Security Configuration Guide

dhcp snooping configuration dhcp snooping configuration introduction introduction dhcp snooping monitors dhcp request and trusted port received dhcp ack messages, recording dhcp snooping entries including client mac addresses, assigned ip addresses, vlans, and other information explanation of principles explanation of principles trusted ports for dhcp snooping trusted ports for dhcp snooping when dhcp snooping is enabled, devices forward dhcp client's dhcp request messages through trusted ports to legitimate dhcp servers, and the device generates snooping binding table (snp) entries based on the dhcp ack response from the server dhcp snooping categorizes ports into two security levels, and they are handled differently upon receiving dhcp messages trusted ports trusted ports receiving dhcp ack messages from dhcp servers generate snp entries based on the contents of the messages untrusted ports untrusted ports only forward dhcp ack messages from dhcp servers and do not generate snp entries dhcp snooping table dhcp snooping table snp entries contain information such as vlan, mac, ip, interface, etc these entries are recorded by monitoring dhcp ack messages received through trusted ports the entries are removed based on dhcp release messages received on ports with dhcp snooping enabled since the dhcp snooping binding table records the correspondence between dhcp client ip addresses and mac addresses, this information enables the following functionalities dynamic arp inspection (dai) dai uses dhcp snooping entries to determine the legitimacy of the user sending arp packets, thus preventing arp attacks from unauthorized users source address validation improvement (savi) savi uses dhcp snooping entries to validate the legitimacy of users sending nd (neighbor discovery) packets, preventing nd attacks from unauthorized users ip source guard (ipsg) ipsg filters ip packets on ports dynamically obtained from the dhcp snooping table, preventing unauthorized packets from passing through those ports dhcp snooping configuration dhcp snooping configuration configure tasks instructions description enable dhcp snooping required configure port as trust state required enabling dhcp snooping function enabling dhcp snooping function enabling the dhcp snooping function requires a two step process first, enabling the global dhcp snooping functionality, and then enabling dhcp snooping for specific interfaces or vlans operation command description enter the system configuration view configure terminal enable dhcp snooping dhcp snooping enable{v4|v6} enter the corresponding view interface view interface ethernet interface id vlan view vlan id enable dhcp snooping dhcp snooping enable configuring ports as trusted configuring ports as trusted to ensure that the device generates snp entries only for dhcp ack packets received from legitimate dhcp servers, you need to set the interfaces connected directly or indirectly to trusted dhcp servers as trusted interfaces other interfaces should be set as untrusted interfaces this guarantees that, after enabling the respective security features, only terminals that obtain ip addresses from legitimate dhcp servers can access the network, preventing unauthorized access from self deployed dhcp servers operation command description enter the system configuration view configure terminal enter the corresponding view interface view interface ethernet interface id vlan view vlan id configure ports as trusted dhcp snooping trusted display and maintenance display and maintenance operation command description display dhcp snooping related configurations show dhcp snooping config display dhcp snooping table show snooping table configuration example configuration example network requirements a company wants to assign ip addresses to terminals in the network through a dhcp server in order to facilitate management, and at the same time needs to prohibit users from accessing the network through statically configured ip addresses procedure create vlan 100 and configure the ip address sonic(config)# vlan 100 sonic(config)# interface ethernet 1 sonic(config if 1)# switchport access vlan 100 sonic(config)# interface ethernet 2 sonic(config if 2)# switchport access vlan 100 sonic(config)# interface vlan 100 sonic(config vlanif 100)# ip address 10 1 2 1/24 enable dhcp relay function sonic(config)# dhcp relay test v4 sonic(config dhcp relay test v4)# down link interface vlan 100 sonic(config dhcp relay test v4)# up link interface 5 sonic(config dhcp relay test v4)# server ip 10 10 1 1 sonic(config dhcp relay test v4)# loopback interface loopback 0 sonic(config dhcp relay test v4)# exit