+
+
+
+
+ +
+
+
+
+
+ ` Add ACL table](#config-acl-add-table-table_name-table_type-add-acl-table)
+ - [`config acl remove table ` Remove ACL table](#config-acl-remove-table-table_name-remove-acl-table)
+ - [`config acl update` Update ACL rules](#config-acl-update-update-acl-rules)
+ - [`acl-loader` Update ACL rules](#acl-loader-update-acl-rules)
+ - [`aclshow` Show ACL rule counters](#aclshow-show-acl-rule-counters)
+ - [`config mirror_session` Configure everflow mirror session](#config-mirror_session-configure-everflow-mirror-session)
+- [Test structure](#test-structure)
+ - [Overall structure](#overall-structure)
+ - [Prepare some variables for testing](#prepare-some-variables-for-testing)
+ - [Add everflow configuration](#add-everflow-configuration)
+ - [ACL tables](#acl-tables)
+ - [Mirror sessions](#mirror-sessions)
+ - [ACL rules](#acl-rules)
+ - [Run test](#run-test)
+ - [PTF Test](#ptf-test)
+- [Test cases](#test-cases)
+ - [Test case \#1 - Packets mirrored to best match resolved route](#test-case-1---packets-mirrored-to-best-match-resolved-route)
+ - [Test objective](#test-objective)
+ - [Test steps](#test-steps)
+ - [Test case \#2 - Change neighbor MAC address.](#test-case-2---change-neighbor-mac-address)
+ - [Test objective](#test-objective-1)
+ - [Test steps](#test-steps-1)
+ - [Test case \#3 - ECMP route change (remove next hop not used by session).](#test-case-3---ecmp-route-change-remove-next-hop-not-used-by-session)
+ - [Test objective](#test-objective-2)
+ - [Test steps](#test-steps-2)
+ - [Test case \#4 - ECMP route change (remove next hop used by session).](#test-case-4---ecmp-route-change-remove-next-hop-used-by-session)
+ - [Test objective](#test-objective-3)
+ - [Test steps](#test-steps-3)
+ - [Test case \#5 - Policer enforced DSCP value/mask test.](#test-case-5---policer-enforced-dscp-valuemask-test)
+ - [Test objective](#test-objective-4)
+ - [Test steps](#test-steps-4)
+- [TODO](#todo)
+- [Open Questions](#open-questions)
+
+## Overview
+
+This document is an updated version of the existing everflow test plan: https://github.com/Azure/SONiC/wiki/Everflow-test-plan
+
+The purpose is to test functionality of Everflow on the SONIC switch DUT with and without LAGs configured, closely resembling production environment.
+The test assumes all necessary configuration, including Everflow session and ACL rules, LAG configuration and BGP routes, are already pre-configured on the SONIC switch before test runs.
+
+### Scope
+The test is targeting a running SONIC system with fully functioning configuration.
+The purpose of the test is not to test specific SAI API, but functional testing of Everflow on SONiC system, making sure that traffic flows correctly, according to BGP routes advertised by BGP peers of SONIC switch, and the LAG configuration.
+
+NOTE: Everflow+LAG test will be able to run **only** in the testbed specifically created for LAG.
+
+### Summary of the existing everflow test plan
+
+The existing everflow scripts:
+```
+ansible/
+ roles/
+ test/
+ tasks/
+ everflow_testbed.yml
+ everflow_testbed/
+ apply_config/
+ acl_rule_persistent.json
+ expect_messages.txt
+ del_config/
+ acl_rule_persistent-del.json
+ acl_rule_persistent.json
+ acl_table.json
+ expect_messages.txt
+ session.json
+ apply_config.yml
+ del_config.yml
+ get_neighbor_info.yml
+ get_port_info.yml
+ get_session_info.yml
+ run_test.yml
+ testcase_1.yml
+ testcase_2.yml
+ testcase_3.yml
+ testcase_4.yml
+ testcase_5.yml
+ testcase_6.yml
+ testcase_7.yml
+ testcase_8.yml
+ files/
+ acstests/
+ everflow_tb_test.py
+ everflow_policer_test.py
+```
+
+The existing everflow test plan only covers ingress mirroring. ACL rules are added to ACL table of type "MIRROR". And by default, packets are only checked against the ACL rules on ingress stage. On ports that are bound to everflow ACL table, any ingress packets hitting the ACL rules are copied to associated mirror destination in GRE tunnel.
+
+Two packet directions are covered in the exist testing: SPINE -> TOR ports and TOR -> SPINE ports. When the injected packets hit any of the configured ACL rules in the ingress stage, the packets will be mirrored to configured mirror destination. GRE tunnel is used for sending mirrored packets with src, dst IP and other parameters configured in the mirror session. Below test cases are used for verifying that the DUT switch can properly forwarded the mirrored packets according to different routing configurations for mirror session destination.
+
+Example ACL table in config_db for everflow testing, type of the table is `MIRROR`:
+```
+{
+ "ACL_TABLE": {
+ "EVERFLOW": {
+ "policy_desc": "EVERFLOW",
+ "ports": [
+ "Ethernet100",
+ "Ethernet104",
+ "Ethernet92",
+ "Ethernet96",
+ "Ethernet84",
+ "Ethernet88",
+ "Ethernet76",
+ "Ethernet80",
+ "Ethernet108",
+ "Ethernet112",
+ "Ethernet64",
+ "Ethernet60",
+ "Ethernet52",
+ "Ethernet48",
+ "Ethernet44",
+ "Ethernet40",
+ "Ethernet36",
+ "Ethernet120",
+ "Ethernet116",
+ "Ethernet56",
+ "Ethernet124",
+ "Ethernet72",
+ "Ethernet68",
+ "Ethernet24",
+ "Ethernet20",
+ "Ethernet16",
+ "Ethernet12",
+ "Ethernet8",
+ "Ethernet4",
+ "Ethernet0",
+ "Ethernet32",
+ "Ethernet28"
+ ],
+ "type": "MIRROR"
+ }
+ }
+}
+```
+
+Example ACL rules in config_db for everflow testing, action field and value of the ACL rules is `MIRROR_ACTION: `:
+```
+{
+ "ACL_RULE": {
+ "EVERFLOW|RULE_1": {
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9999",
+ "SRC_IP": "20.0.0.10/32"
+ },
+ "EVERFLOW|RULE_2": {
+ "DST_IP": "30.0.0.10/32",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9998"
+ },
+ "EVERFLOW|RULE_3": {
+ "L4_SRC_PORT": "4661",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9997"
+ },
+ "EVERFLOW|RULE_4": {
+ "L4_DST_PORT": "4661",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9996"
+ },
+ "EVERFLOW|RULE_5": {
+ "ETHER_TYPE": "4660",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9995"
+ },
+ "EVERFLOW|RULE_6": {
+ "IP_PROTOCOL": "126",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9994"
+ },
+ "EVERFLOW|RULE_7": {
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9993",
+ "TCP_FLAGS": "0x12/0x12"
+ },
+ "EVERFLOW|RULE_8": {
+ "L4_SRC_PORT_RANGE": "4672-4681",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9992"
+ },
+ "EVERFLOW|RULE_9": {
+ "L4_DST_PORT_RANGE": "4672-4681",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9991"
+ },
+ "EVERFLOW|RULE_10": {
+ "DSCP": "51",
+ "MIRROR_ACTION": "test_session_1",
+ "PRIORITY": "9990"
+ }
+ }
+}
+```
+
+Examples of show the ACL table and rules configuration from command line:
+```
+$ show acl table EVERFLOW
+Name Type Binding Description
+-------- ------ ----------- -------------
+EVERFLOW MIRROR Ethernet0 EVERFLOW
+ Ethernet4
+ Ethernet8
+ Ethernet12
+ Ethernet16
+ Ethernet20
+ Ethernet24
+ Ethernet28
+ Ethernet32
+ Ethernet36
+ Ethernet40
+ Ethernet44
+ Ethernet48
+ Ethernet52
+ Ethernet56
+ Ethernet60
+ Ethernet64
+ Ethernet68
+ Ethernet72
+ Ethernet76
+ Ethernet80
+ Ethernet84
+ Ethernet88
+ Ethernet92
+ Ethernet96
+ Ethernet100
+ Ethernet104
+ Ethernet108
+ Ethernet112
+ Ethernet116
+ Ethernet120
+ Ethernet124
+$ show acl rule
+Table Rule Priority Action Match
+-------- ------- ---------- ---------------------- ----------------------------
+EVERFLOW RULE_1 9999 MIRROR: test_session_1 SRC_IP: 20.0.0.10/32
+EVERFLOW RULE_2 9998 MIRROR: test_session_1 DST_IP: 30.0.0.10/32
+EVERFLOW RULE_3 9997 MIRROR: test_session_1 L4_SRC_PORT: 4661
+EVERFLOW RULE_4 9996 MIRROR: test_session_1 L4_DST_PORT: 4661
+EVERFLOW RULE_5 9995 MIRROR: test_session_1 ETHER_TYPE: 4660
+EVERFLOW RULE_6 9994 MIRROR: test_session_1 IP_PROTOCOL: 126
+EVERFLOW RULE_7 9993 MIRROR: test_session_1 TCP_FLAGS: 0x12/0x12
+EVERFLOW RULE_8 9992 MIRROR: test_session_1 L4_SRC_PORT_RANGE: 4672-4681
+EVERFLOW RULE_9 9991 MIRROR: test_session_1 L4_DST_PORT_RANGE: 4672-4681
+EVERFLOW RULE_10 9990 MIRROR: test_session_1 DSCP: 51
+```
+
+Existing test cases:
+* testcase 1 - Resolved route
+* testcase 2 - Longer prefix route with resolved next hop
+* testcase 3 - Remove longer prefix route
+* testcase 4 - Change neighbor MAC address
+* testcase 5 - Resolved ECMP route
+* testcase 6 - ECMP route change (remove next hop not used by session)
+* testcase 7 - ECMP route change (remove next hop used by session)
+* testcase 8 - Policer enforced DSCP value/mask test
+
+### Extend the test plan to cover both ingress and egress mirroring
+
+#### What new enhancements need to be covered?
+
+##### Egress ACL table
+In Jan 2019, egress ACL table support is added (https://github.com/Azure/SONiC/pull/322, https://github.com/Azure/sonic-swss/pull/741) to SONiC. Then ACL table can have an extra field `stage` indicting on which stage will the ACL rules be checked against packets. If the `stage` is ignored or is set to 'ingress', the behavior is same as before, ingress packets will be checked against ACL rules. If the `stage` field is set to 'egress', then on ports bound to ACL table, egress packets will be checked against the ACL rules and will be handled according to the action configured for the ACL rules. The action could be `PACKET_ACTION` or `MIRROR_ACTION`.
+
+##### Egress mirroring
+Besides the egress ACL table support, a recent enhancement (Design: https://github.com/Azure/SONiC/pull/411 Implementations: https://github.com/Azure/sonic-swss/pull/963 https://github.com/Azure/sonic-utilities/pull/575) added egress mirroring support. This enhancement added two ACL rule action types based on the existing mirroring action `MIRROR_ACTION`:
+* MIRROR_INGRESS_ACTION
+* MIRROR_EGRESS_ACTION
+
+The `MIRROR_INGRESS_ACTION` type new. But its behavior is same as the existing ingress mirroring. Packets hit ACL rule will be mirrored at the ingress stage.
+The `MIRROR_EGRESS_ACTION` is a new action type which is for egress mirroring. It means that on ports bound to everflow ACL table, when packets hit ACL rules of that table, the packets will be mirrored at the egress stage. The original `MIRROR_ACTION` is kept for backward compatibility and it is implicitly set to "ingress" by default.
+
+Combining these two enhancements, there are 4 scenarios for everflow.
+1. ACL table of type `MIRROR` have `stage` field ignored or set to "ingress". Action type of ACL_RULE is `MIRROR_ACTION` or `MIRROR_INGRESS_ACTION`.
+2. ACL table of type `MIRROR` have `stage` field ignored or set to "ingress". Action type of ACL_RULE is `MIRROR_EGRESS_ACTION`.
+3. ACL table of type `MIRROR` have `stage` field set to "egress". Action type of ACL_RULE is `MIRROR_ACTION` or `MIRROR_INGRESS_ACTION`.
+4. ACL table of type `MIRROR` have `stage` field set to "egress". Action type of ACL_RULE is `MIRROR_EGRESS_ACTION`.
+
+Expected behaviors for the combinations:
+
+| - | ACL table stage: ingress | ACL table stage: egress |
+| ---------------------------------- | -------------------------------------------------------- | ------------------------------------------------------ |
+| Action type: MIRROR_INGRESS_ACTION | Ingress packets hit ACL rules, mirrored at ingress stage | Not applicable |
+| Action type: MIRROR_EGRESS_ACTION | Ingress packets hit ACL rules, mirrored at egress stage | Egress packets hit ACL rules, mirrored at egress stage |
+
+Since not all the combinations are supported by all vendors, the enhancement also added ACL capability detection. The supported ACL action types at different stage are detected and stored in redis. The below is an example of showing detected capabilities:
+```
+$ redis-cli -n 6 hgetall 'SWITCH_CAPABILITY|switch'
+ 1) "MIRROR"
+ 2) "true"
+ 3) "MIRRORV6"
+ 4) "true"
+ 5) "ACL_ACTIONS|INGRESS"
+ 6) "PACKET_ACTION,REDIRECT_ACTION,MIRROR_INGRESS_ACTION"
+ 7) "ACL_ACTIONS|EGRESS"
+ 8) "PACKET_ACTION,MIRROR_EGRESS_ACTION"
+ 9) "ACL_ACTION|PACKET_ACTION"
+1) "DROP,FORWARD"
+```
+In the above example output, two everflow combinations are supported on the platform being checked:
+* INGRESS stage, MIRROR_INGRESS_ACTION
+* EGRESS stage, MIRROR_EGRESS_ACTION
+
+This test plan needs to be extended to cover both the existing everflow function and the newly added capabilities.
+
+#### Some existing areas not covered by the existing scripts
+
+##### ACL rule for matching "IN_PORTS"
+Now the SONiC ACL rules support matching "IN_PORTS". New ACL rule for matching "IN_PORTS" need to be added and covered.
+
+#### ACL rule for matching ICMP type and code
+The SONiC ACL rules also support matching ICMP type and code. New ACL rules for matching ICMP type and code need to be added and covered. The acl-loader utility does not support ICMP type and code yet. The sonic-cfggen tool will be used for directly loading such ACL rules to config_db.
+
+##### IPv6 everflow
+The existing scripts only covered IPv6. IPv6 is also supported by SONiC now. The scripts need to be extended to cover IPv6 everflow too. To cover IPv6:
+* Everflow ACL table of type "MIRRORV6" needs to be defined and loaded during testing.
+* Different stages (ingress & egress) also need to be covered.
+* Different ACL rule mirror actions also need to be covered.
+* New set of IPv6 ACL rules need to be defined and loaded during testing.
+* The PTF script needs to be extended to inject and monitor IPv6 packets.
+
+#### How to extend the testing
+
+To cover the new enhancements, the existing scripts need to be extended:
+* The existing structure, sub-tests and PTF scripts can be reused.
+* Add new sets of configurations.
+* We can refactor the run_test.yml to run the existing sub-tests in multiple iteration. Each iteration loads a different set of ACL table and ACL rules configuration.
+* Adjust initialization of variables used in testing if needed.
+* Add a new class in the existing PTF script to inject and monitor IPv6 packets.
+* Add a sub-test and add a new class in the PTF script to cover ACL rule matching "IN_PORTS".
+
+In a summary, the extended scripts need to do below work:
+1. Firstly the script need to get capability info of the DUT from hard coded resource, then check against the detected capabilities in DB. Fail the test if capabilities do not match.
+2. Create everflow ACL table with different stage setting. Load ACL rules with different action type.
+3. Run test cases in the existing scripts (8 test cases at the time of writing).
+4. Ensure that each combination of the supported ACL table stages and ACL rule action types are covered.
+
+Summary of the possible combinations:
+
+| Combinations | ACL table stage: ingress | ACL table stage: egress |
+| ------------------------------ | ------------------------ | ----------------------- |
+| ACL Rule MIRROR_INGRESS_ACTION | [x] | N/A |
+| ACL Rule MIRROR_EGRESS_ACTION | [x] | [x] |
+
+Totally there are 3 possible combinations. Not all the combinations are supported by all platforms. The actual combinations to be tested are determined the actual DUT platform.
+
+Switch's ACL capability can be queried from DB table `SWITCH_CAPABILITY|switch`. The testing script can query ACL capability first. And then run the supported combinations, skip the unsupported combinations.
+
+For example, if query SWITCH_CAPABILITY got below results:
+```
+$ redis-cli -n 6 hgetall "SWITCH_CAPABILITY|switch"
+1) "ACL_ACTIONS|INGRESS"
+2) "PACKET_ACTION,REDIRECT_ACTION,MIRROR_ACTION_INGRESS"
+3) "ACL_ACTIONS|EGRESS"
+4) "PACKET_ACTION,MIRROR_ACTION_EGRESS"
+...
+```
+Then the platform only supports two combinations:
+* ACL table stage ingress + ACL Rule MIRROR_INGRESS_ACTION
+* ACL table stage egress + ACL Rule MIRROR_EGRESS_ACTION
+
+The third combination would be skipped on this platform.
+
+#### Combine the existing test cases
+
+Some of the existing test cases are similar and doing repetitive testing. We remove and combine them to have a shorter list of test cases:
+* Test case #1 is covered in #2, #3 and #4. It can be removed.
+* Test case #2 and #3 can be combined to one case.
+* Test case #5 is covered in #6. It can be removed.
+
+### Test configurations
+
+#### ACL table configurations
+
+New ACL tables of type MIRROR and MIRRORv6 need to be created in testing. The new ACL tables also need to set different values for their "stage" attribute.
+
+### Related **DUT** CLI commands
+
+Summary of the CLI commands that will be used for configuring DUT.
+
+#### `sonic-cfggen` Advanced config_db updating tool
+
+This is the advanced tool for updating the config_db. It can be used for adding/removing ACL tables, ACL rules, mirror sessions and many more other configurations.
+
+Some example usages:
+
+* `sonic-cfggen -j --write-to-db`: Load configuration in json format to config_db. The json file could be ACL table configuration.
+* `sonic-cfggen -d -v ACL_TABLE`: Dump current ACL_TABLE configuration from config_db.
+* `sonic-cfggen -d -v ACL_RULE`: Dump current ACL_RULE configuration from config_db.
+
+#### `config acl add table ` Add ACL table
+
+Usage: `config acl add table [OPTIONS] `
+
+This is the formal command for adding ACL table. ACL table added using this command is associated with all interfaces. If ACL table associated with a fraction of the interfaces is needed, the above `sonic-cfggen` method can be used. On versions that this formal command is not supported yet, the `sonic-cfggen` tool can be used.
+
+#### `config acl remove table ` Remove ACL table
+
+Usage: `config acl remove table [OPTIONS] `
+
+This is the formal command for removing ACL table.
+
+#### `config acl update` Update ACL rules
+
+Usages:
+* `config acl update full [OPTIONS] FILE_NAME`
+* `config acl update incremental [OPTIONS] FILE_NAME`
+
+This is the formal command for loading ACL rules configuration from file specified by the FILE_NAME.
+
+#### `acl-loader` Update ACL rules
+
+Under the hood, the `config acl update` command called this `acl-loader` tool to load ACL rules configurations. For example:
+* `acl-loader update full [--session_name= --mirror_stage=]`: Load acl rules specified in a json file to config_db.
+
+On versions that the formal `config acl update` is not supported yet, this `acl-loader` tool or the `sonic-cfggen` tool can be used.
+
+The acl-loader utility does not support load ACL rules matching ICMP type and code yet as the time of writing. The `sonic-cfggen` tool will be used for loading ACL rules matching ICMP type&code.
+
+
+#### `aclshow` Show ACL rule counters
+
+This tool is for collecting ACL rule counters. For example:
+* `aclshow -a`
+
+#### `config mirror_session` Configure everflow mirror session
+
+This tool is for configuring everflow mirror session. For example:
+* `config mirror_session add [gre_type] [queue]`
+
+## Test structure
+
+### Overall structure
+
+The extended ansible test playbook will have below parts:
+1. Prepare some variables for testing
+2. Add everflow configuration
+3. Run everflow sub-tests
+4. Clear everflow configuration
+5. Repeat steps 1-3 for other configuration scenarios
+
+The subsequent sections will have more detailed description of part
+
+### Prepare some variables for testing
+
+Firstly, some variables need to be prepared for testing. For example, the source ports for injecting traffic. The expected destination ports for mirrored packets.
+
+### Add everflow configuration
+
+Before run the sub-tests for each scenario, the scripts need to setup by loading configurations to DUT for the scenario to be covered.
+
+There will be j2 template files for generating ACL tables and ACL rules configurations. Ansible playbook will generate ACL tables and ACL rules json configuration files to DUT based on these templates, switch capability and running topology. Then commands `sonic-cfggen` and `acl-loader` can be used for loading the configurations.
+
+Different sets of configuration files will be generated for different test scenarios:
+* IPv4 in IPv4
+ * ACL table: MIRROR, ingress; IPv4 ACL rules, MIRROR_INGRESS_ACTION; Mirror session IPv4 src & dst IP address
+ * ACL table: MIRROR, ingress; IPv4 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv4 src & dst IP address
+ * ACL table: MIRROR, egress; IPv4 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv4 src & dst IP address
+* IPv4 in IPv6
+ * ACL table: MIRROR, ingress; IPv4 ACL rules, MIRROR_INGRESS_ACTION; Mirror session IPv6 src & dst IP address
+ * ACL table: MIRROR, ingress; IPv4 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv6 src & dst IP address
+ * ACL table: MIRROR, egress; IPv4 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv6 src & dst IP address
+* IPv6 in IPv4
+ * ACL table: MIRRORV6, ingress; IPv6 ACL rules, MIRROR_INGRESS_ACTION; Mirror session IPv4 src & dst IP address
+ * ACL table: MIRRORV6, ingress; IPv6 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv4 src & dst IP address
+ * ACL table: MIRRORV6, egress; IPv6 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv4 src & dst IP address
+* IPv6 in IPv6
+ * ACL table: MIRRORV6, ingress; IPv6 ACL rules, MIRROR_INGRESS_ACTION; Mirror session IPv6 src & dst IP address
+ * ACL table: MIRRORV6, ingress; IPv6 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv6 src & dst IP address
+ * ACL table: MIRRORV6, egress; IPv6 ACL rules, MIRROR_EGRESS_ACTION; Mirror session IPv6 src & dst IP address
+
+Totally there are 12 scenarios to cover. To make the scripts flexible, command line options should be added for selecting which scenarios to run.
+
+#### ACL tables
+
+For each test scenario, an ACL table configuration need to be created and loaded to DUT. Command `sonic-cfggen` can be used to load the ACL table configuration into config_db. Command syntax: `sonic-cfggen -j --write-to-db`.
+
+Example ACL table configuration files to be generated for each scenario:
+* ACL table: MIRROR, ingress
+```
+{
+ "ACL_TABLE": {
+ "EF_INGRESS": {
+ "policy_desc": "EVERFLOW ingress",
+ "ports": [
+ "Ethernet100", "Ethernet104", "Ethernet92", "Ethernet96", "Ethernet84", "Ethernet88", "Ethernet76", "Ethernet80", "Ethernet108", "Ethernet112", "Ethernet64", "Ethernet60", "Ethernet52", "Ethernet48", "Ethernet44", "Ethernet40", "Ethernet36", "Ethernet120", "Ethernet116", "Ethernet56", "Ethernet124", "Ethernet72", "Ethernet68", "Ethernet24", "Ethernet20", "Ethernet16", "Ethernet12", "Ethernet8", "Ethernet4", "Ethernet0", "Ethernet32", "Ethernet28"
+ ],
+ "type": "MIRROR",
+ "stage": "ingress"
+ }
+ }
+}
+```
+* ACL table: MIRROR, egress
+```
+{
+ "ACL_TABLE": {
+ "EF_EGRESS": {
+ "policy_desc": "EVERFLOW egress",
+ "ports": [
+ "Ethernet100", "Ethernet104", "Ethernet92", "Ethernet96", "Ethernet84", "Ethernet88", "Ethernet76", "Ethernet80", "Ethernet108", "Ethernet112", "Ethernet64", "Ethernet60", "Ethernet52", "Ethernet48", "Ethernet44", "Ethernet40", "Ethernet36", "Ethernet120", "Ethernet116", "Ethernet56", "Ethernet124", "Ethernet72", "Ethernet68", "Ethernet24", "Ethernet20", "Ethernet16", "Ethernet12", "Ethernet8", "Ethernet4", "Ethernet0", "Ethernet32", "Ethernet28"
+ ],
+ "type": "MIRROR",
+ "stage": "egress"
+ }
+ }
+}
+```
+* ACL table: MIRRORV6, ingress
+```
+{
+ "ACL_TABLE": {
+ "EFV6_INGRESS": {
+ "policy_desc": "EVERFLOW IPv6 ingress",
+ "ports": [
+ "Ethernet100", "Ethernet104", "Ethernet92", "Ethernet96", "Ethernet84", "Ethernet88", "Ethernet76", "Ethernet80", "Ethernet108", "Ethernet112", "Ethernet64", "Ethernet60", "Ethernet52", "Ethernet48", "Ethernet44", "Ethernet40", "Ethernet36", "Ethernet120", "Ethernet116", "Ethernet56", "Ethernet124", "Ethernet72", "Ethernet68", "Ethernet24", "Ethernet20", "Ethernet16", "Ethernet12", "Ethernet8", "Ethernet4", "Ethernet0", "Ethernet32", "Ethernet28"
+ ],
+ "type": "MIRRORV6",
+ "stage": "ingress"
+ }
+ }
+}
+```
+* ACL table: MIRRORV6, egress
+```
+{
+ "ACL_TABLE": {
+ "EFV6_EGRESS": {
+ "policy_desc": "EVERFLOW IPv6 egress",
+ "ports": [
+ "Ethernet100", "Ethernet104", "Ethernet92", "Ethernet96", "Ethernet84", "Ethernet88", "Ethernet76", "Ethernet80", "Ethernet108", "Ethernet112", "Ethernet64", "Ethernet60", "Ethernet52", "Ethernet48", "Ethernet44", "Ethernet40", "Ethernet36", "Ethernet120", "Ethernet116", "Ethernet56", "Ethernet124", "Ethernet72", "Ethernet68", "Ethernet24", "Ethernet20", "Ethernet16", "Ethernet12", "Ethernet8", "Ethernet4", "Ethernet0", "Ethernet32", "Ethernet28"
+ ],
+ "type": "MIRRORV6",
+ "stage": "egress"
+ }
+ }
+}
+```
+
+#### Mirror sessions
+
+For each scenario, a mirror session is required. Totally two types of mirror sessions are required for all the scenarios:
+* Mirror session using IPv4 source and destination IP addresses.
+* Mirror session using IPv6 source and destination IP addresses.
+
+The script will configure appropriate mirror session using `config mirror_session` while testing each of the scenario.
+
+Add mirror_session using IPv4 source and destination IP addresses:
+```
+$ config mirror_session add session_v4 1.1.1.1 2.2.2.2 8 64 0x6558 0
+$ acl-loader show session
+Name Status SRC IP DST IP GRE DSCP TTL Queue
+---------- -------- --------- -------- ------ ------ ----- -------
+session_v4 inactive 1.1.1.1 2.2.2.2 0x6558 8 64 0
+```
+
+Add mirror_session using IPv6 source and destination IP addresses:
+```
+$ config mirror_session add session_v6 2000::1:1:1:1 2000::2:2:2:2 8 64 0x6558 0
+$ acl-loader show session
+Name Status SRC IP DST IP GRE DSCP TTL Queue
+---------- -------- ------------- ------------- ------ ------ ----- -------
+session_v6 inactive 2000::1:1:1:1 2000::2:2:2:2 0x6558 8 64 0
+```
+
+#### ACL rules
+
+Generate different sets of ACL rules from template. Load the ACL rules using below command:
+`acl-loader update full --session_name= --mirror_stage=`
+
+For IPv4 testing, the ACL rules template:
+```
+{
+ "acl": {
+ "acl-sets": {
+ "acl-set": {
+ "{{ acl_table_name }}": {
+ "acl-entries": {
+ "acl-entry": {
+ "1": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 1
+ },
+ "ip": {
+ "config": {
+ "source-ip-address": "20.0.0.10/32"
+ }
+ }
+ },
+ "2": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 2
+ },
+ "ip": {
+ "config": {
+ "destination-ip-address": "192.168.0.10/32"
+ }
+ }
+ },
+ "3": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 3
+ },
+ "transport": {
+ "config": {
+ "source-port": "4661"
+ }
+ }
+ },
+ "4": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 4
+ },
+ "transport": {
+ "config": {
+ "destination-port": "4661"
+ }
+ }
+ },
+ "5": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 5
+ },
+ "l2": {
+ "config": {
+ "ethertype": "4660"
+ }
+ }
+ },
+ "6": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 6
+ },
+ "ip": {
+ "config": {
+ "protocol": 126
+ }
+ }
+ },
+ "7": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 7
+ },
+ "transport": {
+ "config": {
+ "tcp-flags": ["TCP_ACK", "TCP_SYN"]
+ }
+ }
+ },
+ "8": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 8
+ },
+ "transport": {
+ "config": {
+ "source-port": "4672..4681"
+ }
+ }
+ },
+ "9": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 9
+ },
+ "transport": {
+ "config": {
+ "destination-port": "4672..4681"
+ }
+ }
+ },
+ "10": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 10
+ },
+ "ip": {
+ "config": {
+ "dscp": "51"
+ }
+ }
+ },
+ "11": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 10
+ },
+ "input_interface": {
+ "interface_ref": {
+ "config": {
+ "interface": "{{ acl_in_ports }}"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+For IPv6 testing, the ACL rules template:
+```
+{
+ "acl": {
+ "acl-sets": {
+ "acl-set": {
+ "{{ acl_table_name }}": {
+ "acl-entries": {
+ "acl-entry": {
+ "1": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 1
+ },
+ "ip": {
+ "config": {
+ "source-ip-address": "2000::20:0:0:10/64"
+ }
+ }
+ },
+ "2": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 2
+ },
+ "ip": {
+ "config": {
+ "destination-ip-address": "fe80::192:168:0:10/64"
+ }
+ }
+ },
+ "3": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 3
+ },
+ "transport": {
+ "config": {
+ "source-port": "4661"
+ }
+ }
+ },
+ "4": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 4
+ },
+ "transport": {
+ "config": {
+ "destination-port": "4661"
+ }
+ }
+ },
+ "5": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 5
+ },
+ "l2": {
+ "config": {
+ "ethertype": "4660"
+ }
+ }
+ },
+ "6": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 6
+ },
+ "ip": {
+ "config": {
+ "protocol": 126
+ }
+ }
+ },
+ "7": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 7
+ },
+ "transport": {
+ "config": {
+ "tcp-flags": ["TCP_ACK", "TCP_SYN"]
+ }
+ }
+ },
+ "8": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 8
+ },
+ "transport": {
+ "config": {
+ "source-port": "4672..4681"
+ }
+ }
+ },
+ "9": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 9
+ },
+ "transport": {
+ "config": {
+ "destination-port": "4672..4681"
+ }
+ }
+ },
+ "10": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 10
+ },
+ "ip": {
+ "config": {
+ "dscp": "51"
+ }
+ }
+ },
+ "11": {
+ "actions": {
+ "config": {
+ "forwarding-action": "ACCEPT"
+ }
+ },
+ "config": {
+ "sequence-id": 10
+ },
+ "input_interface": {
+ "interface_ref": {
+ "config": {
+ "interface": "{{ acl_in_ports }}"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+For example, if loaded IPv4 ACL rules into ACL table EF_EGRESS, used MIRROR_EGRESS_ACTION, used mirror session session_v4, they should be like below in config_db:
+```
+{
+ "ACL_RULE": {
+ "EF_EGRESS|RULE_1": {
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9999",
+ "SRC_IP": "20.0.0.10/32"
+ },
+ "EF_EGRESS|RULE_2": {
+ "DST_IP": "30.0.0.10/32",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9998"
+ },
+ "EF_EGRESS|RULE_3": {
+ "L4_SRC_PORT": "4661",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9997"
+ },
+ "EF_EGRESS|RULE_4": {
+ "L4_DST_PORT": "4661",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9996"
+ },
+ "EF_EGRESS|RULE_5": {
+ "ETHER_TYPE": "4660",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9995"
+ },
+ "EF_EGRESS|RULE_6": {
+ "IP_PROTOCOL": "126",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9994"
+ },
+ "EF_EGRESS|RULE_7": {
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9993",
+ "TCP_FLAGS": "0x12/0x12"
+ },
+ "EF_EGRESS|RULE_8": {
+ "L4_SRC_PORT_RANGE": "4672-4681",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9992"
+ },
+ "EF_EGRESS|RULE_9": {
+ "L4_DST_PORT_RANGE": "4672-4681",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9991"
+ },
+ "EF_EGRESS|RULE_10": {
+ "DSCP": "51",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9990"
+ },
+ "EF_EGRESS|RULE_11": {
+ "IN_PORTS": "Ethernet4,Ethernet8",
+ "MIRROR_EGRESS_ACTION": "session_v4",
+ "PRIORITY": "9989"
+ }
+ }
+}
+```
+
+To cover ACL rule matching ICMP type and code, additional ACL configuration is required. Since the acl-loader utility does not support parsing and loading ACL rules matching ICMP type&code, the advanced configuration tool `sonic-cfggen` will be used.
+
+Firstly, scripts need to prepare json file for ACL rules matching ICMP type&code from j2 template. To cover ICMPv4 and ICMPv6, two templates are required.
+
+For matching ICMPv4:
+```
+{
+ "ACL_RULE": {
+ "{{ ACL_TABLE_NAME }}|RULE_12": {
+ "MIRROR_EGRESS_ACTION": "{{ MIRROR_SESSION_NAME }}",
+ "PRIORITY": "9988",
+ "ICMP_TYPE": "8",
+ "ICMP_CODE": "0"
+ }
+}
+```
+
+For matching ICMPv6:
+```
+{
+ "ACL_RULE": {
+ "{{ ACL_TABLE_NAME }}|RULE_12": {
+ "MIRROR_EGRESS_ACTION": "{{ MIRROR_SESSION_NAME }}",
+ "PRIORITY": "9988",
+ "ICMPV6_TYPE": "128",
+ "ICMPV6_CODE": "0"
+ }
+}
+```
+
+Then use the `sonic-cfggen` tool to dump the current ACL rules configuration from config_db:
+`$ sonic-cfggen -d -v ACL_RULE`.
+
+Generate appropriate ICMP ACL rule configuration json file from j2 templates according to current testing scenario. Combine the dumped ACL rules with the ICMP ACL rules. Load the combined ACL rules into config_db using `sonic-cfggen` again:
+`$ sonic-cfggen -j --write-to-db`
+
+### Run test
+
+For each configuration scenario, we need to run all the sub-tests. Everflow sub-tests consists of a number of test cases. Each of the test case is executed with log analyzer enabled, for example:
+
+1. Run loganalyzer 'init' phase
+2. Run a everflow test case
+3. Run loganalyzer 'analyze' phase
+
+Each test case may involve with with one or more classes defined in the PTF script.
+
+#### PTF Test
+
+The everflow test cases eventually call the ptf scripts to do the actual testing. The PTF scripts inject packets into DUT and validate traffic forwarded by DUT.
+
+PTF test will generate traffic between ports and make sure it mirrored according to the configured Everflow session and ACL rules. Depending on the testbed topology and the existing configuration (e.g. ECMP, LAGS, etc) packets may arrive to different ports. Therefore ports connection information will be generated from the minigraph and supplied to the PTF script.
+
+The `EverflowTest` class in everflow_tb_test.py need to be extended to cover IPv6 testing. Need some new methods for sending and validating IPv6 packets.
+
+## Test cases
+
+Each test case will be additionally validated by the loganalyzer utility.
+
+Each test case will add dynamic Everflow ACL rules at the beginning and remove them at the end.
+
+Each test case will run traffic for persistent and dynamic Everflow ACL rules.
+
+Each test case will analyze Everflow packet header and payload (if mirrored packet is equal to original). In case of egress mirroring, verify that TTL of the mirrored packet in GRE tunnel is decremented comparing with the injected packet.
+
+### Test case \#1 - Packets mirrored to best match resolved route
+
+#### Test objective
+
+Verify that mirrored packets are forwarded to the best match route for the session destination IP.
+
+#### Test steps
+
+- Create route with next hop on port dst_port_1.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+
+- Create another route with unresolved next hop.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+
+- Remove the route with unresolved next hop. Create another route with best match prefix and resolved next hop on dst_port_2
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_2 with correct Everflow header.
+
+- Remove the best match route
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+
+- Cleanup all the added routes
+
+While checking mirrored packets:
+- Verify that packets are mirrored to appropriate port.
+- Verify that mirrored packets payload is equal sent packets.
+- Analyze mirrored packets header.
+- In case of egress mirroring, verify that TTL of the mirrored packets is decremented comparing with the injected packets.
+
+### Test case \#2 - Change neighbor MAC address.
+
+#### Test objective
+
+Verify that session destination MAC address is changed after neighbor MAC address update.
+
+#### Test steps
+
+- Create route with next hop on port dst_port_1.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+
+- Change neighbor MAC address of the next hop on dst_port_1.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are still mirrored to dst_port_1 with correct Everflow header.
+- Verify that DST MAC address in mirrored packet header is changed accordingly.
+
+- Cleanup all the added routes
+
+While checking mirrored packets:
+- Verify that packets are mirrored to appropriate port.
+- Verify that mirrored packets payload is equal sent packets.
+- Analyze mirrored packets header.
+- In case of egress mirroring, verify that TTL of the mirrored packets is decremented comparing with the injected packets.
+
+### Test case \#3 - ECMP route change (remove next hop not used by session).
+
+#### Test objective
+
+Verify that mirror session is still active after removal of next hop that was not used by mirror session.
+
+#### Test steps
+
+- Create ECMP route with next hops on dst_port_1 and dst_port_2.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 or dst_port_2 with correct Everflow header.
+
+- Add next hop on dst_port_3 to ECMP route
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 or dst_port_2 with correct Everflow header.
+- Verify that the packets are not mirrored to dst_port_3
+
+- Remove the added ECMP next hop on dst_port_3.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 or dst_port_2 with correct Everflow header.
+- Verify that the packets are not mirrored to dst_port_3
+
+- Cleanup all the added routes
+
+While checking mirrored packets:
+- Verify that packets are mirrored to appropriate port.
+- Verify that mirrored packets payload is equal sent packets.
+- Analyze mirrored packets header.
+- In case of egress mirroring, verify that TTL of the mirrored packets is decremented comparing with the injected packets.
+
+### Test case \#4 - ECMP route change (remove next hop used by session).
+
+#### Test objective
+
+Verify that mirror session is still active after removal of next hop that was used by mirror session when there are other ECMP next hops available.
+
+#### Test steps
+
+- Create route with next hop on dst_port_1.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+
+- Add next hops on dst_port_2 and dst_port_3 to route.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are mirrored to dst_port_1 with correct Everflow header.
