Configuration and Settings
Platform Configuration and Settings
This section provides information about the platform and how to set various required configurations for the platform.
Know your Device
The configurations provided in this reference design document (C-BNG IPoE implementation) are generated on the UfiSpace S9600-72XC platform. The UfiSpace S9600-72XC is a multi-function, disaggregated white box aggregation routing platform that is equipped with Broadcom's Qumran2c chipset. It features 64x25GE [1GbE/10GbE/25GbE] and 8x100GE [40GbE/100GbE] high-speed ports with a switching capacity of up to 2.4 Tbps.
The RBFS C-BNG software is installed on top of the UfiSpace S9600-72XC.
Although the specific device used here is UfiSpace S9600-72XC, the configuration will stay exactly the same for any other device that supports the C-BNG image.
For more information about the hardware specifications of UfiSpace S9600-72XC, see the Platform Guide.
Prerequisites
- Access to BNG Blaster, an open-source network testing platform for access and routing protocols. For information on obtaining and building BNG Blaster, see https://rtbrick.github.io/bngblaster/.
- Access to FreeRADIUS, a free RADIUS suite. For accessing FreeRADIUS, see https://freeradius.org/.
- Access to a Syslog server.
Restore Configuration
Depending on the deployment scenario, a running configuration can be applied or restored as needed.
To enable configuration restore, enter the set system load-last-config true command as shown below.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> set system load-last-config true
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> commit
For more information, see the section "Running Configuration" of the RBFS NOC Troubleshooting Guide.
General Configuration
To enable testing, some basic primitives need to be configured. These general configurations include a loopback interface for identifying and accessing the device on the network, NTP for setting accurate time across a whole network of devices, TACACS+ for user authentication, user management for local user configuration, a license for accessing RBFS, Resmon for resource monitoring, and Syslog for exporting log messages to an external log management server.
Configure License
Without any license installed on your system, you can evaluate RBFS for 7 days. You need to get an evaluation license or purchase an actual license within 7 days to use the full functionality of RBFS.
The following steps provide the commands to install an RBFS license key. For more information about license configuration, see Installing License.
Switch to config mode using the switch-mode config command to continue with the RBFS configurations.
supervisor@rtbrick>C-BNG.rtbrick.net: op> switch-mode config
supervisor@rtbrick>C-BNG.rtbrick.net: cfg>
Install the license encrypted string (that is received from RtBrick) using the RBFS CLI.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> set system license <license-key>
RBFS license configuration is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: op> show config system license
AAAAWsfg&jdkfs4D34H5@2evf...
As shown below, the "show system license" command displays the expiration date for the current license.
supervisor@rtbrick>C-BNG.rtbrick.net: op> show system license
License Validity:
License index 1:
Start date : Tue Feb 28 09:44:27 GMT +0000 2023
End date : Mon Mar 04 09:44:27 GMT +0000 2024
supervisor@rtbrick>C-BNG.rtbrick.net: op>
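As an added example (not part of the RtBrick documentation), the following Python script parses the show system license output above and reports the remaining validity, so that an approaching expiry is caught by monitoring instead of being noticed when the license stops working. The exact output layout and the 30-day warning threshold are assumptions.

```python
# Added example: parse "show system license" output and classify the license
# as ok / expiring / expired. The output layout is assumed from this page.
import re
from datetime import datetime, timezone

# Constructed copy of the "show system license" output shown on this page.
SAMPLE_OUTPUT = """License Validity:
License index 1:
Start date : Tue Feb 28 09:44:27 GMT +0000 2023
End date : Mon Mar 04 09:44:27 GMT +0000 2024"""

# Date layout as printed by the CLI, e.g. "Tue Feb 28 09:44:27 GMT +0000 2023".
DATE_FMT = "%a %b %d %H:%M:%S GMT %z %Y"
DATE_RE = r"\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d GMT [+-]\d{4} \d{4}"
ENTRY = re.compile(
    rf"License index (\d+):\s*Start date : ({DATE_RE})\s*End date : ({DATE_RE})")


def parse_licenses(text):
    """Return {index: (start, end)} as timezone-aware datetimes."""
    return {int(idx): (datetime.strptime(start, DATE_FMT),
                       datetime.strptime(end, DATE_FMT))
            for idx, start, end in ENTRY.findall(text)}


def license_status(text, now=None, warn_days=30):
    """Classify the latest-expiring license as 'ok', 'expiring' or 'expired'
    and return the number of whole days remaining (negative once expired).
    `now` may be an ISO-8601 string with UTC offset, or None for the current time."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    elif now is None:
        now = datetime.now(timezone.utc)
    licenses = parse_licenses(text)
    if not licenses:
        return "none", None
    end = max(e for _, e in licenses.values())
    remaining = (end - now).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


if __name__ == "__main__":
    print(license_status(SAMPLE_OUTPUT))
```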
Configure Instance
The instance default is available by default without any configuration.
Create the instance inband_mgmt by entering the following commands.
set instance inband_mgmt
set instance inband_mgmt address-family ipv4 unicast
commit
The configuration of the instance inband_mgmt is shown below.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config instance inband_mgmt
{
  "rtbrick-config:instance": [
    {
      "name": "inband_mgmt",
      "address-family": [
        {
          "afi": "ipv4",
          "safi": "unicast"
        }
      ]
    }
  ]
}
The details of the configured instances are shown below.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show instance detail
Instance: default
Instance ID: 0
State: Active
AFI   SAFI             State
ipv4  unicast          Active
ipv4  multicast        Active
ipv4  labeled-unicast  Active
ipv6  unicast          Active
ipv6  multicast        Active
ipv6  labeled-unicast  Active
mpls  unicast          Active
Instance: inband_mgmt
Instance ID: 3
State: Active
AFI   SAFI             State
ipv4  unicast          Active
Configure Loopback Interface
A loopback interface is required because it is the best way to identify a network device and it is always reachable. Protocols also use the loopback address to determine protocol-specific properties of the device.
The following steps provide the commands to configure the loopback interface. For more information about Loopback Interface configuration, see the Interfaces User Guide.
Configure the loopback interface on the device.
set interface lo-0/0/1 unit 0 address ipv4 192.0.2.64/32
set interface lo-0/0/1 unit 1 address ipv4 192.0.2.74/32
set interface lo-0/0/1 unit 2 instance inband_mgmt
set interface lo-0/0/1 unit 2 address ipv4 192.0.2.128/32
set interface lo-0/0/1 unit 3 instance inband_mgmt
set interface lo-0/0/1 unit 3 address ipv4 192.0.2.131/32
commit
The configuration commands should be followed by the commit command to save the configuration on the device.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> commit
Loopback interface configuration is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config interface lo-0/0/1
{
  "rtbrick-config:interface": [
    {
      "name": "lo-0/0/1",
      "unit": [
        {
          "unit-id": 0,
          "address": { "ipv4": [ { "prefix4": "192.0.2.64/32" } ] }
        },
        {
          "unit-id": 1,
          "address": { "ipv4": [ { "prefix4": "192.0.2.74/32" } ] }
        },
        {
          "unit-id": 2,
          "instance": "inband_mgmt",
          "address": { "ipv4": [ { "prefix4": "192.0.2.128/32" } ] }
        },
        {
          "unit-id": 3,
          "instance": "inband_mgmt",
          "address": { "ipv4": [ { "prefix4": "192.0.2.131/32" } ] }
        }
      ]
    }
  ]
}
Configure IP Addresses for Core Interfaces
Enter the following commands to configure IP addresses for the core interfaces.
set interface ifp-0/1/31 unit 10
set interface ifp-0/1/31 unit 10 vlan 10
set interface ifp-0/1/31 unit 10 address ipv4 192.0.2.1/27
set interface ifp-0/1/31 unit 10 address ipv6 2001:db8::1/64
set interface ifp-0/1/31 unit 100
set interface ifp-0/1/31 unit 100 vlan 100
set interface ifp-0/1/31 unit 100 address ipv4 192.0.2.33/27
set interface ifp-0/1/31 unit 200
set interface ifp-0/1/31 unit 200 instance inband_mgmt
set interface ifp-0/1/31 unit 200 vlan 200
set interface ifp-0/1/31 unit 200 address ipv4 192.0.2.97/27
commit
The IP address configuration for the core interfaces is shown below.
{
  "rtbrick-config:interface": [
    {
      "name": "ifp-0/1/31",
      "unit": [
        {
          "unit-id": 10,
          "vlan": 10,
          "address": {
            "ipv4": [ { "prefix4": "192.0.2.1/27" } ],
            "ipv6": [ { "prefix6": "2001:db8::1/64" } ]
          }
        },
        {
          "unit-id": 100,
          "vlan": 100,
          "address": { "ipv4": [ { "prefix4": "192.0.2.33/27" } ] }
        },
        {
          "unit-id": 200,
          "instance": "inband_mgmt",
          "vlan": 200,
          "address": { "ipv4": [ { "prefix4": "192.0.2.97/27" } ] }
        }
      ]
    }
  ]
}
Configure Static Routes to Enable Reachability to the NTP and TACACS Servers
The following static routes enable reachability to the NTP (192.0.2.129) and TACACS+ (192.0.2.130) servers. On the Service Node, 192.0.2.98 is the interface address on VLAN 200. How to configure IP addresses on the Service Node is explained later in this document; for details, see [config-interface-sn].
set instance inband_mgmt static route ipv4 192.0.2.129/32 unicast np1
set instance inband_mgmt static route ipv4 192.0.2.130/32 unicast np1
set instance inband_mgmt static nexthop-profile np1
set instance inband_mgmt static nexthop-profile np1 nexthop 192.0.2.98
set instance inband_mgmt static nexthop-profile np1 lookup-instance inband_mgmt
set instance inband_mgmt static nexthop-profile np1 lookup-afi ipv4
set instance inband_mgmt static nexthop-profile np1 lookup-safi unicast
commit
The configuration of the static routes is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config instance inband_mgmt static
{
  "rtbrick-config:static": {
    "route": {
      "ipv4": [
        {
          "prefix4": "192.0.2.129/32",
          "safi": "unicast",
          "nexthop-profile": "np1"
        },
        {
          "prefix4": "192.0.2.130/32",
          "safi": "unicast",
          "nexthop-profile": "np1"
        }
      ]
    },
    "nexthop-profile": [
      {
        "name": "np1",
        "nexthop": "192.0.2.98",
        "lookup-instance": "inband_mgmt",
        "lookup-afi": "ipv4",
        "lookup-safi": "unicast"
      }
    ]
  }
}
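As an added example (not part of the RtBrick documentation), the following Python script cross-checks the static route and interface configuration shown above: every route must reference an existing nexthop-profile, and the profile's next-hop must lie on a network directly connected in the lookup instance. A wrong next-hop or lookup instance would silently cut the C-BNG off from the NTP and TACACS+ servers, which is exactly what such a pre-commit check is meant to catch. The JSON documents are constructed copies of the show config output on this page; treating units without an explicit instance as belonging to the default instance is an assumption.

```python
# Added example: validate that inband_mgmt static routes resolve to a
# directly connected next-hop. Inputs are constructed copies of the
# "show config" JSON shown on this page.
import ipaddress

INTERFACES = {"rtbrick-config:interface": [{"name": "ifp-0/1/31", "unit": [
    {"unit-id": 10, "vlan": 10, "address": {"ipv4": [{"prefix4": "192.0.2.1/27"}]}},
    {"unit-id": 100, "vlan": 100, "address": {"ipv4": [{"prefix4": "192.0.2.33/27"}]}},
    {"unit-id": 200, "instance": "inband_mgmt", "vlan": 200,
     "address": {"ipv4": [{"prefix4": "192.0.2.97/27"}]}}]}]}

STATIC = {"rtbrick-config:static": {
    "route": {"ipv4": [
        {"prefix4": "192.0.2.129/32", "safi": "unicast", "nexthop-profile": "np1"},
        {"prefix4": "192.0.2.130/32", "safi": "unicast", "nexthop-profile": "np1"}]},
    "nexthop-profile": [{"name": "np1", "nexthop": "192.0.2.98",
                         "lookup-instance": "inband_mgmt",
                         "lookup-afi": "ipv4", "lookup-safi": "unicast"}]}}


def connected_networks(interfaces, instance):
    """Return the IPv4 networks directly connected in `instance`.
    Assumption: a unit without an explicit instance belongs to 'default'."""
    nets = []
    for ifp in interfaces["rtbrick-config:interface"]:
        for unit in ifp["unit"]:
            if unit.get("instance", "default") != instance:
                continue
            for addr in unit.get("address", {}).get("ipv4", []):
                nets.append(ipaddress.ip_interface(addr["prefix4"]).network)
    return nets


def check_static_routes(static, interfaces):
    """Return a list of problems; an empty list means every route resolves."""
    cfg = static["rtbrick-config:static"]
    profiles = {p["name"]: p for p in cfg.get("nexthop-profile", [])}
    problems = []
    for route in cfg["route"]["ipv4"]:
        prof = profiles.get(route["nexthop-profile"])
        if prof is None:
            problems.append(f"{route['prefix4']}: unknown nexthop-profile "
                            f"{route['nexthop-profile']}")
            continue
        nh = ipaddress.ip_address(prof["nexthop"])
        nets = connected_networks(interfaces, prof["lookup-instance"])
        if not any(nh in net for net in nets):
            problems.append(f"{route['prefix4']}: next-hop {nh} is not on a "
                            f"connected network in {prof['lookup-instance']}")
    return problems


if __name__ == "__main__":
    print(check_static_routes(STATIC, INTERFACES) or "all static routes resolve")
```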
Configure NTP
Configuring NTP (Network Time Protocol) provides time synchronization across a whole network of devices. An NTP network consists of client devices that are synchronized with an NTP server, which provides accurate time to the clients.
The following steps provide the commands to configure Network Time Protocol (NTP) for the device. For more information about NTP configuration, see the NTP User Guide.
Enabling NTP Service:
To access the NTP service running in the ONL, this service has to be enabled in inband management. Once this is configured, hosts reachable in the inband instance via the physical interface can access the service.
Configure the NTP server and NTP service on the device.
set system ntp server ntp1
set system ntp server ntp1 ipv4-address 192.0.2.129
set inband-management instance inband_mgmt
set inband-management instance inband_mgmt ntp true
commit
NTP configuration is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config inband-management
{
  "rtbrick-config:inband-management": {
    "instance": [
      {
        "name": "inband_mgmt",
        "ntp": "true"
      }
    ]
  }
}
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config system ntp
{
  "rtbrick-config:ntp": {
    "server": [
      {
        "server-name": "ntp1",
        "ipv4-address": "192.0.2.129"
      }
    ]
  }
}
User Authentication
RBFS supports user authentication through a centralized TACACS+ server and through a local authentication system. The following authentication process typically occurs when a user attempts to access the network.
- When a user logs in through SSH, the SSH daemon (sshd) invokes the Pluggable Authentication Module (PAM) to trigger the authentication process.
- PAM requests TACACS+ authentication (except for the user with supervisor privileges).
- The TACACS+ server grants access if the user authentication is successful.
- If the user is not allowed by TACACS+ authentication, an additional authentication phase is required: PAM looks up local users. Upon successful authentication, PAM generates an RTB PAM token that includes the user role in its 'scope'.
Define Users on TACACS+ Server
The administrator needs to define users and associate them with the predefined roles on the TACACS+ server. Optionally, RBFS CLI commands can be restricted using the rtb-allow-cmds and rtb-deny-cmds attributes.
The tac_plus.conf file contains configuration information for the tac_plus (TACACS+) daemon. This file is stored at the following location:
/etc/tacacs+/tac_plus.conf
To view the TACACS+ server configuration file, enter the following command.
sudo cat /etc/tacacs+/tac_plus.conf
For more information about TACACS+ server configuration, see
This reference design document uses the default local user supervisor for the configurations, whereas other users, defined on the TACACS+ server, can log into RBFS by using their usernames and passwords.
The TACACS+ configuration showing the details of the TACACS+ users is provided in the downloadable tac_plus.conf file.
Configure TACACS+ on RBFS
After defining the users on the TACACS+ server, configure the TACACS+ server on C-BNG. This configuration allows the remote TACACS+ server to communicate with the C-BNG and to validate user access on the network.
The following steps provide the commands to configure TACACS+. For more information about TACACS+ configuration, see Configure TACACS+ on RBFS.
To access the TACACS+ service running in the ONL, this service has to be enabled in inband management. Once this is configured, hosts reachable in the inband instance via the physical interface can access the service.
set system secure-management-status true
set system authorization tacacs 192.0.2.130 inband secret-plain-text RtBrick_Little_Secret
set inband-management instance inband_mgmt tacacs true
commit
In the above configuration, the command set inband-management instance inband_mgmt tacacs true is used to enable TACACS+ under the instance called inband_mgmt.
TACACS+ configuration is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config system authorization
{
  "rtbrick-config:authorization": {
    "tacacs": [
      {
        "ipv4-address": "192.0.2.130",
        "type": "inband",
        "secret-encrypted-text": "$22464b2c7336cfe71e596c447be28d598b9b7b37f92faea157fd5058e5fe0d769"
      }
    ]
  }
}
Configuration for enabling TACACS+ under the instance inband_mgmt is shown below:
"rtbrick-config:inband-management": {
  "instance": [
    {
      "name": "inband_mgmt",
      "tacacs": "true"
    }
  ]
},
Enabling TACACS+ Service on the Service Node
Enter the following commands to enable the TACACS+ service on the Service Node.
~$ sudo /bin/systemctl enable tacacs_plus.service
~$ sudo /bin/systemctl start tacacs_plus.service
Validating TACACS+ authentication
The following scenario shows a successful authentication for the user bob with password bob.
~$ ssh bob@C-BNG.rtbrick.net
bob@C-BNG.rtbrick.net's password:
Last login: Mon Apr 3 16:13:40 2023 from C-BNG.rtbrick.net
bob@rtbrick>C-BNG.rtbrick.net: op>
The following scenario shows an unsuccessful password authentication for the user bob with password bob123.
~$ ssh bob@rtbrick>C-BNG.rtbrick.net:
bob@C-BNG.rtbrick.net's password:
Permission denied, please try again.
bob@C-BNG.rtbrick.net's password:
The following scenario shows an unsuccessful authentication for an undefined user frank.
~$ ssh frank@rtbrick>C-BNG.rtbrick.net:
frank@C-BNG.rtbrick.net's password:
Permission denied, please try again.
frank@C-BNG.rtbrick.net's password:
accounting file = /var/log/tac_plus.acct
key = RtBrick_Little_Secret
Configure User Management
Configuring Local User Management enables administrators to create, manage, and secure the users and groups. It allows creation of privileges that are configurable for user-defined and predefined roles.
The following steps provide the commands to configure user management. For more information about user management configuration, see Local User Management.
To create a role, configure the RBAC privilege and the command privilege. To configure the RBAC privilege for both table and object:
set system user admin role supervisor
set system user admin shell /bin/bash
set system user admin password-hashed-text $6$XNkmuMRI.5.R/NBJ$XDfZec7gEM3z/3lYn8mDDWimRZ/68xawia.pTMdrGqoYHEE3nWHB08DeaPNQTwHW6WjB1aX6.xjYjh8CNCy4g1
commit
For information about configuring a hashed password, see Configure Hashed Password.
Authentication configuration of a password hashed text and an SSH public key is shown below:
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "admin",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAWsfg&jdkfs4D34H5@2evf....."
          ]
        }
      ]
    }
  }
}
Configure Syslog
RBFS supports sending log messages to a Syslog server. The Syslog configuration can be performed in RBFS.
To configure logging for bgp by using Syslog, enter the following commands.
set log module bgp
set log module bgp level debug
set log module bgp plugin-alias
set log module bgp plugin-alias alias-name syslog
set log module bgp plugin-alias level debug
commit
For event logging, CtrlD only supports Graylog and Syslog. Graylog must be disabled in order to enable Syslog. In addition, Graylog attributes must be replaced with Syslog attributes.
Syslog configuration for the module bgp is shown below:
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config log
{
  "rtbrick-config:log": {
    "module": [
      {
        "module-name": "bgp",
        "level": "debug",
        "plugin-alias": {
          "alias-name": "syslog",
          "level": "debug"
        }
      }
    ]
  }
}
Accessing the ONL to Configure Syslog
The steps described in this section are performed on the ONL (Open Network Linux). For logging into the ONL, use SSH port 1022.
ssh supervisor@<C-BNG-management-ip> -p 1022
After logging into the ONL, edit the CtrlD config.json file at the following location:
/etc/rtbrick/ctrld/config.json
Specify the Syslog configuration in the config.json file as shown below.
{
  "rbms_enable": false,
  "graylog_enable": false,
  "syslog_enable": true,
  "syslog_network": "udp",
  "syslog_urls": [ "198.51.100.49:516" ],
  "syslog_severity_level": 7,
  "auth_enabled": false
}
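As an added example (not part of the RtBrick documentation), the following Python script is a pre-flight check for the CtrlD config.json event-logging settings, meant to run before the rtbrick-ctrld service is restarted. It enforces the constraint stated above (Graylog must be disabled when Syslog is enabled) and checks that the Syslog attributes are present and well-formed; accepting "tcp" in addition to "udp" for syslog_network is an assumption, as is the sample config, which is a constructed copy of the fragment shown on this page.

```python
# Added example: validate the CtrlD config.json syslog settings before a
# restart, so that a misconfiguration does not silently stop event export.
import json

# Constructed copy of the config.json fragment shown on this page.
SAMPLE_CONFIG = """{
  "rbms_enable": false,
  "graylog_enable": false,
  "syslog_enable": true,
  "syslog_network": "udp",
  "syslog_urls": [ "198.51.100.49:516" ],
  "syslog_severity_level": 7,
  "auth_enabled": false
}"""


def valid_url(url):
    """Accept host:port with a port in 1..65535 (the host is not resolved)."""
    host, sep, port = url.rpartition(":")
    return bool(sep and host) and port.isdigit() and 0 < int(port) < 65536


def check_syslog_config(text):
    """Return a list of problems with the event-logging settings in `text`."""
    cfg = json.loads(text)
    if not cfg.get("syslog_enable", False):
        return ["syslog_enable is not true; events will not reach the syslog server"]
    problems = []
    # Graylog and Syslog are mutually exclusive in CtrlD (see the note above).
    if cfg.get("graylog_enable", False):
        problems.append("graylog_enable must be false when syslog_enable is true")
    # "udp" is what this page uses; "tcp" is accepted here as an assumption.
    if cfg.get("syslog_network") not in ("udp", "tcp"):
        problems.append("syslog_network must be 'udp' or 'tcp'")
    urls = cfg.get("syslog_urls") or []
    if not urls:
        problems.append("syslog_urls is empty")
    problems += [f"bad syslog url: {u!r}" for u in urls if not valid_url(u)]
    level = cfg.get("syslog_severity_level")
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 7:
        problems.append("syslog_severity_level must be an integer 0..7")
    return problems


if __name__ == "__main__":
    print(check_syslog_config(SAMPLE_CONFIG) or "config.json syslog settings OK")
```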
After making configuration changes in config.json, restart the CtrlD service as shown below.
supervisor@onl>C-BNG.rtbrick.net:~ $ sudo service rtbrick-ctrld restart
[sudo] password for supervisor:
[ ok ] Stopping rtbrick ctrld service:.
[ ok ] Starting rtbrick ctrld service:.
Monitor Resources (Resmon)
Resource monitoring enables administrators to collect and analyze the health information and usage data of various hardware resources such as CPU, memory, processes, disks, sensors, optics, and so on.
Run show cpu usage, show memory usage and show disk usage to see the CPU, memory and disk utilization respectively.
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show cpu usage
Name   Total  User  System  Nice  I/O Wait  Idle  IRQ  Soft IRQ
cpu    11%    9%    1%      0%    0%        88%   0%   0%
cpu0   10%    8%    1%      0%    0%        89%   0%   0%
cpu1   44%    43%   1%      0%    0%        55%   0%   0%
cpu2   34%    32%   2%      0%    0%        66%   0%   0%
cpu3   11%    9%    2%      0%    0%        89%   0%   0%
cpu4   3%     1%    2%      0%    0%        96%   0%   0%
cpu5   4%     3%    1%      0%    0%        96%   0%   0%
cpu6   13%    11%   2%      0%    0%        87%   0%   0%
cpu7   24%    22%   1%      0%    0%        75%   0%   0%
cpu8   4%     2%    2%      0%    0%        95%   0%   0%
cpu9   2%     1%    1%      0%    0%        97%   0%   0%
cpu10  6%     4%    2%      0%    0%        93%   0%   0%
cpu11  3%     2%    1%      0%    0%        96%   0%   0%
cpu12  8%     6%    2%      0%    0%        91%   0%   0%
cpu13  3%     3%    0%      0%    0%        96%   0%   0%
cpu14  6%     4%    2%      0%    0%        93%   0%   0%
cpu15  8%     5%    2%      0%    0%        91%   0%   0%
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show memory usage
Name  Total      Used      Free       Shared    Buffers     Cached
RAM   31.03 GiB  8.51 GiB  17.04 GiB  1.19 GiB  112.66 MiB  5.37 GiB
SWAP  0 bytes    0 bytes   0 bytes    n/a       n/a         n/a
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show disk usage
Filesystem               Type      Size       Used        Available  Mountpoint          Usage %
none                     tmpfs     492 KiB    0 bytes     492 KiB    /dev                0.0
tmpfs                    tmpfs     15.51 GiB  17.23 MiB   15.5 GiB   /run                0.11
tmpfs                    tmpfs     6 GiB      828.75 MiB  5.19 GiB   /shm                13.49
tmpfs                    tmpfs     15.51 GiB  182.96 MiB  15.33 GiB  /dev/shm            1.15
tmpfs                    tmpfs     5 MiB      0 bytes     5 MiB      /run/lock           0.0
devtmpfs                 devtmpfs  1 MiB      0 bytes     1 MiB      /dev/mem            0.0
/dev/sda10               ext4      15.62 GiB  50.61 MiB   14.76 GiB  /var/log            0.33
/dev/sda6                ext4      29.4 GiB   4.24 GiB    23.65 GiB  /platform           15.2
tmpfs                    tmpfs     3.1 GiB    0 bytes     3.1 GiB    /run/user/1000      0.0
tmpfs                    tmpfs     3.1 GiB    0 bytes     3.1 GiB    /run/user/1001      0.0
tmpfs                    tmpfs     15.51 GiB  0 bytes     15.51 GiB  /sys/fs/cgroup      0.0
/dev/sda11               ext4      43.79 GiB  51.89 MiB   41.49 GiB  /var/crash          0.12
tmpfs                    tmpfs     3.1 GiB    1.02 MiB    3.1 GiB    /var/run-ext/onl/r  0.03
/var/cache/rtbrick/imag  overlay   29.4 GiB   4.24 GiB    23.65 GiB  /                   15.2
The show command can also be used to view other resource details. For information about the resmon configuration and operational commands, see the RBFS Resource Monitoring Guide.