enabling dhcp snooping sonic(config)# dhcp snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable configure the interface to which the dhcp server is connected as a trusted port sonic(config)# interface ethernet 5 sonic(config if 5)# dhcp snooping enable sonic(config if 5)# dhcp snooping trusted enables dai and ipsg to check the legitimacy of user messages sonic(config)# interface vlan 100 sonic(config vlanif 100)# ipv4 source check enable sonic(config vlanif 100)# arp anti attack check enable verify configuration check the obtained ip address on the user's pc modify the ip address on the user's pc to a static configuration, ping the external network address and the pc's gateway address, respectively, the ping operation failed view the packet loss statistics of the security features on the device sonic# show user bind counter interface drop packets \ vlan100 4028 nd snooping configuration nd snooping configuration introduction introduction the nd snooping (neighbor discovery snooping) feature is designed for layer 2 switching environments and serves a similar purpose to dhcp snooping in ipv6 networks it records information such as the source ipv6 address, source mac address, and incoming port of packets the entries generated by this feature coexist in the snooping table along with those created by dhcp snooping explanation of principles explanation of principles the device supports learning nd snooping entries through two methods by listening to duplicate address detection (dad) packets received on interfaces where nd snooping is enabled this process helps establish the nd snooping dynamic binding table by monitoring the neighbor discovery protocol (ndp) table entries on the device these entries can also be used to update the nd snooping dynamic binding table through the creation of the nd snooping dynamic binding table, the device can filter out unauthorized nd packets received from untrusted interfaces this effectively prevents potential nd attacks nd snooping configuration nd snooping configuration operation command description enter the system configuration view configure terminal enable nd snooping function nd snooping enable enter vlan view vlan id enable nd snooping function nd snooping enable configuration example configuration example network requirements in order to facilitate the management wish to unify the allocation of ipv6 addresses by means of automatic configuration, it is also required support for obtaining ipv6 addresses through stateful means support for obtaining ipv6 addresses in a stateless manner disable users from accessing the network through statically configured ipv6 addresses procedure create vlan 100 and configure the ip address sonic(config)# vlan 100 sonic(config)# interface ethernet 1 sonic(config if 1)# switchport access vlan 100 sonic(config)# interface ethernet 2 sonic(config if 2)# switchport access vlan 100 sonic(config)# interface vlan 100 sonic(config vlanif 100)# ip address fd00 100 1/64 configure the parameters of ra messages sent by the device sonic(config vlanif 100)# ipv6 nd ra managed flag on sonic(config vlanif 100)# ipv6 nd ra autonomous on sonic(config vlanif 100)# ipv6 nd ra other flag on sonic(config vlanif 100)# ipv6 nd ra prefix fd00 200 1/64 sonic(config vlanif 100)# ipv6 nd ra route information /0 high sonic(config vlanif 100)# ipv6 nd ra route information fd00 100 1/64 sonic(config vlanif 100)# ipv6 nd ra route information fd00 200 1/64 configure the dhcpv6 relay function of the device sonic(config)# dhcp relay test v6 sonic(config dhcp relay test v6)# down link interface vlan 100 sonic(config dhcp relay test v6)# up link interface 5 sonic(config dhcp relay test v6)# server ip fd00 1001 1501 2001 sonic(config dhcp relay test v6)# loopback interface loopback 0 sonic(config dhcp relay test v6)# exit enable dhcp snooping, nd snooping function sonic(config)# dhcp snooping enable sonic(config)# nd snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable sonic(config vlanif 100)# nd snooping enable configure the interface to which the dhcp server is connected as a trusted port sonic(config)# interface ethernet 5 sonic(config if 5)# dhcp snooping enable sonic(config if 5)# dhcp snooping trusted enable the security function to check the legitimacy of user messages sonic(config)# interface vlan 100 sonic(config vlanif 100)# ipv4 source check enable sonic(config vlanif 100)# arp anti attack check enable sonic(config vlanif 100)# ipv6 source check enable sonic(config vlanif 100)# savi enable verify configuration view the obtained ip address on the pc c \users\test\\>ipconfig windows ip configuration ethernet adapters ethernet connect to a specific dns suffix