DEPLOYING SONIC ON JUNIPER NETWORKS PTX10008 PACKET TRANSPORT ROUTER 2021-07-13
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Deploying SONiC on Juniper Networks PTX10008 Packet Transport Router Published 2021-07-13
ii Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Deploying SONiC on Juniper Networks PTX10008 Packet Transport Router Copyright © 2021 Juniper Networks, Inc. All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
iii
Table of Contents
1 Deploying SONiC on Juniper Networks PTX10008 Router
Overview | 7
Disaggregation Overview | 7
Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7
SONiC Architecture | 8
Hardware Abstraction Layer (HAL) | 10
Multi-PFE Modular Chassis Architecture | 10
Features and Protocols Available on SONiC | 12
Install, Upgrade, and Recover SONiC | 16
Install SONiC on PTX10008 Router | 16
Upgrade SONiC on PTX10008 Router | 24
Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26
Understanding Containerized RPD | 26
Benefits of cRPD with SONiC | 27
cRPD Multi-channel KRT Support in SONiC | 27
Configure KRT multi-channels on cRPD in SONiC | 28
Configure Traceoptions on cRPD in SONiC | 29
Sample Output | 29
Configure Features in SONiC | 30
Configuring cRPD | 31
Configuring the Router | 31
Configuring Interfaces and Ports | 32
Enabling FEC Mode | 35
Enabling FEC Counters | 35
Configuring Access Control Lists (ACLs) | 36
Configuring BGP | 37
Configuring MPLS | 37
Configuring Priority-Based Flow Control | 38iv
Configuring WRED | 41
Configuring Explicit Congestion Notification | 43
Configuring Port Mirroring | 44
Configuring Media Access Control Security | 45
Configuring MACsec with Pre-shared Key | 46
Displaying the MACSec Status | 48
Monitor the Multi-PFE SONiC Platform | 49
show chassis modules | 50
show chassis fabric | 51
show chassis linecards | 51
show chassis alarms | 52
show chassis alarm-messages | 52
show chassis environment cb | 52
show chassis environment fpc | 54
show chassis environment sib | 57
show interfaces counters fec | 59
show interfaces status | 59
show interfaces transceiver presence | 60
show interfaces transceiver eeprom | 61
SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62
Access Control List (ACL) | 63
Class of Service Mapping | 67
Class of Service Queue | 67
Class of Service Scheduler Group | 68
Class of Service Scheduler | 69
Buffer API | 69
Host Interface | 70
Link Aggregation Group | 74
MACsec | 74
Mirroring | 77
MPLS | 79
Neighbor | 79
Next-hop | 79v Next-hop Group | 80 Policer | 80 Port | 81 Router Interface | 84 Routing | 86 Switching | 86 WRED | 89 Known Issues and Limitations | 90 SONiC | 90 Class of Service | 91 cRPD | 92 Interfaces and Chassis | 92 Install and Upgrade | 93 MACsec | 94
1 CHAPTER Deploying SONiC on Juniper Networks PTX10008 Router Overview | 7 Features and Protocols Available on SONiC | 12 Install, Upgrade, and Recover SONiC | 16 Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26 Configure Features in SONiC | 30 Monitor the Multi-PFE SONiC Platform | 49 SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62 Known Issues and Limitations | 90
7
Overview
IN THIS SECTION
Disaggregation Overview | 7
Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7
SONiC Architecture | 8
Hardware Abstraction Layer (HAL) | 10
Multi-PFE Modular Chassis Architecture | 10
Disaggregation Overview
Disaggregating hardware from software for cloud, multi-cloud, and distributed edge cloud solutions provides
cloud and service providers with open programmability, choice, automation, and a broad network ecosystem.
Juniper Networks commits to this disaggregation strategy by integrating Software for Open Networking
in the Cloud (SONiC) with Juniper hardware, such as the Juniper Networks PTX10008 Packet Transport
Router.
NOTE: This document focuses on PTX10008 router running SONiC. Juniper Networks' also
offers SONiC on select QFX Series platforms. For information on installing SONiC on QFX Series
platforms, see Juniper Networks Platform Support for SONiC readme document.
Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform
This section describes the following key benefits of PTX10008 multi-PFE platform running SONiC:
• Centralized SONiC architecture with SONiC running only on the Routing Engine (RE).
• Provides superior switching performance and scale, often handling 1.5 million FIB entries.
• Supports high speed (100G and 400G) Ethernet interfaces.
• Offers greater port density with minimal cabling complexity.8 • Supports advanced features like MPLS and field-replaceable units (FRUs). • Simplifies management and abstracts the complexity of the platform. • Scales well without having a route adjacency for every line card in the multi-PFE chassis. • Single BGP instance on the RE as opposed to one per packet forwarding engine (PFE) on the line card. SONiC Architecture SONiC is an open source Network Operating System (NOS) based on Linux (Debian Linux) that runs on network devices. SONiC offers a full-suite of network functionality, like BGP. SONiC provides a standardized interface called the Switch Abstraction Interface (SAI) to program networking ASICs, which is hardware independent layer. While SONiC provides several infrastructure daemons and libraries, the SAI is by far its most important component. In Juniper Network’s PTX10008 router, SAI connects to a SONiC agent in the hardware abstraction layer (HAL). Figure 1 on page 9 illustrates the SONiC architecture on Juniper Networks’ PTX10008 router.
9 Figure 1: SONiC Architecture SONiC’s architecture uses Redis as its centralized database that is made available to all SONiC processes and stores configuration and state information. SAI runs a Redis service that is built on top of the Redis database. The SONiC process, syncd, contains the SAI library. All SAI programming requests are initiated by syncd, usually in response to Redis from various SONiC processes. Syncd is the primary SONiC entry point into platform-specific services. The syncd process programs the networking ASIC through the SAI API. Linux routing protocols add routes to the routing table using the NetLink API. FpmSyncd opens a NetLink socket and waits for kernel notification about route additions and deletions. FpmSyncd monitors the changes to the routing table and publishes those changes to Redis in real time. Redis then propagates the route changes to syncd, which uses SAI to update forwarding information (FIB) to all the FPCs. The SONiC agent (in the Juniper HAL) is the platform-specific backend to the SAI API. The SONiC agent receives SAI programming requests from syncd in the SONiC container.
10 By bringing SONiC to multi-PFE chassis, Juniper Networks provides a simpler, better-performing network solution for the most demanding cloud and service provider environments—without sacrificing the flexibility of an open, disaggregated NOS. Figure 2 on page 10 shows how a route is added in SONiC. Figure 2: Adding Routes in SONiC Hardware Abstraction Layer (HAL) The SONiC image supported on Juniper Networks’ platform includes the platform drivers and Juniper's Hardware Abstraction Layer (HAL). Juniper’s HAL includes the implementation of Switch Abstraction Interface (SAI) for the Juniper Triton ASIC and the line card Packet Forwarding Engine (PFE) software. Multi-PFE Modular Chassis Architecture Shifting from a single to a multi-PFE chassis does introduce some changes. Figure 1 shows the standard SONiC architecture. SONiC is typically deployed on a fixed-form platform with a single networking ASIC. The standard SONiC architecture on Juniper’s platform is supported on the QFX5200 and QFX5210 series switches providing the SONiC infrastructure and routing services. There are two approaches to running SONiC on a multi-PFE architecture.
11 • Running SONiC as a cluster, where SONiC instances run on the line cards. In this case, each line card is considered as a SONiC device running routing protocols. • Running SONiC on the Linux node (called the Routing Engine) and not on the line cards, like in traditional multi-PFE modular chassis, such as the Juniper’s PTX10008 router. In this case, the entire system becomes a cluster within a chassis. Each line card in the system is a Linux node. Removing a line card from the chassis only results in losing the ports but not the SONiC node in the network topology. Juniper’s PTX10008 router, the newest 400G modular chassis, brings all the benefits of SONiC to data center networks by deploying SONiC on the PTX10008 router (multi-PFE architecture). Figure 3 on page 11 illustrates Juniper Networks’ PTX10008 router’s multi-PFE modular chassis architecture running SONiC. Figure 3: Multi-PFE Modular Chassis Juniper’s multi-PFE SONiC architecture provides simplicity, manageability, resiliency, performance, and scale required in data center spine network deployment. When running SONiC on multi-PFE architecture, a cell-based design such as those in the Juniper Networks’ PTX10008 router, packets are forwarded across the fabric cards (spine nodes) very efficiently. Comparing this to the flow-based ethernet ECMP mechanism, unequal fabric link utilization is seen depending on the average flow size, and where those flows are hashed across the fabric. In some cases, where high throughput is required, packet drop can be significant enough to make related applications to stop working. You can prevent this by oversizing the system, but then it can also lead to a significant increase in cost. A cell-based design, like the PTX10008 router, allows operators to run the system at a higher utilization without worrying about dropping the traffic on a single overutilized fabric link. PTX10008 router supports MPLS required to expand SONiC deployment across the infrastructure. With the current version of SONiC, which focuses primarily on switch and IP connectivity, Juniper has added
12 complete software support for MPLS from configuration to SAI. Using containerized Routing Protocol Daemon (cRPD) in SONiC, all types of MPLS routes can be programmed, even with ECMP support. Features and Protocols Available on SONiC The section describes the key features and protocols available on the Juniper Networks’ PTX10008 router running SONiC. Table 1 on page 13 lists the key features and protocols available on the Juniper Networks’ PTX10008 router running SONiC.
13
Table 1: Features and Protocols Available on SONiC
Category Features/Protocols Description
Class of DSCP Define the Differentiated Services code point (DSCP) mapping that is applied
Service to the packets.
(CoS)
Schedulers, Shaping, You use schedulers to define the properties of output queues. These properties
and Queuing include the amount of interface bandwidth assigned to the queue, the size of
the memory buffer allocated for storing packets, the priority of the queue, and
the random early detection (RED) drop profiles associated with the queue. Output
queues are mapped to forwarding classes, and classifiers map incoming traffic
into forwarding classes based on IEEE 802.1p or DSCP code points.
You can shape traffic for a specific port on a router or for a specific CoS queue.
Output queue scheduling defines the class-of-service (CoS) properties of output
queues.
WRED Weighted random early detection (WRED) drop profiles define the drop
probability of packets of different packet loss probabilities (PLPs) as the output
queue fills. During periods of congestion, as the output queue fills, the switch
drops incoming packets as determined by a drop profile, until the output queue
becomes less congested.
Depending on the drop probabilities, a drop profile can drop many packets long
before the buffer becomes full, or it can drop only a few packets even if the
buffer is almost full.
Priority-Based Flow Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined
Control by IEEE 802.1Qbb that allows independent flow control for each class of service
to ensure that no frame loss from congestion occurs in data center networks.
PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC controls
classes of flows, whereas Ethernet PAUSE indiscriminately pauses all of the
traffic on a link. Also known as priority flow control.
PFC Watchdog Use the PFC watchdog to detect and resolve PFC pause storms. PFC watchdog
is activated by SONiC configuration on a PFC enabled interface.
Explicit Congestion Explicit congestion notification (ECN) enables end-to-end congestion notification
Notification between two endpoints on TCP/IP based networks. The two endpoints are an
ECN-enabled sender and an ECN-enabled receiver. ECN must be enabled on
both endpoints and on all the intermediate devices between the endpoints for
ECN to work properly. Any device in the transmission path that does not support
ECN breaks the end-to-end ECN functionality.
DHCP DHCP Relay Forwards DHCP packets between clients and servers.14
Table 1: Features and Protocols Available on SONiC (continued)
Category Features/Protocols Description
Access ACL ACL provide a means of protecting your router from excessive traffic transiting
Control the router to a network destination or destined for the Routing Engine.
List (ACL)
NOTE: Juniper Networks’ PTX10008 router running SONiC supports ACL only
at the ingress (IPv4 and IPv6) level. Egress is not supported.