+- Verify that the packets are not mirrored to dst_port_2 or dst_port_3.
+
+- Remove the ECMP next hop on dst_port_1.
+- Send packets that hit each Everflow ACL rule.
+- Verify that the packets are not mirrored to dst_port_1.
+- Verify that the packets are mirrored to dst_port_2 or dst_port_3 with correct Everflow header.
+
+- Cleanup all the added routes
+
+While checking mirrored packets:
+- Verify that packets are mirrored to appropriate port.
+- Verify that mirrored packets payload is equal sent packets.
+- Analyze mirrored packets header.
+- In case of egress mirroring, verify that TTL of the mirrored packets is decremented comparing with the injected packets.
+
+### Test case \#5 - Policer enforced DSCP value/mask test.
+
+#### Test objective
+
+#### Test steps
+
+
+## TODO
+- Everflow+VLAN test configuration and test cases (Add VLAN, move destination port in VLAN, test everflow; move destination port out of VLAN, test everflow)
+- Everflow+LAG test configuration and test cases (separate ansible playbook)
+
+## Open Questions
diff --git a/doc/acl/acl_stage_capability.md b/doc/acl/acl_stage_capability.md
new file mode 100644
index 0000000000..45494143d0
--- /dev/null
+++ b/doc/acl/acl_stage_capability.md
@@ -0,0 +1,226 @@
+# Egress mirroring support and ACL action capability check
+
+# Table of Contents
+
+#### Revision
+| Rev | Date | Author | Change Description |
+|:---:|:-------:|:------------------:|:------------------:|
+| 0.1 | 2019-05 | Blyschak Stepan | Initial Version |
+
+## Motivation
+Not all ASICs support all actions on ingress, egress stages
+
+E.g.: Egress mirror action on ingress stage or vice versa might be not supported
+
+## Design
+
+## 1. Egress mirroring support
+
+SAI API has two mirror action types - SAI_ACL_ACTION_TYPE_MIRROR_INGRESS, SAI_ACL_ACTION_TYPE_MIRROR_EGRESS which can be set on ingress or egress table.
+So SONiC will not restrict setting egress mirror rule on ingress table or vice versa.
+To check wheter such combination is supported by the ASIC application should look into SWITCH_CAPABILITY table which is described in part 2 of this document.
+
+The proposed new schema:
+
+### ACL_RULE_TABLE
+```
+mirror_action = 1*255VCHAR ; refer to the mirror session (implicitly ingress for backward compatibility)
+mirror_ingress_action = 1*255VCHAR ; refer to the mirror session
+mirror_egress_action = 1*255VCHAR ; refer to the mirror session
+```
+
+e.g.:
+```
+{
+ "ACL_RULE": {
+ "EVERFLOW_INGRESS|RULE_1": {
+ "MIRROR_EGRESS_ACTION": "everflow0",
+ "PRIORITY": "9999",
+ "SRC_IP": "20.0.0.10/32"
+ }
+}
+```
+
+The above example shows setting an egress mirror action on ingress everflow table.
+
+mirror_action should be implicitly set to "ingress" by default to be backward compatible
+
+
+### orchagent
+
+- AclRuleMirror adds processing of new schema and convert to SAI_ACL_ACTION_TYPE_MIRROR_INGRESS/EGRESS based on action key;
+- By default mirror action is considered "ingress" to be backward compatible;
+
+### acl-loader
+
+- By default acl-loader with ```--session_name``` parameter will produce ingress mirror rule;
+- A new parameter ```--mirror_stage=ingress|egress``` will be added;
+
+e.g.:
+
+```
+admin@sonic:~$ acl-loader update incremental --session_name=everflow0 --mirror_stage=egress rules.json
+```
+
+## 2. ACL action capability check
+
+### orchagent
+
+AclOrch on initialization will query ACL stage capabilities and store them in internal map:
+
+| SAI attribute | Comment |
+|:-----------------------------------------------------:|:-----------------------------------------------:|
+|SAI_SWITCH_ATTR_MAX_ACL_ACTION_COUNT | max acl action count |
+|SAI_SWITCH_ATTR_ACL_STAGE_INGRESS | list of action types supported on ingress stage |
+|SAI_SWITCH_ATTR_ACL_STAGE_EGRESS | list of action types supported on egress stage |
+
+For those ACL entry attributes which have isenum == true set in sai_attr_metadata_t we will query supported list of actions using ``` sai_query_attribute_enum_values_capability ```
+
+E.g for SAI_ACL_ENTRY_ATTR_ACTION_PACKET_ACTION:
+
+```c++
+status = sai_query_attribute_enum_values_capability(gSwitchId,
+ SAI_OBJECT_TYPE_SWITCH,
+ SAI_ACL_ENTRY_ATTR_ACTION_PACKET_ACTION,
+ &enum_values_capability);
+if (status != SAI_STATUS_SUCCESS)
+{
+ SWSS_LOG_THROW("sai_query_attribute_enum_values_capability failed");
+}
+```
+
+The above query will return a list of supported actions from ```sai_packet_action_t``` (DROP/FORWARD/COPY/TRAP etc.)
+
+**NOTE**: sai_query_attribute_enum_values_capability does not return values supported per stage
+
+**TODO**: sai_query_attribute_enum_values_capability not yet supported by libsairedis implementation
+
+#### aclorch.cpp
+
+```c++
+class AclOrch
+{
+public:
+ ...
+ // return true if action in attr is supported at stage otherwise return false
+ bool isActionSupported(acl_stage_type_t stage, sai_acl_entry_attr_t attr) const;
+ ...
+private:
+
+ // query SAI_SWITCH_ATTR_ACL_STAGE_INGRESS/SAI_SWITCH_ATTR_STAGE_EGRESS
+ // will be called from AclOrch::init();
+ void queryAclCapabilities();
+
+ std::map> m_aclStageCapabilities;
+ std::map> m_aclEnumActionCapabilities;
+...
+};
+```
+
+and in AclRule
+
+```c++
+class AclRule
+{
+public:
+ ...
+ // generic validation of ACL action based on m_aclStageCapabilities
+ // if some of sai_acl_entry_attr_t values in m_actions keys are enums (isenum == true)
+ // validate based on m_aclEnumActionCapabilities
+ virtual bool validateAddAction(string attr_name, string attr_value);
+ ...
+};
+```
+
+AclRule derivatives will call base class method ```AclRule::validateAddAction```, e.g. AclRuleMirror:
+
+```c++
+AclRuleMirror::validateAddAction(string attr_name, string attr_value)
+{
+ ... //
+ ... // validate
+
+ ... // fill in m_actions map
+
+ return AclRule::validateAddAction(attr_name, attr_value);
+}
+```
+
+### VS test
+
+Test case 1:
+
+VS test cases update to check for differnt combinations ingress/egress table and ingress/egress mirror rule creation
+
+### system level testing
+
+TBD
+
+### Switch capability table
+
+We will put ACL capabilities in state DB table:
+
+```
+SWITCH_CAPABILITY|switch
+```
+
+e.g:
+```
+127.0.0.1:6379[6]> hgetall "SWITCH_CAPABILITY|switch"
+1) "ACL_ACTIONS|INGRESS"
+2) "PACKET_ACTION,REDIRECT_ACTION,MIRROR_ACTION_INGRESS"
+3) "ACL_ACTIONS|EGRESS"
+4) "PACKET_ACTION,MIRROR_ACTION_EGRESS"
+...
+```
+
+For those action keys which are enums we will put queried supported enum values in DB
+```
+5) "ACL_ACTION|PACKET_ACTION"
+6) "DROP,FORWARD,COPY,TRAP"
+```
+
+Producer for ACL_RULE table like acl-loader will look at "ACL_ACTIONS|table-stage" to get a list of supported action keys.
+If key is in the list of supported, it will look if "ACL_ACTION|action-key" exists, if it doesn't exist we cannot validate action value (e.g value is not an enum but object like in redirect or mirror key), otherwise acl-loader gets a list of supported values and checks if value is in the list.
+
+#### NOTE
+
+To be consistent with SAI data type 'redirect:' will be moved out from PACKET_ACTION key to own REDIRECT_ACTION key.
+Old config like ```"PACKET_ACTION": "redirect:Ethernet8"``` should still work for backward compatibility.
+
+##### ACL_RULE_TABLE
+```
+redirect_action = 1*255VCHAR ; refer to the redirect object
+```
+
+
+### libsairedis
+
+Implement SAI_ATTR_VALUE_TYPE_ACL_CAPABILITY deserialization as it is missing
+**DONE**
+
+### vslib
+
+Add support for SAI_SWITCH_ATTR_ACL_STAGE_INGRESS, SAI_SWITCH_ATTR_ACL_STAGE_EGRESS to VS.
+
+Two options:
+1. Return all actions as supported
+2. Return per VS simulating specific device. Currently there are MLNX and BRCM
+
+Second options is harder to maintain:
+1. every SAI (mlnx/brcm) update will require to check if list of supported actions were updated and update a VS library correspondingly and also update VS test.
+2. VS tests need to check which acl test cases to run for which vs simulating device
+
+So, we prefer to go with first option to make all actions returned as supported by VS.
+
+### VS test
+
+Check negative flow in case action is not supported.
+
+For ingress and egress tables:
+ - Set custom SAI_SWITCH_ATTR_ACL_STAGE_$STAGE attribute using setReadOnlyAttribute mechanism in VS test infrastructure and restart orchagent to make it reconstruct its capability map;
+ - Create ACL rule wich is not supported and verify no entry in ASIC DB;
+
+### system level testing
+
+TBD
diff --git a/doc/bfd/BFD_Enhancement_HLD.md b/doc/bfd/BFD_Enhancement_HLD.md
new file mode 100644
index 0000000000..8c580dd019
--- /dev/null
+++ b/doc/bfd/BFD_Enhancement_HLD.md
@@ -0,0 +1,453 @@
+# Feature Name
+Bidirectional Forwarding Detection
+# High Level Design Document
+#### Rev 0.2
+
+# Table of Contents
+ * [List of Tables](#list-of-tables)
+ * [Revision](#revision)
+ * [About This Manual](#about-this-manual)
+ * [Scope](#scope)
+ * [Definition/Abbreviation](#definitionabbreviation)
+
+# List of Tables
+[Table 1: Abbreviations](#table-1-abbreviations)
+
+# Revision
+| Rev | Date | Author | Change Description |
+|:---:|:-----------:|:------------------:|-----------------------------------|
+| 0.1 | 05/15/2019 | Sumit Agarwal | Initial version |
+| 1.0 | 18/06/2019 | Sumit Agarwal | Updated community review comments |
+
+# About this Manual
+This document provides general information about the BFD feature implementation in SONiC.
+# Scope
+This document describes the high level design of BFD, with software implementation.In this implementation, the BFD state machines and session termination happens on the Host CPU, specifically in FRR.
+
+# Definition/Abbreviation
+### Table 1: Abbreviations
+| **Term** | **Meaning** |
+|--------------------------|-------------------------------------|
+| BFD | Bidirectional Forwarding Detection |
+| BGP | Border Gateway Protocol |
+| GR | Graceful Restart |
+
+# 1 Requirement Overview
+## 1.1 Functional Requirements
+ 1. Support monitoring of forwarding path failure for BGP neighbor.
+ 2. Support BFD single hop sessions.
+ 3. Support BFD multi hop sessions.
+ 4. Support Asynchronous mode of operation.
+ 5. Support Echo mode of operation.
+ 6. Support IPv4 address family.
+ 7. Support IPv6 address family.
+ 8. Support LAG interface.
+ 9. Support ECMP paths for multi hop session.
+ 10. Support FRR container warm reboot.
+ 11. Support 64 BFD sessions.
+ 12. Support minimum timeout interval of 300 milliseconds.
+## 1.2 Configuration and Management Requirements
+BFD will support CLI in FRR vtysh shell.
+## 1.3 Scalability Requirements
+Support 64 BFD session with timer of 100 * 3 milliseconds, i.e. detection time of 300 milliseconds.
+## 1.4 Warm Boot Requirements
+BFD should support planned/unplanned restart of BGP container.
+
+# 2 Functionality
+## 2.1 Target Deployment Use Cases
+BFD supports creation of single hop and multi hop session to monitor forwarding path failure.
+Single hop session are created for iBGP.
+Multihop session are created usually for protocols like eBGP where the neighbors are multiple hop apart.
+## 2.2 Functional Description
+This document provides functional design and specifications of BFD protocol as defined in RFC 5880, 5881, 5882 and 5883.
+
+Bidirectional Forwarding Detection, (BFD) is a protocol defined by the BFD working group at IETF. The protocol defines a method of rapid detection of the failure of a forwarding path by checking that the next hop router is alive. The protocol will be able to detect the forwarding path failure in milliseconds depending on the actual configuration. Currently a Routing Protocol takes a few seconds (from 3 seconds to 180 seconds or even more) to detect that the neighbouring router, the next hop router, is not operational causing packet loss due to incorrect routing information. BFD is designed to provide a rapid forwarding path failure detection service to a Routing Protocol in a few milliseconds.
+
+# 3 Design
+
+
+
+
+
+__Figure 1: BFD in SONiC Architecture__
+
+
+BFD is part of the FRR BGP container in SONiC system. BFD daemon communicates with linux kernel using UDP socket to send and receive BFD packets. BFD relies on Linux kernel for routing of BFD packet to its destination.
+BFD communicates to applications like BGP through Zebra, BGP sends BFD session create/delete events through Zebra and in case of session timeout BFD informs BGP through Zebra.
+## 3.1 Overview
+### 3.1.1 Packet Tx
+In current FRR BFD implementation, for packet Tx BFD packet is constructed every time a packet has to be sent, this is an overhead considering BFD needs to send packet every few milliseconds. A better approach is to store the BFD packet in memory for each session and keep replaying the packet as per the BFD transmission interval.
+
+**Stored packets are updated in below circumstances:**
+
+ 1. **Local configuration change:**
+When BFD timer configuration is changed the packet stored in memory will be flushed and new packet will be constructed until new timer negotiation is complete.
+
+ 2. **Received Rx packet with poll bit set:**
+When a Rx packet is received with poll bit set, BFD will flush the stored Tx packet and a fresh packet will be sent until the negotiation is complete.
+
+### 3.1.3 LAG support:
+When deploying BFD over LAG interface it is expected that BFD session do not flap when a LAG member port flaps. BFD packets are send over a member port in the LAG based on the hashing in the kernel. When the port on which BFD packets are being sent goes down, BFD packets should seamlessly switchover to next available member port in LAG decided by hasing in the kernel.
+One BFD session will be created per LAG irrespective of number of member port in the LAG. RFC 7130 does specifies creation of BFD session for each member port of LAG, but this will not be implemented.
+
+Supporting LAG is challenging in BFD due to time it may take for member port down event to reach control plane, in SONiC when a port is DOWN, the down event has to traverse up to ORCH agent and then back to the kernel, this may take considerable time.
+
+In current SONiC implementation BFD relies on kernel network stack to switch the BFD packet to next available active port when a member port goes DOWN in LAG. BFD timers in this case is directly proportional to the time it takes for kernel to get the port down event. Faster the kernel learns port down the more aggressive BFD timers can be. In this case it is suggested to configure BFD timer values to have a timeout value of atleast 600 msec.
+
+### 3.1.4 ECMP Support:
+For BFD multihop session there could be multiple nexthop to reach the destination, it is expected that BFD session do not flap when an active nexthop goes down, BFD session should seamlessly switchover to next available nexthop without bringing down the BFD session.
+
+Supporting ECMP is challenging in BFD due to time it may take for control plane to know that the active nexthop went down. In SONiC this information has to traverse all the way down to kernel after traversing all the DBs this may take considerable time.
+
+In current SONiC implementation BFD relies on kernel network stack to switch the BFD packet to next available nexthop when a active nexthop goes down. BFD timers in this case is directly proportional to the time it takes for kernel to get the nexthop down event. Faster the kernel learns active nexthop is down the more aggressive BFD timers can be. In this case it is suggested to configure BFD timer values to have a timeout of atleast 600 msec.
+
+## 3.2 CLI
+### 3.2.1 Data Models
+NA
+### 3.2.2 Configuration Commands
+
+Config commands as in FRR BGP container is described at below link.
+[Config commands](http://docs.frrouting.org/en/latest/bfd.html)
+### 3.2.3 Show Commands
+
+Show commands as in FRR BGP container is described at below link.
+[Show commands](http://docs.frrouting.org/en/latest/bfd.html)
+**show bfd peer [{multihop|local-address |interface IFNAME ifname|vrf NAME vrfname}]**
+
+This command is enhanced to add detect-multiplier, enhanced show output is as below:
+```
+sonic# show bfd peer
+ BFD Peers:
+ peer 10.0.0.103 interface Ethernet204
+ ID: 2
+ Remote ID: 5
+ Status: up
+ Uptime: 30 second(s)
+ Diagnostics: ok
+ Remote diagnostics: ok
+ Local timers:
+ Detect-multiplier: 3
+ Receive interval: 300ms
+ Transmission interval: 300ms
+ Echo transmission interval: disabled
+ Remote timers:
+ Detect-multiplier: 3
+ Receive interval: 200ms
+ Transmission interval: 200ms
+ Echo transmission interval: 0ms
+```
+
+A new show command is added as below:
+
+**show bfd peers brief**
+Show all the BFD peer in brief, sample output as below:
+This command is available in FRR vtysh shell.
+
+```
+Session count: 1
+SessionId LocalAddr NeighAddr State
+========= ========= ========= =====
+1 192.168.0.1 192.168.0.2 UP
+```
+### 3.2.4 Debug Commands
+Debug commands as in FRR BGP container is described at below link.
+[Debug commands](http://docs.frrouting.org/en/latest/bfd.html)
+
+In current FRR implementation of BFD, debug are reported only in error cases. To debug issues it is necessary to have a few debug in positive code flow to trace the code flow. A few debugs is added in the positive code path and a new command is added to enable/disable debugs in positive code flow. These debugs will be reported only when enabled through this new command. Error debugs will continue to be reported always as in the current FRR BFD implementation.
+
+This new command will be available in FRR vtysh shell.
+Command syntax as below :
+**[no] debug bfd**
+
+### 3.2.5 REST API Support
+NA
+
+# 4 Flow Diagrams
+NA
+
+# 5 Serviceability and Debug
+**Configuring BFD**
+In order to monitor a forwarding path BFD need triggers from the application to create BFD session with the remote peer. Below are the steps to enable BFD in BGP.
+
+```
+ sonic#
+ sonic# conf t
+ sonic(config)# router bgp
+ sonic(config-router)# neighbor 1.1.1.1 remote-as 7
+ sonic(config-router)# neighbor 1.1.1.1 bfd
+```
+
+Different timer values can be configured to achieve the desired failure detection time. Below configurations can be used to configure BFD timers.
+
+```
+ sonic(config)# bfd
+ sonic(config-bfd)# peer 1.1.1.1
+ sonic(config-bfd-peer)# detect-multiplier 3
+ sonic(config-bfd-peer)# receive-interval 200
+ sonic(config-bfd-peer)# transmit-interval 200
+```
+**Show Output**
+Below output shows BFD session in UP state established for BGP protocol.
+
+```
+ sonic# show bfd peer
+ BFD Peers:
+ peer 10.0.0.103 interface Ethernet204
+ ID: 2
+ Remote ID: 5
+ Status: up
+ Uptime: 30 second(s)
+ Diagnostics: ok
+ Remote diagnostics: ok
+ Local timers:
+ Receive interval: 300ms
+ Transmission interval: 300ms
+ Echo transmission interval: disabled
+ Remote timers:
+ Receive interval: 200ms
+ Transmission interval: 200ms
+ Echo transmission interval: 0ms
+```
+**BFD Counters**
+Below output shows BFD counter for particular BFD session
+```
+sonic# show bfd peer 192.168.0.1 counters
+ peer 192.168.0.1
+ Control packet input: 126 packets
+ Control packet output: 247 packets
+ Echo packet input: 2409 packets
+ Echo packet output: 2410 packets
+ Session up events: 1
+ Session down events: 0
+ Zebra notifications: 4
+```
+# 6 Warm Boot Support
+Planned/unplanned warm-boot of a BGP container can be achieved by running BGP in GR mode.
+
+When BGP container is rebooted, remote BGP neighbour enters GR helper mode when BFD indicate timeout and GR helper mode is enabled. If the flag in BFD control packet indicate that the BFD in remote neighbour is not control plane independent, BFD session down event can be a trigger to BGP to enter helper mode. In GR helper mode remote BGP neighbor should not delete the routes learnt through BGP neighbour and keep the forwarding plane intact until GR timeout.
+After warm-boot is completed BGP will re-establish all the sessions and trigger BFD to establish corresponding BFD sessions.
+
+# 7 BFD packet trapping to CPU
+
+
+BFD packets are classified based on packet pattern defined in RFC 5880. Trapping of Single-Hop and Multi-hop BFD packets for IPv4 and IPv6 address family is supported.
+
+
+
+BFD related control plane QoS can be configured by user via 00-copp.config.json file. User can specify which CPU queue a protocol (e.g. BFD) is trapped to and policing parameters to rate limit the protocol packet. Below is an example of the BFD protocol trapping COPP (Control Plane Policing) configuration in 00-copp.config.json file:
+
+```
+{
+"COPP_TABLE:trap.group.bfd": {
+"trap_ids": "bfd,bfdv6",
+"trap_action":"trap",
+"trap_priority":"5",
+"queue": "5",
+"meter_type":"packets",
+"mode":"sr_tcm",
+"cir":"60000",
+"cbs":"60000",
+"red_action":"drop"
+},
+"OP": "SET"
+}
+```
+
+# 7 Scalability
+ - No of sessions: 64
+ - Transmit-interval: 100 milliseconds
+ - Receive-interval: 100 milliseconds
+ - Detect-multiplier: 3
+
+Goal is to support 64 BFD session with timer of 100 * 3 milliseconds, i.e. minimum detection time of 300 milliseconds.
+These timer values are subject to revision based on the BFD sessiom stability observed during multi-dimensional scale test.
+
+# 8 Enable/Disable BFD daemon
+BFD daemon can be enabled and disabled at compile time as well as in the switch.
+
+**Enable/Disable at Compile time**
+
+To enable BFD add the below text in corresponding files as below:
+
+**../dockers/docker-fpm-frr/supervisord.conf**
+```
+[program:bfdd]
+command=/usr/lib/frr/bfdd -A 127.0.0.1
+priority=4
+stopsignal=KILL
+autostart=false
+autorestart=false
+startsecs=0
+stdout_logfile=syslog
+stderr_logfile=syslog
+```
+
+**../dockers/docker-fpm-frr/start.sh**
+```
+supervisorctl start bfdd
+```
+
+**Enable/Disable in the switch**
+BFD daemon can be enabled/disabled in the same way as done during compile time. The file path on the switch are as below. After modifying these files BGP container should be restarted.
+
+./etc/supervisor/conf.d/supervisord.conf
+./usr/bin/start.sh
+
+# 9 Unit Test
+Unit test cases for this specification are as listed below:
+
+|**Test-Case ID**|**Test Title**|**Test Scenario**|
+|----------------|--------------|-----------------|
+| | BFD for BGP IPv4 single-hop |
+1| | Verify BFD session establishment.|
+2| | Verify BFD packet transmission as per configured interval|
+3| | Verify BFD state notification to BGP
+4| | Verify BFD session establishment trigger from BGP
+5| | Verify change of BFD transmission configuration at run time.
+6| | Verify deletion of BFD session by BGP config
+7| | Verify timeout of BGP session.
+8| | Verify timeout notification to BGP.
+9| | Verify deletion of BFD session after timeout. |
+ ||BFD for BGP IPv4 single-hop over LAG |
+10| | Verify BFD session establishment.
+11||Verify session flap on LAG down
+12||Verify session flap on LAG member down.
+13||Verify session flap on LAG member UP.
+ ||BFD for BGP IPv4 multi-hop |
+14| | Verify BFD session establishment.
+15| |Verify BFD packet transmission as per configured interval
+16| |Verify BFD state notification to BGP
+17| |Verify BFD session establishment trigger from BGP
+18| |Verify change of BFD transmission configuration at run time.
+19| |Verify deletion of BFD session by BGP config.
+20| |Verify timeout of BGP session.
+21| |Verify timeout notification to BGP.
+22||Verify deletion of BFD session after timeout.Verify BFD session establishment.
+ ||BFD for BGP IPv4 Multi-hop over LAG|
+23| |Verify BFD session establishment.
+24| |Verify session flap on LAG down
+25| |Verify session flap on LAG member down.
+26| |Verify session flap on LAG member UP.
+ ||BFD for BGP IPv4 Multi-hop with ECMP|
+27| | Verify BFD session establishment for BGP neighbour having ECMP paths.
+28| |Verify BFD session switch to next available ECMP path on active path DOWN
+29| |Verify BFD session timeout on all ECMP path DOWN.
+30| |Verify BFD session timeout when an intermediate path is DOWN.
+ ||BFD for BGP IPv6 multi-hop|
+31| |Verify BFD session establishment with link-local address.
+32| |Verify BFD session establishment with global address.
+33| |Verify BFD packet transmission as per configured interval
+34| |Verify BFD state notification to BGP
+35| |Verify BFD session establishment trigger from BGP
+36| |Verify change of BFD transmission configuration at run time.
+37| |Verify deletion of BFD session by BGP config.
+38| |Verify timeout of BGP session.
+39| |Verify timeout notification to BGP.
+40| |Verify deletion of BFD session after timeout.
+ ||BFD for BGP IPv6 Multi-hop over LAG|
+41| |Verify BFD session establishment.
+42| |Verify session flap on LAG down
+43| |Verify session flap on LAG member down.
+44| |Verify session flap on LAG member UP.
+ ||BFD for BGP IPv6 Multi-hop with ECMP|
+45| |Verify BFD session establishment for BGP neighbour having ECMP paths.
+46| |Verify BFD session switch to next available ECMP path on active path DOWN
+47| |Verify BFD session timeout on all ECMP path DOWN.
+48| |Verify BFD session timeout when a intermediate path is DOWN.
+ ||BFD CLI|
+49| |Verify CLI to cofigure BFD for BGP
+50| |Verify CLI to configure transmit interval
+51| |Verify CLI to configure receive interval
+52| |Verify CLI to configure detection multiplier
+53| |Verify CLI to configure echo multiplier
+54| |Verify CLI to enable echo mode
+55| |Verify CLI to disable echo mode
+56| |Verify CLI to shutdown BFD peer.
+57| |Verify CLI to configure static IPv4 single hop peer.
+58| |Verify CLI to configure static IPv4 multi hop peer.
+59| |Verify CLI to configure static IPv4 single hop peer with local address
+60| |Verify CLI to configure static IPv4 single hop peer with interface.
+61| |Verify CLI to configure static IPv4 single hop peer.
+62| |Verify CLI to configure static IPv4 multi hop peer.
+63| |Verify CLI to configure static IPv4 single hop peer with local address
+64| |Verify CLI to configure static IPv4 single hop peer with interface.
+65| |Verify CLI to configure static IPv6 single hop peer.
+66| |Verify CLI to configure static IPv6 multi hop peer.
+67| |Verify CLI to configure static IPv6 single hop peer with local address
+68| |Verify CLI to configure static IPv6 single hop peer with interface.
+69| |Verify CLI to configure static IPv6 single hop peer.
+70| |Verify CLI to configure static IPv6 multi hop peer.
+71| |Verify CLI to configure static IPv6 single hop peer with local address
+72| |Verify CLI to configure static IPv6 single hop peer with interface.
+73| |Verify CLI to configure static IPv4 single hop peer.
+74| |Verify CLI to un-configure static IPv4 multi hop peer.
+75| |Verify CLI to un-configure static IPv4 single hop peer with local address
+76| |Verify CLI to un-configure static IPv4 single hop peer with interface.
+77| |Verify CLI to un-configure static IPv4 single hop peer.
+78| |Verify CLI to un-configure static IPv4 multi hop peer.
+79| |Verify CLI to un-configure static IPv4 single hop peer with local address
+80| |Verify CLI to un-configure static IPv4 single hop peer with interface.
+81| |Verify CLI to un-configure static IPv6 single hop peer.
+82| |Verify CLI to un-configure static IPv6 multi hop peer.
+83| |Verify CLI to un-configure static IPv6 single hop peer with local address
+84| |Verify CLI to un-configure static IPv6 single hop peer with interface.
+85| |Verify CLI to un-configure static IPv6 single hop peer.
+86| |Verify CLI to un-configure static IPv6 multi hop peer.
+87| |Verify CLI to un-configure static IPv6 single hop peer with local address
+88| |Verify CLI to un-configure static IPv6 single hop peer with interface.
+89| |Verify CLI to display IPv4 Peer.
+90| |Verify CLI to display IPv4 peer with local address
+91| |Verify CLI to display IPv4 peer with interface.
+92| |Verify CLI to display IPv6 Peer.
+93| |Verify CLI to display IPv6 peer with local address
+94| |Verify CLI to display IPv6 peer with interface.
+95| |Verify CLI to display IPv4 multihop Peer.
+96| |Verify CLI to display IPv6 multihop Peer.
+97| |Verify config save and reload of BFD configuration.
+98| |Verify unsaved config loss after relaod.
+ ||BFD static peer|
+99| |Verify BFD static IPv4 single hop peer establishment.
+100| |Verify BFD static IPv4 multi hop peer stablishment.
+101| |Verify BFD static IPv4 single hop peer stablishment with local address
+102| |Verify BFD static IPv4 single hop peer with interface.
+103| |Verify BFD static IPv6 single hop peer establishment.
+104| |Verify BFD static IPv6 multi hop peer stablishment.
+105| |Verify BFD static IPv6 single hop peer stablishment with local address
+106| |Verify BFD static IPv6 single hop peer with interface.
+ ||BFD echo mode|
+107| |Verify BFD session with echo mode.
+108| |Verify BFD echo mode packet transmission as per configured interval
+109| |Verify echo mode timeout of BGP session.
+110| |Verify echo mode timeout notification to BGP.
+111| |Verify echo mode deletion of BFD session after timeout.
+ ||BFD scale|
+112| |Verify 64 BFD IPv4 single hop ession with 100 * 3 msec timer
+113| |Verify 64 BFD IPv4 mulit hop ession with 200 * 3 msec timer
+114| |Verify 64 BFD IPv6 multi hop ession with 200 * 3 msec timer
+115| |Verify 64 BFD IPv6 single hop ession with 100 * 3 msec timer
+116| |Verify LAG member down with 64 BFD IPv4 single hop session with 100 * 3 msec timer
+117| |Verify LAG member down with 64 BFD IPv4 mulit hop ession with 200 * 3 msec timer
+118| |Verify LAG member down with 64 BFD IPv6 multi hop ession with 200 * 3 msec timer
+119| |Verify LAG member down with 64 BFD IPv6 single hop ession with 100 * 3 msec timer
+120| |Verify active ECMP path down with 64 IPv4 multi hop session.
+121| |Verify active ECMP path down with 64 IPv6 multi hop session.
+122| |Verify echo mode with 64 IPv4 single hop session.
+123| |Verify echo mode with 64 IPv6 single hop session.
+124| |Verify 64 IPv4 single-hop static BFD session.
+125| |Verify 64 IPv4 multi-hop static BFD session.
+126| |Verify 64 IPv6 single-hop static BFD session.
+127| |Verify 64 IPv6 multi-hop static BFD session.
+ ||BFD LOG|
+128| |Verify log generation on BFD session UP.
+129| |Verify log generation on B sFDession DOWN.
+130| |Verify log generation on BFD session DOWN with DOWN reason ADMIN_DOWN.
+131| |Verify log generation on BFD session DOWN with DOWN reason "detection timeout"
+132| |Verify log generation on BFD session DOWN with DOWN reason "neighbour signalled session down"
+ ||BFD INTEROPERABILITY|
+133| |Verify BFD IPv4 single-hop session establishment with third party device.
+134| |Verify BFD IPv6 single-hop session establishment with third party device.
+135| |Verify BFD IPv4 multi-hop session establishment with third party device.
+136| |Verify BFD IPv6 multi-hop session establishment with third party device.
+137| |Verify run time timer config change for BFD sessions with third party device.
+
+
diff --git a/doc/bfd/images/BFD_Block_Diagram.png b/doc/bfd/images/BFD_Block_Diagram.png
new file mode 100644
index 0000000000..2ff9406c8b
Binary files /dev/null and b/doc/bfd/images/BFD_Block_Diagram.png differ
diff --git a/doc/bfd/images/BFD_Block_Diagram.xml b/doc/bfd/images/BFD_Block_Diagram.xml
new file mode 100644
index 0000000000..80ca5b71a1
--- /dev/null
+++ b/doc/bfd/images/BFD_Block_Diagram.xml
@@ -0,0 +1,2 @@
+
+3Vldc9soFP01foxHAn35sXGa7LTpNttkpu2+7GCBLSZIeBCOpf31CxGyhZDjeCt3u3mKOFxfiXMP917IBM7z6kagdfaJY8ImwMPVBF5NAPB9D6o/GqkbJIpnDbASFBujPXBP/yYG9Ay6oZiUlqHknEm6tsGUFwVJpYUhIfjWNltyZr91jVbEAe5TxFz0K8Uya9AExHv8N0JXWftmPzLry1FrbFZSZgjzbQeC7ydwLjiXzVNezQnT5LW8NL+7PjC7+zBBCvmaH3z8EH+4fbgkj1X4x0Nef56BOb4wXp4Q25gFfyGYlhclEU9EmA+XdcuGWsNaP6Y1owVWBvBym1FJ7tco1fhWiUBhmcyZGvnqccE3yhDfLnYASh9XQqOfN1J5IQZfUsbmnHHx/Ca4TFKSpgovpeCPpDOzSMIg9NSMS0C7GiIkqTqQIeSG8JxIUSsTMxu1MjPqBIkZb/ex9j2DZd04hwZERl+rne99CNSDicIJEQFORJwoiIZTQ9yRAGBUZjvbESgDsU2ZD1zKgnCIMnAuyqBD2S0tNpWCfidyy8XjM31Kdz/GZE+hOCQJDoYUmoAFjKLz0B0MKDSIBuiOzsV2eIpAvZNpXS5JNLzxcTxbeCNtfDDrqRi6tM4GWA3OxWrksHp5ffUWiB3Q608lNnaI/ZMsBHKoVa5UT0F+UVoDkPT0mriFCgzwmpyL18ThdbnOy7pI8f+M2tBJBfF/TG3blLyUYkmB3+n2VjdjDJUlbXhCQrpwh2FFk6i/6fwxhVHcAt+7s1eVSS/NqO6O7oigao268WvAisrGmw8iM9bOLryp58cG2DvUg7oz6Ls7GM2Sb0RKjrcAav0rIo+nWYKtrt/VRif2Q71MiwnCkKRP9llhSA/mDXecqpUdLO67drR10azb/Krb2/ccQWA7CvvVvyHGcfQsz92yf0CxbjZwFNts4vYQBWxdtgeLvFrpc+R0yfg2zZSap6gouFQk8+IvbYgYXRXKkJGl1N0tFerUpyZ1PiGlHCclwKSXEsKhY8FhWYx/KHBb3JcywoJx1ez28kELKrtrynbEa5POuBOTg0Sesnv8aJytAg/1FadulQAecXTmrQJe0T+/7VCG4UihdCr3K0OpaER1x2ytDcoXPrh/5E2smxb10HgcVyezn9EEJLFvNQFTT+nzXzQCBwV2tCKDX6oiRxGwQu00ea/VZtTTpnPAOXOage490pdKeXqoHBWpoih71djqtwuuL+ms5txAbTFOVdSfLwN1iaUpYu/MRE4xZocaf/swO0LZBnFocQ5h6JTtYEA757uYcsv25c3d2w0A9O0A+IHbN40UADXcX503m2b/Dwj4/h8= }
+ ```
+sonic# clear ip route
+ not-installed not installed in hardware
+sonic# clear ip route not-installed
+
+ A.B.C.D/M ipv4 prefix with mask
+ X:X::X:X/M ipv6 prefix with mask
+```
+The above command will send route add message for the failed route from Zebra to fpmsyncd.
+
+### 3.7.5 REST API Support
+
+# 4 Flow Diagrams
+ 
+
+__Figure 1: High level module interaction for route install error notification__
+
+
+
+__Figure 2: Module flow for route add error notification__
+
+
+
+__Figure 3: Module flow for route add success notification__
+ 
+
+__Figure 4: Module flow for route delete success/fail notification__
+
+# 5 Serviceability and Debug
+
+
+# 6 Warm Boot Support
+There are two scenarios here. One is warm-reboot case and another is unplanned reboot (like bgp restart or docker restart due to cold reboot). Note that in current sonic code, we don't retain routes learnt by Zebra across
+warm-reboot.
+During warm reboot, fpmsyncd supports syncing of existing routes in APP_DB with newly learnt routes. After warm reboot of BGP docker, BGP sends newly learnt routes to fpmsyncd. Since warm reboot is enabled, fpmsyncd will mark the existing db routes and send only the newly learnt routes to APP_DB. If BGP error-handling is enabled, for the routes which were same as before, we will send an implicit positive ACK to Zebra.
+Before warm reboot, suppose, we had 5 routes sent by BGP to fpmsynd, out of them., 5th route failed to be installed in hardware. Zebra will delete the 5th route from kernel, APP_DB, ASIC_DB and ERROR_DB. After warm reboot, when fpmsyncd receives the 5 routes again from BGP, it will send add for the 5th route again (since 5th route was never present in APP_DB prior to warm reboot).
+During unplanned reboot, for the same 5 routes, suppose, fpmsyncd crashed before processing the add failure for the 5th route. Now, all the 5 routes are present in APP_DB and ASIC_DB. Since
+the 5th route failed to be installed in hardware, it is present in ERROR_DB. When docker comes up again, orchagent will send the notification for the 5th route failure to fpmsyncd. fpmsyncd will send this message to Zebra. Zebra cleans the route from APP_DB and ASIC_DB. After the warm reboot timer expires, fpmsyncd will
+receive the implicit ACK for the remaining routes (routes which did not change during warm-reboot). If any route changes during warm-reboot, the route will be sent to orchagent for installation in hardware and ACK will take its normal flow.
