Configuration and Settings

Platform Configuration and Settings

This section provides information about the platform and how to set various required configurations for the platform.

Know your Device

The configurations provided in this reference design document (C-BNG IPoE implementation) are generated on the UfiSpace S9600-72XC platform. The UfiSpace S9600-72XC is a multi-function, disaggregated white box aggregation routing platform that is equipped with Broadcom's Qumran2c chipset. It features 64x25GE [1GbE/10GbE/25GbE] and 8x100GE [40GbE/100GbE] high-speed ports with a switching capacity of up to 2.4 Tbps.

The RBFS C-BNG software is installed on top of the UfiSpace S9600-72XC.

Although the specific device used here is UfiSpace S9600-72XC, the configuration will stay exactly the same for any other device that supports the C-BNG image.

For more information about the hardware specifications of UfiSpace S9600-72XC, see the Platform Guide.

Prerequisites

  • Access to BNG Blaster, an open-source network testing platform for access and routing protocols. For information on obtaining and building BNG Blaster, see https://rtbrick.github.io/bngblaster/.

  • Access to FreeRADIUS, a free RADIUS suite. For accessing FreeRADIUS, see https://freeradius.org/.

  • Access to a Syslog server.

Restore Configuration

Depending on the deployment scenario, a running configuration can be applied or restored as needed.

To enable configuration restore, enter the set system load-last-config true command as shown below.

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> set system load-last-config true
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> commit

For more information, see the section "Running Configuration" of the RBFS NOC Troubleshooting Guide.

General Configuration

To enable testing, some basic primitives need to be configured. These general configurations include a loopback interface for identifying and reaching the device on the network, NTP for accurate time across the whole network of devices, TACACS+ for user authentication, local user management, a license for using RBFS, Resmon for resource monitoring, and Syslog for exporting log messages to an external log management server.

Configure License

Without any license installed on your system, you can evaluate RBFS for 7 days. You need to get an evaluation license or purchase an actual license within 7 days to use the full functionality of RBFS.

The following steps provide the commands to install an RBFS license key. For more information about license configuration, see Installing License.

Switch to config mode using the switch-mode config command to continue with the RBFS configurations.

supervisor@rtbrick>C-BNG.rtbrick.net: op> switch-mode config
supervisor@rtbrick>C-BNG.rtbrick.net: cfg>

Install the encrypted license string (received from RtBrick) using the RBFS CLI.

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> set system license <license-key>

RBFS license configuration is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: op> show config system license
AAAAWsfg&jdkfs4D34H5@2evf...

As shown below, the "show system license" command displays the expiration date for the current license.

supervisor@rtbrick>C-BNG.rtbrick.net: op> show system license
License Validity:
  License index 1:
    Start date : Tue Feb 28 09:44:27 GMT +0000 2023
    End date   : Mon Mar 04 09:44:27 GMT +0000 2024
supervisor@rtbrick>C-BNG.rtbrick.net: op>

Configure Instance

The instance default is present on the device without any configuration.

Create the instance inband_mgmt by entering the following commands.

set instance inband_mgmt
set instance inband_mgmt address-family ipv4 unicast
commit

The configurations of the instance inband_mgmt are shown below.

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config instance inband_mgmt
{
  "rtbrick-config:instance": [
    {
      "name": "inband_mgmt",
      "address-family": [
        {
          "afi": "ipv4",
          "safi": "unicast"
        }
      ]
    }
  ]
}

The instances now present on the device, with their address families, are shown below.

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show instance detail
Instance: default
  Instance ID: 0
  State: Active
  AFI        SAFI             State
  ipv4       unicast          Active
  ipv4       multicast        Active
  ipv4       labeled-unicast  Active
  ipv6       unicast          Active
  ipv6       multicast        Active
  ipv6       labeled-unicast  Active
  mpls       unicast          Active
Instance: inband_mgmt
  Instance ID: 3
  State: Active
  AFI        SAFI             State
  ipv4       unicast          Active

Configure Loopback Interface

A loopback interface is configured because it identifies the device independently of any single physical link and remains reachable as long as any path to the device exists. Protocols also use the loopback address to derive protocol-specific properties for the device.

The following steps provide the commands to configure the loopback interface. For more information about Loopback Interface configuration, see the Interfaces User Guide.

Configure loopback interface on the device.

set interface lo-0/0/1 unit 0 address ipv4 192.0.2.64/32
set interface lo-0/0/1 unit 1 address ipv4 192.0.2.74/32
set interface lo-0/0/1 unit 2 instance inband_mgmt
set interface lo-0/0/1 unit 2 address ipv4 192.0.2.128/32
set interface lo-0/0/1 unit 3 instance inband_mgmt
set interface lo-0/0/1 unit 3 address ipv4 192.0.2.131/32
commit

The configuration commands must be followed by the commit command to save the configuration to the device:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> commit

Loopback Interface configuration is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config interface lo-0/0/1
{
  "rtbrick-config:interface": [
    {
      "name": "lo-0/0/1",
      "unit": [
        {
          "unit-id": 0,
          "address": {
            "ipv4": [
              {
                "prefix4": "192.0.2.64/32"
              }
            ]
          }
        },
        {
          "unit-id": 1,
          "address": {
            "ipv4": [
              {
                "prefix4": "192.0.2.74/32"
              }
            ]
          }
        },
        {
          "unit-id": 2,
          "instance": "inband_mgmt",
          "address": {
            "ipv4": [
              {
                "prefix4": "192.0.2.128/32"
              }
            ]
          }
        },
        {
          "unit-id": 3,
          "instance": "inband_mgmt",
          "address": {
            "ipv4": [
              {
                "prefix4": "192.0.2.131/32"
              }
            ]
          }
        }
      ]
    }
  ]
}

Configure IP Addresses for Core Interfaces

Enter the following commands to configure IP addresses for the core interfaces.

set interface ifp-0/1/31 unit 10
set interface ifp-0/1/31 unit 10 vlan 10
set interface ifp-0/1/31 unit 10 address ipv4 192.0.2.1/27
set interface ifp-0/1/31 unit 10 address ipv6 2001:db8::1/64
set interface ifp-0/1/31 unit 100
set interface ifp-0/1/31 unit 100 vlan 100
set interface ifp-0/1/31 unit 100 address ipv4 192.0.2.33/27
set interface ifp-0/1/31 unit 200
set interface ifp-0/1/31 unit 200 instance inband_mgmt
set interface ifp-0/1/31 unit 200 vlan 200
set interface ifp-0/1/31 unit 200 address ipv4 192.0.2.97/27
commit

The IP address configuration for the core interfaces is shown below.

{
    "rtbrick-config:interface": [
      {
        "name": "ifp-0/1/31",
        "unit": [
          {
            "unit-id": 10,
            "vlan": 10,
            "address": {
              "ipv4": [
                {
                  "prefix4": "192.0.2.1/27"
                }
              ],
              "ipv6": [
                {
                  "prefix6": "2001:db8::1/64"
                }
              ]
            }
          },
          {
            "unit-id": 100,
            "vlan": 100,
            "address": {
              "ipv4": [
                {
                  "prefix4": "192.0.2.33/27"
                }
              ]
            }
          },
          {
            "unit-id": 200,
            "instance": "inband_mgmt",
            "vlan": 200,
            "address": {
              "ipv4": [
                {
                  "prefix4": "192.0.2.97/27"
                }
              ]
            }
          }
        ]
      }
    ]
}

Configure Static Routes to Enable Reachability to the NTP and TACACS Servers

The static routes below provide reachability to the NTP server (192.0.2.129) and the TACACS+ server (192.0.2.130). The next hop 192.0.2.98 is the interface address of the Service Node on VLAN 200; configuring IP addresses on the Service Node is described later in this document. For details, see [config-interface-sn].

set instance inband_mgmt static route ipv4 192.0.2.129/32 unicast np1
set instance inband_mgmt static route ipv4 192.0.2.130/32 unicast np1
set instance inband_mgmt static nexthop-profile np1
set instance inband_mgmt static nexthop-profile np1 nexthop 192.0.2.98
set instance inband_mgmt static nexthop-profile np1 lookup-instance inband_mgmt
set instance inband_mgmt static nexthop-profile np1 lookup-afi ipv4
set instance inband_mgmt static nexthop-profile np1 lookup-safi unicast
commit

The configuration of the static routes is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config instance inband_mgmt static
{
  "rtbrick-config:static": {
    "route": {
      "ipv4": [
        {
          "prefix4": "192.0.2.129/32",
          "safi": "unicast",
          "nexthop-profile": "np1"
        },
        {
          "prefix4": "192.0.2.130/32",
          "safi": "unicast",
          "nexthop-profile": "np1"
        }
      ]
    },
    "nexthop-profile": [
      {
        "name": "np1",
        "nexthop": "192.0.2.98",
        "lookup-instance": "inband_mgmt",
        "lookup-afi": "ipv4",
        "lookup-safi": "unicast"
      }
    ]
  }
}

Configure NTP

Configuring NTP (Network Time Protocol) provides time synchronization across a whole network of devices. An NTP network consists of devices (clients) that are synchronized with an NTP server, which provides accurate time to the client devices.

The following steps provide the commands to configure Network Time Protocol (NTP) for the device. For more information about NTP configuration, see the NTP User Guide.

Enabling NTP Service:

The NTP service runs in the ONL. To make it reachable from the inband network, it has to be enabled for the inband-management instance. Once this is configured, hosts reachable in the inband instance via the physical interfaces can access the service.

Configure NTP server and NTP service on the device.

set system ntp server ntp1
set system ntp server ntp1 ipv4-address 192.0.2.129
set inband-management instance inband_mgmt
set inband-management instance inband_mgmt ntp true
commit

NTP configuration is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config inband-management
{
    "rtbrick-config:inband-management": {
      "instance": [
        {
          "name": "inband_mgmt",
          "ntp": "true"
        }
      ]
    }
  }
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config system ntp
{
    "rtbrick-config:ntp": {
      "server": [
        {
          "server-name": "ntp1",
          "ipv4-address": "192.0.2.129"
        }
      ]
    }
  }

User Authentication

RBFS supports user authentication through a centralized TACACS+ server and through the local user database. The following authentication process typically occurs when a user attempts to access the device.

  1. When a user logs in through SSH, the SSH daemon (sshd) invokes the Pluggable Authentication Module (PAM) to trigger the authentication process.

  2. PAM requests TACACS+ authentication (except for the user with supervisor privileges).

  3. If the user is authenticated successfully, the TACACS+ server returns a 'grant access' response.

  4. If the TACACS+ server does not authenticate the user, an additional authentication phase is required: PAM looks up the local users. Upon successful authentication, PAM generates an RTB PAM token that includes the user role in its 'scope'.

Define Users on TACACS+ Server

The administrator needs to define users on the TACACS+ server and associate them with the predefined roles. Optionally, the RBFS CLI commands available to a user can be restricted using the rtb-allow-cmds and rtb-deny-cmds attributes.

The tac_plus.conf file contains configuration information for the tac_plus(tacacs+) daemon. This file is stored at the following location:

/etc/tacacs+/tac_plus.conf

To view the TACACS+ server configuration file, enter the following command.

sudo cat /etc/tacacs+/tac_plus.conf

For more information about TACACS+ server configuration, see

This Reference Design document uses the default local user supervisor for the configurations, whereas other users, defined in the TACACS server, can log into RBFS by using their usernames and passwords.

The tac_plus.conf file used in this reference design defines the TACACS+ users and is provided as a download with this document.

Configure TACACS+ on RBFS

After defining the users on the TACACS+ server, configure the TACACS+ server on C-BNG. This configuration allows the remote TACACS+ server to communicate with the C-BNG and to validate user access on the network.

The following steps provide the commands to configure TACACS+. For more information about TACACS+ configuration, see Configure TACACS+ on RBFS.

The TACACS+ client service runs in the ONL. To make it reachable from the inband network, it has to be enabled for the inband-management instance. Once this is configured, hosts reachable in the inband instance via the physical interfaces can access the service.

set system secure-management-status true
set system authorization tacacs 192.0.2.130 inband secret-plain-text RtBrick_Little_Secret
set inband-management instance inband_mgmt tacacs true
commit

In the above configuration, the command set inband-management instance inband_mgmt tacacs true enables TACACS+ under the instance called inband_mgmt. The shared secret is entered in plain text (secret-plain-text) but is stored and displayed in encrypted form (secret-encrypted-text), as the output below shows.

TACACS+ configuration is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config system authorization
{
  "rtbrick-config:authorization": {
    "tacacs": [
      {
        "ipv4-address": "192.0.2.130",
        "type": "inband",
        "secret-encrypted-text": "$22464b2c7336cfe71e596c447be28d598b9b7b37f92faea157fd5058e5fe0d769"
      }
    ]
  }
}

Configuration for enabling TACACS+ under the instance inband_mgmt is shown below:

{
  "rtbrick-config:inband-management": {
    "instance": [
      {
        "name": "inband_mgmt",
        "tacacs": "true"
      }
    ]
  }
}

Enabling TACACS+ Service on the Service Node

Enter the following commands to enable the TACACS service on the Service Node.

~$ sudo /bin/systemctl enable tacacs_plus.service
~$ sudo /bin/systemctl start tacacs_plus.service

Validating TACACS+ authentication

The following scenario shows a successful authentication for the user bob with password bob.

~$ ssh bob@C-BNG.rtbrick.net
bob@C-BNG.rtbrick.net's password:
Last login: Mon Apr 3 16:13:40 2023 from C-BNG.rtbrick.net
bob@rtbrick>C-BNG.rtbrick.net: op>

The following scenario shows an unsuccessful password authentication for the user bob with password bob123.

~$ ssh bob@C-BNG.rtbrick.net
bob@C-BNG.rtbrick.net's password:
Permission denied, please try again.
bob@C-BNG.rtbrick.net's password:

The following scenario shows an unsuccessful authentication for the undefined user frank.

~$ ssh frank@C-BNG.rtbrick.net
frank@C-BNG.rtbrick.net's password:
Permission denied, please try again.
frank@C-BNG.rtbrick.net's password:

For TACACS+ authentication to succeed, the shared secret in tac_plus.conf on the Service Node must match the secret configured on the C-BNG with secret-plain-text. The relevant tac_plus.conf directives are:

accounting file = /var/log/tac_plus.acct
key = RtBrick_Little_Secret

Configure User Management

Configuring Local User Management enables administrators to create, manage, and secure the users and groups. It allows creation of privileges that are configurable for user-defined and predefined roles.

The following steps provide the commands to configure user management. For more information about user management, see Local User Management.

  1. Create a local user and assign it a predefined role. The following commands create the user admin with the role supervisor, set its login shell, and set a hashed password:

set system user admin role supervisor
set system user admin shell /bin/bash
set system user admin password-hashed-text $6$XNkmuMRI.5.R/NBJ$XDfZec7gEM3z/3lYn8mDDWimRZ/68xawia.pTMdrGqoYHEE3nWHB08DeaPNQTwHW6WjB1aX6.xjYjh8CNCy4g1
commit

For information about Configuring hashed password, see Configure Hashed Password.

The resulting authentication configuration, with a hashed password and an SSH public key, is shown below:

{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "admin",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAWsfg&jdkfs4D34H5@2evf....."
            ]
        }
      ]
    }
  }
}
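Two checks a practitioner will want before committing the values above: that password-hashed-text is a salted SHA-crypt string (scheme $5$ or $6$, as in this document) rather than a legacy MD5 or DES hash, and that an ssh-pub-key line actually decodes and declares the key type its blob contains. The following is an added example and not RtBrick code; the function names and the constructed sample key are this example's own, and the hashes it is run against are the ones shown in this section.

```python
"""Format checks for RBFS local-user credentials (added example, not RtBrick code).

check_password_hash() parses the modular crypt format "$id$[rounds=N$]salt$hash"
and accepts only SHA-crypt ($5$ sha256-crypt, $6$ sha512-crypt) with a digest
of the correct length.  check_ssh_pub_key() decodes an OpenSSH one-line public
key and verifies that the key type embedded in the blob matches the declared one.
"""
import base64
import re
import struct

_MCF = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)

# scheme id -> (name, length of the digest field in crypt's base64 alphabet)
_SHA_CRYPT = {"5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}


def check_password_hash(value: str) -> dict:
    """Return a report dict; 'ok' is True only for a well-formed SHA-crypt hash."""
    m = _MCF.match(value)
    if not m:
        return {"ok": False, "reason": "not in modular crypt format"}
    scheme_id = m.group("id")
    if scheme_id not in _SHA_CRYPT:
        return {"ok": False, "reason": f"weak or unsupported scheme id ${scheme_id}$"}
    name, expected_len = _SHA_CRYPT[scheme_id]
    if len(m.group("hash")) != expected_len:
        return {"ok": False, "reason": f"{name} digest must be {expected_len} chars"}
    rounds = int(m.group("rounds")) if m.group("rounds") else 5000  # SHA-crypt default
    return {"ok": True, "scheme": name, "rounds": rounds, "salt_len": len(m.group("salt"))}


def check_ssh_pub_key(line: str) -> dict:
    """Decode '<type> <base64> [comment]' and compare the declared type with the
    string at the start of the SSH wire-format blob; truncated or mangled keys fail."""
    parts = line.split()
    if len(parts) < 2:
        return {"ok": False, "reason": "expected '<type> <base64> [comment]'"}
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (type_len,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + type_len].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return {"ok": False, "reason": "key blob is not valid base64/SSH wire format"}
    if embedded != key_type:
        return {"ok": False, "reason": f"declared {key_type} but blob says {embedded}"}
    return {"ok": True, "type": key_type, "comment": " ".join(parts[2:])}


def _wire_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample key (all-zero ed25519 point); for format testing only.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _wire_string(b"ssh-ed25519") + _wire_string(bytes(32))).decode() + " test@example"


if __name__ == "__main__":
    for candidate in (
        "$6$XNkmuMRI.5.R/NBJ$XDfZec7gEM3z/3lYn8mDDWimRZ/68xawia.pTMdrGqoYHEE3nWHB08DeaPNQTwHW6WjB1aX6.xjYjh8CNCy4g1",
        "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
        "$1$abcdefgh$" + "a" * 22,
    ):
        print(check_password_hash(candidate))
    print(check_ssh_pub_key(SAMPLE_ED25519))
    print(check_ssh_pub_key("ssh-rsa AAAAWsfg&jdkfs4D34H5@2evf....."))
```

The placeholder key printed in this section's JSON is rejected by the second check because its blob is not valid base64; the two hashes shown in this section pass the first.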

Configure Syslog

RBFS supports sending log messages to a Syslog server. The Syslog configuration can be performed in RBFS.

To configure logging for bgp by using Syslog, enter the following commands.

set log module bgp
set log module bgp level debug
set log module bgp plugin-alias
set log module bgp plugin-alias alias-name syslog
set log module bgp plugin-alias level debug
commit

For event logging, CtrlD supports only Graylog and Syslog. Graylog must be disabled in order to enable Syslog, and the Graylog attributes in the CtrlD configuration must be replaced with Syslog attributes.

Syslog configuration for the module bgp is shown below:

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show config log
{
  "rtbrick-config:log": {
    "module": [
      {
        "module-name": "bgp",
        "level": "debug",
        "plugin-alias": {
          "alias-name": "syslog",
          "level": "debug"
        }
      }
    ]
  }
}

Accessing the ONL to Configure Syslog

The steps described in this section are performed on the ONL (Open Network Linux). For logging into the ONL, use SSH port 1022.

ssh supervisor@<C-BNG-management-ip> -p 1022

After logging into the ONL, go to the following location of CtrlD and edit the config.json file.

  • /etc/rtbrick/ctrld/config.json

Specify the Syslog configurations as shown below in the config.json file.

{
    "rbms_enable": false,
    "graylog_enable": false,
    "syslog_enable": true,
    "syslog_network": "udp",
    "syslog_urls": [
      "198.51.100.49:516"
    ],
    "syslog_severity_level": 7,
    "auth_enabled": false
}
  • For documentation purposes, the IP address 198.51.100.49 has been used as the IP address of the Syslog endpoint. This IP address should be updated with the actual Syslog server’s IP address.

  • Syslog messages can be transported using UDP or TCP protocol. In this configuration, Syslog messages are transported using udp.

After making configuration changes in the config.json, restart CtrlD service as shown below.

supervisor@onl>C-BNG.rtbrick.net:~ $ sudo service rtbrick-ctrld restart
[sudo] password for supervisor:
[ ok ] Stopping rtbrick ctrld service:.
[ ok ] Starting rtbrick ctrld service:.
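The syslog_severity_level value in config.json is an RFC 5424 severity number, where 0 is emerg and 7 is debug, so 7 forwards everything including the debug-level bgp logging configured above. The following is an added example, not RtBrick code, showing how the numeric PRI field at the start of each syslog message decodes into facility and severity and which messages a given threshold lets through on the receiving side. The sample messages are constructed for this example; the facility numbers assigned to them are this example's assumption, not a statement about what CtrlD emits.

```python
"""Decode syslog PRI values and apply a severity threshold (added example, not RtBrick code).

PRI = facility * 8 + severity (RFC 5424 section 6.2.1).  Lower severity numbers
are more severe, so a threshold of 7 passes everything and a threshold of 3
passes only emerg, alert, crit and err.
"""
import re
from dataclasses import dataclass

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv",
              16: "local0", 17: "local1", 18: "local2", 19: "local3"}

_PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    body: str


def parse_pri(line: str) -> SyslogMessage:
    """Split off the <PRI> header; legal PRI values are 0..191 (23 facilities x 8)."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(pri // 8, pri % 8, m.group("rest"))


def passes_threshold(msg: SyslogMessage, severity_level: int) -> bool:
    """Mirror a numeric severity threshold such as syslog_severity_level."""
    return msg.severity <= severity_level


def filter_lines(lines, severity_level):
    """Return (facility name, severity name, body) for each message that passes."""
    out = []
    for line in lines:
        msg = parse_pri(line)
        if passes_threshold(msg, severity_level):
            out.append((FACILITIES.get(msg.facility, str(msg.facility)),
                        SEVERITIES[msg.severity], msg.body))
    return out


# Constructed sample messages (RFC 5424 layout); facilities/severities are assumed.
SAMPLE_LINES = [
    "<131>1 2023-04-03T16:13:40Z C-BNG.rtbrick.net bgpd - - - peer 192.0.2.2 down",   # local0.err
    "<135>1 2023-04-03T16:13:41Z C-BNG.rtbrick.net bgpd - - - keepalive sent",        # local0.debug
    "<86>1 2023-04-03T16:14:02Z C-BNG.rtbrick.net sshd - - - Accepted password for bob",   # authpriv.info
    "<84>1 2023-04-03T16:14:30Z C-BNG.rtbrick.net sshd - - - Failed password for frank",  # authpriv.warning
]


if __name__ == "__main__":
    for level in (7, 4, 3):
        print(f"severity_level={level}:")
        for fac, sev, body in filter_lines(SAMPLE_LINES, level):
            print(f"  {fac}.{sev}: {body}")
```

Two caveats that follow from the configuration above: with syslog_network set to udp the messages carry no integrity protection or confidentiality, so the path from the C-BNG to 198.51.100.49 should be confined to the management network; and a threshold of 7 combined with debug-level module logging can produce a high message rate, so check the collector's capacity before enabling it on a production node.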

Monitor Resources (Resmon)

Resource monitoring enables administrators to collect and analyze the health information and usage data of various hardware resources such as CPU, memory, processes, disks, sensors, optics, and so on.

Run show cpu usage, show memory usage and show disk usage to see the CPU, memory and disk utilization respectively.

supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show cpu usage
Name         Total       User     System       Nice   I/O Wait       Idle        IRQ   Soft IRQ
cpu            11%         9%         1%         0%         0%        88%         0%         0%
cpu0           10%         8%         1%         0%         0%        89%         0%         0%
cpu1           44%        43%         1%         0%         0%        55%         0%         0%
cpu2           34%        32%         2%         0%         0%        66%         0%         0%
cpu3           11%         9%         2%         0%         0%        89%         0%         0%
cpu4            3%         1%         2%         0%         0%        96%         0%         0%
cpu5            4%         3%         1%         0%         0%        96%         0%         0%
cpu6           13%        11%         2%         0%         0%        87%         0%         0%
cpu7           24%        22%         1%         0%         0%        75%         0%         0%
cpu8            4%         2%         2%         0%         0%        95%         0%         0%
cpu9            2%         1%         1%         0%         0%        97%         0%         0%
cpu10           6%         4%         2%         0%         0%        93%         0%         0%
cpu11           3%         2%         1%         0%         0%        96%         0%         0%
cpu12           8%         6%         2%         0%         0%        91%         0%         0%
cpu13           3%         3%         0%         0%         0%        96%         0%         0%
cpu14           6%         4%         2%         0%         0%        93%         0%         0%
cpu15           8%         5%         2%         0%         0%        91%         0%         0%
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show memory usage
Name     Total            Used             Free         Shared       Buffers      Cached
RAM      31.03 GiB        8.51 GiB         17.04 GiB    1.19 GiB     112.66 MiB   5.37 GiB
SWAP     0 bytes          0 bytes          0 bytes      n/a          n/a          n/a
supervisor@rtbrick>C-BNG.rtbrick.net: cfg> show disk usage
Filesystem               Type             Size         Used         Available    Mountpoint          Usage %
none                     tmpfs            492 KiB      0 bytes      492 KiB      /dev                0.0
tmpfs                    tmpfs            15.51 GiB    17.23 MiB    15.5 GiB     /run                0.11
tmpfs                    tmpfs            6 GiB        828.75 MiB   5.19 GiB     /shm                13.49
tmpfs                    tmpfs            15.51 GiB    182.96 MiB   15.33 GiB    /dev/shm            1.15
tmpfs                    tmpfs            5 MiB        0 bytes      5 MiB        /run/lock           0.0
devtmpfs                 devtmpfs         1 MiB        0 bytes      1 MiB        /dev/mem            0.0
/dev/sda10               ext4             15.62 GiB    50.61 MiB    14.76 GiB    /var/log            0.33
/dev/sda6                ext4             29.4 GiB     4.24 GiB     23.65 GiB    /platform           15.2
tmpfs                    tmpfs            3.1 GiB      0 bytes      3.1 GiB      /run/user/1000      0.0
tmpfs                    tmpfs            3.1 GiB      0 bytes      3.1 GiB      /run/user/1001      0.0
tmpfs                    tmpfs            15.51 GiB    0 bytes      15.51 GiB    /sys/fs/cgroup      0.0
/dev/sda11               ext4             43.79 GiB    51.89 MiB    41.49 GiB    /var/crash          0.12
tmpfs                    tmpfs            3.1 GiB      1.02 MiB     3.1 GiB      /var/run-ext/onl/r  0.03
/var/cache/rtbrick/imag  overlay          29.4 GiB     4.24 GiB     23.65 GiB    /                   15.2

The show command can also be used to view other resource details. For information about the resmon configuration and operational commands, see the RBFS Resource Monitoring Guide.
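The disk usage table above is the one to watch operationally: /var/log holds the audit trail that TACACS+ accounting and Syslog depend on, /var/crash holds core dumps, and / is the running image. The following is an added example, not RtBrick code, that parses the show disk usage output shown above into structured rows and flags filesystems above a usage threshold; the column layout (two-token sizes such as "4.24 GiB", then mountpoint, then usage percent) is taken from the output as printed here, and the sample output embedded in the block is copied from this section.

```python
"""Parse "show disk usage" output and flag filesystems above a threshold
(added example, not RtBrick code).  Column layout is assumed to be the one
shown in this document: Filesystem Type Size Used Available Mountpoint Usage%,
with sizes as two tokens ("4.24 GiB").
"""
from __future__ import annotations
from dataclasses import dataclass

_UNITS = {"bytes": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


@dataclass
class DiskRow:
    filesystem: str
    fstype: str
    size: int          # bytes
    used: int          # bytes
    available: int     # bytes
    mountpoint: str
    usage_pct: float


def to_bytes(value: str, unit: str) -> int:
    """('4.24', 'GiB') -> integer byte count."""
    return int(float(value) * _UNITS[unit])


def parse_disk_usage(output: str) -> list[DiskRow]:
    """Keep only lines with the 10-token data shape; header and prompt lines are skipped."""
    rows = []
    for line in output.splitlines():
        t = line.split()
        if len(t) != 10 or t[0] == "Filesystem":
            continue
        rows.append(DiskRow(
            filesystem=t[0], fstype=t[1],
            size=to_bytes(t[2], t[3]), used=to_bytes(t[4], t[5]),
            available=to_bytes(t[6], t[7]),
            mountpoint=t[8], usage_pct=float(t[9]),
        ))
    return rows


def over_threshold(rows: list[DiskRow], pct: float, mountpoints=None) -> list[DiskRow]:
    """Rows whose usage exceeds pct, optionally restricted to the mountpoints that matter."""
    watched = set(mountpoints) if mountpoints else None
    return [r for r in rows
            if r.usage_pct > pct and (watched is None or r.mountpoint in watched)]


# Copied from the "show disk usage" output in this section.
SAMPLE_OUTPUT = """\
Filesystem               Type             Size         Used         Available    Mountpoint          Usage %
none                     tmpfs            492 KiB      0 bytes      492 KiB      /dev                0.0
tmpfs                    tmpfs            15.51 GiB    17.23 MiB    15.5 GiB     /run                0.11
tmpfs                    tmpfs            6 GiB        828.75 MiB   5.19 GiB     /shm                13.49
tmpfs                    tmpfs            15.51 GiB    182.96 MiB   15.33 GiB    /dev/shm            1.15
tmpfs                    tmpfs            5 MiB        0 bytes      5 MiB        /run/lock           0.0
devtmpfs                 devtmpfs         1 MiB        0 bytes      1 MiB        /dev/mem            0.0
/dev/sda10               ext4             15.62 GiB    50.61 MiB    14.76 GiB    /var/log            0.33
/dev/sda6                ext4             29.4 GiB     4.24 GiB     23.65 GiB    /platform           15.2
tmpfs                    tmpfs            3.1 GiB      0 bytes      3.1 GiB      /run/user/1000      0.0
tmpfs                    tmpfs            3.1 GiB      0 bytes      3.1 GiB      /run/user/1001      0.0
tmpfs                    tmpfs            15.51 GiB    0 bytes      15.51 GiB    /sys/fs/cgroup      0.0
/dev/sda11               ext4             43.79 GiB    51.89 MiB    41.49 GiB    /var/crash          0.12
tmpfs                    tmpfs            3.1 GiB      1.02 MiB     3.1 GiB      /var/run-ext/onl/r  0.03
/var/cache/rtbrick/imag  overlay          29.4 GiB     4.24 GiB     23.65 GiB    /                   15.2
"""

WATCHED = ["/var/log", "/var/crash", "/"]

if __name__ == "__main__":
    rows = parse_disk_usage(SAMPLE_OUTPUT)
    for r in over_threshold(rows, 80.0, WATCHED):
        print(f"WARNING {r.mountpoint} at {r.usage_pct}% ({r.available} bytes left)")
    print(f"{len(rows)} filesystems parsed")
```

Against the sample output nothing exceeds 80%, which is the expected result on a freshly installed node; the check is meant to be run periodically so that /var/log filling up is noticed before log messages start being lost.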