ACL is also known as firewall filters.
Layer 2 Link Layer Discovery Allows network devices that operate at the lower layers of a protocol stack (such
Protocol (LLDP) as Layer 2 bridges and switches) to learn some of the capabilities and
characteristics of LAN devices available to higher layer protocols, such as IP
addresses. The information gathered through LLDP operation is stored in a
network device and is queried with SNMP.
MACSec Media Access Control security (MACsec) provides point-to-point security on
Ethernet links. MACsec is defined by IEEE standard 802.1AE.
MAC Table Aging Modify the timeout interval for the MAC table.
MTU Setting Specify the maximum transmission unit (MTU) size for the media or protocol.
The default MTU size depends on the device type. Changing the media MTU or
protocol MTU causes an interface to be deleted and added again.
Link Aggregation LACP is one method of bundling several physical interfaces to form one logical
Control Protocol aggregated Ethernet interface. LACP is a subcomponent of the IEEE 802.3ad
(LACP) standard and is used as a discovery protocol.
Link Aggregation IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form
Group (LAG) a single link layer interface, also known as a link aggregation group (LAG) or
bundle. Supports up to 512 bundles; up to 64 member links per bundle.
Layer 3 IPv4 Supports IPv4 address family.
IPv6 Supports IPv6 address family.
Dual Stack Supports dual-stack (IPv4 and IPv6). Dual stack device is a device with network
interfaces that can originate and understand both IPv4 and IPv6 packets.
ECMP 128 Supports 128 equal-cost paths for external BGP peers.
Logging Syslog Stores system log messages such as events and sends it to a syslog server.15
Table 1: Features and Protocols Available on SONiC (continued)
Category Features/Protocols Description
Network Time Synchronize the clocks of routers and other hardware devices on the Internet.
Protocol (NTP)
SNMP Enables the monitoring of network devices from a central location.
SSH/SSHv2 Enables SSH (secure shell) to connect to remote devices securely over a network.
TACACS+ Enables TACACS+ authentication, which is a method of authenticating users
who attempt to access the router or switch.
Management VRF Enable a dedicated management virtual routing and forwarding (VRF) instance.
FTP/SFTP Allows File Transfer Protocol (FTP) requests from remote systems to the local
device. Secure File Transfer Protocol (SFTP) is a network protocol that provides
file access, file transfer, and file management over any reliable data stream.
Warm Restart Allows you to restart various SONiC components without impacting the data
plane.
NOTE: Warm restart at system level is not supported.
Protocols BGP BGP exchanges routing information among routers in different autonomous
systems.
MPLS MPLS configuration in SONiC is supported only through cRPD for forwarding
packets to the destination in MPLS network.
Routing cRPD cRPD is the routing protocol process (rpd) that can run in Linux-based
Stack environments.
NOTE: The SONiC SAI APIs and attributes supported on Juniper Networks’ PTX10008 router
are in compliance with SONiC 201911 release. For more information, see “SAI API and Attributes
Supported on the Multi-PFE SONiC Platform” on page 62.16
Install, Upgrade, and Recover SONiC
IN THIS SECTION
Install SONiC on PTX10008 Router | 16
Upgrade SONiC on PTX10008 Router | 24
This section describes how to install, upgrade, and recover Open Network Install Environment (ONIE) and
SONiC on the Juniper Networks’ PTX10008 router. Open Network Installation Environment (ONIE) is an
open source installation environment for installing and booting all the software components.
NOTE: The Juniper Networks’ PTX10008 router is shipped with SONiC images pre-installed.
The SONiC installation and recovery process on PTX10008 router are the same and the installation results
in clean installation, which means all the prior configurations are removed, including that of the network
management port. Access to the console port is required before beginning the installation and recovery
process.
For SKUs supporting SONiC, see the PTX10008 Packet Transport Router datasheet at
https://www.juniper.net/us/en/products-services/routing/ptx-series/ptx10000/.
Install SONiC on PTX10008 Router
This section describes how to install SONiC on the Juniper Networks’ PTX10008 router.
NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by
the BIOS.17
To install SONiC on the Juniper Networks’ PTX10008 router, you need to:
1. Download the install image juniper-sonic-ptx10k-media-usb-.img (for example
juniper-sonic-ptx10k-media-usb-201911-R1.7.img), from
https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as
SONiC.
NOTE: The juniper-sonic-ptx10k-media-usb-.img image installs both ONIE and
SONiC on the PTX10008 router.
2. Copy the juniper-sonic-ptx10k-media-usb-.img install image to a USB memory drive and
then insert the USB memory drive to the router’s USB port.
3. Power on the router and access the console.
$ telnet console-port
Trying 10.9.187.145...
Connected to console-port.
Escape character is '^]'.
+----------------------------------------------------------------------------+
Booting from Flash A
FPGA Reset Reason = 0x80
Primary BIOS version CBEP_P_VAL1_00.15.01
Total Memory Size = 64GB
Checking Primary BIOS code integrity...Passed!
ME is in normal operational state
Press Esc for boot options
ME is in normal operational state
4. Go to the boot options in the BIOS configuration by pressing the Esc key, as displayed in the console
screen.
5. Select Setup Utility option from menu.
Enter Select SubMenu
> Continue
> Boot Manager
> Device Management
> Setup Utility
> Administer Secure Boot18
6. Select Boot from the Setup Utility menu.
Go to Setup Utility.
InsydeH2O Setup Utility Rev. 5.0
Main Advanced Security Power >Boot Exit
7. Select UEFI Boot Order option from the InsydeH20 Setup Utility menu.
InsydeH2O Setup Utility Rev. 5.0
Main Advanced Security Power >Boot Exit
Quick Boot Enabled
Quiet Boot Enabled
Network Stack Enabled
PXE Boot capability UEFI:IPv4
Power Up In Standby Disabled
Add Boot Options Auto
ACPI Selection Acpi5.0
USB Boot Enabled
UEFI OS Fast Boot Enabled
USB Hot Key Support Disabled
Timeout 5
Automatic Failover Enabled
Juniper Boot Mode UEFI Boot Order
>EFI
8. Press F10 to exit and save the changes.
9. Select Boot Manager option from the menu and then select USB media for boot.
Secure boot is not enforced
Welcome to GRUB!
