DEPLOYING SONIC ON JUNIPER NETWORKS PTX10008 PACKET TRANSPORT ROUTER 2021-07-13
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Deploying SONiC on Juniper Networks PTX10008 Packet Transport Router Published 2021-07-13
ii Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Deploying SONiC on Juniper Networks PTX10008 Packet Transport Router Copyright © 2021 Juniper Networks, Inc. All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
iii Table of Contents 1 Deploying SONiC on Juniper Networks PTX10008 Router Overview | 7 Disaggregation Overview | 7 Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7 SONiC Architecture | 8 Hardware Abstraction Layer (HAL) | 10 Multi-PFE Modular Chassis Architecture | 10 Features and Protocols Available on SONiC | 12 Install, Upgrade, and Recover SONiC | 16 Install SONiC on PTX10008 Router | 16 Upgrade SONiC on PTX10008 Router | 24 Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26 Understanding Containerized RPD | 26 Benefits of cRPD with SONiC | 27 cRPD Multi-channel KRT Support in SONiC | 27 Configure KRT multi-channels on cRPD in SONiC | 28 Configure Traceoptions on cRPD in SONiC | 29 Sample Output | 29 Configure Features in SONiC | 30 Configuring cRPD | 31 Configuring the Router | 31 Configuring Interfaces and Ports | 32 Enabling FEC Mode | 35 Enabling FEC Counters | 35 Configuring Access Control Lists (ACLs) | 36 Configuring BGP | 37 Configuring MPLS | 37 Configuring Priority-Based Flow Control | 38
iv Configuring WRED | 41 Configuring Explicit Congestion Notification | 43 Configuring Port Mirroring | 44 Configuring Media Access Control Security | 45 Configuring MACsec with Pre-shared Key | 46 Displaying the MACSec Status | 48 Monitor the Multi-PFE SONiC Platform | 49 show chassis modules | 50 show chassis fabric | 51 show chassis linecards | 51 show chassis alarms | 52 show chassis alarm-messages | 52 show chassis environment cb | 52 show chassis environment fpc | 54 show chassis environment sib | 57 show interfaces counters fec | 59 show interfaces status | 59 show interfaces transceiver presence | 60 show interfaces transceiver eeprom | 61 SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62 Access Control List (ACL) | 63 Class of Service Mapping | 67 Class of Service Queue | 67 Class of Service Scheduler Group | 68 Class of Service Scheduler | 69 Buffer API | 69 Host Interface | 70 Link Aggregation Group | 74 MACsec | 74 Mirroring | 77 MPLS | 79 Neighbor | 79 Next-hop | 79
v Next-hop Group | 80 Policer | 80 Port | 81 Router Interface | 84 Routing | 86 Switching | 86 WRED | 89 Known Issues and Limitations | 90 SONiC | 90 Class of Service | 91 cRPD | 92 Interfaces and Chassis | 92 Install and Upgrade | 93 MACsec | 94
1 CHAPTER Deploying SONiC on Juniper Networks PTX10008 Router Overview | 7 Features and Protocols Available on SONiC | 12 Install, Upgrade, and Recover SONiC | 16 Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26 Configure Features in SONiC | 30 Monitor the Multi-PFE SONiC Platform | 49 SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62 Known Issues and Limitations | 90
7 Overview IN THIS SECTION Disaggregation Overview | 7 Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7 SONiC Architecture | 8 Hardware Abstraction Layer (HAL) | 10 Multi-PFE Modular Chassis Architecture | 10 Disaggregation Overview Disaggregating hardware from software for cloud, multi-cloud, and distributed edge cloud solutions provides cloud and service providers with open programmability, choice, automation, and a broad network ecosystem. Juniper Networks commits to this disaggregation strategy by integrating Software for Open Networking in the Cloud (SONiC) with Juniper hardware, such as the Juniper Networks PTX10008 Packet Transport Router. NOTE: This document focuses on PTX10008 router running SONiC. Juniper Networks' also offers SONiC on select QFX Series platforms. For information on installing SONiC on QFX Series platforms, see Juniper Networks Platform Support for SONiC readme document. Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform This section describes the following key benefits of PTX10008 multi-PFE platform running SONiC: • Centralized SONiC architecture with SONiC running only on the Routing Engine (RE). • Provides superior switching performance and scale, often handling 1.5 million FIB entries. • Supports high speed (100G and 400G) Ethernet interfaces. • Offers greater port density with minimal cabling complexity.
8 • Supports advanced features like MPLS and field-replaceable units (FRUs). • Simplifies management and abstracts the complexity of the platform. • Scales well without having a route adjacency for every line card in the multi-PFE chassis. • Single BGP instance on the RE as opposed to one per packet forwarding engine (PFE) on the line card. SONiC Architecture SONiC is an open source Network Operating System (NOS) based on Linux (Debian Linux) that runs on network devices. SONiC offers a full-suite of network functionality, like BGP. SONiC provides a standardized interface called the Switch Abstraction Interface (SAI) to program networking ASICs, which is hardware independent layer. While SONiC provides several infrastructure daemons and libraries, the SAI is by far its most important component. In Juniper Network’s PTX10008 router, SAI connects to a SONiC agent in the hardware abstraction layer (HAL). Figure 1 on page 9 illustrates the SONiC architecture on Juniper Networks’ PTX10008 router.
9 Figure 1: SONiC Architecture SONiC’s architecture uses Redis as its centralized database that is made available to all SONiC processes and stores configuration and state information. SAI runs a Redis service that is built on top of the Redis database. The SONiC process, syncd, contains the SAI library. All SAI programming requests are initiated by syncd, usually in response to Redis from various SONiC processes. Syncd is the primary SONiC entry point into platform-specific services. The syncd process programs the networking ASIC through the SAI API. Linux routing protocols add routes to the routing table using the NetLink API. FpmSyncd opens a NetLink socket and waits for kernel notification about route additions and deletions. FpmSyncd monitors the changes to the routing table and publishes those changes to Redis in real time. Redis then propagates the route changes to syncd, which uses SAI to update forwarding information (FIB) to all the FPCs. The SONiC agent (in the Juniper HAL) is the platform-specific backend to the SAI API. The SONiC agent receives SAI programming requests from syncd in the SONiC container.
