Merge remote-tracking branch 'origin/stage' into air-testing

.gitignore

@@ -52,6 +52,10 @@ hugo
 ##################
 .vscode/*
 
+# PyCharm Related #
+##################
+.idea/*
+
 # Common Python Venv #
 ######################
 venv/*

config.yml

@@ -12,8 +12,8 @@ enableRobotsTXT: True
 disableKinds: ["RSS", "taxonomy", "term"]
 
 Params:
-  cl_latest: "cumulus-linux-510"
-  netq_latest: "cumulus-netq-411"
+  cl_latest: "cumulus-linux-511"
+  netq_latest: "cumulus-netq-412"
   #sonic_latest: "sonic-202012"
   nvue_latest: "nvue-reference"
   air_latest: "nvidia-air"

content/cumulus-linux-50/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md

@@ -32,9 +32,9 @@ Cumulus Linux supports:
 - Hardware time stamping for PTP packets. This allows PTP to avoid inaccuracies caused by message transfer delays and improves the accuracy of time synchronization.
 
 {{%notice note%}}
-- On NVIDIA switches with Spectrum-2 and later, PTP is not supported on 1G interfaces.
 - You cannot run *both* PTP and NTP on the switch.
 - PTP supports the default VRF only.
+- 1G links might have a lower accuracy for PTP due to hardware limitations. If your application needs high accuracy from PTP, use higher link speeds.
 {{%/notice%}}
 
 ## Basic Configuration

content/cumulus-linux-51/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md

@@ -32,9 +32,9 @@ Cumulus Linux supports:
 - Hardware time stamping for PTP packets. This allows PTP to avoid inaccuracies caused by message transfer delays and improves the accuracy of time synchronization.
 
 {{%notice note%}}
-- On NVIDIA switches with Spectrum-2 and later, PTP is not supported on 1G interfaces.
 - You cannot run *both* PTP and NTP on the switch.
 - PTP supports the default VRF only.
+- 1G links might have a lower accuracy for PTP due to hardware limitations. If your application needs high accuracy from PTP, use higher link speeds.
 {{%/notice%}}
 
 ## Basic Configuration

content/cumulus-linux-510/Installation-Management/Upgrading-Cumulus-Linux.md

@@ -111,9 +111,13 @@ To back up and restore the configuration file:
 
    ```
    cumulus@switch:~$ nv config patch /home/cumulus/startup.yaml
-   cumulus@switch:~$ sudo systemctl restart nvued.service
+   cumulus@switch:~$ nv config apply
    ```
 
+{{%notice note%}}
+When you restore an NVUE configuration file that includes TACACS, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with the `systemctl restart nvued.service` command.
+{{%/notice%}}
+
 For information about the NVUE object model and commands, see {{<link url="NVIDIA-User-Experience-NVUE" text="NVIDIA User Experience - NVUE">}}.
 
 {{%notice note%}}

content/cumulus-linux-510/Layer-2/Link-Layer-Discovery-Protocol.md

@@ -184,6 +184,32 @@ cumulus@switch:~$ sudo systemctl restart lldpd
 - The `-M 4` option sends a field in discovery packets to indicate that the switch is a network device.
 {{%/notice%}}
 
+## Change CDP Settings
+
+Cumulus Linux provides support for <span class="a-tooltip">[CDP](## "Cisco Discovery Protocol ")</span> so that the switch can advertise information about itself with Cisco routers that do not support LLDP. By default, the Cumulus Linux switch sends CDP packets only if the peer sends CDP packets. You can change this setting by replacing `-c` in the `/etc/default/lldpd` file with one of the following options:
+
+| Option | Description |
+|--------|-------------|
+| -cc    | The Cumulus Linux switch sends CDPv1 packets even when there is no detected CDP peer. |
+| -ccc   | The Cumulus Linux switch sends CDPv2 packets even when there is no detected CDP peer. |
+| -cccc  | The Cumulus Linux switch disables CDPv1 and enables CDPv2. |
+| -ccccc | The Cumulus Linux switch disables CDPv1 and forces CDPv2. |
+
+The following example changes the CDP setting to `-ccc` so that the switch sends CDPv2 packets even when there is no detected CDP peer:
+
+```
+cumulus@switch:~$ sudo nano /etc/default/lldpd
+...
+# Enable CDP by default
+DAEMON_ARGS="-ccc -x -M 4"
+```
+
+You must restart the `lldpd` service for the changes to take effect.
+
+```
+cumulus@switch:~$ sudo systemctl restart lldpd
+```
+
 ## Set LLDP Mode
 
 By default, the `lldpd` service sends LLDP frames unless it detects a CDP peer, then it sends CDP frames. You can change this behavior and configure the `lldpd` service to send only CDP frames or only LLDP frames.

content/cumulus-linux-510/Layer-3/VRFs/Management-VRF.md

@@ -38,81 +38,62 @@ Running `ifreload -a` disconnects the session for any interface configured as *a
 
 ## Run Services within the Management VRF
 
-At installation, the only two enabled services that run in the management VRF are NTP (`[email protected]`) and netqd (`netqd@mgmt`). However, you can run a variety of services within the management VRF instead of the default VRF. When you run a `systemd` service inside the management VRF, that service runs **only** on eth0. You cannot configure the same service to run in both the management VRF and the default VRF; you must stop and disable the normal service with `systemctl`.
+Most default services in Cumulus Linux are VRF aware. If you want to run a service within the management VRF instead of the default VRF, run the following commands:
 
-You must disable the following services in the default VRF if you want to run them in the management VRF:
-
-- chef-client
-- collectd
-- hsflowd
-- netq-agent
-- netq-notifier
-- puppet
-- snmpd
-- snmptrapd
-- ssh
-- zabbix-agent
-
-You can configure certain services (such as `snmpd`) to use multiple routing tables, some in the management VRF, some in the default or additional VRFs. The kernel provides a `sysctl` that allows a single instance to accept connections over all VRFs.
-
-{{%notice note%}}
-For TCP, connected sockets bind to the VRF on which the first packet arrives.
-{{%/notice%}}
-
-The following steps show how to enable the SNMP service to run in the management VRF. You can enable any of the services listed above, except for `dhcrelay` (see {{<link url="DHCP-Relays">}}).
-
-1. If SNMP is running, stop the service:
+1. If the service is running, stop the service:
 
     ```
-    cumulus@switch:~$ sudo systemctl stop snmpd.service
+    cumulus@switch:~$ sudo systemctl stop <service>.service
     ```
 
-2. Disable SNMP from starting automatically in the default VRF:
+2. Disable the service from starting automatically in the default VRF:
 
     ```
-    cumulus@switch:~$ sudo systemctl disable snmpd.service
+    cumulus@switch:~$ sudo systemctl disable <service>.service
     ```
 
-3. Start SNMP in the management VRF:
+3. Start the service in the management VRF:
 
     ```
-    cumulus@switch:~$ sudo systemctl start snmpd@mgmt.service
+    cumulus@switch:~$ sudo systemctl start <service>@mgmt.service
     ```
 
-4. Enable `snmpd@mgmt` so that it starts when the switch boots:
+4. Enable the service in the management VRF so that it starts when the switch boots:
 
     ```
-    cumulus@switch:~$ sudo systemctl enable snmpd@mgmt.service
+    cumulus@switch:~$ sudo systemctl enable <service>@mgmt.service
     ```
 
-5. Verify that the SNMP service is running in the management VRF:
-
-    ```
-    cumulus@switch:~$ ps aux | grep snmpd
-    snmp      3083  0.1  1.9  35916 13292 ?        Ss   21:07   0:00 /usr/sbin/snmpd -y -LS 0-4 d -Lf /dev/null -u snmp -g snmp -I -smux -p /run/snmpd.pid -f
-    cumulus   3225  0.0  0.1   6076   884 pts/0    S+   21:07   0:00 grep snmpd
-    ```
+5. Verify that the service is running in the management VRF with the `ps aux | grep <service>` command.
 
 Run the following command to show the process IDs associated with the management VRF:
 
 ```
 cumulus@switch:~$ ip vrf pids mgmt
-1149  ntpd
- 1159  login
- 1227  bash
-16178  vi
-  948  dhclient
-20934  sshd
-20975  bash
-21343  sshd
-21384  bash
-21477  ip
+ 2559  login
+ 2753  bash
+ 2045  dhclient
+ 5421  sshd
+ 5462  sshd
+ 5463  bash
+37691  sshd
+37732  sshd
+37735  bash
+55679  sshd
+55720  sshd
+55721  bash
+55993  ip
+ 3834  ntpd
+ 2023  python3
+ 2563  netqd
+ 1855  login
+ 2770  bash
 ```
 
 Run the following command to show the VRF association of the specified process:
 
 ```
-cumulus@switch:~$ ip vrf identify 2055
+cumulus@switch:~$ ip vrf identify 2045
 mgmt
 ```
 

content/cumulus-linux-510/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Enhancements.md

