND Timestamp delta value : 300
     SEND ND Timestamp fuzz value : 1
     SEND ND Timestamp drift value : 1
     SEND ND fully secured mode : enabled

    # View information about GE 0/1/0 on Device B.

    [~DeviceB-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
      Global unicast address(es):
        2001:db8:2::2, subnet is 2001:db8:2::/64
        2001:db8:1::2, subnet is 2001:db8:1::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::2
        FF02::1
        FF02::1:FF13:8100
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the CGA link-local address of Device A from Device B. The ping fails because IPv6 SEND is configured on Device A.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 0/1/0
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                

    # Ping the CGA global unicast address of Device A from Device B. The ping fails because IPv6 SEND is configured on Device A.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # Ping the common global unicast address of Device A from Device B. The ping fails because IPv6 SEND is configured on Device A.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:1::1
      PING 2001:db8:1::1 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 2001:db8:1::1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # Disable the IPv6 SEND strict security mode on Device A. The ping from Device B to Device A then succeeds. The following example pings the CGA global unicast address of Device A.

    [*DeviceA-GigabitEthernet0/1/0] undo ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit
    [*DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=1 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=2 hop limit=64  time = 20 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=3 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=4 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=5 hop limit=64  time = 1 ms
    
      --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/4/20 ms
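
The CGA addresses shown above bind the interface identifier to the RSA public key through the modifier, security level and collision count. The following added example (not part of the original guide and not Huawei code) implements RFC 3972 CGA generation and verification in Python at Sec 1, the level configured on Device A; it covers only the address-to-key binding, not the RSA signature that SEND also checks. Assumptions: PUBKEY is a constructed stand-in for a DER-encoded key, and the modifier search starts at 0 rather than a random value so that the run is repeatable.

```python
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
PUBKEY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + bytes(range(140))
IID_MASK = 0x1CFFFFFFFFFFFFFF  # skips the Sec bits (0-2) and the u/g bits (6-7)

def hash2_ok(mod: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 (leftmost 112 bits of SHA-1) must start with 16*sec zero bits."""
    hash2 = hashlib.sha1(mod + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0

def hash1(mod: bytes, prefix: bytes, count: int, pubkey: bytes) -> int:
    """Hash1: leftmost 64 bits of SHA-1 over the CGA parameters."""
    data = mod + prefix + bytes([count]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def generate(prefix: bytes, pubkey: bytes, sec: int, start: int = 0):
    """Return (address, modifier, collision_count) for an 8-byte prefix."""
    modifier = start  # assumption: fixed start for repeatability; RFC uses random
    while not hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
    mod, count = modifier.to_bytes(16, "big"), 0  # count rises only on DAD collision
    iid = (hash1(mod, prefix, count, pubkey) & IID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), mod, count

def sec_of(addr) -> int:
    """Sec is carried in the three leftmost bits of the interface identifier."""
    return ipaddress.IPv6Address(addr).packed[8] >> 5

def verify(addr, mod: bytes, count: int, pubkey: bytes) -> bool:
    """Receiver-side check that addr is bound to pubkey via (mod, count)."""
    packed = ipaddress.IPv6Address(addr).packed
    prefix, iid = packed[:8], int.from_bytes(packed[8:], "big")
    if count not in (0, 1, 2):
        return False
    if (hash1(mod, prefix, count, pubkey) ^ iid) & IID_MASK:
        return False
    return hash2_ok(mod, pubkey, sec_of(addr))

if __name__ == "__main__":
    prefix = ipaddress.IPv6Address("2001:db8:2::").packed[:8]
    addr, mod, count = generate(prefix, PUBKEY, sec=1)  # sec-level 1, as configured
    print(addr, mod.hex(), verify(addr, mod, count, PUBKEY))
    # Device B's manually assigned address is not derived from the key.
    print(verify("2001:db8:2::2", mod, count, PUBKEY))
```

Both CGA addresses in the Device A output carry Sec 1 in the top three bits of the interface identifier (0x30 and 0x20), which `sec_of` reads back.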
                                    

Configuration Files

  • Configuration file of Device A

    #
     sysname DeviceA
    #
    ipv6
    #
    rsa key-pair label huawei
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 security rsakey-pair huawei
     ipv6 security modifier sec-level 1
     ipv6 address 2001:db8:2::/64 cga
     ipv6 address 2001:db8:1::1/64
     ipv6 address fe80::3 link-local cga
     ipv6 nd security strict
    #
    return

  • Configuration file of Device B

    #
     sysname DeviceB
    #
    ipv6
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:2::2/64
     ipv6 address 2001:db8:1::2/64
     ipv6 address auto link-local
    #
    return
Updated: 2019-01-02

Document ID: EDOC1100055376
