Configure Features in SONiC

This section describes the features that you can configure on the Juniper Networks’ PTX10008 router running SONiC.

Configuring cRPD

Juniper Networks’ PTX10008 router supports configuring cRPD in SONiC through the config_db.json configuration utility, which is backed by a local redis database (redis-db). You need to run config save and config load for the configuration to take effect in cRPD.

Note

The config save command is equivalent to the commit command in cRPD.

When the SONiC system boots up, configurations are loaded from /etc/sonic/config_db.json file into the redis database.

Configuring the Router

This section shows a sample router device configuration using cRPD in SONiC.

To configure the router on SONiC, modify the DEVICE_METADATA hierarchy statements in the /etc/sonic/config_db.json file.

Configuring Interfaces and Ports

This section shows a sample interface and port configuration using cRPD in SONiC.

To configure interfaces and ports on SONiC, modify the INTERFACE hierarchy statements in the /etc/sonic/config_db.json file.

When a physical port is channelized, every channelized port must be configured with a valid speed setting. In the following example, a speed of 10000 is configured on the channelized ports:

Enabling FEC Mode

This section shows a sample port configuration to enable forward error correction (FEC) mode in SONiC.

On PTX10008 routers, FEC is enabled by default on the interfaces. For any module where FEC is disabled by default, you can enable FEC mode in the SONiC port configuration in the port_config.ini file.

Enabling FEC Counters

Once FEC mode is enabled, the FEC counters start accumulating data. The FEC counters are tied to the port statistics through the FLEX COUNTER configuration in the config_db.json file.

Use the show interfaces counters fec command to monitor FEC counters. See Monitor the Multi-PFE SONiC Platform for information.

Configuring Access Control Lists (ACLs)

This section shows a sample ACL configuration using cRPD in SONiC.

Note

ACLs are also known as firewall filters.

To configure ACLs on SONiC, modify the ACL_TABLE and ACL_RULE statements in the /etc/sonic/config_db.json file.

Configuring BGP

This section shows a sample BGP configuration using cRPD in SONiC.

To configure BGP on SONiC, modify the BGP_NEIGHBOR statements in the /etc/sonic/config_db.json file.

Configuring MPLS

This section shows a sample MPLS configuration using cRPD in SONiC. MPLS is not enabled in FRR, the default SONiC routing stack. MPLS functionality is currently only available through the cRPD routing stack.

To enable MPLS on SONiC, modify the INTERFACE statement in the /etc/sonic/config_db.json file.

You can enable and disable MPLS on the interfaces using the following SONiC configuration utility:

Configuring Priority-Based Flow Control

Priority-based flow control (PFC), also known as priority flow control, is a link-level flow control mechanism defined by IEEE 802.1Qbb. It allows independent flow control for each class of service, so that congestion causes no frame loss in data center networks. PFC is an enhancement of the Ethernet PAUSE mechanism: PFC pauses individual classes of flows, whereas Ethernet PAUSE indiscriminately pauses all the traffic on a link.

On Juniper Networks PTX10008 router running SONiC, a maximum of two PFC designated queues per port is supported.

You can use the PFC watchdog to detect and resolve PFC pause storms. The PFC watchdog is activated by SONiC configuration on a PFC-enabled interface. PFC watchdog detection, mitigation, and recovery are handled by the forwarding plane. The PFC watchdog detection and recovery intervals are configured at the chassis level, not at the port level.

Note

Juniper Networks PTX10008 router running SONiC supports PFC and PFC watchdog features in 201911-r2 and later releases.

Note

The SONiC CLI only shows the configuration status and the pause storm detection and recovery statistics.

Note

PFC and the PFC watchdog are supported on physical interfaces and not on AE interfaces.

To configure PFC on SONiC, you need to:

  1. Map the code-point to a PFC enabled Queue.
  2. Enable PFC on the Interface.

To configure xon/xoff values, a buffer must be associated with the queue.

  1. Create a buffer pool.
  2. Create a buffer profile that refers to the buffer pool and specifies the desired xon/xoff values.

    Note

    xon/xoff values are expressed in bytes, and are relative to the size of the default buffer for the queue’s interface. For more details, see the Class of Service section in Known Issues and Limitations.

  3. Associate the buffer pool with the queue.

The following is a sample to configure PFC watchdog on the interface:

Note

In the PFC Watchdog configuration, only drop is supported as an action. Forward is not supported as an action.

Configuring WRED

Weighted random early detection (WRED) drop profiles define the drop probability of packets of different packet loss probabilities (PLPs) as the output queue fills. During periods of congestion, as the output queue fills, the switch drops incoming packets as determined by a drop profile, until the output queue becomes less congested. Depending on the drop probabilities, a drop profile can drop many packets long before the buffer becomes full, or it can drop only a few packets even if the buffer is almost full.

To configure WRED in SONiC, you need to:

  1. Configure WRED profile.
  2. Attach the WRED profile under a queue.

    The minimum and maximum thresholds in the WRED profile are byte values that are relative to the buffer size. The buffer size comes either from the default buffer for the queue’s interface or from an explicitly configured buffer size. For more details, see the Class of Service section in Known Issues and Limitations. To explicitly configure the buffer size used with the threshold values, perform the following additional steps:

  3. Configure a buffer pool with a size relative to the minimum or maximum thresholds in the WRED profile.
  4. Configure a buffer profile that references the buffer pool.
  5. Associate the buffer pool with the queue.

Configuring Explicit Congestion Notification

Explicit congestion notification (ECN) enables end-to-end congestion notification between two endpoints on TCP/IP based networks. The two endpoints are an ECN-enabled sender and an ECN-enabled receiver. ECN must be enabled on both endpoints and on all the intermediate devices between the endpoints for ECN to work properly. Any device in the transmission path that does not support ECN breaks the end-to-end ECN functionality.

Note

Juniper Networks PTX10008 router running SONiC supports ECN in 201911-r2 and later releases.

On Juniper Networks PTX10008 router running SONiC, ECN is controlled using the WRED drop profile configuration.

Note

ECN is supported only on the physical interface and not on AE interfaces.

WRED profiles are used to enable ECN. Without ECN enabled, a WRED profile drops packets based on how full the buffer is. With ECN enabled, packets are marked rather than being dropped.

To configure ECN on SONiC, you need to:

  1. Configure WRED profile. See Configuring WRED.
  2. Enable ECN in the WRED profile.

Configuring Port Mirroring

Port mirroring is also known as Everflow in SONiC. You use port mirroring to send traffic to devices that analyze it for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on. Port mirroring is needed when you want to perform traffic analysis, because a device normally sends packets only to the port to which the destination device is connected.

Note

Juniper Networks PTX10008 router running SONiC supports port mirroring (Everflow) in 201911-r2 and later releases.

To configure port mirroring, you need to configure a port-mirroring instance.

Mirrored packets are sent through a mirror session, and the egress packet is GRE encapsulated. You can also apply policing to the sampled packets.

The following is a sample to configure port mirroring (Everflow) in SONiC:

ACL and mirroring-related configurations are defined in the MIRROR_SESSION, ACL_TABLE, and ACL_RULE tables.
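As an added example (not from this Juniper page or the SONiC project), the following Python check cross-references the ACL_TABLE, ACL_RULE, MIRROR_SESSION, and PORT tables of a config_db.json fragment before it is loaded, so that a rule pointing at an undefined table, a port, or a mirror session is caught before config load. The fragment is constructed here, and the field names (ports, type, PRIORITY, PACKET_ACTION, MIRROR_ACTION) are assumed to follow the upstream SONiC CONFIG_DB schema.

```python
import json

# Constructed config_db.json fragment, not from the Juniper page; table and
# field names follow the upstream SONiC CONFIG_DB schema as assumed here.
CONFIG_DB = json.loads("""
{
  "PORT": {
    "Ethernet0": {"speed": "100000", "fec": "rs", "admin_status": "up"},
    "Ethernet4": {"speed": "100000", "fec": "rs", "admin_status": "up"}
  },
  "MIRROR_SESSION": {
    "everflow0": {"src_ip": "192.0.2.1", "dst_ip": "192.0.2.200", "dscp": "8", "ttl": "64", "gre_type": "0x8949"}
  },
  "ACL_TABLE": {
    "DATAACL": {"type": "L3", "stage": "ingress", "ports": ["Ethernet0", "Ethernet4"]},
    "EVERFLOW": {"type": "MIRROR", "stage": "ingress", "ports": ["Ethernet0", "Ethernet8"]}
  },
  "ACL_RULE": {
    "DATAACL|RULE_1": {"PRIORITY": "9999", "PACKET_ACTION": "DROP", "SRC_IP": "10.0.0.0/8"},
    "DATAACL|RULE_2": {"PRIORITY": "9999", "PACKET_ACTION": "FORWARD", "DST_IP": "10.1.0.0/16"},
    "EVERFLOW|RULE_1": {"PRIORITY": "8888", "MIRROR_ACTION": "everflow1", "SRC_IP": "10.2.0.0/16"},
    "NOTABLE|RULE_1": {"PRIORITY": "100", "PACKET_ACTION": "DROP"}
  }
}
""")

def check_acl_config(db):
    # Cross-check ACL_TABLE, ACL_RULE, MIRROR_SESSION and PORT before config load.
    problems = []
    ports = set(db.get("PORT", {}))
    tables = db.get("ACL_TABLE", {})
    sessions = set(db.get("MIRROR_SESSION", {}))
    for name, table in tables.items():
        for port in table.get("ports", []):
            if port not in ports:
                problems.append(f"ACL_TABLE {name}: unknown port {port}")
    seen = {}  # (table, PRIORITY) -> first rule key, to catch ambiguous ordering
    for key, rule in db.get("ACL_RULE", {}).items():
        table_name = key.partition("|")[0]
        if table_name not in tables:
            problems.append(f"ACL_RULE {key}: table {table_name} not defined")
            continue
        prio = (table_name, rule.get("PRIORITY"))
        if prio in seen:
            problems.append(f"ACL_RULE {key}: same PRIORITY as {seen[prio]}")
        seen.setdefault(prio, key)
        action = rule.get("MIRROR_ACTION")
        if action is not None and action not in sessions:
            problems.append(f"ACL_RULE {key}: MIRROR_SESSION {action} not defined")
    return problems
```

Run check_acl_config(json.load(open("/etc/sonic/config_db.json"))) on a real file; an empty list means every ACL table, rule, and mirror session reference resolves.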

Configuring Media Access Control Security

Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.

MACsec can identify and prevent most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

Juniper Networks' PTX10008 router running SONiC supports MACsec. MACsec at up to 400G line rate works seamlessly on the PTX10008 router running SONiC.

Note

Juniper Networks PTX10008 router running SONiC supports MACsec in 201911-r2 and later releases.

To configure MACsec on a port in SONiC, add the port name to the MACSEC_PORT stanza in /etc/sonic/config_db.json as shown below:

Use the following CLI commands to enable and disable MACsec dynamically on SONiC as an alternative to config_db.json:

config macsec add Ethernet<#>

config macsec remove Ethernet<#>

To configure the MACsec security behavior in wpa-supplicant, add a configuration file for each SONiC port that is enabled for MACsec. The wpa-supplicant configuration file must be named /etc/sonic/macsec/Ethernet<#>.conf.

The syntax of the wpa-supplicant configuration file is documented by the wpa-supplicant project as follows:

Note

The content of the wpa_supplicant configuration file is fixed and should not be modified.

Configuring MACsec with Pre-shared Key

MACsec security keys and sessions are managed by the MACsec Key Agreement (MKA) protocol software stack.

You can configure MACsec with a pre-shared key as shown below:

The following attributes configure the pre-shared key:

macsec_policy: Determines the policy for the MACsec secure session. Valid values for this attribute are:

  • 0 = MACsec not in use (default)

  • 1 = MACsec enabled (should secure); accept the key server's advice to determine whether or not to use a secure session.

macsec_integ_only: Determines how MACsec frames are transmitted. Valid values for this attribute are:

  • 0 = Encrypt traffic (default)

  • 1 = Integrity only

macsec_ciphersuite: Determines the ciphersuite for the MACsec secure session. Valid values for this attribute are:

  • 0 = GCM-AES-128 (default)

  • 1 = GCM-AES-256

  • 2 = GCM-AES-XPN-128

  • 3 = GCM-AES-XPN-256

macsec_port: Sets the port component of the MACsec SCI. Valid values for this attribute are in the range 1-65534 (default is 1).

macsec_include_sci: Determines whether the SCI value is included in the MACsec header. Valid values for this attribute are:

  • 0 = SCI not included

  • 1 = SCI included (default)

mka_cak: Sets the MKA pre-shared CAK (Connectivity Association Key). This attribute is a 32-byte hexstring for non-XPN cipher suites and a 64-byte hexstring for XPN cipher suites.

mka_ckn: Sets the MKA pre-shared CKN (Connectivity Association Key Name). This attribute is a 64-byte hexstring.

mka_priority: Sets the priority of the MKA actor. Valid values for this attribute are in the range 0-255 (default is 255).
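As an added example, not part of this page or of the wpa_supplicant project, the following Python validator parses the network block of a per-port /etc/sonic/macsec/Ethernet<#>.conf file and checks the attributes listed above, flagging the two settings that leave the link unprotected (macsec_policy=0) or unencrypted (macsec_integ_only=1). The sample block and its CAK/CKN values are constructed placeholders; the CAK check only requires 32 or 64 hex digits and does not tie the length to the chosen cipher suite.

```python
import re

# Constructed wpa_supplicant network block for one MACsec port; the key and
# CKN values are placeholders and must never be reused on a real link.
SAMPLE_CONF = """
network={
    key_mgmt=NONE
    macsec_policy=1
    macsec_integ_only=0
    macsec_ciphersuite=1
    macsec_port=1
    macsec_include_sci=1
    mka_cak=000102030405060708090a0b0c0d0e0f
    mka_ckn=6162636465666768
    mka_priority=16
}
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")
ENUMS = {"macsec_policy": {"0", "1"}, "macsec_integ_only": {"0", "1"},
         "macsec_ciphersuite": {"0", "1", "2", "3"}, "macsec_include_sci": {"0", "1"}}
RANGES = {"macsec_port": (1, 65534), "mka_priority": (0, 255)}  # from the attribute list

def parse_network_block(text):
    # Pull key=value pairs out of the network={ ... } block.
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        return {}
    pairs = (ln.strip().split("=", 1) for ln in m.group(1).splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_macsec_psk(text):
    # Return a list of findings; an empty list means the block passed every check.
    cfg, findings = parse_network_block(text), []
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            findings.append(f"{key}: invalid value {cfg[key]}")
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not (cfg[key].isdigit() and lo <= int(cfg[key]) <= hi):
            findings.append(f"{key}: must be in {lo}-{hi}")
    if cfg.get("macsec_policy", "0") == "0":      # default 0 = MACsec not in use
        findings.append("macsec_policy=0: MACsec is not in use on this port")
    if cfg.get("macsec_integ_only", "0") == "1":  # authenticated but cleartext
        findings.append("macsec_integ_only=1: frames are not encrypted")
    cak, ckn = cfg.get("mka_cak", ""), cfg.get("mka_ckn", "")
    if not HEX.match(cak) or len(cak) not in (32, 64):  # 128- or 256-bit CAK
        findings.append("mka_cak: must be 32 or 64 hex digits")
    if not HEX.match(ckn) or len(ckn) % 2 or len(ckn) > 64:
        findings.append("mka_ckn: must be an even number of hex digits, at most 64")
    return findings
```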

Displaying the MACsec Status

To display the current active MACsec connections, use the show interfaces macsec connections CLI command from the SONiC host as shown below:

To display statistics for the current active MACsec connections, use the show interfaces macsec statistics CLI command from the SONiC host as shown below: