PLVision developed SONiC Lite as a customized version of Community SONiC designed specifically for edge and campus deployments. Because Community SONiC was created for data center networking infrastructure, its feature set is focused on sustaining reliable and cost-effective operation of the data center. For SONiC Lite, a SONiC-based NOS for access switches, we needed to add the features required in those deployments, with PNAC being the primary objective for our product.
Although PNAC is not the sole universal answer to the potential security challenges of edge networks, it is one of the security measures SONiC needs in order to operate on access and management switches alongside other features. Learn more about the SONiC Lite feature highlights here.
PNAC step-by-step configuration for SONiC Lite
Port-based network access control (PNAC) allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) so that communication takes place only between authenticated and authorized devices. SONiC Lite uses hostapd (https://w1.fi/hostapd/) under the hood.
For local authentication, the authentication and authorization rules are configured according to the hostapd documentation in the /etc/hostapd/hostapd.eap_user file located inside the nac Docker container.
PNAC configuration example:

| Step | Explanation | Example | Command signature |
|------|-------------|---------|-------------------|
| Step 1 | Enable the NAC feature in the system | sudo config feature state nac enabled | config feature state <feature-name> <state> |
| Step 2 | Configure the NAC admin state | sudo config nac enable | sudo config nac enable |
| Step 3 | Configure the NAC admin state on an interface | sudo config nac interface enable Ethernet0 | sudo config nac interface enable <interface_name> |
| Step 4 | Display the NAC configuration | show nac; show nac interface all | show nac; show nac interface <interface_name\|all> |

The feature can be configured in three simple steps:
Step 1: Enable feature
sudo config feature state nac enabled
Check that the feature is enabled:
admin@sonic:~$ show feature config

| Feature | State | AutoRestart | Owner |
|---------|-------|-------------|-------|
| bgp | enabled | enabled | local |
| database | always_enabled | always_enabled | local |
| dhcp_relay | enabled | enabled | local |
| lldp | enabled | enabled | local |
| mgmt-framework | enabled | enabled | local |
| nac | enabled | enabled | local |
| pmon | enabled | enabled | local |
| stp | enabled | enabled | local |
| swss | enabled | enabled | local |
| syncd | enabled | enabled | local |
| teamd | enabled | enabled | local |
| telemetry | disabled | | local |
Step 2: Enable NAC globally
sudo config nac enable
Step 3: Enable NAC on a port
sudo config nac interface enable Ethernet0
Check the NAC status:
admin@sonic:~$ show nac
NAC Global Information:
NAC Admin State: up
NAC Type : port
NAC Authentication Type : local
admin@sonic:~$ show nac interface Ethernet0
Once the port is authenticated:
admin@sonic:~$ show nac interface Ethernet0
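The three-step procedure above is easy to apply by hand but easy to leave half-done (feature enabled, global state still down). The following POSIX shell script is an added example, not PLVision's or the SONiC project's code: it wraps the three commands from the post in a function and adds checks that parse the output of show feature config and show nac so an operator or a provisioning job can verify that NAC is actually enabled and up. It assumes the config and show CLIs behave as shown in the post; the sample outputs embedded in the script are constructed for offline testing and the parser tolerates both whitespace-aligned and pipe-separated table rows.

```shell
#!/bin/sh
# Added example (not from the SONiC Lite documentation): apply the PNAC steps
# and verify the resulting state by parsing SONiC CLI output.

# Constructed sample of `show feature config` output (whitespace-aligned columns).
SAMPLE_FEATURE_OUTPUT='Feature         State           AutoRestart     Owner
--------------  --------------  --------------  --------------
bgp             enabled         enabled         local
nac             enabled         enabled         local
telemetry       disabled        enabled         local'

# Constructed sample of `show nac` output.
SAMPLE_NAC_OUTPUT='NAC Global Information:
NAC Admin State: up
NAC Type : port
NAC Authentication Type : local'

# feature_state <feature> <show-feature-config-output>
# Prints the State column for the named feature, or "missing" if the row is absent.
# Pipes are turned into spaces so rows pasted from a rendered table also parse.
feature_state() {
    printf '%s\n' "$2" | tr '|' ' ' | awk -v f="$1" '
        $1 == f { print $2; found = 1 }
        END     { if (!found) print "missing" }'
}

# nac_admin_state <show-nac-output>
# Prints the value after "NAC Admin State:" (expected "up"), or "unknown".
nac_admin_state() {
    printf '%s\n' "$1" | awk -F': *' '
        /^NAC Admin State/ { print $2; found = 1 }
        END                { if (!found) print "unknown" }'
}

# nac_ready <show-feature-config-output> <show-nac-output>
# Succeeds (exit 0) only when the nac feature is enabled AND the global admin state is up.
nac_ready() {
    [ "$(feature_state nac "$1")" = enabled ] && [ "$(nac_admin_state "$2")" = up ]
}

# apply_pnac <interface>: the three steps from the post, in order. Only meaningful
# on a real SONiC Lite switch where `config` exists; it is not called by the checks above.
apply_pnac() {
    sudo config feature state nac enabled
    sudo config nac enable
    sudo config nac interface enable "$1"
}

# Live verification, run only when the SONiC `show` CLI is present on this host.
if command -v show >/dev/null 2>&1; then
    if nac_ready "$(show feature config)" "$(show nac)"; then
        echo "NAC feature enabled and admin state up"
    else
        echo "NAC is not ready: check 'show feature config' and 'show nac'" >&2
        exit 1
    fi
fi
```

On a switch, run apply_pnac Ethernet0 and then the live check; a non-zero exit from nac_ready is the signal that one of the steps did not take effect, which is the condition a rollout job should stop on rather than assume the port is protected.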
For more details, please refer to the PNAC HLD.
Cut your OpEx with a SONiC-based NOS for edge deployments
Want to find out more about SONiC Lite functionality and the hardware compatibility list for this product? Fill in the application form to get the product brief.