SAVI Configuration
Explanation of Principles
User legitimacy validation compares ND packets against the device's static binding entries, ND Snooping entries, and DHCP Snooping security entries. If the source IPv6 address and source MAC address of an ND packet match any of these entries, the packet is considered legitimate and is forwarded. If no match is found, the packet is deemed unauthorized and discarded. Router Advertisement (RA) packets are not subject to SAVI checks; they are controlled by the RA Guard functionality. Router Solicitation (RS) packets with link-local source addresses are allowed to pass through without further validation.
SAVI Configuration
| Configuration Task | Instructions |
|---|---|
| Enable SAVI | Required |
| Configure SAVI trusted ports | Optional |
Enabling SAVI
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the VLAN view | vlan ID | |
| Enable SAVI function | savi enable | |
Configuring SAVI Trusted Ports
When a port is configured as SAVI trusted for a VLAN that has SAVI enabled, ND packets received on that interface with the corresponding VLAN ID do not undergo SAVI validation. They are allowed to pass through without SAVI checks.
| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | configure terminal | |
| Enter the interface view | interface ethernet interface-id | |
| Configure SAVI trusted ports | savi trusted-interface vlan vlan-id | |
Configuration Example
Network requirements
Users access the network through the switch. All users are known to be in the same VLAN, VLAN100, and all users access the network over IPv6. The administrator wants to enable security features on the switch to prevent illegal users from accessing the network through private IP addresses. PC 2 is statically configured with an IP address to simulate an illegal private IP user.

Procedure
- VLAN creation and VLANif interface configuration are omitted.
- Enable the DHCP relay function

  ```
  sonic(config)# dhcp-relay test1 v6
  sonic(config-dhcp-relay-test__v6)# down_link interface vlan 100
  sonic(config-dhcp-relay-test__v6)# up_link interface 49
  sonic(config-dhcp-relay-test__v6)# server_ip 4005::1
  sonic(config-dhcp-relay-test__v6)# loopback_interface loopback 0
  sonic(config-dhcp-relay-test__v6)# exit
  ```

- Enable DHCP Snooping

  ```
  sonic(config)# dhcp snooping enable
  sonic(config)# interface vlan 100
  sonic(config-vlanif-100)# dhcp-snooping enable
  ```

- Configure the interface connected to the DHCP server as a DHCP Snooping trusted port

  ```
  sonic(config)# interface ethernet 49
  sonic(config-if-49)# dhcp-snooping enable
  sonic(config-if-49)# dhcp-snooping trusted
  ```

- Enable ND Snooping

  ```
  sonic(config)# nd snooping enable
  sonic(config)# interface vlan 100
  sonic(config-vlanif-100)# nd snooping enable
  ```

- Turn on the SAVI function

  ```
  sonic(config)# vlan 100
  sonic(config-vlan-100)# savi enable
  ```

Verify configuration
- View the device configuration. View the SAVI function configuration:

  ```
  sonic# show savi config
  +--------------+--------------+
  | Interfaces   | Check mode   |
  +==============+==============+
  | Vlan100      | true         |
  +--------------+--------------+
  ```

- PC 1 and PC 3 can access the network normally, PC 2 cannot access the network, and the packet loss statistics of the security function are counted.
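
The validation rules from Explanation of Principles and Configuring SAVI Trusted Ports, modeled in Python as an added example (not code from the switch or its vendor). Addresses, MACs, port names and the trusted uplink are constructed assumptions, and PC 2 is assumed to have no entry in any binding table.

```python
import ipaddress
from collections import namedtuple
RS, RA, NS = 133, 134, 135  # ICMPv6 ND message types (RFC 4861)
NDPacket = namedtuple("NDPacket", "port vlan src_mac src_ip icmp_type")

def savi_verdict(pkt, savi_vlans, trusted, bindings):
    """Return (action, reason) for one ND packet, following the rules above.
    savi_vlans: VLAN IDs where 'savi enable' is set
    trusted:    {(port, vlan)} set by 'savi trusted-interface vlan'
    bindings:   {table name: {(ipv6, mac), ...}} for the three entry sources
    """
    if pkt.vlan not in savi_vlans:
        return "forward", "savi-not-enabled"
    if pkt.icmp_type == RA:
        return "forward", "left-to-ra-guard"
    if (pkt.port, pkt.vlan) in trusted:
        return "forward", "trusted-port"
    src = ipaddress.IPv6Address(pkt.src_ip)
    if pkt.icmp_type == RS and src.is_link_local:
        return "forward", "rs-link-local"
    for table, entries in bindings.items():
        for ip, mac in entries:
            # Compare parsed addresses so text forms like :0::33 still match.
            if ipaddress.IPv6Address(ip) == src and mac.lower() == pkt.src_mac.lower():
                return "forward", table
    return "drop", "no-binding"

# Constructed sample state for VLAN 100 (addresses and MACs are made up).
BINDINGS = {
    "static": set(),
    "nd-snooping": {("2001:db8:100::33", "00:00:5e:00:53:03")},    # PC 3
    "dhcp-snooping": {("2001:db8:100::11", "00:00:5e:00:53:01")},  # PC 1
}
TRUSTED = {("ethernet49", 100)}  # assumption: uplink marked SAVI trusted
SAMPLES = [
    NDPacket("ethernet1", 100, "00:00:5E:00:53:01", "2001:db8:100::11", NS),    # PC 1
    NDPacket("ethernet2", 100, "00:00:5e:00:53:02", "2001:db8:100::66", NS),    # PC 2, static IP
    NDPacket("ethernet3", 100, "00:00:5e:00:53:03", "2001:db8:100:0::33", NS),  # PC 3
    NDPacket("ethernet2", 100, "00:00:5e:00:53:02", "fe80::2", RS),             # RS, link-local
    NDPacket("ethernet2", 100, "00:00:5e:00:53:02", "2001:db8:100::11", NS),    # PC 2 uses PC 1's IP
    NDPacket("ethernet49", 100, "00:00:5e:00:53:99", "2001:db8:100::66", NS),   # unbound, trusted port
]

def run_samples():
    return [savi_verdict(p, {100}, TRUSTED, BINDINGS) for p in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(pkt.port, pkt.src_ip, pkt.src_mac, *verdict)
```

The last sample is forwarded even though its source has no binding, which is why the trusted setting belongs only on ports facing infrastructure the administrator controls.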