- Released At: 25-06-2022
WLAN SAVI Technology White Paper |
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
This document provides generic technical information, some of which might not be applicable to your products.
The information in this document is subject to change without notice.
Wireless client roaming support
Flexible validity check based on the IPv6 address assignment method
Client MAC-IP binding generation
WLAN SAVI validity check for non-roaming clients
WLAN SAVI validity check for roaming clients
WLAN SAVI configuration example
Overview
Technical background
WLAN Source Address Validation Improvement (SAVI) filters the packets received by APs to prevent the packets sent by illegal clients from passing through. With WLAN SAVI enabled, an AP records the binding between the MAC address and IP address of each authenticated wireless client. When the AP receives data traffic from a wireless client, it forwards the traffic only if the MAC address and IP address of the wireless client match the binding created for the wireless client.
Benefits
IP spoofing prevention
With WLAN SAVI enabled, an AP records the binding between the MAC address and IP address of each authenticated wireless client. To prevent IP spoofing, the AP forwards the traffic sent by a wireless client only if the MAC address and IP address of the wireless client match the binding created for the wireless client.
Wireless client roaming support
When a wireless client roams between APs, its MAC-IP binding is synchronized to the destination AP.
Flexible validity check based on the IPv6 address assignment method
WLAN SAVI allows you to set the validity check mode on a per-VLAN basis. You can configure WLAN SAVI to perform validity check according to the MAC-IP bindings created based on DHCPv6 packets in a VLAN where wireless clients obtain IPv6 addresses through DHCPv6. For a VLAN where wireless clients generate IPv6 addresses based on the prefix, configure WLAN SAVI to perform validity check according to the MAC-IP bindings created based on ND packets.
WLAN SAVI implementation
Client MAC-IP binding generation
An AP creates MAC-IP bindings for wireless clients as follows:
1. A wireless client accesses the network, performs authentication, and obtains an IP address through DHCPv4, DHCPv6, or ND.
2. The AP creates a MAC-IP binding depending on the IP address assignment method.
   - For an IPv4 client, the AP intercepts the DHCPv4 packets sent by the client to obtain the IPv4 address assigned to the client and create a MAC-IP binding.
   - For an IPv6 client, the AP acts as follows:
     - In DHCPv6 mode, the AP intercepts the DHCPv6 packets sent between the client and the DHCPv6 server to obtain the IPv6 address assigned to the client and create a MAC-IP binding. The AP cannot create a MAC-IP binding based on the IPv6 prefix obtained from the DHCPv6 packets.
     - In ND mode, the AP listens for RA, NS, and NA packets to obtain the IPv6 address assigned to the client and create a MAC-IP binding.
3. The AP reports the MAC-IP binding to the AC for central management.
Figure 1 Client MAC-IP binding generation process
WLAN SAVI validity check for non-roaming clients
For non-roaming clients, an AP forwards the traffic sent by a wireless client only if the MAC address and IP address of the wireless client match the binding created for the wireless client. If a mismatch occurs, the AP drops the traffic.
WLAN SAVI validity check for roaming clients
When a wireless client roams between APs, its MAC-IP binding is synchronized to the destination AP as follows:
1. The client connects to AP 1.
2. AP 1 creates a MAC-IP binding for the client as described in "Client MAC-IP binding generation."
3. The client roams to AP 2.
4. The AC sends the MAC-IP binding created for the client to AP 2.
5. The AC deletes the MAC-IP binding from AP 1.
Figure 2 WLAN SAVI validity check for roaming clients
WLAN SAVI configuration example
As shown in Figure 3, the clients access the wireless network whose SSID is service, and the switch acts as a DHCP server to assign IP addresses to the clients. WLAN SAVI is enabled to deny access to illegal clients.
After Client 1 and Client 2 obtain IP addresses from the DHCP server, the AP creates MAC-IP bindings for the clients and forwards the packets sent by them. When Client 3 accesses the network by using the IP address of Client 1, the AP drops the packets sent by Client 3.
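The configuration example above, together with the binding-generation and roaming procedures, simulated as an added Python example that is not part of the H3C paper: the AC and AP classes, the message dicts standing in for snooped DHCP/ND packets, and all MAC and IP values are constructed assumptions, not the product's implementation.

```python
# Added example (not H3C code): WLAN SAVI binding learning, per-frame validity check and roaming hand-over.

# Field that carries the assigned address in each (constructed) snooped message type.
ADDRESS_FIELD = {"DHCPv4_ACK": "yiaddr", "DHCPv6_REPLY": "ia_na", "ND_NA": "target"}

class AC:
    """Central binding store (step 3); moves a binding between APs when a client roams."""
    def __init__(self):
        self.table = {}  # client MAC -> AP currently holding its binding

    def roam(self, mac, new_ap):
        old_ap = self.table[mac]
        new_ap.bindings[mac] = old_ap.bindings.pop(mac)  # step 4: push to AP 2, step 5: delete from AP 1
        self.table[mac] = new_ap

class AP:
    def __init__(self, ac):
        self.ac = ac
        self.bindings = {}  # client MAC -> set of IP addresses bound to that client

    def learn(self, msg):
        """Create a MAC-IP binding from a snooped address-assignment message."""
        ip = msg.get(ADDRESS_FIELD.get(msg["type"], ""))
        if ip is None:  # unknown message, or a DHCPv6 reply carrying only an IA_PD prefix
            return None
        self.bindings.setdefault(msg["mac"], set()).add(ip)
        self.ac.table[msg["mac"]] = self  # report the binding to the AC (step 3)
        return (msg["mac"], ip)

    def forward(self, frame):
        """SAVI validity check: forward only if (src MAC, src IP) matches a binding."""
        return frame["src_ip"] in self.bindings.get(frame["src_mac"], ())

def scenario():
    """Clients 1-3 of the configuration example on AP 1, then Client 1 roams to AP 2."""
    C1, C2, C3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"  # constructed MACs
    ac = AC()
    ap1, ap2 = AP(ac), AP(ac)
    ap1.learn({"type": "DHCPv4_ACK", "mac": C1, "yiaddr": "10.0.0.11"})
    ap1.learn({"type": "DHCPv6_REPLY", "mac": C2, "ia_na": "2001:db8::2"})
    ap1.learn({"type": "DHCPv6_REPLY", "mac": C3, "ia_pd": "2001:db8:1::/64"})  # prefix only: no binding
    r = {
        "client1_ok": ap1.forward({"src_mac": C1, "src_ip": "10.0.0.11"}),
        "client2_ok": ap1.forward({"src_mac": C2, "src_ip": "2001:db8::2"}),
        "client3_spoof": ap1.forward({"src_mac": C3, "src_ip": "10.0.0.11"}),  # Client 1's IP: dropped
    }
    ac.roam(C1, ap2)
    r["roamed_ap2"] = ap2.forward({"src_mac": C1, "src_ip": "10.0.0.11"})
    r["roamed_ap1"] = ap1.forward({"src_mac": C1, "src_ip": "10.0.0.11"})
    return r
```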