ipv6 address fd00 100 a570 ipv6 address fd00 200 a495\ f96e 6573\ c383 temporary ipv6 address fd00 200 6d18\ d132 77ef 42da local link ipv6 address fe80 a495\ f96e 6573\ c383%12 ipv4 address 192 168 0 144 subnet mask 255 255 240 0 default gateway fe80 201 2ff\ fe03 800 192 168 0 1 use the show snooping table command to view the snooping table entries on the device, the stateful ip addresses and stateless ip addresses have corresponding snooping table entries modify the ip address on the user's pc to a static configuration, ping the external network address and the ipv6 address of the device's svi port, respectively, can not ping through view the packet loss statistics of the security features on the device sonic# show user bind counter interface drop packets \ vlan100 48 snooping table synchronization configuration snooping table synchronization configuration introduction introduction snooping entries include dhcp snooping entries, nd snooping entries, and user static binding entries, collectively referred to as snp entries these entries play a crucial role in performing security functions in a typical clustered networking environment, leaf devices act as distributed gateways, connecting multiple aps mobile terminals may migrate between aps under different leaf devices to minimize migration time, snooping entries can be synchronized across all devices in the network consequently, after migration, there is no need to acquire ip addresses or relearn snooping entries; legitimate access to the network can be achieved through security authentication similarly, user statically configured binding entries can also be synchronized using the snp synchronization mechanism, reducing the need for redundant configuration across different devices explanation of principles explanation of principles a protocol interaction is established between leaf devices and spine devices to facilitate snp table synchronization typically, a more powerful spine device is chosen as the server for snp table synchronization, while the leaf devices act as clients when a client receives a dhcp ack message or an nd protocol's dad message, it learns new entries for the snp table and simultaneously sends update messages to the designated spine server the spine device then propagates these update messages to the remaining leaf devices within the network consequently, all devices within the network gain access to the updated snp table entries generally, interaction messages for table synchronization between devices are encapsulated using loopback addresses, ensuring that the loopback addresses between devices are reachable at the layer 3 within the network snp server configuration snp server configuration configure tasks instructions description enable snp table synchronization function required configure the snp neighbor ip address required configure the snp peer ip address required enabling snp table synchronization table synchronization enabling snp table synchronization table synchronization enable the snp table synchronization function on the device and specify the device attributes by default, the ipv4 address of the device's loopback0 interface is used as the source ip address for protocol interaction messages it's also possible to specify a specific interface ip as the source address note this ip address needs to be reachable via layer 3 routing from the neighbor ip and peer ip to ensure normal interaction of protocol messages operation command description enter the system configuration view configure terminal enable snp table synchronization function snp sync enable server \[ip address] configuring snp neighbor address configuring snp neighbor address the snp neighbor is another device with the snp server attribute it's important to note that this ip address should match the source ip address configured when enabling snp table synchronization on the neighbor device operation command description enter the system configuration view configure terminal configure snp neighbor ip address snp sync neighbor ip address configuring snp peer address configuring snp peer address snp peer is a device with the attribute of being a client, typically a leaf device please note that this ip address should be consistent with the source ip address used when enabling snp table synchronization for the configured peer device operation command description enter the system configuration view configure terminal configure snp peer ip address snp sync peer ip address snp client configuration snp client configuration in most cases, the leaf device directly connected to end user terminals is chosen as the client in the snp table synchronization process operation command description enter the system configuration view configure terminal configure snp neighbor ip address snp sync neighbor ip address the neighbor is the server device in the snp context display and maintenance display and maintenance operation command description display snp table synchronization status show snooping status configuration example configuration example network requirements terminals accessed by different devices belong to the same network segment, and the gateway information of terminals remains unchanged during migration, and ip addresses are not reassigned via dhcp it is required that snp table entries can be synchronized between devices, and the new device can still open the security function to check the legality of messages sent by terminals after migration procedure leaf a configuration \# omit the interface and ip address configuration process \# establish bgp neighbors sonic(config)# router bgp 65200 sonic(config router)# bgp router id 10 15 1 1 sonic(config router)# no bgp ebgp requires policy sonic(config router)# neighbor peer v4 ebgp peer group sonic(config router)# neighbor 10 20 1 1 sonic(config router)# neighbor 10 20 1 1 bfd sonic(config router)# neighbor 10 20 1 1 description spinea sonic(config router)# neighbor 10 20 1 1 peer group peer v4 ebgp sonic(config router)# neighbor 10 20 1 2 sonic(config router)# neighbor 10 20 1 2 bfd sonic(config router)# neighbor 10 20 1 2 description spineb sonic(config router)# neighbor 10 20 1 2 peer group peer v4 ebgp sonic(config router)# address family ipv4 unicast \# declare the route aboute loopback0 address sonic(config router af)# network 30 11 0 85/32 sonic(config router af)# neighbor peer v4 ebgp activate \# configure snp entry synchronization sonic(config)# snp sync enable client 10 15 1 1 10 15 1 1 sonic(config)# snp sync neighbor 10 20 1 1 sonic(config)# snp sync neighbor 10 20 1 2 \# enable the dhcp relay and dhcp snooping functions sonic(config)# dhcp relay test v4 sonic(config dhcp relay test v4)# down link interface vlan 100 sonic(config dhcp relay test v4)# up link interface 5 sonic(config dhcp relay test v4)# server ip 192 168 0 10 sonic(config dhcp relay test v4)# loopback interface loopback 0 sonic(config dhcp relay test v4)# exit sonic(config)# dhcp snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable \# configure the interface to which the dhcp server is connected as a trusted port sonic(config)# interface ethernet 5 sonic(config if 5)# dhcp snooping enable sonic(config if 5)# dhcp snooping trusted leaf b and leaf a are similar in configuration spine a configuration \# omit the interface and ip address configuration process \# establish bgp neighbors sonic(config)# router bgp 65100 sonic(config router)# bgp router id 10 20 1 1 sonic(config router)# no bgp ebgp requires policy sonic(config router)# neighbor peer v4 ebgp peer group sonic(config router)# neighbor 10 15 1 1 sonic(config router)# neighbor 10 15 1 1 bfd sonic(config router)# neighbor 10 15 1 1 description leafa sonic(config router)# neighbor 10 15 1 1 peer group peer v4 ebgp sonic(config router)# neighbor 10 15 1 2 sonic(config router)# neighbor 10 15 1 2 bfd sonic(config router)# neighbor 10 15 1 2 description leafb sonic(config router)# neighbor 10 15 1 2 peer group peer v4 ebgp sonic(config router)# address family ipv4 unicast \# declare the route aboute loopback0 address sonic(config router af)# network 10 20 1 1/32 sonic(config router af)# neighbor peer v4 ebgp activate \# configure snp entry synchronization sonic(config)# snp sync enable server 10 20 1 1 10 20 1 1 sonic(config)# snp sync peer 10 20 1 2 sonic(config)# snp sync neighbor 10 10 1 1 sonic(config)# snp sync neighbor 10 10 1 2 verify configuration view the snp entry synchronization status of the leaf device sonic# show snooping status switch id 10 15 1 1 source ip address 10 15 1 1 coherent status yes sequence number 10526 device mode client neighbors status summary switch id active sequence number connect active number \ neighbors 10 20 1 1 yes 10526 2 10 20 1 2 yes 10526 2 total number of snooping table 2 view the snp entry synchronization status of the spine device sonic# show snooping status switch id 10 20 1 1 source ip address 10 20 1 1 coherent status yes sequence number 10526 connect active number 2 device mode server neighbors and peers status summary switch id active sequence number connect active number \ peers 10 20 1 2 yes 10526 2 \ neighbors 10 15 1 1 yes 10526 1 10 15 1 2 yes 10526 1 arp attack detection configuration arp attack detection configuration introduction introduction arp attack detection is one of the common methods to prevent arp spoofing it is used to