+
+# 7 Scalability
+
+# 8 Unit Test
+
+The UT testcases are as follows:
+
+|**Test-Case ID**|**Description**|**Status**|**Comments**|
+|----------------|---------------|----------|------------|
+1 | Send an iBGP route from the traffic generator and see that route is learnt in BGP. | | Check the route in zebra. fpmsyncd should send route to APP_DB. Check APP_DB. Check that orchagent should send this route to ASIC_DB. Check that syncd should send the route to ASIC. |
+ 2 | Send an eBGP route from the traffic generator and see that route is learnt in BGP. | | |
+ 3 | Install a route and check that error status is present in "show ip route" in zebra. | | |
+ 4 | Install a route and check that route is present in kernel. | | |
+ 5 | Install a route and check that route is present in APP_DB and ASIC_DB. | | |
+ 6 | Execute the command "show bgp ipv4". Check that the error status (installed in hardware flag) is shown as 0. | | |
+ 7 | Check that routes with installed flag as TRUE is sent to eBGP peers. Also, BGP ribout list should have this route. | | |
+ 8 | Check that routes with installed flag as TRUE is sent to iBGP peers. (Rules for iBGP and route reflector will apply). | | |
+ 9 | Send an iBGP route from the traffic generator and see that route is learnt in BGP. But this route is not installed in ASIC_DB. Check that error status is correctly shown in APP_DB. Please note that route will be present in BGP/Zebra/APP_DB. | | Check the route in zebra. fpmsyncd should send route to APP_DB. Check APP_DB. Check that orchagent should send this route to ASIC_DB. Check that syncd should send the route to ASIC. |
+ 10 | Send an eBGP route from the traffic generator and see that route is learnt in BGP. But this route is not installed in ASIC_DB. Check that error status is correctly shown in APP_DB. Check different kinds of errors like nexthop group-id add failed, nexthop add failed, route add failed, route table/nexthop table is full etc. | | |
+ 11 | Install a route and check that route is present in zebra, but not in ASIC_DB and kernel. | | |
+ 12 | Install a route and check that route is not present in APP_DB and ASIC_DB. (Can be due to send error from fpmsyncd). | | |
+ 13 | Execute the command "show bgp ipv4". Check that the error status (installed flag) is shown as some non-zero value. Also check the rib failure flag. In case of error, check if BGP ribout message does not contain this route. | | |
+ 14 | Check that routes with installed flag as FALSE is not sent to eBGP peers. Also, BGP ribout list should not have this route. If route has already been sent by BGP, it should be withdrawn. | | |
+ 15 | Check that routes with installed flag as FALSE is not sent to iBGP peers. (Rules for iBGP and route reflector will apply). If route has already been sent by BGP, it should be withdrawn. | | |
+ 16 | Send a route. Execute "show bgp ipv4". Check that this command shows the error status (installed flag). See that it shows error. Also, check the rib-failure flag. | | |
+17 | Send a route. Execute "show bgp ipv4". Check that this command shows the error status (installed flag). See that it shows error. Also, check the rib-failure flag. Now,send the same route again so that it in installed successfully. Check all the flags. | | |
+# 9 Internal Design Information
\ No newline at end of file
diff --git a/doc/bgp_error_handling/images/bgp_error_handling_flow1.png b/doc/bgp_error_handling/images/bgp_error_handling_flow1.png
new file mode 100644
index 0000000000..810a9ca6bf
Binary files /dev/null and b/doc/bgp_error_handling/images/bgp_error_handling_flow1.png differ
diff --git a/doc/bgp_error_handling/images/bgp_error_handling_flow1.xml b/doc/bgp_error_handling/images/bgp_error_handling_flow1.xml
new file mode 100644
index 0000000000..bbeb117c54
--- /dev/null
+++ b/doc/bgp_error_handling/images/bgp_error_handling_flow1.xml
@@ -0,0 +1,2 @@
+
+tLzHruQ60y34NN+wAXkzlE9573Im771JSU/f4j7n63t/XDTQk65C7cxNSRRFRqxYK4Kq/6DccElrMtf6lBf9fxAov/6D8v9BEBilsfcDtNz/tJAw/k9DtTb5vyf9rwa3eYp/G6F/W48mL7b/ceI+Tf3ezP+zMZvGscj2/9GWrOv0+5+nlVP/P+86J1XxfzS4WdL/n61hk+/1P60UQv6v9k/RVPV/7wwT9D9HhuS/J//7JFud5NPvf2tChf+g3DpN+z/fhosrejB5/52Xf64T/1+O/j8DW4tx//9yAcZDNC642//Fh623+OZ6Mt7/9W8vZ9If/z7wv4Pd7//OwDvuGXxthr+pYs9i3Zt3grQkLXpr2pq9mcb3eDrt+zS8J/TgAJtkXbVOx5hzUz+tf12h5d+f/60Ppm8qcO0+zW9rss3/LGHZXMU7avbvlsx/W6H/trzf82RP/oMy//yKiPNY/QfhmoA1nR+kStXEvH8M168Fv3q/6eCHmHNM/H6yUs1pyfulYoResAMHY4qbZnEnu9Bx/A/CksecvX2WEC67mf1eIgmsquj+5C/K1HyVyU3j/sa/XXFFIbRKPZ0SaEHjJHroVYhs+GqUq2wcDXP5s0vIk+43ncQInMKrTuVLya9wv+NMmgYJeztRfBiE+f1M77AD+FdI4NbhOwxpLen3UySWY1mJyYfRIMc53+mYRm8whiD7E/cbuRJKxu4Y12F9odHfu7yXVl4p7vfoqTjzIJxaDX0tse/yBBFWfouPLTUlGcH8V9NFQ4B64dS8kEX2UHxMurqv96YZ6iFKIk7NFAwY+RX264qs39v15/33Ho+3SZMKo9HwU+1jMukGOQeHsdS1tKhVJTT//a4h1dTBplh7Yd5rVkMPeVSjYd7fUoww3bGgLep8jg71ID43va0bR81zgtldKt85nSOyPH9NjvB5lrOXi7zGiBunqfJ5e7uGcf6N/uQUYMm6QHQlllzm5bc6hW6oGk28a9akM7nGReLy9IwJbHZy83v2BsFUGu+a6gx0AU3DmKhqdZIS2jZ5mZg8Jje1yBiYii1cg/yoobaMZJZjHCGLD58T10CQs0jy/TUOb3d0Id88avsZHFPvwARGEVnnNHEEuaOgM/OarOcSBpb1jcj1LJtPjGwPS2/IrRQ+VbpBsf80zdLnL0xSgZdjlut8GHWE+sBhjR7dpm18wQQRe0d4ewnlbP+gddS832H2B6WHe36urZLj6HUy0ayP5/sjgFeEdP2cuEEXliBZomskEmR5hlM9CVuYatscLrwtd56/HRWz/d4DGVQisknIlQ3PrZZYmdazKFm8aQR1WL5tk2LlgMjl6gGva6nf845e1L8vQjSqSGpy1taIIleKo+pnfNy4KUDUKjecpCXGTmNkBQwB3RGTiI/2va2zKU50CXkGay3XPtXp4/fbrGDGdpbWJ4zHuLSy1H6uL5vYeDQZZGWug2ldmby+JzKqHvO1+n2hj+V8GuUvZY8EZvpYoarjMCZgDCVQZcd/zHcmwGK9/075BSFELJj90lWWo8zwvGKBOQ2p0z81L1sKb8K0ay9D5D5TpbbdMBzNbjhS4+f8Z6st0nskgdxJX1I0zuqhQAjEXGXz6/rAB1oo+UP8GempibFGFVYGfEoTk6kN6kOpYhklBc/hhUeNmC2p9zB+7wueu3A9Gv04tm+vQkKPX4T6Qn+rKqck2c+e2t5ZIlS6mQlEMVvbmQvK/eeSLJIN7PazJmulULu3OVjajJXRIg3DH5T4htmSGjEBlvpH1Iedl3Dcbb+0Ego/9n02gMTHyTpJ7YokFFWDW0X9SI+janMdfvLKFKxI6bIJxvNcgMQIc+nUQzuqidnz+RCBh2084w09x5LtGj3kTWUYzKLtwHTe8Dhh7fSOTpVXYF2BKvKN+0Gsz+DbYxLH6m0uXLqknwK6nBouT4lX4Unsg5pW8fWg4CVpcER/p8GFE7n3H199v3NkAJwC63tZ+FUCwS7caxIijCkAiejUhdbwmI68+b6twcNwGSTbCPp9GQk7QV75OVP1qwmL1M9UYM8f/uMXlvib3sOHAcVFY8ROs3+bb+ypStTKfBS7iwSLwoX2uvP2ubukHLyfvA95awxPpvudrOxLjC2vbzb5sbTjgIm5j2TrTL1T6QosywlixSkxhS9Guz1SkVR7oUfB5EzthibhKS0rAMZs861v879QAbjhr32w1I521pzveXz0Nv3Gwoxot8Y/1CAvbISpiNsSuinGfBy/Y3KUcsbIT3S0Ywq6EFCURL6F4EB0XSJ5MMRi2rqB6WLlVl4GgZFMsWHpkCVk0I23IT1n+aQPRjscb7sCD5yNZdGBcuQRlQ6irZN9SL2SytSUiHLOyS3K9jUwtXxexlXAn4YWVgD29bIlH4hBBGYlvu2qbr/a4nFVU4/J1sdlWXWDEM4iH2cFSwk6J+mTGCcZUjLth7kDLrJe8OKuLkLLz1WUyKAAzFrnMRoq5NJQIml1P5x6HTaCqZhPQQdOK9Df2xQdvZkWe6kLHn2NNfBoWqnftTAJEn6NgjV70f8Al7BSU7dl10L3t2emAD9je1lsYHLWZtGrtVHFo7CofV0OgqCiE3zRAW/aE2Xr3ocfSPh90stH+8K0fOG9jM1vj63MtjHtPghaEeDO90I1J9wuYSI4G5mqK6NMXlMfmJJDRen6RorXSADRN6Ap6qZe9sZ2MANFOyaWXMqKLqLOiygSY41Ev/zznJ75NetewOMJlpdmI2z81uREdPMZmrcNUswPcUzTh6x37ktn+F0IMrWAwcEDUl2HSnGbpZn664htM+6xHfhChPzeuVbruRnf1RSRq7wOZ2sMczILZ4fQkMWjmOt1t9LFojbFrflK3RHBpTWzePlQuS+9Vl9As5mrCTusdnh9cuGyMHRfb7XiasKceMfr5vwxVbL9hlfSlBxPZmW8adf1LB4cyBTe6vD1sVOyOx9Np6EMchwfJkJin+LzTA5lR5AF3zuvsMkx8l1twuIWLJaaP94NhaalD7ZUIMZpkZWUYq/lhNrKznsIr3rK+qeYsOE/uMm9o/7Yf4G8t0uAFdByVKax4Ct2pvtyfPZV/pVWXrLJ2PfOHiY7W3SFq3xkcWdpuy3K7fqtA/aa38Lj8urAytb2HKoPAeDjLq4jpsFY8+HpvZC40McoSbDMiEhd8EwvX/1Rm/KFOzYLULfdhB2mo4tsfOkTZ6/QYEuzfGO0+Hm04UNjovr7WGpY4ai2gYNMkZLPd55ZH0zAsEEr08Yon9WP+fkL03WIpZbDDlGiv3N8q2rMurFiYg88adk6kVUCxYmu2eS10Iag8yFRtCXeBFoaPFWnnZksnWd0A6I1tWxZHCuSV4lSL/EePq/AsNUvJUJ3DHCmrmu/KfuJN6cXhlj3ydeW7TJmfAfHimMgbZr8x1La6R4T/eJ/ET2jh3nLYqKKwgfK2USyD5lQByWHM7014hN6Eqoy5tTq0tx/agXxul46OrdRZ5jU+6hyzrfzZJba3VK8MRvCj4ZVDbrK7dW2wcVM8Q/69l83c/ygaSec/sLZdxHmhV9XsXYebxof0jzpjz6RCFdDrHZtqWLOOfed7rzFjiWZIe3bdygynUIUBLrSmui3obv7uoMo05tlEiszcGHH6L9z99Ll/CUhaqGVj/gO7XFq3smmWkqfRBjHLv42uQC/cT5ijzIueWC5tp4R/q/l5XmkrtVEXPcxZonBZ7Eu4JfhvR5Fz48G7WAiPb1evTAxlW/SC/IlgajO0777AiMb3AjCDRhi4/Qu7v7h3HpCGWZlA/Nw47b6SM3rg6tyl55uae6SEEwzs+yHMH9ffG5gY4dP35q8qwgg6tL2Y1mMj4+1YqleyUcq+jg1Hue1SzG6YHFMkgu9qtFFgOt0SACNRTiWqqfMfdBuyBLKG8+H4reUiJbFPVOt4wNEuOFn4+Nd/8qmttSDJrR4OMQi85dNl+ovZ27SEt8+Ua/rpvNEhGFpLHwSBcmvhwsCn9q1MOFpApfU4FdvuWV+G6QC4icYvl9Mq8hvM6U8X3fbCvgAh13yLzeVuvU/L1+WFyXA8eo5wuXi5qb82KQnbBFziXHKro2eI/yq7amcUFOrpHRG6ILv6t/zqXpXB9NcTt+uI5hTPHjSvmW1EkXg05FocOBDs7FIrXNT7iA4EA/dSqZHoJNeb+pifqSSkNJ5qSt2pIjEOQUUWIm1zuj8nJ96EwwDWWxyRjX5NQZ0xZr7BF7z4SMmtz5pG+9m7hJu+Tin/eHOjmIxrDfVam20LwOneqZlTIkGkWHjZ3t+bmTEr737qSF8HnNzN5nnTkLwLREbRiksEsTlNaqdcE2Phr/ee6eGi4NNBB6tuRlKMBeMFbN+jNPeHURyKSm1cvA7FWHxDE9Vs6vygSVgxxmEbanYWkNZqardJxsMs2L87XRcVjy+CkmTZ7ZvN9PxWdsQVn25Ce878lMMrZtEei3CkHY1kA+R2sV7NdvX9YZ34be28dSaw64MXg/iMI/OHrPVuoR3wMR0n+RYC4B2QzinIduy0rxEomLAW8SpFjMSxqZ+K1VS9nZD8bb65bU7h/AUxMsZXib+GQsZcPTliGXgTptLAp0rx0mXFDvRGL98+GWagRQuewsB15xKebM+hn7Hehf/aGfN5XkO25avFPjnkkqISAtEBaKYGncgABor8qCYCr7cL+HQqDNkKX4CcYI0hQYw0QhEKlXXa61iKscpTDlf/+Ar94yF6fxROgqjoqAN8UbkX4N15BtDPgnzcmAWnzErTj5+pL+KZ6i4Aw8cZ9MhGllkekrt/VXXIK/wyh52tPvoMRCrJBYdH0l4FP500foNAj5T7Ey/UtZkBMWzzMFGyE6D9x9nxwazyRxCagrhLuB5q/v8dN0PY744MN44Ift6w7QJSVJzKmt/24rJ0Pq8baD18yXawhYMJsCOAG+b+7Hc9eU3D1xKcl5I1hnZ2ctqRf9+9dWtG+MQd5ceV5IvVuuPnI8EEdW14w6MEJOiUCUtTbQXGVHGH9DTVB3jXaJRPRjUsH6JyExmW7Hebapy+7GcMlEHKeuFmxLceuaeuSfwr1wSUAnX9h7As1x8kEiCGiw/n0s33sfJii4f4yK5jQeC1WBmyy/5MpxVqkzZWyepwiVZZw3AGuZ4Xres5C1FtwvOmjc+LWHqpFJrRe4NL3ULRL7+zhQGrIEX4w7iLve2hLoKEaLsSb48V+MBjslTE4vGDJ/MnvIOc5cG3szLMF53dBLGBXTBZYLp9jQK/Vo5CZjmrEnDjM2J3fTyxDb0UkBSF3GtUDxfcSkLfsjGB8hekW0H34AbShOodkiK7ZKLesSgJR97Y/baLUnwNNi0QKlvKUpqGvIIvQde/Srb1H/Jhjgy+mM3VSFHnwdiQ5wM+C/5ooSI71FbEKe/Yws3JbOA0REFn3vzFWwiYhplaBYPAyuMsmd7VJ57MIM2GfNjUeV9eLs6SwdeiMWHNuD3fpCOPSu0Sw4uw4/5VczN06BVDRxddmkY+yF0kIFU1GrLHSBB6fl5JkuafsYIvzheirxcxgGzf/imnG9u9VnWlYpLo66PrBgYCpmYq34ZB8OUWCIrOgbezkJJALs3scgXSIlQocTnR1vtlj2ao7szlt7QBhZghO9KuagHJN25P0Dsc2Xvku8QxXOGfOMyUkHejjvjyuOub5/HkdJInO2qVW7R92+qpjZE+eSxNGQfSISo+jojvOiwp1FGUO+lhD1qdbnaSa1w95x9cXBXFJLB7xglIF/Nx5pkEmXIru0c0EOBU9Dd3dVgi8QINmRlMzYUzcek5ZPgVZiqOOz7Gla2cw0Z3diXOmuJ/Ix2rJ2/RB1fpw5NcmyQ1+2NDTHjMr7lcxht9HNI7KKPaPSgFuAd2SYu8IFZJgqPRoqhvWvm51rIe+ISdYykl4Gc7yO/6hLZBPY8FUrDxqQ48TV1oiRUzkXKnJww3d69otdjVtbn5qhY/YpcND2EkyJ4AfUsPmlz6X09l3SxirxVJmloQvPrqL2AAFWEzFlihLafVo5fNykB0HOakFLFeSDZNu+zLVnOnc/YrXqDcI04dWKrTUK5yWfgD9ehXHQGIJfd5kThXdEVmTE2M2o6am4lEQzZ2aD/uEXaW6wGJQjVpKMPycyMNKptCIcruQ18/168lspqPm41bmAlHLyy/fAmqVXfdWmie3DsDolXR+pUyqcHmhaPSWbbpNOj6XztXBSzJ3En2Ujn+pGuEebryku2U5FWtF6mX/tqABxaaBwVm+M7R6+adcTvcZvJVYYUYrg/RbBbMtQItLaRg486qIX7GROrli+8ufULPBVVG/4MHt01M1A8kZq59nsTj3oVi7q98TPeyEU1bOF6Xd3tUUkxhPQbqMhTSlAAU5lRzUaw2V7r7K64QL17x0g8siY8kb+Fx8R5d4HzjJTEGzfQGz+GMjHBeR9hrodGNsvNqIGdYofdTy1JzrRQ0NdPv8FS5uJT5LfdUhJ0p9z+kmbP0tbPdb3izZJ6OmF8TyQLNNMd3d+pROaMnfZuKsrDrmiNjGfrmO6GGqOsrdWKGwRcKrlG/nQ7M1+cWUOrfb/q/DSV4JaC38qorGs8qWiqavgzjZprMzXBDYVro0WkHJxXIJ17bYb/tiAUyxLc2qKZ85EDwTnAMDe8omn93TdCPqu1rqg4edjlD2nC7fOvaXKkSfu4YSuVAHoS8IihHCstg4APtVR8fGPeLIjGdS1w7IkHGAr2nm0KA27TVjNAevKhRJ5yjbSLBa41eHQhZ//OdEgNXs+y8K9Ch1a3TcUkpbApbxFiZL5uL3PQC7Sy9W2qoD4pXUmrRxBBYjElMegDkae/8UegKLU6DQfx7aeaw51wc5O5GFsqSjGYeZrVXJSCo/h1kjEO5NpWP1ZY5rkQufCTP5a9ss3Yefr1Oc9PTGnRWcoQ9gi8Bv804rc7r8cf80oJvverEU2Q5ixSyJIwR3a7kV1ZDxsktCnak1AOy0tYtPE5opoGtP58DroT2dUjWMVXHNuMl9IFBkQDWIbmV9ZsN7dTCFARHJKTnK9SRAuyNniTq5RHbh6SU/ktH3oCgi9mg7S/8+lUFFvzJlBJgpasRViWdDZX6SWFWB4mC/vUnBvxkG/fFDKGRpbF/siH5PmJIJiCOhiXeaZlWVEJ8z65qUXSBSXSCNebP6vVHT/ci5ZfgnjPvm3RbKkM1iydwERFbo+RYSqJso7+T27r36eefWrss82FeZbGLnJZOetK8kWrig4G+iIUfqtHyojpbdZHNUWMMiGNpaygGr4tuQ9faLKP6L43imoNyRAjbhh3tLlGj31ZCF8WKPaD/dZ8GrP1eXbnHshjqfIMqeDG5+UaCVDkQopTdQgLtvQ63AXKjfzsI6APvHpWCHXfmrAfe+YLR55Ksq3FYILcAA0yvbBmFUMTkS++oPQmTt97N+NiblhBLvRSm2ep8Iks7EUOiTjM55J1+bQgVuK1tZ9hG6Rx9yMiTYjd730EbuODfLnwmYEBMHSIkMiHhRSapglDn+Zj2OMvDWFDylT0qw6Qu9OqRHL3QhfeADmagYA/PEs0PjYBnlLTSTyiQI5MXODPOSS4Kp6zS7KiNu9ryhgfbsaq1CmSwWm+PAC/l2So1XoanGoBYEWz04kA4bi9YNjH7J7lJ+BvlG2k5Y6diRQI1BlizaljjfZwjry5w210buaqM7bIymNywueet/73LF6owzXVoJB3azJjNWPRLw0eyO/9fOn3qhll0zr44Qw0laK8O5fbBVlJ2gBlnObZUG0egst6Bb/QmNa/JThwirmui951gNc7J9AYqzXeZzLq1+SIWTrwFeVAkU7i4SG5L2VVdftHlBw5NHeIHSGrDtABs9EVv1A+93UaNnJ9TFMOgxt3wRlq1/RFG/CbyL4mDKhW+LEIVbUe8oSEm/DGB4CYDoELwPyYw1Nk76UgvAaVU1UuV87zWuHOLflXKWnGj1JOx7fV2gP9rty7eii5Mo4zu4+G6ytwZAt9ngFkz3ATlf3z3LBIy9lUi7CXVeKlsjhxToRHsyDrUtWW90y7qz2DguENPOn0PSPjERjwV858SMxJtoRmlFL/yrogfX6SCYzwKFmd5VOYp+S+dEqifzc9DcyAmdD98z0szC/IM8rdEz2n003qHEQbeT40zLWqNM50FRUHwyLa70sca/Wz8xp2JyynyJRU9axroVadv/Itw2sICssi3HglSr9gGMKMSG5qu4eQO+l4jKX2XUnMVF3coX24qB9uuxEtRzOxOI8yMt3Jb9Itt+BDXA/mxN2lDvv2I8aeZfUBRWLlYQ1BNWSMupRHKJfv9KsYkJFha5q4xuUDWSOOYMw1BMqDi9dlzFRmbSWr+CmUu0fcbt9C25A6UnyXLMyPYvIENToa+ynIXvwrczohGlzR/mtN43Ouk19FTHwpILCH/fIS+Po4dy+3QBHgq8eqnL9It+U0ljFnpHmjRsMv3O+F3RDnMnbBqsyotPtQs2eIgFWIZ3LXQ9eMu/cDEpa8Hkd3LcmiTMfO3bwE7YGYGyn2HY/Gsj/CR6FvWNTUmAZs28RuIKEcnZps37v/SmamFexhZp6EU/yIfAZuPdkXDiEa2oSYSROb8KdJPHFTFZmVxXB0TRCxMfef3PA3ETVltvdIBGVmkVPOljMV1zlTOPOPDioGSdZ8SDrRB2UnGSTMLXcaMhPPOjPJYtWfmBYv0wdoqCHsR/om1hmUL4ADU/TOUIYAyjWfBgt+whTkwyfD2gPKEe+XEMyPeoOGOABXcjzm5zaCfeVgxlEoljFWyGwnvLm+Q0ZV8lzY6u/TOqXv/ifJ0VX4yS4lthi3Qa86JMQU7l8Hu8jsFosS0fPKbwQXlJTTElt4UyUzeTp8O8T3QRhRzB4EDgqnDDz6Mmiq9sa2RGURPCbfWFQQ9drpGNsQt7j/WG3WpVMlPUHkk62x+GMgS50IBUxE9KmkKJoZDUlQJKh1DxCUDY3ngFOgtHJk5Aa5S4J/ACW2nT7cqWmslz7lFKrsHf6L6hTHErIp5xma1GrrKBTrBhGPi+c3HfeH/s101nz4NX/yoWDlseaNgSISKOfsjF9F2L3+knIuEAem58kFkd6N8K29qmq66yN2J6jnAV5z0YdJxVoN8KxmD1OQz0/jdu4F0asceOv+85QH3TprXb4tWEat635WZ7cfLogiz7Ry+5cqm2tF9+/FBykIo7U/w8ZqvB5yq1rnMgFyhFO78XqnCUJIi319UZQE6n6ojBGBOZ2RscLmSyo6dvtmbg+MOyDf2ReHNMYWcylaF81KyshL4P2fxCYh3uHMyy+2lyQ3QdPXPYlonXumP5+EKYszvPRZ8TmMcncCHJbxhtpluHwU/zF14zhCaiUUG4V4NcYKNYlAobT4EMLdmQYEu9zsUVqy0kzYSKoU78DHTizGa3LdWSzeykMR/pJMF8xXmC5MqwAJW6oJqD3eg1kJIK8WCyrx0KAUL+pvtHOblHP7r6hvHpO9rKoBSbgM69x4bkLSQUCpj600hWpxECt4kqFCxQki+FG4T/frEjr8Z0cKi+WncvAeCJsquo/6wX3js20p+7J4vTeoZD79QSERxXKOK9gsHYAjE7DjONU1KFWUViZdpjuc+sRUblH84SrGou19e7KNd7KDL5B4BIzufyWNLGC4nZ/9m72/i1vEwkem3LZ0bE6SKbu8KtND2tZmGZopo/mB60d5yvmIPi2boaf1qlkTaqmuHmqa04wji4ZOvyH/Ihz1JiXiFXM18uTXTa4hEdJQjgocblJi4/NfQXArEMqSkwSCIgXP/GMvk9iw6iZfQhxH5c0yBsyHPh0IrYWSJLxbxZ8yckAZoHxpUwHhUPdy+MzghT9MieJCg6Z8jjtjQ9fZScn7keX2Jht3Wqu6bjbEuBBhOrwwmYYPd32uiHO6dfPNGt4kVGDctZh3pkXkWjEfEVdAqLrZr9GZAJr39o4yWPeKsMXwA+ZViM0aZghEwRCvFQAx4ZZJ6UTGeoafzG6+yqFNylOUaD3E+V/WXZ2bRfe3kpr6HyjB2+t3JytZtPrnrlr9/iy2mgGV0GW5N8Z6RmZkoz8OVOIsMK1Ec7x8FliUqGYcIVfirK821LRTnktoEr5VwW7DzNIzOsUiTQ7nKi5U1x3dOOo4phRtjFfSPhR5MYgtCf+4bwO86ayfHzbpvavYzMBujSqbgk520ORCunuQzUhh4bzBtx/SlnQVcPlgKrzO5avo2h4fL/31sVUM9zlzMbT89bE+jeE+SHERPkF8kLXUDYbZTKaOS7JwT1NlEPjx/jXuq91IIiQPqkwxNG/bDDpvf6ABjTYMsAkIa1l9Vi9H9krzX+aIGehuGT9zKxYn2zH6RtYkbrVvAj8BSwwiBdsiVCBpYRmz2eXuYiOg/p/lOUI0SbTUz/IysvcpbUnp3Sf6oyQG+nDbpJ+aIuPsjlIgTwmwhTqpAuySKHG8VQoKBhvcWhEc7G5w5egWcF8gy4LTKvwy07CPe1/+9pruXszPTD+rXuLIF6AN2N6xUn9W9W/f4DEBloAYmruDV8nyP8EVPHkJAGw4eECZmqln8x7GFJ8bWfdZBXnRnOMv3PxzdgpG9Hz8FCQlhPkyIfi0NAiM9tomOXtwzPk6VhDzV/RoTO/qQR88k7LAmrNhShxajOHdEHwRamFB+MukNa/45XB6xaV6cg6rtlZ59/yi8SDWkOBHk/1z79N4Bt5Gk99Iu2D/qKiV4PAEhmSphL5vv+LSpvvVg4rOuV6TSzYfUaxu1L9DiKl0Jkq5+HtccB1O0XhqZBW+OQWYqGRVhPb77ZCec9IO72i6/ubmWGj+4qXIeTLCiYZ/RUj9n/EI+z+GQgID+r2Q/Y2rzlXD4EeqvgGdZOMh1KnmT6Ctye4c+BeF/woc0wPr9K92FIHuRGmDbZCqZhFW+RxgtV5uTIGUOdhyoYcW+peBGxiJBwvRsgZ90LLxB1MPvK0G25tfufJvKoCObGL2YCuLFgzTWFZA4hPwU+zKCegEns7LB3FpqgPLTV+M5bcrsa9MrnT6qq6PGsBd6eFTiXeAHdFNAPYmiw4zL2glf1GUdweC+npIcPKh9Aqtr7j2qigcZ5R5OQnjcUP3nUJCrkuofpFhYNflVyfq3lFCuXoFoFIkSf8ZTUFhhMEzp6/vBo3MdC4XDcPs4E/N2azSPcsrHfu4YRSh6l8p/v9rX7YyxAdEQ61moKKUvafufVQx8sPN7EcvX5/4bWD6UlOpqfgZVaTA2mLybBG0CiYSPqf7mP57I/33M65lNIIbVB3cummb8PtbYIexttSuvdGHKjWZCWWR5maKPvqAMJbWI93CYRj7Hacz/OK/6o7cEPPvIntgfjRrHVIiOdOm1c1pW+rLAPrALDcRqg7LQmSEn+UVYymsllcZP+gXX7OUGz0yBEnxDCHUS9nW5qha4z013PPUDljz1fFyJVZ4Ef7CDeqNNLID7dJHHo9yUN3BLwhBP9OnrgdZGerVs9j2sPIPP5GcsrBEtdfqtSSC722Da5tw4ARsKZ25PPDmy7o0Df7XiLGwRfXXQNgrc65L01wtyuo6fHr/ouz9q3NXmFLTs5+hMa6jZKTCr3VCh0TC+QDJhHDFrLk0M9IhmS2EL3JMcVsRZVukylWc4NdqFX2IJnY7kuRXfZrqEGfotgMu/fwCnX4Zb3ThuMeQHjyLImRBMVY3VGzTOqSRUou4TPGScsmxEGOhgrEW7daOh5RGyhTnDeX52C5MEdfUfLh+8OFUvBKAGHPf+g4vpisAWSPisipALXpGBv4f3H2OTQC+/XFiUj0xKTisZVsacFQb5hPTalNrMDUAvNXqPdI/iVZmGI5hXN9hA4MUSeeIigUb1lCB6ab85qmbM0j2KUy0E5S0uQAdNv09crEZGhuRK05ZJv1x1n79A4EUj0MkY+ms2jvZKG+BDSNCPAc28QthUpyfH/5kB8VY9AWP/R6NkvVQ/XxEhqFmCLppAHojSNSJgdLLBbGu+/Sxlw23dakA4vJScXOgmuW7WDpVIt129s4QYsmkZgQ0gsSwSXgkf3iY2Jxciv22cu4Tba3H8HMckxzTQ8uAWGXY8kTuicPXGRvVLh8i31Tdy5jdZ4oA/WywaTT3ge1YGqxqp//VyeIN91Z1avqXW8KkRHGDW1xcmyYiKlLNnACiC5VdqaosK7S+/g8JLud7zEGus9VsMZGFZduSmjtisq0C5FBdwoW7TxCo6yqRzD4g5qzIOcKTHJnGzCeFSUArvWKnhZS7W9/wFxJ3Qpar6h8OUToata1AeYS2il/x5CRuGSa/8T7lmvld9THyyNglWOWuZVgyV76ewXGtc3SlT1xa1H2i6eAZ2DorLNfkUbPJrbDZr8IE07Qr9biP6bMwnuxwhxJOccPOX8JKguI3wtMC6tzO2yk3+dU/4Wnxxs9I5Q4Zb1NloeiYEybL4UkCYhEXoilTpkHJzzGVPTdsHe6vcW/8BDwS1YFsMIfaLq4KKGCJQWlLsz5hbxn6T0l6oajusj2INfaqCBv3k1Z4ZYie7TxAoo29Z1yjmPnnScfrRtvgFTnkDeurE2dCW9T0kiUXIxq/P3uZkLFczTZPLShn/p3eoYusPvYc+ryOiFL0h3Ej4mYr8bNVIP5uSfah8i1iPpXN2/5Nd4CkHG90QujTWGmQ+Cbwrms09qV7IOwbq4dxaM3XdToejSgKL9e8BjOg4C2kf6Mb4vQO32ZXo3+aWz4wVDjv6KW52Bil158gFzJJhMBSfNeeYxv63MtyXUoc+yvuZFna4MYaD94irbWQvEYgzZ9EGXFqY8/oL5afFsruHeUgsuOqVDGihoBjrWWs2kX2K0Ynh4HJSOCH4iZ9qCMS2Hj8cZKSGCBzeJj67P2t65T0z/JEX/LqqMgU0cqCnwgQh84KnvKa3qVu5NBqT0dRFqA5NY6TAybScZ4vywzsNS4oUBY+aFzrTCkAhXMeuVWw74h5CP/26z0BqZImdyayRaPXOspi9gtbRgoA7KV08IMCr54h8ZPILl/ZrvR7+MbWRDNjDi+0KaCFpTCLgwxJgX5Ck/f3BUldsBv7q2R3sJkFRfSW9a7vHASEFHby4eg1IW1OaGzMeSAurECEfVjyJynAsn971Ua1hh/8UsBbjN7fqZm5HN5OQHy9xJQXblM2u3RSLV9FSWRoh20dg8rvd6Uhmf5F2i8VP+40J7l6RNyEyRD6kZGoihdKpbX4NkTm4q+AF2hcwJzQbvtnZkfORwP0jKhf6JEIRNq5bABhGT0PVU2932AVJjOh99OW6VIoOlLzLkAj8EoC+3lRdiXk2sxYCxlgCrqRbZ12QPeEetVTEobqD6hPfiD5SBa9pd6Hdc/Pj/qVUqGJ2xsN6zbP/QD/XhqLqVQLdpY5Fcw56IrUdRsYoDTA4k53x2wJv6pBep9askQRy3A8Q4NAyr1SGdPfdV0N+drek9r2SRTlmYQDftKFEH3626uoTCpKUegbCXZVxdEEe3TaAIPpmCCH9prSxjYBuxQEKPM++rawvB/dcDgnydrqdPYleQr66T1jOP+grdbx9r0qu/O3u4IXG2y3P8W5EC+A5lOjeEMq7y2LnngRHUWvync/3G0GBHhjg/AfmBn3erApEHCpM3yfecLZz/WRIiEDzF2X0iR1Cakmi1Rjz+JHk9tYM4XkRLaV6SL1QZIpaEiXXj6GVHBPXjgXW8+LVfXR7ti4/06vS4XVbsxJd1zMPAr6IRJ5mMpUg2snbrca2AfywxHqUJ0Y3Ux+FPbZeJnZqnVZnXzOXmS/DBpFDuxZPixMrh1Gd3kfL51WyylMPX/MOvDWEcDV3jSIPC6OW7LANtGvswOKrlJjPWfsc4cT9zH24lbD9fqNJk2aUFR6WRAgjmroDp8C0tlb/qa3ws2i86Wt3AfEtimWCWT526q95e5Xbp+4+hmLv1wjTejCTLu6kGQjyzPFnNrLPYH0XVsCvwmeQqun8fAtNm8gS1/dThbzTxJ9fYtfzQElhZ+TAhX/DFEZbk3RdlA7uPu23ETLpsSJCkBtjBWV63i2tOLWmkHL8FBPUxTwAdUqapN5BG6MJOcIgtDGR9ddxiY2AVJPvxZ/xkHH/dCYLkGXfNvaqq6Pri5wxEyueZDB+U20nLG7jrQdLfqBu1wGDEvC/eWAaj+mWrX680pzNdha6MXzLxP9sMBjTdFNbyJZBiERIhIAXDtSF4QiO5F9737E8m9YTdEkWPvgYYC4orkTpHcrsZy2Cvaz1ncMAmZ7CicDNocrEuPQxOIS1Typv2dMfXinjm5FN338w+eDDoBg+wPKdfbmKf7tYqfRWf+9h+1MCIkmMAX6mFB15+b3biapxbNsXll4DQ1LU3QsCXaQf2vDyb1wPr6YxjrPSJ8/8O6AF9DYrkMBkh5hUyMWJgMhP+4ggZ8epeI14bYNUtU+FN2DfH0W+nuO0wqEk3InOsHrvcOKLJBRRfGeFrkFKo/lrxTWryYjZxP8QyB4WHnv2jAqZYmGnoevhQN2ix+Y/v7+JU9tZBAMfQXi4HrRRz3JZ3UA+UhOEJBFf8q1lchh46aEko9A+v/b0uYXsLrSmoXx646+hr22/gKsITHeNsrUsZiWV8lUNlBPAt8/vQOuTsGLOy8wjLLVxXHbUsU813h/b40VWcsmU3ihdQcD1lKU9Pn9XdKDGLMOeKCilfYJ/3aVy63YpIwdTUvW5wNh5ZF4q9mp5ebVBu5Jx5/SgEhRWRVIdveyZu5GDTRkPHsMpFAg5wSv1EB/9tA97BB4pVdW68CQ8ymiIChckdiRwbqYHFwuYOSW/nIn/HxJBihyNGCNAH9mnuBC+8m9IfgHWRRdYl1qh8GmtpOmFMtQcehqHy3dZBg0ozw1HIKRg2yL+uF+WjwG0pDyUwPeFyOEi8RZJuRDF6CmhSDlGOsI1yT2IqBXQiBygcfhVoRwxVqj3z0DW7iqbPvgYf62s3o3YvnSZ174XgS7YJyXVugaSt/QGS8X/nL+t3GOXLe8cy7f4bP1iTSM5Zuf4jEsV+LTx909AJ66BcssahQuE0GT/71PpWlJoHFN28W4isOB56RSgOFDGOH0q66+YqiWD7H6A8ocXgl8vTh507HJn7JU4/V9Gp4mypov7wbwsEyEYBeieiTlEfukymiOOg1IgmTCUXmxd3oB6+DUhCa6SPCM9d+7fs2obwWmP9cvw8D7BjzKs5nM9sWeyK3pCt9c1TUfnSaroEid+/7SO+rOKHqhzIYOgUbu40sfh12SNe5Ki2gIXFTDuANePOD08g3zyVCYhDw8JOrfOH4ML5XSRMorEsjWeXcBS6doQhFGZIXeDbxczz0ukWChcVLbn1J3clqD2sCuvsKPcMxwUHOMatQJp9VcL0b1p75x1oDtDNj0xjxpOpNb/3N7SenbKZg6eTcNG67F8eXcQv44UghLS9x3yh7KoCg+JB2W5yZEufvig07wQAmLl74odDl2iy1thcyWIftpIlDYHyaDqMxCHvF22SJErGY5w/vabmVupn9Pb47Zju+9VhTakuJYxKt28klNhQ7zOUxkt2E31AGbvaHSo5c4Pi+6PkDhUNeE5s9ThKrlah0DTPT6rlJnFSgN32qPYf3CYEk0RBUcV1Exk1FEqGKCoeQRwr0YHOD1j+PIawclhLmDtW8t6Vrv+CuBAoqCVEx+PSseB0e4CtSab8rHb8ZJtmQqvOvfDvKiFqXXJ0ma6S+SM7Pd1NBYxGTlpwBP/bgX6jAmNDWqSHyEFNeQGuC/SIikDaSpZAv9Q3KmL4T6uMHhGlNaFXHOq/VdDSXjtMr/XelWcOV8pdmeMl4r6hwJzT2zEWYHWc+wU5SwtymAQ2CyvFPO+waKzjvYUcAe7Uu2YIb2gXX3j4fpuv+bzONqhSaUvBUx12WpFpzXzLnEQHKhhpdDY5OY9iOlYXTgS5QYJm1GDO2H8ia4DPe4XKQnF/TPCWHPj+IAlh0vKfP/MoZcrUQ3ayiWN00bL08i1gr5sTZS+DG1M//B97KwrhGqik/cUc1vny1RKUgpOwkAaP6FaVZ52gSOpOuTM0YbV9e3dbxHLeJ4sdUWuUM+CNgxnyr8s2jFNeiqjUWz/+IkCM5ZKetVTZnripPt50cPBAdhX8uWI7TGVJv6XJQD/73UDlA0Z6M9cB5TEUXaDkZNs8RvNbE28UFJhrNYQqHICRu888Yqokx+49X8LrAF7mgcK3iXCkx9bLEwFHkO9Z2dxYmcXEoZpUpBplj4gTt5kJwClDQvfxCpEgN55/PFgcKrjpTTg/VqioiW+7y4vnIwEWHYSoz+XdMJxwU7vLdhFq6NFn4gFisvCXuyM0oJAv4Jg+flFwyhBqpom856Gurd9lwYGtHYOpUhiIvx0vflmzaG7oL3PblWpr76ENWEan9cHp4npmhS8HJs+LtqXxZfVSZedA4io7UWbwzHWbhEswh+ajENvtaBawbyxZp2xD3GqaivM0Lb0SP5GeKgzhdS4agaLnr1lQPfwvNS+BChEzQzG9G/uPn4/rYOrc7WyDO+fiZcvVJZPaaRJ79XToMYwNoZSDKbI3vWiAHcu9lETvvwk6oN3XM9OllQ4/AClzYpB7UtujUlJsHEUT2F0j/cg1i5Sqd732qt0wQkudRxUfdhBIT4p2/MXi9/eOcJq1gp5PDV+jmI+kNpWQlmtuK6SeQoeF75UHJC77GL/6yVtV+VcsL3tWIoqzicsLFqUWG0QmuU2Vw8v5n0KsFb/EHRdND3YntyBk8xdtnSCrN/hzYiFP1TehQCNrQiIygIfFqvQH1tm54UpAIatDYa8UjtywZOjLZ4Ksd1cPkAPhSCwAs40a/lLLhgoDvEzOscywQT1FlYvLzMyeQe3Y2lYB34oGYDuTeTHIXJ4kgLIdUuZPT1tgV5iI1mSG9muRG6NHArw0BUv7l/7SuCoJ8P2VRoXfHwVNdzqQ0j2lfxTM53PDr49L8WmFT4Rb51ubmPrX/sFWea0sQoBOQqjgvQtfhwYANQFl7GCOax5jm2V24AduLRvAGShIdUR+GWuYMSoAbo05sJtJFG1b2SYEOb5ppdPbWKJImV8ePN1n5q6HO1VPFiX34j07xkxotvOv6Y4Kk8k4nizuG2U5lZNuQxfTTHFqWwyfrUvGVTSLNhFA1s5MRXMWdec1KtyoDcbH5mZ6Tab2N/OF+GVCO/UPA/kbBoNaKXUUoOPGr7GrmPEZcly3jz+ttflTAj5LA5xTUhaJLpaEkSfzQEneQehO1LBCb8IhUKU9caZ4tN/PEsFqiXDQ+tE9UvHc7Why9YdATbszSUJO1fofUJym/AVmh+Dqs36gqRYtslSEHqWzTteDO49aEfOu42wsVyp6rchUJn6bcj+5rrbd/XbUROKXWd2+6uGVVlPGha4a0ffhL7rZvkk01TuksZLJXMEkoagTR7GinOTXN+zgNl8PWsV9GEYtJtT3JoR+pHhoIDFXG2LauuuCXcOew/5qdsvJIoeeRlKPMZFipBfY6KHl6zBOYuvniHmYK6zelY/waPAdv4hz2In9Z5iHmpo/yFtaC6eSloP/oOoIDkLt1ip1O2q7tt0qGxVbjuTmvQ4unmVEER1QqGGzEe+9Sninu6mjlShsWRjtZueElU/HCZHF0I8Qala+8TipLuytX35dm67cXXLAJKcR7vYcFA8m6JJAmoba88nS5JFoVKRtKAuV3phtFv2r93D2K0+xFX1ULT0n0JUwi9rki9Fyqt0rvcXzJ8mVyi7Z6CZNaTmsKiuUjVT9v+XuuUrjhL1JYoB65j3Sn82TWJbeLv6jCpBZtNA2xHHTfdtmWc6HXNdYRAbC/5mj9/IyvaMDkZaB3OJqcRpPG67jcKMzHXhMctI/dxj+U++Z8uwEQFmBJFo2uoqcRJsY5ChRlXBRLX6AyyImv99+pUYmuvmCwZO+K2vUlU5yOs7syFFC3RMdzaHqJPP7FiOPFihdksCdGHKaJE0iRXPd4K0Dg6HhfPsPDHKjQ9nw9dXVBUFNerSyL0wnQ62+OPgt0XR9E+0igwK5XYospoqqm2+a0FOM/iXtriBiQDOiwSrQZ2X6RNge0QA1AVdKE0eRpmf69wRRhQip/mlp3PwBxZQGPWHNZ3B9Bn8AOVPiUDFwEs0t8H0aRlWrUb8TrjFfCIMIA6aL3f2PDee8RGHhmr2ia0+fUTOtNTFN/oQU1Nya4bXM+dg/WPJs2Gp/BAEp8noCgu/gk13cXOULUC4ni8oqb6zgldZO+zTVtcNE8S1JEQnMfXDmfKjEiYXKNsV5PAN5ndF9ZK0xxS7Y+qvNu+TQbTKI7vgzrEPmbnGXs3KdB/JIux8DGyYlHKHCCw/+/uvlvJYmVJ7mvoQwsTWmsND1ofaPn1BObe3X0OTUYwGDFjnMYMDtAiK7Oquhowa6THvhkBibbmTJSdpbfKkyCCXWrcHonjMxJSXDUhtQr2Z3GyrbKs6RXA36r2j25te08DgkhXXxnz+W7Z7RM7T/4jjsk3C/Tk6NWHt4/LIINpEkRpFnimm0Fhsw3R8wXv8QrckTBbqtzWaJnhkpwLRr8FiSR6NQtWfWm65hl1/yq0evbVY8hueL8mm8VGmeYDqu205kekU/xOzxCz/ZA4tyNc02uKks3NkB+yGTKGnBCCXqg0FezzQ4qjrH2hb2tTIc+YaM+pmtwGp0nlswB3oR9Jie0+cgBdM0HqN1P4iqEsleaUeeChsqMDgZvA/jWr8ZDawcX0Ik32s8JKftZ3H+rZAED5WzjBVaTh+ITyeXDNyec7VWe/hIdMonxuN49eLkzXjkZW7VcBPqoAhtuJ5bxvjg5MZ0+0vZ2pG+UHtcrkgmM0bGTY5w14sD+SpSz7dRFakVgX+ykCbIPgyVG227Ne/rA6FW/gPIm9E0Ycl5TGlKsymyMI4kHymLhFVXXa6LXU1sWCzk2LRYt0TWwNQVj9sxMhXu6GZk8e25cuYhUmCO5/DhuBnrBvLkdHaX1PQlAkDVFBcLreVo23b4LZydkb9TOeEYG/KVhvJplkOIDarTIItlaDVPVt//eik6pap7c+c/f5l2lzr6Ej1fukTtS1ugUnKfxzaSHNvwX78zy9QIwtLN0cY9VAM6Mqs76qCtgO4StR3Y6f5XbFGuK3epP/fTXKiM/xwonyl4vCtjDC5eR1IeX2ba9s/RZMxrE19lD/vW/NSw1AVoQJvPahW0/fGdybxdwrr66fQQrh6DgJUT3vogJs8zUG/QEFk2FFEpC3CBtBSaMTqZ7rfh8lM6Ud80nawowNJm11fOnZbPl58p4yg9J6fOhlP8sCXji8xs+bMS3AEn4uYeT5FacdiRYclePtohkxhrt6oG237km/FQgP6nO+avDPDYjo6zup1dcGuj7BNiKU1TANr68VjLa5+vluDHbduUPGF8+YeHsRZ/jy8aruViIwdoelvc8t+0+OyrKWRN0OnEu8y90UvJNvwVbNWh/lSgsHTOL21kZi04swEY5XA5CjaurxzhWatjili5HNflrV2OwAedylOZun/BRCljgl07XOUXz2VBzJCFweVBytsylutrQXS94LiORIiueCX32v0aK8wdLW01N8FZUYSvZa9L3gTdZpdVY2nh5mS2hkUDL3XQi8iTrtjrKmE7ht6ZV11CRVaKyF3iTdNke9OHc+dvReqGqpmmwz7Gr5JTa0E1P3Q1uTd3SVRPWO+XsvOD1LGzFgei8of4lHis5lEi+92sneFIlAH9Lua2zals9MltkDioSHgMLW0K7t4dh+j1wo7BFHfg7Z6y/JBofjQOVhBXjBbC/CP6cpZ/6T2BOD9To9TFbxWCxxu0V9vuXAGLisAQ5CDssD+Fgx45b3ApjmWm3fNDpGUzXcf9K5+PWTlM3CE4THYlqR4jDoUut9lVRnJZH0M20ot5pxtF/b/Kmaz1gWBEH82cQP4nuzML4VUMZJerAwnh9ilwGl1ASsMjDMzcLy56V2rty1BTrS9AQ+9mlLvketQM+W+pCSdDfsf8Qf2EXVCHY/EYpKKtpJ9R+TNxTsYWUfWpmwqinpuZvajqmOpGrl/I53dFaA+VO+dzL8f17Me5kSiJnHt1WNR3RRX3PxubXVR5mu6YPdSE0K5cZvaxb1vRXGbSVKZXkR4Dj83eC8vpWOtsl447/dQ+Rsc6hOLmIip/lbHL1vEM7wn2+Dv+XyuOf7nH/Jke+PdXy31f95gTOfLDql2Z9s4QbWvkjqMbblrMcCE1fwUYjrLykf1em/Wl8fyvAouGD6cgk1BFXYCK9mEvi+E54WpvTEejgxq0qOWT5nxdwpkpsm6ax2WXzsX8NLI83hq3PxVSPSr6AGZcNPPxPvLB4fWT06hPiqLL1SAoTx34sXsXEnQ67RjmajL+FKAwaA1WEl2P6OjfV2pctspYXUOYn/29X1xb0+WLcDw09NJUdvuNR3KAkSjeRRmpHtqwQBZ5JUpbNtEK8Fi5Z7/BECjY+cL8OJj+PIywvE/jKcCuLqWzrgvmwpOggCXgx3Lqa4ITy0ODr9+suWovy+r/+fulcoYcyC6GN43JAKw7Je9H13kqekxeeWqSjMaMXlaVN3QXXouS8TbzmpY39uW6gGfEaG2mBYutGJeJedCspsloNoL9QvFARabDm0jGcl4v3jvPtswExHVPPNFWeXosfkPDtoavu+rBEzHPrxhz9PaUg7aylF/65xO4fVV3s5xZByooBuEVMCaL8OjR30U7CsxvWosrwk6xxIk7I+X9gumZJZQE90H8lVb3eldVxJoa0PTwDe53nX/orDBcWPaHpgsBELUeaRuacmFwfvVxbiY83xKXyo2Z2safQg4mgVk6onATZDRo8vassa9TxTXnCtRA03YerR9KMShmsYl9IILAxr6abk9WCfQPm/c69DOPgZzqylCKyHHzo3Lm8zVJ6e0T70jWQ2siKuL9Jd9p7PSZRKEkp/OaTRjPerLW3eczH7TzvvepzCCYl349XQbG5xt2j3xnRBkd1qJ/vR3fDyPzgIOEoy1ITlSvkBiQjTuzyvq4XnO+fPtawv3l/gVCu6vHQ+0h9GXoqEAaFxaflnVpBEEeurFDyY3Y0GCnFIHafn59ts5tkMNPzKtQtiY4lC+7P4tidoNQXNulT+4L2t6gdIdBe7xg3kFyYLdZHKad/3tgRT8UiOBiYo6o/zXyQPX8wyMNMojaeOL53ny2HVMmq0hNLY+YiELQW1h+IH5ySjkJJUC1GiBkq6ockLgkoEO+Cy71Z3L4Huf7k56BPY7W5UNAwRqaex+pMu4Zedf0TTFdY4/9F/1+Iq7FYEy9IHQhMN+Aesmq4nhLwGtNDfJW3zRHt9Tlwg5jcyO+/lJeA++QHnD3KiLF2+TqxedllL48x0H1e5OrIQZn9LHbxZms8fUupSdyy7HvbYQGTtKxOwSMrDL4EluTYQNzjN/ctguMqIBuj5S5z2CNjPtYRmjRTN+9A4BlQo3Fwn7adEDWPArdHmT4z291/hdX6CjpQ6uMc8yw0KwEVKH91TIMR3K3hCEm//PA+LYKg593morvGCv0hc7rAiUoFgSkGfo05YGpiP/t0tGIOEqnN/4bTC98w5Yz7ricFptDGxkN3tq6c/j/+6AZ/feQ959sCv3hKh2D7vfcWD2OaZaZ2Ty3v7cfWtYPi21fhf3wsfO3+wjRRZhzFVp26mdkLeB4kqy6ngp53+XIXHYpRlMOQCmApFuOeXrx2/wrjSaZem2qATixgdSVr/UvVpOLXkPIsvwRt9x7Dyoiof0gjeh3DbzdEmdgLV7CW0g2GyVBx7SsIkIjuSj4FB71LBidoR6t9vB1kWf+Zw8kpg3X7mKsL2lIzTleBQOeqVoUDbPbcwa7Hu97VrVM2IZMTweudGVA/EcT46UkMr1hm5Yk9/eU7R5gg7i47fB1lrKj03PtXxfvrBgnMdmk7j3fAcjyoej8cZrNx5usoJJbyEuQmaKvy+8y1ZgO40+EwuzDLC2ezbApiQ0Pbz82BkI7FLVbyJ2KaZsWV4rpg5g8P6vKy1R8OFw4tBicIBCQM8kiOkVgbaq95mgZSJkBbHAN+IRB6u9PPXhb972NWtiwP4TLIpYbBoPIimHlCwTShh2yFrO+36fNd0KSVK0u4IFRmIC3il4LzPsDZ39yA5qSD2ASkh+5HKV90b3L3LjXEvqr+maEeLQnjpdRZi1u88Z9UsJprnLdvLc+/84U0bIGOzILnltaLBvmtWCGjwWQ/ObyxGK73mB6Du4GfmwAvYiKyzoXpnJ4YA1SO8eTXvvKE9MGTKEWwVrkvPyycwVGeDFix8ZbhTvFUiFELTfrMeqDx46KdfdZN5bftjmEVHzpOM7tdEdli+FZwLCgiDdsQOIFq3dh/V1dzA8ubCQgHD8nTWOeEvt0fjaKg/WZjsa2Jqu9KadvCiTVZePUpYkQvaRDec8jbw60/JT9aaO4Wpq+wHz/mWa0UtQ+C9bWVXfpZYEfusRYw0zt5nKQmRJzg+BB82rWvgy6AOv6BrZgc11CvF2AYiIyduJELHgrJk2F/bWI050sEkvAPTdnmqO8Wx1t2me/5VHnm/wvcEK5fQXH6kcR/nuvpSZi2ldAFCA2APckmhE0p7c4/MmNau1r6ylyIw7xnCmbBVy+z5V1jljHKam4NtN77yVu87M8g0dylHKcKwuSmyUokI5fo+1lViiH0BoSRLYD+k1NnYyE7UJ7gQ4Lm3Iz+RDF10Mzw/e698QvihWl7DY6we7fs+PktSGu+9C69Jlq6h1GOsTRMRima2ghmSRR3u0W8XCN2plmxTKJmoEs28i5arPBtQayw+52D0o4AatNOCrb/A1swC5W7vCbXkuDUUqVqOmbTPP54xqANrxEuAljpTD7eQpc2CtaS/T9/r7tWvPzcf3TEt8ekaClrC1fa93Gjnp6E7PEKsDCB89sIEWCZ0FCjHaPzCJTRs079nIbpbu+oig17q14CJFR2nVdpMWSYzKzU10DaPEgN0J7iW13F3xb36kL5v6tWdZNd8+nDru/YlZSLN2PTdcOFEXX2DvDxU74fW/rtg0cwghjJ19wzwihS6Hx7/vSBTFq10oijT7wXoYzS9AAeOJiqUxcud+Pbbqztr65iary62Iss2x3uQI1WMr0DvH/LKmXEyJyqSXXSsEKgVaweqvq+DF9KXHOESeeyPIK29XQKG/DKj3i70Do2jhfv5mXArcRUsA6gb8c1jPX/x3KPa+yP66dhZr1AOKRMOGJu7uL7Ja5RTkpznoYA5Cprv46jlqtlwZgeJphUrfMBl5AaybvRoFpCYpBEMRwxflqx1SPo3StAayBYnvNbjs7VIo0kKJWqBY/9bEfudTW7F/JWPtV5NH1hxR9XaK8K7+71wc4RDeV9z9B/N7d0BNsV1TkBFP4qm/tgf1R5n93H5LvApqX2bX+3PIVRrAt3bX3wnxJTkfk4E7W3WavOVBn/N8n80E5POvQKC6ytBPinrHyYq4YRMf7qC7y1GepsVR6INSnpI+Rv/mB4shrupinHfZlZyr3cIv+bmP5pNxf38D7Yc0U32vvYfk/2yx3jG+pSJHXvU/+3+OBTtrH5UF5MDO4oQ/gFZF3ylHaJn+70c8Gm6v51C9ZCWD/XJlObm5Wo9m52VR+erz8z/vrQ9AptKFO/NFAoziI1WbC+8EO6J6+26uW8efkUK6heosPdtGm6BVAdhszxpuBcFpVEQvfChaHvqzghetVZbgn9GF21V5HMCX3Sr3bNPbg/OX1EKPplph5hx7urnQNHvT6uihvbOJHq2oT5qLIqAptZkkYykM1XiB8uwYtuujCsMcunqhsaRVBVwqrdDPxVI0Q+aFJHlaSlwo8FlQtHe9J38Dk/nD4xf+ZhmMZZ30jvhVQCDFCz/Iw7o23mlYOngzTXkqbPtrqpla8aEkwr8/n4UzRWehx3wzexMCl4FUc1dm4eJT7iVpQvvKunnhqiSqNIGRpDq50ZpY/79J/xX6W27nrCftUhqrL90b1p0yLOjqdL1t/4HpHE12STfB3fFoEE8NoUtJJlNOZJOWDJWBBvq7Uwr6+9S9LlRsqkiN2BZCQjndAfmD2E6JuziVLD+kEEwu25C3294EQ6lelQIru6b9Z7dorJSZPLngSssubD7Nf5mrc/9lQ51fr//r++mNZt9r+3vnhhnzS9FrqDoKKExdIJD6FEZGHsNHoQV7rzrpX/l5E3ZT7R9OZgzibZOjb5CRarN+8/zSrneVRDP0ird7A7uy3GSdCvWBZF7IM4lDX1k4Nk9Kf4ZxeeDig+uw1LQOEXf8ope44HKS0M5564miVcspj6iqchpPDceDUANZXspvc3SmVyVhFQuyVqM2fvnyFFdypR730gFY1PvXORc5wTw8HYChDQEQuEFgNkj8YvvpGhjHI1gfJQ0e3ptwmoXizPgN6S2HNfAQ8tBhkFM9VdKEwHcUlOWeUEtnrMXnQZFHyqLDjjYhjld2ky3jrYzAVDBu99LAUr4o2eoLzw5IHpW8z0j067bWBF0jjZ7Y7jr+bhAzPE8YFXzRdyGPhDeATKYBOLwvIbCbUVocvHBrKgBlhhWO48dQWtQWZQUvZmFl15EZk+Bf/Wwl2HEBgxr5nv0fkn0sp1Mx0VTx52WmsVtUMK1mJNxqVg13iJwDfohbCA2MSKIC1yDhD2xGNmm/d72r0QRmCSXvN5B74FrqKNS+eIlcmUvA0m8wDrEDurf8Zs0wjBeZtfGmscagFcnxvATv3oBYtV77qtQJX8U8WskvS4ajURaNB1mzEtH+LG771m1PezKbGZtG8NM9Cp4KkEKG2MMuAzoUN5ACg9YyA8YkVafIoGD8Ey/FG6wBmKOmBOoe2K5rkUyvv3sPFQiq+FCynyGNvvFM5NwOHNbyNNeBHmFAx6gWjQOpJUsbCk+07hmVFuIr4sE0mveWkZ/eodiCFlkGIv95/kzOC2E/ePxpetu9umh8BL+4qHAVx3wQzos3gHSzk8KFjSLrnMAFD0tmdQgtZQVaZ2EWlt3p8GD/XLR9oaf1OxIMTvEl58xk3xnOfHlnuOFsaWhL4b5XPigoEwjMoDQQZZ10M1om40zdXXQHZTeQPftontYuO36j2cN597VrJwCXKlY+bdzgPrBf0XdvpAnL7zzy1DQVsVY7/Fth39pkPxZHu9xoE2oS8gRopmteyNwlBOFK7HGt8cWdB95G5XCJJjbx5Tqk1oJA5oHyQ2M+7nTBFeGuamBXDcCW2FPR23GiFCVGgQlJHfV2saTs3aw+F3GUwxn1IkqcC3V4vSSdYhwIu8Wc0f424m7ODJLfZCW7f07vu6R4+PPtcDdWQB+jFoQ5qRrWL50Z0dw4KA8a0zjpDYY67+6ixi9xu/6G4z9bian6YPSFRfxDnCeKcEnU323cNyTqJlUOu8D9ydA9Rk+9MdyZVBZJVkxACPL+sIbjOzDq1MpY4xfMXFysMjbCoNbVPXEjWy3fIVGe5w/6pwGZpftBfeVPuAjUlBgWsR6gU+ia2lWOTu8PkEEhJTih7c+usGp0M7n2y6xBOGoXyALQDeOwyBVkr6MLlrnufuRGeF9Mru7Xiomch878JWfynOc2Ae+DH2rNI5O2xa4TDsZvxFMP6sr9AXU2bvPuUJLhU9WgfsG+TUJloVHFYO5mftEsZyuk1tm9jwgDf8B9ulLF6F33ecz8JhoGXbMcxxpnvnZPgS4YP5qOm2v2mo/pw3nmpscGm5X7tFQls1EqvDtjRjyQzt9eRAMUPBFUWZZRUaxEhT71S6rSK0cuc6Fav5+k9je7GZTf+dS4DGYtvQl8tEXMD5Wso/hHCIH5Tgi7Mlr6ZcFt0hJHbN7NSdRtXwZnt4ZjO8TlusolBT+BrqjqqlhT1HyKYfrkUoKc6lSvWp46isVir9qbeS2tMBj5pDuHqFW/CJiW0vhXNF9exw89MEczIPfs5EgNl3uh4EXUB+ulR5eDQmNr4tpG0a12FEwk+qZe1mnTaCz3KvKrOFWCmNHszv+X26mjPn2CA65uySTbS9M1Qwq001dQWmORs1Rt0sao57M51Ntk4iBjBeEpTMK837Tv1xmmYM/6lmHjj9Rkv35rDgHSyvas7Xo8SBLkvRgSZzk6r4sPbmUX0PJX6uMXGJH/LYNQ/31cfvOjfK6y9oO5PP42Kjbquqx/EvLLDcx3JOIiGHQvGQvkbQnEplfQo9n8DkcUZMW1tJy4wlOVFsWFQdwuZUhjBOg7Qq3QNuLsc1euiHR3HZDs5buqsPXZ4O8a6FZGuIq1lupm4HCOsjwyUryyasrwP7w0qe5ocbNKexzTHup6b5cFJQXrZrihJVghtN6bPGFzwHYHUUw7yDz23VLeGlpACLjVr7ofWf2wuePNXEa8ASTCeSLPDZDx1tCEbIxCpbsidtQdWTY76dGZKPkBZOKzkwr3imZznGIOcXKtIonX8ECvkG8hOUPWsYNgVyi3TWX4XOmfv7dKg1LuuTZ9E54qaKzNpjEv+k7zH/3WI7xeFUvqjOrRe3x4rUoST6+Vv1muyRAEMjtJYq72xA2Cgh/eZE+uRwyzUHaSYoPHdwwK24X+442pqmsEhTjTq9v3g+8SSeGvvkbgH7uQgaVM6FKLsgIWNu7aGbiQPeuUynx7qsoFRtef4Bbp85NWxW5f+HCC7pJMEJ5cOaF6miORJpBr2oafOwO/EwZj720Jj1dBWxE0GamcvZN796kwciXh/aeu4NCwQxos48Imtu4D8bmdZQY/s4lPDsmQyQbX9pUByLd+Qupi0YxklH1xTRroG/43pZc65vPrPYXKj1JTDUhsQkWEgAvtQqUNYI3+ovFFsMg62SU1uIkuaGBfD5xSmJB8kCQo/BJPTLT8DtwhyfdeAaEHY7Mn1oQmbj+rHOX3PyoG5TIEexTGK4LulhzHosp4OO9Ez7Kjw16PLkLV0fSPSar+9PQLmbZx1doWAI9pwrDEAOx9pk18n/FL14E/sfM6ivplp9ZHVJgpSuy6zgAYzcEN4i8Wpjr3qbyh4l2l50c0kPfRg4hx8oP1TP/b5v3BcKFYLvneSZS4rFRieMX/jPIknY+j79JaK5KPCcYODIeSc9Ls/qGvv8iFNmSCnvxzTnkm5Rg2Vh/Bhk4J+34mlV1I1OpRfBv23y5i7vL+cgmKp/3KL0O4rkvUqN/OPgK4kNwjalIySQWGCaFGN1gKI8xIXuDA3/eVtce/ux7ENLxPB4UzysbyHZXCMn3vj6pc2Hoj4ONjiERRw/BgUfWVyFgj7w/eS7HDfb+Gbx256m3kkOaz2Fm9uMPPggZP/dhFwQNBH2Fb4FXLZ0h//I5/F6GDeDx9AfKwO+pQySbAhTA1m/O7KMz4RJrqtRjuaM051mqKuAn281c69yvd5VFi7D90gSwrmUuKSZy1m9ckDZP+BBPsXkq7kyUi57SQKAOvisAq79subKQlQUpx9lzyvcLOK27umcTolAVYqeTIBsSEmpQq6fsCsZZsrAxr2N/Yg9HjWMXOcyeeSf+CVMzVImuzjpjnd3NA0Bxt0YG8IN/A/wX/VpWReMhFOHUMvkmUv8yE3/1iNI7fWDN7i8z4RLAlv9BqlgB2vWL+6Kkz+EH4y+6Bnd37v4rl4LB/tk+7Ggeg3GCn4bQZPxaM+bV3IR0m1EUTPyx7Y6MWb0P+vPBW0WdSOcVyPZXG84u7WKm5UNoGQFSm/Rjij8WlNMj/ro+7xa6VIrZbmDEKr0yAgOSV+rVRqnR6JD1V5vxVuSoT2ydQsjfAJWFdEvO7PYGzxappWuRsC+tuRm/tBPqqTWCjW2/TYrNUpGrz83S0ZMk9vlRNWyzLG4DDlkrcZZ70L/ctMQ0X5rSLhjxxFAb1eOXXeDv7sR/5uker3IY7DVDtSOErDEbZqHlnfWfknb0JJcHq6mfzyminhtRAe5mlQbruDZGeYneki/CPFpn1EaXrB52FNT+EdoAdgNEl5mOBdev/cxGRYe4u6fuCaX0+RiRL7bY3aRG7O2D4t0XxuM1bQ8BgmRsVtGFSi/YFNK07uWCYF8Cqmf7CqSoUHlOeoJ/ObSIPNj8qkCa5zwofO8lfFK0PrONusyu5bTv+AZ7Gn9bDSYNlpe+o7V7A+0G6trnfUxcsLok2VdORcVGgTOj64GFGJFUMYPTVI0PDhigabGBd3Ow9IJoXI/5Co5S1l/pfQzGi+r2t2R+CXb/xgonWUgdE2P2XlJhBdUvnq/0I4RIrQnL58kXEWhKWotprqQz9gPqRJhcL5uBPUA9sQ+P0af6ixFfvGNnLltd5stYnszIjHJkXrU2+UzXboHe6abI3E+mr0uO3Jv2y5YHFNYBfmbgrztpbbWxWRATY8ffbiSyGzeo64f2CLt/JkUGWwW4c5ZRcJcqrjhBvOEv4AY/HQ7Qx4A2O+T/d9qBdH8y3CZzJus0fbnTaKsXwlLxy44Y0VnFMREN0x5pUoCzQ50O4EVKbn9weUAcBzyxI9mJwdcn6CsYRXeX83e8jGRu3LqAfnwFLleFTzySFmWRpsz6M4e+gAAIFjK907y4rE6tAawCO3UG8Z/LBBXSafsA2cf14gX/e+ETPAMzpXvi2kRb0Z8b3UHhMHpLA3p98UO0M4QzayqLwG3QijCtIpMH37P72Mapoinp2U8jJV8RJ+epwS7GCusiG/vzpd7AIErI8RkyTOuDbEB4IvY25xTrNlCue/iYLnHvyTQiNtj2Pr2ZVq9UTt3iT3xNn0QZ2EorIAbIFjaGhn50JISZjcFl2uEdif2XwKEmes5rNYbwCF4Fce4H3manSmt5deL3Ft/bYANoHy4qc4WDsLo9YGvr/cQ0g91PQ2w+Wh+vBZEEoYr5kxYvQG+4ZGclkXfeWVxOApyMUjcYj83PXtNwFeg66Fdia4b+jrbgRRZaGxWsmESrMuSB8lTQ8325Nv2JzI9AkxJRGsRZgLsJBZWmijdyfiM6KLOkQDC1JdkWTGiiyTIQqjeXv2qHtpyGDj8B9OUh9ZXETCGz3KBq8szzB6sGg1iKUKyQQpHc/Re5SxbbEmIe97/6nHrHcb1X12uoLo388NTS1jJyzodOeRzNA93CHK/cec1ywo5YP+5HXbsRv1kSlUrb3g4YE/JpwzbO7wHsir9O6aSBet+21c6drBT0WaZSMDcTs0M6Xvlq+2bvm9HETxyX5vCv0cTzn3z6qNxEfrCRvZ6K/D3dSy6ZnuLWO+neH2d4Jnc7Gkq47XIGJ7KMDmiX0r+shMo4XN+alwZ/l9Z5SUcO8IwH8FCdTitozUjhfVZDd5Ar/Tux9GkLNI1eNTU1OgwgGyGV4eeXEA4sUVV1DbAU0e7QKoejaWiA81B1WKKfp3KewkTOAQ4KAgFNFxCVA2q/A0diLP2kfzsfVi4bfaR1L/agcUkoA2m4pQmt/mC8Ih9BuDM/AcxxzMB2lNjThMpffDiW5MVmGxxl8tyibC8PD5cHvrD54mO9fy+Nr414gBi0UZ/Gx6yW33FT38YH1TfbqYkJL5DTL8f+sy/aCxIPmckY2rvqixoWshZOI9gxNH+BV9UdKJTxHhd+wUa6Zf+GJ7hNfrze3KKb7fLEmedBL+DcHZUfiqqdSxDMqsFF2NLQAl9f5ReIXYigYf2zM++wsF0HpUgYixJ2pK0Aiwpd556DE/gw+CgUvDi58ygV3q+Z0ZZCQPBX0xWAKLouLiwcBLkRhDqIa04QolLt7Iw+H6bsjHX5FFgl90DjfMPBPOMvJ5tq//47d6YG4nT7Th500wv28HV/JPID19NyeUrtmgKPITScL0vRs68go5KOLzt15SeBguFB7Vjt41hJa+/bAUhzCMTG+sgPHPC55zajDrxlaJkz9P0Bu/VM7cVFRt3bTBau9ABcrj/v7yVKS/XESiCFWB7MoAqbVIpz1d2lWSIC+1m4qva8lHtdOWK7jMk0rAeQva4vBlJlZVbFU3sLViTkk/aHPD4xWeirtJWAqL3ARw5tiaPRL9ZoX//Kn7rPIseZ1aY+078dmm1ixZCgpKyxHpTZBctE0+HyRFM8bp9lpMW0B2GZHk/qKq7zKaFrA6ElpVMPl5AN5DKPmwjoASfwAM84yaMhxxdg/uMT/DsgmOJ63u2c3RoY5n/B9L9HIRfLVlz/xzOWwf8+uXm4hGIcim15VzHw7z/A/3Vs9b+nXYPIv5/P/zk7GgL+bav/49xoGPn32Ojk3/Oqq/++9/8c6fzZhH9Odf6vj/9zevTftf84gxvm/jc= 7Vttc+I2EP41zNx9CGNbfgkfAwm5XK8Xhsxd23zpCFs2amSLChGgv76SLRvbIiH4TCAzZDLBWsnrZffZF62VDhjEq1sGZ9PfaYBIxzKCVQdcdyzLtC2rI3+NYJ1RPNPJCBHDgVq0ITzg/5AiGoq6wAGaVxZySgnHsyrRp0mCfF6hQcbosrospKT61BmMkEZ48CHRqX/ggE8z6qXlbehfEI6m+ZNNt5fNxDBfrL7JfAoDuiyRwE0HDBilPLuKVwNEpPJyvWT3DV+YLQRjKOFvuWHUx1/v3ODCDO8mj+OR/ePxJrmwMy7PkCzUF+7fjpS8fJ0rgdFFEiDJx+yA/nKKOXqYQV/OLoXZBW3KY6KmdbmUqM+IcbQqkZSct4jGiLO1WKJmHaUyhRlHQWZZMoBaMS3pHigaVCaPCr4brYgLpZg9lORpStI0JIw7k5cEJ09VdRRmN8SAwAkifeg/RalKB5RQljIAvd5gMBRC9jlkEeIjxLAQHjGpZ5xEYpErmdEF89ELk0LfbP2nfFLXyYd/KSnSwfVKiZGN1mr0osEyUXajBwUVH9LNWjKcs8VwOY0hAjl+rnreNmuqJ4woFhIXqOlVUQOsGh6U8rKbyo5S43NZ5XPpVNkoA9XZpMgqvnNzsPV+BWytQyDT2SviAu+NWMkD+omApUgwysq22xAtRdhZV1H4TnDJv0YJL49owuDRY7jpnVYQN62Tcqzd/gJOyl+A3VJ0Be5x/QVoMAhn8Xyd+MHRXQYYJ+YyeuFzNRr9fd1/0XH8tXCdALHd6ppkuv02KQhFVXS/4IILak+vtr1Tr+42vTqH0utp5fgTiTC211KEsd1e1zlmjLH0GGN2xfgBJSLIGJ+Y0M0gMT9LiQI97IhVV3LnKv2JwPkc+412FMP05wMYvla3m2bTSszcwejQZnfObq1bxTWNmjc2dmzXPGrpYLlb7OsSoa5+SFM5N4Z2/13QfOJinna1rsQC05itNpPiKpKfN+Px/ThNqxk3IV3GMJv+YNnWqe2fHa975Hxr6XXMPfOnMEIKKMcs+jyrqq5cM8cq+qzLk4piO/dJuXFPJNx5bktVjAtqNcz7tqEsvUa1SjXMTZJj7ZCVy5wz+oRKM2bPMAD4AFlPq0Uab5ftHYwOjIM8zpRwAM44aNw2Metx+82bGm8Ho0PjwNRwYEscfKcch2cEvIwAzXB2QwTUM4vG6NAIsDQEOBIBY7rgSHzeJXMOUzZDiMkZGvvXCmbTdxD1jZHG6NDQ0BseblcBYcFQjgXsC23R5IyI1zbLVUN6bZUNdUaHRoR+sKAnEXGNCEqjxblw2K+AtJrGhjoSNEaHRoLeFesdvnAI058PjYB64WAZLRUOGqNDI0Dvm3nn7NDGZqLeAG3cKX/nTirYdqJqv05qb1sj9TKtR1FMn0spxhgyGouP3xBL5OHEt/VYOVrxGs7quCkQFWJCttEhwVEiYSvwlHZpZVdQwJxcqYkYB4F84NY246YR+WqDbI8TGXa1o1ScTCyht9hWluFbbzm01msEp/UidGevEZxWr7Huxo17jXVGrR15+zFH7H7yjzyYaxlpbM4YioCv/DjfPeJi9xgWaQEnUm+QBUuYjoOF/MuptB6jEYNxLE8/WsZE6lyd4RC6T9lM5NokTSwoyG+jedv/E0OhcElhSpFaWPqYJCAZty/frj93FUiIcMkpJQFi1XPECYyV1X5ChuFEoDWlv37Y1inZUvnHHiEnofI1TSXaKFIeaAgK+b5hRsRKFpI0gU7FOpS0dZalCk1bjzVeS7FGDEs42x5+LMASGH3tfXdABGxrNWTuzwu9pbX3+zxzWxoyjW1bnbflnV3VzkerUYqXV7/a8NQYNQ5KYrg5dZ8t3/zvArj5Hw== 7Vtbc6s2EP41nmkfnEGIS3j0LWl6ek489nTak5eODDJmgpErcByfX18JBAaEDw42sZPaL4GVWKTd71vtSqQDB8vXe4pWi6/EwX5HVZzXDhx2VPbTLPaHS7aJxAR6InCp5yQisBNMvR9YCBUhXXsODgsdI0L8yFsVhTYJAmxHBRmilGyK3ebEL751hVwsCaY28mXpX54TLRLprWru5L9hz12kbwaGmPASpZ3FTMIFcsgmJ4KjDhxQQqLkavk6wD43XmqX5Lm7Pa3ZwCgOokMeGPe93x8MpwvmD7OnyVj782kUdLVEywvy12LC/fuxGG+0TY1AyTpwMNcDOrC/WXgRnq6QzVs3zO1MtoiWvmiWxyWG+oJphF9zIjHOe0yWOKJb1kW06rfJEwIzuoDMJucAYdRFzvZQyJBwuZvp3VmFXQjDvMFIpmQkyULMuSt+6XvBc9EczAp0+ze7UW709PZ7vm3IJ61kd1txl8GF3/hohv0+sp/d2BUD4hMavxha1mBwxybXjxB1cTTG1GOTxpT7xwtc1sngysia2nhP416HJSrr0YOdAodkt+Ycp1c4LpVR7KPIeykyr8qb4g1j4rERZ6ixiqjJMJJqEEZIHsoTpaQHgKIiq6RHWLqsJ4ZWNunmaLPOgbbmGEgD9YWAQIUlFOgNUVAOQu+MgtSsORg84RlFZ4/NwLqs4AzUD8YXeFF8gcaJoia8PS9foASD+WoZbgPbOTtloHphlJETmt54/M+wv5c49pZRx8G03lyzxLZ/zDJBlrU8riOmBZ/OrppRa1ejyq56W3a9rKX7QiKMdqq8TLPMG/2cMUaVYwy4YfdTHLAgo/xCmW0GAfiVj8iRww7r1eMVKeeTj8LQs4sAODDjv4t/vH9EyTPOtQBLUSD8AJAoIQKUI93BORqsUdQ2IPQr4WWvGKmeYwlvaNaZCW9U+Nfwmbn6cxKPdOdo4981SRu6YbyP1WMdgLJ63TWyK5f/HU0mj5N4wU20sdElCpPmD7YOG2rR4emie651WJXzm0dqL5CLBUzOmQyasNZY75oMprnphcSw2vopde6FBDvTPFWwM2Ax1JXY0Xaok3NXNZfbjIIUa9eM5qBMpOm2U7kelxS1jIM0zuRwAK84aLydAszGxU6NorZxACQcaBwH30jkza8I2I8AqdxVGiJAWlnKitpGwHU345DzhabrvaRIe1/3avLR71trG6uqtLF4lBhjVqOoSo/vghxW4VwDyL5jzDevIPsePB2ghsHLnWLcG+Ppw7fJly9fF93J9668YLzZyZV+qPDVxST7TTeupC2S9jauKn2lHs396n0NnZP/IQgjFI8hXNs2DsNc2nBYMGCldFREBsXs1WgWd+ARYMUtE9tK73f0IZMg33MDDiwGlXiDhJfkno38nmhYeo7Dn/9J9JjHv2xEUlGffWYkRtLJPu7JQ3Q/O/ZuCig3KjDMAiRSHx0JWVCsKtXi82Q+D3ErCJO3yj9dNJBIXF7BD675ymGlvVSg0ldyJmAUeTyVePz5CQvrCKuboIpaR4Kqa1RGgfYJe8BRxkcnrMSzxt8GaTWKWiasvL9t/qQ2/4Tk1GvICfRSdZVmp00R1D7/qo6aPhn/JNoYDfkHlBpFLfNPPjK5/X/xz6jjn5aeJ5xmcTyGfux295F90n33rwpw9B8= 7Vrfk6I4EP5rrLp70AIiODz6a+Zm63bHdepubuflKkLE1CDxQhx1//pNICAQOJTV1anSF6QTOkn393U6DS0wXG4fKFwtPhMX+S1Dc7ctMGoZ4qfzi5DsYklPN2OBR7Ebi/S94Bl/R1KoSekauyjMdWSE+Ayv8kKHBAFyWE4GKSWbfLc58fOjrqCHFMGzA31V+oJdtoild0ZvL/8DYW+RjKxbdtyyhElnuZJwAV2yyYjAuAWGlBAW/1tuh8gXxkvsEj93X9GaToyigB3ywGSAPz1ablufP85ep5PuX6/joN2NtbxDfy0XPHiYyPmyXWIEStaBi4QevQUGmwVm6HkFHdG64W7nsgVb+rJZnZec6juiDG0zIjnPB0SWiNEd7yJbzbv4CYkZU0Jmk3GANOoiY3sgZVC63Ev17q3C/0jDHGGknmIkxULcuSvx18fBW94c3Ap09w+/0Tpmcvst2zYSi9bSu528S+Eibnw4Q/4AOm9e5Ioh8QmNBga2PRze88UNGKQeYhNEMV80osI/OPB4J0soI2vqoIrGSofFKuvRg9wch1S3ZhxnljgukVHkQ4bf88wr86YcYUIwn3GKGjuPmhQjiQZphPihLFEKenQ9r8gu6JGWLuqJoJUuujna7EugrTkGkkB9JSAwQAEFZkMUFIPQL0ZBYtYMDF7RjMKLx2bdvq7grBsfjC/gqvgCrAJftIZ8AXeX5QtQYDBfLcNd4LgXpwwwrowyakLTn0z+HQ0qiePsOHVcROvNNYtt++csFaRZy9OacS3odHbtWrV2tcrsap7Lrte1dV9JhOmeKi/r2r2OeckYY6gxxujw+2cU8CCj/Ua5bYaB/rs47opjcMH1vFdfnEgFn3wYhtjJA+DAjP8++on+jJI3lGnRbU0D4ANAooAI3Wiao4EaRecGhHkjvOoVK9m4fpbwlmFfmPBWiX8tn5trMCfRTPeOtv5bk6ShHUZ1rD7voGur7b6R//PEdTydPk2jDTfWxmcXK4ybP9g+bGl5h5tpnL7UTmyoGc4TdRbQQxIol0wHe91ezlyJZS6VDibZ6ZVEsdoTVOLcKwl3vbu8O5uHOwvkg12BHecOdmr2CjLZzThIsHbLaQ7KRbpND9JWjaIz4yCJMxkcdG84aFxQ0a3Gx50aRefGga7gwBQ4+EIYnt8QUI0As5AO6U03hJ5do6gCAdwPcJfpthIdwuoJW2b5OHtAxRpPC69bseSQ1xdNsaMo+sW7SPe6ksorca9SbW/q3tqy/bndq7LXEpvDlKwZ4tfHIGQwUjOKPgiZQ+zf9o4DDhOFkN/4dYxShDkQINV7x6khZKp5Zq+TAuY+AxjscJOS4Aab6h286O2mFVXQq1F05rhiqklnUiNz8XurrODG0Ja1oY+9IK64OdxHiKo1t0RPuIJBqaKDKnd3EUQpWfHLZxSG4vOxfREv1p0fj4ujqVeU9sT0C7DNwTAgolQ3mGPfL8OsXPhIrhoMRB2KE8bvy4Yldl0xVmlha1/6+t/ds/mrzjTtqCluFWHWpLhlPnwbvXz6+n37ZbF2vr69euP+3+0yPB0ZRkqZXmKnS5FfL543jt4zqh48HdlLfaN+fHhsdd0uo6guKDpBIgZoL5gtXAo3hxbaVTZSxIeDs6iDIIncEHlvc9AyR0dRsHoPmke/dEYK4dIPXOVMWiljsjCsZkAlYbVO4aCQMOZnX/HlIZl/nMznIToSUvx2/61s3H3/xTEY/wA= WARNING : THRESHOLD_EXCEEDED for <%> Used count free count "```
+
+```" NOTICE : THRESHOLD_CLEAR for <%> Used count free count "```
+
+``` = ```
+
+- Default polling interval should be set to 5 minutes.
+- Default HIGH threshold should be set to 85%.
+- Default LOW threshold should be set to 70%.
+- CRM feature should suppress SYSLOG messages after printing for 10 times.
+## 1.3 CLI requirements
+- User should be able to query usage and availability of monitored resources.
+- User should be able to configure thresholds values.
+
+# 2 Modules Design
+## 2.1 Config DB
+### 2.1.1 CRM Table
+New "CRM" table should be added to ConfigDB in order to store CRM related configuration: polling interval and LOW/HIGH threshold values.
+```
+; Defines schema for CRM configuration attributes
+key = CRM ; CRM configuration
+; field = value
+polling_interval = 1*4DIGIT ; CRM polling interval
+ipv4_route_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv4 route' resource
+ipv6_route_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv6 route' resource
+ipv4_nexthop_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv4 next-hop' resource
+ipv6_nexthop_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv6 next-hop' resource
+ipv4_neighbor_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv4 neighbor' resource
+ipv6_neighbor_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'ipv6 neighbor' resource
+nexthop_group_member_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'next-hop group member' resource
+nexthop_group_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'next-hop group object' resource
+acl_table_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'acl table' resource
+acl_group_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'acl group' resource
+acl_entry_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'acl entry' resource
+acl_counter_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'acl counter' resource
+fdb_entry_threshold_type = "percentage" / "used" / "free" ; CRM threshold type for 'fdb entry' resource
+ipv4_route_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv4 route' resource
+ipv6_route_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv6 route' resource
+ipv4_nexthop_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv4 next-hop' resource
+ipv6_nexthop_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv6 next-hop' resource
+ipv4_neighbor_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv4 neighbor' resource
+ipv6_neighbor_low_threshold = 1*4DIGIT ; CRM low threshold for 'ipv6 neighbor' resource
+nexthop_group_member_low_threshold = 1*4DIGIT ; CRM low threshold for 'next-hop group member' resource
+nexthop_group_low_threshold = 1*4DIGIT ; CRM low threshold for 'next-hop group object' resource
+acl_table_low_threshold = 1*4DIGIT ; CRM low threshold for 'acl table' resource
+acl_group_low_threshold = 1*4DIGIT ; CRM low threshold for 'acl group' resource
+acl_entry_low_threshold = 1*4DIGIT ; CRM low threshold for 'acl entry' resource
+acl_counter_low_threshold = 1*4DIGIT ; CRM low threshold for 'acl counter' resource
+fdb_entry_low_threshold = 1*4DIGIT ; CRM low threshold for 'fdb entry' resource
+ipv4_route_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv4 route' resource
+ipv6_route_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv6 route' resource
+ipv4_nexthop_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv4 next-hop' resource
+ipv6_nexthop_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv6 next-hop' resource
+ipv4_neighbor_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv4 neighbor' resource
+ipv6_neighbor_high_threshold = 1*4DIGIT ; CRM high threshold for 'ipv6 neighbor' resource
+nexthop_group_member_high_threshold = 1*4DIGIT ; CRM high threshold for 'next-hop group member' resource
+nexthop_group_high_threshold = 1*4DIGIT ; CRM high threshold for 'next-hop group object' resource
+acl_table_high_threshold = 1*4DIGIT ; CRM high threshold for 'acl table' resource
+acl_group_high_threshold = 1*4DIGIT ; CRM high threshold for 'acl group' resource
+acl_entry_high_threshold = 1*4DIGIT ; CRM high threshold for 'acl entry' resource
+acl_counter_high_threshold = 1*4DIGIT ; CRM high threshold for 'acl counter' resource
+fdb_entry_high_threshold = 1*4DIGIT ; CRM high threshold for 'fdb entry' resource
+```
+## 2.2 Counters DB
+Two new tables should be added to the CountersDB in order to represent currently used and available entries for the CRM resources.
+### 2.2.1 CRM_STATS Table
+This table should store all global CRM stats.
+```
+; Defines schema for CRM counters attributes
+key = CRM_STATS ; CRM stats entry
+; field = value
+CRM_STATS_IPV4_ROUTE_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv4 route' resource
+CRM_STATS_IPV6_ROUTE_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv6 route' resource
+CRM_STATS_IPV4_NEXTHOP_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv4 next-hop' resource
+CRM_STATS_IPV6_NEXTHOP_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv6 next-hop' resource
+CRM_STATS_IPV4_NEIGHBOR_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv4 neighbor' resource
+CRM_STATS_IPV6_NEIGHBOR_AVAILABLE = 1*20DIGIT ; number of available entries for 'ipv6 neighbor' resource
+CRM_STATS_NEXTHOP_GROUP_MEMBER_AVAILABLE = 1*20DIGIT ; number of available entries for 'next-hop group member' resource
+CRM_STATS_NEXTHOP_GROUP_OBJECT_AVAILABLE = 1*20DIGIT ; number of available entries for 'next-hop group object' resource
+CRM_STATS_ACL_TABLE_AVAILABLE = 1*20DIGIT ; number of available entries for 'acl table' resource
+CRM_STATS_ACL_GROUP_AVAILABLE = 1*20DIGIT ; number of available entries for 'acl group' resource
+CRM_STATS_FDB_ENTRY_AVAILABLE = 1*20DIGIT ; number of available entries for 'fdb entry' resource
+CRM_STATS_IPV4_ROUTE_USED = 1*20DIGIT ; number of available entries for 'ipv4 route' resource
+CRM_STATS_IPV6_ROUTE_USED = 1*20DIGIT ; number of used entries for 'ipv6 route' resource
+CRM_STATS_IPV4_NEXTHOP_USED = 1*20DIGIT ; number of used entries for 'ipv4 next-hop' resource
+CRM_STATS_IPV6_NEXTHOP_USED = 1*20DIGIT ; number of used entries for 'ipv6 next-hop' resource
+CRM_STATS_IPV4_NEIGHBOR_USED = 1*20DIGIT ; number of available entries for 'ipv4 neighbor' resource
+CRM_STATS_IPV6_NEIGHBOR_USED = 1*20DIGIT ; number of available entries for 'ipv6 neighbor' resource
+CRM_STATS_NEXTHOP_GROUP_MEMBER_USED = 1*20DIGIT ; number of used entries for 'next-hop group member' resource
+CRM_STATS_NEXTHOP_GROUP_OBJECT_USED = 1*20DIGIT ; number of used entries for 'next-hop group object' resource
+CRM_STATS_ACL_TABLE_USED = 1*20DIGIT ; number of used entries for 'acl table' resource
+CRM_STATS_ACL_GROUP_USED = 1*20DIGIT ; number of used entries for 'acl group' resource
+CRM_STATS_FDB_ENTRY_USED = 1*20DIGIT ; number of used entries for 'fdb entry' resource
+```
+### 2.2.2 CRM_ACL_GROUP_STATS
+This table should store all "per ACL group" CRM stats .
+```
+; Defines schema for CRM counters attributes
+key = CRM_ACL_GROUP_STATS:OID ; CRM ACL group stats entry
+; field = value
+CRM_STATS_ACL_ENTRY_AVAILABLE = 1*20DIGIT ; number of available entries for 'acl entry' resource
+CRM_STATS_ACL_COUNTER_AVAILABLE = 1*20DIGIT ; number of available entries for 'acl counter' resource
+CRM_STATS_ACL_ENTRY_USED = 1*20DIGIT ; number of used entries for 'acl entry' resource
+CRM_STATS_ACL_COUNTER_USED = 1*20DIGIT ; number of used entries for 'acl counter' resource
+```
+## 2.4 Orchestration Agent
+New "CrmOrch" class should be implemented and it should run new CRM thread for all monitoring logic.
+
+CRM thread should check whether some threshold is exceeded and log appropriate (CLEAR/EXCEEDED) SYSLOG message. Also number of already logged EXCEEDED messages should be tracked and once it reached the pre-defined value all CRM SYSLOG messages should be suppressed. When CLEAR message is logged then counter for number of logged messages should be cleared.
+
+CLI show command should be able to display currently USED and AVAILABLE number of entries, but SAI provides API to query the current AVAILABLE entries. So, OrchAgent (appropriate agent for each resource) should track respective entries that are programmed and update appropriate counter in "CrmOrch" cache. Also, "CrmOrch" should provide public API in order to allow other agents update local cache and then CRM thread should periodically update CountersDB from the cache.
+## 2.6 SAI
+Shown below table represents all the SAI attributes which should be used to get required CRM counters.
+###### Table 3: CRM SAI attributes
+| CRM resource | SAI attribute |
+|--------------------------|-------------------------------------------------------|
+| IPv4 routes | SAI_SWITCH_ATTR_AVAILABLE_IPV4_ROUTE_ENTRY |
+| IPv6 routes | SAI_SWITCH_ATTR_AVAILABLE_IPV6_ROUTE_ENTRY |
+| IPv4 next-hops | SAI_SWITCH_ATTR_AVAILABLE_IPV4_NEXTHOP_ENTRY |
+| IPv6 next-hops | SAI_SWITCH_ATTR_AVAILABLE_IPV6_NEXTHOP_ENTRY |
+| IPv4 neighbors | SAI_SWITCH_ATTR_AVAILABLE_IPV4_NEIGHBOR_ENTRY |
+| IPv6 neighbors | SAI_SWITCH_ATTR_AVAILABLE_IPV6_NEIGHBOR_ENTRY |
+| Next-hop group members | SAI_SWITCH_ATTR_AVAILABLE_NEXT_HOP_GROUP_MEMBER_ENTRY |
+| Next-hop group objects | SAI_SWITCH_ATTR_AVAILABLE_NEXT_HOP_GROUP_ENTRY |
+| ACL tables | SAI_SWITCH_ATTR_AVAILABLE_ACL_TABLE |
+| ACL groups | SAI_SWITCH_ATTR_AVAILABLE_ACL_TABLE_GROUP |
+| ACL entries | SAI_ACL_TABLE_ATTR_AVAILABLE_ACL_ENTRY |
+| ACL counters | SAI_ACL_TABLE_ATTR_AVAILABLE_ACL_COUNTER |
+| FDB entries | SAI_SWITCH_ATTR_AVAILABLE_FDB_ENTRY |
+## 2.7 CLI
+New CRM utility script should be implement in "sonic-utilities" in order to configure and display all CRM related information.
+### 2.7.1 CRM utility interface
+```
+crm
+Usage: crm [OPTIONS] COMMAND [ARGS]...
+
+ Utility to operate with CRM configuration and resources.
+
+Options:
+ --help Show this message and exit.
+
+Commands:
+ config Set CRM configuration.
+ show Show CRM information.
+```
+#### 2.7.1.1 CRM utility config syntax
+* ```polling interval ```
+* ```thresholds all type [percentage|used|count]```
+* ```thresholds all [low|high] ```
+* ```thresholds [ipv4|ipv6] route type [percentage|used|count]```
+* ```thresholds [ipv4|ipv6] route [low|high] ```
+* ```thresholds [ipv4|ipv6] neighbor type [percentage|used|count]```
+* ```thresholds [ipv4|ipv6] neighbor [low|high] ```
+* ```thresholds [ipv4|ipv6] nexthop type [percentage|used|count]```
+* ```thresholds [ipv4|ipv6] nexthop [low|high] ```
+* ```thresholds nexthop group [member|object] type [percentage|used|count]```
+* ```thresholds nexthop group [member|object] [low|high] ```
+* ```thresholds acl [table|group] type [percentage|used|count]```
+* ```thresholds acl [table|group] [low|high] ```
+* ```thresholds acl group [entry|counter] type [percentage|used|count]```
+* ```thresholds acl group [entry|counter] [low|high] ```
+* ```thresholds fdb type [percentage|used|count]```
+* ```thresholds fdb [low|high] ```
+#### 2.7.1.2 CRM utility show syntax
+* ```summary```
+* ```[resources|thresholds] all```
+* ```[resources|thresholds] [ipv4|ipv6] [route|neighbor|nexthop]```
+* ```[resources|thresholds] nexthop group [member|object]```
+* ```[resources|thresholds] acl [table|group]```
+* ```[resources|thresholds] acl group [entry|counter]```
+* ```[resources|thresholds] fdb```
+### 2.7.2 Config CLI command
+Config command should be extended in order to add "crm" alias to the CRM utility.
+```
+Usage: config [OPTIONS] COMMAND [ARGS]...
+
+ SONiC command line - 'config' command
+
+Options:
+ --help Show this message and exit.
+
+Commands:
+...
+ crm CRM related configuration.
+```
+### 2.7.3 Show CLI command
+Show command should be extended in order to add "crm" alias to the CRM utility.
+```
+show
+Usage: show [OPTIONS] COMMAND [ARGS]...
+
+ SONiC command line - 'show' command
+
+Options:
+ -?, -h, --help Show this message and exit.
+
+Commands:
+ ...
+ crm Show CRM related information
+```
+# 3 Flows
+## 3.1 CRM monitoring
+
+## 3.2 CRM CLI config
+
+## 3.3 CRM CLI show
+
+# 4 Open Questions
diff --git a/doc/debug_framework_design_spec.md b/doc/debug_framework_design_spec.md
new file mode 100644
index 0000000000..7567e26d99
--- /dev/null
+++ b/doc/debug_framework_design_spec.md
@@ -0,0 +1,394 @@
+# Debug Framework in SONiC
+# Design Specification
+#### Rev 0.3
+
+# Table of Contents
+ * [List of Tables](#list-of-tables)
+ * [Revision](#revision)
+ * [About This Manual](#about-this-manual)
+ * [Scope](#scope)
+ * [Definition/Abbreviation](#definitionabbreviation)
+ * [1. Requirements ](#1-requirements)
+ * [2. Functional Description](#2-functional-description)
+ * [3. Design](#3-design)
+ * [4. Flow Diagrams](#4-flow-diagrams)
+ * [5. Serviceability and Debug](#5-serviceability-and-debug)
+ * [6. Warm Boot Support](#6-warm-boot-support)
+ * [7. Scalability](#7-scalability)
+ * [8. Unit Test](#8-unit-test)
+
+# List of Tables
+[Table 1: Abbreviations](#table-1-abbreviations)
+[Table 2: Configuration options and defaults](#table-2-defaults)
+
+# Revision
+| Rev | Date | Author | Change Description |
+|-----|------------|-----------------------------|----------------------------|
+| 0.1 | 05/19/2019 | Anil Sadineni, Laveen T | Initial version |
+| 0.2 | 05/31/2019 | Anil Sadineni, Laveen T | Address comments from Ben |
+| 0.3 | 07/22/2019 | Anil Sadineni, Laveen T | Internal review comments |
+
+# About this Manual
+This document provides general information about the debug framework and additional debug features implementation in SONiC.
+
+# Scope
+Current implementation of SONiC offers logging utility and utilities to display the contents of Redis. In an effort to enhance debug ability, A new debug framework is added with below functionality:
+ * Provide a framework that allows components to register and dump running snapshots of component internals using dump routines.
+ * Handle assert conditions to collect more info.
+ * Implement dump routines in OrchAgent using debug framework.
+
+Additionally, below debug features are done to enhance debug ability.
+ * Enhance existing show tech-support utility.
+ * Add additional scripts to enforce policies on debug related files.
+
+This document describes the above scope.
+
+# Definition/Abbreviation
+
+# Table 1: Abbreviations
+
+| **Term** | **Meaning** |
+|-------------------|-------------------------------------------------------------------------------------------------------|
+| Singleton | The singleton pattern is a design pattern that restricts the instantiation of a class to one object. | |
+
+# 1 Requirements
+## 1.1 Functional Requirements
+1. A framework to allow component registration and subsequently trigger dump routines. Triggers are from administrative CLI commands or from assert for this release.
+2. Assert routines for production environment to delay the reload for gathering information or notify admin and delegate the decision of reload to admin.
+3. Enhance tech-support to collect comprehensive info.
+4. Add a helper script to facilitate an upload of the debug info in a non-intrusive way.
+5. Rate limit and redirect critical logs for better debug ability.
+
+## 1.2 Configuration and Management Requirements
+1. New CLI for triggering dump routines of Daemons.
+2. New CLI to display drop/error interface counters.
+3. New CLI to trigger upload of debug information.
+4. Existing CLI is extended to filter the display counters on a specific interface.
+
+## 1.3 Scalability Requirements
+None
+
+## 1.4 Warm Boot Requirements
+None
+
+# 2 Functionality
+## 2.1 Functional Description
+
+**1. Dump Routines**
+- Framework facilitates to collect developer-level component internal data state under certain system conditions.
+- The triggers to dump information might come from administrative commands, from assert or in response to some critical notifications.
+- Framework provides interface for components to register and an interface for utilities to trigger the components to invoke dump routines.
+
+**2. Assert utility**
+- This utility adds some data collection of certain system information when an assert condition is hit.
+
+**3. Tech-support enhancements**
+- Current tech-support collects exhaustive information. The tech-support is enhanced to additionally collect STATE_DB dump, dump of ASIC specifics, filter and redirect critical logs to persistent log file for quick reference.
+
+**4. Helper Scripts**
+New utility scripts are provided to:
+- Print "headline" information for a quick summary of the system state.
+- Facilitate upload of the collected information.
+- Enforce policy on the number of debug-related files.
+
+# 3 Design
+## 3.1 Overview
+### 3.1.1 Framework for dump routines
+
+**Block Diagram**
+
+
+
+Debug framework provides an API for components to register with the framework. It also provides interface for administrator, assert utilities, error handling functions to invoke framework actions. Framework uses Redis notifications for communicating the trigger message from entity invoking the trigger to the registered components. Framework actions are configurable. These actions are applicable uniformly to all registered components.
+
+Debug Framework itself will not have an executing context. Framework actions are performed in the registered component's thread context. Trigger APIs are executed in the context of invoking utility or invoking process.
+Please refer [Flow Diagram](#4-flow-diagrams) for execution sequence.
+
+**Framework Responsibilities**
+
+Each registered component provides the routines to dump the component-specific state via callback functions. It is then the responsibility of the framework to
+- Monitor for specific system triggers or listen on framework trigger APIs invocation
+- Process the trigger and call appropriate dump routines
+- Manage the output location
+- Follow up with post actions like redirect summary to console/ compress the files and upload the file.
+
+**Component Responsibilities**
+
+Components implement dump routines following below guidelines
+- Implement a function of type DumpInfoFunc.
+ `typedef void (*DumpInfoFunc)(std::string, KeyOpFieldsValuesTuple);`
+- Within the function, dump the information into a string buffer and use a macro `SWSS_DEBUG_PRINT`. Macro will further process the information based on intended framework action. Wrap the function that uses multiple invocations of `SWSS_DEBUG_PRINT` with `SWSS_DEBUG_PRINT_BEGIN` and `SWSS_DEBUG_PRINT_END`.
+- Handle KeyOpFieldsValuesTuple as argument. Arguments like dumpType and pass thru arguments that instruct the level of info dump ( short summary/specific info/filtered output/full info) should be handled by components. These arguments are opaque to framework. Additional optional arguments like output location and post-actions are for the framework consumption.
+- Interpreting arguments is at discretion of components. Components may choose to dump same info for all trigger types ignoring input arguments.
+- Dump routines registered with framework should be thread safe. Necessary synchronization needs to be ensured.
+
+**Component registration options**
+
+Framework only manages component registration and invocation of callback functions. Framework itself does not have an executing context. To execute the callback function, components have an option to instruct framework either to create an additional thread that runs in the registrant context or not create a thread but merely publish an event to Redis and expect component to handle the event.
+Components have an option to register with debug framework using any one of the below APIs:
+Option #1. `Debugframework::linkWithFramework()`
+Option #2. `Debugframework::linkWithFrameworkNoThread()`
+
+Option #1 is preferred. However if a component already handles RedisDB events and doesn't want an additional thread (to avoid thread synchronization issues) might opt for option #2
+
+Option #1 ( Framework creates a Thread )
+---------
+Components register dump routine with debug framework using the API:
+`Debugframework::linkWithFramework(std::string &componentName, const DumpInfoFunc funcPtr);`
+
+Framework does the following:
+- Update framework internal data structure to save the registration information of components.
+- Create a `swss::Selectable` object.
+- Create a subscriber to a table/channel in APPL_DB in RedisDB with a unique channel name for receiving triggers.
+- Create a thread and wait on events/triggers.
+- Invoke component specific dump routine in this thread context on receipt of a trigger.
+- Handle the configured framework action within SWSS_DEBUG_PRINT. For example: Redirect the output to syslog or component specific log file.
+- Update Redis DB to indicate callback action completion.
+- Post-processing of information based on the configured framework action. For example: bundle the information and upload the information to a server.
+
+Option #2 ( Framework does not create a Thread )
+---------
+Components register dump routine with debug framework using the API:
+`Debugframework::linkWithFrameworkNoThread(std::string &componentName);`
+Framework will limit the job to the following:
+- Update framework internal data structure to save the registration information of components.
+- Handle the configured framework action within SWSS_DEBUG_PRINT. For example: Redirect the output to syslog or component specific log file.
+- Post-processing of information based on the configured framework action. For example: bundle the information and upload the information to a server.
+
+The below activity is delegated to the component
+- Optional creation of a swss::Selectable object.
+- Create a subscriber instance to a table/channel in APPL_DB in RedisDB for receiving triggers.
+- Optionally create a thread to wake on triggers.
+- Invoke component specific dump routine on receipt of a trigger.
+- Update Redis DB to indicate callback action completion.
+
+
+**Implementation brief**
+Framework will be implemented in C++ as a class in SWSS namespace.
+
+```
+ class Debugframework
+ {
+ public:
+ static Debugframework &getInstance(); // To have only one instance aka singleton
+
+ typedef void (*DumpInfoFunc)(std::string, KeyOpFieldsValuesTuple);
+
+ // Component registration option 1 API
+ static void linkWithFramework(std::string &componentName, const DumpInfoFunc funcPtr);
+
+ // Component registration option 2 API
+ static void linkWithFrameworkNoThread(std::string &componentName);
+
+ // Interface to invoke triggers
+ static void invokeTrigger(std::string componentName, std::string args);
+
+ private:
+ Debugframework();
+ std::map m_registeredComps;
+ std::map m.configParams;
+
+ // Thread in while(1) for handling triggers and invoking callbacks
+ [[ noreturn ]] void runnableThread();
+ };
+```
+#### 3.1.1.1 Integration of OrchAgent with framework
+##### 3.1.1.1.1 Integration of OrchAgent
+
+DebugDumpOrch is added as an interface for orchagent modules to register with debug framework. DebugDumpOrch uses linkWithFrameworkNoThread(). Orchagent modules (for eg. Routeorch/Neighorch) calls DebugDumpOrch::addDbgCompMap() to register.
+
+DebugDumpOrch
+- listens for notification events from debugframework
+- invokes corresponding component's CLI callback
+- notifies debugframework after processing the debug request
+
+##### 3.1.1.1.2 Triggers to OrchAgent
+
+show commands will act as triggers for OrchAgent.
+Syntax: `show debug ... `
+
+Definition of command and required options are left to the component module owners. Sample CLI section descripes few examples on how the "show debug" CLI command can be used.
+
+##### 3.1.1.1.3 Sample CLI
+*RouteOrch:*
+
+| Syntax | Description |
+|---------------------------------------------------------|---------------------------------------------------------------------------------------------|
+|show debug routeOrch routes -v -p | Dump all Routes or routes specific to a prefix |
+|show debug routeOrch nhgrp | NexthopGroup/ECMP info from RouteOrch::m_syncdNextHopGroups |
+|show debug routeOrch all | Translates to list of APIs to dump, which can be used for specific component based triggers |
+
+*NeighborOrch:*
+
+| Syntax | Description |
+|---------------------------|--------------------|
+|show debug NeighOrch nhops | Dump Nexthops info |
+|show debug NeighOrch neigh | Dump Neighbor info |
+
+##### 3.1.1.1.4 Sample Output
+
+```
+root@sonic:~# show debug routeorch routes -v VrfRED
+------------IPv4 Route Table ------------
+
+VRF_Name = VrfRED VRF_SAI_OID = 0x30000000005b1
+Prefix NextHop SAI-OID
+100.100.4.0/24 Ethernet4 0x60000000005b3
+33.33.33.0/24 0x55c1ca5b3b98 (ECMP) 0x50000000005db
+33.33.44.0/24 100.120.120.11|Ethernet8 0x40000000005d9
+33.33.55.0/24 100.120.120.12|Ethernet8 0x40000000005da
+100.102.102.0/24 Ethernet12 0x60000000005d3
+100.120.120.0/24 Ethernet8 0x60000000005b4
+
+------------IPv6 Route Table ------------
+
+VRF_Name = VrfRED VRF_SAI_OID = 0x30000000005b1
+Prefix NextHop SAI-OID
+2001:100:120:120::/64 Ethernet8 0x60000000005b4
+
+root@sonic:~# show debug routeorch nhgrp
+ ax Nexthop Group - 512
+NHGrpKey SAI-OID NumPath RefCnt
+0x55c1ca5b7bd0 0x50000000005db 3 1
+ 1: 100.120.120.10|Ethernet8
+ 2: 100.120.120.11|Ethernet8
+ 3: 100.120.120.12|Ethernet8
+
+root@sonic:~# show debug neighorch nhops
+
+NHIP Intf SAI-OID RefCnt Flags
+100.120.120.10 Ethernet8 0x40000000005d8 1 0
+100.120.120.11 Ethernet8 0x40000000005d9 2 0
+100.120.120.12 Ethernet8 0x40000000005da 2 0
+
+NHIP Intf SAI-OID RefCnt Flags
+fe80::648a:79ff:fe5d:6b2a Ethernet4 0x40000000005df 0 0
+fe80::fc54:ff:fe44:de2 Ethernet12 0x40000000005d4 0 0
+fe80::fc54:ff:fe78:5fac Ethernet8 0x40000000005d2 0 0
+fe80::fc54:ff:fe88:6f80 Ethernet4 0x40000000005d0 0 0
+fe80::fc54:ff:fe8e:d91f Ethernet0 0x40000000005d1 0 0
+
+root@sonic:~#
+root@sonic:~# show debug neighorch neigh
+NHIP Intf MAC
+100.120.120.10 Ethernet8 00:00:11:22:00:10
+100.120.120.11 Ethernet8 00:00:11:22:00:11
+100.120.120.12 Ethernet8 00:00:11:22:00:12
+
+NHIP Intf MAC
+fe80::648a:79ff:fe5d:6b2a Ethernet4 fe:54:00:35:18:bb
+fe80::fc54:ff:fe44:de2 Ethernet12 fe:54:00:44:0d:e2
+fe80::fc54:ff:fe78:5fac Ethernet8 fe:54:00:78:5f:ac
+fe80::fc54:ff:fe88:6f80 Ethernet4 fe:54:00:88:6f:80
+fe80::fc54:ff:fe8e:d91f Ethernet0 fe:54:00:8e:d9:1f
+
+```
+
+#### 3.1.1.3 Configuring Framework
+Debug framework will initialize with below default parameters and shall be considered if options are not specified as arguments in the triggers.
+
+# Table 2: Configuration Options and Defaults
+
+| **Parameter** | **options** | **Default** |
+|-------------------------------|-------------------------------------|-------------------------------|
+| DumpLocation | "syslog" / "filename" | /var/log/_dump.log |
+| TargetComponent | "all" / "componentname" | all |
+| Post-action | "upload" / "compress-rotate-keep" | compress-rotate-keep |
+| Server-location | ipaddress | 127.0.0.1 |
+| Upload-method | "scp" / "tftp" | tftp |
+| Upload-directory | "dir_path" / "default_dir" | default_dir |
+
+
+### 3.1.2 Assert Framework
+
+#### 3.1.2.1 Overview
+Asserts are added in the program execution sequence to confirm that the data/state at a certain point is valid/true. During developement, if the programming sequence fails in an assert condition then the program execution is stopped by crash/exception. In production code, asserts are normally removed. This framework enhances/extendes the assert to provide more debug details when an assert fails.
+
+Classify assert failure conditions based on following types, assert() will have type and the module as additional arguments
+- DUMP: Invokes the debug framework registered callback API corresponding to the module
+- BTRACE: Prints bracktrace and continue
+- SYSLOG: Update syslog with the assert failure
+- ABORT: Stop/throw exception
+
+
+#### 3.1.2.2 PsuedoCode:
+
+```
+ static void custom_assert(bool exp, const char*func, const unsigned line);
+
+ #ifdef assert
+ #undef assert
+ #define assert(exp) Debugframework::custom_assert(exp, __PRETTY_FUNCTION__, __LINE__)
+ #endif
+```
+
+## 3.2 DB Changes
+
+### 3.2.1 APP DB
+
+**Dump table**
+
+For triggering dump routines
+
+```
+; Defines schema for DEBUG Event attributes
+key = DAEMON:daemon_name ; daemon_session_name is unique identifier;
+; field = value
+DUMP_TYPE = "short" / "full" ; summary dump or full dump
+DUMP_TARGET = "default" / "syslog" ; syslog or specified file
+PASSTHRU_ARGS = arglist ; zero or more strings separated by ","
+
+```
+**Dump done table**
+```
+; Defines schema for DEBUG response attributes
+key = DAEMON:daemon_name ; daemon_session_name is unique identifier;
+; field = value
+RESPONSE_TYPE = < enum DumpResponse::result > ; pending/failure/successful
+```
+
+## 3.3 CLI
+
+### 3.3.1 Show Commands
+
+|Syntax | Description |
+|-------------------------------|-------------------------------------------------------------------------------|
+|show debug all | This command will invoke dump routines for all components with default action |
+|show debug < component > | This command will invoke dump routine for specific component |
+|show debug actions < options > | This command will display the configured framework actions |
+
+### 3.3.2 Debug/Error Interface counters
+show interfaces pktdrop is added to display debug/error counters for all interfaces.
+
+# 4 Flow Diagrams
+
+
+
+# 5 Serviceability and Debug
+None
+
+# 6 Warm Boot Support
+
+No change.
+
+
+
+# 7 Scalability
+No Change
+
+
+# 8 Unit Test
+### 8.1.1 Debug Framework
+1. Verify that Framework provides a shared library (a) for components to link and register with the framework and (b) for the utilities to issue triggers.
+2. Verify that on a running system, without any triggers framework does not add any CPU overhead.
+3. Verify that dump routines are invoked when a trigger is issued with all arguments from the trigger utilities/ show debug commands.
+4. Verify that number of subscribers is incremented using redis-cli after successful registration of component.
+5. Verify that SWSS_DEBUG_PRINT macro writes to dump location specified .
+6. Verify that SWSS_DEBUG_PRINT macro writes to SYSLOG when DUMP_TARGET in trigger is mentioned as syslog.
+7. Verify that if the utility function triggers dump for all, framework loops through the registrations and updates the table for each component.
+8. Verify that framework executes the configured post action.
+9. Verify the behaviour of framework when some component doesnt send a DONE message.
+10. Verify that framework handles multiple consecutive triggers and handles triggers independently.
+
+Go back to [Beginning of the document](#Debug-Framework-in-SONiC).
+
diff --git a/doc/drop_counters/drop_counters_HLD.md b/doc/drop_counters/drop_counters_HLD.md
new file mode 100644
index 0000000000..bd0cae6127
--- /dev/null
+++ b/doc/drop_counters/drop_counters_HLD.md
@@ -0,0 +1,397 @@
+# Configurable Drop Counters in SONiC
+
+# High Level Design Document
+#### Rev 1.0
+
+# Table of Contents
+* [List of Tables](#list-of-tables)
+* [List of Figures](#list-of-figures)
+* [Revision](#revision)
+* [About this Manual](#about-this-manual)
+* [Scope](#scope)
+* [Defintions/Abbreviation](#definitionsabbreviation)
+* [1 Overview](#1-overview)
+ - [1.1 Use Cases](#11-use-cases)
+ - [1.1.1 A flexible "drop filter"](#111-a-flexible-"drop-filter")
+ - [1.1.2 A helpful debugging tool](#112-a-helpful-debugging-tool)
+ - [1.1.3 More sophisticated monitoring schemes](#113-more-sophisticated-monitoring-schemes)
+* [2 Requirements](#2-requirements)
+ - [2.1 Functional Requirements](#21-functional-requirements)
+ - [2.2 Configuration and Management Requirements](#22-configuration-and-management-requirements)
+ - [2.3 Scalability Requirements](#23-scalability-requirements)
+ - [2.4 Supported Debug Counters](#24-supported-debug-counters)
+* [3 Design](#3-design)
+ - [3.1 CLI (and usage example)](#31-cli-and-usage-example)
+ - [3.1.1 Displaying available counter capabilities](#311-displaying-available-counter-capabilities)
+ - [3.1.2 Displaying current counter configuration](#312-displaying-current-counter-configuration)
+ - [3.1.3 Displaying the current counts](#313-displaying-the-current-counts)
+ - [3.1.4 Clearing the counts](#314-clearing-the-counts)
+ - [3.1.5 Configuring counters from the CLI](#315-configuring-counters-from-the-CLI)
+ - [3.2 Config DB](#32-config-db)
+ - [3.2.1 DEBUG_COUNTER Table](#321-debug_counter-table)
+ - [3.2.2 PACKET_DROP_COUNTER_REASON Table](#322-packet_drop_counter_reason-table)
+ - [3.3 State DB](#33-state-db)
+ - [3.3.1 DEBUG_COUNTER_CAPABILITIES Table](#331-debug-counter-capabilities-table)
+ - [3.3.2 SAI APIs](#332-sai-apis)
+ - [3.4 Counters DB](#34-counters-db)
+ - [3.5 SWSS](#35-swss)
+ - [3.5.1 SAI APIs](#351-sai-apis)
+ - [3.6 syncd](#34-syncd)
+* [4 Flows](#4-flows)
+ - [4.1 General Flow](#41-general-flow)
+* [5 Warm Reboot Support](#5-warm-reboot-support)
+* [6 Unit Tests](#6-unit-tests)
+* [7 Platform Support](#7-platform-support)
+ - [7.1 Known Limitations](#7.1-known-limitations)
+* [8 Open Questions](#8-open-questions)
+* [9 Acknowledgements](#9-acknowledgements)
+* [10 References](#10-references)
+
+# List of Tables
+* [Table 1: Abbreviations](#definitionsabbreviation)
+
+# List of Figures
+* [Figure 1: General Flow](#41-general-flow)
+
+# Revision
+| Rev | Date | Author | Change Description |
+|:---:|:--------:|:-----------:|---------------------------|
+| 0.1 | 07/30/19 | Danny Allen | Initial version |
+| 0.2 | 09/03/19 | Danny Allen | Review updates |
+| 0.3 | 09/19/19 | Danny Allen | Community meeting updates |
+| 1.0 | 11/19/19 | Danny Allen | Code review updates |
+
+# About this Manual
+This document provides an overview of the implementation of configurable packet drop counters in SONiC.
+
+# Scope
+This document describes the high level design of the configurable drop counter feature.
+
+# Definitions/Abbreviation
+| Abbreviation | Description |
+|--------------|-----------------|
+| RX | Receive/ingress |
+| TX | Transmit/egress |
+
+# 1 Overview
+The main goal of this feature is to provide better packet drop visibility in SONiC by providing a mechanism to count and classify packet drops that occur due to different reasons.
+
+The other goal of this feature is for users to be able to track the types of drop reasons that are important for their scenario. Because different users have different priorities, and because priorities change over time, it is important for this feature to be easily configurable.
+
+We will accomplish both goals by adding support for SAI debug counters to SONiC.
+* Support for creating and configuring port-level and switch-level debug counters will be added to orchagent and syncd.
+* A CLI tool will be provided for users to manage and configure their own drop counters
+
+## 1.1 Use Cases
+There are a couple of potential use cases for these drop counters.
+
+### 1.1.1 A flexible "drop filter"
+One potential use case is to use the drop counters to create a filter of sorts for the standard STAT_IF_IN/OUT_DISCARDS counters. Say, for example:
+- Packets X, Y, and Z exist in our system
+- Our switches should drop X, Y, and Z when they receive them
+
+We can configure a drop counter (call it "EXPECTED_DROPS", for example) that counts X, Y, and Z. If STAT_IF_IN_DISCARDS = EXPECTED_DROPS, then we know our switch is healthy and that everything is working as intended. If the counts don't match up, then there may be a problem.
+
+### 1.1.2 A helpful debugging tool
+Another potential use case is to configure the counters on the fly in order to help debug packet loss issues. For example, if we're consistently experiencing packet loss in your system, we might try:
+- Creating a counter that tracks L2_ANY and a counter that tracks L3_ANY
+- L2_ANY is incrementing, so we delete these two counters and create MAC_COUNTER that tracks MAC-related reasons (SMAC_EQUALS_DMAC, DMAC_RESERVED, etc.), VLAN_COUNTER that tracks VLAN related reasons, (INGRESS_VLAN_FILTER, VLAN_TAG_NOT_ALLOWED), and OTHER_COUNTER that tracks everything else (EXCEEDS_L2_MTU, FDB_UC_DISCARD, etc.)
+- OTHER_COUNTER is incrementing, so we delete the previous counters and create a counter that tracks the individual reasons from OTHER_COUNTER
+- We discover that the EXCEEDS_L2_MTU counter is increasing. There might be an MTU mismatch somewhere in our system!
+
+### 1.1.3 More sophisticated monitoring schemes
+Some have suggested other deployment schemes to try to sample the specific types of packet drops that are occurring in their system. Some of these ideas include:
+- Periodically (e.g. every 30s) cycling through different sets of drop counters on a given device
+- "Striping" drop counters across different devices in the system (e.g. these 3 switches are tracking VLAN drops, these 3 switches are tracking ACL drops, etc.)
+- An automatic version of [1.1.2](#112-a-helpful-debugging-tool) that adapts the drop counter configuration based on which counters are incrementing
+
+# 2 Requirements
+
+## 2.1 Functional Requirements
+1. CONFIG_DB can be configured to create debug counters
+2. STATE_DB can be queried for debug counter capabilities
+3. Users can access drop counter information via a CLI tool
+ 1. Users can see what capabilities are available to them
+ 1. Types of counters (i.e. port-level and/or switch-level)
+ 2. Number of counters
+ 3. Supported drop reasons
+ 2. Users can see what types of drops each configured counter contains
+ 3. Users can add and remove drop reasons from each counter
+ 4. Users can read the current value of each counter
+ 5. Users can assign aliases to counters
+ 6. Users can clear counters
+
+## 2.2 Configuration and Management Requirements
+Configuration of the drop counters can be done via:
+* config_db.json
+* CLI
+
+## 2.3 Scalability Requirements
+Users must be able to use all debug counters and drop reasons provided by the underlying hardware.
+
+Interacting with debug counters will not interfere with existing hardware counters (e.g. portstat). Likewise, interacting with existing hardware counters will not interfere with debug counter behavior.
+
+## 2.4 Supported Debug Counters
+* PORT_INGRESS_DROPS: port-level ingress drop counters
+* PORT_EGRESS_DROPS: port-level egress drop counters
+* SWITCH_INGRESS_DROPS: switch-level ingress drop counters
+* SWITCH_EGRESS_DROPS: switch-level egress drop counters
+
+# 3 Design
+
+## 3.1 CLI (and usage example)
+The CLI tool will provide the following functionality:
+* See available drop counter capabilities: `show dropcounters capabilities`
+* See drop counter config: `show dropcounters configuration`
+* Show drop counts: `show dropcounters counts`
+* Clear drop counters: `sonic-clear dropcounters`
+* Initialize a new drop counter: `config dropcounters install`
+* Add drop reasons to a drop counter: `config dropcounters add_reasons`
+* Remove drop reasons from a drop counter: `config dropcounters remove_reasons`
+* Delete a drop counter: `config dropcounters delete`
+
+### 3.1.1 Displaying available counter capabilities
+```
+admin@sonic:~$ show dropcounters capabilities
+Counter Type Total
+-------------------- -------
+PORT_INGRESS_DROPS 3
+SWITCH_EGRESS_DROPS 2
+
+PORT_INGRESS_DROPS:
+ L2_ANY
+ SMAC_MULTICAST
+ SMAC_EQUALS_DMAC
+ INGRESS_VLAN_FILTER
+ EXCEEDS_L2_MTU
+ SIP_CLASS_E
+ SIP_LINK_LOCAL
+ DIP_LINK_LOCAL
+ UNRESOLVED_NEXT_HOP
+ DECAP_ERROR
+
+SWITCH_EGRESS_DROPS:
+ L2_ANY
+ L3_ANY
+ A_CUSTOM_REASON
+```
+
+### 3.1.2 Displaying current counter configuration
+```
+admin@sonic:~$ show dropcounters configuration
+Counter Alias Group Type Reasons Description
+-------- -------- ----- ------------------ ------------------- --------------
+DEBUG_0 RX_LEGIT LEGIT PORT_INGRESS_DROPS SMAC_EQUALS_DMAC Legitimate port-level RX pipeline drops
+ INGRESS_VLAN_FILTER
+DEBUG_1 TX_LEGIT None SWITCH_EGRESS_DROPS EGRESS_VLAN_FILTER Legitimate switch-level TX pipeline drops
+
+admin@sonic:~$ show dropcounters configuration -g LEGIT
+Counter Alias Group Type Reasons Description
+-------- -------- ----- ------------------ ------------------- --------------
+DEBUG_0 RX_LEGIT LEGIT PORT_INGRESS_DROPS SMAC_EQUALS_DMAC Legitimate port-level RX pipeline drops
+ INGRESS_VLAN_FILTER
+```
+
+### 3.1.3 Displaying the current counts
+
+```
+admin@sonic:~$ show dropcounters counts
+ IFACE STATE RX_ERR RX_DROPS TX_ERR TX_DROPS RX_LEGIT
+--------- ------- -------- ---------- -------- ---------- ---------
+Ethernet0 U 10 100 0 0 20
+Ethernet4 U 0 1000 0 0 100
+Ethernet8 U 100 10 0 0 0
+
+DEVICE TX_LEGIT
+------ --------
+sonic 1000
+
+admin@sonic:~$ show dropcounters counts -g LEGIT
+ IFACE STATE RX_ERR RX_DROPS TX_ERR TX_DROPS RX_LEGIT
+--------- ------- -------- ---------- -------- ---------- ---------
+Ethernet0 U 10 100 0 0 20
+Ethernet4 U 0 1000 0 0 100
+Ethernet8 U 100 10 0 0 0
+
+admin@sonic:~$ show dropcounters counts -t SWITCH_EGRESS_DROPS
+DEVICE TX_LEGIT
+------ --------
+sonic 1000
+```
+
+### 3.1.4 Clearing the counts
+```
+admin@sonic:~$ sonic-clear dropcounters
+Cleared drop counters
+```
+
+### 3.1.5 Configuring counters from the CLI
+```
+admin@sonic:~$ sudo config dropcounters install DEBUG_2 PORT_INGRESS_DROPS [EXCEEDS_L2_MTU,DECAP_ERROR] -d "More port ingress drops" -g BAD -a BAD_DROPS
+admin@sonic:~$ sudo config dropcounters add_reasons DEBUG_2 [SIP_CLASS_E]
+admin@sonic:~$ sudo config dropcounters remove_reasons DEBUG_2 [SIP_CLASS_E]
+admin@sonic:~$ sudo config dropcounters delete DEBUG_2
+```
+
+## 3.2 Config DB
+Two new tables will be added to Config DB:
+* DEBUG_COUNTER to store general debug counter metadata
+* DEBUG_COUNTER_DROP_REASON to store drop reasons for debug counters that have been configured to track packet drops
+
+### 3.2.1 DEBUG_COUNTER Table
+Example:
+```
+{
+ "DEBUG_COUNTER": {
+ "DEBUG_0": {
+ "alias": "PORT_RX_LEGIT",
+ "type": "PORT_INGRESS_DROPS",
+ "desc": "Legitimate port-level RX pipeline drops",
+ "group": "LEGIT"
+ },
+ "DEBUG_1": {
+ "alias": "PORT_TX_LEGIT",
+ "type": "PORT_EGRESS_DROPS",
+ "desc": "Legitimate port-level TX pipeline drops"
+ "group": "LEGIT"
+ },
+ "DEBUG_2": {
+ "alias": "SWITCH_RX_LEGIT",
+ "type": "SWITCH_INGRESS_DROPS",
+ "desc": "Legitimate switch-level RX pipeline drops"
+ "group": "LEGIT"
+ }
+ }
+}
+```
+
+### 3.2.2 DEBUG_COUNTER_DROP_REASON Table
+Example:
+```
+{
+ "DEBUG_COUNTER_DROP_REASON": {
+ "DEBUG_0|SMAC_EQUALS_DMAC": {},
+ "DEBUG_0|INGRESS_VLAN_FILTER": {},
+ "DEBUG_1|EGRESS_VLAN_FILTER": {},
+ "DEBUG_2|TTL": {},
+ }
+}
+```
+
+## 3.3 State DB
+State DB will store information about:
+* What types of drop counters are available on this device
+* How many drop counters are available on this device
+* What drop reasons are supported by this device
+
+### 3.3.1 DEBUG_COUNTER_CAPABILITIES Table
+Example:
+```
+{
+ "DEBUG_COUNTER_CAPABILITIES": {
+ "SWITCH_INGRESS_DROPS": {
+ "count": "3",
+ "reasons": "[L2_ANY, L3_ANY, SMAC_EQUALS_DMAC]"
+ },
+ "SWITCH_EGRESS_DROPS": {
+ "count": "3",
+ "reasons": "[L2_ANY, L3_ANY]"
+ }
+ }
+}
+```
+
+This information will be populated by the orchestrator (described later) on startup.
+
+### 3.3.2 SAI APIs
+We will use the following SAI APIs to get this information:
+* `sai_query_attribute_enum_values_capability` to query support for different types of counters
+* `sai_object_type_get_availability` to query the amount of available debug counters
+
+## 3.4 Counters DB
+The contents of the drop counters will be added to Counters DB by flex counters.
+
+Additionally, we will add a mapping from debug counter names to the appropriate port or switch stat index called COUNTERS_DEBUG_NAME_PORT_STAT_MAP and COUNTERS_DEBUG_NAME_SWITCH_STAT_MAP respectively.
+
+## 3.5 SWSS
+A new orchestrator will be created to handle debug counter creation and configuration. Specifically, this orchestrator will support:
+* Creating a new counter
+* Deleting existing counters
+* Adding drop reasons to an existing counter
+* Removing a drop reason from a counter
+
+### 3.5.1 SAI APIs
+This orchestrator will interact with the following SAI Debug Counter APIs:
+* `sai_create_debug_counter_fn` to create/configure new drop counters.
+* `sai_remove_debug_counter_fn` to delete/free up drop counters that are no longer being used.
+* `sai_get_debug_counter_attribute_fn` to gather information about counters that have been configured (e.g. index, drop reasons, etc.).
+* `sai_set_debug_counter_attribute_fn` to re-configure drop reasons for counters that have already been created.
+
+## 3.6 syncd
+Flex counter will be extended to support switch-level SAI counters.
+
+# 4 Flows
+## 4.1 General Flow
+
+The overall workflow is shown above in figure 1.
+
+(1) Users configure drop counters using the CLI. Configurations are stored in the DEBUG_COUNTER Config DB table.
+
+(2) The debug counts orchagent subscribes to the Config DB table. Once the configuration changes, the orchagent uses the debug SAI API to configure the drop counters.
+
+(3) The debug counts orchagent publishes counter configurations to Flex Counter DB.
+
+(4) Syncd subscribes to Flex Counter DB and sets up flex counters. Flex counters periodically query ASIC counters and publishes data to Counters DB.
+
+(5) CLI uses counters DB to satisfy CLI requests.
+
+(6) (not shown) CLI uses State DB to display hardware capabilities (e.g. how many counters are available, supported drop reasons, etc.)
+
+# 5 Warm Reboot Support
+On resource-constrained platforms, debug counters can be deleted prior to warm reboot and re-installed when orchagent starts back up. This is intended to conserve hardware resources during the warm reboot. This behavior has not been added to SONiC at this time, but can be if the need arises.
+
+# 6 Unit Tests
+This feature comes with a full set of virtual switch tests in SWSS.
+```
+=============================================================================================== test session starts ===============================================================================================
+platform linux2 -- Python 2.7.15+, pytest-3.3.0, py-1.8.0, pluggy-0.6.0 -- /usr/bin/python2
+cachedir: .cache
+rootdir: /home/daall/dev/sonic-swss/tests, inifile:
+collected 14 items
+
+test_drop_counters.py::TestDropCounters::test_deviceCapabilitiesTablePopulated remove extra link dummy
+PASSED [ 7%]
+test_drop_counters.py::TestDropCounters::test_flexCounterGroupInitialized PASSED [ 14%]
+test_drop_counters.py::TestDropCounters::test_createAndRemoveDropCounterBasic PASSED [ 21%]
+test_drop_counters.py::TestDropCounters::test_createAndRemoveDropCounterReversed PASSED [ 28%]
+test_drop_counters.py::TestDropCounters::test_createCounterWithInvalidCounterType PASSED [ 35%]
+test_drop_counters.py::TestDropCounters::test_createCounterWithInvalidDropReason PASSED [ 42%]
+test_drop_counters.py::TestDropCounters::test_addReasonToInitializedCounter PASSED [ 50%]
+test_drop_counters.py::TestDropCounters::test_removeReasonFromInitializedCounter PASSED [ 57%]
+test_drop_counters.py::TestDropCounters::test_addDropReasonMultipleTimes PASSED [ 64%]
+test_drop_counters.py::TestDropCounters::test_addInvalidDropReason PASSED [ 71%]
+test_drop_counters.py::TestDropCounters::test_removeDropReasonMultipleTimes PASSED [ 78%]
+test_drop_counters.py::TestDropCounters::test_removeNonexistentDropReason PASSED [ 85%]
+test_drop_counters.py::TestDropCounters::test_removeInvalidDropReason PASSED [ 92%]
+test_drop_counters.py::TestDropCounters::test_createAndDeleteMultipleCounters PASSED [100%]
+
+=========================================================================================== 14 passed in 113.65 seconds ===========================================================================================
+```
+
+A separate test plan will be uploaded and review by the community. This will consist of system tests written in pytest that will send traffic to the device and verify that the drop counters are updated correctly.
+
+# 7 Platform Support
+In order to make this feature platform independent, we rely on SAI query APIs (described above) to check for what counter types and drop reasons are supported on a given device. As a result, drop counters are only available on platforms that support both the SAI drop counter API as well as the query APIs, in order to preserve safety.
+
+# 7.1 Known Limitations
+* BRCM SAI:
+ - ACL_ANY, DIP_LINK_LOCAL, SIP_LINK_LOCAL, and L3_EGRESS_LINK_OWN are all based on the same underlying counter in hardware, so enabling any one of these reasons on a drop counter will (implicitly) enable all of them.
+
+# 8 Open Questions
+- How common of an operation is configuring a drop counter? Is this something that will usually only be done on startup, or something people will be updating frequently?
+
+# 9 Acknowledgements
+I'd like to thank the community for all their help designing and reviewing this new feature! Special thanks to Wenda, Ying, Prince, Guohan, Joe, Qi, Renuka, and the team at Microsoft, Madhu and the team at Aviz, Ben, Vissu, Salil, and the team at Broadcom, Itai, Matty, Liat, Marian, and the team at Mellanox, and finally Ravi, Tony, and the team at Innovium.
+
+# 10 References
+[1] [SAI Debug Counter Proposal](https://github.com/itaibaz/SAI/blob/a612dd21257cccca02cfc6dab90745a56d0993be/doc/SAI-Proposal-Debug-Counters.md)
diff --git a/doc/drop_counters/drop_counters_general_flow.png b/doc/drop_counters/drop_counters_general_flow.png
new file mode 100644
index 0000000000..c662080360
Binary files /dev/null and b/doc/drop_counters/drop_counters_general_flow.png differ
diff --git a/doc/error-handling/error_handling_design_spec.md b/doc/error-handling/error_handling_design_spec.md
new file mode 100755
index 0000000000..65308e2f4d
--- /dev/null
+++ b/doc/error-handling/error_handling_design_spec.md
@@ -0,0 +1,429 @@
+# Error Handling Framework in SONiC
+# High Level Design Document
+#### Rev 0.1
+
+# Table of Contents
+ * [Revision](#revision)
+ * [About this Manual](#about-this-manual)
+ * [Scope](#scope)
+ * [Overview](#overview)
+ * [Definitions/Abbreviation](#definitionsabbreviation)
+ * [1 Requirements Overview](#1-requirements-overview)
+ * [1.1 Functional Requirements](#11-functional-requirements)
+ * [1.2 Configuration and Management Requirements ](#12-Configuration-and-Management-Requirements)
+ * [1.3 Supported Objects](#13-Supported-Objects)
+ * [2 Use cases](#2-Use-cases)
+ * [3 Design](#3-Design)
+ * [3.1 Error Database](#31-Error-Database)
+ * [3.2 Error codes](#32-Error-codes)
+ * [3.3 OrchAgent Changes](#33-OrchAgent-changes)
+ * [3.3.1 Event processing](#331-Event-Processing)
+ * [3.3.2 Application registration](#332-Application-Registration)
+ * [3.3.3 Clearing ERROR_DB](#333-Clearing-ERROR-DB)
+ * [3.4 DB changes](#34-DB-Changes)
+ * [3.4.1 Config DB](#341-Config-DB)
+ * [3.4.2 App DB](#342-App-DB)
+ * [3.4.3 Error DB](#343-Error-DB)
+ * [3.4.3.1 Error Tables](#3431-Error-Tables)
+ * [3.4.3.2 Error DB Schemas](#3432-Error-DB-Schemas)
+ * [3.5 CLI](#35-CLI)
+ * [3.5.1 Data Models](#351-Data-Models)
+ * [3.5.2 Config commands](#352-Config-commands)
+ * [3.5.3 Show commands](#353-Show-commands)
+ * [3.5.4 Clear commands](#354-Clear-commands)
+ * [4 Flow Diagrams](#4-Flows-diagrams)
+ * [4.1 Route Add Failure](#41-Route-Add-Failure)
+ * [5 Serviceability and Debug](#5-Serviceability-and-Debug)
+ * [6 Warm Boot Support](#6-Warm-Boot-Support)
+ * [7 Scalability](#7-Scalability)
+ * [8 Unit Tests](#8-Unit-Tests)
+ * [9 Unsupported features](#9-Unsupported-features)
+
+# Revision
+
+| Rev | Date | Author | Change Description |
+|:---:|:-----------:|:-------------------------|:----------------------|
+| 0.1 | 05/6/2019 | Siva Mukka, Santosh Doke | Initial version |
+
+
+# About this Manual
+This document describes the design details of error handling framework in SONiC. The framework is responsible for notifying ASIC/SAI programming failures back to applications. It can also be extended to notify other failures in the system.
+
+# Scope
+This document describes the high level design details of error handling framework in SONiC.
+
+# Overview
+SONIC currently does not have a mechanism to propagate ASIC/SAI programming errors back to application. If the SAI CREATE/SET method fails:
+
+- Syncd treats all such failures as fatal irrespective of reason code.
+- Syncd sends a switch shutdown request to Orchestration Agent.
+- Syncd waits indefinitely to restart, switch is no longer manageable/operational.
+
+To address this, a generic framework is introduced to notify errors, instead of sending shutdown request to OrchAgent.
+
+# Definitions/Abbreviation
+###### Table 1: Abbreviations
+| Abbreviation | Description |
+| ------------ | ------------------------------------------------------------ |
+| SAI | Switch Abstraction Interface |
+| APP DB | Application Database |
+| ASIC DB | ASIC Database |
+| ERROR DB | Error Database |
+| SWSS | Switch State Service |
+| Syncd | Daemon responsible for invoking SAI functions based on ASIC DB updates |
+
+In this document, the term '**object**' refers to an entry in the table OR a specific attribute in the table.
+
+# 1 Requirements Overview
+## 1.1 Functional Requirements
+
+The requirements for error handling framework are:
+
+1.1.1 Provide registration/de-registration mechanism for applications to enable/disable error notifications on a specific table. More than one application can register for notifications on a given table.
+
+1.1.2 Provide notifications for failed objects and also for the objects that were successfully installed. By default, only failed operations are notified. A configuration parameter to enable notifications for objects that are processed without error.
+
+1.1.3 Provide support to get all the failed objects at any given instance.
+
+1.1.4 Provide error notifications for CREATE/DELETE/UPDATE operations on objects. Framework does not report errors for GET operation.
+
+1.1.5 Provide all the required key fields as part of notifications so that applications can map the error to an object. For example, framework provides subnet/length/nexthop fields as part of failed route notification along with operation and actual error code.
+
+1.1.6 Provide error codes to application when reporting failures. Framework defines various error codes and maps them to underlying SAI/ASIC errors. For example, TABLE_FULL, NOT_FOUND and OUT_OF_MEMORY.
+
+1.1.7 In some cases, a given object may fail multiple times. The framework reports each failure as a separate notification, but retains the last-known error on that object. For example, a route modify operation may fail multiple times with different set of next hops, in which case multiple failure notifications are reported for that route entry.
+
+1.1.8 Provide configuration commands to clear the failed objects.
+
+1.1.9 Framework is only responsible for reporting errors. Any retry/rollback operation is the responsibility of applications.
+
+## 1.2 Configuration and Management Requirements
+Provide CLI commands to display and clear ERROR_DB tables.
+
+## 1.3 Supported objects
+Error handling framework supports notifications for the following tables defined in APP_DB:
+
+- ROUTE_TABLE
+- NEIGH_TABLE
+
+The framework can be extended for other tables depending on application requirements. Currently, only ROUTE/NEIGH tables are supported to address the BGP use case.
+
+# 2 Use cases
+
+BGP application relies on RIB failure status to withdraw or advertise the routes. The error handling framework notifies the BGP application about route programming failures. This helps BGP application to withdraw the failed routes that are advertised to the neighbors.
+
+Following diagram describes a high level overview of the BGP use case:
+
+
+
+# 3 Design
+
+## 3.1 Error Database
+
+As SONIC architecture relies on the use of centralized Redis-database as means of multi-process communication among all subsystems, the framework re-uses the same mechanism to notify errors back to applications.
+
+A new database, ERROR_DB, is introduced to store the details of failed entries/objects corresponding to various tables. The ERROR_DB tables are defined in application friendly format. Applications can register as consumer of ERROR_DB table to receive error notifications, whereas OrchAgent is registered as producer of ERROR_DB table. If the SAI CREATE/SET method fails, Syncd informs OrchAgent using the notification channel of ASIC_DB. OrchAgent is responsible to translate the ASIC_DB notification and store it in ERROR_DB format. It is also responsible to map the SAI specific error codes to SWSS error codes.
+
+For some objects, a notification may be needed even when the object is successfully programmed (SAI API reports SUCCESS). In such scenarios, the framework does not store the object in ERROR_DB (to reduce memory usage), but does notify the registered applications using ERROR_DB notification channel.
+
+Defining a separate error database has the following advantages over extending existing APP_DB tables for error notifications:
+
+- Applications do not register as consumer & producer for same table, which avoids redundant notifications.
+- Flexible, not tied to any other table format.
+- Extensible to all types of errors in the system, not restricted to APP_DB definitions.
+- Efficient, as notifications are limited to failures in the DB.
+- Notification for delete failures can be supported even when corresponding objects are deleted from APP_DB.
+
+## 3.2 Error codes
+As per SONIC architecture, applications do not invoke SAI APIs directly and they are not aware of underlying SAI error codes. A new set of generic error codes are defined for applications, which are internally mapped to underlying SAI error codes.
+
+As SWSS submodule already provides a common library accessible to all SONIC applications, a new set of common error codes are defined as part of this library (applications need not include any new header files). The following table shows the mapping of SWSS error codes to SAI error codes.
+
+| SWSS error code | SAI error code |
+|-----------------------|--------------------------------|
+| SWSS_RC_SUCCESS | SAI_STATUS_SUCCESS |
+| SWSS_RC_INVALID_PARAM | SAI_STATUS_INVALID_PARAMETER |
+| SWSS_RC_UNAVAIL | SAI_STATUS_NOT_SUPPORTED |
+| SWSS_RC_NOT_FOUND | SAI_STATUS_ITEM_NOT_FOUND |
+| SWSS_RC_NO_MEMORY | SAI_STATUS_NO_MEMORY |
+| SWSS_RC_EXISTS | SAI_STATUS_ITEM_ALREADY_EXISTS |
+| SWSS_RC_FULL | SAI_STATUS_TABLE_FULL |
+| SWSS_RC_IN_USE | SAI_STATUS_OBJECT_IN_USE |
+
+## 3.3 OrchAgent changes
+
+OrchAgent is the only component responsible for adding/modifying/deleting objects in ERROR_DB database. Since the error handling framework is part of the orchestration agent, the error notifications are reported only when orchestration agent is running.
+
+OrchAgent defines the following new classes to handle error reporting/listening:
+
+1. **Error reporter class** - defines functions to write to ERROR_DB and publish the notifications.
+2. **Error listener class** - defines functions to register/de-register for notifications on a specific table. Applications need to specify the table name, operation such CREATE/DELETE/UPDATE, notification type (success/failure/both) and callback function when instantiating the error listener class. Applications can instantiate multiple listeners to receive notifications from different tables.
+
+### 3.3.1 Event processing
+
+Below diagram shows how framework reports notifications to the registered listeners:
+
+
+
+The following is the sequence of events involved in reporting a failure notification from Syncd process to application:
+
+1. Syncd reports errors using a single notification channel to OrchAgent. Using a single notification channel ensures that order of the notifications is retained.
+2. After receiving the notification from Syncd, OrchAgent:
+ - Translates it from SAI data types to ERROR_DB data types
+ - Adds an entry in to error database. If the entry already exists, the corresponding failure code is updated.
+ - Publishes the notifications to respective error listeners.
+3. Error listener waits for the incoming notifications, filters them and invokes the application callback.
+
+
+
+The following is the sequence of events involved in reporting successful programming of an entry from Syncd process to application:
+
+1. Syncd reports the successful programming of an entry to OrchAgent using a notification channel.
+
+2. After receiving the notification from Syncd, OrchAgent:
+
+ - Translates it from SAI data types to ERROR_DB data types.
+
+ - Removes the entry from database. if present.
+ - Publishes the notifications to respective error listeners.
+
+3. Error listener waits for the incoming notifications, filters them and invokes the application callback.
+
+
+
+The following table describes how framework handles some of the notifications:
+
+| Previous Notification | Current Notification | Framework Action |
+| --------------------- | -------------------- | ------------------------------------------------------------ |
+| Create failure | Update failure | Update the entry in the database and notify the registered applications |
+| Create failure | Delete failure | Remove the entry from database and notify the registered applications |
+| Create failure | Update success | Remove the entry from the database and notify the registered applications |
+| Create success | Delete failure | Add the entry to the database and notify the registered applications |
+| Delete failure | Create success | Remove the entry from the database and notify the registered applications |
+
+### 3.3.2 Application registration
+```
+ErrorListener fpmErrorListener(APP_ROUTE_TABLE_NAME, (ERR_NOTIFY_FAIL | ERR_NOTIFY_POSITIVE_ACK));
+
+Select s;
+s.addSelectable(&fpmErrorListener);
+```
+
+### 3.3.3 Clearing ERROR_DB
+ERROR_DB contents can be cleared using CLI command. The clear command can be invoked for all objects in a table or all tables. OrchAgent gets notified about clear operation via the notification channel and it deletes the corresponding objects from ERROR_DB without notifying the registered applications.
+
+## 3.4 DB Changes
+### 3.4.1 Config DB
+None.
+
+### 3.4.2 App DB
+None.
+
+### 3.4.3 Error DB
+
+#### 3.4.3.1 ERROR Tables
+
+```
+ERROR_ROUTE_TABLE|prefix
+ "opcode": {{method}}
+ "nexthop": {{list_of_nexthops}}
+ "intf": ifindex ? PORT_TABLE.key
+ "status": {{return_code}}
+```
+
+```
+ERROR_NEIGH_TABLE|INTF_TABLE.name/ VLAN_INTF_TABLE.name / LAG_INTF_TABLE.name|prefix
+ "opcode": {{method}}
+ "neigh": {{mac_address}}
+ "family": {{ip_address_family}}
+ "status": {{return_code}}
+```
+
+### 3.4.3.2 ERROR_DB Schemas
+
+```
+;Defines schema for ERROR_ROUTE_TABLE that stores error status while programming the routes
+;Status: Mandatory
+key = ERROR_ROUTE_TABLE|prefix
+; field = value
+operation = opcode ; method CREATE/SET/DELETE
+nexthop = *prefix, ; IP addresses separated by “,”
+intf = ifindex, ; zero or more separated by ","
+rc = SWSS Code ; status code
+```
+
+```
+;Defines schema for ERROR_NEIGH_TABLE that stores error status while programming the neighbor table entries
+;Status: Mandatory
+key = ERROR_NEIGH_TABLE|INTF_TABLE.name / VLAN_INTF_TABLE.name / LAG_INTF_TABLE.name|prefix
+operation = opcode ; method CREATE/SET/DELETE
+neigh = 12HEXDIG ; mac address of the neighbor
+family = "IPv4" / "IPv6" ; address family
+rc = SWSS code ; status code for each neighbour
+```
+
+Please refer to the [schema](https://github.com/Azure/sonic-swss/blob/master/doc/swss-schema.md) document for details on value annotations.
+
+
+## 3.5 CLI
+
+### 3.5.1 Data Models
+
+Commands summary :
+
+ - show error-database [TableName]
+ - sonic-clear error-database [TableName]
+
+### 3.5.2 Config commands
+None
+
+### 3.5.3 Show commands
+show command to display the error database entries
+
+```
+show error-database [TableName]
+
+Usage: show [OPTIONS] COMMAND [ARGS]...
+
+ SONiC command line - 'show' command
+
+Options:
+
+ -?, -h, --help Show this message and exit.
+
+Commands:
+
+ error-database Show error database entries
+
+```
+
+Example:
+```
+Router#show error-database route
+Route Nexthop Operation Failure
+-------------- --------------------- --------- --------------
+2.2.2.0/24 10.10.10.2 Create TABLE FULL
+192.168.10.12/24 12.12.10.2,11,11,11,2 Update PARAM
+...
+```
+
+### 3.5.4 Clear commands
+Clear command to clear error database entries
+```
+sonic-clear error-database [TableName]
+
+Usage: sonic-clear [OPTIONS] COMMAND [ARGS]...
+
+Options:
+
+ -?, -h, --help Show this message and exit.
+
+Commands:
+
+ error-database Clear error database entries
+
+```
+
+
+# 4 Flows Diagrams
+
+## 4.1 Route add failure
+The following flow diagram depicts the flow of route failure notification.
+
+
+
+
+
+Syncd sends the following data to the framework through a notification channel as part of the error notification.
+
+
+```
+key:"SAI_OBJECT_TYPE_ROUTE_ENTRY:{"dest":"20.20.20.0/24","vr":"oid:0x300000000004a"}"
+
+1) "opcode"
+2) "CREATE"
+3) "SAI_ROUTE_ENTRY_ATTR_NEXT_HOP_ID"
+4) "oid:0x1000000000001"
+5) "rc"
+6) "SAI_STATUS_TABLE_FULL"
+```
+
+The framework records the following entry into ERROR_ROUTE_TABLE, which gets notified to the registered applications.
+
+```
+"ERROR_ROUTE_TABLE:20.20.20.0/24"
+1) "opcode"
+2) "CREATE"
+3) "nexthop"
+4) "10.10.10.2"
+5) "intf"
+6) "Vlan10"
+7) "rc"
+8) "SWSS_RC_TABLE_FULL"
+```
+
+# 5 Serviceability and Debug
+
+The logging utility `swssloglevel` is used to set the log level for various operations involved in error handling.
+
+- When application registers/de-registers for notifications on ERROR_DB
+- When framework notifies errors to applications
+- When framework receives error notifications from Syncd
+- When framework adds entry to ERROR_DB
+- When frame deletes entry from ERROR_DB
+- When framework receives 'clear' command
+
+
+
+# 6 Warm Boot Support
+ The error database is not persistent across warm reboots.
+
+# 7 Scalability
+
+None.
+
+# 8 Unit Tests
+
+The unit test plan for error handling framework is documented below:
+
+| Error Handling | S.No | Test description |
+| -------------- | ---- | ------------------------------------------------------------ |
+| Route Table | 1.1 | Verify application can register successfully for ROUTE table notifications. Generate failure event and verify application is notified |
+| | 1.2 | Verify application can de-register successfully for ROUTE table notifications. Generate failure event and verify application is NO LONGER notified. |
+| | 1.3 | Verify multiple applications registering for ROUTE table notifications. Generate failure event and verify all registered applications are notified. |
+| | 1.4 | Verify multiple applications de-register for ROUTE table notifications. Generate failure event and verify only de-registered application is NO LONGER notified. Other registered applications continue to get notified. |
+| | 1.5 | Verify that the notification for IPv4/IPv6 ROUTE entry contains all the required parameters as defined by the schema - Prefix/Nexthops/Opcode/Failure code. |
+| | 1.6 | Verify error is notified incase of IPv4/IPv6 ROUTE add failure due to TABLE full condition. Verify entry exists in ERROR_DB for failed route with Opcode=Add and Error=Table Full. |
+| | 1.7 | Verify error is notified incase of IPv4/IPv6 ROUTE add failure due to ENTRY_EXISTS condition. Verify entry exists in ERROR_DB for failed route with Opcode=Add and Error=Entry Exists. |
+| | 1.8 | Verify application is notified even in case of IPv4/IPv6 ROUTE is successfully programmed (NO_ERROR). Verify that there is NO entry for the route in ERROR_DB. |
+| | 1.9 | Verify error is notified in case of IPv4/IPv6 ROUTE deletion failure due to NOT_FOUND. Verify that there is NO entry for the failed route in ERROR_DB. |
+| | 1.10 | Verify that the failed IPv4/IPv6 ROUTE entry in ERROR_DB is cleared, when application deletes that entry. Verify other failed entries in ERROR_DB are retained. |
+| | 1.11 | Verify multiple add failures on the ECMP IPv4/IPv6 ROUTE entry. Verify each failure is notified individually along with set of nexthops. Verify ERROR_DB entry reflects the last known failure status. |
+| Neighbor Table | 2.1 | Verify application can register successfully for Neighbor table notifications. Generate failure event and verify application is notified. |
+| | 2.2 | Verify application can de-register successfully for Neighbor table notifications. Generate failure event and verify application is NO LONGER notified. |
+| | 2.3 | Verify multiple applications registerting for Neighbor table notifications. Generate failure event and verify all registered applications are notified. |
+| | 2.4 | Verify multiple applications de-register for Neighbor table notifications. Generate failure event and verify only de-registered application is NO LONGER notified. Other registered applications continue to get notified. |
+| | 2.5 | Verify that the notification for IPv4/IPv6 Neighbor entry contains all the required parameters as defined by the schema - Ifname/Prefix/Opcode/Failure code. |
+| | 2.6 | Verify error is notified incase of IPv4/IPv6 NEIGHBOR add failure due to TABLE full condition. Verify entry exists in ERROR_DB for failed neighbor with Opcode=Add and Error=Table Full. |
+| | 2.7 | Verify error is notified incase of IPv4/IPv6 NEIGHBOR add failure due to ENTRY_EXISTS condition. Verify entry exists in ERROR_DB for failed neighbor with Opcode=Add and Error=Entry Exists. |
+| | 2.8 | Verify application is notified even in case of IPv4/IPv6 NEIGHBOR is successfully programmed (NO_ERROR). Verify that there is NO entry for the neighbor in ERROR_DB in this case. |
+| | 2.9 | Verify error is notified in case of IPv4/IPv6 NEIGHBOR deletion failure due to NOT_FOUND. Verify that there is NO entry in ERROR_DB in this case. |
+| | 2.10 | Verify that the failed IPv4/IPv6 NEIGHBOR entry in ERROR_DB is cleared, when application deletes that entry. Verify other failed entries in ERROR_DB are retained. |
+| CLI | 3.1 | Verify that the 'show' command displays all the failed entries in the ERROR_DB. Verify that the output matches with redis-cli query command. |
+| | 3.2 | Verify that the 'clear' command removes all the failed entries in the ERROR_DB. Verify using redis-cli query command that there are no entries in ERROR_DB. |
+
+
+# 9 Unsupported features
+
+- Add transaction ID support to track the notifications back to application. This helps applications to correlate when multiple operations fail on the same object.
+
+ Typically, the following steps are required to handle the request that includes transaction ID:
+
+ - Application adds transaction ID (Tid) to APP_DB entry
+ - OrchAgent pass Tid to ASIC_DB
+ - Syncd includes Tid in the notification after invoking SAI API
+ - OrchAgent pass the Tid to the applications that includes other error details.
+
+ If Tid is included in the application request, framework includes the same in the notification. Otherwise, the notification is still sent, but without Tid. This enables migration of applications to start using Tid on a need basis.
+
+- Extend error handling to other tables in the sytem (VLAN/LAG/Mirror/FDB etc).
diff --git a/doc/error-handling/images/bgp_use_case.png b/doc/error-handling/images/bgp_use_case.png
new file mode 100755
index 0000000000..6cb81b850b
Binary files /dev/null and b/doc/error-handling/images/bgp_use_case.png differ
diff --git a/doc/error-handling/images/error_handling_overview.png b/doc/error-handling/images/error_handling_overview.png
new file mode 100755
index 0000000000..9bd72264b5
Binary files /dev/null and b/doc/error-handling/images/error_handling_overview.png differ
diff --git a/doc/error-handling/images/route_add_failure_flow.png b/doc/error-handling/images/route_add_failure_flow.png
new file mode 100755
index 0000000000..7881ac0e1a
Binary files /dev/null and b/doc/error-handling/images/route_add_failure_flow.png differ
diff --git a/doc/everflow/SONiC Everflow Always-on HLD.pdf b/doc/everflow/SONiC Everflow Always-on HLD.pdf
new file mode 100644
index 0000000000..9b7035bbd9
Binary files /dev/null and b/doc/everflow/SONiC Everflow Always-on HLD.pdf differ
diff --git a/doc/SONiC_EVERFLOW_IPv6.pdf b/doc/everflow/SONiC_EVERFLOW_IPv6.pdf
similarity index 100%
rename from doc/SONiC_EVERFLOW_IPv6.pdf
rename to doc/everflow/SONiC_EVERFLOW_IPv6.pdf
diff --git a/doc/fastreboot.pdf b/doc/fast-reboot/fastreboot.pdf
similarity index 100%
rename from doc/fastreboot.pdf
rename to doc/fast-reboot/fastreboot.pdf
diff --git a/doc/fwutil/fwutil.md b/doc/fwutil/fwutil.md
new file mode 100755
index 0000000000..9f524880f3
--- /dev/null
+++ b/doc/fwutil/fwutil.md
@@ -0,0 +1,462 @@
+# SONiC FW utility
+
+## High Level Design document
+
+## Table of contents
+- [About this manual](#about-this-manual)
+- [Revision](#revision)
+- [Abbreviations](#abbreviations)
+- [1 Introduction](#1-introduction)
+ - [1.1 Feature overview](#11-feature-overview)
+ - [1.2 Requirements](#12-requirements)
+ - [1.2.1 Functionality](#121-functionality)
+ - [1.2.2 Command interface](#122-command-interface)
+ - [1.2.3 Error handling](#123-error-handling)
+ - [1.2.4 Event logging](#124-event-logging)
+- [2 Design](#2-design)
+ - [2.1 Overview](#21-overview)
+ - [2.2 FW utility](#22-fw-utility)
+ - [2.2.1 Command structure](#221-command-structure)
+ - [2.2.2 Command interface](#222-command-interface)
+ - [2.2.2.1 Show commands](#2221-show-commands)
+ - [2.2.2.1.1 Overview](#22211-overview)
+ - [2.2.2.1.2 Description](#22212-description)
+ - [2.2.2.2 Install commands](#2222-install-commands)
+ - [2.2.2.2.1 Overview](#22221-overview)
+ - [2.2.2.2.2 Description](#22222-description)
+ - [2.2.2.3 Update commands](#2223-update-commands)
+ - [2.2.2.3.1 Overview](#22231-overview)
+ - [2.2.2.3.2 Description](#22232-description)
+- [3 Flows](#3-flows)
+ - [3.1 Show components status](#31-show-components-status)
+ - [3.2 Install component FW](#32-install-component-fw)
+ - [3.2.1 Non modular chassis platform](#321-non-modular-chassis-platform)
+ - [3.2.2 Modular chassis platform](#322-modular-chassis-platform)
+- [4 Tests](#4-tests)
+ - [4.1 Unit tests](#41-unit-tests)
+
+## About this manual
+
+This document provides general information about FW utility implementation in SONiC.
+
+## Revision
+
+| Rev | Date | Author | Description |
+|:---:|:----------:|:--------------:|:----------------------------------|
+| 0.1 | 21/08/2019 | Nazarii Hnydyn | Initial version |
+| 0.2 | 10/09/2019 | Nazarii Hnydyn | Review feedback and other changes |
+| 0.3 | 17/09/2019 | Nazarii Hnydyn | Align flows with the platform API |
+| 0.4 | 18/12/2019 | Nazarii Hnydyn | CLI review feedback |
+
+## Abbreviations
+
+| Term | Meaning |
+|:-------|:----------------------------------------------------|
+| FW | Firmware |
+| SONiC | Software for Open Networking in the Cloud |
+| PSU | Power Supply Unit |
+| QSFP | Quad Small Form-factor Pluggable |
+| EEPROM | Electrically Erasable Programmable Read-Only Memory |
+| I2C | Inter-Integrated Circuit |
+| SPI | Serial Peripheral Interface |
+| JTAG | Joint Test Action Group |
+| BIOS | Basic Input/Output System |
+| CPLD | Complex Programmable Logic Device |
+| FPGA | Field-Programmable Gate Array |
+| URL | Uniform Resource Locator |
+| API | Application Programming Interface |
+| N/A | Not Applicable/Not Available |
+
+## List of figures
+
+[Figure 1: FW utility High Level Design](#figure-1-fw-utility-high-level-design)
+[Figure 2: Show components status flow](#figure-2-show-components-status-flow)
+[Figure 3: FW install (non modular) flow](#figure-3-fw-install-non-modular-flow)
+[Figure 4: FW install (modular) flow](#figure-4-fw-install-modular-flow)
+
+## List of tables
+
+[Table 1: Event logging](#table-1-event-logging)
+
+# 1 Introduction
+
+## 1.1 Feature overview
+
+A modern network switch is a sophisticated equipment which consists of many auxiliary components
+which are responsible for managing different subsystems (e.g., PSU/FAN/QSFP/EEPROM/THERMAL)
+and providing necessary interfaces (e.g., I2C/SPI/JTAG).
+
+Basically these components are complex programmable logic devices with it's own HW architecture
+and software. The most important are BIOS/CPLD/FPGA etc.
+
+It is very important to always have the latest recommended software version to improve device stability,
+security and performance. Also, software updates can add new features and remove outdated ones.
+
+In order to make software update as simple as possible and to provide a nice user frindly
+interface for various maintenance operations (e.g., install a new FW or query current version)
+we might need a dedicated FW utility.
+
+## 1.2 Requirements
+
+### 1.2.1 Functionality
+
+**This feature will support the following functionality:**
+1. Manual FW installation for particular platform component
+2. Automatic FW installation for all available platform components
+3. Querying platform components and FW versions
+
+### 1.2.2 Command interface
+
+**This feature will support the following commands:**
+1. show: display FW versions
+2. install: manual FW installation
+3. update: automatic FW installation
+
+### 1.2.3 Error handling
+
+**This feature will provide error handling for the next situations:**
+1. Invalid input
+2. Incompatible options/parameters
+3. Invalid/nonexistent FW URL/path
+
+**Note:** FW binary validation (checksum, format, etc.) should be done by SONiC platform API
+
+### 1.2.4 Event logging
+
+**This feature will provide event logging for the next situations:**
+1. FW binary downloading over URL: start/end
+2. FW binary downloading over URL: error
+3. FW binary installation: start/end
+4. FW binary installation: error
+
+###### Table 1: Event logging
+
+| Event | Severity |
+|:------------------------------------------|:---------|
+| FW binary downloading over URL: start/end | NOTICE |
+| FW binary downloading over URL: error | ERROR |
+| FW binary installation: start/end | INFO |
+| FW binary installation: error | ERROR |
+
+**Note:** Some extra information also will be logged:
+1. Component location (e.g., Chassis1/Module1/BIOS)
+2. Operation result (e.g., success/failure)
+
+# 2 Design
+
+## 2.1 Overview
+
+
+
+###### Figure 1: FW utility High Level Design
+
+In order to improve scalability and performance a modern network switches provide different architecture solutions:
+1. Non modular chassis platforms
+2. Modular chassis platforms
+
+Non modular chassis platforms may contain only one chassis.
+A chassis may contain it's own set of components.
+
+Modular chassis platforms may contain only one chassis.
+A chassis may contain one or more modules and it's own set of components.
+Each module may contain it's own set of components.
+
+Basically each chassis/module may contain one or more components (e.g., BIOS/CPLD/FPGA).
+
+SONiC platform API provides an interface for FW maintenance operations for both modular and
+non modular chassis platforms. Both modular and non modular chassis platforms share the same platform API,
+but may have different implementation.
+
+SONiC FW utility uses platform API to interact with the various platform components.
+
+## 2.2 FW utility
+
+### 2.2.1 Command structure
+
+**User interface**:
+```
+fwutil
+|--- show
+| |--- status
+| |--- version
+|
+|--- install
+| |--- chassis
+| | |--- component
+| | |--- fw -y|--yes
+| |
+| |--- module
+| |--- component
+| |--- fw -y|--yes
+|
+|--- update -y|--yes -f|--force -i|--image=
+```
+
+**Note:** can be absolute path or URL
+
+### 2.2.2 Command interface
+
+#### 2.2.2.1 Show commands
+
+##### 2.2.2.1.1 Overview
+
+The purpose of the show commands group is to provide an interface for:
+1. FW utility related information query (version, etc.)
+2. Platform components related information query (fw, etc.)
+
+##### 2.2.2.1.2 Description
+
+**The following command displays FW utility version:**
+```bash
+root@sonic:~# fwutil show version
+fwutil version 1.0.0.0
+```
+
+**The following command displays platform components and FW versions:**
+1. Non modular chassis platform
+```bash
+root@sonic:~# fwutil show status
+Chassis Module Component Version Description
+-------- ------- ---------- ------------------ ------------
+Chassis1 N/A BIOS 0ACLH003_02.02.007 Chassis BIOS
+ CPLD 5 Chassis CPLD
+ FPGA 5 Chassis FPGA
+```
+
+2. Modular chassis platform
+```bash
+root@sonic:~# fwutil show status
+Chassis Module Component Version Description
+-------- ------- ---------- ------------------ ------------
+Chassis1 BIOS 0ACLH004_02.02.007 Chassis BIOS
+ CPLD 5 Chassis CPLD
+ FPGA 5 Chassis FPGA
+ Module1 CPLD 5 Module CPLD
+ FPGA 5 Module FPGA
+```
+
+#### 2.2.2.2 Install commands
+
+##### 2.2.2.2.1 Overview
+
+The purpose of the install commands group is to provide an interface
+for manual FW update of various platform components.
+
+##### 2.2.2.2.2 Description
+
+**The following command installs FW:**
+1. Non modular chassis platform
+```bash
+root@sonic:~# fwutil install chassis component BIOS fw --yes /bios.bin
+...
+FW update in progress ...
+...
+Warning: Cold reboot is required!
+root@sonic:~# fwutil install chassis component CPLD fw --yes /cpld.bin
+...
+FW update in progress ...
+...
+Warning: Power cycle is required!
+root@sonic:~# fwutil install chassis component FPGA fw --yes /fpga.bin
+...
+FW update in progress ...
+...
+Warning: Power cycle is required!
+```
+
+2. Modular chassis platform
+```bash
+root@sonic:~# fwutil install chassis component BIOS fw /bios.bin
+New FW will be installed, continue? [y/N]: N
+Aborted!
+root@sonic:~# fwutil install chassis component CPLD fw /cpld.bin
+New FW will be installed, continue? [y/N]: N
+Aborted!
+root@sonic:~# fwutil install chassis component FPGA fw /fpga.bin
+New FW will be installed, continue? [y/N]: N
+Aborted!
+root@sonic:~# fwutil install module Module1 component CPLD fw /cpld.bin
+New FW will be installed, continue? [y/N]: N
+Aborted!
+root@sonic:~# fwutil install module Module1 component FPGA fw /fpga.bin
+New FW will be installed, continue? [y/N]: N
+Aborted!
+```
+
+**Supported options:**
+1. -y|--yes - automatic yes to prompts. Assume "yes" as answer to all prompts and run non-interactively
+
+#### 2.2.2.3 Update commands
+
+##### 2.2.2.3.1 Overview
+
+The purpose of the update commands group is to provide an interface
+for automatic FW update of all available platform components.
+
+Automatic FW update requires platform_components.json to be created and placed at:
+_sonic-buildimage/device///platform_components.json_
+
+**Example:**
+1. Non modular chassis platform
+```json
+{
+ "chassis": {
+ "Chassis1": {
+ "component": {
+ "BIOS": {
+ "firmware": "/etc//fw//chassis1/bios.bin",
+ "version": "0ACLH003_02.02.010",
+ "info": "Cold reboot is required"
+ },
+ "CPLD": {
+ "firmware": "/etc//fw//chassis1/cpld.bin",
+ "version": "10",
+ "info": "Power cycle is required"
+ },
+ "FPGA": {
+ "firmware": "/etc//fw//chassis1/fpga.bin",
+ "version": "5",
+ "info": "Power cycle is required"
+ }
+ }
+ }
+ }
+}
+```
+
+2. Modular chassis platform
+```json
+{
+ "chassis": {
+ "Chassis1": {
+ "component": {
+ "BIOS": {
+ "firmware": "/etc//fw//chassis1/bios.bin",
+ "version": "0ACLH003_02.02.010",
+ "info": "Cold reboot is required"
+ },
+ "CPLD": {
+ "firmware": "/etc//fw//chassis1/cpld.bin",
+ "version": "10",
+ "info": "Power cycle is required"
+ },
+ "FPGA": {
+ "firmware": "/etc//fw//chassis1/fpga.bin",
+ "version": "5",
+ "info": "Power cycle is required"
+ }
+ }
+ }
+ },
+ "module": {
+ "Module1": {
+ "component": {
+ "CPLD": {
+ "firmware": "/etc//fw//module1/cpld.bin",
+ "version": "10",
+ "info": "Power cycle is required"
+ },
+ "FPGA": {
+ "firmware": "/etc//fw//module1/fpga.bin",
+ "version": "5",
+ "info": "Power cycle is required"
+ }
+ }
+ }
+ }
+}
+```
+
+**Note:** FW update will be skipped if component definition is not provided (e.g., 'BIOS': { })
+
+##### 2.2.2.3.2 Description
+
+**The following command updates FW of all available platform components:**
+1. Non modular chassis platform
+```bash
+root@sonic:~# fwutil update --image=next
+Chassis Module Component Firmware Version Status Info
+-------- ------- ---------- --------------------- --------------------------------------- ------------------ -----------------------
+Chassis1 N/A BIOS /bios.bin 0ACLH004_02.02.007 / 0ACLH004_02.02.010 update is required Cold reboot is required
+ CPLD /cpld.bin 5 / 10 update is required Power cycle is required
+ FPGA /fpga.bin 5 / 5 up-to-date Power cycle is required
+New FW will be installed, continue? [y/N]: y
+
+...
+FW update in progress ...
+...
+
+Summary:
+
+Chassis Module Component Status
+-------- ------- ---------- ----------
+Chassis1 N/A BIOS success
+ CPLD failure
+ FPGA up-to-date
+```
+
+2. Modular chassis platform
+```bash
+root@sonic:~# fwutil update --image=next
+Chassis Module Component Firmware Version Status Info
+-------- ------- ---------- --------------------- --------------------------------------- ------------------ -----------------------
+Chassis1 BIOS /bios.bin 0ACLH004_02.02.007 / 0ACLH004_02.02.010 update is required Cold reboot is required
+ CPLD /cpld.bin 5 / 10 update is required Power cycle is required
+ FPGA /fpga.bin 5 / 5 up-to-date Power cycle is required
+ Module1 CPLD /cpld.bin 5 / 10 update is required Power cycle is required
+ FPGA /fpga.bin 5 / 5 up-to-date Power cycle is required
+New FW will be installed, continue? [y/N]: y
+
+...
+FW update in progress ...
+...
+
+Summary:
+
+Chassis Module Component Status
+-------- ------- ---------- ----------
+Chassis1 BIOS success
+ CPLD success
+ FPGA up-to-date
+ Module1 CPLD failure
+ FPGA up-to-date
+```
+
+**Supported options:**
+1. -y|--yes - automatic yes to prompts. Assume "yes" as answer to all prompts and run non-interactively
+2. -f|--force - install FW regardless the current version
+3. -i|--image - update FW using current/next SONiC image
+
+**Note:** the default option is _--image=current_
+
+# 3 Flows
+
+## 3.1 Show components status
+
+
+
+###### Figure 2: Show components status flow
+
+## 3.2 Install component FW
+
+### 3.2.1 Non modular chassis platform
+
+
+
+###### Figure 3: FW install (non modular) flow
+
+### 3.2.2 Modular chassis platform
+
+
+
+###### Figure 4: FW install (modular) flow
+
+# 4 Tests
+
+## 4.1 Unit tests
+
+1. Show FW utility version
+2. Show components status
+3. Install new BIOS/CPLD/FPGA FW on non modular chassis
+4. Install new BIOS/CPLD/FPGA FW on modular chassis
+5. Update FW on all available platform components
diff --git a/doc/fwutil/images/fwutil_hld.svg b/doc/fwutil/images/fwutil_hld.svg
new file mode 100755
index 0000000000..7948300504
--- /dev/null
+++ b/doc/fwutil/images/fwutil_hld.svg
@@ -0,0 +1,609 @@
+
+
+
+
diff --git a/doc/fwutil/images/install_modular_flow.svg b/doc/fwutil/images/install_modular_flow.svg
new file mode 100755
index 0000000000..0ac6d3f780
--- /dev/null
+++ b/doc/fwutil/images/install_modular_flow.svg
@@ -0,0 +1,947 @@
+
+
+
+
diff --git a/doc/fwutil/images/install_non_modular_flow.svg b/doc/fwutil/images/install_non_modular_flow.svg
new file mode 100755
index 0000000000..c0f25a64fc
--- /dev/null
+++ b/doc/fwutil/images/install_non_modular_flow.svg
@@ -0,0 +1,739 @@
+
+
+
+
diff --git a/doc/fwutil/images/show_status_flow.svg b/doc/fwutil/images/show_status_flow.svg
new file mode 100755
index 0000000000..3f355dfc37
--- /dev/null
+++ b/doc/fwutil/images/show_status_flow.svg
@@ -0,0 +1,970 @@
+
+
+
+
diff --git a/doc/incremental-update-ip-lag/Incremental IP LAG Update.md b/doc/incremental-update-ip-lag/Incremental IP LAG Update.md
new file mode 100644
index 0000000000..87342f6905
--- /dev/null
+++ b/doc/incremental-update-ip-lag/Incremental IP LAG Update.md
@@ -0,0 +1,135 @@
+# SONiC IP/LAG Incremental Update
+
+# Table of Contents
+* [Revision](#revision)
+* [About](#about)
+* [Requirements Overview](#1-requirements-overview)
+* [Database Design](#2-database-design)
+* [Daemon Design](#3-daemon-design)
+* [Flows](#4-flows)
+
+##### Revision
+| Rev | Date | Author | Change Description |
+|:---:|:--------|:------------------:|--------------------|
+| 0.1 | 2018-09 | Shuotian Cheng | Initial Version |
+
+# About
+This document provides the general information about basic SONiC incremental configuration support including IP addresses configuration changes, and port channel configuration changes.
+
+# 1. Requirements Overview
+## 1.1 Functional Requirements
+#### Phase #0
+- Should be able to boot directly into working state given a working minigraph
+1. All IPs are assigned correctly to each router interfaces
+2. All port channel interfaces are created with correct members enslaved
+3. All VLAN interfaces are created with correct members enslaved
+4. All configured ports are set to admin status UP
+5. All configured ports are set to desired MTU
+#### Phase #1
+- Should not have static front panel interface configurations in `/etc/network/interfaces` file
+- Should not have static teamd configurations in `/etc/teamd/` folder.
+- Should be able to use command line to execute incremental updates including:
+1. Bring up/down all ports/port channels/VLANs
+2. Assign/remove IPs towards non-LAG-member/non-VLAN-member front panel ports, and port channels
+3. Create/remove port channels
+4. Add/remove members of port channels
+- Should be able to restart docker swss and the system recovers to the state before the restart
+
+*Note:*
+1. *Conflicting configurations that cannot be directly resolved are **NOT** supported in this phrase, including:*
+- *moving a port with IP into a port channel*
+- *assign an IP to a port channel member*
+- *adding/removing non-existing ports towards port channels, etc.*
+2. *Port channel and port channel members' admin status are controlled separately, indicating that a port channel's admin status DOWN will NOT affect its members' admin status to be brought down as well.*
+3. *Admin status and MTU are must have attributes for ports and port channels, and the default values are UP and 9100.*
+4. *MTU will be changed to the port channel's MTU once a port is enslaved into the port channel. However, the value will be automatically reset to its original one after the port is removed from the port channel.*
+#### Phase #2
+- Should be able to move loopback interface out of `/etc/network/interfaces` file and managed by `portmgrd`.
+- Should be able to restart docker teamd and all port channel configurations are reapplied
+
+*Note:*
+*The reason of moving this request into phase 2 is due to unrelated issues encountered while removing and recreating router interfaces, including IPv6 removal and potential SAI implementation issues.*
+
+#### Future Work
+TBD
+## 1.2 Orchagent Requirements
+The gap that orchagent daemon needs to fill is mostly related to MTU:
+- Should be able to change router interface MTU
+- Should be able to change LAG MTU
+
+## 1.3 \*-syncd Requirements
+- `portsyncd`: Should not be listening to netlink message to get port admin status and MTU
+
+## 1.4 \*-mgrd Requirements
+- `portmgrd`: Should be responsible for admin status and MTU configuration changes. Related tables: `PORT`
+- `intfsmgrd`: Should be responsible for port/port channel/VLAN IP configuraton changes. Related tables: `PORT_INTERFACE`, `PORTCHANNEL_INTERFACE`, `VLAN_INTERFACE`.
+- `teammgrd`: Should be responsible for port channel and port channel member configuration changes. Related tables: `PORTCHANNEL` AND `PORTCHANNEL_MEMBER`.
+
+## 1.4 Utility Requirements
+```
+config interface add ip
+config interface remove ip
+config interface mtu
+
+config port_channel add
+config port_channel remove
+config port_channel member add
+config port_channel member remove
+```
+
+# 2. Database Design
+## 2.1 CONF_DB
+#### 2.1.1 PORT Table
+```
+PORT|{{port_name}}
+ "admin_status": {{UP|DOWN}}
+ "mtu": {{mtu_value}}
+```
+#### 2.1.2 INTERFACE Table
+```
+INTERFACE|{{port_name}}|{{IP}}
+```
+#### 2.1.3 PORTCHANNEL Table
+```
+PORTCHANNEL|{{port_channel_name}}
+ "admin_status": {{UP|DOWN}}
+ "mtu": {{mtu_value}}
+ "min_links": {{min_links_value}}
+ "fall_back": {{true|false}}
+```
+#### 2.1.4 PORTCHANNEL_INTERFACE Table
+```
+PORTCHANNEL_INTERFACE|{{port_channel_name}}|{{IP}}
+```
+#### 2.1.5 PORTCHANNEL_MEMBER Table
+```
+PORTCHANNEL_MEMBER|{{port_channel_name}}|{{port_name}}
+```
+
+# 3. Daemon Design
+## 3.1 `orchagent`
+- When LAG MTU is updated, all LAG members' MTUs are updated.
+- When port/LAG MTU is updated, the associated router interface MTU is updated.
+## 3.2 `portmgrd`
+- Monitor `PORT` table
+- Should be responsible for admin status changes and MTU changes
+## 3.3 intfsyncd
+- Monitor `PORT_INTERFACE`, `PORTCHANNEL_INTERFACE`, `VLAN_INTERFACE` tables
+- Should be responsible for IP changes
+## 3.4 teamsyncd
+- Monitor `PORTCHANNEL` and `PORTCHANNEL_MEMBER` tables
+- Should be responsible for port channel changes and member changes
+
+# 4. Flows
+## 4.1 Admin Status/MTU Configuration Flow
+
+## 4.2 Port Channel and Member Configuration Flow
+
+## 4.3 IP Configuration Flow
+
+## 4.4 Device Start Flow
+
+## 4.5 Docker swss Restart
+TBD
+## 4.6 Docker teamd Restart
+TBD
diff --git a/doc/incremental-update-ip-lag/admin_status.png b/doc/incremental-update-ip-lag/admin_status.png
new file mode 100644
index 0000000000..8185e7770c
Binary files /dev/null and b/doc/incremental-update-ip-lag/admin_status.png differ
diff --git a/doc/incremental-update-ip-lag/device_start.png b/doc/incremental-update-ip-lag/device_start.png
new file mode 100644
index 0000000000..3bbaf219a4
Binary files /dev/null and b/doc/incremental-update-ip-lag/device_start.png differ
diff --git a/doc/incremental-update-ip-lag/ip.png b/doc/incremental-update-ip-lag/ip.png
new file mode 100644
index 0000000000..6880dc8476
Binary files /dev/null and b/doc/incremental-update-ip-lag/ip.png differ
diff --git a/doc/incremental-update-ip-lag/port_channel.png b/doc/incremental-update-ip-lag/port_channel.png
new file mode 100644
index 0000000000..81a49c26c0
Binary files /dev/null and b/doc/incremental-update-ip-lag/port_channel.png differ
diff --git a/doc/lag/LACP Fallback Feature for SONiC_v0.5.md b/doc/lag/LACP Fallback Feature for SONiC_v0.5.md
index b37adefffa..1eab42c948 100644
--- a/doc/lag/LACP Fallback Feature for SONiC_v0.5.md
+++ b/doc/lag/LACP Fallback Feature for SONiC_v0.5.md
@@ -1,72 +1,119 @@
# Introduction
## Overview
-The LACP Fallback Feature allows an active LACP interface to establish a Link Aggregation (LAG) before it receives LACP PDUs from its peer.
-
-This feature is useful in environments where customers have Preboot Execution Environment (PXE) Servers connected with a LACP Port Channel to the switch. Since PXE images are very small, many operating systems are unable to leverage LACP during the preboot process. The server’s NICs do not have the capability to run LACP without the assistance of a fully functional OS; during the PXE process, they are unaware of the other NIC and don’t have a method to form a LACP connection. Both the NIC’s on the server will be active and are sourcing frames from their respective MAC addresses during the initial boot process. Simply keeping both ports in the LAG active will not solve the problem because packets sourced from the MAC address of NIC-1 can be returned to the port on which NIC-2 is attached, which will cause NIC-2 to drop the packets (due to MAC mismatch).
+The LACP Fallback Feature allows an active LACP interface to establish a Link
+Aggregation (LAG) before it receives LACP PDUs from its peer.
+
+This feature is useful in environments where customers have Preboot Execution
+Environment (PXE) Servers connected with a LACP Port Channel to the switch.
+Since PXE images are very small, many operating systems are unable to leverage
+LACP during the preboot process. The server’s NICs do not have the
+capability to run LACP without the assistance of a fully functional OS; during
+the PXE process, they are unaware of the other NIC and don't have a method to
+form a LACP connection. Both the NIC's on the server will be active and are
+sourcing frames from their respective MAC addresses during the initial boot
+process. Simply keeping both ports in the LAG active will not solve the
+problem because packets sourced from the MAC address of NIC-1 can be returned
+to the port on which NIC-2 is attached, which will cause NIC-2 to drop the
+packets (due to MAC mismatch).
-With the LACP fallback feature, the switch allows the server to bring up the LAG (before receiving any LACP PDUs from the server) and keeps a single port active until it receive the LACP PDUs from the server. This allows the PXE boot server to establish a connection over one Ethernet port, download its boot image and then continue the booting process. When the server boot process is complete, the server fully forms an LACP port-channel.
+With the LACP fallback feature, the switch allows the server to bring up the
+LAG (before receiving any LACP PDUs from the server) and keeps a single port
+active until it receive the LACP PDUs from the server. This allows the PXE boot
+server to establish a connection over one Ethernet port, download its boot
+image and then continue the booting process. When the server boot process is
+complete, the server fully forms an LACP port-channel.
## Requirements
-a) LACP fallback feature can be enabled / disabled per LAG.
-b) Only one member port will be selected as active per LAG during fallback mode
-c) The member port will be moved out of the fallback state if it receives any LACP PDU from its peer.
-d) Interoperability with other devices running standard 802.3ad LACP protocol.
-e) The LACP runner behavior is not changed if fallback feature is disabled
+- LACP fallback feature can be enabled / disabled per LAG.
+- Only one member port will be selected as active per LAG during fallback mode
+- The member port will be moved out of the fallback state if it receives any
+ LACP PDU from its peer.
+- Interoperability with other devices running standard 802.3ad LACP protocol.
+- The LACP runner behavior is not changed if fallback feature is disabled
## Assumptions
-a) The LACP fallback feature is implemented on top of the open source libteam (https://github.com/jpirko/libteam) adopted by SONiC
-b) The server is supposed to use only the member port in fallback mode to communicate with switch during the fallback mode.
-c) The changes are limited to the libteam library only, the APP DB/SAI DB is not aware of the fallback state.
+- The LACP fallback feature is implemented on top of the open source libteam
+ (https://github.com/jpirko/libteam) adopted by SONiC
+- The server is supposed to use only the member port in fallback mode to
+ communicate with switch during the fallback mode.
+- The changes are limited to the libteam library only, the APP DB/SAI DB is not
+ aware of the fallback state.
## Limitations
-LACP fallback mode may also kick in during the normal LACP negotiation process due to the timing, which might cause some unexpected traffic loss. For example, if the LACP PDUs sent by peer are dropped completely, local member port with fallback enabled may still enter fallback mode, which might end up with data traffic loss.
-
+LACP fallback mode may also kick in during the normal LACP negotiation process
+due to the timing, which might cause some unexpected traffic loss. For example,
+if the LACP PDUs sent by peer are dropped completely, local member port with
+fallback enabled may still enter fallback mode, which might end up with data
+traffic loss.
+
# Background
-LACP fallback feature is implemented on the receiver side to establish a LAG before it receives LACP PDUs from its peer. So this section presents a formal description of the standard LACP Receive Machine.
+LACP fallback feature is implemented on the receiver side to establish a LAG
+before it receives LACP PDUs from its peer. So this section presents a formal
+description of the standard LACP Receive Machine.
## Receive Machine States and Timer
The receive machine has four states:
-• Rxm_current
-• Rxm_expired
-• Rxm_defaulted
-• Rxm_disabled
+- Rxm\_current
+- Rxm\_expired
+- Rxm\_defaulted
+- Rxm\_disabled
-One timer:
-Current while timer that is started in the Rxm_current and Rxm_expired states with two timeout: Short timeout (3s) and Long timeout (180s) depending on the value of the Actor’s Operational Status LACP_Timeout, as transmitted in LACPDUs.
+One timer: Current while timer that is started in the Rxm\_current and
+Rxm\_expired states with two timeout: Short timeout (3s) and Long timeout
+(180s) depending on the value of the Actor's Operational Status LACP\_Timeout,
+as transmitted in LACPDUs.
## Receive Machine Events
The following events can occur:
-• Participant created or reinitialized
-• Received LACP PDU
-• Physical MAC enabled
-• Physical MAC disabled
-• Current while timer expiry
-The physical MAC disabled event indicates that either or both of the physical MAC transmission or reception for the physical port associated with the actor have become non-operational. The received LACPDU event only occurs if both physical transmission and reception are operational, so far as the actor is aware.
+- Participant created or reinitialized
+- Received LACP PDU
+- Physical MAC enabled
+- Physical MAC disabled
+- Current while timer expiry
+
+The physical MAC disabled event indicates that either or both of the physical
+MAC transmission or reception for the physical port associated with the actor
+have become non-operational. The received LACPDU event only occurs if both
+physical transmission and reception are operational, so far as the actor is
+aware.
# LACP Fallback Design
-With the standard rx state machine described above, the member port will be put into defaulted state if the member port never receives LACP PDUs from remote end. And the member port is not selectable in defaulted state, thus the member port cannot be aggregated to the LAG.
+With the standard rx state machine described above, the member port will be put
+into defaulted state if the member port never receives LACP PDUs from remote
+end. And the member port is not selectable in defaulted state, thus the member
+port cannot be aggregated to the LAG.
-In order to support LACP fallback feature, we need to make the port selectable in defaulted state if fallback is enabled. Hence we'd like to introduce the fallback mode in defaulted state.
+In order to support LACP fallback feature, we need to make the port selectable
+in defaulted state if fallback is enabled. Hence we'd like to introduce the
+fallback mode in defaulted state.
-Fallback Mode:
-In this mode, the port selected bit is being set, which means the port is selectable and can be aggregated into the LAG. If any LACP PDU is being received over the LAG during this mode, the port will move to expired state, and restart the LACP negotiation with peer.
+- Fallback Mode:
+
+In this mode, the port selected bit is being set, which means the port is
+selectable and can be aggregated into the LAG. If any LACP PDU is being
+received over the LAG during this mode, the port will move to expired state,
+and restart the LACP negotiation with peer.
+
+- Fallback Eligible:
-Fallback Eligible:
-This checks whether LACP fallback feature is configured on this LAG. One and only one member port can be put into fallback mode per LAG. And the server is supposed to use only the member port in fallback mode to communicate with switch.
+This checks whether LACP fallback feature is configured on this LAG. One and
+only one member port can be put into fallback mode per LAG. And the server is
+supposed to use only the member port in fallback mode to communicate with
+switch.
To summarize, in the defaulted state, we have
```
@@ -78,7 +125,10 @@ Else
# LACP Fallback Config
## JSON Config
-teamd is configured using JSON config string. This can be passed to teamd either on the command line or in a file. JSON format was chosen because it's easy to specify (and parse) hierarchic configurations using it.
+
+teamd is configured using JSON config string. This can be passed to teamd
+either on the command line or in a file. JSON format was chosen because it's
+easy to specify (and parse) hierarchic configurations using it.
Example teamd config (teamd1.conf):
```
@@ -89,19 +139,21 @@ Example teamd config (teamd1.conf):
"name":"lacp",
"active": true,
"fast_rate": true,
- "fallback": true,
+ "fallback": true,
"tx_hash": ["eth", "ipv4"]
},
"link_watch":{"name":"ethtool"},
"ports":
{
"Ethernet30":{},
- "Ethernet31":{},
- "Ethernet32":{}
+ "Ethernet31":{},
+ "Ethernet32":{}
}
}
```
+
## Minigraph Config
+
```
@@ -112,6 +164,7 @@ Example teamd config (teamd1.conf):
```
+
The following set of Show commands relevant for LACP will be supported:
```
Teamshow
@@ -120,7 +173,6 @@ The following set of Show commands relevant for LACP will be supported:
# References
-a) SONiC Configuration Management
-b) Open Source libteam https://github.com/jpirko/libteam
-c) IEEE 802.3ad Standard for LACP http://www.ieee802.org/3/ad/public/mar99/seaman_1_0399.pdf
-
+- SONiC Configuration Management
+- Open Source libteam https://github.com/jpirko/libteam
+- IEEE 802.3ad Standard for LACP http://www.ieee802.org/3/ad/public/mar99/seaman_1_0399.pdf
diff --git a/doc/layer2-forwarding-enhancements/SONiC Layer 2 Forwarding Enhancements HLD.md b/doc/layer2-forwarding-enhancements/SONiC Layer 2 Forwarding Enhancements HLD.md
new file mode 100644
index 0000000000..75e4225885
--- /dev/null
+++ b/doc/layer2-forwarding-enhancements/SONiC Layer 2 Forwarding Enhancements HLD.md
@@ -0,0 +1,444 @@
+# Layer 2 Forwarding Enhancements
+#### Rev 1.0
+
+# Table of Contents
+ * [List of Tables](#list-of-tables)
+ * [Revision](#revision)
+ * [About This Manual](#about-this-manual)
+ * [Scope](#scope)
+ * [Definition/Abbreviation](#definitionabbreviation)
+ * [1. Requirements Overview](#1-requirement-overview)
+ * [1.1 Functional Requirements](#11-functional-requirements)
+ * [1.2 Configuration and Management Requirements](#12-configuration-and-management-requirements)
+ * [1.3 Scalability Requirements](#13-scalability-requirements)
+ * [1.4 Warm Boot Requirements](#14-warm-boot-requirements)
+ * [2. Functionality](#2-functionality)
+ * [2.1 Functional Description](#21-functional-description)
+ * [3. Design](#3-design)
+ * [3.1 Overview](#31-overview)
+ * [3.2 DB Changes](#32-db-changes)
+ * [3.2.1 CONFIG DB](#321-config-db)
+ * [3.3 Switch State Service Design](#33-switch-state-service-design)
+ * [3.3.1 Orchestration Agent](#331-orchestration-agent)
+ * [3.3.2 Other Process](#332-other-process)
+ * [3.4 Syncd](#34-syncd)
+ * [3.5 SAI](#35-sai)
+ * [3.6 CLI](#36-cli)
+ * [3.6.1 Configuration Commands](#361-configuration-commands)
+ * [3.6.2 Show Commands](#362-show-commands)
+ * [4. Flow Diagrams](#4-flow-diagrams)
+ * [5. Serviceability and Debug](#5-serviceability-and-debug)
+ * [6. Warm Boot Support](#6-warm-boot-support)
+ * [7. Scalability](#7-scalability)
+ * [8. Unit Test](#8-unit-test)
+
+
+# List of Tables
+[Table 1: Abbreviations](#table-1-abbreviations)
+
+
+# Revision
+| Rev | Date | Author | Change Description |
+|:---:|:-----------:|:------------------:|--------------------------------------------|
+| 1.0 | 04/30/2019 | Anil Pandey | Added detailed requirements |
+| | | | Added detailed Unit Test cases |
+| 0.3 | 04/29/2019 | Pankaj Jain | Modified static-mac and aging commands |
+| 0.2 | 04/26/2019 | Anil Pandey | Merged VLAN Range FS contents |
+| 0.1 | 04/11/2019 | Anil Pandey | Initial version |
+
+
+# About this Manual
+This document provides general information about the Layer 2 Forwarding Enhancements feature implementation in SONiC.
+# Scope
+This document describes the high level design of Layer 2 Forwarding Enhancements feature.
+
+
+# Definition/Abbreviation
+### Table 1: Abbreviations
+| **Term** | **Meaning** |
+|--------------------------|-------------------------------------|
+| FDB | Forwarding Database |
+
+
+# 1 Requirement Overview
+## 1.1 Functional Requirements
+
+ 1. FDB Flush Support
+ - FDB entries should be flushed per Port when the operational state of the port goes down. Only dynamic entries should be flushed.
+ - FDB entries should be flushed per Port per VLAN when a port is removed from a VLAN. Both dynamic and static entries should be flushed. Static FDB configuration should not be removed.
+ - FDB entries should be flushed per Port or per Port per VLAN when triggered by Layer 2 Protocol upon topology change. Only dynamic entries should be flushed.
+ - FDB entries should be flushed per Portchannel when the admin or operational status of the Portchannel goes down.
