Example: Configuring IPv6 Secure Neighbor Discovery (SEND)
Networking Requirements
As shown in Figure 1, to improve the security of SwitchA, IPv6 Secure Neighbor Discovery (SEND) is configured on SwitchA. When SwitchB, a device on the network on which IPv6 SEND is not configured, sends packets to SwitchA, SwitchA treats those packets as invalid and discards them.
Configuration Roadmap
Configure IPv6 SEND as follows:
- Configure a CGA-type IPv6 address and a normal IPv6 address on SwitchA.
- Enable strict security mode on the SwitchA interface.
- Configure IPv6 addresses on the SwitchB interface.
Procedure
- Configure a CGA-type IPv6 address on SwitchA
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] rsa key-pair label switch
[*SwitchA] interface 10ge 1/0/1
[*SwitchA-10GE1/0/1] undo portswitch
[*SwitchA-10GE1/0/1] ipv6 enable
[*SwitchA-10GE1/0/1] ipv6 security rsakey-pair switch
[*SwitchA-10GE1/0/1] ipv6 security modifier sec-level 1
[*SwitchA-10GE1/0/1] ipv6 address fe80::3 link-local cga
[*SwitchA-10GE1/0/1] ipv6 address fc00:2::/64 cga
[*SwitchA-10GE1/0/1] ipv6 address fc00:1::1/64
- Enable strict security mode on the SwitchA interface
[*SwitchA-10GE1/0/1] ipv6 nd security strict
[*SwitchA-10GE1/0/1] commit
- Configure IPv6 addresses on SwitchB
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] undo portswitch
[*SwitchB-10GE1/0/1] ipv6 enable
[*SwitchB-10GE1/0/1] ipv6 address auto link-local
[*SwitchB-10GE1/0/1] ipv6 address fc00:2::2/64
[*SwitchB-10GE1/0/1] ipv6 address fc00:1::2/64
[*SwitchB-10GE1/0/1] commit
- Verify the configuration
If the configuration succeeds, the configured IPv6 addresses are displayed, the interface state and the IPv6 protocol state are both Up, and the IPv6 SEND configuration of the interface is displayed.
# Display information about 10GE1/0/1 on SwitchA.
[~SwitchA-10GE1/0/1] display this ipv6 interface
10GE1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
  Global unicast address(es):
    FC00:1::1, subnet is FC00:1::/64
    FC00:2::2092:84CE:827B:D5A4, subnet is FC00:2::/64
  Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF7B:D5A4
    FF02::1:FFD6:6CA8
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 1200000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# Display the IPv6 SEND configuration of 10GE1/0/1 on SwitchA.
[~SwitchA-10GE1/0/1] display ipv6 security interface 10ge 1/0/1
(L) : Link local address
SEND: Security ND
SEND information for the interface : 10GE1/0/1
----------------------------------------------------------------------------
IPv6 address                              PrefixLength    Collision Count
----------------------------------------------------------------------------
FE80::3057:B5D6:6BD6:6CA8 (L)             10              0
FC00:2::2092:84CE:827B:D5A4               64              0
----------------------------------------------------------------------------
SEND sec value : 1
SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
SEND RSA key label bound : switch
SEND ND minimum key length value : 512
SEND ND maximum key length value : 2048
SEND ND Timestamp delta value : 300
SEND ND Timestamp fuzz value : 1
SEND ND Timestamp drift value : 1
SEND ND fully secured mode : enable
# Display information about 10GE1/0/1 on SwitchB.
[~SwitchB-10GE1/0/1] display this ipv6 interface
10GE1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
  Global unicast address(es):
    FC00:1::2, subnet is FC00:1::/64
    FC00:2::2, subnet is FC00:2::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::1:FF13:8100
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 1200000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
# Ping the CGA-type link-local address of SwitchA from SwitchB. Because IPv6 SEND is configured on SwitchA, the ping fails.
[~SwitchB-10GE1/0/1] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i 10ge 1/0/1
  PING FE80::3057:B5D6:6BD6:6CA8 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms
# Ping the CGA-type global unicast address of SwitchA from SwitchB. Because IPv6 SEND is configured on SwitchA, the ping fails.
[~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
  PING FC00:2::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms
# Ping the normal (non-CGA) global unicast address of SwitchA from SwitchB. Because IPv6 SEND is configured on SwitchA, this ping fails as well.
[~SwitchB-10GE1/0/1] ping ipv6 FC00:1::1
  PING FC00:1::1 : 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- FC00:1::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms
# After IPv6 SEND is disabled on SwitchA, pings from SwitchB to the IPv6 addresses of SwitchA succeed. The CGA-type global unicast address of SwitchA is used as an example.
[~SwitchA-10GE1/0/1] undo ipv6 nd security strict
[*SwitchA-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] ping ipv6 FC00:2::2092:84CE:827B:D5A4
  PING FC00:2::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
    Reply from FC00:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=1 hop limit=64 time = 1 ms
    Reply from FC00:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=2 hop limit=64 time = 20 ms
    Reply from FC00:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=3 hop limit=64 time = 1 ms
    Reply from FC00:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=4 hop limit=64 time = 1 ms
    Reply from FC00:2::2092:84CE:827B:D5A4
    bytes=56 Sequence=5 hop limit=64 time = 1 ms
  --- FC00:2::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/4/20 ms
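The `cga` addresses, the `sec-level 1` setting, the modifier and the collision count displayed above are the outputs of the RFC 3972 CGA algorithm. The following Python is an added illustration (not Huawei code) of how such an address is generated and how a SEND verifier checks that it is bound to the sender's key; the public key bytes and the fixed starting modifier are constructed stand-ins for the switch's RSA key pair and its random modifier. Note that the first octet of the displayed interface identifier (0x20 in FC00:2::2092:...) encodes sec = 1 in its top three bits.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded public key that RFC 3972 hashes into the
# address; on the switch this is the RSA key pair bound by "ipv6 security rsakey-pair".
PUBLIC_KEY = b"constructed-rsa-public-key-for-demo"

def _hash2(modifier, public_key):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]

def _hash1(modifier, prefix, collision_count, public_key):
    # Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + public_key).digest()[:8]

def _hash2_meets_sec(hash2, sec):
    # sec demands 16*sec leading zero bits in Hash2: the hash-extension work factor
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, public_key, sec, modifier=None, collision_count=0):
    """Return (address, modifier); `modifier` is a fixed 16-byte start for deterministic tests."""
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not _hash2_meets_sec(_hash2(m.to_bytes(16, "big"), public_key), sec):
        m = (m + 1) % (1 << 128)  # keep incrementing until Hash2 satisfies sec
    modifier = m.to_bytes(16, "big")
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    iid = bytearray(_hash1(modifier, prefix_bytes, collision_count, public_key))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # top 3 bits carry sec; u/g bits are cleared
    return str(ipaddress.IPv6Address(prefix_bytes + bytes(iid))), modifier

def cga_sec(address):
    # The sec value a verifier reads back from the interface identifier's top 3 bits
    return ipaddress.IPv6Address(address).packed[8] >> 5

def verify_cga(address, public_key, modifier, collision_count):
    """RFC 3972 section 5: is this address bound to this public key and modifier?"""
    if not 0 <= collision_count <= 2:
        return False
    packed = ipaddress.IPv6Address(address).packed
    prefix_bytes, iid = packed[:8], packed[8:]
    hash1 = _hash1(modifier, prefix_bytes, collision_count, public_key)
    if (hash1[0] & 0x1C) != (iid[0] & 0x1C) or hash1[1:] != iid[1:]:
        return False
    return _hash2_meets_sec(_hash2(modifier, public_key), cga_sec(address))
```

A neighbor such as SwitchB that sends plain ND messages carries no CGA parameters or RSA signature at all, so a strict-mode verifier has nothing to check and discards the message, which is why every ping above fails until strict mode is removed.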
Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
interface 10GE1/0/1
 undo portswitch
 ipv6 enable
 ipv6 security rsakey-pair switch
 ipv6 security modifier sec-level 1
 ipv6 address FC00:1::1/64
 ipv6 address FC00:2::/64 cga
 ipv6 address FE80::3 link-local cga
 ipv6 nd security strict
#
return
- SwitchB configuration file
#
sysname SwitchB
#
interface 10GE1/0/1
 undo portswitch
 ipv6 enable
 ipv6 address FC00:1::2/64
 ipv6 address FC00:2::2/64
 ipv6 address auto link-local
#
return
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/6361.html
The copyright of this article belongs to the author; do not reproduce it without permission.