@@ -771,6 +771,89 @@ switch# exit
 You can only match type-2 and type-5 routes based on VNI.
 {{%/notice%}}
 
+## BGP Neighbor Prefix Limits for EVPN
+
+Cumulus Linux provides commands to control the number of inbound prefixes allowed from a BGP neighbor for EVPN.
+
+To configure inbound prefix limits, set:
+- The maximum inbound prefix limit from the BGP neighbor. You can set a value between 0 and 4294967295 or `none`.
+- When to generate a warning syslog message and bring down the BGP session. This is a percentage of the maximum inbound prefix limit. You can set a value between 0 and 100. Alternatively, you can configure the switch to generate a warning syslog message only **without** bringing down the BGP session.
+- The time in seconds to wait before establishing the BGP session again with the neighbor. The default value is `auto`, which uses standard BGP timers and processing (typically between 2 and 3 seconds). You can set a value between 1 and 65535.
+
+Before you configure a prefix limit, determine how many routes the remote BGP neighbor typically sends and set a threshold that is slightly higher than the number of BGP prefixes you expect to receive during normal operations.
+
+{{< tabs "TabID781" >}}
+{{< tab "NVUE Commands" >}}
+
+The following example sets the maximum inbound prefix limit from the neighbor swp51 to 3, generates a warning syslog message and brings down the BGP session when the number of prefixes received reaches 50 percent of the maximum limit. After 60 seconds, the BGP session with the peer reestablishes.
+
+```
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound maximum 3
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound warning-threshold 50
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound reestablish-wait 60
+cumulus@switch:~$ nv config apply
+```
+
+The following example sets the maximum inbound prefix limit from peer swp51 to 3 and generates a warning syslog message only (without bringing down the BGP session) when the number of prefixes received reaches 50 percent of the maximum limit.
+
+```
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound maximum 3
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound warning-threshold 50
+cumulus@switch:~$ nv set vrf default router bgp neighbor swp51 address-family l2vpn-evpn prefix-limits inbound warning-only on
+cumulus@switch:~$ nv config apply
+```
+
+{{< /tab >}}
+{{< tab "vtysh Commands" >}}
+
+The following example sets the maximum inbound prefix limit from the neighbor swp51 to 3, generates a warning syslog message and brings down the BGP session when the number of prefixes received reaches 50 percent of the maximum limit. After 1 minute, the BGP session with the peer reestablishes.
+
+```
+cumulus@switch:~$ sudo vtysh
+...
+switch# configure terminal
+switch(config)# router bgp 65101
+switch(config-router)# address-family l2vpn evpn 
+switch(config-router-af)# neighbor swp51 maximum-prefix 3 50 restart 1
+switch(config-router-af)# end
+switch# write memory
+switch# exit
+```
+
+You can use the `force` option (`neighbor swp51 maximum-prefix 3 50 restart 1 force`) to force check all received routes, not only accepted routes.
+
+The following example sets the maximum inbound prefix limit from peer swp51 to 3, and generates a warning syslog message only (without bringing down the BGP session) when the number of prefixes received reaches 50 percent of the maximum limit.
+
+```
+cumulus@switch:~$ sudo vtysh
+...
+switch# configure terminal
+switch(config)# router bgp 65101
+switch(config-router)# address-family l2vpn evpn 
+switch(config-router-af)# neighbor swp51 maximum-prefix 3 50 warning-only 
+switch(config-router-af)# end
+switch# write memory
+switch# exit
+```
+
+You can use the `force` option (`neighbor swp51 maximum-prefix 3 50 warning-only force`) to force check all received routes, not only accepted routes.
+
+The vtysh commands save the configuration in the `/etc/frr/frr.conf` file. For example:
+
+```
+cumulus@switch:~$ sudo cat /etc/frr/frr.conf
+...
+address-family l2vpn evpn
+advertise-all-vni
+neighbor peerlink.4094 activate
+neighbor swp51 activate
+neighbor swp51 maximum-prefix 5 warning-only
+...
+```
+
+{{< /tab >}}
+{{< /tabs >}}
+
 ## Advertise SVI IP Addresses
 
 In a typical EVPN deployment, you *reuse* SVI IP addresses on VTEPs across multiple racks. However, if you use *unique* SVI IP addresses across multiple racks and you want the local SVI IP address to be reachable via remote VTEPs, you can enable the advertise SVI IP and MAC address option. This option advertises the SVI IP and MAC address as a type-2 route and eliminates the need for any flooding over VXLAN to reach the IP address from a remote VTEP or rack.

