# SAVI Configuration
## Introduction

SAVI (Source Address Validation Improvement) is a mechanism used on access devices to validate the authenticity of IPv6 Neighbor Discovery (ND) protocol packets. It is based on ND snooping, DHCP snooping, and static binding entries, and it helps prevent unauthorized packets from entering the internal network.

## Explanation of Principles

User legitimacy is validated by comparing ND packets with the device's static binding entries, ND snooping entries, and DHCP snooping security entries. If the packet's source IPv6 address and source MAC address match any of these entries, the ND packet is considered legitimate and is forwarded; if no match is found, the packet is deemed unauthorized and discarded.

Note that Router Advertisement (RA) packets are not subject to SAVI checks; they are controlled by the RA Guard function. Additionally, Router Solicitation (RS) packets with link-local source addresses are allowed to pass without further validation.

## SAVI Configuration

| Configuration task | Instructions |
| --- | --- |
| Enable SAVI | Required |
| Configure SAVI trusted ports | Optional |

### Enabling SAVI

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enter the VLAN view | `vlan vlan-id` | |
| Enable the SAVI function | `savi enable` | |

### Configuring SAVI Trusted Ports

For ports configured as SAVI trusted, if SAVI is enabled on a specific VLAN of that port, ND packets received on that interface with the corresponding VLAN ID do not undergo SAVI validation; they are allowed to pass without SAVI checks.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure terminal` | |
| Enter the interface view | `interface ethernet interface-id` | |
| Configure SAVI trusted ports | `savi trusted interface vlan vlan-id` | |

## Configuration Example
### Network Requirements

Users access the network through the switch; all users are in the same VLAN (VLAN 100) and all access the network over IPv6. The administrator wants to enable security features on the switch to prevent illegal users from accessing the network with private IP addresses. PC 2 is statically configured with an IP address to simulate an illegal private-IP user.

### Procedure

VLAN creation and VLANIF interface configuration are omitted.

1. Enable the DHCP relay function:

```
sonic(config)# dhcp relay test1 v6
sonic(config-dhcp-relay-test-v6)# down link interface vlan 100
sonic(config-dhcp-relay-test-v6)# up link interface 49
sonic(config-dhcp-relay-test-v6)# server ip 4005::1
sonic(config-dhcp-relay-test-v6)# loopback interface loopback 0
sonic(config-dhcp-relay-test-v6)# exit
```

2. Enable DHCP snooping:

```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# dhcp snooping enable
```

3. Configure the interface connected to the DHCP server as a DHCP snooping trusted port:

```
sonic(config)# interface ethernet 49
sonic(config-if-49)# dhcp snooping enable
sonic(config-if-49)# dhcp snooping trusted
```

4. Enable ND snooping:

```
sonic(config)# nd snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# nd snooping enable
```

5. Turn on the SAVI function:

```
sonic(config)# vlan 100
sonic(config-vlan-100)# savi enable
```

### Verifying the Configuration

View the device configuration:

```
# View the SAVI function configuration
sonic# show savi config
+------------+------------+
| interfaces | check mode |
+============+============+
| vlan100    | true       |
+------------+------------+
```

PC 1 and PC 3 can access the network normally, PC 2 cannot access the network, and the dropped packets are counted in the packet loss statistics of the security function.
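As an added illustration (not code from this guide or from the switch vendor), the following Python model implements the SAVI decision described in the principles section and the trusted-port rule, then applies it to the scenario of the configuration example: PC 1 with a DHCPv6-learned binding, PC 3 with an ND-snooping binding, PC 2 with a statically configured address that matches no entry, an RA arriving on the trusted uplink, and a packet in a VLAN where SAVI is not enabled. All addresses, MAC addresses, port names, the `(port, vlan)` trusted pairing and the decision labels are constructed assumptions for the demo; they are not values from the page or from any real device.

```python
import ipaddress
from dataclasses import dataclass, field


def _key(ipv6: str, mac: str) -> tuple:
    """Normalise an (IPv6, MAC) pair so textual variants compare equal."""
    return (ipaddress.IPv6Address(ipv6).compressed, mac.lower())


@dataclass
class SaviBindings:
    """The three binding sources SAVI consults (modelled as sets of (ip, mac))."""
    static: set = field(default_factory=set)
    nd_snooping: set = field(default_factory=set)
    dhcp_snooping: set = field(default_factory=set)

    def matches(self, ipv6: str, mac: str) -> bool:
        k = _key(ipv6, mac)
        return k in self.static or k in self.nd_snooping or k in self.dhcp_snooping


@dataclass
class NdPacket:
    nd_type: str   # "RS", "RA", "NS", "NA" or "Redirect"
    src_ip: str
    src_mac: str
    vlan: int
    port: str      # ingress interface name (constructed)


class SaviPolicy:
    """Per-packet SAVI decision; returns a label and counts drops."""

    def __init__(self, bindings: SaviBindings, savi_vlans, trusted):
        self.bindings = bindings
        self.savi_vlans = set(savi_vlans)   # VLANs where `savi enable` was issued
        self.trusted = set(trusted)         # (port, vlan) pairs configured as SAVI trusted
        self.drops = 0                      # the "packet loss statistics" counter

    def decide(self, pkt: NdPacket) -> str:
        if pkt.vlan not in self.savi_vlans:
            return "forward:savi-disabled"          # SAVI never runs for this VLAN
        if (pkt.port, pkt.vlan) in self.trusted:
            return "forward:trusted-port"           # trusted port bypasses validation
        if pkt.nd_type == "RA":
            return "forward:ra-guard-scope"         # RA is RA Guard's job, not SAVI's
        if pkt.nd_type == "RS" and ipaddress.IPv6Address(pkt.src_ip).is_link_local:
            return "forward:rs-link-local"          # link-local RS passes unchecked
        if self.bindings.matches(pkt.src_ip, pkt.src_mac):
            return "forward:binding-match"
        self.drops += 1
        return "drop:no-binding"


def run_demo() -> dict:
    """Apply the policy to the constructed VLAN 100 scenario and return the verdicts."""
    b = SaviBindings()
    b.dhcp_snooping.add(_key("2001:db8:100::10", "00:11:22:33:44:01"))  # PC 1, DHCPv6 lease
    b.nd_snooping.add(_key("2001:db8:100::30", "00:11:22:33:44:03"))    # PC 3, learned by ND snooping
    policy = SaviPolicy(b, savi_vlans=[100], trusted=[("ethernet49", 100)])

    packets = {
        "pc1_ns": NdPacket("NS", "2001:db8:100::10", "00:11:22:33:44:01", 100, "ethernet1"),
        "pc3_na": NdPacket("NA", "2001:db8:100::30", "00:11:22:33:44:03", 100, "ethernet3"),
        # PC 2: statically configured address with no binding anywhere
        "pc2_ns": NdPacket("NS", "2001:db8:100::99", "00:11:22:33:44:02", 100, "ethernet2"),
        "pc2_rs": NdPacket("RS", "fe80::2", "00:11:22:33:44:02", 100, "ethernet2"),
        "uplink_ra": NdPacket("RA", "fe80::49", "00:11:22:33:44:49", 100, "ethernet49"),
        "pc5_vlan200": NdPacket("NA", "2001:db8:200::5", "00:11:22:33:44:05", 200, "ethernet5"),
    }
    results = {name: policy.decide(p) for name, p in packets.items()}
    results["drops"] = policy.drops
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12} {verdict}")
```

The order of the checks is a design choice of this model: SAVI enablement and trusted-port status are properties of the ingress VLAN and port, so they are evaluated before the packet's own type and addresses, which matches the guide's statement that ND packets on a trusted port in a SAVI-enabled VLAN skip validation entirely.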