10 By bringing SONiC to multi-PFE chassis, Juniper Networks provides a simpler, better-performing network solution for the most demanding cloud and service provider environments—without sacrificing the flexibility of an open, disaggregated NOS. Figure 2 on page 10 shows how a route is added in SONiC. Figure 2: Adding Routes in SONiC Hardware Abstraction Layer (HAL) The SONiC image supported on Juniper Networks’ platform includes the platform drivers and Juniper's Hardware Abstraction Layer (HAL). Juniper’s HAL includes the implementation of Switch Abstraction Interface (SAI) for the Juniper Triton ASIC and the line card Packet Forwarding Engine (PFE) software. Multi-PFE Modular Chassis Architecture Shifting from a single to a multi-PFE chassis does introduce some changes. Figure 1 shows the standard SONiC architecture. SONiC is typically deployed on a fixed-form platform with a single networking ASIC. The standard SONiC architecture on Juniper’s platform is supported on the QFX5200 and QFX5210 series switches providing the SONiC infrastructure and routing services. There are two approaches to running SONiC on a multi-PFE architecture.
11 • Running SONiC as a cluster, where SONiC instances run on the line cards. In this case, each line card is considered as a SONiC device running routing protocols. • Running SONiC on the Linux node (called the Routing Engine) and not on the line cards, like in traditional multi-PFE modular chassis, such as the Juniper’s PTX10008 router. In this case, the entire system becomes a cluster within a chassis. Each line card in the system is a Linux node. Removing a line card from the chassis only results in losing the ports but not the SONiC node in the network topology. Juniper’s PTX10008 router, the newest 400G modular chassis, brings all the benefits of SONiC to data center networks by deploying SONiC on the PTX10008 router (multi-PFE architecture). Figure 3 on page 11 illustrates Juniper Networks’ PTX10008 router’s multi-PFE modular chassis architecture running SONiC. Figure 3: Multi-PFE Modular Chassis Juniper’s multi-PFE SONiC architecture provides simplicity, manageability, resiliency, performance, and scale required in data center spine network deployment. When running SONiC on multi-PFE architecture, a cell-based design such as those in the Juniper Networks’ PTX10008 router, packets are forwarded across the fabric cards (spine nodes) very efficiently. Comparing this to the flow-based ethernet ECMP mechanism, unequal fabric link utilization is seen depending on the average flow size, and where those flows are hashed across the fabric. In some cases, where high throughput is required, packet drop can be significant enough to make related applications to stop working. You can prevent this by oversizing the system, but then it can also lead to a significant increase in cost. A cell-based design, like the PTX10008 router, allows operators to run the system at a higher utilization without worrying about dropping the traffic on a single overutilized fabric link. PTX10008 router supports MPLS required to expand SONiC deployment across the infrastructure. With the current version of SONiC, which focuses primarily on switch and IP connectivity, Juniper has added
12 complete software support for MPLS from configuration to SAI. Using containerized Routing Protocol Daemon (cRPD) in SONiC, all types of MPLS routes can be programmed, even with ECMP support. Features and Protocols Available on SONiC The section describes the key features and protocols available on the Juniper Networks’ PTX10008 router running SONiC. Table 1 on page 13 lists the key features and protocols available on the Juniper Networks’ PTX10008 router running SONiC.
13 Table 1: Features and Protocols Available on SONiC Category Features/Protocols Description Class of DSCP Define the Differentiated Services code point (DSCP) mapping that is applied Service to the packets. (CoS) Schedulers, Shaping, You use schedulers to define the properties of output queues. These properties and Queuing include the amount of interface bandwidth assigned to the queue, the size of the memory buffer allocated for storing packets, the priority of the queue, and the random early detection (RED) drop profiles associated with the queue. Output queues are mapped to forwarding classes, and classifiers map incoming traffic into forwarding classes based on IEEE 802.1p or DSCP code points. You can shape traffic for a specific port on a router or for a specific CoS queue. Output queue scheduling defines the class-of-service (CoS) properties of output queues. WRED Weighted random early detection (WRED) drop profiles define the drop probability of packets of different packet loss probabilities (PLPs) as the output queue fills. During periods of congestion, as the output queue fills, the switch drops incoming packets as determined by a drop profile, until the output queue becomes less congested. Depending on the drop probabilities, a drop profile can drop many packets long before the buffer becomes full, or it can drop only a few packets even if the buffer is almost full. Priority-Based Flow Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined Control by IEEE 802.1Qbb that allows independent flow control for each class of service to ensure that no frame loss from congestion occurs in data center networks. PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC controls classes of flows, whereas Ethernet PAUSE indiscriminately pauses all of the traffic on a link. Also known as priority flow control. PFC Watchdog Use the PFC watchdog to detect and resolve PFC pause storms. PFC watchdog is activated by SONiC configuration on a PFC enabled interface. Explicit Congestion Explicit congestion notification (ECN) enables end-to-end congestion notification Notification between two endpoints on TCP/IP based networks. The two endpoints are an ECN-enabled sender and an ECN-enabled receiver. ECN must be enabled on both endpoints and on all the intermediate devices between the endpoints for ECN to work properly. Any device in the transmission path that does not support ECN breaks the end-to-end ECN functionality. DHCP DHCP Relay Forwards DHCP packets between clients and servers.
14 Table 1: Features and Protocols Available on SONiC (continued) Category Features/Protocols Description Access ACL ACL provide a means of protecting your router from excessive traffic transiting Control the router to a network destination or destined for the Routing Engine. List (ACL) NOTE: Juniper Networks’ PTX10008 router running SONiC supports ACL only at the ingress (IPv4 and IPv6) level. Egress is not supported. ACL is also known as firewall filters. Layer 2 Link Layer Discovery Allows network devices that operate at the lower layers of a protocol stack (such Protocol (LLDP) as Layer 2 bridges and switches) to learn some of the capabilities and characteristics of LAN devices available to higher layer protocols, such as IP addresses. The information gathered through LLDP operation is stored in a network device and is queried with SNMP. MACSec Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. MAC Table Aging Modify the timeout interval for the MAC table. MTU Setting Specify the maximum transmission unit (MTU) size for the media or protocol. The default MTU size depends on the device type. Changing the media MTU or protocol MTU causes an interface to be deleted and added again. Link Aggregation LACP is one method of bundling several physical interfaces to form one logical Control Protocol aggregated Ethernet interface. LACP is a subcomponent of the IEEE 802.3ad (LACP) standard and is used as a discovery protocol. Link Aggregation IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form Group (LAG) a single link layer interface, also known as a link aggregation group (LAG) or bundle. Supports up to 512 bundles; up to 64 member links per bundle. Layer 3 IPv4 Supports IPv4 address family. IPv6 Supports IPv6 address family. Dual Stack Supports dual-stack (IPv4 and IPv6). Dual stack device is a device with network interfaces that can originate and understand both IPv4 and IPv6 packets. ECMP 128 Supports 128 equal-cost paths for external BGP peers. Logging Syslog Stores system log messages such as events and sends it to a syslog server.
15 Table 1: Features and Protocols Available on SONiC (continued) Category Features/Protocols Description Network Time Synchronize the clocks of routers and other hardware devices on the Internet. Protocol (NTP) SNMP Enables the monitoring of network devices from a central location. SSH/SSHv2 Enables SSH (secure shell) to connect to remote devices securely over a network. TACACS+ Enables TACACS+ authentication, which is a method of authenticating users who attempt to access the router or switch. Management VRF Enable a dedicated management virtual routing and forwarding (VRF) instance. FTP/SFTP Allows File Transfer Protocol (FTP) requests from remote systems to the local device. Secure File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. Warm Restart Allows you to restart various SONiC components without impacting the data plane. NOTE: Warm restart at system level is not supported. Protocols BGP BGP exchanges routing information among routers in different autonomous systems. MPLS MPLS configuration in SONiC is supported only through cRPD for forwarding packets to the destination in MPLS network. Routing cRPD cRPD is the routing protocol process (rpd) that can run in Linux-based Stack environments. NOTE: The SONiC SAI APIs and attributes supported on Juniper Networks’ PTX10008 router are in compliance with SONiC 201911 release. For more information, see “SAI API and Attributes Supported on the Multi-PFE SONiC Platform” on page 62.
16 Install, Upgrade, and Recover SONiC IN THIS SECTION Install SONiC on PTX10008 Router | 16 Upgrade SONiC on PTX10008 Router | 24 This section describes how to install, upgrade, and recover Open Network Install Environment (ONIE) and SONiC on the Juniper Networks’ PTX10008 router. Open Network Installation Environment (ONIE) is an open source installation environment for installing and booting all the software components. NOTE: The Juniper Networks’ PTX10008 router is shipped with SONiC images pre-installed. The SONiC installation and recovery process on PTX10008 router are the same and the installation results in clean installation, which means all the prior configurations are removed, including that of the network management port. Access to the console port is required before beginning the installation and recovery process. For SKUs supporting SONiC, see the PTX10008 Packet Transport Router datasheet at https://www.juniper.net/us/en/products-services/routing/ptx-series/ptx10000/. Install SONiC on PTX10008 Router This section describes how to install SONiC on the Juniper Networks’ PTX10008 router. NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by the BIOS.
17 To install SONiC on the Juniper Networks’ PTX10008 router, you need to: 1. Download the install image juniper-sonic-ptx10k-media-usb-.img (for example juniper-sonic-ptx10k-media-usb-201911-R1.7.img), from https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as SONiC. NOTE: The juniper-sonic-ptx10k-media-usb-.img image installs both ONIE and SONiC on the PTX10008 router. 2. Copy the juniper-sonic-ptx10k-media-usb-.img install image to a USB memory drive and then insert the USB memory drive to the router’s USB port. 3. Power on the router and access the console. $ telnet console-port Trying 10.9.187.145... Connected to console-port. Escape character is '^]'. +----------------------------------------------------------------------------+ Booting from Flash A FPGA Reset Reason = 0x80 Primary BIOS version CBEP_P_VAL1_00.15.01 Total Memory Size = 64GB Checking Primary BIOS code integrity...Passed! ME is in normal operational state Press Esc for boot options ME is in normal operational state 4. Go to the boot options in the BIOS configuration by pressing the Esc key, as displayed in the console screen. 5. Select Setup Utility option from menu. Enter Select SubMenu > Continue > Boot Manager > Device Management > Setup Utility > Administer Secure Boot
18 6. Select Boot from the Setup Utility menu. Go to Setup Utility. InsydeH2O Setup Utility Rev. 5.0 Main Advanced Security Power >Boot Exit 7. Select UEFI Boot Order option from the InsydeH20 Setup Utility menu. InsydeH2O Setup Utility Rev. 5.0 Main Advanced Security Power >Boot Exit Quick Boot Enabled Quiet Boot Enabled Network Stack Enabled PXE Boot capability UEFI:IPv4 Power Up In Standby Disabled Add Boot Options Auto ACPI Selection Acpi5.0 USB Boot Enabled UEFI OS Fast Boot Enabled USB Hot Key Support Disabled Timeout 5 Automatic Failover Enabled Juniper Boot Mode UEFI Boot Order >EFI 8. Press F10 to exit and save the changes. 9. Select Boot Manager option from the menu and then select USB media for boot. Secure boot is not enforced Welcome to GRUB! GNU GRUB version 2.02 +----------------------------------------------------------------------------+ Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, `e' to edit the commands before booting or `c' for a command-line. +----------------------------------------------------------------------------+ ONIE: Rescue *ONIE: Embed ONIE ONIE: Embedding ONIE ...
19 10. Select ONIE: Embed ONIE option to proceed with ONIE boot. Platform : x86_64-juniper_ptx10k-r0 Version : 2020.02.0.1-dirty Build Date: 2020-02-25T15:12+00:00 Info: Mounting kernel filesystems... done. Info: Mounting ONIE-BOOT on /mnt/onie-boot ... Info: Mounting EFI System on /boot/efi … […] ONIE: Build Date : 2020-02-25T15:12+00:00 Installing ONIE on: /dev/sda ONIE: Success: Firmware update URL: file:///lib/onie/onie-updater ONIE: Success: Firmware update version: 2020.02.0.1-dirty ONIE: Rebooting... discover: ONIE embed mode detected. Stopping: discover...start-stop-daemon: warning: killing process 1300: No such process done. Stopping: dropbear ssh daemon... done. Stopping: telnetd... done. Stopping: klogd... done. Stopping: syslogd... done. Info: Unmounting kernel filesystems umount: can't unmount /: Invalid argument The system is going down NOW! Sent SIGTERM to all processes Sent SIGKILL to all processes Requesting system reboot reboot: Restarting system +----------------------------------------------------------------------------+ Booting from Flash A FPGA Reset Reason = 0x1 Primary BIOS version CBEP_P_VAL1_00.15.01 Total Memory Size = 64GB Checking Primary BIOS code integrity...Passed! Press Esc for boot options ME is in normal operational state […] Booting ONIE: Open Network Install Environment... Secure boot is not enforced Welcome to GRUB! GNU GRUB version 2.02 +----------------------------------------------------------------------------+ Use the ^ and v keys to select which entry is highlighted.
20 Press enter to boot the selected OS, `e' to edit the commands before booting or `c' for a command-line. *ONIE: Install OS
21 Starting: discover... done. Please press Enter to activate this console. Info: eth0: Checking link... down. ONIE: eth0: link down. Skipping configuration. Info: eth1: Checking link... up. Info: Trying DHCPv4 on interface: eth1 ONIE: Using DHCPv4 addr: eth1: 10.9.168.253 / 255.255.255.0 Info: eth2: Checking link... down. ONIE: eth2: link down. Skipping configuration. Info: eth3: Checking link... down. ONIE: eth3: link down. Skipping configuration. ONIE: Failed to configure eth0 interface ONIE: Failed to configure eth2 interface ONIE: Failed to configure eth3 interface ONIE: Starting ONEXT4-fs (sdc7): couldn't mount as ext3 due to feature incompatibilities IE Service Discovery […] 12. After the SONiC OS is installed successfully, the system reboots, and loads the SONiC OS automatically. Info: Attempting file://dev/sda/onie-installer ... ONIE: Executing installer: file://dev/sda/onie-installer Verifying image checksum ... OK. Preparing image archive ... OK. Installing SONiC in ONIE ONIE Installer: platform: x86_64-juniper-r0 onie_platform: x86_64-juniper_ptx10k-r0 Partition #1 is in use. Partition #2 is in use. Partition #3 is available Creating new SONiC-OS partition /dev/sdb3 ... Warning: The kernel is still using the old partition table. The new table will be used at the next reboot. The operation has completed successfully. mke2fs 1.42.13 (17-May-2015) Discarding device blocks: 4096/8388608 528384/83886087344128/8388608 done Creating filesystem with 8388608 4k blocks and 2097152 inodes Filesystem UUID: 9fdb43cf-35fa-4e1d-b403-a3bffacb7a9e Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000, 7962624
22 Allocating group tables: 0/256 done Writing inode tables: 0/256 done Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: 0/256 done Installing SONiC to /tmp/tmp.4GacD0/image-201904.0-dirty-20200226.091.. Archive: fs.zip creating: boot/ inflating: boot/vmlinuz-4.9.0-9-2-amd64 inflating: boot/config-4.9.0-9-2-amd64 inflating: boot/bzImage-ptx10k-rcb.dtb inflating: boot/initrd.img-4.9.0-9-2-amd64 inflating: boot/System.map-4.9.0-9-2-amd64 creating: platform/ inflating: platform/firsttime creating: platform/x86_64-grub/ inflating: platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb inflating: fs.squashfs Success: Support tarball created: /tmp/onie-support-juniper_ptx10k.tar.bz2 Installed SONiC base image SONiC-OS successfully ONIE: NOS install successful: file://dev/sda/onie-installer ONIE: Rebooting... discover: installer mode detected. Stopping: discover...start-stop-daemon: warning: killing process 1379: No such process done. Stopping: dropbear ssh daemon... done. Stopping: telnetd... done. Stopping: klogd... done. Stopping: syslogd... done. Info: Unmounting kernel filesystems umount: can't unmount /: Invalid argument The system is going down NOW! Sent SIGTERM to all processes Sent SIGKILL to all processes Requesting system reboot reboot: Restarting system +----------------------------------------------------------------------------+ Booting from Flash A FPGA Reset Reason = 0x81 Primary BIOS version CBEP_P_VAL1_00.15.01 Total Memory Size = 64GB Checking Primary BIOS code integrity...Passed!
23 Press Esc for boot options ME is in normal operational state Booting SONiC-OS...
24 Upgrade SONiC on PTX10008 Router This section describes how to upgrade SONiC on the Juniper Networks’ PTX10008 router. Software upgrade is the procedure of updating the SONiC to a latest release without losing any of the existing configuration. While console access is always preferred, it is not mandatory for this procedure. NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by the BIOS. To upgrade the SONiC OS on the Juniper Networks’ PTX10008 router to a later release, you need to: 1. Download the SONiC image juniper-sonic-ptx10k-.bin (for example, juniper-sonic-ptx10k-201911-R1.6.bin) from https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as SONiC. 2. Copy the SONiC installer image to the /usr/bin/ directory in the existing SONiC system. 3. You must be logged in as a root user to proceed with the upgrade. If you are logged in to SONiC as a non-root user, you will need to switch to the root user by entering the following command: admin@ptx10k8:~$sudo -i 4. Navigate to the directory /usr/bin/ where the juniper-sonic-ptx10k-.bin file is located. root@ptx10k8:~# cd /usr/bin/ 5. Install the juniper-sonic-ptx10k-.bin file. root@ptx10k8:/usr/bin/# sonic_installer install ./juniper-sonic-ptx10k-.bin 6. When prompted to install the new image, enter Y to continue the upgrade installation. New image will be installed, continue? [y/N]: y Installing image SONiC-OS-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528 and setting it as default... Command: bash ./juniper-sonic-ptx10k-201911-R1.6.bin
25 Verifying image checksum ... OK. Preparing image archive ... OK. Installing SONiC in SONiC ONIE Installer: platform: x86_64-juniper-r0 onie_platform: x86_64-juniper_ptx10k-r0 Removing old SONiC installation /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201110.103709 Installing SONiC to /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528 Archive: fs.zip creating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/ inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/bzImage-ptx10k-rcb.dtb inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/initrd.img-4.9.0-11-2-amd64 inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/System.map-4.9.0-11-2-amd64 inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/config-4.9.0-11-2-amd64 inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/vmlinuz-4.9.0-11-2-amd64 creating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/ extracting: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/firsttime creating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/ inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb inflating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/fs.squashfs Installed SONiC base image SONiC-OS successfully Command: grub-set-default --boot-directory=/host 0 Command: rm -rf /host/old_config
26 Command: cp -ar /etc/sonic /host/old_config Command: sync;sync;sync Command: sleep 3 Done 7. Reboot the system to activate the new software. root@ptx10k8:/usr/bin/# reboot Routing Stack Options in Juniper Networks’ Platforms Running SONiC IN THIS SECTION Understanding Containerized RPD | 26 Benefits of cRPD with SONiC | 27 cRPD Multi-channel KRT Support in SONiC | 27 Understanding Containerized RPD SONiC on Juniper Networks PTX100008 router supports containerized Routing Protocol Daemon (cRPD). cRPD is Juniper’s routing protocol container. SONiC also supports the Free Range Routing (FRR) routing stack. Juniper’s cRPD contains the routing protocol process (rpd) that can run in Linux-based environments and management daemon (mgd) that allows the system administrator to run rpd-related CLI for configuration purposes. The rpd process runs as user space application and learns route state through various routing protocols and maintains the complete set in the Routing Information Base (RIB), also known as routing table. The rpd process is also responsible for downloading the routes into the Forwarding Information
27 Base (FIB) also known as forwarding table based on local selection criteria. Whereas the Packet Forwarding Engine (PFE) in Juniper Networks PTX10008 router holds the FIB and does packet forwarding for cRPD. The host Linux kernel stores the FIB and performs packet forwarding. cRPD can also be deployed to provide control plane-only services such as BGP route reflection. The default routing stack offered in Juniper Networks’ PTX100008 router running SONiC is cRPD. cRPD is a fully supported, feature rich, fast converging and scalable routing stack. However, you can also use FRR as the routing stack. Benefits of cRPD with SONiC This section lists the following key benefits of cRPD in Juniper Networks’ PTX10008 multi-PFE platform running SONiC: • Feature rich with BGP filters, route policies, stable and high performance. • Telemetry information on state, health, and performance with gRPC streaming. • Containers reduces the time required for service boot up from several minutes to a few seconds resulting in faster deployment. • Run cRPD on any Linux server that supports docker. • With a small footprint and minimum resource reservation requirements, cRPD can easily scale to keep up with demand. • Provides significantly higher density without requiring resource reservation on the host than what is offered by VM-based solutions. For more information on cRPD, see cRPD Deployment Guide for Linux Server. cRPD Multi-channel KRT Support in SONiC IN THIS SECTION Configure KRT multi-channels on cRPD in SONiC | 28 Configure Traceoptions on cRPD in SONiC | 29 Sample Output | 29
28 cRPD in SONiC supports multiple Kernel Routing Table (KRT) channels to download route table information to forwarding table (FIB). The two KRT channels supported are NetLink-based native Linux kernel FIB and FPMSyncd-based SONiC FIB. NOTE: Export policy with install-nexthop is not supported for routes which undergo resolution (routes pointing to indirect-nexthop in RPD). This section describes the following: Configure KRT multi-channels on cRPD in SONiC You can configure KRT multi-channels at the [edit routing-options forwarding-table] hierarchy level as shown below: routing-options { forwarding-table { export abc; channel channel-name { protocol { protocol-type netlink-fpm destination tcp-addr:port source-id source-id } export policy-name } } } NOTE: In Junos OS Release 21.1R1, the configuration statements under the [edit routing-options forwarding-table channel channel-name] hierarchy level is only available for cRPD in SONiC platform. Host Linux channel uses the export policy under the [edit routing-options forwarding-table export] hierarchy level. FPMSyncd channel uses the policy at [edit routing-options forwarding-table channel channel-name export] hierarchy level.