content/cumulus-linux-510/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md

@@ -82,7 +82,7 @@ EVPN multihoming supports the following route types.
 | 2 | MAC/IP advertisement route | {{<exlink url="https://tools.ietf.org/html/rfc7432" text="RFC 7432">}} |
 | 3 | Inclusive multicast route | {{<exlink url="https://tools.ietf.org/html/rfc7432" text="RFC 7432">}} |
 | 4 | Ethernet segment route | {{<exlink url="https://tools.ietf.org/html/rfc7432" text="RFC 7432">}} |
-| 5 | IP prefix route | {{<exlink url="https://tools.ietf.org/html/draft-ietf-bess-evpn-prefix-advertisement-04" text="draft-ietf-bess-evpn-prefix-advertisement-04">}} |
+| 5 | IP prefix route | {{<exlink url="https://tools.ietf.org/html/rfc9136" text="RFC 9136">}} |
 
 ### Unsupported Features
 

content/cumulus-linux-510/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/_index.md

@@ -6,7 +6,7 @@ toc: 3
 ---
 VXLAN enables layer 2 segments to extend over an IP core (the underlay). The initial definition of VXLAN ({{<exlink url="https://tools.ietf.org/html/rfc7348" text="RFC 7348">}}) does not include any control plane and relied on a flood-and-learn approach for MAC address learning.
 
-<span class="a-tooltip">[EVPN](## "Ethernet Virtual Private Network")</span> is a standards-based control plane for VXLAN defined in {{<exlink url="https://tools.ietf.org/html/rfc7432" text="RFC 7432">}} and {{<exlink url="https://datatracker.ietf.org/doc/draft-ietf-bess-evpn-overlay/" text="draft-ietf-bess-evpn-overlay">}} that allows for building and deploying VXLANs at scale. It relies on multi-protocol BGP (MP-BGP) to exchange information and uses BGP-MPLS IP VPNs ({{<exlink url="https://tools.ietf.org/html/rfc4364" text="RFC 4364">}}). It enables not only bridging between end systems in the same layer 2 segment but also routing between different segments (subnets). There is also inherent support for multi-tenancy.
+<span class="a-tooltip">[EVPN](## "Ethernet Virtual Private Network")</span> is a standards-based control plane for VXLAN defined in {{<exlink url="https://tools.ietf.org/html/rfc7432" text="RFC 7432">}} and {{<exlink url="https://datatracker.ietf.org/doc/html/rfc8365" text="RFC 8365">}} that allows for building and deploying VXLANs at scale. It relies on multi-protocol BGP (MP-BGP) to exchange information and uses BGP-MPLS IP VPNs ({{<exlink url="https://tools.ietf.org/html/rfc4364" text="RFC 4364">}}). It enables not only bridging between end systems in the same layer 2 segment but also routing between different segments (subnets). There is also inherent support for multi-tenancy.
 
 Cumulus Linux installs the routing control plane (including EVPN) as part of the {{<exlink url="https://frrouting.org/" text="FRR">}} package. For more information about FRR, refer to {{<link url="FRRouting">}}.
 

content/cumulus-linux-510/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md

@@ -311,10 +311,10 @@ cumulus@switch:~$ nv config apply
 {{< /tab >}}
 {{< tab "Linux Commands ">}}
 
-1. Edit the `/etc/audisp/plugins.d/audisp-tacplus.conf` file and change the `active` parameter to `no`:
+1. Edit the `/etc/audit/plugins.d/audisp-tacplus.conf` file and change the `active` parameter to `no`:
 
    ```
-   cumulus@switch:~$ sudo nano /etc/audisp/plugins.d/audisp-tacplus.conf
+   cumulus@switch:~$ sudo nano /etc/audit/plugins.d/audisp-tacplus.conf
    ...
    # default to enabling tacacs accounting; change to no to disable
    active = no

content/cumulus-linux-510/System-Configuration/Date-and-Time/Network-Time-Protocol-NTP.md

@@ -68,9 +68,19 @@ To check the NTP peer status:
 {{< tab "NVUE Commands ">}}
 
 ```
-cumulus@switch:~$ nv show service ntp default server
+cumulus@switch:~$ nv show service ntp mgmt server
+                 delay    iburst  jitter  offset   peer-state  poll  reach  refid         stratum  type  when
+---------------  -------  ------  ------  -------  ----------  ----  -----  ------------  -------  ----  ----
+23.157.160.168   67.4257          2.3843  -3.9378  -           128   377    129.6.15.28   2        u     41  
+50.205.57.38     72.6007          1.0799  -1.8208  *           128   377    .GPS.         1        u     63  
+h134-215-155-17  59.4988          2.3081  -2.6286  +           128   377    216.239.35.0  2        u     15  
+li1150-42.membe  40.9645          0.4877  -1.9565  +           64    376    129.7.1.66    2        u     162
 ```
 
