Table of Contents
What is loxicmd
loxicmd is command tool for loxilb's configuration. loxicmd aims to provide all configuation related to loxilb and is based on kubectl's look and feel.
How to build
Note - loxilb docker has this built-in and there is no need to build it when using loxilb docker
Install package dependencies
go get .
Make loxicmd
make
Install loxicmd
sudo cp -f ./loxicmd /usr/local/sbin
How to run and configure loxilb
Load Balancer
Get load-balancer rules
Get basic information
loxicmd get lb
Get detailed information
loxicmd get lb -o wide
Get info in json
loxicmd get lb -o json
Configure load-balancer rule
Simple NAT44 tcp (round-robin) load-balancer
loxicmd create lb 1.1.1.1 --tcp=1828:1920 --endpoints=2.2.3.4:1
Please note that round-robin is default mode in loxilb
End-point format is specified as <CIDR:weight>. For round-robin, weight(1) has no significance.
NAT66 (round-robin) load-balancer
loxicmd create lb 2001::1 --tcp=2020:8080 --endpoints=4ffe::1:1,5ffe::1:1,6ffe::1:1
NAT64 (round-robin) load-balancer
loxicmd create lb 2001::1 --tcp=2020:8080 --endpoints=31.31.31.1:1,32.32.32.1:1,33.33.33.1:1
WRR (Weighted round-robin) load-balancer (Divide traffic in 40%, 40% and 20% ratio among end-points)
loxicmd create lb 20.20.20.1 --select=priority --tcp=2020:8080 --endpoints=31.31.31.1:40,32.32.32.1:40,33.33.33.1:20
Sticky end-point selection load-balancer (select end-points based on traffic hash)
loxicmd create lb 20.20.20.1 --select=hash --tcp=2020:8080 --endpoints=31.31.31.1:1,32.32.32.1:1,33.33.33.1:1
Load-balancer with forceful tcp-reset session timeout after inactivity of 30s
loxicmd create lb 20.20.20.1 --tcp=2020:8080 --endpoints=31.31.31.1:1,32.32.32.1:1,33.33.33.1:1 --inatimeout=30
Load-balancer with one-arm mode
loxicmd create lb 20.20.20.1 --tcp=2020:8080 --endpoints=100.100.100.2:1,100.100.100.3:1,100.100.100.4:1 --mode=onearm
Load-balancer with fullnat mode
loxicmd create lb 88.88.88.1 --sctp=38412:38412 --endpoints=192.168.70.3:1 --mode=fullnat
** For more information on one-arm and full-nat mode, please check this post
Load-balancer config in DSR(direct-server return) mode
loxicmd create lb 20.20.20.1 --tcp=2020:8080 --endpoints=31.31.31.1:1,32.32.32.1:1 --mode=dsr
Load-balancer yaml example
apiVersion: netlox/v1
kind: Loadbalancer
metadata:
name: test
spec:
serviceArguments:
externalIP: 1.2.3.1
port: 80
protocol: tcp
sel: 0
endpoints:
- endpointIP: 4.3.2.1
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.2
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.3
weight: 1
targetPort: 8080
Delete a load-balancer rule
loxicmd delete lb 1.1.1.1 --tcp=1828
Endpoint
Get load-balancer end-point health information
loxicmd get ep
Create end-point for health probing
# loxicmd create endpoint IP [--desc=<desc>] [--probetype=<probetype>] [--probereq=<probereq>] [--proberesp=<proberesp>] [--probeport=<port>] [--period=<period>] [--retries=<retries>]
loxicmd create endpoint 32.32.32.1 --desc=zone1host --probetype=http --probeport=8080 --period=60 --retries=2
IP(string) : Endpoint target IPaddress\ desc(string) : Description of and end-point\ probetype(string): Probe-type:ping,http,https,connect-udp,connect-tcp,connect-sctp,none\ probereq(string): If probe is http/https, one can specify additional uri path\ proberesp(string): If probe is http/https, one can specify custom response string\ probeport(int): If probe is http,https,tcp,udp,sctp one can specify custom l4port to use\ period(int): Period of probing\ retries(int): Number of retries before marking endPoint inactive\
Create end-point with https probing information
# loxicmd create endpoint IP [--desc=<desc>] [--probetype=<probetype>] [--probereq=<probereq>] [--proberesp=<proberesp>] [--probeport=<port>] [--period=<period>] [--retries=<retries>]
loxicmd create endpoint 32.32.32.1 --desc=zone1host --probetype=https --probeport=8080 --probereq="health" --proberesp="OK" --period=60 --retries=2
Note: loxilb requires CA certificate for TLS connection and private certificate and private key for mTLS connection. Admin can keep a common(default) CA certificate for all the endpoints at "/opt/loxilb/cert/rootCA.crt" or per-endpoint certificates can be kept as "/opt/loxilb/cert/\<IP>/rootCA.crt", private key must be kept at "/opt/loxilb/cert/server.key" and private certificate at "/opt/loxilb/cert/server.crt". Please see Minica or Certstrap or this CICD test case to know how to generate certificates.
Endpoint yaml example
apiVersion: netlox/v1
kind: Endpoint
metadata:
name: test
spec:
hostName: "Test"
description: string
inactiveReTries: 0
probeType: string
probeReqUrl: string
probeDuration: 0
probePort: 0
Delete end-point informtion
loxicmd delete endpoint 31.31.31.31
Session
Get Session information
loxicmd get session
Create Session information
#loxicmd create session <userID> <sessionIP> --accessNetworkTunnel=<TeID>:<TunnelIP> --coreNetworkTunnel=<TeID>:<TunnelIP>
loxicmd create session user1 192.168.20.1 --accessNetworkTunnel=1:1.232.16.1 coreNetworkTunnel=1:1.233.16.1
userID(string): User Ident\ sessionIP(string): Session IPaddress\ accessNetworkTunnel(string): accessNetworkTunnel has pairs that can be specified as 'TeID:IP'\ coreNetworkTunnel(string): coreNetworkTunnel has pairs that can be specified as 'TeID:IP'\
Session yaml example
apiVersion: netlox/v1
kind: Session
metadata:
name: test
spec:
ident: user1
sessionIP: 88.88.88.88
accessNetworkTunnel:
TeID: 1
tunnelIP: 11.11.11.11
coreNetworkTunnel:
TeID: 1
tunnelIP: 22.22.22.22
Delete Session information
loxicmd delete session user1
SessionUlCl
Get SessionUlCl information
loxicmd get sessionulcl
Create SessionUlCl information
#loxicmd create sessionulcl <userID> --ulclArgs=<QFI>:<ulclIP>,...
loxicmd create sessionulcl user1 --ulclArgs=16:192.33.125.1
userID(string): User Ident\ ulclArgs(string): Port pairs can be specified as 'QFI:UlClIP'\
SessionUlCl yaml example
apiVersion: netlox/v1
kind: SessionULCL
metadata:
name: test
spec:
ulclIdent: user1
ulclArgument:
qfi: 11
ulclIP: 8.8.8.8
Delete SessionUlCl information
loxicmd delete sessionulcl --ulclArgs=192.33.125.1
ulclArgs(string): UlCl IP address can be specified as 'UlClIP'. It don't need QFI.
