
Security Configuration

[Command]
show acl table [ table_name ]

[Purpose]
Show existing ACL tables

[Parameter]

Parameter    Description
-----------  -----------------------
table_name   Specify the table name

[View]
System view

[Use Cases]

sonic# show acl table
Name Type Binding Description Stage
------- ----------- --------- ------------- -------
TABLE_2 L3 Ethernet8 TABLE_2 ingress

[Command]
show acl rule [ table_name ] [ rule_id ]

[Purpose]
Show existing ACL rules

[Parameter]

Parameter    Description
-----------  -----------------------
table_name   Specify the table name
rule_id      Specify the rule name

[View]
System view

[Use Cases]

sonic# show acl rule
Table Rule Priority Action Match
------- ------------ ---------- -------- -----------------------
DATAACL RULE_1 9999 DROP SRC_IP: 10.0.0.2/32
DATAACL RULE_2 9998 DROP DST_IP: 192.168.0.16/32
DATAACL RULE_3 9997 DROP L4_SRC_PORT: 4661
DATAACL RULE_4 9996 DROP IP_PROTOCOL: 126
DATAACL RULE_13 9987 DROP IP_PROTOCOL: 1
sonic# show acl rule TABLE_1 RULE_1
Table Rule Priority Action Match
------- ------ ---------- -------- --------------------
TABLE_1 RULE_1 100 DROP SRC_IP: 200.0.0.2/24

[Command]
show counters acl [ acl_table_name ] [ rule_id ]

[Purpose]
Show ACL hit count

[Parameter]

Parameter       Description
--------------  ---------------
acl_table_name  ACL table name
rule_id         Rule ID

[View]
System view

[Notes]
Multiple tables and rules can be entered, either as table names alone or as table + rule. Tables are separated from each other by ",", rules are separated from each other by ",", and a table is separated from its rules by a space.

[Use Cases]

sonic# show counters acl TABLE_1,TABLE_2
RULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT
----------- ------------ ------ --------------- -------------
RULE_1 TABLE_1 100 N/A N/A
rule_2 TABLE_2 2 N/A N/A
rule_1 TABLE_2 1 N/A N/A

[Command]
clear counters acl

[Purpose]
Clear ACL hit count

[Use Cases]

sonic# clear counters acl

[Command]
access-list { table_type } { table_name } { table_stage }
no access-list { table_name }

[Purpose]
Create ACL table and enter ACL view

[Parameter]

Parameter    Description
-----------  --------------------------------------------------------------
table_type   ACL table type; options: L3, L3v6, CTRLPLANE
table_name   ACL table name
table_stage  Specify the inbound/outbound direction: ingress/egress

[View]
System configuration view

[Notes]
An ACL table is applied to ports. Binding a port means that the ACL table takes effect for traffic on that port. An ACL table can be bound to multiple ports, and multiple ACL tables can exist on a single port, i.e. a "many-to-many" relationship.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress

[Command]
rule { rule_id } [ packet-action { deny | permit | trap-to-cpu | copy-to-cpu } | redirect-action ] [ src-mac src_mac ] [ ethernet-type ethernet_type ] [ vlan-pri vlan_pri ] [ src-ip src_ip ] [ dst-ip dst_ip ] [ icmp-type icmp_type ] [ icmp-code icmp_code ] [ icmp-name icmp_name ] [ src-port src_port ] [ dst-port dst_port ] [ ip-type ip_type ]
no rule { rule_id }

[Purpose]
Add ACL rules

[Parameter]

Parameter      Description
-------------  ------------------------------------------------------------------------------
rule_id        Rule ID, value range: 0-500. The value is also the rule priority (a higher number means a higher priority) and must be unique within the table
packet_action  Packet processing action for matched packets:
               deny - Discard
               permit - Allow passage
               trap-to-cpu - Forward to the CPU for processing
               copy-to-cpu - Allow passage while also copying the packet to the CPU for processing
ethernet_type  Ethertype, format: hexadecimal number
vlan_pri       VLAN priority, value range: 0-7
src_ip         Source IP address, format: A.B.C.D/M
dst_ip         Destination IP address, format: A.B.C.D/M
icmp_type      ICMP message type, value range: 0-16
icmp_code      ICMP message code, value range: 0-5
icmp_name      ICMP message name
src_port       Source L4 port
dst_port       Destination L4 port
ip_type        IP type

[View]
ACL view

[Notes]
Multiple ACL rules can exist in one table. The higher the rule_id, the higher the priority; two rules with the same priority are not allowed in the same table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit
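To see how rule_id doubles as priority and why a more specific rule must carry the higher number, here is an added Python model of the ACL semantics in this section (example code, not the switch's implementation). It assumes a packet is represented as a dict of header fields and that the IP_PROTOCOL match shown by show acl rule corresponds to a numeric protocol field; the table, ports and rules are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not the switch's code) of the ACL semantics in this section:
# a table is bound to ports, rule_id doubles as the priority (0-500, higher wins,
# unique per table) and the highest-priority matching rule decides the action.
RULE_ID_MIN, RULE_ID_MAX = 0, 500
ACTIONS = {"deny", "permit", "trap-to-cpu", "copy-to-cpu"}


@dataclass
class AclRule:
    rule_id: int
    action: str                         # packet-action keyword
    src_ip: Optional[str] = None        # A.B.C.D/M, as for src-ip
    dst_ip: Optional[str] = None        # A.B.C.D/M, as for dst-ip
    src_port: Optional[int] = None      # L4 source port
    dst_port: Optional[int] = None      # L4 destination port
    ip_protocol: Optional[int] = None   # assumed numeric field behind IP_PROTOCOL in "show acl rule"

    def matches(self, pkt: dict) -> bool:
        """True when every field set on the rule matches the packet dict."""
        for name in ("src_ip", "dst_ip"):
            want = getattr(self, name)
            if want is not None:
                addr = pkt.get(name)
                net = ipaddress.ip_network(want, strict=False)
                if addr is None or ipaddress.ip_address(addr) not in net:
                    return False
        for name in ("src_port", "dst_port", "ip_protocol"):
            want = getattr(self, name)
            if want is not None and pkt.get(name) != want:
                return False
        return True


class AclTable:
    def __init__(self, name: str, table_type: str = "l3", stage: str = "ingress"):
        self.name, self.table_type, self.stage = name, table_type, stage
        self.rules = {}      # rule_id -> AclRule
        self.ports = set()   # ports the table is bound to

    def bind(self, port: str) -> None:
        self.ports.add(port)

    def add_rule(self, rule: AclRule) -> None:
        """Apply the CLI's constraints: id in range, action known, priority unique."""
        if not RULE_ID_MIN <= rule.rule_id <= RULE_ID_MAX:
            raise ValueError(f"rule_id {rule.rule_id} outside {RULE_ID_MIN}-{RULE_ID_MAX}")
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown packet-action {rule.action!r}")
        if rule.rule_id in self.rules:
            raise ValueError(f"rule_id {rule.rule_id} already used in {self.name}; priorities must be unique")
        self.rules[rule.rule_id] = rule

    def remove_rule(self, rule_id: int) -> None:
        """Equivalent of 'no rule { rule_id }'."""
        self.rules.pop(rule_id)

    def lookup(self, port: str, pkt: dict):
        """Return (rule_id, action) of the highest-priority matching rule, or None.
        Traffic on a port the table is not bound to is never evaluated against it."""
        if port not in self.ports:
            return None
        for rid in sorted(self.rules, reverse=True):   # higher rule_id first
            if self.rules[rid].matches(pkt):
                return rid, self.rules[rid].action
        return None


def try_add(table: AclTable, rule: AclRule) -> bool:
    """Return False instead of raising, so the range and uniqueness checks can be probed."""
    try:
        table.add_rule(rule)
        return True
    except ValueError:
        return False


def build_table_1() -> AclTable:
    """Constructed sample: TABLE_1 bound to Ethernet8 with three rules. The /32 deny
    only beats the /24 permit because it carries the higher rule_id, and the
    dst-port 4661 deny is shadowed by that permit for any source inside 10.0.0.0/24."""
    t = AclTable("TABLE_1")
    t.bind("Ethernet8")
    t.add_rule(AclRule(10, "deny", src_ip="10.0.0.2/32"))
    t.add_rule(AclRule(5, "permit", src_ip="10.0.0.0/24"))
    t.add_rule(AclRule(1, "deny", dst_port=4661))
    return t


if __name__ == "__main__":
    t = build_table_1()
    print(t.lookup("Ethernet8", {"src_ip": "10.0.0.3", "dst_ip": "192.168.0.16", "dst_port": 4661}))
```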

Traffic Suppression And Storm Control Configuration


[Command]
show interface storm-suppress

[Purpose]
Display interface storm suppression

[View]
System view

[Use Cases]

sonic# show interface storm_suppress
Name Broadcast Broadcast_Rate Multicast Multicast_Rate Unkown Unkown_Rate
----- ----------- ------------ ----------- --------------- -------- ----------
Ethernet54 Enable 100Kpps NA NA NA NA

[Command]
storm-suppress multicast {bytes bytes |packets packets }
no storm-suppress multicast

[Purpose]
Configure the maximum multicast packet traffic allowed to pass under the interface

[Parameter]

Parameter  Description
---------  --------------------------------------
bytes      Value range: 0-16383875, unit: kBps
packets    Value range: 0-16383875, unit: kpps

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# storm-suppress multicast packets 100

[Command]
storm-suppress broadcast {bytes bytes |packets packets }
no storm-suppress broadcast

[Purpose]
Configure the maximum amount of broadcast packet traffic allowed to pass under the interface

[Parameter]

Parameter  Description
---------  --------------------------------------
bytes      Value range: 0-16383875, unit: kBps
packets    Value range: 0-16383875, unit: kpps

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# storm-suppress broadcast packets 100

[Command]
storm-suppress unknown {bytes bytes |packets packets }
no storm-suppress unknown

[Purpose]
Configure the maximum amount of unknown unicast traffic allowed to pass under the interface

[Parameter]

Parameter  Description
---------  --------------------------------------
bytes      Value range: 0-16383875, unit: kBps
packets    Value range: 0-16383875, unit: kpps

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# storm-suppress unknown packets 100

[Command]
show dhcp snooping config

[Purpose]
View DHCP snooping related configuration status

[View]
System view

[Use Cases]

sonic# show dhcp snooping config
GLOBAL MODE V4 : enable
GLOBAL MODE V6 : enable
GLOBAL SNP MAX NUMBER :
GLOBAL LEASE TIME : 172800
+-------------+----------------+-----------+------------------+
| Interface | dhcp_snooping | Trusted | Snp Max Number |
+=============+================+===========+==================+
| Ethernet50 | enable | true | |
+-------------+----------------+-----------+------------------+
| Vlan800 | enable | | |
+-------------+----------------+-----------+------------------+
| Vlan400 | enable | | |
+-------------+----------------+-----------+------------------+
| Ethernet49 | enable | true | |
+-------------+----------------+-----------+------------------+

[Command]
show snooping table

[Purpose]
View all snooping table entry details

[View]
System view

[Notes]
Snooping table entries include those learned by DHCP Snooping and ND Snooping. When this feature is enabled, the device can sync snooping table entries from other devices configured as neighbors, ensuring consistency across the network.

[Use Cases]

sonic# show snooping table
+---------+--------------------+-------------+------------+-----------+-----------------+-------------+-------+
| vlan | smac | sip | lease_time | interface | time-stamp | switch_id | flag |
+=========+====================+=============+============+===========+=================+=============+=======+
| Vlan400 | 3c:22:fb:55:a0:99 | 30.11.64.21 | 7200 | N/A | 1478434670738451| 30.11.0.89 | remote|
+---------+--------------------+-------------+------------+-----------+-----------------+-------------+------ +
| Vlan400 | 72:fe:15:7e:42:4f | 30.11.64.18 | 6000 | N/A | 1478433013541307| 30.11.0.84 | local |
+---------+--------------------+-------------+------------+-----------+-----------------+-------------+-------+

Description of the show snooping table command output

Item        Description
----------  ------------------------------------------------------------------------------
VLAN        VLAN to which the entry belongs
SMAC        Terminal MAC address
SIP         Terminal IP address
lease time  Aging time of the entry
interface   Physical interface where the terminal is located
time-stamp  Timestamp when the entry was learned, for internal system use
switch_id   IP address of the loopback interface of the device to which the terminal is currently connected
flag        Identifies the device to which the terminal is currently connected: local if it is this device, remote if it is another device within the cluster

[Command]
show snooping count

[Purpose]
View the number of snooping table entries

[View]
System view

[Use Cases]

sonic# show snooping count
total_v4_counter=10
local_v4_counter=3
remote_v4_counter=7
total_v6_counter=43
local_v6_counter=10
remote_v6_counter=33

[Command]
show snooping status

[Purpose]
View snooping table entry synchronization status

[View]
System view

[Use Cases]

sonic# show snooping status
Switch ID : 30.11.0.84
Source IP address :30.11.0.84
Coherent Status : yes
Sequence Number : 1362
Device Mode : client
Neighbors Status Summary :
------------------------------neighbors----------------------------------
Switch ID Active Sequence Number Connect_active_number
30.11.0.80 yes 1362 6
30.11.0.81 yes 1362 6

Description of the show snooping status command output

Item                   Description
---------------------  ------------------------------------------------------------------------------
Coherent Status        Whether the local table entries are at the latest synchronization state: yes = synchronization completed, no = to be updated
Active                 Connection status between the device and the neighbor: yes = connection normal, no = connection exception
Sequence Number        Sequence number of table entry synchronization between the device and its neighbors
Connect_active_number  Number of clients that need to establish connections with neighbor devices

[Command]
snp-sync enable {client|server} [ switch_id ]
no snp-sync enable

[Purpose]
Configure the synchronization properties of the device and enable DHCP Snooping synchronization function

[Parameter]

Parameter  Description
---------  ------------------------------------------------------------------------------
client     The device directly connected to the DHCP client (client device). It synchronizes all learned snooping entries to the server device, and also synchronizes the snooping entries that other clients have synchronized to the server.
server     Devices not directly connected to DHCP clients. They receive all snooping entries synchronized from client devices.
switch_id  Device IP, typically the loopback0 IP address of the device, used to uniquely identify a device

[View]
System configuration view

[Use Cases]

sonic# configure terminal
sonic(config)# snp-sync enable client 192.168.2.2

[Command]
snp-sync neighbor A.B.C.D / A::B
no snp-sync neighbor A.B.C.D / A::B

[Purpose]
Add the IP address of the device that needs to synchronize snooping table entries

[Parameter]

Parameter       Description
--------------  --------------------------------------------------------
A.B.C.D / A::B  The configured switch_id of the device to be connected

[View]
System configuration view

[Notes]
For the server to establish a connection with the client, make sure that BGP neighbors have been established between the devices that need to synchronize snooping table entries, and that their switch_ids are reachable at Layer 3.

[Use Cases]

sonic(config)# snp-sync neighbor 192.168.3.2

[Command]
snp-sync peer A.B.C.D|A::B
no snp-sync peer A.B.C.D|A::B

[Purpose]
Add the IP address of the device that needs to synchronize snooping table entries

[Parameter]

Parameter       Description
--------------  --------------------------------------------------------
A.B.C.D / A::B  The configured switch_id of the device to be connected

[View]
System configuration view

[Notes]
Configure this command on the server device to establish a connection between server devices. Make sure that BGP neighbors have been established between the devices that need to synchronize snooping table entries, and that their switch_ids are reachable at Layer 3.

[Use Cases]

sonic(config)# snp-sync peer 192.168.3.2

[Command]
dhcp snooping enable {v4|v6}
no dhcp snooping enable

[Purpose]
Enable DHCP snooping function

[Parameter]

Parameter  Description
---------  ---------------------------------------------------
v4|v6      Enable the DHCP Snooping function for IPv4 or IPv6

[View]
System configuration view

[Notes]
After enabling the global DHCP snooping function, the user also needs to enable the DHCP snooping function in the interface and VLAN views. This function should be used in combination with DHCP Relay.

[Use Cases]

sonic(config)# dhcp snooping enable v4
sonic(config)# interface ethernet 1
sonic(config-if-1)# dhcp snooping enable

[Command]
dhcp-snooping trusted
no dhcp-snooping trusted

[Purpose]
Configure the interface to a trusted state

[View]
Interface view, VLAN view

[Usage Scenario]
A trusted port forwards received DHCP packets normally and learns DHCP Snooping table entries from the DHCP OFFER and DHCP ACK packets returned by the DHCP server. Usually the interface that is directly or indirectly connected to the DHCP server trusted by the administrator is set as the trusted port, and all other ports are untrusted ports. Physical ports, VLAN interfaces, and link aggregation ports can all be configured in trusted mode.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# dhcp snooping trusted

[Command]
dhcp-snooping enable
no dhcp-snooping enable

[Purpose]
Enable the interface DHCP snooping function

[View]
Interface view, VLAN view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# dhcp-snooping enable

[Command]
show nd snooping config

[Purpose]
View ND snooping configuration

[View]
System view

[Use Cases]

GLOBAL MODE : enable
GLOBAL SNP MAX NUMBER :
GLOBAL DEFAULT LEASE TIME :
+-------------+---------------+-----------+------------------+
| Interface | ND Snooping | Trusted | Snp Max Number |
+=============+===============+===========+==================+
| Ethernet1 | disable | false | |
+-------------+---------------+-----------+------------------+

[Command]
nd snooping enable
no nd snooping enable

[Purpose]
Enable ND snooping function globally

[View]
System configuration view, Interface view, VLAN Interface view

[Notes]
After ND Snooping is enabled on the device, an interface with ND Snooping enabled learns an ND Snooping table entry when it receives DAD NS packets. If SAVI and IPSGv6 are enabled on the device, ND and DHCPv6 packets are matched against the ND Snooping table entries. After enabling the global ND Snooping function, the user also needs to enable the ND Snooping function in the interface and VLAN views.

[Use Cases]

sonic(config)# nd snooping enable

[Command]
show user-bind counter [ interface_name ]
clear user-bind counter

[Purpose]
Show packet loss statistics for packets inspection function

[View]
System view

[Notes]
Statistics of packets dropped because no table entry was hit after the IPSG/IPSGv6/ARP detection/SAVI function was enabled.

[Use Cases]

sonic# show user-bind counter
Interface Drop Packets
----------- --------------
Vlan400 0

[Command]
show user-bind rule

[Purpose]
View static binding table information

[View]
System view

[Use Cases]

sonic# show user-bind rule
VLAN MAC IP Interface
------- ----------------- --------- -----------
Vlan100 00:11:22:33:11:11 10.1.1.10 Ethernet1

[Command]
show user-bind config

[Purpose]
Display packet inspection function alarms and alarm threshold related configuration

[View]
System view

[Use Cases]

sonic# show user-bind config
+------------+--------+-------------------+
| Interface | Alarm | Alarm threshold |
+============+========+===================+
| Vlan400 | true | 100 |
+------------+--------+-------------------+

[Command]
user-bind rule { A.B.C.D | A::B } nn:nn:nn:nn:nn:nn { interface_id } { vlan_id }
no user-bind rule { A.B.C.D | A::B } nn:nn:nn:nn:nn:nn { interface_id } { vlan_id }

[Purpose]
Configure static binding tables

[Parameter]

Parameter          Description
-----------------  ---------------------
A.B.C.D | A::B     IPv4 or IPv6 address
nn:nn:nn:nn:nn:nn  MAC address
interface_id       Interface ID
vlan_id            VLAN ID

[View]
System configuration view

[Usage Scenario]
For terminals with statically configured IP addresses, snooping table entries cannot be generated, so all their packets are discarded when the packet inspection function is enabled. To keep such terminals online, the user needs to configure a static binding table for them with this command.

[Use Cases]

sonic(config)# user-bind rule 10.1.1.10 00:11:22:33:11:11 1 800

[Command]
user-bind alarm enable
no user-bind alarm enable

[Purpose]
Enable the packet inspection alarm function

[View]
Interface view, VLAN view

[Usage Scenario]
When this feature is enabled and the number of packets discarded on the device by the packet inspection function exceeds the alarm threshold, a log is recorded. By default, the alarm threshold is 100.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# user-bind alarm enable

[Command]
user-bind alarm threshold value

[Purpose]
Configure the alarm threshold for the packet inspection function

[View]
Interface view, VLAN view

[Usage Scenario]
When the alarm function is enabled and the number of packets discarded on the device by the packet inspection function exceeds the alarm threshold, a log is recorded. By default, the alarm threshold is 100.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# user-bind alarm threshold 200

[Command]
show raguard policy

[Purpose]
View the configuration of the RA Guard policy

[View]
System view

[Use Cases]

sonic# show raguard policy
+----------+--------------------------------------------------+
| VLAN |POLICY |
+==========+==================================================+
| Vlan800 | {'prefix@': 'fd00:803::/64,fd00:403::/64'} |
+-------- -+--------------------------------------------------+

[Command]
show raguard role

[Purpose]
View RA Guard interface role configuration

[View]
System view

[Use Cases]

sonic# show raguard role
+-------------+---------+
| PORT | ROLE |
+=============+=========+
| Ethernet5 | user |
+-------------+---------+

[Command]
raguard role {user|router|hybrid}
no raguard role {user|router|hybrid}

[Purpose]
Configure the interface role for the RA Guard function

[Parameter]

Parameter  Description
---------  -----------------------------------------------------------------------------
user       Specify the interface role as user and discard RA packets
router     Specify the interface role as router and forward RA packets
hybrid     Mixed mode: the policy determines whether RA packets are discarded

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# raguard role user

[Command]
raguard policy src-ip A::B
no raguard policy param src-ip
no raguard policy

[Purpose]
Configure the matching rules for the source IPv6 address of RA packets

[Parameter]

Parameter  Description
---------  ------------------------------------------------------------------------
A::B       IPv6 address; multiple IPv6 addresses can be configured, separated by ","

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy src-ip fe80::1a17:25ff:fe37:6722,
fe80::1a17:25ff:fe37:6723

[Command]
raguard policy src-mac HH:HH:HH:HH:HH:HH
no raguard policy param src-mac
no raguard policy

[Purpose]
Configure the matching rules for the source MAC address of RA packets

[Parameter]

Parameter          Description
-----------------  -----------------------------------------------------------------------
HH:HH:HH:HH:HH:HH  MAC address; multiple MAC addresses can be configured, separated by ","

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy src-mac 00:00:01:02:03:11

[Command]
raguard policy {hop-limit-high| hop-limit-low} value
no raguard policy param {hop-limit-high| hop-limit-low} value
no raguard policy

[Purpose]
Configure the maximum and minimum value matching rules for the hop limit in RA packets

[Parameter]

Parameter  Description
---------  --------------------
value      Value range: 0-255

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy hop-limit-high 10

[Command]
raguard policy managed-flag {on|off}
no raguard policy param managed-flag
no raguard policy

[Purpose]
Configure the matching rules for the M flag bit in RA packets

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy managed-flag on

[Command]
raguard policy other-flag {on|off}
no raguard policy param other-flag
no raguard policy

[Purpose]
Configure the matching rules for the O flag bit in RA packets

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy other-flag on

[Command]
raguard policy prefix A::B/M
no raguard policy param prefix
no raguard policy

[Purpose]
Configure the matching rules for the IPv6 prefixes carried by RA packets

[Parameter]

Parameter  Description
---------  ---------------------------------------------------------------------------
A::B/M     IPv6 prefix information; multiple IPv6 prefixes can be configured, separated by ","

[View]
VLAN view

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy prefix

[Command]
raguard policy router-pref-max {low|medium|high}
no raguard policy param router-pref-max
no raguard policy

[Purpose]
Configure the highest priority matching rule for routing RA packets

[View]
VLAN view

[Usage Scenario]
When an interface configured with this policy receives RA packets, it will check the routing priority carried by the packet, and RA packets with a priority less than or equal to that configured by the rule will be forwarded, otherwise they will be dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# raguard policy router-pref-max medium
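The role and policy checks described for raguard role and the raguard policy parameters above, as one added Python model (example code, not the switch's implementation). It parses VLAN-view policy lines into a dict and evaluates an RA that has already been parsed into its fields; the hop-limit, flag and prefix semantics noted in the comments are assumptions, as are the sample VLAN 800 policy and RAs.

```python
import ipaddress

# Constructed model of the RA Guard behaviour in this section; not the switch's
# own implementation. Policy keys are the CLI keywords; an absent key is not
# checked. Assumed semantics, not stated on the page: hop-limit-high/-low are
# the maximum/minimum accepted Hop Limit, managed-flag/other-flag must equal
# the configured on/off, and every advertised prefix must be in the allowed list.
PREF_ORDER = {"low": 0, "medium": 1, "high": 2}
LIST_KEYS = {"src-ip", "src-mac", "prefix"}          # comma-separated in the CLI
INT_KEYS = {"hop-limit-high", "hop-limit-low"}
ENUM_KEYS = {"managed-flag", "other-flag", "router-pref-max"}


def policy_from_cli(lines):
    """Build a policy dict from 'raguard policy <param> <value>' lines typed in VLAN view."""
    policy = {}
    for line in lines:
        words = line.split()
        if words[:2] != ["raguard", "policy"] or len(words) != 4:
            raise ValueError(f"unrecognised line: {line!r}")
        key, value = words[2], words[3]
        if key in LIST_KEYS:
            policy[key] = [v for v in value.split(",") if v]
        elif key in INT_KEYS:
            n = int(value)
            if not 0 <= n <= 255:
                raise ValueError(f"{key} {n} outside 0-255")
            policy[key] = n
        elif key in ENUM_KEYS:
            policy[key] = value
        else:
            raise ValueError(f"unknown policy parameter {key!r}")
    return policy


def ra_guard_decision(role, policy, ra):
    """Return ('forward' | 'drop', reason) for one RA given as a dict with the keys
    src_ip, src_mac, hop_limit, m_flag, o_flag, prefixes and router_pref."""
    if role == "user":
        return "drop", "role user discards RA"
    if role == "router":
        return "forward", "role router forwards RA"
    if role != "hybrid":
        raise ValueError(f"unknown role {role!r}")
    if "src-ip" in policy:
        allowed = {ipaddress.ip_address(a) for a in policy["src-ip"]}
        if ipaddress.ip_address(ra["src_ip"]) not in allowed:
            return "drop", "src-ip not in policy"
    if "src-mac" in policy:
        if ra["src_mac"].lower() not in {m.lower() for m in policy["src-mac"]}:
            return "drop", "src-mac not in policy"
    if "hop-limit-high" in policy and ra["hop_limit"] > policy["hop-limit-high"]:
        return "drop", "hop limit above hop-limit-high"
    if "hop-limit-low" in policy and ra["hop_limit"] < policy["hop-limit-low"]:
        return "drop", "hop limit below hop-limit-low"
    for key, name in (("managed-flag", "m_flag"), ("other-flag", "o_flag")):
        if key in policy and ra[name] != (policy[key] == "on"):
            return "drop", f"{key} mismatch"
    if "prefix" in policy:
        allowed = {ipaddress.ip_network(p) for p in policy["prefix"]}
        for p in ra["prefixes"]:
            if ipaddress.ip_network(p) not in allowed:
                return "drop", f"prefix {p} not in policy"
    if "router-pref-max" in policy:
        if PREF_ORDER[ra["router_pref"]] > PREF_ORDER[policy["router-pref-max"]]:
            return "drop", "router preference above router-pref-max"
    return "forward", "all policy checks passed"


# Constructed VLAN 800 policy using the prefixes shown by 'show raguard policy' above.
VLAN800_POLICY = policy_from_cli([
    "raguard policy prefix fd00:803::/64,fd00:403::/64",
    "raguard policy hop-limit-low 64",
    "raguard policy router-pref-max medium",
])

if __name__ == "__main__":
    ra = {"src_ip": "fe80::1", "src_mac": "00:00:01:02:03:11", "hop_limit": 255,
          "m_flag": False, "o_flag": False, "prefixes": ["fd00:803::/64"],
          "router_pref": "medium"}
    print(ra_guard_decision("hybrid", VLAN800_POLICY, ra))
```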

[Command]
show ipv4-source-check config

[Purpose]
View the IP packet inspection function configuration information

[View]
System view

[Use Cases]

sonic# show ipv4-source-check config
+--------------+-------------+
| Interfaces | Check mode |
+==============+=============+
| Vlan43 | true |
+--------------+-------------+

[Command]
show ipv6-source-check config

[Purpose]
View the configuration information of IPv6 packet inspection function

[View]
System view

[Use Cases]

sonic# show ipv6-source-check config
+--------------+--------------+
| Interfaces | Check mode |
+==============+==============+
| Vlan43 | true |
+--------------+--------------+

[Command]
ipv4-source-check enable
no ipv4-source-check enable

[Purpose]
Enable IPv4 packet inspection function

[View]
VLAN view, Interface view

[Usage Scenario]
When the IP packet inspection function is enabled, the device compares the source IP and source MAC of each received IPv4 packet with the snooping table entries and user-bind table entries. If an entry is hit, the sender is a legal user and its IPv4 packets are allowed to pass; otherwise the sender is considered an illegal user and the IP packet is dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# ipv4-source-check enable

[Command]
ipv4-source-check trusted-interface vlan vlan_id
ipv4-source-check trusted-interface
no ipv4-source-check trusted-interface vlan vlan_id
no ipv4-source-check trusted-interface

[Purpose]
Configuring IPSG trusted ports or trusted VLAN

[View]
Interface view

[Usage Scenario]
When configured as an IPSG trusted port, IPv4 packets received from this port will not be IPSG checked and will all be allowed to pass.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# ipv4-source-check trusted-interface vlan 10

[Command]
ipv6-source-check enable
no ipv6-source-check enable

[Purpose]
Enable IPv6 packet inspection function

[View]
VLAN view, Interface view

[Usage Scenario]
When the IP packet inspection function is enabled, the device compares the source IP and source MAC of each received IPv6 packet with the snooping table entries and user-bind table entries. If an entry is hit, the sender is a legitimate user and its IPv6 packets are allowed to pass; otherwise the sender is considered an illegal user and the IP packet is dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# ipv6-source-check enable

[Command]
ipv6-source-check trusted-interface vlan vlan_id
ipv6-source-check trusted-interface
no ipv6-source-check trusted-interface vlan vlan_id
no ipv6-source-check trusted-interface

[Purpose]
Configuring IPSG trusted ports or trusted VLAN

[View]
Interface view

[Usage Scenario]
When configured as an IPSG trusted port, IPv6 packets received from this port will not be IPSG checked and will all be allowed to pass.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# ipv6-source-check trusted-interface vlan 10

[Command]
show savi config

[Purpose]
View SAVI function configuration information

[View]
System view

[Use Cases]

sonic# show savi config
+--------------+-------------+
| Interfaces | Check mode |
+==============+=============+
| Vlan100 | false |
+--------------+-------------+
| Vlan200 | true |
+--------------+-------------+

[Command]
savi enable
no savi enable

[Purpose]
Enable the SAVI detection function of the interface

[View]
VLAN view

[Usage Scenario]
After the SAVI function is enabled, the device compares the source IP and source MAC of received ND protocol packets and DHCPv6 protocol packets with the snooping table entries and user-bind table entries. If an entry is hit, the packet is passed; otherwise the packet is dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# savi enable

[Command]
show anti-attack-check config

[Purpose]
View ARP detection configuration

[View]
System view

[Use Cases]

sonic# show anti-attack-check config
+--------------+--------------+
| Interfaces | Check mode |
+==============+==============+
| Vlan43 | true |
+--------------+--------------+

[Command]
arp anti-attack-check enable
no arp anti-attack-check enable

[Purpose]
Enable the ARP detection function

[View]
VLAN view, Interface view

[Usage Scenario]
After the ARP detection function is enabled, the device compares the source IP and source MAC of each received ARP packet with the snooping table entries and user-bind table entries. If an entry is hit, the sender is a legitimate user and its ARP packets are allowed to pass; otherwise the sender is considered an illegal user and the ARP packet is dropped.

[Use Cases]

sonic(config)# vlan 100
sonic(config-vlan-100)# arp anti-attack-check enable

[Command]
arp anti-attack-check trusted-interface vlan vlan_id
arp anti-attack-check trusted-interface
no arp anti-attack-check trusted-interface vlan vlan_id
no arp anti-attack-check trusted-interface

[Purpose]
Configuring ARP detection trusted ports or trusted VLAN

[View]
Interface view

[Notes]
Once a port is configured as an ARP detection trusted port, ARP packets received from it are not checked and are all allowed to pass.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# arp anti-attack-check trusted-interface vlan 10
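The inspection logic described for ipv4-source-check, ipv6-source-check and arp anti-attack-check, their trusted interfaces, the drop counter of show user-bind counter and the user-bind alarm, as one added Python model (example code, not the switch's implementation). The bindings are the entries shown by show snooping table and show user-bind rule above; how an entry's interface is matched and the point at which the alarm log is written are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model (not the switch's code) of the packet inspection functions in
# this section: ipv4/ipv6-source-check, arp anti-attack-check, trusted ports and
# trusted VLANs, the per-VLAN drop counter of "show user-bind counter" and the
# user-bind alarm. Assumed, not stated on the page: a binding hits when VLAN, MAC
# and IP all match and, if the entry names an interface, the ingress port too.


@dataclass(frozen=True)
class Binding:
    vlan: str
    mac: str
    ip: str
    interface: str = "N/A"   # snooping entries may show N/A; user-bind rules name a port


@dataclass
class SourceGuard:
    snooping: set = field(default_factory=set)            # entries learned by DHCP/ND snooping
    user_bind: set = field(default_factory=set)           # static "user-bind rule" entries
    enabled_vlans: set = field(default_factory=set)       # VLANs where inspection is enabled
    trusted_ports: set = field(default_factory=set)       # "trusted-interface" without a VLAN
    trusted_port_vlans: set = field(default_factory=set)  # (port, vlan) from "trusted-interface vlan N"
    alarm_enabled: set = field(default_factory=set)       # VLANs with "user-bind alarm enable"
    alarm_threshold: dict = field(default_factory=dict)   # per VLAN; default 100 as on the page
    drop_counter: dict = field(default_factory=dict)      # per VLAN, as shown by "show user-bind counter"
    alarm_log: list = field(default_factory=list)

    def is_trusted(self, port: str, vlan: str) -> bool:
        return port in self.trusted_ports or (port, vlan) in self.trusted_port_vlans

    def has_binding(self, port: str, vlan: str, mac: str, ip: str) -> bool:
        for b in self.snooping | self.user_bind:
            if (b.vlan, b.mac.lower(), b.ip) != (vlan, mac.lower(), ip):
                continue
            if b.interface in ("N/A", port):
                return True
        return False

    def check(self, port: str, vlan: str, mac: str, ip: str) -> str:
        """Return 'pass' or 'drop' for one IPv4, IPv6 or ARP packet and update the counters."""
        if vlan not in self.enabled_vlans or self.is_trusted(port, vlan):
            return "pass"                       # not inspected at all
        if self.has_binding(port, vlan, mac, ip):
            return "pass"                       # legal user: an entry was hit
        self.drop_counter[vlan] = self.drop_counter.get(vlan, 0) + 1
        threshold = self.alarm_threshold.get(vlan, 100)
        # Assumed: one log line when the drop count first exceeds the threshold.
        if vlan in self.alarm_enabled and self.drop_counter[vlan] == threshold + 1:
            self.alarm_log.append(f"{vlan}: dropped packets exceeded alarm threshold {threshold}")
        return "drop"

    def clear_counters(self) -> None:
        """Equivalent of 'clear user-bind counter'."""
        self.drop_counter.clear()


def build_guard() -> SourceGuard:
    """Constructed state using the entries shown by 'show snooping table' and
    'show user-bind rule' above, with inspection enabled on Vlan400 and Vlan100."""
    g = SourceGuard()
    g.snooping.add(Binding("Vlan400", "3c:22:fb:55:a0:99", "30.11.64.21"))
    g.user_bind.add(Binding("Vlan100", "00:11:22:33:11:11", "10.1.1.10", "Ethernet1"))
    g.enabled_vlans.update({"Vlan400", "Vlan100"})
    g.trusted_port_vlans.add(("Ethernet49", "Vlan400"))   # trusted uplink on Vlan400 only
    g.alarm_enabled.add("Vlan100")
    g.alarm_threshold["Vlan100"] = 2                      # low threshold so the alarm shows quickly
    return g


if __name__ == "__main__":
    g = build_guard()
    # IP does not match the snooping entry for this MAC: dropped and counted
    print(g.check("Ethernet5", "Vlan400", "3c:22:fb:55:a0:99", "30.11.64.99"))
```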

[Command]
show mac-scan config

[Purpose]
Display mac-scan configuration

[View]
System view

[Use Cases]

sonic# show mac-scan config
status:disabled
period:10
checkneigh:enabled
remote:disabled
+-------------+
| INTERFACE |
+=============+
| Vlan200 |
+-------------+

[Command]
mac-scan enable
no mac-scan enable

[Purpose]
Enable MAC detection function

[View]
System configuration view, VLAN view

[Notes]
Enabling this feature allows sending ARP Request packets based on Snooping entries, User-bind entries, and ARP entries with corresponding IP addresses. This is often used for scenarios such as bringing dumb terminals or servers online. It helps proactively update the device’s MAC and ARP table entries.

[Use Cases]

sonic(config)# mac-scan enable

[Command]
mac-scan remote enable
no mac-scan remote enable

[Purpose]
Enable MAC remote terminal detection function

[View]
System configuration view

[Usage Scenario]
By default, the detection process only operates on IP addresses in the Snooping table with the “Local” attribute. When remote devices update their table entries, the update information might not be transmitted to this device in a timely manner due to the large-scale network topology, resulting in potential loss of device traffic. Enabling this configuration can help expedite the onboarding process for terminals when they migrate to new devices.

[Use Cases]

sonic(config)# mac-scan remote enable

[Command]
mac-scan no-response delete
no mac-scan no-response delete

[Purpose]
Enables the ability to delete Snooping entries based on the results of MAC probes

[View]
System configuration view

[Usage Scenario]
By default, the device only deletes the Snooping table entry when it receives a release message from the terminal. Enabling this feature allows the device to delete entries for which the type is “local” if it doesn’t receive a response after three detections.

[Use Cases]

sonic(config)# mac-scan no-response delete

[Command]
mac-scan period period

[Purpose]
Configure the interval for sending probe packets

[Parameter]

Parameter  Description
---------  ------------------------------------------
period     Value range: 1-1000, unit: ms, default: 10

[View]
System configuration view

[Notes]
The default time interval is: 10ms

[Use Cases]

sonic(config)# mac-scan period 1000

[Command]
mac-scan ip-ranges string

[Purpose]
Configure terminal detection based on subnet

[Parameter]

Parameter               Description
----------------------  -------------------------------------
IP Range                For example: 80.0.0.1-90.0.0.2
IP Range within Subnet  For example: 91.0.0.1/24-91.0.0.5/24
IP Subnet               For example: 92.0.0.3/24
Single IP               For example: 93.0.0.2

[View]
VLAN view

[Notes]
When this configuration coexists with the snooping (SNP) table, the IPs are scanned one by one at the configured interval, alternating each SNP table entry with an IP from the configured range. If new SNP table entries are generated, they are scanned first.

[Use Cases]

sonic(config)# vlan 20
sonic(config-vlan-20)# mac-scan ip-ranges 10.1.1.2

[Command]
show copp

[Purpose]
View the mapping of packets types and queues

[View]
System view

[Usage Scenario]
In a network, there are various types of packets sent to the CPU, both normal and potentially malicious. If too many packets are sent to the CPU, it can lead to high CPU utilization, performance degradation, and even system interruption. COPP (Control Plane Policing) rate-limits packets that need to be sent to the CPU based on specified queue rates. This ensures that the rate of packets sent to the CPU remains within the CPU’s normal operational capacity, preventing system disruptions.

[Use Cases]

sonic# show copp
TrapId Queue MeterType CIR ACTION
------------- ------- ----------- ------- --------
ttl_error 0 packets 150pps trap
mtu_error 0 packets 150pps drop
default 0 packets 2500pps trap
acl 0 packets 1250pps trap
ip2me 1 packets 2500pps trap
snmp 1 packets 2500pps trap
iccp 1 packets 3750pps trap
telnet 1 packets 2500pps trap
ssh 1 packets 3750pps trap
pim 2 packets 1250pps trap
ptp 2 packets 1250pps trap
igmp 2 packets 1250pps trap
mld 2 packets 1250pps trap
sample_packet 2 packets 1250pps trap
dhcp 3 packets 4500pps copy
dhcpv6 3 packets 4500pps copy
lldp 4 packets 400pps trap
isis 4 packets 1250pps trap
bgp 4 packets 4500pps trap
arp 5 packets 4500pps copy
icmp 5 packets 1250pps trap
ndp 5 packets 4500pps copy
eapol 6 packets 1000pps trap
lacp 6 packets 800pps trap
snp 6 packets 4500pps trap
stp 6 packets 800pps trap
bfd 7 packets 2000pps trap
vrrp 7 packets 1250pps copy
vrrpv6 7 packets 1250pps copy
ospfv6 7 packets 4500pps trap
ospf 7 packets 4500pps trap
bfdv6 7 packets 2000pps trap

[Command]
show queue cpu-port

[Purpose]
View CPU queue statistics

[View]
System view

[Use Cases]

sonic# show queue cpu-port
Port RxQ Counter/pkts Drop/pkts Rate/pkts
------ ----- -------------- ----------- -----------
CPU ALL0 0 0 0.00/s
CPU ALL1 0 0 0.00/s
CPU ALL2 0 0 0.00/s
CPU ALL3 0 0 0.00/s
CPU ALL4 2085 0 0.10/s
CPU ALL5 0 0 0.00/s
CPU ALL6 31298 0 0.50/s
CPU ALL7 0 0 0.00/s

[Command]
copp packet-type packet_type cir value trap-action [{trap|copy}]

[Purpose]
Configure the rate limit for protocol packets sent to the CPU

[Parameter]

Parameter    Description
-----------  ----------------------------------
packet_type  Protocol packet type
value        Value range: 125-10000, unit: pps
trap         Send to the CPU only
copy         Send to the CPU and also forward

[View]
System configuration view

[Notes]
All protocol packets that must be sent to the CPU have default rate limits. Unless there is a specific requirement, modifying them is not recommended: a rate limit that is too high may let the current protocol's packets fill the CPU processing channel and prevent protocol packets mapped to other queues from reaching the CPU.

[Use Cases]

sonic(config)# copp packet-type dhcp cir 5000 trap-action copy