Packet I/O on IOS XR
This section illustrates how, with the Packet I/O functionality, you can use Linux applications to manage communication with the IOS XR interfaces. It describes how the OS environment must be set up to establish packet I/O communication with hosted applications.
Exposed IOS-XR Interfaces in Linux
The secondary IPv4 addresses that are configured for an XR interface are now synchronized into the Linux operating system automatically. With this secondary IPv4 address synchronization, the third party applications that are deployed on Cisco IOS XR can now use the secondary IPv4 addresses. Prior to this release, only primary IPv4 addresses were supported and the secondary IPv4 addresses had to be configured manually in the Linux operating system.
Exposed XR interfaces (EXIs) and address-only interfaces support secondary IPv4 address synchronization:
-
EXIs have secondary IP addresses added to their corresponding Linux interface
-
Address-only interfaces have secondary IP addresses added to the Linux loopback device. For additional information on address-only interfaces, see show linux networking interfaces address-only.
The restrictions of secondary IPv4 addresses synchronization are:
-
Secondary IPv4 addresses are not synchronized from Linux to XR for Linux-managed interfaces.
-
The ifconfig Linux command only displays the first configured IPv4 address. To view the complete list of IPv4 addresses, use the ip addr show Linux command.
For additional information on secondary IPv4 addresses, see ipv4 address (network).
You can run bash commands at the IOS XR router prompt to view the interfaces and IP addresses stored in global VRF. When you access the Cisco IOS XR Linux shell, you directly enter the global VRF.
SUMMARY STEPS
- From your Linux box, access the IOS XR console through SSH, and log in.
- View the ethernet interfaces on IOS XR.
- Check the IP and MAC addresses of the interface that is in
Up
state. Here, interfacesHundredGigE0/0/0/24
andMgmtEth0/RP0/CPU0/0
are in theUp
state. - Verify that the bash command runs in global VRF to view the network interfaces.
- Access the Linux shell.
- (Optional) View the IP routes used by the
to_xr
interfaces.
DETAILED STEPS
Step 1 |
From your Linux box, access the IOS XR console through SSH, and log in. Example:
|
||
Step 2 |
View the ethernet interfaces on IOS XR. Example:
|
||
Step 3 |
Check the IP and MAC addresses of the interface that is in Example:
|
||
Step 4 |
Verify that the bash command runs in global VRF to view the network interfaces. Example:
The |
||
Step 5 |
Access the Linux shell. Example:
|
||
Step 6 |
(Optional) View the IP routes used by the Example:
|
Setting up Virtual IP Addresses
Feature Name |
Release Information |
Description |
---|---|---|
Virtual IP address in the Linux networking stack |
Release 7.5.2 |
Virtual IP addresses allow a single IP address to connect to the current active RP after an RP switchover event. In addition, this functionality enables your network stack to support virtual IP addresses for third-party applications and IOS XR applications that use the Linux networking stack. The following commands are modified: |
Interfaces configured on IOS XR are programmed into the Linux kernel. These interfaces allow Linux applications to run as if they were running on a regular Linux system. This packet I/O capability ensures that off-the-shelf Linux applications can be run alongside IOS XR, allowing operators to use their existing tools and automate deployments with IOS XR.
The IP address on the Linux interfaces, MTU settings, MAC address are inherited from the corresponding settings of the IOS XR interface. Accessing the global VRF network namespace ensures that when you issue the bash command, the default or the global VRF in IOS XR is reflected in the kernel. This ensures default reachability based on the routing capabilities of IOS XR and the packet I/O infrastructure.
Virtual addresses can be configured to access a router from the management network such as gRPC using a single virtual IP address. On a device with two or more RPs, the virtual address refers to the management interface that is currently active. This functionality can be used across RP failover without the information of which RP is currently active. This is applicable to the Linux packet path.
Procedure
Command or Action | Purpose |
---|---|
You can use the following commands to verify the IP Address in the Linux networking stack: |
|
Program Routes in Linux
The basic routes required to allow applications to send or receive traffic can be programmed into the kernel. The Linux network stack that is part of the kernel is used by normal Linux applications to send/receive packets. In an IOS XR stack, IOS XR acts as the network stack for the system. Therefore to allow the Linux network stack to connect into and use the IOS XR network stack, basic routes must be programmed into the Linux Kernel.
Procedure
Step 1 |
View the routes from the bash shell. Example:
|
Step 2 |
Programme the routes in the kernel. Two types of routes can be programmed in the kernel:
|
Configure VRFs in Linux
VRFs configured in IOS XR are automatically synchronized to the kernel. In the kernel, the VRFs appear as network namespaces (netns). For every globally-configured VRF, a Linux network namespace is created. With this capability it is possible to isolate Linux applications or processes into specific VRFs like an out-of-band management VRF and open-up sockets or send or receive traffic only on interfaces in that VRF.
Every VRF, when synchronized with the Linux kernel, is programmed as a network namespace with the same name as a VRF but with
the string vrf
prefixed to it. The default VRF in IOS XR has the name default
. This name gets programmed as vrf-default
in the Linux kernel.
The following example shows how to configure a custom VRF blue
:
Procedure
Step 1 |
Identify the current network namespace or VRF. Example:
|
Step 2 |
Configure a custom VRF Example:
|
Step 3 |
Verify that the VRF Example:
|
Step 4 |
Verify that the VRF Example:
|
Step 5 |
Access VRF Example:
to-xr interface because there is no IOS XR interface in this VRF.
|
Step 6 |
Configure an interface in the VRF Example:vrf-blue from IOS XR:
|
Step 7 |
Verify that the HundredGigE 0/0/0/24 interface is configured in the VRF Example:
|
Step 8 |
Verify that the interface is configured in the VRF Example:
|
Open Linux Sockets
The socket entries are programmed into the Local Packet Transport Services (LPTS) infrastructure that distributes the information through the line cards. Any packet received on a line card interface triggers an LPTS lookup to send the packet to the application opening the socket. Because the required interfaces and routes already appear in the kernel, the applications can open the sockets — TCP or UDP.
Procedure
Step 1 |
Verify that applications open up sockets. Example:
|
Step 2 |
Verify that the socket is open. Example:
Netcat starts listening on port 5000, which appears as an IPv4 TCP socket in the netstat output like a typical Linux kernel. This socket gets programmed to LPTS, creating a corresponding entry in the hardware to the lookup tcp port 5000. The incoming traffic is redirected to the kernel of the active RP where the netcat runs. |
Send and Receive Traffic
Connect to the nc socket from an external server. For example, the nc socket was started in the vrf-default
network namespace. So, connect over an interface that is in the same VRF.
[root@localhost ~]#nc -vz 192.168.122.22 5000
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.122.22:5000.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
Manage IOS XR Interfaces through Linux
The Linux system contains a number of individual network namespaces. Each namespace contains a set of interfaces that map to a single interface in the XR control plane. These interfaces represent the exposed XR interfaces (eXI). By default, all interfaces in IOS XR are managed through the IOS XR configuration (CLI or YANG models), and the attributes of the interface (IP address, MTU, and state) are inherited from the corresponding configuration and the state of the interface in XR.
With the new Packet I/O functionality, it is possible to have an IOS XR interface completely managed by Linux. This also means that one or more of the interfaces can be configured to be managed by Linux, and standard automation tools can be used on Linux servers can be used to manage interfaces in IOS XR.
Note |
Secondary IPv4 addresses cannot be managed by Linux. |
Configure an Interface to be Linux-Managed
This section shows how to configure an interface to be Linux-managed.
Procedure
Step 1 |
Check the available exposed-interfaces in the system. Example:
|
Step 2 |
Configure the interface to be managed by Linux. Example:
|
Step 3 |
View the interface details and the VRF. Example:
|
Step 4 |
Verify the configuration in XR. Example:
|
Step 5 |
Verify the configuration from Linux. Example:
|
Configure New IP address on the Interface in Linux
This section shows how to configure a new IP address on the Linux-managed interface.
Procedure
Step 1 |
Configure the IP address on the interface. Example:
|
Step 2 |
Verify that the new IP address is configured. Example:
|
Configure Custom MTU Setting
This section shows how to bring up the interface and configure a custom MTU in a Linux-managed interface.
Procedure
Step 1 |
Configure the MTU setting. Example:
|
Step 2 |
Verify that the MTU setting has been updated in Linux. Example:
|
Step 3 |
Check the effect on the IOS XR configuration with the change in MTU setting on this interface. Example:
The output indicates that the interface acts as a regular Linux interface, and IOS XR configuration receives inputs from Linux. |
Configure Traffic Protection for Linux Networking
Traffic protection provides a mechanism to configure Linux firewalls using IOS XR configuration. These rules can be used to restrict traffic to Linux applications. You can restrict traffic to Linux applications using native Linux firewalls or configuring IOS XR Linux traffic protection. It is not recommended to use both mechanisms at the same time. Any combination of remote address, local address and ingress interface can be specified as rules to either allow or deny traffic. However, at least one parameter must be specified for the traffic protection rule to be valid.
Note |
If traffic is received on a protocol or port combination that has no traffic protection rules configured, then all traffic is allowed by default. |
This example explains how to configure a traffic protection rule on IOS XR to deny all traffic on port 999 except for traffic arriving on interface HundredGigE0/0/0/25.
Procedure
Step 1 |
Configure traffic protection rules. Example:
where —
|
Step 2 |
Verify that the traffic protection rule is applied successfully. Example:
|