所选语种没有对应资源,请选择:
企业业务网站
选择区域/语言
Huawei Global - English
技术支持 文档中心
NE20E-S V800R011C10 配置指南 - IP业务 02
评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置IPv6安全邻居发现示例

配置IPv6安全邻居发现示例

本举例介绍IPv6安全邻居发现功能的配置过程。

组网需求

图13-10所示,DeviceA配置了IPv6安全邻居发现功能,假设DeviceB作为攻击者。当DeviceB向DeviceA发送报文时,DeviceA将该报文视为非法报文而丢弃。

图13-10 配置IPv6安全邻居发现功能组网图

本例中interface1代表GE0/1/0


配置注意事项

配置思路

采用如下的思路配置IPv6安全邻居发现功能:

  1. DeviceA上配置CGA类型的IPv6地址和普通IPv6地址。

  2. DeviceA上使能接口的严格安全模式功能。

  3. DeviceB上配置接口的IPv6地址。

数据准备

为完成此配置举例,需要准备如下数据:

  • RSA密钥对名字

  • CGA地址的修正值和安全级别

  • CGA类型的IPv6地址

  • DeviceB的IPv6地址

操作步骤

  1. 配置DeviceA的CGA类型的IPv6地址 

    <HUAWEIA> system-view
    [~HUAWEIA] sysname DeviceA
    [*HUAWEIA] commit
    [*DeviceA] rsa key-pair label huawei
    [*DeviceA] interface gigabitethernet 0/1/0
    [*DeviceA-GigabitEthernet0/1/0] undo shutdown
    [*DeviceA-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security rsakey-pair huawei
    [*DeviceA-GigabitEthernet0/1/0] ipv6 security modifier sec-level 1
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address fe80::3 link-local cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::/64 cga
    [*DeviceA-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::1/64

  2. 使能DeviceA接口的严格安全模式功能 

    [*DeviceA-GigabitEthernet0/1/0] ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit

  3. 配置DeviceB的IPv6地址 

    <HUAWEIB> system-view
    [~HUAWEIB] sysname DeviceB
    [*HUAWEIB] commit
    [*DeviceB] ipv6
    [*DeviceB] interface gigabitethernet 0/1/0
    [*DeviceB-GigabitEthernet0/1/0] undo shutdown
    [*DeviceB-GigabitEthernet0/1/0] ipv6 enable
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address auto link-local
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:2::2/64
    [*DeviceB-GigabitEthernet0/1/0] ipv6 address 2001:db8:1::2/64
    [*DeviceB-GigabitEthernet0/1/0] commit

  4. 验证配置结果

    如果配置成功,可以查看配置的IPv6地址,以及接口状态为Up,IPv6协议状态为Up,IPv6安全邻居发现功能配置信息。

    # 显示DeviceA的GE0/1/0接口的信息。

    [~DeviceA-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
  Global unicast address(es):
    2001:db8:2::2092:84CE:827B:D5A4, subnet is 2001:db8:2::/64
    2001:db8:1::1, subnet is 2001:db8:1::/64
  Joined group address(es):
    FF02::1:FF7B:D5A4
    FF02::2
    FF02::1
    FF02::1:FFD6:6CA8
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 1200000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

    # 显示DeviceA的GE0/1/0接口的IPv6安全邻居发现功能的配置信息。

    [~DeviceA-GigabitEthernet0/1/0] display ipv6 security interface gigabitethernet 0/1/0
     (L) : Link local address
 SEND information for the interface : GigabitEthernet0/1/0
----------------------------------------------------------------------------
 IPv6 address                                   PrefixLength Collision Count
----------------------------------------------------------------------------
 FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
 2001:db8:2::2092:84CE:827B:D5A4                64           0
----------------------------------------------------------------------------
 SEND sec value : 1
 SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
 SEND RSA key label bound : huawei
 SEND ND minimum key length value : 512
 SEND ND maximum key length value : 2048
 SEND ND Timestamp delta value : 300
 SEND ND Timestamp fuzz value : 1
 SEND ND Timestamp drift value : 1
 SEND ND fully secured mode : enabled

    # 显示DeviceB的GE0/1/0接口的信息。

    [~DeviceB-GigabitEthernet0/1/0] display this ipv6 interface
    GigabitEthernet0/1/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
  Global unicast address(es):
    2001:db8:2::2, subnet is 2001:db8:2::/64
    2001:db8:1::2, subnet is 2001:db8:1::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::2
    FF02::1
    FF02::1:FF13:8100
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 1200000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses

    # 从DeviceB ping DeviceA的CGA类型的链路本地地址,由于DeviceA配置了IPv6安全邻居发现功能,无法ping通。

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 0/1/0
      PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

    # 从DeviceB ping DeviceA的CGA类型的全球单播地址,由于DeviceA配置了IPv6安全邻居发现功能,无法ping通。

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

    # 从DeviceB ping DeviceA的普通全球单播地址,由于DeviceA配置了IPv6安全邻居发现功能,也无法ping通。

    [~DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:1::1
      PING 2001:db8:1::1 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

    # 去使能DeviceA的IPv6安全邻居发现功能后,从DeviceB ping DeviceA的IPv6,可以ping通。以ping DeviceA的CGA类型的全球单播地址为例。

    [*DeviceA-GigabitEthernet0/1/0] undo ipv6 nd security strict
    [*DeviceA-GigabitEthernet0/1/0] commit
    [*DeviceB-GigabitEthernet0/1/0] ping ipv6 2001:db8:2::2092:84CE:827B:D5A4
      PING 2001:db8:2::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
    Reply from 2001:db8:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=1 hop limit=64  time = 1 ms
    Reply from 2001:db8:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=2 hop limit=64  time = 20 ms
    Reply from 2001:db8:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=3 hop limit=64  time = 1 ms
    Reply from 2001:db8:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=4 hop limit=64  time = 1 ms
    Reply from 2001:db8:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=5 hop limit=64  time = 1 ms

  --- 2001:db8:2::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/4/20 ms

配置文件

  • DeviceA的配置文件

    #
 sysname DeviceA
#
ipv6
#
rsa key-pair label huawei
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 security rsakey-pair huawei
 ipv6 security modifier sec-level 1
 ipv6 address 2001:db8:2::/64 cga
 ipv6 address 2001:db8:1::1/64
 ipv6 address fe80::3 link-local cga
 ipv6 nd security strict
#
return

  • DeviceB的配置文件

    #
 sysname DeviceB
#
ipv6
#
interface GigabitEthernet0/1/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8:2::2/64
 ipv6 address 2001:db8:1::2/64
 ipv6 address auto link-local
#
return
翻译
English
下载文档
更新时间:2020-02-07

文档编号:EDOC1100125614

浏览量:14224

下载量:65

平均得分:
本文档适用于这些产品

相关版本

相关文档

分享
上一页 下一页

版权所有 © 华为技术有限公司 1998-2022。 保留一切权利。粤A2-20044005号

您正离开华为站点,前往: