Security Configuration

Table 1 User View

Command | Purpose
show user policy | Show password strength enhancement policy.
show login policy | Show login security protection policy.
show privilege view view_name [COMMAND] | Show the privilege level of configuration views or commands.
show privilege rule | Show command privilege level rules.

[Command]

show user policy

[Purpose]

Show password strength enhancement policy.

[View]

Privileged User View

[Use Cases]

sonic-232# show user policy
STATE     EXPIRATION  EXPIRATION WARNING  HISTORY CNT  LEN MIN  REJECT USER PASSW MATCH  LOWER CLASS  UPPER CLASS  DIGITS CLASS  SPECIAL CLASS
--------  ----------  ------------------  -----------  -------  -----------------------  -----------  -----------  ------------  -------------
disabled  30          15                  10           8        true                     true         true         true          true

[Command]

show login policy

[Purpose]

Show login security protection policy.

[View]

Privileged User View

[Use Cases]

sonic# show login policy
+---------+---------------+-------------+---------------------+
| State   | Retry count   | Lock time   | Session hold time   |
+=========+===============+=============+=====================+
| disable | 3             | 300         | 600                 |
+---------+---------------+-------------+---------------------+

[Command]

show privilege view view_name [COMMAND]

[Purpose]

Show the privilege level of configuration views or commands.

[Parameters]

Parameter | Description
view_name | Configuration view; use * to query the permissions of all views (bfd-peer-view/bfd-profile-accelerate-view/bfd-profile-view/bfd-view/bgp-evpn-view/bgp-evpn-vni-view/bgp-ipv4-flowspec-view/bgp-ipv4-labeled-unicast-view/bgp-ipv4-multicast-view/bgp-ipv4-unicast-view/bgp-ipv6-flowspec-view/bgp-ipv6-labeled-unicast-view/bgp-ipv6-multicast-view/bgp-ipv6-view/bgp-view/bgp-vrf-policy-view/cluster-cfg-view/cluster-info-view/collector-cfg-view/config-pmap-c-copp-system-policy-view/configure-acl-nexthop-group-view/configure-acl-user-defined-view/configure-acl-view/configure-arp-to-host-view/configure-buffer-profile-view/configure-cmap-view/configure-dhcp-relay-view/configure-diffservmap-view/configure-erspan-mirror-view/configure-if-view/configure-lagif-view/configure-loif-view/configure-mclag-view/configure-mgmt-view/configure-mstp-view/configure-nat-binding-view/configure-pmap-c-view/configure-pmap-copp-copp-system-policy/configure-pmap-view/configure-sla-view/configure-span-mirror-view/configure-track-view/configure-traffic-behavior-view/configure-view/configure-vlan-view/configure-vlanif-view/configure-vxlanif-view/configure-wred-view/dialout-sub-view/dialout-dst-view/enable-view/configure-roce-view/grpc-client-view/interface-view/isis-view/keychain-key-view/keychain-view/ospf-view/ospf6-view/pbr-map-view/rip-view/routemap-view/vrf-view).
COMMAND | Command; use * to query the permission levels of all commands in the view.

[View]

Privileged User View

[Use Cases]

sonic# show privilege view enable-view show version
----------------------------------------------------------------
VIEW:enable-view    privilege:show
commands in this view    privilege
show version             show

[Command]

show privilege rule

[Purpose]

Show command privilege level rules.

[View]

Privileged User View

[Use Cases]

sonic# show privilege rule
----------------------------------------------------------------------
VIEW           CMD-PATTERN      PRIVILEGE
----------------------------------------------------------------------
enable-view    show version     show
----------------------------------------------------------------------

Table 2 User Config

Command | Purpose
user user_name password | Add new users and configure passwords.
user user_name privilege-level level | Configure user privilege level.
user policy security-enhance | Enable password strength enhancement strategy.
user policy password expiration time | Configure password expiration time.
user policy password min-len length | Configure minimum password length.
user policy login enable | Enable login security protection policy.
user policy login lock-time time | Configure user login retry lock time.
user policy login retry-count count | Configure the number of user login retries.
user policy login session-hold-time time | Configure user session duration.
cmd-privilege level level view view_name command | Configure command privilege level.

[Command]

user user_name password

[Purpose]

Add a new user and set the password.

[Parameters]

Parameter | Description
user_name | Username.

[View]

Global Configuration View

[Notes]

Create a new user and set the password; logging in as this user enters the CISCO-LIKE CLI directly. Run command no user user_name to delete the user configuration.

[Use Cases]

sonic# configure terminal
sonic(config)# user test1 password
New password:
Retype new password:
passwd: password updated successfully
Log in to the switch under this user:
public@Asterfusion:~$ ssh test1@10.250.0.161
test1@10.250.0.161's password:
Linux sonic-161 5.10.0-8-2-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
_ _ _ _ ___ ____
/ \ ___ | |_ ___ _ __ | \ | | / _ \ / ___|
/ _ \ / __|| __| / _ \| '__|| \| || | | |\___ \
/ ___ \ \__ \| |_ | __/| | | |\ || |_| | ___) |
/_/ \_\|___/ \__| \___||_| |_| \_| \___/ |____/
------- Asterfusion Network Operating System -------
Help: http://www.asterfusion.com/
Last login: Mon Sep 15 05:59:13 2025 from 10.250.0.240
sonic#

[Command]

user user_name privilege-level level

[Purpose]

Configure user privilege level.

[Parameters]

Parameter | Description
user_name | Username.
level | Privilege level. There are four levels of permissions: none, show, config, and sys_admin. Users at different levels have different permissions to run commands; the none level has the lowest permissions and the sys_admin level has the highest.

[View]

Global Configuration View

[Use Cases]

sonic# configure terminal
sonic(config)# user us1 privilege-level config

[Command]

user policy security-enhance

[Purpose]

Enable password strength enhancement strategy.

[View]

Global Configuration View

[Notes]

Run command no user policy security-enhance to disable password strength enhancement strategy.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy security-enhance

[Command]

user policy password expiration time

[Purpose]

Configure password expiration time

[Parameters]

Parameter | Description
time | Password expiration time in days; the range is 30-365 days and the default value is 180 days.

[View]

Global Configuration View

[Notes]

When the password strength enhancement policy is enabled, newly created users will be asked to change their password when the configured password expires. Run command no user policy password expiration to restore the password expiration time to the default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy password expiration 30

[Command]

user policy password min-len length

[Purpose]

Configure minimum password length.

[Parameters]

Parameter | Description
length | The minimum password length; the range is 6 to 32 and the default value is 8.

[View]

Global Configuration View

[Notes]

When the password strength enhancement strategy is enabled, the password of a newly created user must meet the minimum password length. Run command no user policy min-len to restore the minimum password length to the default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy password min-len 6
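
The checks implied by the policy fields shown in show user policy (min-len, the four character classes, history count, user-name rejection, expiration and warning days), as an added Python example that is not the switch's own code. The check wording, the plaintext history list and the day arithmetic are assumptions; the defaults are the ones given on this page.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class PasswordPolicy:
    """Fields as listed by 'show user policy'; defaults taken from this page."""
    min_len: int = 8              # user policy password min-len (6-32)
    history_cnt: int = 10         # recent passwords that may not be reused
    reject_user_match: bool = True
    lower_class: bool = True
    upper_class: bool = True
    digits_class: bool = True
    special_class: bool = True
    expiration_days: int = 180    # user policy password expiration (30-365)
    warning_days: int = 15        # warn this many days before expiry


def validate_password(candidate: str, username: str, history: List[str],
                      policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations for a proposed password (empty = accepted).

    Hypothetical check logic: the page lists the policy fields, not the switch's
    own ordering or messages. 'history' holds previous passwords, newest last;
    a real system would compare hashes rather than plaintext.
    """
    problems = []
    if len(candidate) < policy.min_len:
        problems.append(f"shorter than min-len {policy.min_len}")
    if policy.reject_user_match and username.lower() in candidate.lower():
        problems.append("contains the user name")
    classes = {
        "lower": (policy.lower_class, any(c.islower() for c in candidate)),
        "upper": (policy.upper_class, any(c.isupper() for c in candidate)),
        "digit": (policy.digits_class, any(c.isdigit() for c in candidate)),
        "special": (policy.special_class,
                    any(c in string.punctuation for c in candidate)),
    }
    for name, (required, present) in classes.items():
        if required and not present:
            problems.append(f"missing {name} character")
    recent = history[-policy.history_cnt:] if policy.history_cnt else []
    if candidate in recent:
        problems.append(f"reused one of the last {policy.history_cnt} passwords")
    return problems


def expiry_state(last_changed: date, today: date, policy: PasswordPolicy) -> str:
    """'ok', 'warning' (inside the warning window) or 'expired'."""
    expires_on = last_changed + timedelta(days=policy.expiration_days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=policy.warning_days):
        return "warning"
    return "ok"
```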

[Command]

user policy login enable

[Purpose]

Enable login security protection policy.

[View]

Global Configuration View

[Notes]

Run command user policy login disable to disable login security protection policy.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login enable

[Command]

user policy login lock-time time

[Purpose]

Configure user login retry lock time.

[Parameters]

Parameter | Description
time | Lock time in seconds; the range is 60 to 9999 and the default value is 300.

[View]

Global Configuration View

[Notes]

Run command no user policy login lock-time to restore the lock time to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login lock-time 100

[Command]

user policy login retry-count count

[Purpose]

Configure the number of user login retry.

[Parameters]

Parameter | Description
count | Retry count; the range is 2 to 99 and the default value is 3.

[View]

Global Configuration View

[Notes]

Under the login security policy, when the number of failed login attempts reaches the retry limit, the account enters a login retry lockout period. During this time the user cannot log in even with the correct username and password. After the lockout period expires, the user can attempt to log in again. Run command no user policy retry-count to restore the retry count to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login retry-count 5

[Command]

user policy login session-hold-time time

[Purpose]

Configure user session duration.

[Parameters]

Parameter | Description
time | Session hold time in seconds; the value is 0 or in the range 60 to 99999, and the default value is 600. A value of 0 means the session stays active and never exits automatically.

[View]

Global Configuration View

[Notes]

Run command no user policy login session-hold-time to restore the session hold time to its default value.

[Use Cases]

sonic# configure terminal
sonic(config)# user policy login session-hold-time 1000
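
The lockout behaviour described under user policy login retry-count, lock-time and session-hold-time, as an added Python example that is not the switch's own code. The class name, the injected clock value and the SHA-256 credential store are assumptions made so the example runs offline; the defaults (3 retries, 300 s lock, 600 s hold) and the "0 means never expire" rule come from this page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass
class LoginPolicy:
    """Values set by 'user policy login ...'; defaults from this page."""
    retry_count: int = 3          # failed attempts before lockout
    lock_time: int = 300          # seconds the account stays locked
    session_hold_time: int = 600  # idle seconds before a session ends; 0 = never


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0     # absolute time (same clock as 'now')


def hash_password(password: str) -> str:
    """Constructed credential store format: hex SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    """Hypothetical lockout tracker modelled on the login policy notes above."""

    def __init__(self, policy: LoginPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # username -> hash_password(...)
        self.state: Dict[str, AccountState] = {}

    def _secret_ok(self, user: str, password: str) -> bool:
        expected = self.credentials.get(user, "")
        return hmac.compare_digest(expected, hash_password(password))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad-credentials' or 'locked' for one login attempt at time 'now'."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            # Inside the lockout window even correct credentials are refused.
            return "locked"
        if self._secret_ok(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.retry_count:
            # Retry limit reached: start the lock-time window and reset the counter.
            st.locked_until = now + self.policy.lock_time
            st.failures = 0
        return "bad-credentials"

    def session_expired(self, last_activity: float, now: float) -> bool:
        """session-hold-time 0 keeps the session open indefinitely."""
        if self.policy.session_hold_time == 0:
            return False
        return now - last_activity >= self.policy.session_hold_time
```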

[Command]

cmd-privilege level level view view_name COMMAND

[Purpose]

Configure command privilege level.

[Parameters]

Parameter | Description
level | Privilege level. There are four levels of permissions: none, show, config, and sys_admin. Users at different levels have different permissions to run commands; the none level has the lowest permissions and the sys_admin level has the highest.
view_name | Configuration view (bfd-peer-view/bfd-profile-accelerate-view/bfd-profile-view/bfd-view/bgp-evpn-view/bgp-evpn-vni-view/bgp-ipv4-flowspec-view/bgp-ipv4-labeled-unicast-view/bgp-ipv4-multicast-view/bgp-ipv4-unicast-view/bgp-ipv6-flowspec-view/bgp-ipv6-labeled-unicast-view/bgp-ipv6-multicast-view/bgp-ipv6-view/bgp-view/bgp-vrf-policy-view/cluster-cfg-view/cluster-info-view/collector-cfg-view/config-pmap-c-copp-system-policy-view/configure-acl-nexthop-group-view/configure-acl-user-defined-view/configure-acl-view/configure-arp-to-host-view/configure-buffer-profile-view/configure-cmap-view/configure-dhcp-relay-view/configure-diffservmap-view/configure-erspan-mirror-view/configure-if-view/configure-lagif-view/configure-loif-view/configure-mclag-view/configure-mgmt-view/configure-mstp-view/configure-nat-binding-view/configure-pmap-c-view/configure-pmap-copp-copp-system-policy/configure-pmap-view/configure-sla-view/configure-span-mirror-view/configure-track-view/configure-traffic-behavior-view/configure-view/configure-vlan-view/configure-vlanif-view/configure-vxlanif-view/configure-wred-view/dialout-sub-view/dialout-dst-view/configure-roce-view/enable-view/grpc-client-view/interface-view/isis-view/keychain-key-view/keychain-view/ospf-view/ospf6-view/pbr-map-view/rip-view/routemap-view/vrf-view).
COMMAND | Command; the rule whose pattern is the longest prefix of the entered command takes effect.

[View]

Global Configuration View

[Notes]

Run command no cmd-privilege level level view view_name COMMAND to delete the configured command permission.

[Use Cases]

sonic# configure terminal
sonic(config)# cmd-privilege level none view enable-view show version
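
The resolution order described for cmd-privilege (the four ordered levels, the rule whose pattern is the longest prefix of the entered command winning, and the view's own level applying when no rule matches), as an added Python example that is not the switch's own code. The class and method names and the per-view default levels passed to the constructor are assumptions; the sample rule is the one from the use case above.

```python
from typing import Dict, Optional, Tuple

# Privilege levels from lowest to highest, as described for 'user ... privilege-level'.
LEVELS = ("none", "show", "config", "sys_admin")


def level_rank(level: str) -> int:
    """Position of a level in the ordering; raises on an unknown name."""
    if level not in LEVELS:
        raise ValueError(f"unknown privilege level: {level}")
    return LEVELS.index(level)


class PrivilegeTable:
    """Hypothetical resolver for 'cmd-privilege level L view V COMMAND' rules.

    view_levels gives each view's own level (what 'show privilege view' prints as
    'privilege:...'); rules override it for commands matched by longest prefix.
    """

    def __init__(self, view_levels: Dict[str, str]):
        self.view_levels = dict(view_levels)
        self.rules: Dict[Tuple[str, str], str] = {}   # (view, pattern) -> level

    @staticmethod
    def _norm(command: str) -> str:
        return " ".join(command.split())

    def add_rule(self, level: str, view: str, command: str) -> None:
        level_rank(level)                               # validate the level name
        self.rules[(view, self._norm(command))] = level

    def remove_rule(self, view: str, command: str) -> None:
        """'no cmd-privilege ...': drop the rule if present."""
        self.rules.pop((view, self._norm(command)), None)

    def required_level(self, view: str, command: str) -> str:
        tokens = self._norm(command).split()
        best: Optional[Tuple[int, str]] = None          # (prefix length, level)
        for (rule_view, pattern), level in self.rules.items():
            if rule_view != view:
                continue
            ptoks = pattern.split()
            # A pattern applies when it is a whole-token prefix of the command.
            if tokens[:len(ptoks)] == ptoks and (best is None or len(ptoks) > best[0]):
                best = (len(ptoks), level)
        return best[1] if best is not None else self.view_levels[view]

    def may_run(self, user_level: str, view: str, command: str) -> bool:
        """True when the user's level is at least the level the command requires."""
        return level_rank(user_level) >= level_rank(self.required_level(view, command))
```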

Table 3 AAA View

Command | Purpose
show aaa | Display AAA configuration.

[Command]

show aaa

[Purpose]

Display AAA configuration.

[View]

Privileged User View

[Use Cases]

sonic# show aaa
AAA accounting command local (default)
AAA authentication login local (default)
AAA authentication failthrough False (default)
AAA authorization command local (default)

Table 4 AAA Config

Command | Purpose
aaa authentication-mode failthrough {enable|disable|default} | Configure the authentication failthrough feature of AAA.
aaa authentication-mode login {tacacs+|local|tacacs+,local|local,tacacs+|radius,local|local,radius|radius|default} | Set the authentication mode of AAA.
aaa accounting-mode {tacacs+|local|tacacs+,local|local,tacacs+|default} | Set the accounting mode of AAA.

[Command]

aaa authentication-mode failthrough {enable|disable|default}

[Purpose]

Configure authentication failthrough feature of AAA.

[View]

Global Configuration View

[Notes]

This feature is disabled by default. When it is enabled, in multi-level authentication, a failure at the first level continues to the second level; otherwise authentication ends immediately.

[Use Cases]

sonic# configure
sonic(config)# aaa authentication-mode failthrough enable

[Command]

aaa authentication-mode login {tacacs+|local|tacacs+,local|local,tacacs+|radius,local|local,radius|radius|default}

[Purpose]

Set authentication mode of AAA.

[View]

Global Configuration View

[Notes]

The default mode is local. The comma-separated patterns indicate multi-level authentication.

[Use Cases]

sonic# configure
sonic(config)# aaa authentication-mode login tacacs+,local

[Command]

aaa accounting-mode {tacacs+|local|tacacs+,local|local,tacacs+|default}

[Purpose]

Set accounting mode of AAA.

[View]

Global Configuration View

[Notes]

The default mode is local. The comma-separated patterns indicate multi-level accounting.

[Use Cases]

sonic# configure
sonic(config)# aaa accounting-mode tacacs+

Table 5 RADIUS View

Command | Purpose
show radius | Display RADIUS configuration.

[Command]

show radius

[Purpose]

Display RADIUS configuration.

[View]

Privileged User View

[Use Cases]

sonic# show radius
RADIUS global auth_type pap (default)
RADIUS global retransmit 3 (default)
RADIUS global timeout 5 (default)
RADIUS global passkey <EMPTY_STRING> (default)

Table 6 RADIUS Config

Command | Purpose
radius server server-ip [priority priority|port port_number|use-mgmt-vrf] shared-secret | Configure a RADIUS server.
radius nasip ip_address | Configure the NAS-IP address.

[Command]

radius server server-ip [priority priority|port port_number|use-mgmt-vrf] shared-secret

[Purpose]

Configure a RADIUS server.

[Parameters]

Parameter | Description
server-ip | RADIUS server IP address.
port_number | Port number to be used; the range is 1-65535 and the default value is 1812.

[View]

Global Configuration View

[Notes]

You will be prompted to enter the key after the command is entered. Run command no radius server server-ip to delete RADIUS server configuration.

[Use Cases]

sonic# configure
sonic(config)# radius server 10.250.0.244 shared-secret

[Command]

radius nasip ip_address

[Purpose]

Configure the NAS-IP address of the RADIUS.

[Parameters]

Parameter | Description
ip_address | NAS-IP address, IPv4 or IPv6; the default address is 127.0.0.1.

[View]

Global Configuration View

[Notes]

Run command no radius nasip to restore the NAS-IP address of RADIUS to its default value.

[Use Cases]

sonic# configure
sonic(config)# radius nasip 1.1.1.1

Table 7 TACACS+ View

Command | Purpose
show tacacs | Display TACACS configuration.

[Command]

show tacacs

[Purpose]

Display TACACS configuration.

[View]

Privileged User View

[Use Cases]

sonic# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

Table 8 TACACS+ Config

Command | Purpose
tacacs-server authtype {chap|pap|mschap|login} | Specify the authentication type of the TACACS server.
tacacs-server default {authtype|passkey|timeout} | Restore the default TACACS configuration.
tacacs-server passkey | Configure the global key for TACACS.
tacacs-server cipher ciphertext | Configure the global key for TACACS with ciphertext.
tacacs-server timeout interval | Configure the global timeout for TACACS.
tacacs-server server-ip [cipher ciphertext|timeout interval|key|auth-type type|port tcp_port|pri priority|use-mgmt-vrf] | Configure a TACACS server.

[Command]

tacacs-server authtype {chap|pap|mschap|login}

[Purpose]

Specify the authentication type of the TACACS server.

[View]

Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server authtype chap

[Command]

tacacs-server default {authtype|passkey|timeout}

[Purpose]

Restore to the default TACACS configuration.

[View]

Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server default authtype

[Command]

tacacs-server passkey

[Purpose]

Configure the global key for TACACS.

[View]

Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server passkey
Please enter passkey:
sonic(config)#

[Command]

tacacs-server cipher ciphertext

[Purpose]

Configure the global key for TACACS with ciphertext.

[Parameters]

Parameter | Description
ciphertext | The passkey in ciphertext form.

[View]

Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server cipher U2FsdGVkX1/k50xAcc66gpXcarr94pu8i3HUSpUsK7U=

[Command]

tacacs-server timeout interval

[Purpose]

Configure the global timeout for TACACS.

[Parameters]

Parameter | Description
interval | Specify the interval in seconds. The range is from 0 to 60.

[View]

Global Configuration View

[Use Cases]

sonic# configure
sonic(config)# tacacs-server timeout 60

[Command]

tacacs-server server-ip [cipher ciphertext|timeout interval|key|auth-type type|port tcp_port|pri priority|use-mgmt-vrf]

[Purpose]

Configure a TACACS server.

[Parameters]

Parameter | Description
server-ip | TACACS server IP address.
ciphertext | The passkey in ciphertext form.
interval | Specify the interval in seconds. The default is 5.
type | Specify the authentication type: chap, pap, mschap or login.
tcp_port | Specify the TCP port number; the default is 49 and the range is [1,65535].
priority | Specify the priority; the default is 1.

[View]

Global Configuration View

[Notes]

Run command no tacacs-server A.B.C.D to delete the TACACS server.

[Use Cases]

sonic# configure
sonic(config)# tacacs-server 10.250.0.244 timeout 5 key auth-type chap port 2 pri 2 use-mgmt-vrf
Please enter passkey:
sonic(config)#

Table 9 ACL View

Command | Purpose
show acl table [table_name] | Display existing ACL tables.
show acl rule [table_name] [rule_id] | Display existing ACL rules.
show counters acl [table_name] [rule-id] | Display ACL counters.
clear counters acl | Clear ACL counters.
show time-range {all|timer-name} | Display the configured ACL time ranges.

[Command]

show acl table [table_name]

[Purpose]

Display existing ACL tables.

[Parameters]

Parameter | Description
table_name | Specify the table name.

[View]

Privileged User View

[Use Cases]

sonic# show acl table
Name     Type         Binding    Description    Stage
-------  -----------  ---------  -------------  -------
TABLE_2  L3           Ethernet8  TABLE_2        ingress
TABLE_1  VXLAN_STATS             TABLE_1        ingress
sonic# show acl table TABLE_1
Name     Type         Binding    Description    Stage
-------  -----------  ---------  -------------  -------
TABLE_1  VXLAN_STATS             TABLE_1        ingress

[Command]

show acl rule [table_name] [rule_id]

[Purpose]

Display existing ACL rules.

[Parameters]

Parameter | Description
table_name | Specify the table name.
rule_id | Specify the rule name.

[View]

Privileged User View

[Use Cases]

sonic# show acl rule
Table    Rule          Priority    Action    Match
-------  ------------  ----------  --------  -----------------------
DATAACL  RULE_1        9999        DROP      SRC_IP: 10.0.0.2/32
DATAACL  RULE_2        9998        DROP      DST_IP: 192.168.0.16/32
DATAACL  RULE_3        9997        DROP      L4_SRC_PORT: 4661
DATAACL  RULE_4        9996        DROP      IP_PROTOCOL: 126
DATAACL  RULE_13       9987        DROP      IP_PROTOCOL: 1
                                             SRC_IP: 10.0.0.2/32
sonic# show acl rule TABLE_1 RULE_1
Table    Rule    Priority    Action    Match
-------  ------  ----------  --------  --------------------
TABLE_1  RULE_1  100         DROP      SRC_IP: 200.0.0.2/24

[Command]

show counters acl [table_name] [rule-id]

[Purpose]

Display ACL counters.

[Parameters]

Parameter | Description
table_name | Specify the table name.
rule_id | Specify the rule name.

[View]

Privileged User View

[Notes]

Specify multiple tables or rules separated by commas.

[Use Cases]

sonic# show counters acl TABLE_1,TABLE_2
RULE NAME    TABLE NAME    PRIO    PACKETS COUNT    BYTES COUNT
-----------  ------------  ------  ---------------  -------------
RULE_1       TABLE_1       100     N/A              N/A
rule_2       TABLE_2       2       N/A              N/A
rule_1       TABLE_2       1       N/A              N/A

[Command]

clear counters acl

[Purpose]

Clear ACL counters.

[View]

Privileged User View

[Use Cases]

sonic# clear counters acl

[Command]

show time-range {all|timer-name}

[Purpose]

Display the configured ACL time ranges.

[View]

Privileged User View

[Use Cases]

sonic# show time-range all
sonic# show time-range timer-1

Table 10 Control-plane ACL

Command | Purpose
access-list table_name ctrlplane protocol | Add a control-plane ACL table.
rule rule_id packet-action {accept|deny} [source-ip sip|source-ipv6 sipv6] [time-range timer-name] | Add an ACL rule.
rule default_drop [interface all] | Configure the drop rule.

[Command]

access-list table_name ctrlplane protocol

[Purpose]

Add a control-plane ACL table.

[Parameters]

Parameter | Description
table_name | ACL table name.
protocol | Specify one or more control-plane protocols: NTP, SNMP, SSH, BGP or TELNET. Separate multiple protocols with commas.

[View]

Global Configuration View

[Notes]

Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane ssh
sonic(config-ctrlplane-acl-test1)#

[Command]

rule rule_id packet-action {accept|deny} [source-ip sip|source-ipv6 sipv6] [time-range timer-name]

[Purpose]

Add an ACL rule.

[Parameters]

Parameter | Description
rule_id | ACL rule id, which is also the priority; the range is 0 to 500. The larger the value, the higher the priority.
sip | Source IP, A.B.C.D(/M)
sipv6 | Source IPv6, X:X::X:X(/M)
timer-name | ACL time range name

[View]

ACL table Configuration View

[Notes]

Rules with the same priority are not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane SSH
sonic(config-ctrlplane-acl-test1)# rule 100 packet-action deny source-ip 192.168.10.85
sonic(config-ctrlplane-acl-test1)# rule 1 source-ip 192.168.30.138 packet-action deny time-range timer-1
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane SSH
rule 100 packet-action deny source-ip 192.168.10.85
rule 1 source-ip 192.168.30.138 packet-action deny time-range timer-1

[Command]

rule default_drop [interface all]

[Purpose]

Add drop rule.

[Parameters]

Parameter | Description
interface all | Drop the protocol packets arriving on all interfaces. Without this parameter, only protocol packets arriving on the eth0 port are dropped by default.

[View]

ACL table Configuration View

[Notes]

Run command no rule default_drop to delete the drop rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane SSH
sonic(config-ctrlplane-acl-test1)# rule default_drop interface all
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane SSH
rule default_drop interface all
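
How a control-plane ACL table from the two use cases above would be evaluated (rule id as priority with the larger value winning, one rule per priority, time-range gating, and default_drop on eth0 only or on all interfaces), as an added Python example that is not the switch's own code. The class and method names, the interface name strings and the assumption that a protocol not listed for the table is left alone are all mine; the rule values are the ones from the use cases.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    rule_id: int                    # 0-500; the larger the value, the higher the priority
    action: str                     # packet-action: 'accept' or 'deny'
    source: Optional[str] = None    # A.B.C.D(/M) or X:X::X:X(/M); None matches any source
    time_range: Optional[str] = None  # only active while this time range is in effect


class CtrlplaneAcl:
    """Hypothetical evaluator for 'access-list NAME ctrlplane PROTOCOL' tables."""

    def __init__(self, name: str, protocols: List[str]):
        self.name = name
        self.protocols = {p.upper() for p in protocols}   # e.g. {'SSH'}
        self.rules: Dict[int, Rule] = {}
        self.default_drop = False
        self.default_drop_all_interfaces = False

    def add_rule(self, rule: Rule) -> None:
        if not 0 <= rule.rule_id <= 500:
            raise ValueError("rule id must be in the range 0 to 500")
        if rule.action not in ("accept", "deny"):
            raise ValueError("packet-action must be accept or deny")
        if rule.rule_id in self.rules:
            raise ValueError(f"rule {rule.rule_id}: same priority not allowed in one table")
        if rule.source is not None:
            ipaddress.ip_network(rule.source, strict=False)   # reject malformed prefixes early
        self.rules[rule.rule_id] = rule

    def set_default_drop(self, all_interfaces: bool = False) -> None:
        """'rule default_drop [interface all]'."""
        self.default_drop = True
        self.default_drop_all_interfaces = all_interfaces

    @staticmethod
    def _source_matches(rule: Rule, src_ip: str) -> bool:
        if rule.source is None:
            return True
        net = ipaddress.ip_network(rule.source, strict=False)
        addr = ipaddress.ip_address(src_ip)
        return addr.version == net.version and addr in net

    def decide(self, protocol: str, src_ip: str, interface: str = "eth0",
               active_ranges: Optional[Set[str]] = None) -> str:
        """Return 'accept' or 'deny' for one control-plane packet.

        active_ranges names the time ranges currently in effect; a rule whose
        time-range is not active is skipped.
        """
        active = active_ranges or set()
        if protocol.upper() not in self.protocols:
            return "accept"                     # assumption: table does not govern this protocol
        for rid in sorted(self.rules, reverse=True):   # highest priority first
            rule = self.rules[rid]
            if rule.time_range is not None and rule.time_range not in active:
                continue
            if self._source_matches(rule, src_ip):
                return rule.action
        if self.default_drop and (self.default_drop_all_interfaces or interface == "eth0"):
            return "deny"
        return "accept"
```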

Table 11 Data-plane ACL

Command | Purpose
access-list table_name {l2|l3|l3v6|mirror|mirrorv6|flow_control} {ingress|egress} | Add a data-plane ACL table.
bind interface {{ethernet|link-aggregation} interface_name|all}} | Apply the ACL table to the interface.
rule rule_id ACTION RULE [time-range timer-name] | Create an ACL rule.

[Command]

access-list table_name {l2|l3|l3v6|mirror|mirrorv6|flow_control} {ingress|egress}

[Purpose]

Add a data-plane ACL table.

[Parameters]

Parameter | Description
table_name | ACL table name.

[View]

Global Configuration View

[Notes]

ACLs of type L2/L3/L3v6 are used for Layer 2, Layer 3 and Layer 3 IPv6 traffic forwarding, respectively. Mirror/Mirrorv6 are used for local mirroring (SPAN) and remote mirroring (ERSPAN). Flow_Control is usually used together with the Policer module to rate-limit specific flows. Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 flow_control ingress
sonic(config)# access-list TABLE_3 l3 egress

[Command]

bind interface {{ethernet|link-aggregation} interface_name|all}}

[Purpose]

Apply the ACL table to the interface.

[Parameters]

Parameter | Description
interface_name | Interface name (e.g. 0/1).
all | Binds to all interfaces.

[View]

ACL table Configuration View

[Notes]

An ACL table is bound to ports. Binding an ACL table to some ports means the table applies to the traffic on those ports. An ACL table can be bound to multiple ports, and a port can have multiple ACL tables, which is a “many-to-many” relationship. Run command no bind interface {{ethernet|link-aggregation} interface_name|all}} to unbind the interface.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress
sonic(config-l3-acl-table_1)# bind interface ethernet 0/1
sonic(config-l3-acl-table_1)# bind interface all

rule rule_id ACTION RULE [time-range timer-name]

[Command]

rule rule_id packet-action {drop|deny|permit|trap-to-cpu|copy-to-cpu} RULE [time-range timer-name] Drop/deny/forward/trap to CPU/trap to CPU and forward (ingress).

rule rule_id packet-action {deny|permit|trap-to-cpu|copy-to-cpu} RULE [time-range timer-name] Deny/forward (egress).

rule rule_id redirect-action {{ethernet|link-aggregation} interface_name|A.B.C.D|X:X::X:X} RULE [time-range timer-name] Redirect (ingress only).

rule rule_id set-tc tc RULE [time-range timer-name] Set CoS (ingress only).

rule rule_id set-dscp dscp RULE [time-range timer-name] Set DSCP.

rule rule_id set-pcp pcp RULE [time-range timer-name] Set VLAN priority.

rule rule_id traffic-behavior traffic_behavior_name RULE [time-range timer-name] Rate-limit a specific flow (Flow_Control only).

rule rule_id action mirror-session session-id Configure traffic mirroring for specific flows.

[Purpose]

Create an ACL rule.

[Parameters]

Parameter | Description
rule_id | ACL rule id, which is also the priority; the range is 0 to 500. The larger the value, the higher the priority.

Different ACL table types support different match fields:

  • L2 ACL Table
Field | Description
outer-vlan outer-vlan | range [1,4094]
ethernet-type eth-type | HEX<0-FFFF>
source-mac smac | HH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn/mask(nn:nn:nn:nn:nn:nn) (ingress only)
destination-mac dmac | HH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn/mask(nn:nn:nn:nn:nn:nn) (ingress only)
vlan-pri vlan-pri | range 0-7
  • L3 ACL Table
Field | Description
vlan-pri vlan-pri | range 0-7
outer-vlan outer-vlan | range [1,4094]
ip-protocol ip-protocol | range 0-255
source-port sport | range 0-65535
destination-port dport | range 0-65535
tcp-flags tcp-flags | range 0-63
source-ip sip | A.B.C.D(/M)
destination-ip dip | A.B.C.D(/M)
icmp-type icmp-type | range 0-16
icmp-code icmp-code | range 0-5
ethernet-type eth-type | HEX<0-FFFF> (ingress only)
ecn ecn | range 0-3
dscp dscp | range 0-63
ip-precedence ip-precedence | range 0-7
ip-type ip-type | any/ip/non_ip/ipv4any/non_ipv4/ipv6any/non_ipv6/arp/arp_request/arp_reply
  • L3v6 ACL Table
Field | Description
ip-protocol ip-protocol | range 0-255 (ingress only)
source-port sport | range 0-65535 (only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2)
destination-port dport | range 0-65535 (only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2)
source-ipv6 sipv6 | X:X::X:X(/M) (only matches the high 64 bits of the address)
destination-ipv6 dipv6 | X:X::X:X(/M) (only matches the high 64 bits of the address)
icmpv6-type icmpv6-type | range 1-137 (ingress only)
icmpv6-code icmpv6-code | range 0-4 (ingress only)
ethernet-type eth-type | HEX<0-FFFF> (ingress only)
dscp dscp | range 0-63
flow-label flow-label | HEX<0-FFFF> (ingress only)
  • Mirror ACL Table
Field | Description
outer-vlan outer-vlan | range [1,4094]
source-port sport | range 0-65535
destination-port dport | range 0-65535
tcp-flags tcp-flags | range 0-63
source-ip sip | A.B.C.D(/M)
destination-ip dip | A.B.C.D(/M)
icmp-type icmp-type | range 0-16
icmp-code icmp-code | range 0-5
dscp dscp | range 0-63
ip-type ip-type | any/ip/non_ip/ipv4any/non_ipv4/ipv6any/non_ipv6/arp/arp_request/arp_reply
bth-opcode bth-opcode | range 0-255
aeth-syndrome aeth-syndrome | range 0-255
  • Mirrorv6 ACL Table
Field | Description
source-ipv6 sipv6 | X:X::X:X(/M)
destination-ipv6 dipv6 | X:X::X:X(/M)
bth-opcode bth-opcode | range 0-255
aeth-syndrome aeth-syndrome | range 0-255
  • Flow_Control ACL Table
Field | Description
outer-vlan outer-vlan | range [1,4094]
ip-protocol ip-protocol | range 0-255
source-port sport | range 0-65535
destination-port dport | range 0-65535
source-ip sip | A.B.C.D(/M)
destination-ip dip | A.B.C.D(/M)
source-mac smac | HH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn/mask(nn:nn:nn:nn:nn:nn) (ingress only)
destination-mac dmac | HH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn/mask(nn:nn:nn:nn:nn:nn) (ingress only)
in-ports port-list | Specify a list of bound interfaces, with multiple interfaces separated by commas.

[View]

ACL table Configuration View

[Notes]

An ACL rule can only be added to one table, but a table can have more than one rule; that is, rule and table have a “many-to-one” relationship. Rules with the same priority are not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit
sonic(config-l3-acl-table_1)# rule 1 source-ip 192.168.30.138 set-tc 6 time-range timer-1

Table 12 Policy routing based on ACL

Command | Purpose
access-list nexthop-group group_number | Add a next-hop group.
ip-address {A.B.C.D|X:X::X:X} | Add next hops to the next-hop group.
access-list table_name {l3|l3v6} ingress | Add an ACL table.
bind interface {{ethernet|link-aggregation} interface_name|all}} | Apply the ACL table to the interface.
rule rule_id redirect-action nexthop-group group_number [RULE] [time-range timer-name] | Add a policy route based on ACL.

[Command]

access-list nexthop-group group_number

[Purpose]

Add a next-hop group.

[Parameters]

Parameter | Description
group_number | Next-hop group number; the range is 1 to 12.

[View]

Global Configuration View

[Notes]

Run command no access-list nexthop-group group_number to delete the nexthop-group.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)#

[Command]

ip-address {A.B.C.D|X:X::X:X}

[Purpose]

Add next hops to the next-hop group.

[Parameters]

Parameter  Description
A.B.C.D    IPv4 address
X:X::X:X   IPv6 address

[View]

Next-hop Group Configuration View

[Notes]

The next-hop address must be reachable, and the configuration takes effect after commit. Run command no ip-address {A.B.C.D|X:X::X:X} to delete a next-hop address.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)# ip-address 1.0.0.1
sonic(config-acl-nexthop-group-1)# ip-address 2.0.0.1
sonic(config-acl-nexthop-group-1)# ip-address 2000::1
sonic(config-acl-nexthop-group-1)# ip-address 2001::1
sonic(config-acl-nexthop-group-1)# commit
sonic(config-acl-nexthop-group-1)# show this
!
access-list nexthop-group 1
ip-address 1.0.0.1
ip-address 2.0.0.1
ip-address 2000::1
ip-address 2001::1
commit

[Command]

access-list table_name {l3|l3v6} ingress

[Purpose]

Add an ACL table.

[Parameters]

Parameter   Description
table_name  ACL table name.

[View]

Global Configuration View

[Notes]

Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test l3 ingress

[Command]

bind interface {{ethernet|link-aggregation} interface_name|all}

[Purpose]

Apply the ACL table to the interface.

[Parameters]

Parameter       Description
interface_name  Interface name (e.g. 0/1)
all             Binds to all interfaces.

[View]

ACL table Configuration View

[Notes]

Run command no bind interface {{ethernet|link-aggregation} interface_name|all} to unbind the interface.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test l3 ingress
sonic(config-l3-acl-test)# bind interface ethernet 0/1
sonic(config-l3-acl-test)# rule 10 destination-ip 96.0.0.7 redirect-action nexthop-group 1

[Command]

rule rule_id redirect-action nexthop-group group_number [RULE] [time-range timer-name]

[Purpose]

Add a policy route based on ACL.

[Parameters]

Parameter     Description
rule_id       ACL rule id, also indicates the priority, range from 0 to 500. The larger the value, the higher the priority.
group_number  Next-hop group number, the range is 1~12.

Different ACL table types support different match fields:

  • L3 ACL Table
Field                    Description
vlan-pri vlan-pri        range 0-7
outer-vlan outer-vlan    range [1,4094]
ip-protocol ip-protocol  range 0-255
source-port sport        range 0-65535
destination-port dport   range 0-65535
tcp-flags tcp-flags      HEX<0-FF>
source-ip sip            A.B.C.D(/M)
destination-ip dip       A.B.C.D(/M)
icmp-type icmp-type      range 0-16
icmp-code icmp-code      range 0-5
ethernet-type eth-type   HEX<0-FFFF>
ecn ecn                  range 0-3
dscp dscp                range 0-63
  • L3v6 ACL Table
Field                    Description
ip-protocol ip-protocol  range 0-255
source-port sport        range 0-65535
destination-port dport   range 0-65535
tcp-flags tcp-flags      HEX<0-FF>
source-ipv6 sipv6        X:X::X:X(/M)
destination-ipv6 dipv6   X:X::X:X(/M)
icmpv6-type icmpv6-type  range 1-137
icmpv6-code icmpv6-code  range 0-4
ethernet-type eth-type   HEX<0-FFFF>

[View]

ACL table Configuration View

[Notes]

Rules with the same priority are not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress
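
The match-field sets and ranges above, the rule_id and group_number ranges, and the one-priority-per-table rule can all be checked offline before a change is pushed. The following Python is an added example, not code from the vendor or the switch: validate_rules, in_range, the field dictionaries and the sample rule lines are mine, and the sample lines are constructed in this section's syntax rather than captured from a device.

```python
# Added example, not from the vendor's documentation or code: check the policy-route
# rules of one ACL table against the constraints stated in this section. Range None
# marks an address field (A.B.C.D(/M) or X:X::X:X(/M)) that is not range-checked here.
L3_FIELDS = {"vlan-pri": (0, 7), "outer-vlan": (1, 4094), "ip-protocol": (0, 255),
             "source-port": (0, 65535), "destination-port": (0, 65535), "tcp-flags": (0, 0xFF),
             "icmp-type": (0, 16), "icmp-code": (0, 5), "ethernet-type": (0, 0xFFFF),
             "ecn": (0, 3), "dscp": (0, 63), "source-ip": None, "destination-ip": None}
L3V6_FIELDS = {"ip-protocol": (0, 255), "source-port": (0, 65535), "destination-port": (0, 65535),
               "tcp-flags": (0, 0xFF), "icmpv6-type": (1, 137), "icmpv6-code": (0, 4),
               "ethernet-type": (0, 0xFFFF), "source-ipv6": None, "destination-ipv6": None}
HEX_FIELDS = {"tcp-flags", "ethernet-type"}  # documented as HEX<0-FF> and HEX<0-FFFF>

def in_range(name, value, lo, hi):
    """True if value parses (hex for HEX fields) and lies within the documented range."""
    try:
        return lo <= int(value, 16 if name in HEX_FIELDS else 10) <= hi
    except ValueError:
        return False

def validate_rules(table_type, rule_lines):
    """Return error strings for the 'rule ...' lines of an l3 or l3v6 table; [] if all pass."""
    fields = {"l3": L3_FIELDS, "l3v6": L3V6_FIELDS}[table_type]
    errors, seen_ids = [], set()
    for line in rule_lines:
        tok = line.split()          # tok[0] == "rule", tok[1] == rule_id
        rid = int(tok[1])
        if not 0 <= rid <= 500:
            errors.append(f"rule {rid}: rule_id must be 0..500")
        if rid in seen_ids:         # the same priority twice in one table is rejected
            errors.append(f"rule {rid}: duplicate priority in this table")
        seen_ids.add(rid)
        i = 2
        while i < len(tok) and tok[i] != "redirect-action":
            name, value = tok[i], tok[i + 1] if i + 1 < len(tok) else ""
            if name not in fields:
                errors.append(f"rule {rid}: field {name} not valid for {table_type} table")
            elif fields[name] and not in_range(name, value, *fields[name]):
                errors.append(f"rule {rid}: {name} {value!r} outside {fields[name]}")
            i += 2
        rest = tok[i:]              # redirect-action nexthop-group <1..12> [time-range <name>]
        if (len(rest) < 3 or rest[1] != "nexthop-group" or not rest[2].isdigit()
                or not 1 <= int(rest[2]) <= 12):
            errors.append(f"rule {rid}: need 'redirect-action nexthop-group <1..12>'")
    return errors

# Constructed sample (not captured from a device); the second 'rule 20' line is faulty.
SAMPLE_L3 = ["rule 10 destination-ip 96.0.0.7 redirect-action nexthop-group 1",
             "rule 20 ip-protocol 17 destination-port 53 redirect-action nexthop-group 2",
             "rule 20 dscp 70 redirect-action nexthop-group 13"]
```

Running validate_rules("l3", SAMPLE_L3) reports the duplicate priority, the dscp value above 63 and the next-hop group above 12 for the third line and nothing for the first two.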

Table 13 Set a time period for ACL

Command                                                          Purpose
time-range timer_name xx:xx to xx:xx days                        Create a time period based on a periodic time range.
time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx  Create a time period based on an absolute time range.

[Command]

time-range timer_name xx:xx to xx:xx days

[Purpose]

Create a time period based on a periodic time range.

[Parameters]

Parameter   Description
timer_name  Time-range name, the maximum length is 32 characters.
xx:xx       24-hour time, such as 18:49.
days        Weekly effective time. The optional values are as follows:
            1) 0-6: corresponds to Sunday through Saturday; it can be configured as 0-6 or 0,1,2,3,4,5,6.
            2) Mon/Tue/Wed/Thu/Fri/Sat/Sun: Mon takes effect on Monday; Mon,Wed takes effect on Monday and Wednesday.
            3) daily: takes effect every day.
            4) off-day: takes effect on Sun and Sat.
            5) working-day: takes effect from Mon to Fri.

[View]

Global Configuration View

[Notes]

Multiple periodic time ranges can be configured on the same timer-name. Run command no time-range timer_name to delete the ACL timer. Run command no time-range timer_name xx:xx to xx:xx days to delete a single time range under the ACL timer.

[Use Cases]

sonic# configure terminal
sonic(config)# time-range timer-1 23:59 to 11:38 0,1
sonic(config)# time-range timer-1 11:40 to 11:45 0-1
sonic(config)# time-range timer-1 11:40 to 11:45 2
sonic(config)# time-range timer-1 11:50 to 11:55 Mon,Wed
sonic(config)# time-range timer-1 12:05 to 12:15 daily
sonic(config)# time-range timer-1 13:05 to 13:15 off-day
sonic(config)# time-range timer-1 14:05 to 14:15 working-day

[Command]

time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx

[Purpose]

Create a time period based on an absolute time range.

[Parameters]

Parameter   Description
timer_name  Time-range name, the maximum length is 32 characters.
xx:xx       24-hour time, such as 18:49.
xxxx/xx/xx  Effective date, the format is Y/m/d.

[View]

Global Configuration View

[Notes]

Multiple absolute time ranges can be configured on the same timer-name. An absolute time range and a periodic time range can be configured on the same timer-name; the effective time is the intersection of the two. Run command no time-range timer_name to delete the ACL timer. Run command no time-range from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx to delete a single time range under the ACL timer.

[Use Cases]

sonic# configure terminal
sonic(config)# time-range timer-1 from 11:00 2024/10/14 to 11:00 2024/10/20
sonic(config)# time-range timer-1 from 11:00 2024/10/25 to 11:00 2024/10/28
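
Because the effective time of a timer is the intersection of its absolute and periodic ranges, it is worth evaluating a timer offline before an ACL rule depends on it. The Python below is an added example, not vendor code: parse_days, parse_timer and is_active are mine, the sample input reuses this section's own timer-1 lines, and treating an end time earlier than its start (23:59 to 11:38) as a window that wraps past midnight is my assumption, since the page does not say how the device handles such a range.

```python
# Added example, not from the vendor's documentation or code: evaluate the effective time
# of one ACL timer from this section's periodic and absolute time-range lines. The
# intersection rule is the page's; treating an end time earlier than its start (23:59 to
# 11:38) as a window that wraps past midnight is my assumption, not documented behaviour.
from datetime import datetime, time

NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
KEYWORDS = {"daily": set(range(7)), "off-day": {0, 6}, "working-day": {1, 2, 3, 4, 5}}

def parse_days(spec):
    # '0-6', '0,1', 'mon,wed', 'daily', 'off-day', 'working-day' -> Sunday-based day numbers
    if spec in KEYWORDS:
        return KEYWORDS[spec]
    days = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")            # "0-6" -> 0..6; "2" -> 2; "mon" -> 1
        lo = int(lo) if lo.isdigit() else NAMES[lo]
        days.update(range(lo, (int(hi) if hi else lo) + 1))
    return days

def parse_timer(lines):
    # Collect the 'time-range NAME ...' lines of one timer_name into (absolute, periodic)
    absolute, periodic = [], []
    for tok in (line.split() for line in lines):
        if tok[2] == "from":                       # from HH:MM Y/m/d to HH:MM Y/m/d
            absolute.append(tuple(datetime.strptime(f"{tok[i]} {tok[i + 1]}", "%H:%M %Y/%m/%d")
                                  for i in (3, 6)))
        else:                                      # HH:MM to HH:MM DAYS
            periodic.append((time.fromisoformat(tok[2]), time.fromisoformat(tok[4]),
                             parse_days(tok[5].lower())))
    return absolute, periodic

def is_active(timer, dt):
    # Effective time = intersection of the absolute windows and the periodic windows
    absolute, periodic = timer
    if absolute and not any(a <= dt <= b for a, b in absolute):
        return False
    today, t = (dt.weekday() + 1) % 7, dt.time()  # page numbers days Sun=0; Python Mon=0
    for start, end, days in periodic:
        if start <= end:
            if today in days and start <= t <= end:
                return True
        elif (today in days and t >= start) or ((today - 1) % 7 in days and t <= end):
            return True                            # assumption: the window wraps past midnight
    return not periodic

TIMER_1 = parse_timer([  # this section's own use-case lines for timer-1, as sample input
    "time-range timer-1 23:59 to 11:38 0,1", "time-range timer-1 11:50 to 11:55 Mon,Wed",
    "time-range timer-1 14:05 to 14:15 working-day",
    "time-range timer-1 from 11:00 2024/10/14 to 11:00 2024/10/20"])
```

With this timer, is_active reports True for Wednesday 2024/10/16 at 11:52 and False for the same time on 2024/10/23, which lies outside the absolute range.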

Table 14 CoPP View

Command                            Purpose
show policy-map [policy_map_name]  Display the CoPP configuration.
show copp status                   Display the CoPP status.

[Command]

show policy-map [policy_map_name]

[Purpose]

Display the CoPP configuration.

[Parameters]

Parameter        Description
policy_map_name  CoPP policy name.

[View]

Privileged User View

[Use Cases]

sonic# show policy-map
!
policy-map type copp copp-system-policy
class copp-system-arp
bandwidth 1000000 12800

[Command]

show copp status

[Purpose]

Display the CoPP status.

[View]

Privileged User View

[Use Cases]

sonic# show copp status
Class                       Status
--------------------------- -----------------------------------------------------
copp-system-arp             cbs: 64000
                            cir: 256000
                            meter_type: bytes
                            mode: sr_tcm
                            queue: 5
                            red_action: drop
                            trap_action: copy
                            trap_ids: arp_req,arp_resp
                            trap_priority: 5

Table 15 CoPP Config

Command                                  Purpose
policy-map type copp copp-system-policy  Enter CoPP Configuration View.
class system_class_name                  Specify the type of message targeted by CoPP.
bandwidth cir cbs                        Set CoPP rate limiting.
arp broadcast disable                    Configure CoPP action for ARP packets as trap.
ndp broadcast disable                    Configure CoPP action for ND packets as trap.
igmp enable                              Configure CoPP action for IGMP packets as copy.
pim enable                               Configure CoPP action for PIM packets as copy.
isis enable                              Configure CoPP action for ISIS packets as copy.
vrrp enable                              Configure CoPP action for VRRP packets as copy.
ospf enable                              Configure CoPP action for OSPF packets as copy.

[Command]

policy-map type copp copp-system-policy

[Purpose]

Enter CoPP Configuration View.

[View]

Global Configuration View

[Use Cases]

sonic(config)# policy-map type copp copp-system-policy
sonic(config-pmap-copp-copp-system-policy)#

[Command]

class system_class_name

[Purpose]

Specify the type of message targeted by CoPP.

[Parameters]

Parameter          Description
system_class_name  Specify the type of message (copp-system-ttl_err/copp-system-bgp/copp-system-bfd/copp-system-ospf/copp-system-vrrp/copp-system-isis/copp-system-lacp/copp-system-stp/copp-system-arp/copp-system-neigh_discovery/copp-system-macsec/copp-system-lldp/copp-system-udld/copp-system-igmp/copp-system-dhcp_relay/copp-system-sflow/copp-system-ip2me/copp-system-nat/copp-system-pvrst/copp-system-pim/copp-system-vrrpv6/copp-system-mld/copp-system-ssh/copp-system-snmp/copp-system-l3_mtu_error/copp-system-ldp).

[View]

CoPP Configuration View

[Use Cases]

sonic(config-pmap-copp-copp-system-policy)# class copp-system-arp
sonic(config-pmap-c-copp-system-policy-copp-system-arp)#

[Command]

bandwidth cir cbs

[Purpose]

Set CoPP rate limiting.

[Parameters]

Parameter  Description
cir        Specify the CIR (Committed Information Rate) in byte/sec. The range is 1000 ~ 400000000000.
cbs        Specify the CBS (Committed Burst Size) in bytes. The range is 1000 ~ 400000000000.

[View]

CoPP-Class Map Configuration View

[Notes]

Run command no bandwidth to delete the customized CoPP configuration; the system then reverts to the default CoPP configuration.

[Use Cases]

sonic(config-pmap-copp-copp-system-policy)# class copp-system-arp
sonic(config-pmap-c-copp-system-policy-copp-system-arp)# bandwidth 1000000 12800

[Command]

arp broadcast disable

[Purpose]

Configure CoPP action for ARP packets as trap.

[View]

Global Configuration View

[Notes]

The action trap means upload to CPU, and copy means both upload to CPU and forward. The default action for ARP packets is copy. Run command no arp broadcast disable to configure CoPP action for ARP packets as copy.

[Use Cases]

sonic(config)# arp broadcast disable
sonic(config)# no arp broadcast disable

[Command]

ndp broadcast disable

[Purpose]

Configure CoPP action for ND packets as trap.

[View]

Global Configuration View

[Notes]

The action trap means upload to CPU, and copy means both upload to CPU and forward. The default action for ND packets is copy. Run command no ndp broadcast disable to configure CoPP action for ND packets as copy.

[Use Cases]

sonic(config)# ndp broadcast disable
sonic(config)# no ndp broadcast disable

[Command]

igmp enable

[Purpose]

Configure CoPP action for IGMP packets as copy.

[View]

Global Configuration View

[Notes]

The action forward means forward the packets, and copy means both upload to CPU and forward. The default action for IGMP packets is forward. Run command no igmp enable to configure CoPP action for IGMP packets as forward.

[Use Cases]

sonic(config)# igmp enable
sonic(config)# no igmp enable

[Command]

pim enable

[Purpose]

Configure CoPP action for PIM packets as copy.

[View]

Global Configuration View

[Notes]

The action forward means forward the packets, and copy means both upload to CPU and forward. The default action for PIM packets is forward. Run command no pim enable to configure CoPP action for PIM packets as forward.

[Use Cases]

sonic(config)# pim enable
sonic(config)# no pim enable

[Command]

isis enable

[Purpose]

Configure CoPP action for ISIS packets as copy.

[View]

Global Configuration View

[Notes]

The action forward means forward the packets, and copy means both upload to CPU and forward. The default action for ISIS packets is forward. Run command no isis enable to configure CoPP action for ISIS packets as forward.

[Use Cases]

sonic(config)# isis enable
sonic(config)# no isis enable

[Command]

vrrp enable

[Purpose]

Configure CoPP action for VRRP packets as copy.

[View]

Global Configuration View

[Notes]

The action forward means forward the packets, and copy means both upload to CPU and forward. The default action for VRRP packets is forward. Run command no vrrp enable to configure CoPP action for VRRP packets as forward.

[Use Cases]

sonic(config)# vrrp enable
sonic(config)# no vrrp enable

[Command]

ospf enable

[Purpose]

Configure CoPP action for OSPF packets as copy.

[View]

Global Configuration View

[Notes]

The action forward means forward the packets, and copy means both upload to CPU and forward. The default action for OSPF packets is forward. Run command no ospf enable to configure CoPP action for OSPF packets as forward.

[Use Cases]

sonic(config)# ospf enable
sonic(config)# no ospf enable

Table 16 Storm Suppress View

Command              Purpose
show storm-suppress  Display the storm suppression configuration.

[Command]

show storm-suppress

[Purpose]

Display the storm suppression configuration.

[View]

Privileged User View

[Use Cases]

sonic# show storm-suppress
interface    packet_type    meter_type    cir    cbs
-----------  -------------  ------------  -----  -----
Ethernet0    BROADCAST      PACKETS       100    1000
Ethernet0    UNKNOWN        PACKETS       100    1000
Ethernet48   BROADCAST      PACKETS       100    1000
Ethernet48   UNKNOWN        PACKETS       100    100

Table 17 Storm Suppress Config

Command                                                                                           Purpose
storm-suppress {unknown-unicast|broadcast|multicast} {bytes|packets} limit_value [cbs cbs_value]  Configure a storm suppression policy.


[Command]

storm-suppress {unknown-unicast|broadcast|multicast} {bytes|packets} limit_value [cbs cbs_value]

[Purpose]

Configure a storm suppression policy for BUM.

[Parameters]

Parameter    Description
limit_value  Specify the rate-limit value, which ranges from 65000 ~ 2400000000000 bit/sec in bytes mode and 70 ~ 2300000000 pkts/sec in packets mode.
cbs_value    Specify the Committed Burst Size, which is the amount of committed burst traffic that can pass instantaneously. The range of values is 1000 ~ 1500000000 bytes in bytes mode and 8 ~ 11000000 packets in packets mode.

[View]

Physical Interface Configuration View

[Notes]

Run command no storm-suppress {unknown-unicast|broadcast|multicast} {bytes|packets} to delete the storm suppression policy.

[Use Cases]

sonic# configure
sonic(config)# interface ethernet 0/0
sonic(config-if-0/0)# storm-suppress unknown-unicast bytes 6555555 cbs 1355646
sonic(config-if-0/0)# storm-suppress broadcast packets 100