29 Configure Traceoptions on cRPD in SONiC You can enable debugging by configuring traceoptions on cRPD in SONiC at the [edit routing-options forwarding-table traceoptions flag] hierarchy level. The following new flags are supported on cRPD in SONiC: • fpm—FIB agent-related operations • table—Table operations • mfs—Multi-fib service operations The following is a sample traceoptions configuration on cRPD in SONiC: routing-options { router-id 2.2.2.2; autonomous-system 200; forwarding-table { traceoptions { file krt_mc_debug.log; flag fpm; flag mfs; flag table; } } } Sample Output The following is a sample output where routes are advertised to linux (NetLink-based) kernel and to SONiC through FPMSyncd: user@host# run show route 192.168.1.1/24 extensive inet.0: 17 destinations, 19 routes (16 active, 0 holddown, 1 hidden) 192.168.1.1/24 (1 entry, 1 announced) TSI: KRT-MFS Advt. to KRT-Netlink,KRT-FPM KRT-FPM in-kernel 192.168.1.1/24 -> {Ethernet13} *Direct Preference: 0 Next hop type: Interface, Next hop index: 0 Address: 0x55eb0b0153dc Next-hop reference count: 2
30 Next hop: via Ethernet13, selected State: Local AS: 200 Age: 5d 11:35:21 Validation State: unverified Task: IF Announcement bits (4): 1-KRT MFS 3-KRT 4-KRT-FPM AS path: I Thread: junos-main You can see that the route 192.168.1.1/24 is downloaded to the linux (KRT-Netlink) kernel and is also downloaded to SONiC (KRT-FPM) through FPMSyncd. Configure Features in SONiC IN THIS SECTION Configuring cRPD | 31 Configuring the Router | 31 Configuring Interfaces and Ports | 32 Enabling FEC Mode | 35 Enabling FEC Counters | 35 Configuring Access Control Lists (ACLs) | 36 Configuring BGP | 37 Configuring MPLS | 37 Configuring Priority-Based Flow Control | 38 Configuring WRED | 41 Configuring Explicit Congestion Notification | 43 Configuring Port Mirroring | 44 Configuring Media Access Control Security | 45 This section describes the features that you can configure on the Juniper Networks’ PTX10008 router running SONiC.
31 Configuring cRPD Juniper Networks’ PTX10008 router supports configuring cRPD in SONiC through the config_db.json configuration utility. The config_db.json utility is a local redis database (redis-db). You need to do a config save and config load for the configurations to take effect in cRPD. NOTE: The config save command is equivalent to the commit command in cRPD. When the SONiC system boots up, configurations are loaded from /etc/sonic/config_db.json file into the redis database. Configuring the Router This section shows a sample router device configuration using cRPD in SONiC. To configure the router on SONiC, modify the DEVICE_METADATA hierarchy statements in the /etc/sonic/config_db.json file. "DEVICE_METADATA": { "localhost": { "bgp_asn": "65100", "default_bgp_status": "up", "default_pfcwd_status": "disable", "deployment_id": "1", "docker_routing_config_mode": "fpm", "hostname": "vsonic", "hwsku": "PTX10008", "mac": "30:b6:4f:94:61:2e", "platform": "x86_64-kvm_x86_64-r0", "type": "LeafRouter" } }, "DEVICE_NEIGHBOR_METADATA": { "JUNIPER10K3T1": { "hwsku": "PTX10008", "lo_addr": "None", "mgmt_addr": "10.216.171.5", "type": "LeafRouter"
32 } }, Configuring Interfaces and Ports This section shows a sample interface and port configuration using cRPD in SONiC. To configure interfaces and ports on SONiC, modify the INTERFACE hierarchy statements in the /etc/sonic/config_db.json file. "INTERFACE": { "Ethernet3": { "mpls": "enable" }, "Ethernet4": { "mpls": "enable" }, "Ethernet5": { "mpls": "enable" }, "PortChannel0001": {}, "Ethernet3|1.21.23.2/24": {}, "Ethernet4|1.22.23.2/24": {}, "Ethernet5|1.23.23.2/24": {}, "PortChannel0001|20.1.1.1/24": {} }, "PORT": { "Ethernet1": { "admin_status": "up", "alias": "et-0/0/1", "lanes": "1" }, "Ethernet2": { "admin_status": "up", "alias": "et-0/0/3", "lanes": "2" }, "Ethernet3": {
33 "admin_status": "up", "alias": "et-0/0/5", "lanes": "3" }, "Ethernet4": { "admin_status": "up", "alias": "et-0/0/7", "flow_control": "on", "lanes": "4" }, "Ethernet5": { "admin_status": "up", "alias": "et-0/0/9", "lanes": "5" } }, "PORTCHANNEL": { "PortChannel0001": { "admin_status": "up", "members": [ "Ethernet1", "Ethernet2" ], "min_links": "1", "mtu": "1500" } }, "PORTCHANNEL_MEMBER": { "PortChannel0001|Ethernet1": {}, "PortChannel0001|Ethernet2": {} } When a physical port is configured to be channelized, then all the channelized ports need to be configured with a valid speed setting. In the following example, a speed of 10000 is configured on the channelized ports: "Ethernet13": { "admin_status": "up", "alias": "et-1/0/34:0",
