DEPLOYING SONIC ON JUNIPER NETWORKS PTX10008 PACKET TRANSPORT ROUTER 2021-07-13

 
CONTINUE READING
Deploying SONiC on Juniper Networks
PTX10008 Packet Transport Router

 Published
2021-07-13
ii

  Juniper Networks, Inc.
  1133 Innovation Way
  Sunnyvale, California 94089
  USA
  408-745-2000
  www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.

Deploying SONiC on Juniper Networks PTX10008 Packet Transport Router
Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
iii

Table of Contents

1    Deploying SONiC on Juniper Networks PTX10008 Router
     Overview | 7

        Disaggregation Overview | 7

        Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7

        SONiC Architecture | 8

        Hardware Abstraction Layer (HAL) | 10

        Multi-PFE Modular Chassis Architecture | 10

     Features and Protocols Available on SONiC | 12

     Install, Upgrade, and Recover SONiC | 16

        Install SONiC on PTX10008 Router | 16

        Upgrade SONiC on PTX10008 Router | 24

     Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26

        Understanding Containerized RPD | 26

        Benefits of cRPD with SONiC | 27

        cRPD Multi-channel KRT Support in SONiC | 27

           Configure KRT multi-channels on cRPD in SONiC | 28

           Configure Traceoptions on cRPD in SONiC | 29

           Sample Output | 29

     Configure Features in SONiC | 30

        Configuring cRPD | 31

        Configuring the Router | 31

        Configuring Interfaces and Ports | 32

        Enabling FEC Mode | 35

        Enabling FEC Counters | 35

        Configuring Access Control Lists (ACLs) | 36

        Configuring BGP | 37

        Configuring MPLS | 37

        Configuring Priority-Based Flow Control | 38
iv

   Configuring WRED | 41

   Configuring Explicit Congestion Notification | 43

   Configuring Port Mirroring | 44

   Configuring Media Access Control Security | 45

       Configuring MACsec with Pre-shared Key | 46

       Displaying the MACSec Status | 48

Monitor the Multi-PFE SONiC Platform | 49

   show chassis modules | 50

   show chassis fabric | 51

   show chassis linecards | 51

   show chassis alarms | 52

   show chassis alarm-messages | 52

   show chassis environment cb | 52

   show chassis environment fpc | 54

   show chassis environment sib | 57

   show interfaces counters fec | 59

   show interfaces status | 59

   show interfaces transceiver presence | 60

   show interfaces transceiver eeprom | 61

SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62

   Access Control List (ACL) | 63

   Class of Service Mapping | 67

   Class of Service Queue | 67

   Class of Service Scheduler Group | 68

   Class of Service Scheduler | 69

   Buffer API | 69

   Host Interface | 70

   Link Aggregation Group | 74

   MACsec | 74

   Mirroring | 77

   MPLS | 79

   Neighbor | 79

   Next-hop | 79
v

   Next-hop Group | 80

   Policer | 80

   Port | 81

   Router Interface | 84

   Routing | 86

   Switching | 86

   WRED | 89

Known Issues and Limitations | 90

   SONiC | 90

   Class of Service | 91

   cRPD | 92

   Interfaces and Chassis | 92

   Install and Upgrade | 93

   MACsec | 94
1 CHAPTER

Deploying SONiC on Juniper Networks
PTX10008 Router

Overview | 7

Features and Protocols Available on SONiC | 12

Install, Upgrade, and Recover SONiC | 16

Routing Stack Options in Juniper Networks’ Platforms Running SONiC | 26

Configure Features in SONiC | 30

Monitor the Multi-PFE SONiC Platform | 49

SAI API and Attributes Supported on the Multi-PFE SONiC Platform | 62

Known Issues and Limitations | 90
7

Overview

     IN THIS SECTION

          Disaggregation Overview | 7

          Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform | 7

          SONiC Architecture | 8

          Hardware Abstraction Layer (HAL) | 10

          Multi-PFE Modular Chassis Architecture | 10

 Disaggregation Overview

 Disaggregating hardware from software for cloud, multi-cloud, and distributed edge cloud solutions provides
 cloud and service providers with open programmability, choice, automation, and a broad network ecosystem.
 Juniper Networks commits to this disaggregation strategy by integrating Software for Open Networking
 in the Cloud (SONiC) with Juniper hardware, such as the Juniper Networks PTX10008 Packet Transport
 Router.

       NOTE: This document focuses on PTX10008 router running SONiC. Juniper Networks' also
       offers SONiC on select QFX Series platforms. For information on installing SONiC on QFX Series
       platforms, see Juniper Networks Platform Support for SONiC readme document.

 Benefits of the Juniper Networks’ PTX10008 Multi-PFE Platform

 This section describes the following key benefits of PTX10008 multi-PFE platform running SONiC:

 • Centralized SONiC architecture with SONiC running only on the Routing Engine (RE).

 • Provides superior switching performance and scale, often handling 1.5 million FIB entries.

 • Supports high speed (100G and 400G) Ethernet interfaces.

 • Offers greater port density with minimal cabling complexity.
8

• Supports advanced features like MPLS and field-replaceable units (FRUs).

• Simplifies management and abstracts the complexity of the platform.

• Scales well without having a route adjacency for every line card in the multi-PFE chassis.

• Single BGP instance on the RE as opposed to one per packet forwarding engine (PFE) on the line card.

SONiC Architecture

SONiC is an open source Network Operating System (NOS) based on Linux (Debian Linux) that runs on
network devices. SONiC offers a full-suite of network functionality, like BGP. SONiC provides a standardized
interface called the Switch Abstraction Interface (SAI) to program networking ASICs, which is hardware
independent layer. While SONiC provides several infrastructure daemons and libraries, the SAI is by far
its most important component. In Juniper Network’s PTX10008 router, SAI connects to a SONiC agent in
the hardware abstraction layer (HAL).

Figure 1 on page 9 illustrates the SONiC architecture on Juniper Networks’ PTX10008 router.
9

Figure 1: SONiC Architecture

SONiC’s architecture uses Redis as its centralized database that is made available to all SONiC processes
and stores configuration and state information. SAI runs a Redis service that is built on top of the Redis
database.

The SONiC process, syncd, contains the SAI library. All SAI programming requests are initiated by syncd,
usually in response to Redis from various SONiC processes. Syncd is the primary SONiC entry point into
platform-specific services. The syncd process programs the networking ASIC through the SAI API.

Linux routing protocols add routes to the routing table using the NetLink API. FpmSyncd opens a NetLink
socket and waits for kernel notification about route additions and deletions. FpmSyncd monitors the
changes to the routing table and publishes those changes to Redis in real time. Redis then propagates the
route changes to syncd, which uses SAI to update forwarding information (FIB) to all the FPCs.

The SONiC agent (in the Juniper HAL) is the platform-specific backend to the SAI API. The SONiC agent
receives SAI programming requests from syncd in the SONiC container.
10

By bringing SONiC to multi-PFE chassis, Juniper Networks provides a simpler, better-performing network
solution for the most demanding cloud and service provider environments—without sacrificing the flexibility
of an open, disaggregated NOS.

Figure 2 on page 10 shows how a route is added in SONiC.

Figure 2: Adding Routes in SONiC

Hardware Abstraction Layer (HAL)

The SONiC image supported on Juniper Networks’ platform includes the platform drivers and Juniper's
Hardware Abstraction Layer (HAL). Juniper’s HAL includes the implementation of Switch Abstraction
Interface (SAI) for the Juniper Triton ASIC and the line card Packet Forwarding Engine (PFE) software.

Multi-PFE Modular Chassis Architecture

Shifting from a single to a multi-PFE chassis does introduce some changes. Figure 1 shows the standard
SONiC architecture. SONiC is typically deployed on a fixed-form platform with a single networking ASIC.
The standard SONiC architecture on Juniper’s platform is supported on the QFX5200 and QFX5210 series
switches providing the SONiC infrastructure and routing services.

There are two approaches to running SONiC on a multi-PFE architecture.
11

• Running SONiC as a cluster, where SONiC instances run on the line cards. In this case, each line card is
  considered as a SONiC device running routing protocols.

• Running SONiC on the Linux node (called the Routing Engine) and not on the line cards, like in traditional
  multi-PFE modular chassis, such as the Juniper’s PTX10008 router. In this case, the entire system becomes
  a cluster within a chassis. Each line card in the system is a Linux node. Removing a line card from the
  chassis only results in losing the ports but not the SONiC node in the network topology.

Juniper’s PTX10008 router, the newest 400G modular chassis, brings all the benefits of SONiC to data
center networks by deploying SONiC on the PTX10008 router (multi-PFE architecture). Figure 3 on page 11
illustrates Juniper Networks’ PTX10008 router’s multi-PFE modular chassis architecture running SONiC.

Figure 3: Multi-PFE Modular Chassis

Juniper’s multi-PFE SONiC architecture provides simplicity, manageability, resiliency, performance, and
scale required in data center spine network deployment.

When running SONiC on multi-PFE architecture, a cell-based design such as those in the Juniper Networks’
PTX10008 router, packets are forwarded across the fabric cards (spine nodes) very efficiently. Comparing
this to the flow-based ethernet ECMP mechanism, unequal fabric link utilization is seen depending on the
average flow size, and where those flows are hashed across the fabric. In some cases, where high throughput
is required, packet drop can be significant enough to make related applications to stop working. You can
prevent this by oversizing the system, but then it can also lead to a significant increase in cost. A cell-based
design, like the PTX10008 router, allows operators to run the system at a higher utilization without worrying
about dropping the traffic on a single overutilized fabric link.

PTX10008 router supports MPLS required to expand SONiC deployment across the infrastructure. With
the current version of SONiC, which focuses primarily on switch and IP connectivity, Juniper has added
12

 complete software support for MPLS from configuration to SAI. Using containerized Routing Protocol
 Daemon (cRPD) in SONiC, all types of MPLS routes can be programmed, even with ECMP support.

Features and Protocols Available on SONiC

 The section describes the key features and protocols available on the Juniper Networks’ PTX10008 router
 running SONiC.

 Table 1 on page 13 lists the key features and protocols available on the Juniper Networks’ PTX10008
 router running SONiC.
13

Table 1: Features and Protocols Available on SONiC

 Category   Features/Protocols     Description

 Class of   DSCP                   Define the Differentiated Services code point (DSCP) mapping that is applied
 Service                           to the packets.
 (CoS)
            Schedulers, Shaping,   You use schedulers to define the properties of output queues. These properties
            and Queuing            include the amount of interface bandwidth assigned to the queue, the size of
                                   the memory buffer allocated for storing packets, the priority of the queue, and
                                   the random early detection (RED) drop profiles associated with the queue. Output
                                   queues are mapped to forwarding classes, and classifiers map incoming traffic
                                   into forwarding classes based on IEEE 802.1p or DSCP code points.

                                   You can shape traffic for a specific port on a router or for a specific CoS queue.

                                   Output queue scheduling defines the class-of-service (CoS) properties of output
                                   queues.

            WRED                   Weighted random early detection (WRED) drop profiles define the drop
                                   probability of packets of different packet loss probabilities (PLPs) as the output
                                   queue fills. During periods of congestion, as the output queue fills, the switch
                                   drops incoming packets as determined by a drop profile, until the output queue
                                   becomes less congested.

                                   Depending on the drop probabilities, a drop profile can drop many packets long
                                   before the buffer becomes full, or it can drop only a few packets even if the
                                   buffer is almost full.

            Priority-Based Flow    Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined
            Control                by IEEE 802.1Qbb that allows independent flow control for each class of service
                                   to ensure that no frame loss from congestion occurs in data center networks.
                                   PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC controls
                                   classes of flows, whereas Ethernet PAUSE indiscriminately pauses all of the
                                   traffic on a link. Also known as priority flow control.

            PFC Watchdog           Use the PFC watchdog to detect and resolve PFC pause storms. PFC watchdog
                                   is activated by SONiC configuration on a PFC enabled interface.

            Explicit Congestion    Explicit congestion notification (ECN) enables end-to-end congestion notification
            Notification           between two endpoints on TCP/IP based networks. The two endpoints are an
                                   ECN-enabled sender and an ECN-enabled receiver. ECN must be enabled on
                                   both endpoints and on all the intermediate devices between the endpoints for
                                   ECN to work properly. Any device in the transmission path that does not support
                                   ECN breaks the end-to-end ECN functionality.

 DHCP       DHCP Relay             Forwards DHCP packets between clients and servers.
14

Table 1: Features and Protocols Available on SONiC (continued)

 Category     Features/Protocols     Description

 Access       ACL                    ACL provide a means of protecting your router from excessive traffic transiting
 Control                             the router to a network destination or destined for the Routing Engine.
 List (ACL)
                                     NOTE: Juniper Networks’ PTX10008 router running SONiC supports ACL only
                                     at the ingress (IPv4 and IPv6) level. Egress is not supported.

                                     ACL is also known as firewall filters.

 Layer 2      Link Layer Discovery   Allows network devices that operate at the lower layers of a protocol stack (such
              Protocol (LLDP)        as Layer 2 bridges and switches) to learn some of the capabilities and
                                     characteristics of LAN devices available to higher layer protocols, such as IP
                                     addresses. The information gathered through LLDP operation is stored in a
                                     network device and is queried with SNMP.

              MACSec                 Media Access Control security (MACsec) provides point-to-point security on
                                     Ethernet links. MACsec is defined by IEEE standard 802.1AE.

              MAC Table Aging        Modify the timeout interval for the MAC table.

              MTU Setting            Specify the maximum transmission unit (MTU) size for the media or protocol.
                                     The default MTU size depends on the device type. Changing the media MTU or
                                     protocol MTU causes an interface to be deleted and added again.

              Link Aggregation       LACP is one method of bundling several physical interfaces to form one logical
              Control Protocol       aggregated Ethernet interface. LACP is a subcomponent of the IEEE 802.3ad
              (LACP)                 standard and is used as a discovery protocol.

              Link Aggregation       IEEE 802.3ad link aggregation enables you to group Ethernet interfaces to form
              Group (LAG)            a single link layer interface, also known as a link aggregation group (LAG) or
                                     bundle. Supports up to 512 bundles; up to 64 member links per bundle.

 Layer 3      IPv4                   Supports IPv4 address family.

              IPv6                   Supports IPv6 address family.

              Dual Stack             Supports dual-stack (IPv4 and IPv6). Dual stack device is a device with network
                                     interfaces that can originate and understand both IPv4 and IPv6 packets.

              ECMP 128               Supports 128 equal-cost paths for external BGP peers.

 Logging      Syslog                 Stores system log messages such as events and sends it to a syslog server.
15

Table 1: Features and Protocols Available on SONiC (continued)

 Category    Features/Protocols   Description

             Network Time         Synchronize the clocks of routers and other hardware devices on the Internet.
             Protocol (NTP)

             SNMP                 Enables the monitoring of network devices from a central location.

             SSH/SSHv2            Enables SSH (secure shell) to connect to remote devices securely over a network.

             TACACS+              Enables TACACS+ authentication, which is a method of authenticating users
                                  who attempt to access the router or switch.

             Management VRF       Enable a dedicated management virtual routing and forwarding (VRF) instance.

             FTP/SFTP             Allows File Transfer Protocol (FTP) requests from remote systems to the local
                                  device. Secure File Transfer Protocol (SFTP) is a network protocol that provides
                                  file access, file transfer, and file management over any reliable data stream.

             Warm Restart         Allows you to restart various SONiC components without impacting the data
                                  plane.

                                  NOTE: Warm restart at system level is not supported.

 Protocols   BGP                  BGP exchanges routing information among routers in different autonomous
                                  systems.

             MPLS                 MPLS configuration in SONiC is supported only through cRPD for forwarding
                                  packets to the destination in MPLS network.

 Routing     cRPD                 cRPD is the routing protocol process (rpd) that can run in Linux-based
 Stack                            environments.

      NOTE: The SONiC SAI APIs and attributes supported on Juniper Networks’ PTX10008 router
      are in compliance with SONiC 201911 release. For more information, see “SAI API and Attributes
      Supported on the Multi-PFE SONiC Platform” on page 62.
16

Install, Upgrade, and Recover SONiC

     IN THIS SECTION

          Install SONiC on PTX10008 Router | 16

          Upgrade SONiC on PTX10008 Router | 24

 This section describes how to install, upgrade, and recover Open Network Install Environment (ONIE) and
 SONiC on the Juniper Networks’ PTX10008 router. Open Network Installation Environment (ONIE) is an
 open source installation environment for installing and booting all the software components.

       NOTE: The Juniper Networks’ PTX10008 router is shipped with SONiC images pre-installed.

 The SONiC installation and recovery process on PTX10008 router are the same and the installation results
 in clean installation, which means all the prior configurations are removed, including that of the network
 management port. Access to the console port is required before beginning the installation and recovery
 process.

 For SKUs supporting SONiC, see the PTX10008 Packet Transport Router datasheet at
 https://www.juniper.net/us/en/products-services/routing/ptx-series/ptx10000/.

 Install SONiC on PTX10008 Router

 This section describes how to install SONiC on the Juniper Networks’ PTX10008 router.

       NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by
       the BIOS.
17

To install SONiC on the Juniper Networks’ PTX10008 router, you need to:

1. Download the install image juniper-sonic-ptx10k-media-usb-.img (for example
   juniper-sonic-ptx10k-media-usb-201911-R1.7.img), from
   https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as
   SONiC.

         NOTE: The juniper-sonic-ptx10k-media-usb-.img image installs both ONIE and
         SONiC on the PTX10008 router.

2. Copy the juniper-sonic-ptx10k-media-usb-.img install image to a USB memory drive and
   then insert the USB memory drive to the router’s USB port.

3. Power on the router and access the console.

     $ telnet console-port
     Trying 10.9.187.145...
     Connected to console-port.
     Escape character is '^]'.
     +----------------------------------------------------------------------------+
     Booting from Flash A
     FPGA Reset Reason = 0x80
     Primary BIOS version CBEP_P_VAL1_00.15.01
     Total Memory Size = 64GB
     Checking Primary BIOS code integrity...Passed!
     ME is in normal operational state
     Press Esc for boot options
     ME is in normal operational state

4. Go to the boot options in the BIOS configuration by pressing the Esc key, as displayed in the console
   screen.

5. Select Setup Utility option from menu.

     Enter Select SubMenu
     > Continue
     > Boot Manager
     > Device Management
     > Setup Utility
     > Administer Secure Boot
18

6. Select Boot from the Setup Utility menu.

     Go to Setup Utility.
     InsydeH2O Setup Utility                              Rev. 5.0
     Main   Advanced    Security     Power    >Boot   Exit

7. Select UEFI Boot Order option from the InsydeH20 Setup Utility menu.

     InsydeH2O Setup Utility                              Rev. 5.0
     Main   Advanced    Security     Power    >Boot   Exit

     Quick Boot                      Enabled
     Quiet Boot                      Enabled
     Network Stack                   Enabled
     PXE Boot capability             UEFI:IPv4
     Power Up In Standby             Disabled
     Add Boot Options                Auto
     ACPI Selection                  Acpi5.0
     USB Boot                        Enabled
     UEFI OS Fast Boot               Enabled
     USB Hot Key Support             Disabled
     Timeout                         5
     Automatic Failover              Enabled
     Juniper Boot Mode               UEFI Boot Order
     >EFI

8. Press F10 to exit and save the changes.

9. Select Boot Manager option from the menu and then select USB media for boot.

     Secure boot is not enforced
     Welcome to GRUB!
     GNU GRUB    version 2.02
     +----------------------------------------------------------------------------+
     Use the ^ and v keys to select which entry is highlighted.
            Press enter to boot the selected OS, `e' to edit the commands
            before booting or `c' for a command-line.
     +----------------------------------------------------------------------------+
            ONIE: Rescue
            *ONIE: Embed ONIE
     ONIE: Embedding ONIE ...
19

10. Select ONIE: Embed ONIE option to proceed with ONIE boot.

     Platform   : x86_64-juniper_ptx10k-r0
     Version    : 2020.02.0.1-dirty
     Build Date: 2020-02-25T15:12+00:00
     Info: Mounting kernel filesystems... done.
     Info: Mounting ONIE-BOOT on /mnt/onie-boot ...
     Info: Mounting EFI System on /boot/efi …
     […]
     ONIE: Build Date       : 2020-02-25T15:12+00:00
     Installing ONIE on: /dev/sda
     ONIE: Success: Firmware update URL: file:///lib/onie/onie-updater
     ONIE: Success: Firmware update version: 2020.02.0.1-dirty
     ONIE: Rebooting...
     discover: ONIE embed mode detected.
     Stopping: discover...start-stop-daemon: warning: killing process 1300: No such
      process
     done.
     Stopping: dropbear ssh daemon... done.
     Stopping: telnetd... done.
     Stopping: klogd... done.
     Stopping: syslogd... done.
     Info: Unmounting kernel filesystems
     umount: can't unmount /: Invalid argument
     The system is going down NOW!
     Sent SIGTERM to all processes
     Sent SIGKILL to all processes
     Requesting system reboot
     reboot: Restarting system
     +----------------------------------------------------------------------------+
     Booting from Flash A
     FPGA Reset Reason = 0x1
     Primary BIOS version CBEP_P_VAL1_00.15.01
     Total Memory Size = 64GB
     Checking Primary BIOS code integrity...Passed!
     Press Esc for boot options
     ME is in normal operational state
     […]
     Booting ONIE: Open Network Install Environment...
     Secure boot is not enforced
     Welcome to GRUB!
     GNU GRUB   version 2.02
     +----------------------------------------------------------------------------+
     Use the ^ and v keys to select which entry is highlighted.
20

     Press enter to boot the selected OS, `e' to edit the commands
     before booting or `c' for a command-line.
             *ONIE: Install OS
21

     Starting: discover... done.

     Please press Enter to activate this console. Info: eth0:                Checking link... down.
     ONIE: eth0: link down.         Skipping configuration.
     Info: eth1:      Checking link... up.
     Info: Trying DHCPv4 on interface: eth1
     ONIE: Using DHCPv4 addr: eth1: 10.9.168.253 / 255.255.255.0
     Info: eth2:      Checking link... down.
     ONIE: eth2: link down.         Skipping configuration.
     Info: eth3:      Checking link... down.
     ONIE: eth3: link down.         Skipping configuration.
     ONIE: Failed to configure eth0 interface
     ONIE: Failed to configure eth2 interface
     ONIE: Failed to configure eth3 interface
     ONIE: Starting ONEXT4-fs (sdc7): couldn't mount as ext3 due to feature
     incompatibilities
     IE Service Discovery
     […]

12. After the SONiC OS is installed successfully, the system reboots, and loads the SONiC OS automatically.

     Info: Attempting file://dev/sda/onie-installer ...
     ONIE: Executing installer: file://dev/sda/onie-installer
     Verifying image checksum ... OK.
     Preparing image archive ... OK.
     Installing SONiC in ONIE
     ONIE Installer: platform: x86_64-juniper-r0
     onie_platform: x86_64-juniper_ptx10k-r0
     Partition #1 is in use.
     Partition #2 is in use.
     Partition #3 is available
     Creating new SONiC-OS partition /dev/sdb3 ...
     Warning: The kernel is still using the old partition table.
     The new table will be used at the next reboot.
     The operation has completed successfully.
     mke2fs 1.42.13 (17-May-2015)
     Discarding device blocks:            4096/8388608 528384/83886087344128/8388608
               done
     Creating filesystem with 8388608 4k blocks and 2097152 inodes
     Filesystem UUID: 9fdb43cf-35fa-4e1d-b403-a3bffacb7a9e
     Superblock backups stored on blocks:
     32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
     4096000, 7962624
22

Allocating group tables:     0/256       done
Writing inode tables:    0/256        done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information:    0/256       done

Installing SONiC to /tmp/tmp.4GacD0/image-201904.0-dirty-20200226.091..
Archive:   fs.zip
   creating: boot/
  inflating: boot/vmlinuz-4.9.0-9-2-amd64
  inflating: boot/config-4.9.0-9-2-amd64
  inflating: boot/bzImage-ptx10k-rcb.dtb
  inflating: boot/initrd.img-4.9.0-9-2-amd64
  inflating: boot/System.map-4.9.0-9-2-amd64
   creating: platform/
  inflating: platform/firsttime
   creating: platform/x86_64-grub/
  inflating: platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb
  inflating: fs.squashfs
Success: Support tarball created: /tmp/onie-support-juniper_ptx10k.tar.bz2
Installed SONiC base image SONiC-OS successfully
ONIE: NOS install successful: file://dev/sda/onie-installer
ONIE: Rebooting...
discover: installer mode detected.
Stopping: discover...start-stop-daemon: warning: killing process 1379: No such
 process
done.
Stopping: dropbear ssh daemon... done.
Stopping: telnetd... done.
Stopping: klogd... done.
Stopping: syslogd... done.
Info: Unmounting kernel filesystems
umount: can't unmount /: Invalid argument
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system reboot
reboot: Restarting system
+----------------------------------------------------------------------------+
Booting from Flash A
FPGA Reset Reason = 0x81
Primary BIOS version CBEP_P_VAL1_00.15.01
Total Memory Size = 64GB
Checking Primary BIOS code integrity...Passed!
23

     Press Esc for boot options
     ME is in normal operational state
     Booting SONiC-OS...
24

Upgrade SONiC on PTX10008 Router

This section describes how to upgrade SONiC on the Juniper Networks’ PTX10008 router. Software
upgrade is the procedure of updating the SONiC to a latest release without losing any of the existing
configuration. While console access is always preferred, it is not mandatory for this procedure.

      NOTE: The install, upgrade, and recovery of SONiC happens in the Primary SSD, as defined by
      the BIOS.

To upgrade the SONiC OS on the Juniper Networks’ PTX10008 router to a later release, you need to:

1. Download the SONiC image juniper-sonic-ptx10k-.bin (for example,
   juniper-sonic-ptx10k-201911-R1.6.bin) from
   https://support.juniper.net/support/downloads/?p=ptx10008 by selecting the operating system as
   SONiC.

2. Copy the SONiC installer image to the /usr/bin/ directory in the existing SONiC system.

3. You must be logged in as a root user to proceed with the upgrade. If you are logged in to SONiC as a
   non-root user, you will need to switch to the root user by entering the following command:

       admin@ptx10k8:~$sudo -i

4. Navigate to the directory /usr/bin/ where the juniper-sonic-ptx10k-.bin file is located.

       root@ptx10k8:~# cd /usr/bin/

5. Install the juniper-sonic-ptx10k-.bin file.

       root@ptx10k8:/usr/bin/# sonic_installer install ./juniper-sonic-ptx10k-.bin

6. When prompted to install the new image, enter Y to continue the upgrade installation.

     New image will be installed, continue? [y/N]: y
     Installing image SONiC-OS-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528
     and setting it as default...
     Command: bash ./juniper-sonic-ptx10k-201911-R1.6.bin
25

Verifying image checksum ... OK.
Preparing image archive ... OK.
Installing SONiC in SONiC
ONIE Installer: platform: x86_64-juniper-r0
onie_platform: x86_64-juniper_ptx10k-r0
Removing old SONiC installation
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201110.103709
Installing SONiC to /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528
Archive:       fs.zip
    creating: /host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/bzImage-ptx10k-rcb.dtb

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/initrd.img-4.9.0-11-2-amd64

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/System.map-4.9.0-11-2-amd64

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/config-4.9.0-11-2-amd64

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/boot/vmlinuz-4.9.0-11-2-amd64

    creating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/
 extracting:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/firsttime

    creating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/platform/x86_64-grub/grub-pc-bin_2.02~beta3-5+deb9u2_amd64.deb

   inflating:
/host/image-juniper-sonic-ptx10k-jnpr_201911-0-20201113.123528/fs.squashfs
Installed SONiC base image SONiC-OS successfully

Command: grub-set-default --boot-directory=/host 0

Command: rm -rf /host/old_config
26

      Command: cp -ar /etc/sonic /host/old_config

      Command: sync;sync;sync

      Command: sleep 3

      Done

 7. Reboot the system to activate the new software.

        root@ptx10k8:/usr/bin/# reboot

Routing Stack Options in Juniper Networks’ Platforms
Running SONiC

     IN THIS SECTION

          Understanding Containerized RPD | 26

          Benefits of cRPD with SONiC | 27

          cRPD Multi-channel KRT Support in SONiC | 27

 Understanding Containerized RPD

 SONiC on Juniper Networks PTX100008 router supports containerized Routing Protocol Daemon (cRPD).
 cRPD is Juniper’s routing protocol container. SONiC also supports the Free Range Routing (FRR) routing
 stack.

 Juniper’s cRPD contains the routing protocol process (rpd) that can run in Linux-based environments and
 management daemon (mgd) that allows the system administrator to run rpd-related CLI for configuration
 purposes. The rpd process runs as user space application and learns route state through various routing
 protocols and maintains the complete set in the Routing Information Base (RIB), also known as routing
 table. The rpd process is also responsible for downloading the routes into the Forwarding Information
27

Base (FIB) also known as forwarding table based on local selection criteria. Whereas the Packet Forwarding
Engine (PFE) in Juniper Networks PTX10008 router holds the FIB and does packet forwarding for cRPD.
The host Linux kernel stores the FIB and performs packet forwarding. cRPD can also be deployed to provide
control plane-only services such as BGP route reflection.

The default routing stack offered in Juniper Networks’ PTX100008 router running SONiC is cRPD. cRPD
is a fully supported, feature rich, fast converging and scalable routing stack. However, you can also use
FRR as the routing stack.

Benefits of cRPD with SONiC

This section lists the following key benefits of cRPD in Juniper Networks’ PTX10008 multi-PFE platform
running SONiC:

• Feature rich with BGP filters, route policies, stable and high performance.

• Telemetry information on state, health, and performance with gRPC streaming.

• Containers reduces the time required for service boot up from several minutes to a few seconds resulting
  in faster deployment.

• Run cRPD on any Linux server that supports docker.

• With a small footprint and minimum resource reservation requirements, cRPD can easily scale to keep
  up with demand.

• Provides significantly higher density without requiring resource reservation on the host than what is
  offered by VM-based solutions.

For more information on cRPD, see cRPD Deployment Guide for Linux Server.

cRPD Multi-channel KRT Support in SONiC

    IN THIS SECTION

         Configure KRT multi-channels on cRPD in SONiC | 28

         Configure Traceoptions on cRPD in SONiC | 29

         Sample Output | 29
28

cRPD in SONiC supports multiple Kernel Routing Table (KRT) channels to download route table information
to forwarding table (FIB). The two KRT channels supported are NetLink-based native Linux kernel FIB and
FPMSyncd-based SONiC FIB.

        NOTE: Export policy with install-nexthop is not supported for routes which undergo resolution
        (routes pointing to indirect-nexthop in RPD).

This section describes the following:

Configure KRT multi-channels on cRPD in SONiC

You can configure KRT multi-channels at the [edit routing-options forwarding-table] hierarchy level as
shown below:

    routing-options {
        forwarding-table {
            export abc;
            channel channel-name {
                protocol {
                    protocol-type netlink-fpm
                    destination tcp-addr:port
                    source-id source-id
                }
                export policy-name
            }
        }
    }

        NOTE: In Junos OS Release 21.1R1, the configuration statements under the [edit routing-options
        forwarding-table channel channel-name] hierarchy level is only available for cRPD in SONiC
        platform.

Host Linux channel uses the export policy under the [edit routing-options forwarding-table export]
hierarchy level.

FPMSyncd channel uses the policy at [edit routing-options forwarding-table channel channel-name export]
hierarchy level.
29

Configure Traceoptions on cRPD in SONiC

You can enable debugging by configuring traceoptions on cRPD in SONiC at the [edit routing-options
forwarding-table traceoptions flag] hierarchy level. The following new flags are supported on cRPD in
SONiC:

• fpm—FIB agent-related operations

• table—Table operations

• mfs—Multi-fib service operations

The following is a sample traceoptions configuration on cRPD in SONiC:

    routing-options {
        router-id 2.2.2.2;
        autonomous-system 200;
        forwarding-table {
            traceoptions {
                file krt_mc_debug.log;
                flag fpm;
                flag mfs;
                flag table;
            }
        }
    }

Sample Output

The following is a sample output where routes are advertised to linux (NetLink-based) kernel and to SONiC
through FPMSyncd:

  user@host# run show route 192.168.1.1/24 extensive

  inet.0: 17 destinations, 19 routes (16 active, 0 holddown, 1 hidden)
  192.168.1.1/24 (1 entry, 1 announced)
  TSI:
  KRT-MFS Advt. to KRT-Netlink,KRT-FPM
  KRT-FPM in-kernel 192.168.1.1/24 -> {Ethernet13}
                  *Direct Preference: 0
                              Next hop type: Interface, Next hop index: 0
                              Address: 0x55eb0b0153dc
                              Next-hop reference count: 2
30

                        Next hop: via Ethernet13, selected
                        State: 
                        Local AS:       200
                        Age: 5d 11:35:21
                        Validation State: unverified
                        Task: IF
                        Announcement bits (4): 1-KRT MFS 3-KRT 4-KRT-FPM
                        AS path: I
                        Thread: junos-main

 You can see that the route 192.168.1.1/24 is downloaded to the linux (KRT-Netlink) kernel and is also
 downloaded to SONiC (KRT-FPM) through FPMSyncd.

Configure Features in SONiC

     IN THIS SECTION

          Configuring cRPD | 31

          Configuring the Router | 31

          Configuring Interfaces and Ports | 32

          Enabling FEC Mode | 35

          Enabling FEC Counters | 35

          Configuring Access Control Lists (ACLs) | 36

          Configuring BGP | 37

          Configuring MPLS | 37

          Configuring Priority-Based Flow Control | 38

          Configuring WRED | 41

          Configuring Explicit Congestion Notification | 43

          Configuring Port Mirroring | 44

          Configuring Media Access Control Security | 45

 This section describes the features that you can configure on the Juniper Networks’ PTX10008 router
 running SONiC.
31

Configuring cRPD

Juniper Networks’ PTX10008 router supports configuring cRPD in SONiC through the config_db.json
configuration utility. The config_db.json utility is a local redis database (redis-db). You need to do a config
save and config load for the configurations to take effect in cRPD.

      NOTE: The config save command is equivalent to the commit command in cRPD.

When the SONiC system boots up, configurations are loaded from /etc/sonic/config_db.json file into the
redis database.

Configuring the Router

This section shows a sample router device configuration using cRPD in SONiC.

To configure the router on SONiC, modify the DEVICE_METADATA hierarchy statements in the
/etc/sonic/config_db.json file.

  "DEVICE_METADATA": {
             "localhost": {
                  "bgp_asn": "65100",
                  "default_bgp_status": "up",
                  "default_pfcwd_status": "disable",
                  "deployment_id": "1",
                  "docker_routing_config_mode": "fpm",
                  "hostname": "vsonic",
                  "hwsku": "PTX10008",
                  "mac": "30:b6:4f:94:61:2e",
                  "platform": "x86_64-kvm_x86_64-r0",
                  "type": "LeafRouter"
             }
       },
       "DEVICE_NEIGHBOR_METADATA": {
             "JUNIPER10K3T1": {
                  "hwsku": "PTX10008",
                  "lo_addr": "None",
                  "mgmt_addr": "10.216.171.5",
                  "type": "LeafRouter"
32

            }
       },

Configuring Interfaces and Ports

This section shows a sample interface and port configuration using cRPD in SONiC.

To configure interfaces and ports on SONiC, modify the INTERFACE hierarchy statements in the
/etc/sonic/config_db.json file.

  "INTERFACE": {
            "Ethernet3": {
                 "mpls": "enable"
            },
            "Ethernet4": {
                 "mpls": "enable"
            },
            "Ethernet5": {
                 "mpls": "enable"
            },
            "PortChannel0001": {},
            "Ethernet3|1.21.23.2/24": {},
            "Ethernet4|1.22.23.2/24": {},
            "Ethernet5|1.23.23.2/24": {},
            "PortChannel0001|20.1.1.1/24": {}
       },
       "PORT": {
            "Ethernet1": {
                 "admin_status": "up",
                 "alias": "et-0/0/1",
                 "lanes": "1"
            },
            "Ethernet2": {
                 "admin_status": "up",
                 "alias": "et-0/0/3",
                 "lanes": "2"
            },
            "Ethernet3": {
33

                 "admin_status": "up",
                 "alias": "et-0/0/5",
                 "lanes": "3"
            },
            "Ethernet4": {
                 "admin_status": "up",
                 "alias": "et-0/0/7",
                 "flow_control": "on",
                 "lanes": "4"
            },
            "Ethernet5": {
                 "admin_status": "up",
                 "alias": "et-0/0/9",
                 "lanes": "5"
            }
       },
       "PORTCHANNEL": {
            "PortChannel0001": {
                 "admin_status": "up",
                 "members": [
                      "Ethernet1",
                      "Ethernet2"
                 ],
                 "min_links": "1",
                 "mtu": "1500"
            }
       },
       "PORTCHANNEL_MEMBER": {
            "PortChannel0001|Ethernet1": {},
            "PortChannel0001|Ethernet2": {}
       }

When a physical port is configured to be channelized, then all the channelized ports need to be configured
with a valid speed setting. In the following example, a speed of 10000 is configured on the channelized
ports:

  "Ethernet13": {

                 "admin_status": "up",

                 "alias": "et-1/0/34:0",
34

     "lanes": "13",

     "mtu": "1500",

     "speed": "10000"

},

"Ethernet14": {

     "admin_status": "up",

     "alias": "et-1/0/34:1",

     "lanes": "14",

     "mtu": "1500",

     "speed": "10000"

},

"Ethernet15": {

     "admin_status": "up",

     "alias": "et-1/0/34:2",

     "lanes": "15",

     "mtu": "1500",

     "speed": "10000"

},

"Ethernet16": {

     "admin_status": "up",

     "alias": "et-1/0/34:3",

     "lanes": "16",
35

                 "mtu": "1500",

                 "speed": "10000"

            },

Enabling FEC Mode

This section shows a sample port configuration to enable forward error correction (FEC) mode in SONiC.

On PTX10008 routers, FEC is enabled by default on the interfaces. For any module where FEC is disabled
by default, then you can enable FEC mode to the SONiC port configuration in port_config.ini file.

  "PORT": {
            "Ethernet1": {
                 "admin_status": "up",
                 "alias": "et-0/0/1",
                 "lanes": "1",
                 "fec": "rs"
            }

Enabling FEC Counters

Once FEC mode is enabled, the FEC counters starts accumulating data. The FEC counters are tied to the
port statistics through the FLEX COUNTER configuration in config_db.json file.

  "FLEX_COUNTER_TABLE": {
            "PFCWD": {
                 "FLEX_COUNTER_STATUS": "enable"
            },
            "PORT": {
                 "FLEX_COUNTER_STATUS": "enable"
            },
            "QUEUE": {
36

                 "FLEX_COUNTER_STATUS": "enable"
            }
       }

Use the show interfaces counters fec command to monitor FEC counters. See “Monitor the Multi-PFE
SONiC Platform” on page 49 for information.

Configuring Access Control Lists (ACLs)

This section shows a sample ACL configuration using cRPD in SONiC.

     NOTE: ACL is also known as firewall filters.

To configure ACL on SONiC, modify the ACL_TABLE and ACL_RULE statements in the
/etc/sonic/config_db.json file.

  ACL_TABLE": {
            "acl-test": {
                 "policy_desc": "test_acl",
                 "ports": [
                      "Ethernet3",
                      "Ethernet4"
                 ],
                 "stage": "ingress",
                 "type": "l3"
            }
       },
  "ACL_RULE": {
            "acl-test|rule_0": {
                 "PRIORITY": "1000",
                 "PACKET_ACTION": "DROP",
                 "SRC_IP": "1.21.23.1"
            },
            "acl-test|rule_1": {
                 "PRIORITY": "1001",
                 "PACKET_ACTION": "DROP",
                 "SRC_IP": "1.21.23.4"
37

            }
       },

Configuring BGP

This section shows a sample BGP configuration using cRPD in SONiC.

To configure BGP on SONiC, modify the BGP_NEIGHBOR statements in the /etc/sonic/config_db.json
file.

  "BGP_NEIGHBOR": {
            "1.21.23.1": {
                 "admin_status": "up",
                 "asn": "64800",
                 "holdtime": "180",
                 "keepalive": "60",
                 "local_addr": "1.21.23.2",
                 "name": "JUNIPER10K3T2",
                 "nhopself": "0",
                 "rrclient": "0"
            }
       }

Configuring MPLS

This section shows a sample MPLS configuration using cRPD in SONiC. MPLS is not enabled in FRR, the
default SONiC routing stack. MPLS functionality is currently only available through cRPD routing stack.

To enable MPLS on SONiC, modify the INTERFACE statement in the /etc/sonic/config_db.json file.

  "INTERFACE": {
            "Ethernet3": {
                 "mpls": "enable"
38

              },
  }

You can enable and disable MPLS on the interfaces using the following SONiC configuration utility:

      config interface mpls add rif-name
      config interface mpls remove rif-name

Configuring Priority-Based Flow Control

Priority-Based Flow Control (PFC) is a link-level flow control mechanism defined by IEEE 802.1Qbb that
allows independent flow control for each class of service to ensure that no frame loss from congestion
occurs in data center networks. PFC is an enhancement of the Ethernet PAUSE mechanism, but PFC
controls classes of flows, whereas Ethernet PAUSE indiscriminately pauses all the traffic on a link. Also
known as priority flow control.

On Juniper Networks PTX10008 router running SONiC, a maximum of two PFC designated queues per
port is supported.

You can use PFC watchdog to detect and resolve PFC pause storms. PFC watchdog is activated by SONiC
configuration on a PFC enabled interface. PFC watchdog detection, mitigation, and recovery functionality
is handled by the forwarding plane. PFC watchdog detection and recovery intervals are configured at the
chassis level and not at the port level.

       NOTE: Juniper Networks PTX10008 router running SONiC supports PFC and PFC watchdog
       features in 201911-r2 and later releases.

       NOTE: The SONiC CLI only shows the configuration status and the pause storms detection and
       recovery statistics.

       NOTE: The PFC and PFC Watchdog is supported on the physical interface and not on AE
       interfaces.
39

To configure PFC on SONiC, you need to:

1. Map the code-point to a PFC enabled Queue.

     "MAP_PFC_PRIORITY_TO_QUEUE": {
                   "AZURE": {
                      "3": "3",
                      "4": "4"
               }
          }

2. Enable PFC on the Interface.

     "PORT_QOS_MAP": {
                               "Ethernet4,Ethernet22,Ethernet23": {
                                   ….
                                 "pfc_enable": "3,4"
                           }
         }

To configure xon/xoff values, a buffer must be associated with the queue.

1. Create a buffer pool.

     "BUFFER_POOL": {
               "ingress_lossless_pool": {
                     "xoff": "4194112",
                     "type": "ingress",
                     "mode": "dynamic",
                     "size": "10875072"
               }
          }

2. Create a buffer profile that refers to the buffer pool and specifies the desired xon/xoff values.

         NOTE: xon/xoff values are expressed in bytes, and are relative to the size of the default
         buffer for the queue’s interface. For more details, see Class of Service section in Known Issues
         and Limitations.
40

     "BUFFER_PROFILE": {
                "pg_lossless_40000_40m_profile": {
                     "xon_offset": "2288",
                     "dynamic_th": "-3",
                     "xon": "35776000",
                     "xoff": "71552000",
                     "pool": "[BUFFER_POOL|ingress_lossless_pool]",
                     "size": "1248"
                }
            }

3. Associate the buffer pool with the queue.

     "BUFFER_QUEUE": {
                "Ethernet4,Ethernet22,Ethernet23|3-4": {
                     "profile": "[BUFFER_PROFILE|pg_lossless_40000_40m_profile]"
                },
            }

The following is a sample to configure PFC watchdog on the interface:

    "PFC_WD": {
                         "Ethernet6": {
                                               "action": "drop",
                                               "detection_time": "200",
                          "restoration_time": "400"
                         },
                         "Ethernet42": {
                                               "action": "drop",
                                               "detection_time": "200",
                          "restoration_time": "400"
                         },
                         "Ethernet67": {
                                               "action": "drop",
                                               "detection_time": "200",
                          "restoration_time": "400"
                         }
       },
41

      NOTE: In the PFC Watchdog configuration, only drop is supported as an action. Forward is not
      supported as an action.

Configuring WRED

Weighted random early detection (WRED) drop profiles define the drop probability of packets of different
packet loss probabilities (PLPs) as the output queue fills. During periods of congestion, as the output queue
fills, the switch drops incoming packets as determined by a drop profile, until the output queue becomes
less congested. Depending on the drop probabilities, a drop profile can drop many packets long before
the buffer becomes full, or it can drop only a few packets even if the buffer is almost full.

