Topics in Cumulus Networks®
1970-01-01T00:00:00Z 488 319 25 59 0 72

7521404 iptables connection tracking for the control plane?
2017-05-19T05:41:42Z 2017-05-18T15:40:00Z Chris Marget chris_marget

I understand that many iptables features (connection tracking, etc...) are not supported by the underlying switching hardware on switches running Cumulus Linux.

It feels like I should still be able to use these features to protect the control plane, but I'm finding that cl-acltool is refusing to install them.

Perhaps there's a different way (something other than /etc/cumulus/acl/policy.d) to get these rules installed?

Maybe I'm confused and these features can't be used, even on the INPUT/OUTPUT chains?

How else are people protecting (filtering, not CoPP) TCP listeners exposed by the control plane? I see that sshd is compiled with libwrap, but I'd feel better with something that's universally applicable (bgpd does not have libwrap) and runs a bit lower in the stack.

Thanks!

question 7 3 1 comment

7518966 1Gb Breakout on Mellanox SN2100
2017-05-17T09:54:55Z 2017-05-15T07:23:39Z Karl Latiss karl_latiss

Running Cumulus Linux 3.3 on Mellanox 2100 switch with a 40GB QSFP optical module and MPO to 8xLC breakout cables.

Using

net add interface swp1 breakout 4X

I can only breakout into a maximum 4x. Is it possible to breakout into 8x? The upstream connections in this case will be 1Gb.

question 6 3 1 comment

7514413 hsflowd cannot send sample on Cumulus VX 3.3!
2017-05-15T18:23:50Z 2017-05-08T09:37:50Z Tuan Anh Do tuan_anh_do_6ol2n6e9e8vzr

I have used Cumulus VX to evaluate switch monitoring using hsflowd.
When configured as suggested from:
[Link: https//docscumulusnetworkscom/display/DOCS/MonitoringSystemStatisticsandNetworkTrafficwithsFlow]

My setting is:

cat /etc/hsflowd.conf

# hsflowd configuration file
sflow {
  DNSSD = off
  agent = eth0
  polling = 30
  sampling = 512

  sampling.100M = 100
  sampling.1G = 1000
  sampling.10G = 10000
  sampling.40G = 40000

  collector {
    ip =
    udpport = 6343
  }
}

The hsflowd starts successfully but with an error:

myExec(/usr/lib/cumulus/portsamp) exitStatus=1 so assuming ULOG/NFLOG is 1:1

and when I wireshark, it shows nothing.

I have searched in the forum and there is only one URL mentioning this problem:

[Link: https//getsatisfactioncumulusnetworkscom/cumulus/topics/couldnt-get-flow-in-nfsen-from-cumulusvx]

I did as this link suggests:

sudo iptables -I FORWARD -j NFLOG --nflog-group 1 --nflog-prefix SFLOW

but the problem is not gone, I still have the log:

myExec(/usr/lib/cumulus/portsamp) exitStatus=1 so assuming ULOG/NFLOG is 1:1

problem 3 2 1 comment

7517820 Spanning Tree
2017-05-15T14:28:31Z 2017-05-12T18:44:35Z "B" brent_stevenson_jxwvlp2bujti5

It looks as though I may be having a problem with STP on the Cumulus switches.

DistA is root and DistB is backup. With a sustained ping running (from DistA to AccessC), I disabled the link between DistA and AccessC. I lost one ping initially, and the route via DistB kicked in. However, it worked for about a minute, but then timed out.

Is there some sort of timer that needs to be manipulated?

All three switches in the above scenario described are Cumulus switches.

   DistA =========== DistB
     -                 -
       -             -
         -         -
          -AccessC-

However, I substituted AccessC with a different 3rd party open OS (Linux-based) running MST, and the failover worked fine with the Cumulus distribution switches.

Any thoughts?

Thanks.

question 1 2 1 comment

7514701 How to apt-get upgrade a specific version?
2017-05-12T13:34:35Z 2017-05-08T17:19:23Z Will McLendon will_mclendon

Hello,

We currently run Cumulus 3.2.1 in our production environment, and use VX in VirtualBox to simulate changes and test our ansible automation. The issue is now that 3.3 is out, whenever an apt-get upgrade is done on the VX images during deployment, they upgrade to 3.3.0.
And this command is recommended to be run after most / all additional installs (NCLU and EVPN, for example)

Since a given Cumulus release is a culmination of specific versions of multiple packages, and not a single binary like other vendors, is there any way to specify that I effectively want 'the latest 3.2.1 packages' only?

This seems like it could be a big challenge for orgs trying to test / proof out changes in lab environments.

With real hardware I could have it download a 3.2.1 image via ONIE, but if memory serves there are 3.2.1 patches that came out after the binary was released -- and again, the method to get them was simply 'apt-get upgrade'

Thanks.

question 2 3 1 comment

7517120 3.3 Install time
2017-05-11T20:07:29Z 2017-05-11T19:19:12Z JB joshua_bowers

Want to say I <3 the install time of 3.3 on the arm switches. It's crazy reduced from what it was. And the install progress bar is snazzy too.

praise 1 2 3 comment

7515509 VXLan / EVPN enabled hypervisors with quagga 1.0.0+cl3u11 in a leaf spine architecture
2017-05-11T19:42:01Z 2017-05-09T17:06:15Z Hendrik Sokolowski hendrik_sokolowski

Hey there,

We're currently planning to redesign our datacenter network with cumulus enabled switches in a leaf-spine architecture.

At the moment we're having a test-setup with cumulus vx vms (2 spines, 2 leafs) and two guest-vms that should communicate through a custom vxlan.

For this setup I grabbed the quagga daemon in version 1.0.0+cl3u11 and deployed it to the guest-vms.

I configured an unnumbered eBGP setup and as far as I can see the BGP sessions are properly established for ipv4, ipv6 and evpn.

I created two vxlan interfaces, one on each guest, and assigned them to a bridge br0. I assigned an ip address on both systems and expected to be able to ping each other host.

Unfortunately the pings are not successful.
I see the requests arrive on the other host and also the replies going out but they do not reach the first host.

I created a github repository with configs and cl-support files. You can find it here:

Could you give me some markers as to what I am missing here?

Regards

Hendrik

problem 3 2 1 comment

7500778 MAC address ACL
2017-05-11T12:40:31Z 2017-04-18T09:01:17Z machiasiaweb machiasiaweb_machi_ma

Hello,

I am designing a MAC address ACL which protects hosts with KNOWN MAC addresses plugged into the switch.

Could you please advise whether the following ebtables config is correct or not?

e.g. Only allow host with MAC address 00:00:aa:bb:cc:12 to access in/out

--------------------
cat /etc/cumulus/acl/policy.d/swp1macacl.rule

[ebtables]
-A FORWARD -i swp1 -s 00:00:aa:bb:cc:12 -d any -j ACCEPT
-A FORWARD -i swp1 -j DROP
--------------------

command to deploy:

sudo cl-acltool -i -P /etc/cumulus/acl/policy.d/swp1macacl.rule

Thanks!

question 5 3 1 comment

6766526 Can you please let me know if Cumulus linux already supports policy based routing based on DSCP etc as of now or in future road map?
2017-05-11T12:36:38Z 2015-09-03T16:40:50Z Naresh Thukkani naresh_thukkani

Can you please let me know if Cumulus linux already supports policy based routing based on DSCP etc as of now or in future road map?

question 7 6 1 comment

7516617 Apply PBR via Quagga
2017-05-11T03:37:37Z 2017-05-11T03:37:37Z machiasiaweb machiasiaweb_machi_ma

Hello,

I am writing PBR by using Quagga.

Question
1) However, I suppose it requires applying the route-map to an interface? I am using VRR now. Could you please advise how to apply it?

2) Also another question: it looks like it now routes to external first even when the 2 subnets belong to the next switch.
How can I do internal vlan routing?

Following is my config

========== quagga config ==================

!
access-list 100 permit ip any
access-list 101 permit ip any
!
route-map 101traffic permit 10
 match ip address 101
 set ip next-hop
!
route-map 100traffic permit 10
 match ip address 100
 set ip next-hop
!

========== Cumulus config ===============

auto vlan400
iface vlan400
        mstpctl-portadminedge no
        mstpctl-portnetwork no
        address-virtual 00:00:5e:00:01:01
        vlan-id 400
        alias Vlan 400 IP
        mstpctl-bpduguard no
        vlan-raw-device bridge

auto vlan450
iface vlan450
        mstpctl-portadminedge no
        mstpctl-portnetwork no
        address-virtual 00:00:5e:00:01:02
        vlan-id 450
        alias Vlan 450 IP
        mstpctl-bpduguard no
        vlan-raw-device bridge

auto bridge
iface bridge
        bridge-vlan-aware yes
        mstpctl-treeprio 36864
        bridge-vids 300 400 450
        alias 0203-leaf-1 bridge
        bridge-stp yes
        bridge-ports glob swp1-35 swp37 swp38 swp39 swp40 swp41 peerlink uplink ng4

=========================================

Thanks!

question 0 2 2 create

7515636 EVPN -- vtep interface down?
2017-05-10T19:14:57Z 2017-05-09T20:01:57Z Will McLendon will_mclendon

Hello,

EDIT: forgot to say, this is with the new VX 3.3.0 image on VirtualBox

I'm attempting to test EVPN with Cumulus VX and while my BGP sessions are UP with EVPN address-family, I never learn any EVPN routes, and 'net show evpn vni' never shows any remote VTEPs.