34 "lanes": "13", "mtu": "1500", "speed": "10000" }, "Ethernet14": { "admin_status": "up", "alias": "et-1/0/34:1", "lanes": "14", "mtu": "1500", "speed": "10000" }, "Ethernet15": { "admin_status": "up", "alias": "et-1/0/34:2", "lanes": "15", "mtu": "1500", "speed": "10000" }, "Ethernet16": { "admin_status": "up", "alias": "et-1/0/34:3", "lanes": "16",
35 "mtu": "1500", "speed": "10000" }, Enabling FEC Mode This section shows a sample port configuration to enable forward error correction (FEC) mode in SONiC. On PTX10008 routers, FEC is enabled by default on the interfaces. For any module where FEC is disabled by default, then you can enable FEC mode to the SONiC port configuration in port_config.ini file. "PORT": { "Ethernet1": { "admin_status": "up", "alias": "et-0/0/1", "lanes": "1", "fec": "rs" } Enabling FEC Counters Once FEC mode is enabled, the FEC counters starts accumulating data. The FEC counters are tied to the port statistics through the FLEX COUNTER configuration in config_db.json file. "FLEX_COUNTER_TABLE": { "PFCWD": { "FLEX_COUNTER_STATUS": "enable" }, "PORT": { "FLEX_COUNTER_STATUS": "enable" }, "QUEUE": {
36 "FLEX_COUNTER_STATUS": "enable" } } Use the show interfaces counters fec command to monitor FEC counters. See “Monitor the Multi-PFE SONiC Platform” on page 49 for information. Configuring Access Control Lists (ACLs) This section shows a sample ACL configuration using cRPD in SONiC. NOTE: ACL is also known as firewall filters. To configure ACL on SONiC, modify the ACL_TABLE and ACL_RULE statements in the /etc/sonic/config_db.json file. ACL_TABLE": { "acl-test": { "policy_desc": "test_acl", "ports": [ "Ethernet3", "Ethernet4" ], "stage": "ingress", "type": "l3" } }, "ACL_RULE": { "acl-test|rule_0": { "PRIORITY": "1000", "PACKET_ACTION": "DROP", "SRC_IP": "1.21.23.1" }, "acl-test|rule_1": { "PRIORITY": "1001", "PACKET_ACTION": "DROP", "SRC_IP": "1.21.23.4"
37 } }, Configuring BGP This section shows a sample BGP configuration using cRPD in SONiC. To configure BGP on SONiC, modify the BGP_NEIGHBOR statements in the /etc/sonic/config_db.json file. "BGP_NEIGHBOR": { "1.21.23.1": { "admin_status": "up", "asn": "64800", "holdtime": "180", "keepalive": "60", "local_addr": "1.21.23.2", "name": "JUNIPER10K3T2", "nhopself": "0", "rrclient": "0" } } Configuring MPLS This section shows a sample MPLS configuration using cRPD in SONiC. MPLS is not enabled in FRR, the default SONiC routing stack. MPLS functionality is currently only available through cRPD routing stack. To enable MPLS on SONiC, modify the INTERFACE statement in the /etc/sonic/config_db.json file. "INTERFACE": { "Ethernet3": { "mpls": "enable"
38 }, } You can enable and disable MPLS on the interfaces using the following SONiC configuration utility: config interface mpls add rif-name config interface mpls remove rif-name Configuring Priority-Based Flow Control Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined by IEEE 802.1Qbb that allows independent flow control for each class of service to ensure that no frame loss from congestion occurs in data center networks. PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC controls classes of flows, whereas Ethernet PAUSE indiscriminately pauses all the traffic on a link. Also known as priority flow control. On Juniper Networks PTX10008 router running SONiC, a maximum of two PFC designated queues per port is supported. You can use PFC watchdog to detect and resolve PFC pause storms. PFC watchdog is activated by SONiC configuration on a PFC enabled interface. PFC watchdog detection, mitigation, and recovery functionality is handled by the forwarding plane. PFC watchdog detection and recovery intervals are configured at the chassis level and not at the port level. NOTE: Juniper Networks PTX10008 router running SONiC supports PFC and PFC watchdog features in 201911-r2 and later releases. NOTE: The SONiC CLI only shows the configuration status and the pause storms detection and recovery statistics. NOTE: The PFC and PFC Watchdog is supported on the physical interface and not on AE interfaces.
39 To configure PFC on SONiC, you need to: 1. Map the code-point to a PFC enabled Queue. "MAP_PFC_PRIORITY_TO_QUEUE": { "AZURE": { "3": "3", "4": "4" } } 2. Enable PFC on the Interface. "PORT_QOS_MAP": { "Ethernet4,Ethernet22,Ethernet23": { …. "pfc_enable": "3,4" } } To configure xon/xoff values, a buffer must be associated with the queue. 1. Create a buffer pool. "BUFFER_POOL": { "ingress_lossless_pool": { "xoff": "4194112", "type": "ingress", "mode": "dynamic", "size": "10875072" } } 2. Create a buffer profile that refers to the buffer pool and specifies the desired xon/xoff values. NOTE: xon/xoff values are expressed in bytes, and are relative to the size of the default buffer for the queue’s interface. For more details, see Class of Service section in Known Issues and Limitations.
40 "BUFFER_PROFILE": { "pg_lossless_40000_40m_profile": { "xon_offset": "2288", "dynamic_th": "-3", "xon": "35776000", "xoff": "71552000", "pool": "[BUFFER_POOL|ingress_lossless_pool]", "size": "1248" } } 3. Associate the buffer pool with the queue. "BUFFER_QUEUE": { "Ethernet4,Ethernet22,Ethernet23|3-4": { "profile": "[BUFFER_PROFILE|pg_lossless_40000_40m_profile]" }, } The following is a sample to configure PFC watchdog on the interface: "PFC_WD": { "Ethernet6": { "action": "drop", "detection_time": "200", "restoration_time": "400" }, "Ethernet42": { "action": "drop", "detection_time": "200", "restoration_time": "400" }, "Ethernet67": { "action": "drop", "detection_time": "200", "restoration_time": "400" } },
41 NOTE: In the PFC Watchdog configuration, only drop is supported as an action. Forward is not supported as an action. Configuring WRED Weighted random early detection (WRED) drop profiles define the drop probability of packets of different packet loss probabilities (PLPs) as the output queue fills. During periods of congestion, as the output queue fills, the switch drops incoming packets as determined by a drop profile, until the output queue becomes less congested. Depending on the drop probabilities, a drop profile can drop many packets long before the buffer becomes full, or it can drop only a few packets even if the buffer is almost full. To configure WRED in SONiC, you need to: 1. Configure WRED profile. "WRED_PROFILE": { "AZURE": { "ecn": "ecn_all", "green_drop_probability": "10", "green_max_threshold": "4097152", "green_min_threshold": "1048576", "red_drop_probability": "50", "red_max_threshold": "8097152", "red_min_threshold": "4048576", "wred_green_enable": "true", "wred_red_enable": "true", "wred_yellow_enable": "true", "yellow_drop_probability": "30", "yellow_max_threshold": "6097152", "yellow_min_threshold": "3048576" } } 2. Attach the WRED profile under a queue. "QUEUE": {
42 "Ethernet4,Ethernet22,Ethernet23|3" : { "scheduler" : "[SCHEDULER|scheduler.1]", "wred_profile" : "[WRED_PROFILE|AZURE]" } The minimum or maximum thresholds in the WRED profile are byte values that are relative to the buffer size. The buffer size can come either from the default buffer for the queue’s interface, or from an explicitly configured buffer size. For more details, see Class of Service section in Known Issues and Limitations. To explicitly configure the buffer size used with the threshold values, perform the following additional steps: 3. Configure a buffer pool with a size relative to the minimum or maximum thresholds in the WRED profile. "BUFFER_POOL": { "ingress_pool": { "type": "ingress", "size": "10875072" } } 4. Configure a buffer profile that references the buffer pool. "BUFFER_PROFILE": { "ingress_profile": { "dynamic_th": "3", "pool": "[BUFFER_POOL|ingress_pool]", "size": "0" } } 5. Associate the buffer pool with the queue. "BUFFER_QUEUE": { "Ethernet4,Ethernet22,Ethernet23|3-4": { "profile": "[BUFFER_PROFILE|ingress_profile]" } }
43 Configuring Explicit Congestion Notification Explicit congestion notification (ECN) enables end-to-end congestion notification between two endpoints on TCP/IP based networks. The two endpoints are an ECN-enabled sender and an ECN-enabled receiver. ECN must be enabled on both endpoints and on all the intermediate devices between the endpoints for ECN to work properly. Any device in the transmission path that does not support ECN breaks the end-to-end ECN functionality. NOTE: Juniper Networks PTX10008 router running SONiC supports ECN in 201911-r2 and later releases. On Juniper Networks PTX10008 router running SONiC, ECN is controlled using the WRED drop profile configuration. NOTE: ECN is supported only on the physical interface and not on AE interfaces. WRED profiles are used to enable ECN. Without ECN enabled, a WRED profile drops packets based on how full the buffer is. With ECN enabled, packets are marked rather than being dropped. To configure ECN on SONiC, you need to: 1. Configure WRED profile. See “Configuring WRED” on page 41. 2. Enable ECN in the WRED profile. "WRED_PROFILE": { "AZURE": { "ecn": "ecn_all", … } }
44 Configuring Port Mirroring Port mirroring is also known as Everflow in SONiC. You use port mirroring to send traffic to devices that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring, and predicting traffic patterns, correlating events, and so on. Port mirroring is needed when you want to perform traffic analysis because a device normally sends packets only to the port to which the destination device is connected. NOTE: Juniper Networks PTX10008 router running SONiC supports port mirroring (Everflow) in 201911-r2 and later releases. To configure port mirroring, you need to configure a port-mirroring instance. You send the packets through a mirror session. The egress packet is GRE encapsulated. You can also apply policing to the sampled packets. The following is a sample to configure port mirroring (Everflow) in SONiC: "MIRROR_SESSION": { "everflow0": { "src_ip": "192.168.1.1", "dst_ip": "192.168.2.1" } }, "ACL_TABLE": { "EVERFLOW": { "policy_desc" : "EVERFLOW_ALWAYS_ON", "type": "MIRROR", "ports": [ "Ethernet4", ] } } "ACL_RULE": { "EVERFLOW |rule_1": { "priority": "9999", "mirror_action": "everflow0", "dscp": "16/31" }, }
45 ACL and mirroring-related configurations are defined in MIRROR_SESSION,ACL_TABLE, and ACL_RULE tables. Configuring Media Access Control Security Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security. MACsec can identify and prevent most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. Juniper Networks' PTX10008 router running SONiC supports MACsec. The PTX10008 router with up to 400G line rate MACsec works seamlessly on SONiC. NOTE: Juniper Networks PTX10008 router running SONiC supports MACsec in 201911-r2 and later releases. To configure MACsec on a port in SONiC, you need to include the port name to the MACSEC_PORT stanza in /etc/sonic/config_db.json as shown below: MACSEC_PORT { Ethernet, ... } Use the following CLI commands to enable and disable MACsec dynamically on SONiC as an alternative to config_db.json: config macsec add Ethernet config macsec remove Ethernet
46 To configure the MACsec security behavior in wpa-supplicant, a configuration file must be added for each SONiC port that is enabled for MACsec. The wpa-supplicant configuration file should be named as /etc/sonic/macsec/Ethernet.conf. The content of the wpa-supplicant configuration file syntax is documented by the wpa-supplicant project as follows: update_config=1 ctrl_interface=/var/run/wpa_supplicant eapol_version=3 ap_scan=0 NOTE: The content of the wpa_supplicant configuration file is fixed and should not be modified. Configuring MACsec with Pre-shared Key MACsec security keys and sessions are managed by the MACsec Key Agreement (MKA) protocol software stack. You can configure MACsec with a pre-shared key as shown below: network={ key_mgmt=NONE eapol_flags=0 macsec_policy=1 macsec_integ_only=0 macsec_ciphersuite=1 macsec_port=1 ....macsec_include_sci=0 mka_cak=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435 mka_priority=1 }
You can also read