Kernel Stack

This chapter contains the following sections:

About Kernel Stack

Kernel Stack (kstack) uses well known Linux APIs to manage the routes and front panel ports.

Open Containers, like the Guest Shell, are Linux environments that are decoupled from the host software. You can install or modify software within that environment without impacting the host software packages.

Guidelines and Limitations

Using the Kernel Stack has the following guidelines and limitations:

  • Guest Shell, other open containers, and the host Bash Shell use Kernel Stack (kstack).

  • Open containers start in the host default namespace

    • Other network namespaces might be accessed by using the setns system call

    • The nsenter and ip netns exec utilities can be used to execute within the context of a different network namespace.

    • The PIDs and identify options for the ip netns command do not work without modification because of the file system device check. A vrfinfo utility is provided to give the network administrator the same information.

  • Open containers may read the interface state from /proc/net/dev or use other normal Linux utilities such as netstat or ifconfig without modification. This provides counters for packets that have initiated / terminated on the switch.

  • Open containers may use ethtool –S to get extended statistics from the net devices. This includes packets switched through the interface.

  • Open containers may run packet capture applications like tcpdump to capture packets initiated from or terminated on the switch.

  • There is no support for networking state changes (interface creation/deletion, IP address configuration, MTU change, etc.) from the Open containers

  • IPv4 and IPv6 are supported

  • Raw PF_PACKET is supported

  • Well-known ports (0-15000) may only be used by one stack (Netstack or kstack) at a time, regardless of the network namespace.

  • There is no IP connectivity between Netstack and kstack applications. This is a host limitation which also applies to open containers.

  • Open containers are not allowed to send packets directly over an Ethernet out-of-band channel (EOBC) interface to communicate with the linecards or standby Sup.

  • From within an open container, direct access to the EOBC interface used for internal communication with linecards or the standby supervisor. The host bash shell should be used if this access is needed.

  • The management interface (mgmt0) is represented as eth1 in the kernel netdevices.

  • Use of the VXLAN overlay interface (NVE x) is not supported for applications utilizing the kernel stack. NX-OS features, including CLI commands, are able to use this interface via netstack.

    For more information about the NVE interface, see the Cisco Nexus 9000 Series NX-OS VXLAN Configuration Guide.

Changing the Port Range

Netstack and kstack divide the port range between them. The default port ranges are as follows:

  • Kstack—15001 to 58000

  • Netstack—58001 to 65535


    Note

    Within this range 63536 to 65535 are reserved for NAT.


Procedure

Command or Action Purpose

[no] sockets local-port-range start-port end-port

This command modifies the port range for kstack. This command does not modify the Netstack range.

Example

The following example sets the kstack port range:

switch# sockets local-port-range 15001 25000

What to do next

After you have entered the command, be aware of the following issues:

  • Reload the switch after entering the command.

  • Leave a minimum of 7000 ports unallocated which are used by Netstack.

  • Specify the start-port as 15001 or the end-port as 65535 to avoid holes in the port range.