IPaddress
Get IPaddress information
loxicmd get ip
Create IPaddress information
#loxicmd create ip <DeviceIPNet> <device>
loxicmd create ip 192.168.0.1/24 eno7
DeviceIPNet(string): Actual IP address with mask\ device(string): name of the related device\
IPaddress yaml example
apiVersion: netlox/v1
kind: IPaddress
metadata:
name: test
spec:
dev: eno8
ipAddress: 192.168.23.1/32
Delete IPaddress information
#loxicmd delete ip <DeviceIPNet> <device>
loxicmd delete ip 192.168.0.1/24 eno7
FDB
Get FDB information
loxicmd get fdb
Create FDB information
#loxicmd create fdb <MacAddress> <DeviceName>
loxicmd create fdb aa:aa:aa:aa:bb:bb eno7
MacAddress(string): mac address\ DeviceName(string): name of the related device\
FDB yaml example
apiVersion: netlox/v1
kind: FDB
metadata:
name: test
spec:
dev: eno8
macAddress: aa:aa:aa:aa:aa:aa
Delete FDB information
#loxicmd delete fdb <MacAddress> <DeviceName>
loxicmd delete fdb aa:aa:aa:aa:bb:bb eno7
Route
Get Route information
loxicmd get route
Create Route information
#loxicmd create route <DestinationIPNet> <gateway>
loxicmd create route 192.168.212.0/24 172.17.0.254
DestinationIPNet(string): Actual IP address route with mask\ gateway(string): gateway information if any\
Route yaml example
apiVersion: netlox/v1
kind: Route
metadata:
name: test
spec:
destinationIPNet: 192.168.30.0/24
gateway: 172.17.0.1
Delete Route information
#loxicmd delete route <DestinationIPNet>
loxicmd delete route 192.168.212.0/24
Neighbor
Get Neighbor information
loxicmd get neighbor
Create Neighbor information
#loxicmd create neighbor <DeviceIP> <DeviceName> [--macAddress=aa:aa:aa:aa:aa:aa]
loxicmd create neighbor 192.168.0.1 eno7 --macAddress=aa:aa:aa:aa:aa:aa
DeviceIP(string): The IP address\ DeviceName(string): name of the related device\ macAddress(string): resolved hardware address if any\
Neighbor yaml example
apiVersion: netlox/v1
kind: Neighbor
metadata:
name: test
spec:
dev: eno8
macAddress: aa:aa:aa:aa:aa:aa
ipAddress: 192.168.23.21
Delete Neighbor information
#loxicmd delete neighbor <DeviceIP> <device>
loxicmd delete neighbor 192.168.0.1 eno7
Vlan
Get Vlan and Vlan Member information
loxicmd get vlan
loxicmd get vlanmember
Create Vlan and Vlan Member information
#loxicmd create vlan <Vid>
loxicmd create vlan 100
Vid(int): vlan identifier
#loxicmd create vlanmember <Vid> <DeviceName> --tagged=<Tagged>
loxicmd create vlanmember 100 eno7 --tagged=true
loxicmd create vlanmember 100 eno7
Vid(int): vlan identifier\ DeviceName(string): name of the related device\ tagged(boolean): tagged or not (default is false)\
Vlan yaml example
apiVersion: netlox/v1
kind: Vlan
metadata:
name: test
spec:
vid: 100
Vlan Member yaml example
apiVersion: netlox/v1
kind: VlanMember
metadata:
name: test
vid: 100
spec:
dev: eno8
Tagged: true
Delete Vlan and Vlan Member information
#loxicmd delete vlan <Vid>
loxicmd delete vlan 100
#loxicmd delete vlanmember <Vid> <DeviceName> --tagged=<Tagged>
loxicmd delete vlanmember 100 eno7 --tagged=true
loxicmd delete vlanmember 100 eno7
Vxlan
Get Vxlan and Vxlan Peer information
loxicmd get vxlan
loxicmd get vxlanpeer
Create Vxlan and Vxlan Peer information
#loxicmd create vxlan <VxlanID> <EndpointDeviceName>
loxicmd create vxlan 100 eno7
VxlanID(int): Vxlan Identifier\ EndpointDeviceName(string): VTEP Device name(It must have own IP address for peering.)\
#loxicmd create vxlanpeer <VxlanID> <PeerIP>
loxicmd create vxlan-peer 100 30.1.3.1
VxlanID(int): Vxlan Identifier\ PeerIP(string): Vxlan peer device IP address\
