SLX insight architecture 1/3: TPVM

Jörg Kost
Apr 22, 2019


SLX data center routers like the 9540, 9640, and 9850 models have unique virtual 10-gigabit ethernet interfaces called “insight interfaces” that can capture and display pass-by traffic. The insight interfaces appear as a virtual ethernet device inside a remote Ubuntu Linux 16.04 virtual machine, called TPVM for short.

This makes it possible to run tools or services like tcpdump, p0f, snort and others directly on the router, without any additional environment or a dedicated server.

The TPVM itself is a kernel-based virtual machine (KVM) that co-exists with the SLX-VM (the management VM), running on one of the cores of the embedded Intel processor. Both virtual machines themselves run on an Ubuntu host operating system.

To get the insight analytics path up and running, we need to follow these steps:

  • Install and start TPVM from privileged mode
  • Add an insight interface from configuration mode
  • Add filter or mirror ACLs rules to the insight interface
  • Run applications inside TPVM, e.g., tcpdump

I will split the guide for readability into three single articles, starting today with the basic installation and configuration of TPVM itself.

TPVM

Before SLXr18.2, TPVM was shipped within the SLX-OS image itself, but with the recent version changes it has been decoupled and needs to be downloaded and copied in a separate step.

You can download it and check the install instructions in the support panel, but you will want to uninstall any previously installed TPVM version from the SLX first and then copy the Debian packages into the SLX-VM directory /tftpboot/SWBD2900.

The commands for the cleanup will look a bit like this.

slx# tpvm stop
slx# tpvm uninstall
slx# start-shell
Entering Linux shell for the user: admin
[admin@slx]# rm -rf /tftpboot/SWBD2900/vm-swbd2900-*.deb

This frees up the current TPVM image; afterwards you can copy the new version to the SLX-VM with scp or your favorite SSH tool.

~joerg$ scp tpvm-2.0.0-0.amd64 admin@slx:/tftpboot/SWBD2900/

If in doubt, check the Extreme SLX-OS Management Config Guide for version 18.r2.

Installation

We will first check the current status of the installation by running the show tpvm status command from the SLX privileged prompt.

slx# show tpvm status
TPVM is not installed

In this case nothing is pre-installed, so we can go ahead and run the install command; otherwise we could uninstall the previous instance with tpvm uninstall.

slx# tpvm install
Installation starts. To check the status use ‘show tpvm status’ command
slx# show tpvm status
TPVM is being installed now

After a few moments the TPVM installation is finished; we can check the status again and boot it up.

slx# show tpvm status
TPVM is installed but not running, and AutoStart is disabled on this host.
slx# tpvm start
start succeeds
slx# show tpvm status
TPVM is running, and AutoStart is disabled on this host.

Access TPVM

Now comes the confusing part, and I don’t like the official documentation about this so much.

After TPVM has booted, there are five possible ways to reach its Linux shell via SSH or a TTY, using the default credentials admin/password.

  1. TPVM tries to obtain an IPv4 address via DHCP on the bridged management ethernet interface, and you can log in with SSH.
  2. TPVM sends IPv6 router solicitations and tries to acquire a routed IPv6 address via NDP, and you can log in with SSH.
  3. TPVM configures an IPv6 link-local address via NDP, and SSH login is possible with that address as well.
  4. The “may not be supported” way: the TPVM login prompt can be reached by taking over the terminal session directly from the HOST-OS (see Inside Extreme SLX architecture).
  5. Accessing TPVM through the serial console port (I am not showing this way, though) works similarly to point 4.

Execute the show tpvm ip-address command and decide which way you want to use:

show tpvm ip-address
IPv4:
eth0 192.168.2.249
docker0 172.17.0.1
IPv6:
eth0 2a02:0000:c000:0:da80:00ff:f00b:8800
eth0: fe80::da80:00ff:f00b:8800

1.) and 2.) Access TPVM with DHCP or ND served addresses

If an IPv4 or a globally routed IPv6 address is visible, you can call yourself happy and connect to TPVM directly with the internal SSH client, using the mgmt-vrf virtual routing and forwarding instance.

slx# ssh 192.168.2.249 -l admin vrf mgmt-vrf
admin@192.168.2.249’s password:

Also, if you have a routed IPv6 prefix on your management port:

slx# ssh 2a02:0000:c000:0:da00:00ff:f00b:8804 -l admin
admin@2a02:0000:c000:0:da00:00ff:f00b:’s password:

3.) Access TPVM with link-local IPv6 addresses

But if we are not running a local DHCP server or not sending IPv6 router advertisements on our management network, we may end up like this:

slx# show tpvm ip-address
IPv4:
docker0 172.17.0.1
IPv6:
eth0
eth0 fe80::da00:00ff:f00b:8800

The trick is to use the IPv6 link-local address for the first login, then alter the network configuration inside the TPVM and set a static IPv4 or IPv6 address that is much easier to reach from inside the SLX-VM or even from the outside.

First, we note down the IPv6 address from the output, the one starting with fe80, and then try to ping it from the SLX command line using mgmt-vrf as the virtual router:

slx# ping ipv6 fe80::da00:00ff:f00b:8800 interface management vrf mgmt-vrf
Type Control-c to abort
64 bytes from fe80::da00: icmp_seq=0 ttl=64 time=3.239 ms
64 bytes from fe80::da00: icmp_seq=1 ttl=64 time=1.985 ms

A direct SSH connection with IPv6 from the SLX prompt would work in a perfect world, but there seems to be an error or bug in the current code. I have already submitted this as a bug to Extreme.

slx# ssh fe80::da84:66ff:feeb:8804 -l admin interface management vrf mgmt-vrf
Invalid Interface

So for the first connection to TPVM, we will drop into the Linux shell of the SLX virtual machine with the start-shell command and then execute the SSH client directly.

slx# start-shell
Entering Linux shell for the user: admin
[admin@slx]# ssh -6 fe80::da00:00ff:f00b:8800%eth0 -l admin
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-128-generic x86_64)
Last login: Tue Apr 2 12:12:46 2019
admin@TPVM:~$

Be sure to set the -6 parameter for IPv6 address parsing and append the local interface as %eth0 to the address; otherwise the network stack cannot select the correct outgoing interface for a link-local address.

Also add the -l parameter to specify the username admin. When asked for a password, type “password” as mentioned before.
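To tie the three SSH paths above together, here is an added example (my own helper, not part of the original article or of SLX-OS) that reads the text of show tpvm ip-address and prints which of the article's ssh commands applies; the sample output is constructed from the formats shown above, and the function name tpvm_access_plan is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: decide the TPVM access path
# from the output of "show tpvm ip-address". Function name is hypothetical.

tpvm_access_plan() {
    # $1: the text printed by "show tpvm ip-address"
    printf '%s\n' "$1" | awk '
        /^IPv4:/ { section = "v4"; next }
        /^IPv6:/ { section = "v6"; next }
        # eth0 under IPv4: a DHCP lease on the bridged management port (way 1).
        section == "v4" && $1 == "eth0" { v4 = $2 }
        # eth0 under IPv6: link-local fe80::/10 (way 3) or a routed prefix (way 2).
        # A bare "eth0" line without an address is skipped (NF < 2).
        section == "v6" && $1 ~ /^eth0:?$/ && NF >= 2 {
            addr = $2
            if (addr ~ /^[Ff][Ee][89AaBb]/) ll = addr; else g6 = addr
        }
        END {
            if (v4 != "")
                print "slx# ssh " v4 " -l admin vrf mgmt-vrf"
            else if (g6 != "")
                print "slx# ssh " g6 " -l admin"
            else if (ll != "")
                print "[admin@slx]# ssh -6 " ll "%eth0 -l admin"
            else
                print "no address learned: use the tmux/serial console path"
        }'
}

# Constructed sample in the link-local-only shape shown in the article.
SAMPLE='IPv4:
docker0 172.17.0.1
IPv6:
eth0
eth0 fe80::da00:00ff:f00b:8800'

tpvm_access_plan "$SAMPLE"
```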

4.) The “not so supported way.”

If everything else fails or you need to do some crash recovery, we can log in by attaching to a tmux session that is created on startup of the host OS. To do this, we first need to connect to the host OS from the SLX prompt.

My other article, “Inside Extreme Networks SLX” might come in handy for this, but I will repeat the login procedure here.

From the SLX prompt, we connect via telnet or ssh to the loopback address 127.2.0.1 and log in with the default Brocade credentials: username root, password fibranne.

slx# telnet 127.2.0.1 vrf mgmt-vrf
Trying 127.2.0.1…
Connected to 127.2.0.1.
Escape character is ‘^]’.
Ubuntu 14.04 LTS
HOST login: root
Password:
Last login: Wed Jan 2 16:12:38 GMT 2019 from pb_vm1 on pts/6
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.7 x86_64)

root@HOST:~#

On boot-up, the SLX host operating system starts a tmux session on the hardware console port and spawns one virtual serial port for the TPVM.

So after you have logged into the host OS, you can attach to the existing tmux session and use the function keys F1, F2, or F3 to switch between the virtual serial ports of the Ubuntu host OS, the SLX-VM, and the TPVM.

root@HOST:~# /fusion/sbin/tmux attach -t FUSION_KVM
Ubuntu 14.04 LTS HOST ttyS0
HOST login:
Password:
PRESS F2
SLX-OS (slx)
slx login:
PRESS F3
Ubuntu 16.04.4 LTS TPVM ttyS0
TPVM login: admin
Password: password
122 packages can be updated.
70 updates are security updates.
admin@TPVM:~$

With the F9 key, you can detach from the tmux session again.

And finally logged in…

Inside TPVM, we open a root shell with sudo -s, entering the admin password once again.

admin@TPVM:~$ sudo -s
[sudo] password for admin:
root@TPVM:~# id
uid=0(root) gid=0(root) groups=0(root)

From this point on, regular Linux programs and commands apply. With the ip program, we can list all attached network interfaces.

Besides the docker and loopback interfaces, there is eth0 for management and eth1 for the insight interface; eth1 still shows no carrier. It will come up as soon as the insight interface is activated from the SLX-VM command line.

root@TPVM:~# ip -4 link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether d8:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:28:2d:60:b9 brd ff:ff:ff:ff:ff:ff

To alter the network configuration persistently, we need to change the file /etc/network/interfaces, which is read on startup by the ifupdown-scripts.

For example, we can set the static IP address 192.168.1.5 within a fictional management network 192.168.1.0/24 by editing the file like this:

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.1
auto eth1
iface eth1 inet manual

You can also apply this change immediately by typing ifdown eth0 && ifup eth0 in the shell. You can read more about the ifupdown scripts in the Ubuntu Wiki.

From here on

From this point on, we have a working TPVM that is reachable directly from the SLX-VM or from a dedicated management network. In part two, we will finally configure and activate the insight interface.