GNU GRUB version 2.02
+----------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line.
+----------------------------------------------------------------------------+
ONIE: Rescue
*ONIE: Embed ONIE
ONIE: Embedding ONIE ...19
10. Select ONIE: Embed ONIE option to proceed with ONIE boot.
Platform : x86_64-juniper_ptx10k-r0
Version : 2020.02.0.1-dirty
Build Date: 2020-02-25T15:12+00:00
Info: Mounting kernel filesystems... done.
Info: Mounting ONIE-BOOT on /mnt/onie-boot ...
Info: Mounting EFI System on /boot/efi …
[…]
ONIE: Build Date : 2020-02-25T15:12+00:00
Installing ONIE on: /dev/sda
ONIE: Success: Firmware update URL: file:///lib/onie/onie-updater
ONIE: Success: Firmware update version: 2020.02.0.1-dirty
ONIE: Rebooting...
discover: ONIE embed mode detected.
Stopping: discover...start-stop-daemon: warning: killing process 1300: No such
process
done.
Stopping: dropbear ssh daemon... done.
Stopping: telnetd... done.
Stopping: klogd... done.
Stopping: syslogd... done.
Info: Unmounting kernel filesystems
umount: can't unmount /: Invalid argument
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system reboot
reboot: Restarting system
+----------------------------------------------------------------------------+
Booting from Flash A
FPGA Reset Reason = 0x1
Primary BIOS version CBEP_P_VAL1_00.15.01
Total Memory Size = 64GB
Checking Primary BIOS code integrity...Passed!
Press Esc for boot options
ME is in normal operational state
[…]
Booting ONIE: Open Network Install Environment...
Secure boot is not enforced
Welcome to GRUB!
GNU GRUB version 2.02
+----------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.20
Press enter to boot the selected OS, `e' to edit the commands
before booting or `c' for a command-line.
*ONIE: Install OS21
Starting: discover... done.
Please press Enter to activate this console. Info: eth0: Checking link... down.
ONIE: eth0: link down. Skipping configuration.
Info: eth1: Checking link... up.
Info: Trying DHCPv4 on interface: eth1
ONIE: Using DHCPv4 addr: eth1: 10.9.168.253 / 255.255.255.0
Info: eth2: Checking link... down.
ONIE: eth2: link down. Skipping configuration.
Info: eth3: Checking link... down.
ONIE: eth3: link down. Skipping configuration.
ONIE: Failed to configure eth0 interface
ONIE: Failed to configure eth2 interface
ONIE: Failed to configure eth3 interface
ONIE: Starting ONEXT4-fs (sdc7): couldn't mount as ext3 due to feature
incompatibilities
IE Service Discovery
[…]
12. After the SONiC OS is installed successfully, the system reboots, and loads the SONiC OS automatically.
Info: Attempting file://dev/sda/onie-installer ...
ONIE: Executing installer: file://dev/sda/onie-installer
Verifying image checksum ... OK.
Preparing image archive ... OK.
Installing SONiC in ONIE
ONIE Installer: platform: x86_64-juniper-r0
onie_platform: x86_64-juniper_ptx10k-r0
Partition #1 is in use.
Partition #2 is in use.
Partition #3 is available
Creating new SONiC-OS partition /dev/sdb3 ...
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
The operation has completed successfully.
mke2fs 1.42.13 (17-May-2015)
Discarding device blocks: 4096/8388608 528384/83886087344128/8388608
done
Creating filesystem with 8388608 4k blocks and 2097152 inodes
Filesystem UUID: 9fdb43cf-35fa-4e1d-b403-a3bffacb7a9e
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 796262422 Allocating group tables: 0/256 done Writing inode tables: 0/256 done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: 0/256 done Installing SONiC to /tmp/tmp.4GacD0/image-201904.0-dirty-20200226.091.. Archive: fs.zip creating: boot/ inflating: boot/vmlinuz-4.9.0-9-2-amd64 inflating: boot/config-4.9.0-9-2-amd64 inflating: boot/bzImage-ptx10k-rcb.dtb inflating: boot/initrd.img-4.9.0-9-2-amd64 inflating: boot/System.map-4.9.0-9-2-amd64 creating: platform/ inflating: platform/firsttime creating: platform/x86_64-grub/ inflating: platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb inflating: fs.squashfs Success: Support tarball created: /tmp/onie-support-juniper_ptx10k.tar.bz2 Installed SONiC base image SONiC-OS successfully ONIE: NOS install successful: file://dev/sda/onie-installer ONIE: Rebooting... discover: installer mode detected. Stopping: discover...start-stop-daemon: warning: killing process 1379: No such process done. Stopping: dropbear ssh daemon... done. Stopping: telnetd... done. Stopping: klogd... done. Stopping: syslogd... done. Info: Unmounting kernel filesystems umount: can't unmount /: Invalid argument The system is going down NOW! Sent SIGTERM to all processes Sent SIGKILL to all processes Requesting system reboot reboot: Restarting system +----------------------------------------------------------------------------+ Booting from Flash A FPGA Reset Reason = 0x81 Primary BIOS version CBEP_P_VAL1_00.15.01 Total Memory Size = 64GB Checking Primary BIOS code integrity...Passed!
23
Press Esc for boot options
ME is in normal operational state
Booting SONiC-OS...24
Upgrade SONiC on PTX10008 Router
This section describes how to upgrade SONiC on the Juniper Networks’ PTX10008 router. Software
upgrade is the procedure of updating the SONiC to a latest release without losing any of the existing
configuration. While console access is always preferred, it is not mandatory for this procedure.
NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by
the BIOS.
To upgrade the SONiC OS on the Juniper Networks’ PTX10008 router to a later release, you need to:
1. Download the SONiC image juniper-sonic-ptx10k-.bin (for example,
juniper-sonic-ptx10k-201911-R1.6.bin) from
https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as
SONiC.
