< Home

Example for Configuring the SAVI Function in an SLAAC-Only Scenario

Networking Requirements

As shown in Figure 1, SwitchA functions as an access device to connect to hosts in an enterprise department. No DHCPv6 server is deployed on the network, and hosts in the department can obtain IPv6 addresses using only SLAAC. If an attacker sends a large number of invalid ND protocol packets or invalid IPv6 data packets, communication of authorized users may be interrupted, and user accounts and passwords may be embezzled. To prevent these problems, the administrator wants to configure SwitchA to defend against invalid ND protocol packets and invalid IPv6 data packets (with invalid source addresses) and provides users with stable services on a secure network.

Figure 1 Networking diagram for configuring the SAVI function in an SLAAC-Only scenario

Configuration Roadmap

  1. Configure ND snooping so that bindings between address and ports can be generated for validity of the source addresses in ND protocol packets and IPv6 data packets.

  2. Enable the SAVI function so that the device can check the validity of the source addresses in ND protocol packets based on the ND snooping binding entries and filter out invalid packets.

  3. Enable IP source guard so that the device can check the validity of the source addresses in IPv6 data packets based on the ND snooping binding entries and filter out invalid packets.

Procedure

  1. Enable the SAVI function. 

    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] savi enable

  2. Create VLAN 2. 

    [SwitchA] vlan batch 2

  3. Add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 2. 

    [SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 2
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 2
[SwitchA-GigabitEthernet0/0/3] quit

  4. Configure ND snooping.

    # Enable ND snooping globally.

    [SwitchA] nd snooping enable

    # Enable ND snooping for VLAN 2.

    [SwitchA] vlan 2
[SwitchA-vlan2] nd snooping enable

    # Enable validity check for NA and NS packets in VLAN 2.

    [SwitchA-vlan2] nd snooping check na enable
[SwitchA-vlan2] nd snooping check ns enable
[SwitchA-vlan2] quit

    # Configure GE0/0/3 connecting to the ND server as a trusted interface.

    [SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] nd snooping trusted
[SwitchA-GigabitEthernet0/0/3] quit

  5. Enable IP source guard for VLAN 2. 

    [SwitchA] vlan 2
[SwitchA-vlan2] ip source check user-bind enable
[SwitchA-vlan2] quit

  6. Verify the configuration.

    # Run the display this command in the system view to verify that the SAVI function and ND snooping are enabled globally.
    [SwitchA] display this                                                               
...
#                                                                               
nd snooping enable                                                            
savi enable
#
...
    # Run the display this command in the VLAN view. The command output shows that ND snooping, ND6 protocol packet validity check, and IP source guard have been enabled in VLAN 2. 
    [SwitchA] vlan 2
    [SwitchA-vlan2] display this
#                                                                               
vlan 2                                                                          
 nd snooping enable                                                           
 nd snooping check ns enable                                                    
 nd snooping check na enable  
 ipv4 source check user-bind enable  
 ipv6 source check user-bind enable 
#                                                                               
return                

    [SwitchA-vlan2] quit
    # Run the display this command in the interface view to verify that GE0/0/3 connecting to the ND server are configured as a trusted interface.
    [SwitchA] interface gigabitethernet 0/0/3
    [SwitchA-GigabitEthernet0/0/3] display this
#                                                                               
interface GigabitEthernet0/0/3                                                  
 port link-type trunk                                                           
 port trunk allow-pass vlan 2                                                   
 nd snooping trusted                                                            
#                                                                               
return

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#                                                                               
vlan batch 2
#
nd snooping enable                                                            
savi enable
#
vlan 2                                                                          
 nd snooping enable                                                           
 nd snooping check ns enable                                                    
 nd snooping check na enable  
 ipv4 source check user-bind enable 
 ipv6 source check user-bind enable 
#   
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#   
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/3
 port link-type trunk                                                           
 port trunk allow-pass vlan 2                                                   
 nd snooping trusted                                                            
#   
return
Parent Topic: Configuration Examples for SAVI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >