2. System management

2.1. Configuring basic system information

2.1.1. Configuring a host name

The SR Linux device must have a host name configured. The default host name is srlinux. The host name normally appears on all CLI prompts on the device, although you can override this with the environment prompt CLI command.

The host name should be a unique name on the network, and can be a fully qualified domain name (FQDN), or an unqualified single-label name. If the host name is a single-label name (for example, srlinux), the system may use its domain name, if configured, to infer its own FQDN.

Example:

The following shows the configuration for a host name on the SR Linux device.

--{ candidate shared default }--[  ]--
info system name
    system {
        name {
            host-name 3-node_srlinux-A
        }
    }

2.1.2. Configuring a domain name

The SR Linux device uses its host name, combined with a domain name to form its fully qualified domain name (FQDN). It is expected that the FQDN exists within the DNS server(s) used by SR Linux, though this is not a requirement.

Assuming the SR Linux FQDN is in the DNS server, you can use the FQDN to reach the SR Linux device without knowing its management address. A domain name is not mandatory, but if specified, it is added to the DNS search list by default.

Example:

The following shows the configuration for a domain name on the SR Linux device. In this example, the device FQDN is set to 3-node_srlinux-A.mv.usa.nokia.com.

--{ candidate shared default }--[  ]--
info system name
    system {
        name {
            host-name 3-node_srlinux-A
            domain-name mv.usa.nokia.com
        }
    }

2.1.3. Configuring DNS settings

The SR Linux device uses DNS to resolve host names within the configuration, or for operational commands, such as ping. You can specify up to three DNS servers for the SR Linux device to use, with either IPv4 or IPv6 addressing.

You can also specify a search list of DNS suffixes that the device can use to resolve single-label names; for example, for a search list of nokia1.com and nokia2.com, a ping for host srlinux does a DNS lookup for srlinux.nokia1.com, and if unsuccessful, does a DNS lookup for srlinux.nokia2.com.

The SR Linux device supports configuration of static DNS entries. Static DNS entries allow resolution of host names that may not be in the DNS servers used by the SR Linux device. Using a static DNS entry, you can map multiple addresses (both IPv4 and IPv6) to one host name. The SR Linux linux_mgr application adds the static DNS entries to the /etc/hosts file in the underlying Linux OS.

Example:

In the following example, the SR Linux device is configured to use two DNS servers to resolve host names, a search list of DNS suffixes for resolving single-label names, and IPv4 and IPv6 static DNS entries for a host.

DNS requests are sourced from the mgmt network-instance (see Configuring the management network-instance).

--{ candidate shared default }--[  ]--
info system dns
    system {
        dns {
            network-instance mgmt
            server-list [
                1.1.1.1
                2.2.2.2
            ]
            search-list [
                nokia1.com
                nokia2.com
            ]
            host-entry srlinux.nokia.com {
                ipv4-address 3.3.3.3
                ipv6-address 2001:db8:123:456::11:11
            }
        }
    }

2.2. Configuring the management network-instance

Management of the SR Linux device is primarily done via a management network-instance. The management network-instance isolates management traffic from other network-instances configured on the device.

The out-of-band mgmt0 port is automatically added to the management network-instance, and management services run within the management network-instance.

Although the management network-instance is primarily intended to handle management traffic, you can configure it in the same way as any other network-instance on the device, including protocols, policies, and filters. The management network instance is part of the default configuration, but may be deleted if necessary.

Addressing within the management network-instance is available via DHCP and static IP addresses. Both IPv4 and IPv6 addresses are supported.

Example:

--{ candidate shared default }--[  ]--
info network-instance mgmt
 network-instance mgmt {
        type ip-vrf
        admin-state enable
        description "Management network instance"
        interface mgmt0 {
            admin-state enable
            subinterface 0 {
                admin-state enable
                ipv4 {
                   dhcp-client true
                }
                ipv6 {
                   dhcp-client true
                }
            }
        protocols {
            linux {
                export-routes true
                export-neighbors false
            }
        }
 }

2.3. Configuring access

2.3.1. Configuring access types

Access to the SR Linux device is available via a number of APIs and protocols. The SR Linux supports the following ways to access the device:

  1. SSH – Secure Shell, a standard method for accessing network devices. See Enabling an SSH server.
  2. FTP – File Transfer Protocol, a secure method for copying files to and from network devices. See Configuring FTP.
  3. Console – Access to the SR Linux CLI via direct connection to a serial port on the device.
  4. gNMI – A gRPC-based protocol for the modification and retrieval of configuration from a target device, as well as the control and generation of telemetry streams from a target device to a data collection system. See gNMI server.
  5. JSON-RPC – Ability to retrieve and set configuration and state using a JSON-RPC API. See JSON-RPC server.
  6. SNMP – Simple Network Management Protocol, a commonly used network management protocol. The SR Linux device supports SNMPv2 with a limited set of OIDs. See Configuring SNMP.