To configure WRED in SONiC, you need to:

1. Configure WRED profile.

     "WRED_PROFILE": {
                "AZURE": {
                     "ecn": "ecn_all",
                     "green_drop_probability": "10",
                     "green_max_threshold": "4097152",
                     "green_min_threshold": "1048576",
                     "red_drop_probability": "50",
                     "red_max_threshold": "8097152",
                     "red_min_threshold": "4048576",
                     "wred_green_enable": "true",
                     "wred_red_enable": "true",
                     "wred_yellow_enable": "true",
                     "yellow_drop_probability": "30",
                     "yellow_max_threshold": "6097152",
                     "yellow_min_threshold": "3048576"
                }
         }

2. Attach the WRED profile under a queue.

     "QUEUE": {
42

                   "Ethernet4,Ethernet22,Ethernet23|3" : {
                       "scheduler"          :    "[SCHEDULER|scheduler.1]",
                       "wred_profile"       :    "[WRED_PROFILE|AZURE]"
               }

   The minimum or maximum thresholds in the WRED profile are byte values that are relative to the buffer
   size. The buffer size can come either from the default buffer for the queue’s interface, or from an
   explicitly configured buffer size. For more details, see Class of Service section in Known Issues and
   Limitations. To explicitly configure the buffer size used with the threshold values, perform the following
   additional steps:

3. Configure a buffer pool with a size relative to the minimum or maximum thresholds in the WRED profile.

     "BUFFER_POOL": {
               "ingress_pool": {
                     "type": "ingress",
                     "size": "10875072"
               }
          }

4. Configure a buffer profile that references the buffer pool.

     "BUFFER_PROFILE": {
               "ingress_profile": {
                     "dynamic_th": "3",
                     "pool": "[BUFFER_POOL|ingress_pool]",
                     "size": "0"
               }
          }

5. Associate the buffer pool with the queue.

     "BUFFER_QUEUE": {
               "Ethernet4,Ethernet22,Ethernet23|3-4": {
                     "profile": "[BUFFER_PROFILE|ingress_profile]"
               }
          }
43

Configuring Explicit Congestion Notification

Explicit congestion notification (ECN) enables end-to-end congestion notification between two endpoints
on TCP/IP based networks. The two endpoints are an ECN-enabled sender and an ECN-enabled receiver.
ECN must be enabled on both endpoints and on all the intermediate devices between the endpoints for
ECN to work properly. Any device in the transmission path that does not support ECN breaks the end-to-end
ECN functionality.

      NOTE: Juniper Networks PTX10008 router running SONiC supports ECN in 201911-r2 and
      later releases.

On Juniper Networks PTX10008 router running SONiC, ECN is controlled using the WRED drop profile
configuration.

      NOTE: ECN is supported only on the physical interface and not on AE interfaces.

WRED profiles are used to enable ECN. Without ECN enabled, a WRED profile drops packets based on
how full the buffer is. With ECN enabled, packets are marked rather than being dropped.

To configure ECN on SONiC, you need to:

1. Configure WRED profile. See “Configuring WRED” on page 41.

2. Enable ECN in the WRED profile.

     "WRED_PROFILE": {
                "AZURE": {
                    "ecn": "ecn_all",
        …
            }
      }
44

Configuring Port Mirroring

Port mirroring is also known as Everflow in SONiC. You use port mirroring to send traffic to devices that
analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions,
monitoring, and predicting traffic patterns, correlating events, and so on. Port mirroring is needed when
you want to perform traffic analysis because a device normally sends packets only to the port to which
the destination device is connected.

      NOTE: Juniper Networks PTX10008 router running SONiC supports port mirroring (Everflow)
      in 201911-r2 and later releases.

To configure port mirroring, you need to configure a port-mirroring instance.

You send the packets through a mirror session. The egress packet is GRE encapsulated. You can also apply
policing to the sampled packets.

The following is a sample to configure port mirroring (Everflow) in SONiC:

  "MIRROR_SESSION": {
            "everflow0": {
                      "src_ip": "192.168.1.1",
                      "dst_ip": "192.168.2.1"
            }
       },

  "ACL_TABLE": {
            "EVERFLOW": {
                      "policy_desc" : "EVERFLOW_ALWAYS_ON",
                      "type": "MIRROR",
                      "ports": [
                                "Ethernet4",
                      ]
            }
       }
  "ACL_RULE": {
            "EVERFLOW |rule_1": {
            "priority": "9999",
            "mirror_action": "everflow0",
            "dscp": "16/31"
            },
      }
45

ACL and mirroring-related configurations are defined in MIRROR_SESSION,ACL_TABLE, and ACL_RULE
tables.

Configuring Media Access Control Security

Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is
defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols,
such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.

MACsec can identify and prevent most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet
link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation
Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol
(ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with
other security solutions.

Juniper Networks' PTX10008 router running SONiC supports MACsec. The PTX10008 router with up to
400G line rate MACsec works seamlessly on SONiC.

      NOTE: Juniper Networks PTX10008 router running SONiC supports MACsec in 201911-r2 and
      later releases.

To configure MACsec on a port in SONiC, you need to include the port name to the MACSEC_PORT
stanza in /etc/sonic/config_db.json as shown below:

  MACSEC_PORT {
  Ethernet,
  ...
  }

Use the following CLI commands to enable and disable MACsec dynamically on SONiC as an alternative
to config_db.json:

config macsec add Ethernet

config macsec remove Ethernet
46

To configure the MACsec security behavior in wpa-supplicant, a configuration file must be added for each
SONiC port that is enabled for MACsec. The wpa-supplicant configuration file should be named as
/etc/sonic/macsec/Ethernet.conf.

The content of the wpa-supplicant configuration file syntax is documented by the wpa-supplicant project
as follows:

  update_config=1
  ctrl_interface=/var/run/wpa_supplicant
  eapol_version=3
  ap_scan=0

      NOTE: The content of the wpa_supplicant configuration file is fixed and should not be modified.

Configuring MACsec with Pre-shared Key

MACsec security keys and sessions are managed by the MACsec Key Agreement (MKA) protocol software
stack.

You can configure MACsec with a pre-shared key as shown below:

  network={
       key_mgmt=NONE
       eapol_flags=0
       macsec_policy=1
       macsec_integ_only=0
       macsec_ciphersuite=1
       macsec_port=1
  ....macsec_include_sci=0
       mka_cak=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
       mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
       mka_priority=1
  }
You can also read