
NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Example for Configuring IPv6 Secure Neighbor Discovery

This example describes how to configure IPv6 Secure Neighbor Discovery (SEND).

Networking Requirements

As shown in Figure 12-7, DeviceA is configured with IPv6 SEND, and DeviceB is assumed to be an attacker. When DeviceB sends packets to DeviceA, DeviceA treats them as invalid packets and discards them.

Figure 12-7 Networking for configuring IPv6 SEND
Note:

In this example, interface1 represents GE0/1/0.


Precautions

Configuration Roadmap

The roadmap for configuring IPv6 SEND is as follows:

  1. Configure a CGA-type IPv6 address and an ordinary IPv6 address on DeviceA.

  2. Enable strict security mode on the DeviceA interface.

  3. Configure IPv6 addresses on the DeviceB interface.

Data Preparation

To complete the configuration, you need the following data:

  • Name of the RSA key pair

  • Modifier and security level of the CGA address

  • CGA-type IPv6 address

  • IPv6 address of DeviceB

Procedure

  1. Configure a CGA-type IPv6 address on DeviceA.

    <HUAWEIA> system-view
    [~HUAWEIA] sysname DeviceA
    [*HUAWEIA] commit
    [*DeviceA] rsa key-pair label huawei
    [*DeviceA] interface gigabitethernet 0/1/0
    [*DeviceA-GigabitEthernet0/1/0] undo shutdown
    [*DeviceA-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security rsakey-pair huawei
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security modifier sec-level 1
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address fe80::3 link-local cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2/64 cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::1/64

  2. Enable strict security mode on the DeviceA interface.

    [*DeviceA-GigabitEthernet0/1/0] ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit

  3. Configure IPv6 addresses on DeviceB.

    <HUAWEIB> system-view
    [~HUAWEIB] sysname DeviceB
    [*HUAWEIB] commit
    [*DeviceB] ipv6
    [*DeviceB] interface gigabitethernet 0/1/0
    [*DeviceB-GigabitEthernet0/1/0] undo shutdown
    [*DeviceB-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address auto link-local
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2/64
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2/64
    [*DeviceB-GigabitEthernet0/1/0] commit

  4. Verify the configuration.

    If the configuration succeeds, the configured IPv6 addresses are displayed, the interface status and IPv6 protocol status are both Up, and the IPv6 SEND configuration information is shown.

    # Display information about GE0/1/0 on DeviceA.

    [~DeviceA-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
      Global unicast address(es):
        2001:db8:2::2092:84CE:827B:D5A4, subnet is 2001:db8:2::/64
        2001:db8:1::1, subnet is 2001:db8:1::/64
      Joined group address(es):
        FF02::1:FF7B:D5A4
        FF02::2
        FF02::1
        FF02::1:FFD6:6CA8
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Display the IPv6 SEND configuration of GE0/1/0 on DeviceA.

    [~DeviceA-GigabitEthernet0/1/0] display ipv6 security interface gigabitethernet 0/1/0
     (L) : Link local address
     SEND information for the interface : GigabitEthernet0/1/0
    ----------------------------------------------------------------------------
     IPv6 address                                   PrefixLength Collision Count
    ----------------------------------------------------------------------------
     FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
     2001:db8:2::2092:84CE:827B:D5A4                64           0
    ----------------------------------------------------------------------------
     SEND sec value : 1
     SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
     SEND RSA key label bound : huawei
     SEND ND minimum key length value : 512
     SEND ND maximum key length value : 2048
     SEND ND Timestamp delta value : 300
     SEND ND Timestamp fuzz value : 1
     SEND ND Timestamp drift value : 1
     SEND ND fully secured mode : enabled

    # Display information about GE0/1/0 on DeviceB.

    [~DeviceB-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
      Global unicast address(es):
        2001:db8:2::2, subnet is 2001:db8:2::/64
        2001:db8:1::2, subnet is 2001:db8:1::/64
      Joined group address(es):
        FF02::1:FF00:2
        FF02::2
        FF02::1
        FF02::1:FF13:8100
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 1200000 milliseconds
      ND retransmit interval is 1000 milliseconds
      Hosts use stateless autoconfig for addresses

    # Ping the CGA-type link-local address of DeviceA from DeviceB. Because IPv6 SEND is configured on DeviceA, the ping fails.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 0/1/0
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                

    # Ping the CGA-type global unicast address of DeviceA from DeviceB. Because IPv6 SEND is configured on DeviceA, the ping fails.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # Ping the ordinary (non-CGA) global unicast address of DeviceA from DeviceB. Because IPv6 SEND is configured on DeviceA, this ping also fails.

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:1::1
      PING 2001:db8:1::1 : 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
    
      --- 2001:db8:1::1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss
        round-trip min/avg/max = 0/0/0 ms
                                  

    # After IPv6 SEND is disabled on DeviceA, pinging the IPv6 addresses of DeviceA from DeviceB succeeds. Pinging the CGA-type global unicast address of DeviceA is used as an example.

    [*DeviceA-GigabitEthernet0/1/0] undo ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit
    [*DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=1 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=2 hop limit=64  time = 20 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=3 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=4 hop limit=64  time = 1 ms
        Reply from 2001:db8:2::2092:84CE:827B:D5A4
        bytes=56 Sequence=5 hop limit=64  time = 1 ms
    
      --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 1/4/20 ms
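
    As an added example (not Huawei's code and not part of this guide), the Python below implements the CGA generation and verification of RFC 3972 that the sec value, modifier and collision count displayed above feed into. The public key bytes are a constructed placeholder standing in for the DER-encoded RSA key behind the label huawei; the prefix is the one configured on DeviceA. A node that cannot supply parameters that verify for the address it claims, as DeviceB here, is exactly what strict mode rejects.

```python
import hashlib
import ipaddress

# Constructed placeholder for the DER-encoded RSA public key bound to the
# interface (the page shows only the key-pair label "huawei", not the key).
PUBKEY = b"\x30\x5c\x30\x0d" + bytes(range(88))
# 64-bit subnet prefix of the CGA address configured on DeviceA.
PREFIX = ipaddress.IPv6Network("2001:db8:2::/64").network_address.packed[:8]


def _interface_id(mod, prefix, collision_count, pubkey, sec):
    """Hash1 of RFC 3972 section 4: a 64-bit interface ID with Sec in the
    top 3 bits and the u/g bits cleared."""
    data = mod + prefix + bytes([collision_count]) + pubkey
    h1 = bytearray(hashlib.sha1(data).digest()[:8])
    h1[0] = (h1[0] & 0x1C) | (sec << 5)
    return bytes(h1)


def cga_generate(prefix, pubkey, sec, collision_count=0, modifier=0):
    """Search for a modifier whose Hash2 has 16*Sec leading zero bits (the
    work factor behind "sec-level"), then derive the CGA.
    Returns (IPv6Address, modifier bytes)."""
    while True:
        mod = modifier.to_bytes(16, "big")
        h2 = hashlib.sha1(mod + bytes(9) + pubkey).digest()[:14]
        if int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0:
            break
        modifier += 1
    iid = _interface_id(mod, prefix, collision_count, pubkey, sec)
    return ipaddress.IPv6Address(prefix + iid), mod


def cga_verify(address, mod, prefix, collision_count, pubkey):
    """Check that an address really derives from the CGA parameters, as a
    SEND receiver does before accepting an ND message for that address."""
    packed = ipaddress.IPv6Address(address).packed
    if collision_count > 2 or packed[:8] != prefix:
        return False
    sec = packed[8] >> 5  # Sec is carried in the address itself
    if packed[8:] != _interface_id(mod, prefix, collision_count, pubkey, sec):
        return False
    h2 = hashlib.sha1(mod + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0
```

The generated address has 0x20 as the first byte of its interface ID, the same Sec=1 pattern visible in DeviceA's 2001:db8:2::2092:84CE:827B:D5A4 above.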
                                    

Configuration Files

  • Configuration file of DeviceA

    #
     sysname DeviceA
    #
    ipv6
    #
    rsa key-pair label huawei
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 security rsakey-pair huawei
     ipv6 security modifier sec-level 1
     ipv6 address 2001:db8:2::/64 cga
     ipv6 address 2001:db8:1::1/64
     ipv6 address fe80::3 link-local cga
     ipv6 nd security strict
    #
    return
  • Configuration file of DeviceB

    #
     sysname DeviceB
    #
    ipv6
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ipv6 enable
     ipv6 address 2001:db8:2::2/64
     ipv6 address 2001:db8:1::2/64
     ipv6 address auto link-local
    #
    return
Updated: 2018-12-29

Document ID: EDOC1100057893
