The SSR software is a set of daemons (processes) that run within a Linux operating system. There are many standard Linux components leveraged by SSR (e.g., NTP, sshd, dnf, etc.) that require network access. These components (hereafter referred to as host components) will send traffic via Linux's routing table unless instructed otherwise. This document describes the best practice for routing that traffic from the underlying Linux host operating system into the SSR routing domain, for subsequent traffic forwarding using the SSR paradigm.
When running on the host platform, the SSR has its own routing table in addition to the one that is running within Linux.
This document applies specifically to SSR routers. The SSR conductor does not require any special configuration to affect Linux host networking, since it does not forward packets using any technique other than Linux host networking to begin with.
To forward traffic between Linux and SSR, we will use an interface type known as a Kernel Network Interface, or KNI. This is used to connect userspace applications with kernel networking.
By default, the SSR creates a KNI interface ("kni254") that is used to route packets to Linux as part of its host-service configuration. (A host-service is configured on a network-interface, and is used to forward various traffic types such as SSH and HTTP/HTTPS to Linux applications.) This kni254 interface is, by default, only used for inbound traffic (from Linux to the SSR) for host-services. By following the steps below, we can leverage the kni254 interface to send outbound traffic to the SSR.
Create services (or modify existing services) for network access, adding an
access-policy that permits the tenant
_internal_ tenant is associated with all inbound requests arriving from Linux to SSR via kni254.
description "internet reachability"
Traffic originating from Linux and traveling through a KNI interface will have a source address of 169.254.127.127, which is a link-local address. You must ensure that
source-nat is enabled on the egress interface used to carry this traffic out of the SSR platform.
If you want to selectively forward via SSR, you can edit
/etc/sysconfig/network-scripts/route-kni254 from its default route of
0.0.0.0/0 with any address/prefix you wish. Additionally, you can edit the
route-kni254 file to contain as many individual route statements as you like; it is important to only edit this file while the SSR is stopped, however, since it will cache the contents of the file when it starts, and restore the copy it cached when software is stopped.
- Stop the SSR software on the router. There are many ways to accomplish this, one of which is to type
sudo systemctl stop 128Tfrom the Linux shell prompt.note
You must ensure you are in a position to access the Linux subsystem on an SSR router even when the SSR software is not running.
- Add a route to the internet in a route file associated with
kni254(the following should all be typed on one line):
sudo echo 0.0.0.0/0 via 169.254.127.126 dev kni254 metric 200 > /etc/sysconfig/network-scripts/route-kni254
- Start the SSR software:
sudo systemctl start 128T
The loopback-static-route plugin can be installed and enabled on the SSR router to dynamically manage Linux routes.
host device-interface can be configured with a vlan-enabled network interface. Doing so creates a unique linux interface that is managed for each network-interface, but only one underlying KNI will be created on the system. If there is no non-vlan network-interface on the device-interface, an implicit underlying “base” interface is instantiated for the KNI, and linux VLAN interfaces are stacked on it.
Output reflecting KNI interfaces with a VLAN of 200 configured:
admin@t124-dut1.Fabric128# show device-interface
Sat 2019-02-16 18:45:18 UTC
MAC Address: b2:9c:1f:9a:d9:7a
Admin Status: up
Operational Status: up
Redundancy Status: non-redundant
base state: good
vlan state: good
Completed in 0.24 seconds
admin@t124-dut1.Fabric128# show platform device-interfaces
Sat 2019-02-16 18:45:56 UTC
Device Interface Information
Driver Version: unavailable
MAC Address: be:0c:c2:1e:79:be
Firmware Version: unavailable
Statistics Supported: unavailable
Test Info Supported: unavailable
EEPROM Access Supported: unavailable
Register Dump Supported: unavailable
base info: good
vlan info: good
Completed in 1.29 seconds