detect arp packets based on dhcp snooping and static binding entries on access devices, preventing arp attacks from unauthorized users explanation of principles explanation of principles the method for user legitimacy check involves matching the sender's ip address and source mac address in the arp packet with the static binding entries and dhcp snooping secure entries on the device if there is a match between the sender's ip address and source mac address in the arp packet and any of the entries on the device, the arp packet is considered legitimate and will be forwarded otherwise, if no match is found, the packet is considered illegitimate and will be dropped arp trust interfaces do not undergo user legitimacy checks, while arp untrusted interfaces require user legitimacy checks to prevent attacks from spoofed users arp attack detection configuration arp attack detection configuration configure tasks instructions index enable arp attack detection required configure arp attack detection trusted ports optional enabling arp attack detection enabling arp attack detection operation command description enter the system configuration view configure terminal enter the vlan view vlan id enable arp attack detection arp anti attack check enable configuring arp attack detection trusted ports configuring arp attack detection trusted ports for interfaces configured as trusted for arp attack detection, if a specific vlan on that interface has arp attack detection enabled, then arp packets carrying that vlan id will bypass arp attack detection and be forwarded without any checks operation command description enter the system configuration view configure terminal enter the interface view interface ethernet interface id configure arp attack detection trusted ports arp anti attack check trusted interface vlan vlan id configuration examples configuration examples network requirements users access the network through the switch, all users are known to be under the same vlan100, and all users obtain ip addresses through dhcp server the administrator wants to enable the dai function on the switch to prevent any illegal users from attacking the device by sending illegal arp messages, which requires pc 1 is a dumb terminal and requires static ip address configuration pc 4 is a trusted user and does not perform dai checks procedure omit vlan creation and vlanif interface configuration enable dhcp relay function sonic(config)# dhcp relay test v4 sonic(config dhcp relay test v4)# down link interface vlan 100 sonic(config dhcp relay test v4)# up link interface 49 sonic(config dhcp relay test v4)# server ip 10 10 1 1 sonic(config dhcp relay test v4)# loopback interface loopback 0 sonic(config dhcp relay test v4)# exit enable dhcp snooping sonic(config)# dhcp snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable configure the interface to which the dhcp server is connected as a trusted port sonic(config)# interface ethernet 49 sonic(config if 49)# dhcp snooping enable sonic(config if 49)# dhcp snooping trusted enable dai function and configure ethernet4 port as a trusted port sonic(config)# vlan 100 sonic(config vlan 100)# arp anti attack check trusted interface ethernet4 sonic(config vlan 100)# arp anti attack check enable add a static table entry corresponding to the ip address and mac of pc 1 sonic(config)# user bind rule 10 100 3 1 00 00 00 01 00 01 1 100 verify configuration view device configuration \# view snooping static binding table entries sonic# show user bind rule vlan mac ip interface \ vlan100 00 00 00 01 00 01 10 100 3 1 ethernet1 total 1 \# view dai function configuration sonic# show anti attack check config + + + \| interfaces | check mode | +==============+==============+ \| vlan100 | true | + + + pc 2 as the attacker, all outgoing arp messages are discarded ipsg configuration ipsg configuration introduction introduction ip source guard (ipsg) is a defense mechanism against ip address spoofing attacks it checks whether a user on a specific vlan interface is a legitimate user based on the source ip address and source mac address in the ip packet ipsg prevents malicious hosts from forging the ip addresses of legitimate hosts, ensuring that unauthorized hosts cannot access or attack the network by specifying their own ip addresses explanation of principles explanation of principles the method for user legitimacy checks involves comparing the source ip address and source mac address in the ip packet with the static binding entries, dhcp snooping entries, and nd snooping security entries on the device if there is a match with any of these entries, the ip packet is considered legitimate and forwarded otherwise, the