+{{%notice note%}}
+The `nv show service ntp <vrf-id> pool` command shows information about the configured NTP pools. However, this command does not show an accurate representation of the connectivity state to the NTP reference clocks on the network. To show the actual state of the NTP reference servers discovered by the switch, run the `nv show service ntp <vrf-id> server` command.
+{{%/notice%}}
+
 {{< /tab >}}
 {{< tab "Linux Commands ">}}
 

content/cumulus-linux-510/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md

@@ -35,6 +35,7 @@ Cumulus Linux supports:
 - You cannot run *both* PTP and NTP on the switch.
 - PTP supports the default VRF only.
 - PTP on the NVIDIA SN5400 switch is in BETA
+- 1G links might have a lower accuracy for PTP due to hardware limitations. If your application needs high accuracy from PTP, use higher link speeds.
 {{%/notice%}}
 
 ## Basic Configuration
@@ -474,6 +475,7 @@ Cumulus Linux PTP has an option to use a servo specifically designed to handle t
 - Cumulus Linux supports Noise Transfer Servo on Spectrum ASICs that support SyncE.
 - NVIDIA recommends you do not change the default Noise Transfer Servo configuration parameters.
 - NVIDIA recommends you use Noise Transfer Servo with PTP Telecom profiles. If you use other profiles or choose not to use a profile, make sure to set the sync interval to -3 or better.
+- When you enable Noise Transfer Servo, the PTP log reporting offset is one every two seconds instead of one every second.
 {{%/notice%}}
 
 To enable Noise Transfer Servo:

content/cumulus-linux-510/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md

@@ -29,6 +29,10 @@ cumulus@switch:~$ nv set platform pulse-per-second in state enabled
 cumulus@switch:~$ nv config apply
 ```
 
+{{%notice note%}}
+When you enable PPS In, the PTP log reporting offset is one every two seconds instead of one every second.
+{{%/notice%}}
+
 {{< /tab >}}
 {{< tab "Enable PPS Out ">}}
 

content/cumulus-linux-510/System-Configuration/System-Power.md

@@ -4,14 +4,14 @@ author: NVIDIA
 weight: 295
 toc: 3
 ---
-In certain situations, you might need to power off the switch instead of rebooting. To power off the switch, you can run the Linux `poweroff` command.
+In certain situations, you might need to power off the switch instead of rebooting. To power off the switch, run the `cl-poweroff` command, which shuts down the switch.
 
 ```
-cumulus@switch:~$ sudo poweroff
+cumulus@switch:~$ sudo cl-poweroff
 ```
 
-When you run the Linux `poweroff` command on the SN2201, SN2010, SN2100, SN2100B, SN3420, SN3700, SN3700C, SN4410, SN4600C, SN4600, SN4700, SN5400 or SN5600 switch, the switch reboots instead of powering off. To power off the switch, run the `cl-poweroff` command instead. The `cl-poweroff` command performs a hard *abrupt* power down instead of a graceful power down.
+Alternatively, you can run the Linux `poweroff` command, which gracefully shuts down the switch (the switch LEDs stay on). On certain switches, such as the NVIDIA SN2201, SN2010, SN2100, SN2100B, SN3420, SN3700, SN3700C, SN4410, SN4600C, SN4600, SN4700, SN5400, or SN5600, the switch reboots instead of powering off.
 
 ```
-cumulus@switch:~$ sudo cl-poweroff
+cumulus@switch:~$ sudo poweroff
 ```

content/cumulus-linux-510/Whats-New/_index.md

@@ -22,7 +22,7 @@ Cumulus Linux 5.10.1 provides {{<link title="Cumulus Linux 5.10 Packages" text="
 
 ### Platforms
 
-NVIDIA SN5400 (400G Spectrum-4)
+NVIDIA SN5400 (400G Spectrum-4) - C2P (connnector-to-power) version only
 
 {{%notice note%}}
 {{<link url="Precision-Time-Protocol-PTP" text="PTP">}} and {{<link url="Pulse-Per-Second-PPS" text="PPS">}} on the NVIDIA SN5400 switch are in BETA.