As best as I can tell this is because my VTEP interface that I created is actually down -- for example:

wmclendon@leaf01:mgmt-vrf:~$ ip link show vtep10000
17: vtep10000: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master bridge state DOWN mode DEFAULT group default
    link/ether ea:14:c3:f6:e8:78 brd ff:ff:ff:ff:ff:ff protodown on

or:

wmclendon@leaf01:mgmt-vrf:~$ net show interface vtep10000
    Name       MAC                Speed    MTU    Mode
--  ---------  -----------------  -------  -----  ---------
DN  vtep10000  ea:14:c3:f6:e8:78  N/A      1500   Access/L2

I can't figure out why it would be down with no-carrier as a virtual interface.
The config of the VTEP interface and the interface facing the attached host are as follows:

auto vtep10000
iface vtep10000
        bridge-access 1000
        bridge-learning off
        vxlan-id 10000
        vxlan-local-tunnelip

auto swp11
iface swp11
        bridge-vids 1000
        bridge-pvid 1000

Both ports have been added to the bridge as well.

I've searched around and can't find any documentation / reason as to why the VTEP interface is down or potential causes / solutions.

Thanks,

Will

question 9 2 1 comment

7515150 Duplicate IP | SNMP Duplicate IPv4 Address Detected
2017-05-10T03:31:31Z 2017-05-09T07:44:04Z Jon H jon_h_6555209

When starting the snmpd service I can see the following in the syslog:
Duplicate IPv4 address detected, some interfaces may not be visible in IP-MIB

I have searched high and low for a solution but unable to find anything particularly helpful. Most articles found are based around a small network where you are likely to have an idea already of what the duplicate ip may be.

What is the most effective way to find a duplicate IP with Cumulus Linux?

I understand you can use arp and grep like so:
arp -an | grep

By comparing the output you can see if the MAC address differs. In this instance again you would need to have some kind of inkling of which IP is duplicated.

I have tried using arping, again this requires some inkling as to the duplicated IP: This is also not the easiest to use with the management VRF enabled and requires you to specify the source address/interface, which causes complications when scripting.

I have tested using:
arp -a

I extract the ip/mac pairs from the results and compare these for duplicates, I am not finding anything.

I have also tried to do an SNMP walk and again extracted the ip/mac pairs, again I am not seeing anything duplicated.

Are there any other tools that would be useful to identify the issue?

question 1 2 1 comment

7512226 What is meaning of 'vlan-raw-device bridge'?
2017-05-09T05:52:44Z 2017-05-04T14:23:05Z machiasiaweb machiasiaweb_machi_ma

Hello,

While studying VRR setup at

[Link: https//docscumulusnetworkscom/display/DOCS/VirtualRouterRedundancy-VRR]

====================
auto bridge
iface bridge
    bridge-vids 500
    bridge-vlan-aware yes

auto vlan500
iface vlan500
    address 192.168.0.252/24
    address 2001:aa::1/48
    address-virtual 00:00:5e:00:01:01 2001:aa::1/48 192.168.0.254/24
    vlan-id 500
    vlan-raw-device bridge
==================

I found there is one parameter 'vlan-raw-device bridge'

but I could not find what the meaning of this is. Could anyone advise?

Thanks!

question 4 2 1 comment

7310233 Access Broadcom Shell via Cumulus?
2017-05-05T22:47:44Z 2016-09-14T22:45:15Z Bryan Martin bryan_martin_2gl8wtno345vs

I am using Cumulus 2.5.7 on a Supermicro SSE-X3648 with a Broadcom Trident 2. Is it possible to access the Broadcom Shell via Cumulus Linux?

Thanks!

question 2 3 1 comment

7510374 How can set the Cumulus VX with VM in Virtual box?
2017-05-04T04:35:28Z 2017-05-02T06:05:15Z Jinho_IN4A jinho_kim_7625843

Hi..

I want to make the below configuration on VirtualBox.
I have installed VirtualBox and created the Cumulus VX VM on it,
but I don't know how I can connect each VM to an SWP# port.
Would you please give your great idea how I can make it?
[Image]

Kevin

question 6 3 1 comment