gRIBI configuration

To enable the gRIBI service:

  1. Configure gRPC server settings at system level using the following procedures:
    1. Enabling gRIBI service support
    2. (Optional) Configuring a UNIX socket for the gRPC server
  2. (Optional) Configure network instance level gRIBI protocol parameters.

Enabling gRIBI service support

To configure the gRIBI service, you must enable gRPC server support.
  1. Set the gRPC server admin-state to enable (default is disable):
    system grpc-server <name> admin-state enable
  2. Set the following system-level gRPC server parameters:
    • metadata-authentication: enables or disables the use of username/password authentication for every gRPC RPC request
    • network-instance: specifies the network instance in which the gRPC server listens for incoming connections
    • port: sets the TCP port the gRPC server listens on for incoming connections
      Note: 57400 is the default gRPC server port value. Any other value requires that you configure an ACL CPM filter to accept traffic on the configured port value.
    • rate-limit: sets a limit on the number of connection attempts per minute
    • services: specifies the gRPC service (in this case gribi) to enable on this gRPC server instance
    • session-limit: sets a limit on the number of simultaneous active gRPC sessions
    • source-address: lists the IP addresses the gRPC server listens on within the network instance
    • timeout: sets the idle timeout in seconds on gRPC clients
    • trace-options: sets gRPC trace options ([common | grpc | request | response])
    • tls-profile: references the TLS profile to use on the gRPC server (mandatory)
    • unix-socket: enables or disables use of UNIX sockets for the gRPC server
    • yang-models: specifies the YANG models to use when the origin field is not present in requests (default: native)

Enable the gRIBI service support

The following example enables the gRIBI service on the mgmt gRPC server by specifying gribi as a supported service. It also sets the timeout, rate-limit, and session-limit values to their default values and sets the trace-options to common. It also defines a network-instance, source IP address, and port for the gRPC server.

--{ * candidate shared default }--[  ]--
# info system grpc-server mgmt
    system {
        grpc-server mgmt {
            admin-state enable
            timeout 7200
            rate-limit 60
            session-limit 20
            network-instance mgmt
            port 57400
            trace-options [
                common
            ]
            services [
                gribi
            ]
            source-address [
                10.10.10.1
            ]
        }
    }

Configuring a UNIX socket for the gRPC server

To configure a UNIX socket for the gRPC server:

  1. Set the system gRPC server UNIX socket admin-state to enable (default is disable):
    system grpc-server <name> unix-socket admin-state enable
  2. Set the following gRPC server parameters:
    • tls-profile: References the TLS profile to use on the gRPC UNIX socket server. If none is specified, then TLS is not used.
    • metadata-authentication: Enables or disables the use of username/password authentication for every gRPC RPC request (default: true).

The following example enables a UNIX socket using a TLS profile (test-tls) and sets metadata-authentication to true.

--{ * candidate shared default }--[  ]--
# info system grpc-server mgmt
    system {
        grpc-server mgmt {
            admin-state enable
            metadata-authentication true
            tls-profile test-tls
            unix-socket {
                admin-state enable
            }
        }
    }
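
The following audit script is an added example, not part of the product documentation. It parses `info system grpc-server` output in the layout shown above and flags the settings this page calls out: a missing tls-profile (including the UNIX socket then running without TLS), metadata-authentication set to false, and a non-default port that needs an ACL CPM filter. The function names and the sample configuration are constructed for illustration.

```python
SAMPLE = """\
system {
    grpc-server mgmt {
        admin-state enable
        metadata-authentication false
        port 50051
        services [
            gribi
        ]
        unix-socket {
            admin-state enable
        }
    }
}
"""  # constructed sample in the `info` layout shown on this page

def parse_info(text):
    """Parse brace/bracket-structured `info` output into nested dicts and lists."""
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("#", "--{")):
            continue  # skip blanks, the `# info ...` line and the prompt banner
        if line[-1] in "{[":
            child = {} if line[-1] == "{" else []
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line in ("}", "]"):
            stack[1:] = stack[1:-1]  # pop one level, never the root
        elif isinstance(stack[-1], list):
            stack[-1].append(line)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def audit_grpc_servers(config):  # returns [(server, finding), ...]
    findings = []
    for key, srv in config.get("system", {}).items():
        if not key.startswith("grpc-server ") or srv.get("admin-state") != "enable":
            continue
        name = key.split()[1]
        if "tls-profile" not in srv:
            sock = srv.get("unix-socket", {}).get("admin-state") == "enable"
            findings.append((name, "tls-profile missing" + (", unix-socket has no TLS" if sock else "")))
        if srv.get("metadata-authentication") == "false":
            findings.append((name, "metadata-authentication disabled"))
        if srv.get("port", "57400") != "57400":
            findings.append((name, "non-default port: check the ACL CPM filter"))
    return findings
```

Calling `audit_grpc_servers(parse_info(SAMPLE))` returns three findings for the `mgmt` server, while the UNIX socket example above (with `tls-profile test-tls` and `metadata-authentication true`) returns none.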

Configuring gRIBI protocol parameters for the network instance

At the network instance level, you can configure gRIBI protocol parameters. By default, the gRIBI protocol admin-state is set to enable for the default network instance and for all IP-VRF network instances. However, state and telemetry information are not available for the network-instance protocols gribi container until a configuration exists in that context. This means that you cannot display the admin-state for these network instances using info from state until you commit some configuration in the network-instance protocols gribi context. Nonetheless, these network instances remain available for gRIBI programming by default.

When the gRIBI protocol admin-state is set to disable, all IP entries and next-hop-groups associated with the network instance are deleted from the gRIBI service database. The recovery of this state depends on the gRIBI clients to re-signal all of the deleted entries. While in a disabled state, no entries are accepted for this network instance. (This is the same behavior as when the network instance does not exist at all.)

Use the following procedure to configure gRIBI protocol parameters for the network instance.

  1. To configure the gRIBI protocol admin-state, use the following command (default is enable):
    network-instance <instance> protocols gribi admin-state [enable | disable]
  2. To set the gRIBI protocol parameters for the network instance, use the following parameters:
    • default-metric: Sets the route table metric to use for all gRIBI-created IPv4 and IPv6 routes.
    • default-preference: Sets the default preference when deciding the route to use from different protocols (lower values indicate higher preference).
    • max-ecmp-hash-buckets-per-next-hop-group: Sets the maximum number of ECMP hash buckets per next-hop-group.
    • maximum-routes: Sets the maximum number of gRIBI routes (sum of IPv4 and IPv6 entries).

The following example sets the admin-state, default-metric, default-preference, max-ecmp-hash-buckets-per-next-hop-group, and maximum-routes parameters to their default values.

--{ * candidate shared default }--[  ]--
# info network-instance default protocols gribi
    network-instance default {
        protocols {
            gribi {
                admin-state enable
                default-metric 1
                default-preference 6
                max-ecmp-hash-buckets-per-next-hop-group 128
                maximum-routes 0
            }
        }
    }