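CloudEngine 12800, 12800E V200R005C00 Configuration Guide - IP Services

This document describes how to configure IP services, including basic IPv4 configuration, ARP, DHCP, DNS, UDP Helper, IP performance, basic IPv6 configuration, DHCPv6, IPv6 DNS, and IPv6 transition technologies.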
Example for Configuring IPv6 Secure Neighbor Discovery

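Networking Requirements

As shown in Figure 7-17, IPv6 secure neighbor discovery is configured on SwitchA to improve its security. When SwitchB, on which IPv6 secure neighbor discovery is not configured, sends packets to SwitchA, SwitchA treats the packets as invalid and discards them.

Figure 7-17 Networking diagram for configuring IPv6 secure neighbor discovery

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a CGA IPv6 address and a common IPv6 address on SwitchA.

  2. Enable strict security mode on the interface of SwitchA.

  3. Configure IPv6 addresses on the interface of SwitchB.

Procedure

  1. Configure CGA IPv6 addresses on SwitchA.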

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] rsa key-pair label huawei
    [*SwitchA] interface 10ge 1/0/1
    [*SwitchA-10GE1/0/1] undo portswitch
    [*SwitchA-10GE1/0/1] ipv6 enable
    [*SwitchA-10GE1/0/1] ipv6 security rsakey-pair huawei
    [*SwitchA-10GE1/0/1] ipv6 security modifier sec-level 1
    [*SwitchA-10GE1/0/1] ipv6 address fe80::3 link-local cga
    [*SwitchA-10GE1/0/1] ipv6 address fc00:2::/64 cga
    [*SwitchA-10GE1/0/1] ipv6 address fc00:1::1/64

  2. Enable strict security mode on the interface of SwitchA.

    [*SwitchA-10GE1/0/1] ipv6 nd security strict
    [*SwitchA-10GE1/0/1] commit

  3. Configure IPv6 addresses on SwitchB.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] interface 10ge 1/0/1
    [~SwitchB-10GE1/0/1] undo portswitch
    [*SwitchB-10GE1/0/1] ipv6 enable
    [*SwitchB-10GE1/0/1] ipv6 address auto link-local
    [*SwitchB-10GE1/0/1] ipv6 address fc00:2::2/64
    [*SwitchB-10GE1/0/1] ipv6 address fc00:1::2/64
    [*SwitchB-10GE1/0/1] commit

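  4. Verify the configuration.

    If the configuration succeeds, you can view the configured IPv6 addresses, confirm that the interface state and the IPv6 protocol state are both Up, and view the IPv6 secure neighbor discovery configuration.

    # Display information about 10GE1/0/1 on SwitchA.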

    [~SwitchA-10GE1/0/1] display this ipv6 interface
    10GE1/0/1 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
      Global unicast address(es):
        FC00:1::1, subnet is FC00:1::/64
        FC00:2::2092:84CE:827B:D5A4, subnet is FC00:2::/64
      Joined group address(es):
        FF02::1:FF00:1
        FF02::1:FF7B:D5A4
        FF02::1:FFD6:6CA8
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Display the IPv6 secure neighbor discovery configuration of 10GE1/0/1 on SwitchA.

    [~SwitchA-10GE1/0/1] display ipv6 security interface 10ge 1/0/1
     (L) : Link local address
     SEND: Security ND
     SEND information for the interface : 10GE1/0/1
    ----------------------------------------------------------------------------
     IPv6 address                                   PrefixLength Collision Count
    ----------------------------------------------------------------------------
     FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
     FC00:2::2092:84CE:827B:D5A4                    64           0
    ----------------------------------------------------------------------------
     SEND sec value : 1
     SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
     SEND RSA key label bound : huawei
     SEND ND minimum key length value : 512
     SEND ND maximum key length value : 2048
     SEND ND Timestamp delta value : 300
     SEND ND Timestamp fuzz value : 1
     SEND ND Timestamp drift value : 1
     SEND ND fully secured mode : enable

    # Display information about 10GE1/0/1 on SwitchB.

    [~SwitchB-10GE1/0/1] display this ipv6 interface
    10GE1/0/1 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
      Global unicast address(es):
        FC00:1::2, subnet is FC00:1::/64
        FC00:2::2, subnet is FC00:2::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::1:FF13:8100
        FF02::2
        FF02::1
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the CGA link-local address of SwitchA from SwitchB. The ping fails because IPv6 secure neighbor discovery is configured on SwitchA.

    [~SwitchB-10GE1/0/1] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i 10ge 1/0/1
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

    # Ping the CGA global unicast address of SwitchA from SwitchB. The ping fails because IPv6 secure neighbor discovery is configured on SwitchA.

    [~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
      PING FC00:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

    # Ping the common global unicast address of SwitchA from SwitchB. The ping also fails because IPv6 secure neighbor discovery is configured on SwitchA.

    [~SwitchB-10GE1/0/1] ping ipv6 FC00:1::1
      PING FC00:1::1 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FC00:1::1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms

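    # After IPv6 secure neighbor discovery is disabled on SwitchA, pinging the IPv6 addresses of SwitchA from SwitchB succeeds. The following uses the CGA global unicast address of SwitchA as an example.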

    [~SwitchA-10GE1/0/1] undo ipv6 nd security strict
    [*SwitchA-10GE1/0/1] commit
    [~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
      PING FC00:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=1 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=2 hop limit=64  time = 20 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=3 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=4 hop limit=64  time = 1 ms
        Reply from FC00:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=5 hop limit=64  time = 1 ms
    
      --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/4/20 ms
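
Added example, not part of the Huawei document: cryptographically generated addresses are defined in RFC 3972, and the Python code below generates one and runs the receiver-side check that binds the address to a public key, a modifier and a collision count (the values listed in the `display ipv6 security interface` output above). The key byte strings and function names are constructed for illustration; a real CGA hashes the DER-encoded public key, and extension fields are omitted here.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF  # ignores Sec (bits 0-2) and u/g (bits 6-7)
# Constructed stand-ins: a real CGA hashes the DER-encoded public key.
PUBKEY = b"constructed stand-in for SwitchA's DER-encoded RSA public key"
OTHER_KEY = b"constructed stand-in for some other node's public key"

def sec_of(addr: str) -> int:
    """Sec is carried in the three leftmost bits of the interface ID."""
    return (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)) >> 61

def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 (prefix and collision count zeroed) needs 16*Sec leading zero bits."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return h2[:2 * sec] == bytes(2 * sec)

def hash1(modifier: bytes, prefix: bytes, collisions: int, pubkey: bytes) -> int:
    """Hash1 = leftmost 64 bits of SHA-1 over the full CGA parameters."""
    data = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def generate(prefix: str, pubkey: bytes, sec: int, start: int = 0):
    """Return (address, modifier); the modifier search costs about 2**(16*sec)."""
    mod = start
    while not hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % 2**128
    modifier = mod.to_bytes(16, "big")
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    iid = (hash1(modifier, pfx, 0, pubkey) & IID_MASK) | (sec << 61)
    return str(ipaddress.IPv6Address(pfx + iid.to_bytes(8, "big"))), modifier

def verify(addr: str, modifier: bytes, collisions: int, pubkey: bytes) -> bool:
    """Receiver-side check: the address must be bound to this key and modifier."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = int.from_bytes(packed[8:], "big")
    if collisions not in (0, 1, 2):
        return False
    if (hash1(modifier, packed[:8], collisions, pubkey) & IID_MASK) != (iid & IID_MASK):
        return False
    return hash2_ok(modifier, pubkey, iid >> 61)

if __name__ == "__main__":
    # Both CGA addresses in the display output on this page encode Sec = 1.
    print(sec_of("FE80::3057:B5D6:6BD6:6CA8"), sec_of("FC00:2::2092:84CE:827B:D5A4"))
    addr, modifier = generate("fc00:2::/64", PUBKEY, sec=1)
    print(addr, verify(addr, modifier, 0, PUBKEY), verify(addr, modifier, 0, OTHER_KEY))
```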

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    interface 10GE1/0/1
     undo portswitch
     ipv6 enable
     ipv6 security rsakey-pair huawei
     ipv6 security modifier sec-level 1
     ipv6 address FC00:1::1/64
     ipv6 address FC00:2::/64 cga
     ipv6 address FE80::3 link-local cga
     ipv6 nd security strict
    #
    return

  • SwitchB configuration file

    #
    sysname SwitchB
    #
    interface 10GE1/0/1
     undo portswitch
     ipv6 enable
     ipv6 address FC00:1::2/64
     ipv6 address FC00:2::2/64
     ipv6 address auto link-local
    #
    return
Updated: 2019-04-19

Document ID: EDOC1100039516