Regardless of the method of access, all sessions are authenticated (if authentication is enabled), whether the session is entered via the console, SSH, or an API. Access to the device is controlled via the aaa_mgr application. See Securing access.

2.3.2. Enabling an SSH server

You can enable an SSH server for one or more network instances on the SR Linux device, so that users can log in to the CLI using an SSH client. The SR Linux device implements SSH via OpenSSH, and configures /etc/ssh/sshd_config in the underlying Linux OS. Only SSHv2 is supported.

Example:

In the following example, an SSH server is enabled in the mgmt and default network-instances, specifying the IP addresses where the device listens for SSH connections:

--{ candidate shared default }--[  ]--
info system ssh-server
    system {
        ssh-server {
            network-instance mgmt {
                admin-state enable
                source-address [
                    1.1.1.1
                    1.1.1.2
                ]
            }
            network-instance default {
                admin-state enable
                source-address [
                    2.1.1.1
                    2.1.1.2
                ]
            }
        }
    }

2.3.3. Configuring FTP

You can enable an FTP server for one or more network instances on the SR Linux device, so that users can transfer files to and from the device. The SR Linux uses the vsftpd (very secure FTP daemon) application within the underlying Linux OS. The authenticated user’s home directory returned by the aaa_mgr application is set as the user’s FTP root directory.

Example:

In the following example, the FTP server is enabled in the mgmt and default network-instance, specifying the IP addresses where the device listens for FTP connections:

--{ candidate shared default }--[  ]--
info system ftp-server
    system {
        ftp-server {
            network-instance mgmt {
                admin-state enable
                source-address [
                    1.1.1.1
                ]
            }
            network-instance default {
                admin-state enable
                source-address [
                    2.1.2.1
                ]
            }
        }
    }

2.3.4. Configuring SNMP

The SR Linux device supports SNMPv2. To allow an SNMP client to read information about the system as an aid in monitoring the device, the SR Linux supports the following OIDs. The MIB file that covers these OIDs is packaged with each release.

  1. sysName – located within the SNMP MIB-2 subtree, specifically at 1.3.6.1.2.1.1.5. This is generally the device FQDN. The SR Linux device reads the sysName from the configured system host name.
    If the host name does not contain a dot (.) character, the configured domain name is also read, and is appended to the host name before being returned to the client.
  2. sysObjectId – located within the SNMP MIB-2 subtree, specifically at 1.3.6.1.2.1.1.2. This identifies the kind of device being managed. SR Linux uses the subtree at 1.3.6.1.4.1.6527.
  3. sysContact – located within the SNMP MIB-2 subtree, specifically at 1.3.6.1.2.1.1.4. This identifies the contact person for this managed node, together with information on how to contact this person. SR Linux propagates the information configured for /system/information/contact for the sysContact OID.
  4. sysLocation – located within the SNMP MIB-2 subtree, specifically at 1.3.6.1.2.1.1.6. This identifies the physical location of the device. SR Linux propagates the information configured for /system/information/location for the sysLocation OID.
  5. sysDescr – located within the SNMP MIB-2 subtree, specifically at 1.3.6.1.2.1.1.1. This value can include the name and version for the system hardware, software operating system, and networking software. This must contain only printable ASCII characters.
    The SR Linux uses a fixed sysDescr field, based on this template:
    <SRLinux-version (from IDB)> Nokia <Platform Type> Copyright (c) 2000-2019 Nokia.
    Kernel <kernel-version> <Linux-version> <SNMP-version> <kernel build date>.
    All rights reserved. All use subject to applicable license agreements.
  6. ifIndex – located within the SNMP IF-MIB subtree, specifically at 1.3.6.1.2.1.2.2.1.1. This is a unique value, greater than zero, for each interface. SR Linux propagates the /interface[]/ifindex leaf into the ifIndex OID. One ifEntry is created for each ifIndex found in the system. If an interface does not have an ifIndex, it is not populated into SNMP. An ifIndex is generated only for physical interfaces (excluding managment).
  7. ifDescr – located within the SNMP IF-MIB subtree, specifically at 1.3.6.1.2.1.2.2.1.2. This is a string containing information about the interface. This string can include the name of the manufacturer, product name, and version of the interface hardware/software. SR Linux propagates the /interface[]/description leaf into the ifDescr OID. If the description passed from /interface[]/description exceeds 255 characters, it is truncated.
  8. ifOperStatus – located within the SNMP IF-MIB subtree, specifically at 1.3.6.1.2.1.2.2.1.8. This indicates the current operational state of the interface. SR Linux propagates the /interface[]/oper-state leaf into the ifOperStatus OID using the mapping shown in Table 3:
    Table 3:   Mapping between ifOperStatus OID and /interface[]/oper-state leaf 