Vxlan yaml example
apiVersion: netlox/v1
kind: Vxlan
metadata:
name: test
spec:
epIntf: eno8
vxlanID: 100
Vxlan Peer yaml example
apiVersion: netlox/v1
kind: VxlanPeer
metadata:
name: test
vxlanID: 100
spec:
peerIP: 21.21.21.1
Delete Vxlan and Vxlan Peer information
#loxicmd delete vxlan <VxlanID>
loxicmd delete vxlan 100
#loxicmd delete vxlanpeer <VxlanID> <PeerIP>
loxicmd delete vxlan-peer 100 30.1.3.1
Firewall
Get Firewall information
loxicmd get firewall
Create Firewall information
#loxicmd create firewall --firewallRule=<ruleKey>:<ruleValue>, [--allow] [--drop] [--trap] [--redirect=<PortName>] [--setmark=<FwMark>
loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200" --allow
loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200" --allow --setmark=10
loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200" --drop
loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200" --trap
loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200" --redirect=hs1
firewallRule sourceIP(string) - Source IP in CIDR notation\ destinationIP(string) - Destination IP in CIDR notation\ minSourcePort(int) - Minimum source port range\ maxSourcePort(int) - Maximum source port range\ minDestinationPort(int) - Minimum destination port range\ maxDestinationPort(int) - Maximum source port range\ protocol(int) - the protocol\ portName(string) - the incoming port\ preference(int) - User preference for ordering\
Firewall yaml example
apiVersion: netlox/v1
kind: Firewall
metadata:
name: test
spec:
ruleArguments:
sourceIP: 192.169.1.2/24
destinationIP: 192.169.2.1/24
preference: 200
opts:
allow: true
Delete Firewall information
#loxicmd delete firewall --firewallRule=<ruleKey>:<ruleValue>
loxicmd delete firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.3.1.2/32,preference:200
Mirror
Get Mirror information
loxicmd get mirror
Create Mirror information
#loxicmd create mirror <mirrorIdent> --mirrorInfo=<InfoOption>:<InfoValue>,... --targetObject=attachement:<port1,rule2>,mirrObjName:<ObjectName>
loxicmd create mirror mirr-1 --mirrorInfo="type:0,port:hs0" --targetObject="attachement:1,mirrObjName:hs1
mirrorIdent(string): Mirror identifier\ type(int) : Mirroring type as like 0 == SPAN, 1 == RSPAN, 2 == ERSPAN\ port(string) : The port where mirrored traffic needs to be sent\ vlan(int) : for RSPAN we may need to send tagged mirror traffic\ remoteIP(string) : For ERSPAN we may need to send tunnelled mirror traffic\ sourceIP(string): For ERSPAN we may need to send tunnelled mirror traffic\ tunnelID(int): For ERSPAN we may need to send tunnelled mirror traffic\
Mirror yaml example
apiVersion: netlox/v1
kind: Mirror
metadata:
name: test
spec:
mirrorIdent: mirr-1
mirrorInfo:
type: 0
port: eno1
targetObject:
attachment: 1
mirrObjName: eno2
Delete Mirror information
#loxicmd delete mirror <mirrorIdent>
loxicmd delete mirror mirr-1
Policy
Get Policy information
loxicmd get policy
Create Policy information
#loxicmd create policy IDENT --rate=<Peak>:<Commited> --target=<ObjectName>:<Attachment> [--block-size=<Excess>:<Committed>] [--color] [--pol-type=<policy type>]
loxicmd create policy pol-hs0 --rate=100:100 --target=hs0:1
loxicmd create policy pol-hs1 --rate=100:100 --target=hs0:1 --block-size=12000:6000
loxicmd create policy pol-hs1 --rate=100:100 --target=hs0:1 --color
loxicmd create policy pol-hs1 --rate=100:100 --target=hs0:1 --color --pol-type 0