packet is considered illegitimate and discarded for ip trusted interfaces, user legitimacy checks are not performed for non trusted interfaces, user legitimacy checks are necessary to prevent spoofed user attacks ipsg configuration ipsg configuration configure tasks instructions index enable ipsg required configure ipsg trusted ports optional enabling ipsg enabling ipsg operation command description enter the system configuration view configure terminal enter the vlan view vlan id enable ipsg function ipv4 source check enable ipv6 source check enable configuring ipsg trusted ports configuring ipsg trusted ports for interfaces configured as ip source guard (ipsg) trusted interfaces, if ipsg is enabled for a specific vlan on that interface, then all ip packets received on that interface with the corresponding vlan id are allowed to pass through without any further inspection operation command description enter the system configuration view configure terminal enter the interface view interface ethernet interface id configure ipsg trusted ports ipv4 source check trusted interface vlan vlan id ipv6 source check trusted interface vlan vlan id configuration example configuration example network requirements users access the network through the switch, all users are known to be under the same vlan100, and all users access the network with ipv4 and ipv6 dual stack, the administrator wants to enable the security function on the switch to prevent illegal users from accessing the network through private ip addresses, where pc 4 is a silent terminal and needs to access the network by manually configuring the ip address pc 2 is an illegal user with a simulated private ip address procedure omit the creation of vlan and vlanif interface configuration enable dhcp relay function sonic(config)# dhcp relay test v4 sonic(config dhcp relay test v4)# down link interface vlan 100 sonic(config dhcp relay test v4)# up link interface 49 sonic(config dhcp relay test v4)# server ip 10 10 1 1 sonic(config dhcp relay test v4)# loopback interface loopback 0 sonic(config dhcp relay test v4)# exit sonic(config)# dhcp relay test1 v6 sonic(config dhcp relay test v6)# down link interface vlan 100 sonic(config dhcp relay test v6)# up link interface 49 sonic(config dhcp relay test v6)# server ip 4005 1 sonic(config dhcp relay test v6)# loopback interface loopback 0 sonic(config dhcp relay test v6)# exit enabling dhcp snooping sonic(config)# dhcp snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable configure the interface connected to dhcp server as a trusted port sonic(config)# interface ethernet 49 sonic(config if 49)# dhcp snooping enable sonic(config if 49)# dhcp snooping trusted enable ipsg function and configure ethernet4 port as a trusted port sonic(config)# vlan 100 sonic(config vlan 100)# ipv4 source check enable sonic(config vlan 100)# ipv6 source check enable sonic(config vlan 100)# ipv4 source check trusted interface ethernet4 sonic(config vlan 100)# ipv6 source check trusted interface ethernet4 verify configuration view device configuration \# view ipsg feature configuration sonic# ipv4 source check config + + + + \| interfaces | check mode | trusted interfaces | +==============+==============+======================+ \| vlan100 | true | \['ethernet1'] | + + + + \# view ipsgv6 feature configuration sonic# ipv6 source check config + + + + \| interfaces | check mode | trusted interfaces | +==============+==============+======================+ \| vlan100 | true | \['ethernet1'] | + + + + pc1, pc3, pc4 can access the network normally, pc2 cannot access the network, and the packet loss statistics of the security function are counted savi configuration savi configuration introduction introduction savi (source address validation improvement) is a mechanism used on access devices to validate the authenticity of ipv6 neighbor discovery (nd) protocol packets it is based on nd snooping, dhcp snooping, and static binding entries, and it helps prevent unauthorized packets from entering the internal network explanation of principles explanation of principles the method of user legitimacy validation involves comparing nd packets with the device's static binding entries, nd snooping entries, and dhcp snooping security entries if there is a match between the source ipv6 address and the source mac address in any of these entries, the nd packet is considered legitimate and allowed to be forwarded otherwise, if no match is found, the packet is deemed unauthorized and discarded it's important to note that router advertisement (ra) packets are not subject to savi checks and are controlled by the ra guard functionality additionally, router solicitation (rs) packets with link local source addresses are allowed to pass through without further validation savi configuration savi configuration configure tasks instructions index index enable savi required configure savi trusted ports optional enabling savi enabling savi operation command description enter the system configuration view configure terminal enter the vlan view vlan id enable savi function savi enable configuring savi trusted ports configuring savi trusted ports for ports configured as savi trusted, if a specific vlan on that port has savi functionality enabled, any nd packets received on that interface with the corresponding vlan id will not undergo savi validation instead, they will be allowed to pass through without savi checks operation command description enter the system configuration view configure terminal enter the interface view interface ethernet interface id configure savi trusted ports savi trusted interface vlan vlan id configuration example configuration example network requirements users access the network through the switch, all users are known to be under the same vlan100, and all users access the network in ipv6 the administrator wants to enable security features on the switch to prevent illegal users from accessing the network through private ip addresses, where pc 2 statically configures ip addresses to simulate illegal private ip users procedure omit vlan creation and vlanif interface configuration enable dhcp relay function sonic(config)# dhcp relay test1 v6 sonic(config dhcp relay test v6)# down link interface vlan 100 sonic(config dhcp relay test v6)# up link interface 49 sonic(config dhcp relay test v6)# server ip 4005 1 sonic(config dhcp relay test v6)# loopback interface loopback 0 sonic(config dhcp relay test v6)# exit enabling dhcp snooping sonic(config)# dhcp snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# dhcp snooping enable configure the interface connected to dhcp server as a dhcp snooping trusted port sonic(config)# interface ethernet 49 sonic(config if 49)# dhcp snooping enable sonic(config if 49)# dhcp snooping trusted enabling nd snooping sonic(config)# nd snooping enable sonic(config)# interface vlan 100 sonic(config vlanif 100)# nd snooping enable turn on savi function sonic(config)# vlan 100 sonic(config vlan 100)# savi enable verify configuration view device configuration \# view savi function configuration sonic# show savi config + + + \| interfaces | check mode | +==============+==============+ \| vlan100 | true | + + + pc 1, pc 3 can access the network normally, pc 2 cannot access the network, and the packet loss statistics of the security function are counted ra guard configuration ra guard configuration introduction introduction ra guard functionality is used on layer 2 access devices to prevent router advertisement (ra) message spoofing attacks when a layer 2 access device receives an ra message with a unicast or multicast mac address, the ra guard functionality processes the ra message as follows if the port is not configured with a port role, the ra message is directly forwarded if the port role is a router, the ra message is directly forwarded if the port role is a user, the ra message is directly discarded if the port role is hybrid, the port's ra guard policy is matched if the ra guard policy has configured matching rules, the ra message must match all rules successfully to be forwarded otherwise, the message is discarded if the ra guard policy does not have matching rules configured, all ra messages are discarded configuration example configuration example network requirements to prevent route announcement message (ra message) spoofing attack, you need to configure ra guard policy rules on the device interface ethernet 2 is connected to an unknown device, and the user wants the interface to match and filter ra messages according to ra guard policy rules interface ethernet 1 is connected to a user who wants the ra messages received on this interface to be discarded directly interface ethernet 3 is connected to a device and the user wants the interface to fully trust ra messages to be forwarded directly procedure create a vlan and add an interface sonic(config)# vlan 100 sonic(config)# port group ethernet 1 3 sonic(config port group 1 3)# switchport access vlan 100 configure the interface role sonic(config)# interface ethernet 1 sonic(config if 1)# raguard role user sonic(config)# interface ethernet 2 sonic(config if 1)# raguard role hybrid sonic(config)# interface ethernet 3 sonic(config if 1)# raguard role router configure ra guard policy sonic(config)# vlan 100 sonic(config vlan 100)# raguard policy src ip fe80 1a17 25ff\ fe37 6722