2. Copy the SONiC installer image to the /usr/bin/ directory in the existing SONiC system.
3. You must be logged in as a root user to proceed with the upgrade. If you are logged in to SONiC as a
non-root user, you will need to switch to the root user by entering the following command:
admin@ptx10k8:~$sudo -i
4. Navigate to the directory /usr/bin/ where the juniper-sonic-ptx10k-.bin file is located.
root@ptx10k8:~# cd /usr/bin/
5. Install the juniper-sonic-ptx10k-.bin file.
root@ptx10k8:/usr/bin/# sonic_installer install ./juniper-sonic-ptx10k-.bin
6. When prompted to install the new image, enter Y to continue the upgrade installation.
New image will be installed, continue? [y/N]: y
Installing image SONiC-OS-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528
and setting it as default...
Command: bash ./juniper-sonic-ptx10k-201911-R1.6.bin25
Verifying image checksum ... OK.
Preparing image archive ... OK.
Installing SONiC in SONiC
ONIE Installer: platform: x86_64-juniper-r0
onie_platform: x86_64-juniper_ptx10k-r0
Removing old SONiC installation
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201110.103709
Installing SONiC to /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528
Archive: fs.zip
creating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/bzImage-ptx10k-rcb.dtb
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/initrd.img-4.9.0-11-2-amd64
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/System.map-4.9.0-11-2-amd64
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/config-4.9.0-11-2-amd64
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/vmlinuz-4.9.0-11-2-amd64
creating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/
extracting:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/firsttime
creating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb
inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/fs.squashfs
Installed SONiC base image SONiC-OS successfully
Command: grub-set-default --boot-directory=/host 0
Command: rm -rf /host/old_config26
Command: cp -ar /etc/sonic /host/old_config
Command: sync;sync;sync
Command: sleep 3
Done
7. Reboot the system to activate the new software.
root@ptx10k8:/usr/bin/# reboot
Routing Stack Options in Juniper Networks’ Platforms
Running SONiC
IN THIS SECTION
Understanding Containerized RPD | 26
Benefits of cRPD with SONiC | 27
cRPD Multi-channel KRT Support in SONiC | 27
Understanding Containerized RPD
SONiC on Juniper Networks PTX100008 router supports containerized Routing Protocol Daemon (cRPD).
cRPD is Juniper’s routing protocol container. SONiC also supports the Free Range Routing (FRR) routing
stack.
Juniper’s cRPD contains the routing protocol process (rpd) that can run in Linux-based environments and
management daemon (mgd) that allows the system administrator to run rpd-related CLI for configuration
purposes. The rpd process runs as user space application and learns route state through various routing
protocols and maintains the complete set in the Routing Information Base (RIB), also known as routing
table. The rpd process is also responsible for downloading the routes into the Forwarding Information27
Base (FIB) also known as forwarding table based on local selection criteria. Whereas the Packet Forwarding
Engine (PFE) in Juniper Networks PTX10008 router holds the FIB and does packet forwarding for cRPD.
The host Linux kernel stores the FIB and performs packet forwarding. cRPD can also be deployed to provide
control plane-only services such as BGP route reflection.
The default routing stack offered in Juniper Networks’ PTX100008 router running SONiC is cRPD. cRPD
is a fully supported, feature rich, fast converging and scalable routing stack. However, you can also use
FRR as the routing stack.
Benefits of cRPD with SONiC
This section lists the following key benefits of cRPD in Juniper Networks’ PTX10008 multi-PFE platform
running SONiC:
• Feature rich with BGP filters, route policies, stable and high performance.
• Telemetry information on state, health, and performance with gRPC streaming.
• Containers reduces the time required for service boot up from several minutes to a few seconds resulting
in faster deployment.
• Run cRPD on any Linux server that supports docker.
• With a small footprint and minimum resource reservation requirements, cRPD can easily scale to keep
up with demand.
• Provides significantly higher density without requiring resource reservation on the host than what is
offered by VM-based solutions.
For more information on cRPD, see cRPD Deployment Guide for Linux Server.
cRPD Multi-channel KRT Support in SONiC
IN THIS SECTION
Configure KRT multi-channels on cRPD in SONiC | 28
Configure Traceoptions on cRPD in SONiC | 29
Sample Output | 2928
cRPD in SONiC supports multiple Kernel Routing Table (KRT) channels to download route table information
to forwarding table (FIB). The two KRT channels supported are NetLink-based native Linux kernel FIB and
FPMSyncd-based SONiC FIB.
NOTE: Export policy with install-nexthop is not supported for routes which undergo resolution
(routes pointing to indirect-nexthop in RPD).
This section describes the following:
Configure KRT multi-channels on cRPD in SONiC
You can configure KRT multi-channels at the [edit routing-options forwarding-table] hierarchy level as
shown below:
routing-options {
forwarding-table {
export abc;
channel channel-name {
protocol {
protocol-type netlink-fpm
destination tcp-addr:port
source-id source-id
}
export policy-name
}
}
}
NOTE: In Junos OS Release 21.1R1, the configuration statements under the [edit routing-options
forwarding-table channel channel-name] hierarchy level is only available for cRPD in SONiC
platform.
Host Linux channel uses the export policy under the [edit routing-options forwarding-table export]
hierarchy level.