rate(string): Rate pairs can be specified as 'Peak:Commited'. rate unit : Mbps\ block-size(string): Block Size pairs can be specified as 'Excess:Committed'. block-size unit : bps\ target(string): Target Interface pairs can be specified as 'ObjectName:Attachment'\ color(boolean): Policy color enbale or not\ pol-type(int): Policy traffic control type. 0 : TrTCM, 1 : SrTCM\
Policy yaml example
apiVersion: netlox/v1
kind: Policy
metadata:
name: test
spec:
policyIdent: pol-eno8
policyInfo:
type: 0
colorAware: false
committedInfoRate: 100
peakInfoRate: 100
targetObject:
attachment: 1
polObjName: eno8
Delete Policy information
#loxicmd delete policy <Polident>
loxicmd delete policy pol-hs1
Session Recorder
Set n-tuple policy for recording
loxicmd create firewall --firewallRule="destinationIP:31.31.31.0/24,preference:200" --allow --record
loxilb will record any connection track entry which matches this policy (even for reverse direction) as a way to provide extended visibility for debugging
Check or record with tcpdump
tcpdump -i llb0 -n
Any valid tcpdump option can be used including saving to a pcap file
Get live connection-track information
loxicmd get conntrack
Get port-dump information
loxicmd get port
Save all loxilb's operational information in DBStore
loxicmd save -a
** This will ensure that whenever loxilb restarts, it will start with last saved state from DBStore
Configure loxicmd with yaml(Beta)
The loxicmd support yaml based configuration. The format is same as Kubernetes. This beta version support only one configuraion per one file. That means "Do not use --- in yaml file." . It will be supported at next release.
Command
#loxicmd apply -f <file.yaml>
#loxicmd delete -f <file.yaml>
loxicmd apply -f lb.yaml
loxicmd delete -f lb.yaml
File example(lb.yaml)
apiVersion: netlox/v1
kind: Loadbalancer
metadata:
name: load
spec:
serviceArguments:
externalIP: 123.123.123.1
port: 80
protocol: tcp
sel: 0
endpoints:
- endpointIP: 4.3.2.1
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.2
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.3
weight: 1
targetPort: 8080
It reuse API's json body as a "Spec". If the API URL has no param, it don't need to use "metadata". For example, The body of load Balancer rule is shown below.
{
"serviceArguments": {
"externalIP": "123.123.123.1",
"port": 80,
"protocol": "tcp",
"sel": 0
},
"endpoints": [
{
"endpointIP": "4.3.2.1",
"weight": 1,
"targetPort": 8080
},
{
"endpointIP": "4.3.2.2",
"weight": 1,
"targetPort": 8080
},
{
"endpointIP": "4.3.2.3",
"weight": 1,
"targetPort": 8080
}
}
This json format can be converted Yaml format as shown below.
serviceArguments:
externalIP: 123.123.123.1
port: 80
protocol: tcp
sel: 0
endpoints:
- endpointIP: 4.3.2.1
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.2
weight: 1
targetPort: 8080
- endpointIP: 4.3.2.3
weight: 1
targetPort: 8080
Finally, this is located in the Spec of the entire configuration file as File example(lb.yaml)
If you want to add Vlan bridge, IPaddress or something else. Just change the Kind value from Loadbalancer to VlanBridge, IPaddress as like below example.
apiVersion: netlox/v1
kind: IPaddress
metadata:
name: test
spec:
dev: eno8
ipAddress: 192.168.23.1/32
If the URL has param such as adding vlanmember, it must have metadata.
apiVersion: netlox/v1
kind: VlanMember
metadata:
name: test
vid: 100
spec:
dev: eno8
Tagged: true
The example of all the settings below, so please refer to it.
More information
There are tons of other commands, use help option!
loxicmd help