From 69cc36d40dab2922799069001ea1b7308d9a1133 Mon Sep 17 00:00:00 2001
From: Yawen
Date: Wed, 11 Jun 2025 10:31:05 +1000
Subject: [PATCH] [DualToR] enforce same loopback ip and drop bgp pkts on loopback1 for dualtor (#18766)

What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
---
 ansible/vars/topo_cable-test.yml | 4 ++--
 ansible/vars/topo_dualtor-120.yml | 4 ++--
 ansible/vars/topo_dualtor-56.yml | 4 ++--
 ansible/vars/topo_dualtor-64-breakout.yml | 4 ++--
 ansible/vars/topo_dualtor-64.yml | 4 ++--
 ansible/vars/topo_dualtor-aa-120.yml | 4 ++--
 ansible/vars/topo_dualtor-aa-56.yml | 4 ++--
 ansible/vars/topo_dualtor-aa-64-breakout.yml | 4 ++--
 ansible/vars/topo_dualtor-aa-64.yml | 4 ++--
 ansible/vars/topo_dualtor-aa.yml | 4 ++--
 ansible/vars/topo_dualtor-mixed-120.yml | 4 ++--
 ansible/vars/topo_dualtor-mixed-56.yml | 4 ++--
 ansible/vars/topo_dualtor-mixed.yml | 4 ++--
 ansible/vars/topo_dualtor.yml | 4 ++--
 tests/cacl/test_cacl_application.py | 2 ++
 15 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/ansible/vars/topo_cable-test.yml b/ansible/vars/topo_cable-test.yml
index a662d0f3c62..d0e6d74a779 100644
--- a/ansible/vars/topo_cable-test.yml
+++ b/ansible/vars/topo_cable-test.yml
@@ -93,10 +93,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1::34/128
- - FC00:1::35/128
+ - FC00:1::34/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-120.yml b/ansible/vars/topo_dualtor-120.yml
index be86f04425e..66a8c2f109a 100644
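Review bot: This topology's loopback1 IPv6 is `FC00:1::34/128`, whereas every other dualtor topo in this PR uses `FC00:1:0:34::/128` and the cacl test added in tests/cacl/test_cacl_application.py now expects a drop rule on `fc00:1:0:34::`; if cable-test is ever exercised as a dualtor topology, that expected ip6tables rule will not match the address this file assigns. Either align the address with the other topologies or have the test derive the expected rule from the topology instead of a literal. The ipv4 and ipv6 lists now hold the same /32 and /128 twice, which reads like a copy-paste slip; a comment such as `# both ToRs intentionally share loopback1 so BGP cannot come up over it (see #18766)` would tell the next reader the duplication is deliberate.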
--- a/ansible/vars/topo_dualtor-120.yml
+++ b/ansible/vars/topo_dualtor-120.yml
@@ -210,10 +210,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-56.yml b/ansible/vars/topo_dualtor-56.yml
index 133566457f1..ba9751a037f 100644
--- a/ansible/vars/topo_dualtor-56.yml
+++ b/ansible/vars/topo_dualtor-56.yml
@@ -114,10 +114,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-64-breakout.yml b/ansible/vars/topo_dualtor-64-breakout.yml
index 18208b1c991..690e6b5ff46 100644
--- a/ansible/vars/topo_dualtor-64-breakout.yml
+++ b/ansible/vars/topo_dualtor-64-breakout.yml
@@ -115,10 +115,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-64.yml b/ansible/vars/topo_dualtor-64.yml
index fb4ab5179fc..9fa83b3d01d 100644
--- a/ansible/vars/topo_dualtor-64.yml
+++ b/ansible/vars/topo_dualtor-64.yml
@@ -118,10 +118,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-aa-120.yml b/ansible/vars/topo_dualtor-aa-120.yml
index 4b735ca1514..06befc59e52 100644
--- a/ansible/vars/topo_dualtor-aa-120.yml
+++ b/ansible/vars/topo_dualtor-aa-120.yml
@@ -267,10 +267,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-aa-56.yml b/ansible/vars/topo_dualtor-aa-56.yml
index 8110aa58082..39e1e687802 100644
--- a/ansible/vars/topo_dualtor-aa-56.yml
+++ b/ansible/vars/topo_dualtor-aa-56.yml
@@ -139,10 +139,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-aa-64-breakout.yml b/ansible/vars/topo_dualtor-aa-64-breakout.yml
index 8531215b335..e6ee547bb50 100644
--- a/ansible/vars/topo_dualtor-aa-64-breakout.yml
+++ b/ansible/vars/topo_dualtor-aa-64-breakout.yml
@@ -139,10 +139,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-aa-64.yml b/ansible/vars/topo_dualtor-aa-64.yml
index 52ea2acf139..3ed6ab3e32b 100644
--- a/ansible/vars/topo_dualtor-aa-64.yml
+++ b/ansible/vars/topo_dualtor-aa-64.yml
@@ -155,10 +155,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-aa.yml b/ansible/vars/topo_dualtor-aa.yml
index fbe7842bea6..fe5819e4412 100644
--- a/ansible/vars/topo_dualtor-aa.yml
+++ b/ansible/vars/topo_dualtor-aa.yml
@@ -91,10 +91,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-mixed-120.yml b/ansible/vars/topo_dualtor-mixed-120.yml
index c836d833cc6..0ba3c5ce330 100644
--- a/ansible/vars/topo_dualtor-mixed-120.yml
+++ b/ansible/vars/topo_dualtor-mixed-120.yml
@@ -239,10 +239,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-mixed-56.yml b/ansible/vars/topo_dualtor-mixed-56.yml
index 7fdf022f0bc..78ced817439 100644
--- a/ansible/vars/topo_dualtor-mixed-56.yml
+++ b/ansible/vars/topo_dualtor-mixed-56.yml
@@ -127,10 +127,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor-mixed.yml b/ansible/vars/topo_dualtor-mixed.yml
index d042cf8bb91..bddf6096e97 100644
--- a/ansible/vars/topo_dualtor-mixed.yml
+++ b/ansible/vars/topo_dualtor-mixed.yml
@@ -79,10 +79,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/ansible/vars/topo_dualtor.yml b/ansible/vars/topo_dualtor.yml
index 6c70a8ed4b4..4ed284cdeb5 100644
--- a/ansible/vars/topo_dualtor.yml
+++ b/ansible/vars/topo_dualtor.yml
@@ -66,10 +66,10 @@ topology:
 loopback1:
 ipv4:
 - 10.1.0.34/32
- - 10.1.0.35/32
+ - 10.1.0.34/32
 ipv6:
 - FC00:1:0:34::/128
- - FC00:1:0:35::/128
+ - FC00:1:0:34::/128
 loopback2:
 ipv4:
 - 10.1.0.36/32
diff --git a/tests/cacl/test_cacl_application.py b/tests/cacl/test_cacl_application.py
index 6d78acb5c16..89c463dd3b2 100644
--- a/tests/cacl/test_cacl_application.py
+++ b/tests/cacl/test_cacl_application.py
@@ -579,6 +579,8 @@ def generate_expected_rules(duthost, tbinfo, docker_network, asic_index, expecte
 rules_to_expect_for_dualtor = [
 "-A INPUT -p udp -m udp --dport 67 -j DHCP",
 "-A DHCP -j RETURN",
+ "-I INPUT 1 -d 10.1.0.34 -p tcp --dport 179 -j DROP",
+ " ip6tables -I INPUT 1 -d fc00:1:0:34:: -p tcp --dport 179 -j DROP",
 "-N DHCP"
 ]
 iptables_rules.extend(rules_to_expect_for_dualtor)
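Review bot: The two new expected strings hard-code the loopback1 address (`10.1.0.34`, `fc00:1:0:34::`) instead of reading it from `tbinfo`, which this function already receives, so the test is now silently coupled to the topo_*.yml values edited in this same PR and will break the next time they move. The second string is also in a different shape from every other entry: it carries the command name and a leading space (`" ip6tables -I INPUT 1 …"`) where its siblings are bare rule bodies, and it is appended to `iptables_rules` rather than an IPv6 list, which looks like a shell line pasted from the host-services change rather than an expected rule. If the expected list is compared against `iptables -S`/`iptables-save` output, which renders every rule as `-A`, neither `-I INPUT 1 …` string can match, so I would store `"-A INPUT -d {ip} -p tcp --dport 179 -j DROP"` with `ip` taken from the topology's loopback1 entry (exact `tbinfo` path not visible here) and put the v6 counterpart in the IPv6 list. Separately, a `-d`-only match blocks sessions to loopback1 but not ones a ToR initiates from it, which is worth confirming against the rule in sonic-host-services#262. `generate_expected_rules` starts and ends outside the hunk.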