FPMSyncd channel uses the policy at [edit routing-options forwarding-table channel channel-name export]
hierarchy level.29
Configure Traceoptions on cRPD in SONiC
You can enable debugging by configuring traceoptions on cRPD in SONiC at the [edit routing-options
forwarding-table traceoptions flag] hierarchy level. The following new flags are supported on cRPD in
SONiC:
• fpm—FIB agent-related operations
• table—Table operations
• mfs—Multi-fib service operations
The following is a sample traceoptions configuration on cRPD in SONiC:
routing-options {
router-id 2.2.2.2;
autonomous-system 200;
forwarding-table {
traceoptions {
file krt_mc_debug.log;
flag fpm;
flag mfs;
flag table;
}
}
}
Sample Output
The following is a sample output where routes are advertised to linux (NetLink-based) kernel and to SONiC
through FPMSyncd:
user@host# run show route 192.168.1.1/24 extensive
inet.0: 17 destinations, 19 routes (16 active, 0 holddown, 1 hidden)
192.168.1.1/24 (1 entry, 1 announced)
TSI:
KRT-MFS Advt. to KRT-Netlink,KRT-FPM
KRT-FPM in-kernel 192.168.1.1/24 -> {Ethernet13}
*Direct Preference: 0
Next hop type: Interface, Next hop index: 0
Address: 0x55eb0b0153dc
Next-hop reference count: 230
Next hop: via Ethernet13, selected
State:
Local AS: 200
Age: 5d 11:35:21
Validation State: unverified
Task: IF
Announcement bits (4): 1-KRT MFS 3-KRT 4-KRT-FPM
AS path: I
Thread: junos-main
You can see that the route 192.168.1.1/24 is downloaded to the linux (KRT-Netlink) kernel and is also
downloaded to SONiC (KRT-FPM) through FPMSyncd.
Configure Features in SONiC
IN THIS SECTION
Configuring cRPD | 31
Configuring the Router | 31
Configuring Interfaces and Ports | 32
Enabling FEC Mode | 35
Enabling FEC Counters | 35
Configuring Access Control Lists (ACLs) | 36
Configuring BGP | 37
Configuring MPLS | 37
Configuring Priority-Based Flow Control | 38
Configuring WRED | 41
Configuring Explicit Congestion Notification | 43
Configuring Port Mirroring | 44
Configuring Media Access Control Security | 45
This section describes the features that you can configure on the Juniper Networks’ PTX10008 router
running SONiC.31
Configuring cRPD
Juniper Networks’ PTX10008 router supports configuring cRPD in SONiC through the config_db.json
configuration utility. The config_db.json utility is a local redis database (redis-db). You need to do a config
save and config load for the configurations to take effect in cRPD.
NOTE: The config save command is equivalent to the commit command in cRPD.
When the SONiC system boots up, configurations are loaded from /etc/sonic/config_db.json file into the
redis database.
Configuring the Router
This section shows a sample router device configuration using cRPD in SONiC.
To configure the router on SONiC, modify the DEVICE_METADATA hierarchy statements in the
/etc/sonic/config_db.json file.
"DEVICE_METADATA": {
"localhost": {
"bgp_asn": "65100",
"default_bgp_status": "up",
"default_pfcwd_status": "disable",
"deployment_id": "1",
"docker_routing_config_mode": "fpm",
"hostname": "vsonic",
"hwsku": "PTX10008",
"mac": "30:b6:4f:94:61:2e",
"platform": "x86_64-kvm_x86_64-r0",
"type": "LeafRouter"
}
},
"DEVICE_NEIGHBOR_METADATA": {
"JUNIPER10K3T1": {
"hwsku": "PTX10008",
"lo_addr": "None",
"mgmt_addr": "10.216.171.5",
"type": "LeafRouter"32
}
},
Configuring Interfaces and Ports
This section shows a sample interface and port configuration using cRPD in SONiC.
To configure interfaces and ports on SONiC, modify the INTERFACE hierarchy statements in the
/etc/sonic/config_db.json file.
"INTERFACE": {
"Ethernet3": {
"mpls": "enable"
},
"Ethernet4": {
"mpls": "enable"
},
"Ethernet5": {
"mpls": "enable"
},
"PortChannel0001": {},
"Ethernet3|1.21.23.2/24": {},
"Ethernet4|1.22.23.2/24": {},
"Ethernet5|1.23.23.2/24": {},
"PortChannel0001|20.1.1.1/24": {}
},
"PORT": {
"Ethernet1": {
"admin_status": "up",
"alias": "et-0/0/1",
"lanes": "1"
},
"Ethernet2": {
"admin_status": "up",
"alias": "et-0/0/3",
"lanes": "2"
},
"Ethernet3": {33
"admin_status": "up",
"alias": "et-0/0/5",
"lanes": "3"
},
"Ethernet4": {
"admin_status": "up",
"alias": "et-0/0/7",
"flow_control": "on",
"lanes": "4"
},
"Ethernet5": {
"admin_status": "up",
"alias": "et-0/0/9",
"lanes": "5"
}
},
"PORTCHANNEL": {
"PortChannel0001": {
"admin_status": "up",
"members": [
"Ethernet1",
"Ethernet2"
],
"min_links": "1",
"mtu": "1500"
}
},
"PORTCHANNEL_MEMBER": {
"PortChannel0001|Ethernet1": {},
"PortChannel0001|Ethernet2": {}
}
When a physical port is configured to be channelized, then all the channelized ports need to be configured
with a valid speed setting. In the following example, a speed of 10000 is configured on the channelized
ports:
"Ethernet13": {
"admin_status": "up",
"alias": "et-1/0/34:0",34
"lanes": "13",
"mtu": "1500",
"speed": "10000"
},
"Ethernet14": {
"admin_status": "up",
"alias": "et-1/0/34:1",
"lanes": "14",
"mtu": "1500",
"speed": "10000"
},
"Ethernet15": {
"admin_status": "up",
"alias": "et-1/0/34:2",
"lanes": "15",
"mtu": "1500",
"speed": "10000"
},
"Ethernet16": {
"admin_status": "up",
"alias": "et-1/0/34:3",
"lanes": "16",35
"mtu": "1500",
"speed": "10000"
},
Enabling FEC Mode
This section shows a sample port configuration to enable forward error correction (FEC) mode in SONiC.
On PTX10008 routers, FEC is enabled by default on the interfaces. For any module where FEC is disabled
by default, then you can enable FEC mode to the SONiC port configuration in port_config.ini file.
"PORT": {
"Ethernet1": {
"admin_status": "up",
"alias": "et-0/0/1",
"lanes": "1",
"fec": "rs"
}
Enabling FEC Counters
Once FEC mode is enabled, the FEC counters starts accumulating data. The FEC counters are tied to the
port statistics through the FLEX COUNTER configuration in config_db.json file.
"FLEX_COUNTER_TABLE": {
"PFCWD": {
"FLEX_COUNTER_STATUS": "enable"
},
"PORT": {
"FLEX_COUNTER_STATUS": "enable"
},
"QUEUE": {36
"FLEX_COUNTER_STATUS": "enable"
}
}
Use the show interfaces counters fec command to monitor FEC counters. See “Monitor the Multi-PFE
SONiC Platform” on page 49 for information.
Configuring Access Control Lists (ACLs)
This section shows a sample ACL configuration using cRPD in SONiC.
NOTE: ACL is also known as firewall filters.
To configure ACL on SONiC, modify the ACL_TABLE and ACL_RULE statements in the
/etc/sonic/config_db.json file.
ACL_TABLE": {
"acl-test": {
"policy_desc": "test_acl",
"ports": [
"Ethernet3",
"Ethernet4"
],
"stage": "ingress",
"type": "l3"
}
},
"ACL_RULE": {
"acl-test|rule_0": {
"PRIORITY": "1000",
"PACKET_ACTION": "DROP",
"SRC_IP": "1.21.23.1"
},
"acl-test|rule_1": {
"PRIORITY": "1001",
"PACKET_ACTION": "DROP",
"SRC_IP": "1.21.23.4"37
}
},
Configuring BGP
This section shows a sample BGP configuration using cRPD in SONiC.
To configure BGP on SONiC, modify the BGP_NEIGHBOR statements in the /etc/sonic/config_db.json
file.
"BGP_NEIGHBOR": {
"1.21.23.1": {
"admin_status": "up",
"asn": "64800",
"holdtime": "180",
"keepalive": "60",
"local_addr": "1.21.23.2",
"name": "JUNIPER10K3T2",
"nhopself": "0",
"rrclient": "0"
}
}
Configuring MPLS
This section shows a sample MPLS configuration using cRPD in SONiC. MPLS is not enabled in FRR, the
default SONiC routing stack. MPLS functionality is currently only available through cRPD routing stack.
To enable MPLS on SONiC, modify the INTERFACE statement in the /etc/sonic/config_db.json file.
"INTERFACE": {
"Ethernet3": {
"mpls": "enable"38
},
}
You can enable and disable MPLS on the interfaces using the following SONiC configuration utility:
config interface mpls add rif-name
config interface mpls remove rif-name
Configuring Priority-Based Flow Control
Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined by IEEE 802.1Qbb that
allows independent flow control for each class of service to ensure that no frame loss from congestion
occurs in data center networks. PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC
controls classes of flows, whereas Ethernet PAUSE indiscriminately pauses all the traffic on a link. Also
known as priority flow control.
On Juniper Networks PTX10008 router running SONiC, a maximum of two PFC designated queues per
port is supported.
You can use PFC watchdog to detect and resolve PFC pause storms. PFC watchdog is activated by SONiC
configuration on a PFC enabled interface. PFC watchdog detection, mitigation, and recovery functionality
is handled by the forwarding plane. PFC watchdog detection and recovery intervals are configured at the
chassis level and not at the port level.
NOTE: Juniper Networks PTX10008 router running SONiC supports PFC and PFC watchdog
features in 201911-r2 and later releases.
NOTE: The SONiC CLI only shows the configuration status and the pause storms detection and
recovery statistics.
NOTE: The PFC and PFC Watchdog is supported on the physical interface and not on AE
interfaces.39
To configure PFC on SONiC, you need to:
1. Map the code-point to a PFC enabled Queue.
"MAP_PFC_PRIORITY_TO_QUEUE": {
"AZURE": {
"3": "3",
"4": "4"
}
}
2. Enable PFC on the Interface.
"PORT_QOS_MAP": {
"Ethernet4,Ethernet22,Ethernet23": {
….
"pfc_enable": "3,4"
}
}
To configure xon/xoff values, a buffer must be associated with the queue.
1. Create a buffer pool.
"BUFFER_POOL": {
"ingress_lossless_pool": {
"xoff": "4194112",
"type": "ingress",
"mode": "dynamic",
"size": "10875072"
}
}
2. Create a buffer profile that refers to the buffer pool and specifies the desired xon/xoff values.
NOTE: xon/xoff values are expressed in bytes, and are relative to the size of the default
buffer for the queue’s interface. For more details, see Class of Service section in Known Issues
and Limitations.40
"BUFFER_PROFILE": {
"pg_lossless_40000_40m_profile": {
"xon_offset": "2288",
"dynamic_th": "-3",
"xon": "35776000",
"xoff": "71552000",
"pool": "[BUFFER_POOL|ingress_lossless_pool]",
"size": "1248"
}
}
3. Associate the buffer pool with the queue.
"BUFFER_QUEUE": {
"Ethernet4,Ethernet22,Ethernet23|3-4": {
"profile": "[BUFFER_PROFILE|pg_lossless_40000_40m_profile]"
},
}
The following is a sample to configure PFC watchdog on the interface:
"PFC_WD": {
"Ethernet6": {
"action": "drop",
"detection_time": "200",
"restoration_time": "400"
},
"Ethernet42": {
"action": "drop",
"detection_time": "200",
"restoration_time": "400"
},
"Ethernet67": {
"action": "drop",
"detection_time": "200",
"restoration_time": "400"
}
},41
NOTE: In the PFC Watchdog configuration, only drop is supported as an action. Forward is not
supported as an action.
Configuring WRED
Weighted random early detection (WRED) drop profiles define the drop probability of packets of different
packet loss probabilities (PLPs) as the output queue fills. During periods of congestion, as the output queue
fills, the switch drops incoming packets as determined by a drop profile, until the output queue becomes
less congested. Depending on the drop probabilities, a drop profile can drop many packets long before
the buffer becomes full, or it can drop only a few packets even if the buffer is almost full.