    ifOperStatus OID value

    ID

    /interface[]/oper-state enum

    /interface[]/oper-state value

    up

    1

    up

    1

    down

    2

    down

    2

    testing

    3

    unknown

    4

    dormant

    5

    notPresent

    6

    empty

    3

    lowerLayerDown

    7

    down

    2

  9. ifAdminStatus – located within the SNMP IF-MIB subtree, specifically at 1.3.6.1.2.1.2.2.1.7. This is the desired state of the interface. The testing(3) state indicates that no operational packets can be passed. When a managed system initializes, all interfaces start with ifAdminStatus in the down(2) state. Based on either explicit management action or configuration information retained by the managed system, ifAdminStatus is then changed to either the up(1) or testing(3) states (or remains in the down(2) state).
    SR Linux propagates the /interface[]/admin-state leaf into the ifAdminStatus OID using the mapping shown in Table 4:
    Table 4:   Mapping between ifAdminStatus OID and /interface[]/admin-state leaf 

    ifAdminStatus OID value

    ID

    /interface[]/admin-state enum

    /interface[]/admin-state value

    up

    1

    enable

    1

    down

    2

    disable

    2

    testing

    3

Example:

In the following example, an SNMP server is running within the mgmt and default network-instances, and the configuration specifies the IP addresses where the device listens for SNMP client connections:

--{ candidate shared default }--[  ]--
info system snmp
    system {
        snmp {
            community test1 {
                permission r
                version v2c
            }
            network-instance mgmt {
                admin-state enable
                source-address [
                    1.1.1.1
                ]
            }
            network-instance default {
                admin-state enable
                source-address [
                    3.3.3.3
                ]
            }
        }
    }

2.3.5. Configuring banners

You can specify banner text that appears when a user connects to the SR Linux device. The following banners can be configured:

  1. Login banner – Displayed before a user has been authenticated by the system (for example, at the SSH login prompt)
  2. Message of the day (motd) banner – Displayed after the user has been authenticated by the system

The banners appear regardless of the method used to connect to the SR Linux, so they are displayed to users connecting via SSH, console, and so on.

Example:

In the following example, login and motd banners are configured. The login banner text appears at the prompt when a user attempts to log in to the system, and the motd banner text appears after the user has been authenticated.

--{ candidate shared default }--[  ]--
info system banner
    system {
        banner {
            login-banner "Enter your SRLinux login credentials."
            motd-
banner "Welcome to the SRLinux CLI. Note that your activity may be monitored."
        }
    }

2.4. Synchronizing the system clock

Network Time Protocol (NTP) is used to synchronize the system clock to a time reference. You can configure NTP settings on the SR Linux device using the CLl, and the SR Linux linux_mgr application provisions the settings in the underlying Linux OS.

NTP does not account for time zones, instead relying on the host to perform such computations. Time zones on the SR Linux device are based on the IANA tz database, which is implemented by the underlying Linux OS. You can specify the time zone of the SR Linux device using the CLI.

Example:

The following configuration enables the system NTP client on the SR Linux device and specifies an NTP server to use for clock synchronization. The NTP client runs in the mgmt network-instance. The system time zone is set to America/Los_Angeles.

--{ candidate shared default }--[  ]--
info system ntp
    system {
        ntp {
            admin-state enable
            network-instance mgmt
            server 4.53.160.75 {
            }
        }
        clock {
            timezone America/Los_Angeles
        }
    }