To configure WRED in SONiC, you need to:
1. Configure WRED profile.
"WRED_PROFILE": {
"AZURE": {
"ecn": "ecn_all",
"green_drop_probability": "10",
"green_max_threshold": "4097152",
"green_min_threshold": "1048576",
"red_drop_probability": "50",
"red_max_threshold": "8097152",
"red_min_threshold": "4048576",
"wred_green_enable": "true",
"wred_red_enable": "true",
"wred_yellow_enable": "true",
"yellow_drop_probability": "30",
"yellow_max_threshold": "6097152",
"yellow_min_threshold": "3048576"
}
}
2. Attach the WRED profile under a queue.
"QUEUE": {42
"Ethernet4,Ethernet22,Ethernet23|3" : {
"scheduler" : "[SCHEDULER|scheduler.1]",
"wred_profile" : "[WRED_PROFILE|AZURE]"
}
The minimum or maximum thresholds in the WRED profile are byte values that are relative to the buffer
size. The buffer size can come either from the default buffer for the queue’s interface, or from an
explicitly configured buffer size. For more details, see Class of Service section in Known Issues and
Limitations. To explicitly configure the buffer size used with the threshold values, perform the following
additional steps:
3. Configure a buffer pool with a size relative to the minimum or maximum thresholds in the WRED profile.
"BUFFER_POOL": {
"ingress_pool": {
"type": "ingress",
"size": "10875072"
}
}
4. Configure a buffer profile that references the buffer pool.
"BUFFER_PROFILE": {
"ingress_profile": {
"dynamic_th": "3",
"pool": "[BUFFER_POOL|ingress_pool]",
"size": "0"
}
}
5. Associate the buffer pool with the queue.
"BUFFER_QUEUE": {
"Ethernet4,Ethernet22,Ethernet23|3-4": {
"profile": "[BUFFER_PROFILE|ingress_profile]"
}
}43
Configuring Explicit Congestion Notification
Explicit congestion notification (ECN) enables end-to-end congestion notification between two endpoints
on TCP/IP based networks. The two endpoints are an ECN-enabled sender and an ECN-enabled receiver.
ECN must be enabled on both endpoints and on all the intermediate devices between the endpoints for
ECN to work properly. Any device in the transmission path that does not support ECN breaks the end-to-end
ECN functionality.
NOTE: Juniper Networks PTX10008 router running SONiC supports ECN in 201911-r2 and
later releases.
On Juniper Networks PTX10008 router running SONiC, ECN is controlled using the WRED drop profile
configuration.
NOTE: ECN is supported only on the physical interface and not on AE interfaces.
WRED profiles are used to enable ECN. Without ECN enabled, a WRED profile drops packets based on
how full the buffer is. With ECN enabled, packets are marked rather than being dropped.
To configure ECN on SONiC, you need to:
1. Configure WRED profile. See “Configuring WRED” on page 41.
2. Enable ECN in the WRED profile.
"WRED_PROFILE": {
"AZURE": {
"ecn": "ecn_all",
…
}
}44
Configuring Port Mirroring
Port mirroring is also known as Everflow in SONiC. You use port mirroring to send traffic to devices that
analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions,
monitoring, and predicting traffic patterns, correlating events, and so on. Port mirroring is needed when
you want to perform traffic analysis because a device normally sends packets only to the port to which
the destination device is connected.
NOTE: Juniper Networks PTX10008 router running SONiC supports port mirroring (Everflow)
in 201911-r2 and later releases.
To configure port mirroring, you need to configure a port-mirroring instance.
You send the packets through a mirror session. The egress packet is GRE encapsulated. You can also apply
policing to the sampled packets.
The following is a sample to configure port mirroring (Everflow) in SONiC:
"MIRROR_SESSION": {
"everflow0": {
"src_ip": "192.168.1.1",
"dst_ip": "192.168.2.1"
}
},
"ACL_TABLE": {
"EVERFLOW": {
"policy_desc" : "EVERFLOW_ALWAYS_ON",
"type": "MIRROR",
"ports": [
"Ethernet4",
]
}
}
"ACL_RULE": {
"EVERFLOW |rule_1": {
"priority": "9999",
"mirror_action": "everflow0",
"dscp": "16/31"
},
}45
ACL and mirroring-related configurations are defined in MIRROR_SESSION,ACL_TABLE, and ACL_RULE
tables.
Configuring Media Access Control Security
Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is
defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols,
such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.
MACsec can identify and prevent most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet
link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation
Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol
(ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with
other security solutions.
Juniper Networks' PTX10008 router running SONiC supports MACsec. The PTX10008 router with up to
400G line rate MACsec works seamlessly on SONiC.
NOTE: Juniper Networks PTX10008 router running SONiC supports MACsec in 201911-r2 and
later releases.
To configure MACsec on a port in SONiC, you need to include the port name to the MACSEC_PORT
stanza in /etc/sonic/config_db.json as shown below:
MACSEC_PORT {
Ethernet,
...
}
Use the following CLI commands to enable and disable MACsec dynamically on SONiC as an alternative
to config_db.json:
config macsec add Ethernet
config macsec remove Ethernet46
To configure the MACsec security behavior in wpa-supplicant, a configuration file must be added for each
SONiC port that is enabled for MACsec. The wpa-supplicant configuration file should be named as
/etc/sonic/macsec/Ethernet.conf.
The content of the wpa-supplicant configuration file syntax is documented by the wpa-supplicant project
as follows:
update_config=1
ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
NOTE: The content of the wpa_supplicant configuration file is fixed and should not be modified.
Configuring MACsec with Pre-shared Key
MACsec security keys and sessions are managed by the MACsec Key Agreement (MKA) protocol software
stack.
You can configure MACsec with a pre-shared key as shown below:
network={
key_mgmt=NONE
eapol_flags=0
macsec_policy=1
macsec_integ_only=0
macsec_ciphersuite=1
macsec_port=1
....macsec_include_sci=0
mka_cak=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
mka_priority=1
}You can also read