+ - FDB entry should be removed from FDB_TABLE in STATE_DB and ASIC_SB and internal orchagent FDB data structure and Hardware.
+
+2. Handle MAC move event generated by hardware.
+ - Existing FDB entry should be replaced with one having new Port in ASIC_DB and STATE_DB when a MAC move event is received.
+
+3. Configuration CLI for FDB aging time.
+ - The FDB aging time should be configurable in hardware to a desired value from CLI.
+ - There should be an option to disable aging by setting the aging time to 0.
+ - The default FDB aging time should be set to 600 seconds.
+
+4. Configuration CLI for Static FDB entry.
+ - A Static FDB entry should be configurable in hardware from CLI.
+ - Static FDB entry should be set in CONFIG_DB and APP_DB even if the port is not member of VLAN.
+ - Static FDB entry should be added in saved FDB in Orchagent if port is not member of VLAN.
+ - Static FDB entry should be added in saved FDB in Orchagent after the entry is deleted due to FDB flush when port is removed from VLAN.
+ - Static FDB entry should be added in STATE_DB.
+
+5. Should have per Port, per VLAN and per Port per VLAN FDB clear options in CLI command "sonic-clear fdb".
+
+6. VLAN range CLI support
+ - Should be able to create a range of VLANs in a single CLI command.
+ - Should be able to delete a range of VLANs in a single CLI command.
+ - Should be able to add a port to a range of VLANs in a single CLI command.
+ - Should be able to delete a port from a range of VLANs in a single CLI command.
+
+
+## 1.2 Configuration and Management Requirements
+- New CLI is added for configuring FDB aging time.
+- New CLI is added to display current FDB aging time.
+- New CLI is added for add/delete of Static FDB entry.
+- Existing CLI 'sonic-clear fdb' is extended to clear FDB per port or per VLAN or per Port per VLAN.
+- Existing CLI tree is extended to include support for keyword 'range' in each of the VLAN create and delete and VLAN member create and delete commands.
+
+
+## 1.3 Scalability Requirements
+- Up to 4094 VLAN will be supported.
+- VLAN range commands are invalidated for VLANs that fall outside the range 1 through 4094
+ (Aforementioned range should be configurable and valid).
+
+
+## 1.4 Warm Boot Requirements
+Warm boot support already exists.
+
+
+# 2 Functionality
+
+## 2.2 Functional Description
+**1. FDB Flush suport**
+- When a port operational state goes down, all dynamic FDB entries will be flushed on the port. The entries will be removed from FDB_TABLE in ASIC_DB, STATE_DB and Hardware and Orchagent data structures. Portchannel admin or operational state down will also be handled similarly.
+- When a port is removed from VLAN, all static and dynamic FDB entries will be flushed on the (port,VLAN). Static FDB entries will still be preserved in the FDB_TABLE in CONFIG_DB and APP_DB. When port is added back to VLAN, Orchagent will reprogram the FDB entries.
+- Spanning Tree Protocol to flush dynamic FDB entries either on a Port or on (Port,VLAN) when topology change occurs. API will be provided in Orchagent for L2 protocol component to flush FDB entries accordingly.
+
+
+**2. Handle MAC move events.**
+- MAC move event generated by some hardware (e.g. DNX) is currently not handled in SAI and SONiC. Will add support in Orchagent for moving the FDB entry to new port upon receipt of such event.
+
+
+**3. Configuration for FDB aging time.**
+- CLI configuration to be added to change the FDB aging time. By default, the aging time in hardware is 0 and set to 600 seconds in SONiC. It can be changed to a desired value if CLI is available. Currently, it can be done only by setting in APP_DB. The configuration range will be 0-1,000,000 seconds. Setting aging time to 0 will disable aging.
+
+
+**4. Configuration for static FDB entry.**
+- Currently, static FDB can only be added only by setting in APP_DB. CLI configuration will be added for this.
+- If a dynamic FDB already exists with the same (MAC, VLAN), it will be replaced with the static entry.
+- If the port is not member of VLAN, the static entry will be present in CONFIG_DB and APP_DB. It will also be saved in the orchagent saved FDB until the port is added to the VLAN.
+
+
+**5. FDB clear options for per port and per VLAN ans per Port per VLAN clear.**
+
+ - Currently, "sonic-clear fdb" command has only the option "ALL" supported. Will add options for "PORT" and "VLAN" to clear FDB entries either on a port or on a VLAN or on PORT and VLAN. Only dynamic FDB will be cleared.
+
+ **6. VLAN Range CLI.**
+- In current SONiC release, support for VLAN commands through CLI is limited to creating and deleting a single VLAN and adding/removing a port to/from a single VLAN. Support for VLAN range will be added in CLI to enable administrator to create and delete a range of VLANs and add/remove a port to/from a range of VLANs.
+- When a large number of interfaces are made members of a huge set of VLANs, deletion of VLANs takes significant time due to the reason mentioned in [Scalability](#7-scalability) section.
+- In SONiC, VLAN operations are performed either through config_db.json file or through CLI commands. In config_db.json file, administrator is required to update the desired VLAN and/or member port in each VLAN as per the JSON file format. This process is overburdening when it is required to manually add/delete VLANs in bulk and add/delete ports to/from VLANs in bulk. Administrator can perform the same operations through CLI commands which, though, is easy, becomes extremely taxing when multiple commands need to be executed to perform bulk operations, like creating/deleting 4094 VLANs and associating/removing ports from each of these VLANs through CLI commands that provide an option to enter only one VLAN.
+ - Administrator's task is greatly simplified with provision for VLAN range configuration. And time taken to perform the operations is drastically reduced.
+
+
+# 3 Design
+## 3.1 Overview
+Code changes are confined to the components marked in RED.
+
+
+ **Overview of components involved:**
+
+
+
+
+
+For FDB flush and FDB aging and Static FDB commands, the design is described in details in the SWSS section.
+Overview of changes for VLAN range support is provided below.
+
+**VLAN Range Support:**
+
+VLAN Range Support: For each of the new commands, a loop is iterated to run though the two configured parameters, first vlan-id and last vlan-id, (as specified in commands listed in section 3.6.2) and CONFIG_DB is updated through a single push operation using redisDB pipelining mechanism. Pipeline mechanism ensures the DB is updated very quick.
+
+Range command issued takes only two VLAN identifiers as arguments. List of VLANs are not configurable. For example, 'config vlan range add 2 10' is allowed and valid, but 'config vlan range add 2 10,3 100' is not valid.
+
+For VLAN range creation, VLAN existence for each VLAN identifier is checked in CONFIG_DB through GET operation prior to adding the redisDB SET to the pipeline. If few VLANs are already created and 'range create' command issued involves such VLANs, a message of severity 'warning' is logged, if the option '-w' is provided while configuring, and non-existent VLANs are created.
+
+For VLAN range deletion, existence of each VLAN is checked and delete operations are added to pipeline and executed at once after iterating through the entire range. For all non-existent VLANs, a single warning message is logged (if the optional argument, '-w', is enabled) after pipeline execution is completed.
+
+For VLAN member range creation and deletion, similar logic is added.
+
+VLAN and port identifier validation are added as part of the logic added in the functions for the new commands.
+
+
+## 3.2 DB Changes
+### 3.2.1 CONFIG DB
+**FDB table for Static MAC**
+
+FDB_TABLE will be set in CONFIG_DB to store static MAC configuration.
+
+**SWITCH table for Aging time configuration**
+
+SWITCH_TABLE will be set in CONFIG_DB to store FDB aging time configuration.
+
+## 3.3 Switch State Service Design
+### 3.3.1 Orchestration Agent
+
+
+**Data Structure changes**
+
+
+The internal FDB data structure will be enhanced to store the FDB type (static/dynamic). Currently, FDB is stored as c++ set. It will be changed to c++ map to store (key, value), where key is (MAC, bv_id) and value is FDB type.
+FDB type is needed to add Static FDB to saved FDB after flush.
+
+
+ **FDB Data structure in Orchagent:**
+
+
+
+
+In current Sonic implementation, when a FDB event is received with VLAN SAI object ID, the VLAN ID is retrieved by traversing through all the ports and VLANs in the orchagent DB and finding the one that matches the object ID. Also, the Port details are retrieved by traversing all the port and VLANs. This approach is inefficient as it may traverse through the number of VLANs configured for each FDB learn event. Worst case time is O(M*N) where M is the number of MAC events and N is the number of entries in port data structure.
+
+
+A new unordered_map containing a mapping between SAI object ID (can be either Port object ID or Bridge Port object ID or VLAN object ID) and Name (port or VLAN alias) will be added which can be looked up in O(1) time. The Port or VLAN alias retrieved from this will be looked up in the Port data structure.
+
+
+ **Object ID to alias mapping.**
+
+
+
+
+
+**Changes for FDB flush.**
+When a FDB flush request is received, Orchagent will send a bulk flush request to syncd. Individual FDB delete response from SAI will be used to delete FDB entries in ASIC_DB, STATE_DB and orchagent data structure. The delete response will be received as AGED event to syncd, which will delete the entry in ASIC_DB and notify Orchagent.
+
+
+When a port operational status goes down, portsorch will call fdborch API to trigger FDB flush. Only dynamic FDB will be flushed.
+
+
+When a port is removed from VLAN, portsorch will call fdborch API to trigger FDB flush. Both static and dynamic FDB will be flushed. Also, the static FDB will be added to the temporary DB in orchagent when delete response is received, so that it can programmed back when port is added back to VLAN.
+
+
+When Spanning tree state changes, protocol component within orchagent will call fdborch API to flush FDB by either per Port or per Port per VLAN. Only dynamic FDB will be flushed.
+
+
+ **FDB Flush due to Port operational state down:**
+
+
+
+
+
+ **FDB Flush due to Port removal from VLAN:**
+
+
+
+
+
+ **FDB Flush due to spanning tree state change:**
+
+
+
+
+
+**Changes for handling MAC move events.**
+Hardware can generate a single MAC move event instead of generating 2 events (del-old mac and add-new mac). Orchagent code changes will be done to replace the existing FDB entry with the new port in STATE_DB.
+
+
+**Changes for FDB aging time configuration.**
+A new CLI commands will be added for configuring the FDB aging time.
+FDB aging time configuration will be set in the SWITCH table in CONFIG_DB. Vlanmgr will populate it in the APP_DB. Orchagent will get notified and handling will be SwitchOrch. SwitchOrch will call sai_redis API to send request to syncd via ASIC_DB.
+
+
+
+
+
+**Changes for Static FDB configuration.**
+New CLI will be added for configuring Static FDB entry. It will be set in the FDB_TABLE in CONFIG_DB. Vlanmgr will handle the CONIG_DB changes, do necessary validations and then populate in APP_DB. FdbOrch already has all the necessary handling for Static FDB changes from APP_DB.
+When a port is removed from VLAN, the corresponding Static FDB entries will also be flushed from all databases except APP_DB and CONFIG_DB. Flushed static FDB will be stored in the saved FDB in orchagent for retrieval and programming later when port is added back to VLAN.
+If a dynamic FDB is already learnt and a static FDB is configured with same (MAC, VLAN), the existing dynamic FDB entry will be replaced with the static entry.
+
+
+
+
+
+
+
+
+
+### 3.3.2 Other Process
+**Vlanmgr changes**
+
+Vlanmgr will handle Aging time configuration changes from SWITCH table in CONFIG_DB. It will set the new aging time in SWITCH_TABLE in APP_DB, which will be processed by SwitchOrch.
+
+
+Vlanmgr will handle Static FDB configuration from FDB table in CONFIG_DB. It will do validation and then set the static FDB in FDB_TABLE in APP_DB, which will be processed by FdbOrch.
+
+
+## 3.4 SyncD
+No change.
+
+
+## 3.5 SAI
+No changes are being made in SAI. The following SAI attributes are used by the changes being made to SONiC:
+
+1. SAI_FDB_FLUSH_ATTR_BRIDGE_PORT_ID
+2. SAI_FDB_FLUSH_ATTR_BV_ID
+3. SAI_FDB_FLUSH_ATTR_ENTRY_TYPE
+4. SAI_FDB_ENTRY_ATTR_TYPE
+5. SA_FDB_EVENT_MOVE
+6. SAI_SWITCH_ATTR_FDB_AGING_TIME
+
+
+
+## 3.6 CLI
+
+### 3.6.1 Configuration Commands
+**FDB Aging time configuration**
+
+root@sonic:/# config mac aging-time
+- To set the mac aging time to a value.
+
+
+**Static MAC configuration**
+
+
+root@sonic:/# config mac add 00:10:3a:2b:05:67 100 Ethernet2
+- To add a static mac on vlan 100 and port Ethernet2.
+
+
+root@sonic:/# config mac del 00:10:3a:2b:05:67 100
+- To delete a static mac on vlan 100.
+
+**VLAN Range configuration**
+
+root@sonic:/# config vlan range add <-w, optional argument>
+
+root@sonic:/# config vlan range del <-w, optional argument>
+
+root@sonic:/# config vlan member range add <-w, optional argument>
+
+root@sonic:/# config vlan member range del <-w, optional argument>
+
+
+
+### 3.6.2 Show Commands
+
+
+root@sonic:/# show mac aging-time
+- To display the current configured mac aging time.
+
+
+# 4 Flow Diagrams
+Flow diagrams are provided in the [Design](#3-design) section.
+
+# 5 Serviceability and Debug
+Debug counters will be added for all operations and events related to L2 forwarding like the following:
+In Orchagent:
+- Number of FDB learn/aged events received from ASIC_DB.
+- Number of FDB add/delete request received from APP_DB.
+- Number vlan add/delete received from APP_DB.
+- Number of FDB entries inserted in the saved FDB database.
+- Number of FDB add/delete requests sent to syncd.
+- Counters for various failure conditions.
+
+
+NOTICE/INFO level logs will be added for major operations and events in vlanmgr and orchagent.
+
+
+Logic is added in the functions for VLAN range commands to append warning messages to a list and are displayed if the optional argument is provided. Iteration in the loops is not intentionally broken, if an existing/non-existing VLAN is trying to be operated upon, to ensure configuration for other VLANs goes through successfully.
+
+# 6 Warm Boot Support
+
+No change.
+
+# 7 Scalability
+
+If the number of VLANs in the range commands is high, the time it takes to perform the operation increases, though it is significantly lower compared to the same operation being performed using existing commands.
+
+
+# 8 Unit Test
+
+**Data structure changes**
+
+1. Verify that FDB internal map is updated properly when a FDB entry is added/deleted in hardware or when a static FDB entry is added/deleted.
+
+2. Verify that SAI Object ID to port/VLAN name mapping table is updated properly when a port/port-channel or VLAN is added/removed
+
+**FDB flush**
+
+3. Verify that dynamic fdb entries are flushed in hardware, orchagent data structure and other DBs when a port/portchannel operational state goes down.
+
+4. Verify that dynamic fdb entries are flushed in hardware, orchagent data structure and other DBs when a port/portchannel admin state goes down.
+
+5. Verify that FDB entries are added back properly when the port comes back operationally up.
+
+6. Verify that both static and dynamic fdb entries are flushed in hardware, orchagent data structure, STATE_DB and ASIC_DB when a port is removed from VLAN.
+
+7. Verify that the flushed static FDB entries are stored in saved FDB in orchagent.
+
+8. Verify that FDB entries are added back properly when the port is added back to the vlan.
+
+9. Verify that dynamic fdb entries are flushed in hardware, orchagent data structure and other DBs when 'sonic-clear fdb all" command is issued.
+
+10. Verify that dynamic fdb entries on a port are flushed in hardware, orchagent data structure and other DBs when 'sonic-clear fdb port" command is issued.
+
+11. Verify that dynamic fdb entries on a VLAN are flushed in hardware, orchagent data structure and other DBs when 'sonic-clear fdb vlan" command is issued.
+
+12. Verify that mac are learnt properly again after flush due to 'sonic-clear' command.
+
+13. Send traffic from same MAC, VLAN to a different port and verify that mac is updated in hardware, ASIC_DB, STATE_DB and orchagent data structure.
+
+**FDB Aging time configuration**
+
+14. Set FDB aging time from CLI and verify that FDB entries age out after that interval.
+
+15. Verify that FDB aging time takes effect after configuration is saved and switch is rebooted.
+
+**Static FDB entry configuration**
+
+16. Verify that Static FDB entry configured from CLI is added in hardware and all other DBs.
+
+18. Verify that if port is not member of VLAN, Static FDB entry is added in CONFIG_DB, APP_DB and saved FDB in orchagent.
+
+19. Verify that Static FDB entry is effective after configuration is saved and switch is rebooted..
+
+**Warm restart**
+
+20. Verify that Aging time and static MAC configuration are re-applied after switch, swss docker, syncd and orchagent warm reboot.
+
+21. Verify that FDb entries are synchronized after Orchagent unplanned reboot if the reboot happens while FDB flush is in progress.
+
+**Scale test**
+
+22. Verify 8K FDB entry learning. All entries should be added to various DBs, hardware and Orchagent data structure.
+
+23. Verify 8K FDB entry aging. All entries should be deleted from various DBs, hardware and Orchagent data structures.
+
+24. Verify 8K FDB entry flush per port, per VLAN and per port per VLAN.
+
+26. Learn 8K FDB entries on 4094 VLANs and verify the above cases.
+
+**VLAN Range:**
+
+27. Validate VLAN identifier in VLAN range commands.
+28. Check log messages (when '-w' option is provided) for overlapping and non-existent VLANs provided in VLAN range commands. Any conflicting configuration (for example: portchannel having an IP address configured being configured to participate in a VLAN) results in warning messages. Messages are grouped and displayed after the execution of the commands.
+29. Validate the port data provided in VLAN member range command.
+30. Validate the traffic flow after the VLANs are created and member ports are added.
+31. Ensure the ports removed from the VLANs are excluded from the hardware by sending matching traffic flows.
+32. Ensure the deletion of range of VLANs is successful.
+33. Create a range of VLANs and save the configuration. Check for the existence of VLANs after reload operation.
+34. Remove few VLANs randomly after executing the command to create a range of VLANs. Check for the existence of the rest of the VLANs.
+
+
diff --git a/doc/layer2-forwarding-enhancements/images/agingTimeConfig.jpg b/doc/layer2-forwarding-enhancements/images/agingTimeConfig.jpg
new file mode 100644
index 0000000000..6922b9853b
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/agingTimeConfig.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/fdbDataStructure.jpg b/doc/layer2-forwarding-enhancements/images/fdbDataStructure.jpg
new file mode 100644
index 0000000000..bd8702a743
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/fdbDataStructure.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/oidToName.jpg b/doc/layer2-forwarding-enhancements/images/oidToName.jpg
new file mode 100644
index 0000000000..f972266458
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/oidToName.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/overall.jpg b/doc/layer2-forwarding-enhancements/images/overall.jpg
new file mode 100644
index 0000000000..190118a23e
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/overall.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/portDownFlush.jpg b/doc/layer2-forwarding-enhancements/images/portDownFlush.jpg
new file mode 100644
index 0000000000..04018a5db1
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/portDownFlush.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/portVlanRemoveFlush.jpg b/doc/layer2-forwarding-enhancements/images/portVlanRemoveFlush.jpg
new file mode 100644
index 0000000000..9afffdbd6c
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/portVlanRemoveFlush.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/staticMacConfig.jpg b/doc/layer2-forwarding-enhancements/images/staticMacConfig.jpg
new file mode 100644
index 0000000000..e857a50645
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/staticMacConfig.jpg differ
diff --git a/doc/layer2-forwarding-enhancements/images/stpFlush.jpg b/doc/layer2-forwarding-enhancements/images/stpFlush.jpg
new file mode 100644
index 0000000000..81ab313b59
Binary files /dev/null and b/doc/layer2-forwarding-enhancements/images/stpFlush.jpg differ
diff --git a/doc/macsec-gearbox/dummy b/doc/macsec-gearbox/dummy
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/doc/media-settings/Media-based-Port-settings.md b/doc/media-settings/Media-based-Port-settings.md
index 8e71f1dad4..7417a82216 100644
--- a/doc/media-settings/Media-based-Port-settings.md
+++ b/doc/media-settings/Media-based-Port-settings.md
@@ -136,9 +136,9 @@
This mechanism is also very helpful in supporting new media types without upgrading the Operating system. If a new media type need to be supported the only change that needs to be done is modify media_settings.json to add the new media type.
-
+
-
+
## Breakout Scenario:
diff --git a/doc/mgmt/CVL_Yang_as_NB_YANG_v2.pptx b/doc/mgmt/CVL_Yang_as_NB_YANG_v2.pptx
new file mode 100644
index 0000000000..a007d08416
Binary files /dev/null and b/doc/mgmt/CVL_Yang_as_NB_YANG_v2.pptx differ
diff --git a/doc/mgmt/Jun2-26-2019-Sonic-Mgmt-Framework-Demo-Workflow.pptx b/doc/mgmt/Jun2-26-2019-Sonic-Mgmt-Framework-Demo-Workflow.pptx
new file mode 100644
index 0000000000..994b8322ec
Binary files /dev/null and b/doc/mgmt/Jun2-26-2019-Sonic-Mgmt-Framework-Demo-Workflow.pptx differ
diff --git a/doc/mgmt/Management Framework.md b/doc/mgmt/Management Framework.md
new file mode 100644
index 0000000000..155e99236a
--- /dev/null
+++ b/doc/mgmt/Management Framework.md
@@ -0,0 +1,2077 @@
+# SONiC Management Framework
+
+## High level design document
+
+### Rev 0.11
+
+## Table of Contents
+
+* [List of Tables](#list-of-tables)
+* [Revision](#revision)
+* [About this Manual](#about-this-manual)
+* [Scope](#scope)
+* [Definition/Abbreviation](#definitionabbreviation)
+* [Table 1: Abbreviations](#table-1-abbreviations)
+* [1 Feature Overview](#1-feature-overview)
+ * [1.1 Requirements](#11-requirements)
+ * [1.2 Design Overview](#12-design-overview)
+ * [1.2.1 Basic Approach](#121-basic-approach)
+ * [1.2.2 Container](#122-container)
+* [2 Functionality](#2-functionality)
+ * [2.1 Target Deployment Use Cases](#21-target-deployment-use-cases)
+* [3 Design](#3-design)
+ * [3.1 Overview](#31-overview)
+ * [3.1.1 Build time flow](#311-build-time-flow)
+ * [3.1.2 Run time flow](#312-run-time-flow)
+ * [3.1.2.1 CLI](#3121-cli)
+ * [3.1.2.2 REST](#3122-REST)
+ * [3.1.2.3 gNMI](#3123-gnmi)
+ * [3.2 SONiC Management Framework Components](#32-sonic-management-framework-components)
+ * [3.2.1 Build time components](#321-build-time-components)
+ * [3.2.1.1 Yang to OpenAPI converter](#3211-yang-to-openapi-converter)
+ * [3.2.1.1.1 Overview](#32111-overview)
+ * [3.2.1.1.2 Supported HTTP verbs](#32112-supported-http-verbs)
+ * [3.2.1.1.3 Supported Data Nodes](#32113-supported-data-nodes)
+ * [3.2.1.1.4 Data Type Mappings](#32114-data-type-mappings)
+ * [3.2.1.1.5 Future enhancements](#32115-future-enhancements)
+ * [3.2.1.2 swagger generator](#3212-swagger-generator)
+ * [3.2.1.3 YGOT generator](#3213-YGOT-generator)
+ * [3.2.1.4 pyang compiler](#3214-pyang-compiler)
+ * [3.2.2 Run time components](#322-run-time-components)
+ * [3.2.2.1 CLI](#3221-cli)
+ * [3.2.2.2 REST Client SDK](#3222-REST-client-sdk)
+ * [3.2.2.3 gNMI Client](#3223-gnmi-client)
+ * [3.2.2.4 REST server](#3224-REST-server)
+ * [3.2.2.4.1 Transport options](#32241-transport-options)
+ * [3.2.2.4.2 Translib linking](#32242-Translib-linking)
+ * [3.2.2.4.3 Media Types](#32243-media-types)
+ * [3.2.2.4.4 Payload Validations](#32244-payload-validations)
+ * [3.2.2.4.5 Concurrency](#32245-concurrency)
+ * [3.2.2.4.6 API Versioning](#32246-api-versioning)
+ * [3.2.2.4.7 RESTCONF Entity-tag](#32247-restconf-entity-tag)
+ * [3.2.2.4.8 RESTCONF Discovery](#32248-restconf-discovery)
+ * [3.2.2.4.9 RESTCONF Query Parameters](#32249-restconf-query-parameters)
+ * [3.2.2.4.10 RESTCONF Operations](#322410-restconf-operations)
+ * [3.2.2.4.11 RESTCONF Notifications](#322411-restconf-notifications)
+ * [3.2.2.4.12 Authentication](#322412-authentication)
+ * [3.2.2.4.13 Error Response](#322413-error-response)
+ * [3.2.2.4.14 DB Schema](#322414-db-schema)
+ * [3.2.2.4.15 API Documentation](#322415-api-documentation)
+ * [3.2.2.5 gNMI server](#3225-gnmi-server)
+ * [3.2.2.5.1 Files changed/added](#32251-files-changed/added)
+ * [3.2.2.5.2 Sample Requests](#32253-sample-requests)
+ * [3.2.2.6 Translib](#3226-Translib)
+ * [3.2.2.6.1 App Interface](#32261-app-interface)
+ * [3.2.2.6.2 Translib Request Handler](#32262-Translib-request-handler)
+ * [3.2.2.6.3 YGOT request binder](#32263-YGOT-request-binder)
+ * [3.2.2.6.4 DB access layer](#32264-db-access-layer)
+ * [3.2.2.6.5 App Modules](#32265-app-modules)
+ * [3.2.2.7 Transformer](#3227-transformer)
+ * [3.2.2.7.1 Components](#32271-components)
+ * [3.2.2.7.2 Design](#32272-design)
+ * [3.2.2.7.3 Process](#32273-process)
+ * [3.2.2.7.4 Common App](#32274-common-app)
+ * [3.2.2.7.5 YANG Extensions](#32275-yang-extensions)
+ * [3.2.2.7.6 Public Functions](#32276-public-functions)
+ * [3.2.2.7.7 Overloaded Modules](#32277-overloaded-modules)
+ * [3.2.2.7.8 Utilities](#32278-utilities)
+ * [3.2.2.8 Config Validation Library (CVL)](#3228-config-validation-library-cvl)
+ * [3.2.2.8.1 Architecture](#32281-architecture)
+ * [3.2.2.8.2 Validation types](#32282-validation-types)
+ * [3.2.2.8.3 CVL APIs](#32283-cvl-apis)
+ * [3.2.2.9 Redis DB](#3229-redis-db)
+ * [3.2.2.10 Non DB data provider](#32210-non-db-data-provider)
+* [4 Flow Diagrams](#4-flow-diagrams)
+ * [4.1 REST SET flow](#41-REST-set-flow)
+ * [4.2 REST GET flow](#42-REST-get-flow)
+ * [4.3 Translib Initialization flow](#43-Translib-initialization-flow)
+ * [4.4 gNMI flow](#44-gNMI-flow)
+ * [4.5 CVL flow](#45-CVL-flow)
+* [5 Developer Work flow](#5-Developer-Work-flow)
+ * [5.1 Developer work flow for custom (SONiC/CVL) YANG](#51-Developer-work-flow-for-custom-SONiCCVL-YANG)
+ * [5.1.1 Define Config Validation YANG schema](#511-Define-Config-Validation-YANG-schema)
+ * [5.1.2 Generation of REST server stubs and Client SDKs for YANG based APIs](#512-Generation-of-REST-server-stubs-and-Client-SDKs-for-YANG-based-APIs)
+ * [5.1.3 Config Translation App (Go language)](#513-Config-Translation-App-Go-language)
+ * [5.1.4 IS CLI](#514-IS-CLI)
+ * [5.1.5 gNMI](#515-gNMI)
+ * [5.2 Developer work flow for standard (OpenConfig/IETF) YANG](#52-Developer-work-flow-for-standard-OpenConfigIETF-YANG)
+ * [5.2.1 Identify the standard YANG module for the feature for northbound APIs](#521-Identify-the-standard-YANG-module-for-the-feature-for-northbound-APIs)
+ * [5.2.2 Define the Redis schema for the new feature. (not applicable for legacy/existing feature)](#522-Define-the-Redis-schema-for-the-new-feature-not-applicable-for-legacyexisting-feature)
+ * [5.2.3 Define Config Validation YANG schema](#523-Define-Config-Validation-YANG-schema)
+ * [5.2.4 Generation of REST server stubs and Client SDKs for YANG based APIs](#524-Generation-of-REST-server-stubs-and-Client-SDKs-for-YANG-based-APIs)
+ * [5.2.5 Config Translation App (Go language)](#525-Config-Translation-App-Go-language)
+ * [5.2.6 IS CLI](#526-IS-CLI)
+ * [5.2.7 gNMI](#527-gNMI)
+* [6 Error Handling](#6-error-handling)
+* [7 Serviceability and Debug](#7-serviceability-and-debug)
+* [8 Warm Boot Support](#8-warm-boot-support)
+* [9 Scalability](#9-scalability)
+* [10 Unit Test](#10-unit-test)
+* [11 Appendix A](#11-appendix-a)
+* [12 Appendix B](#11-appendix-b)
+
+
+## List of Tables
+
+[Table 1: Abbreviations](#table-1-abbreviations)
+
+## Revision
+
+| Rev | Date | Author | Change Description |
+|:---:|:-----------:|:-----------------------:|-----------------------------------|
+| 0.1 | 06/13/2019 | Anand Kumar Subramanian | Initial version |
+| 0.2 | 07/05/2019 | Prabhu Sreenivasan | Added gNMI, CLI content from DELL |
+| 0.3 | 08/05/2019 | Senthil Kumar Ganesan | Updated gNMI content |
+| 0.4 | 08/07/2019 | Arun Barboza | Clarifications on Table CAS |
+| 0.5 | 08/07/2019 | Anand Kumar Subramanian | Translib Subscribe support |
+| 0.6 | 08/08/2019 | Kwangsuk Kim | Updated Developer Workflow and CLI sections |
+| 0.7 | 08/09/2019 | Partha Dutta | Updated Basic Approach under Design Overview |
+| 0.8 | 08/15/2019 | Anand Kumar Subramanian | Addressed review comments |
+| 0.9 | 08/19/2019 | Partha Dutta | Addressed review comments related to CVL |
+| 0.10 | 09/25/2019 | Kwangsuk Kim | Updated Transformer section |
+| 0.11 | 09/30/2019 | Partha Dutta | Updated as per SONiC YANG guideline |
+| 0.12 | 10/19/2019 | Senthil Kumar Ganesan | Added Appendix B |
+
+## About this Manual
+
+This document provides general information about the Management framework feature implementation in SONiC.
+
+## Scope
+
+This document describes the high level design of Management framework feature.
+
+## Definition/Abbreviation
+
+### Table 1: Abbreviations
+
+| **Term** | **Meaning** |
+|--------------------------|-------------------------------------|
+| CVL | Config Validation Library |
+| NBI | North Bound Interface |
+| ABNF | Augmented Backus-Naur Form |
+| YANG | Yet Another Next Generation |
+| JSON | Java Script Object Notation |
+| XML | eXtensible Markup Language |
+| gNMI | gRPC Network Management Interface |
+| YGOT | YANG Go Tools |
+
+## 1 Feature Overview
+
+Management framework is a SONiC application which is responsible for providing various common North Bound Interfaces (NBIs) for the purposes of managing configuration and status on SONiC switches. The application manages coordination of NBI’s to provide a coherent way to validate, apply and show configuration.
+
+### 1.1 Requirements
+
+* Must provide support for:
+
+ 1. Standard [YANG](https://tools.ietf.org/html/rfc7950) models (e.g. OpenConfig, IETF, IEEE)
+ 2. Custom YANG models ([SONiC YANG](https://github.com/Azure/SONiC/blob/master/doc/mgmt/SONiC_YANG_Model_Guidelines.md))
+ 3. Industry-standard CLI / Cisco like CLI
+
+* Must provide support for [OpenAPI spec](https://swagger.io/specification/) to generate REST server side code
+* Must provide support for NBIs such as:
+
+ 1. CLI
+ 2. gNMI
+ 3. REST/RESTCONF
+
+* Must support the following security features:
+
+ 1. Certificate-based authentication
+ 2. User/password based authentication
+ 3. Role based authorization
+
+* Ease of use for developer workflow
+
+ 1. Specify data model and auto-generate as much as possible from there
+
+* Must support Validation and Error Handling - data model, platform capability/scale, dynamic resources
+* SNMP integration in SONiC is left for future study
+
+### 1.2 Design Overview
+
+Management framework makes use of the translation library (Translib) written in golang to convert the data models exposed to the management clients into the Redis ABNF schema format. Supported management servers can make use of the Translib to convert the incoming payload to SONiC ABNF schema and vice versa depending on the incoming request. Translib will cater to the needs of REST and gNMI servers. Later the Translib can be enhanced to support other management servers if needed. This framework will support both standard and custom YANG models for communication with the corresponding management servers. Management framework will also take care of maintaining data consistency, when writes are performed from two different management servers at the same time. Management framework will provide a mechanism to authenticate and authorize any incoming requests. Management framework will also take care of validating the requests before writing them into the Redis DB. Config Validation Library is used for syntactic and semantic validation of ABNF JSON based on YANG derived from Redis ABNF schema.
+
+#### 1.2.1 Basic Approach
+
+* Management framework takes comprehensive approach catering:
+ * Standard based YANG Models and custom YANG
+ * Open API spec
+ * Industry standard CLI
+ * Config Validation
+* REST server, gNMI server, App module and Translib - all in Go
+* Translation by using the Translib Library and application specific modules
+* Marshalling and unmarshalling using YGOT
+* Redis updated using CAS(Check-and-Set) trans. (No locking, No rollback)
+* Config Validation by using YANG model from ABNF schema
+* CLI with Klish framework
+
+#### 1.2.2 Container
+
+The management framework is designed to run in a single container named “sonic-mgmt-framework”. The container includes the REST server linked with Translib, and CLI process.
+The gNMI support requires the gNMI server which is provided as a part of sonic-telemetry container. We would like to rename this container as the sonic-gnmi container as now it can perform configurations as well through the gNMI server.
+
+## 2 Functionality
+
+### 2.1 Target Deployment Use Cases
+
+1. Industry Standard CLI which will use REST client to talk to the corresponding servers to send and receive data.
+2. REST client through which the user can perform POST, PUT, PATCH, DELETE, GET operations on the supported YANG paths.
+3. gNMI client with support for capabilities, get, set, and subscribe based on the supported YANG models.
+
+## 3 Design
+
+### 3.1 Overview
+
+The SONiC management framework comprises two workflows:
+
+1. Build time flow
+2. Run time flow
+
+as show in the architecture diagram below.
+
+
+
+#### 3.1.1 Build time flow
+
+The Developer starts by defining the desired management objects and the access APIs to provide for the target application. This can be done in one of the two ways: -
+1) A YANG data model
+2) An OpenAPI spec
+
+This can be an independent choice on an application by application basis. However note that using YANG allows for richer data modelling, and therefore superior data validation.
+
+1. In case of YANG, if the developer chooses standard YANG model (Openconfig, IETF etc.), a separate SONiC YANG model has to be written based on Redis ABNF schema for validating Redis configuration and transformer hints should be written in a deviation file for standard YANG model to Redis DB coversion and vice versa (refer to [3.2.2.7 Transformer](#3227-transformer) for details). However, if custom SONiC YANG model is written based on guidelines, CVL YANG is automatically derived from it and the same is used for validation purpose and there is no need of writing any deviation file for transformer hints. Based on the given YANG model as input, the pyang compiler generates the corresponding OpenAPI spec which is in turn given to the Swagger generator to generate the REST client SDK and REST server stubs in golang. The YANG data model is also provided to the [YGOT](https://github.com/openconfig/YGOT) generator to create the YGOT bindings. These are used on the interface between Translib and the selected App module. Specifically, Translib populates the binding structures based upon the incoming server payload, and the App module processes the structure accordingly. Additionally, a YANG annotation file must also be provided, for data models that do not map directly to the SONiC YANG structure. The requests in this case will be populated into the YGOT structures and passed to App module for conversion. The App module uses the YANG annotations to help convert and map YANG objects to DB objects and vice-versa.
+
+2. In case of OpenAPI spec, it is directly given to the [Swagger](https://swagger.io) generator to generate the REST client SDK and REST server stubs in golang. In this case the REST server takes care of validating the incoming request to be OpenAPI compliant before giving the same to Translib. There is no YANG, and therefore no YGOT bindings are generated or processed, and so the Translib infra will invoke the App module functions with the path and the raw JSON for App modules to convert. For configuration validation purpose, SONiC YANG model has to be written based on Redis ABNF schema.
+
+#### 3.1.2 Run time flow
+
+##### 3.1.2.1 CLI
+
+1. CLI uses the KLISH framework to provide a CLI shell. The CLI request is converted to a corresponding REST client SDK request that was generated by the Swagger generator, and is given to the REST server.
+2. The Swagger generated REST server handles all the REST requests from the client SDK and invokes a common handler for all the create, update, replace, delete and get operations along with path and payload. This common handler converts all the requests into Translib arguments and invokes the corresponding Translib provided APIs.
+3. Translib uses the value of the input (incoming) path/URI to determine the identity of the appropriate App module. It then calls that App module, passing the request as either a populated YGOT structure or as JSON, depending upon the data modelling method in use for the application (see section [3.1.1](#311-build-time-flow)).
+4. Further processing of CLI commands will be handled by Translib componenets that will be discussed in more detail in the later sections.
+
+##### 3.1.2.2 REST
+
+1. REST client will use the Swagger generated client SDK to send the request to the REST server.
+2. From then on the flow is similar to the one seen in the CLI.
+
+##### 3.1.2.3 gNMI
+
+GNMI service defines a gRPC-based protocol for the modification and retrieval of configuration from a target device, as well as the control and generation of telemetry streams from a target device to a data collection system. Refer [GNMI spec](https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-specification.md)
+
+
+
+1. Existing SONiC telemetry framework has been extended to support the new GNMI services.
+2. All 4 GNMI services are supported: Get, Set, Capabilities and Subscribe.
+3. A new transl data client is added to process the incoming YANG-based request (either standard or proprietary)
+4. The new transl data client relies on Translib infra provided to translate, get, set of the YANG objects.
+
+More details onthe GNMI server, Client and workflow provided later in the document.
+
+### 3.2 SONiC Management Framework Components
+
+Management framework components can be classified into
+
+1. Build time components
+2. Run time components
+
+#### 3.2.1 Build time components
+
+Following are the build time components of the management framework
+
+1. Pyang compiler (for YANG to OpenAPI conversion)
+2. Swagger generator
+3. YGOT generator
+4. pyang compiler (for YANG to YIN conversion)
+
+##### 3.2.1.1 YANG to OpenAPI converter
+
+##### 3.2.1.1.1 Overview
+
+Open source Python-based YANG parser called pyang is used for YANG parsing and building a Python object dictionary. A custom plugin is developed to translate this Python object dictionary into an OpenAPI spec. As of now OpenAPI spec version, 2.0 is chosen considering the maturity of the toolset available in the open community.
+
+URI format and payload is RESTCONF complaint and is based on the [RFC8040](https://tools.ietf.org/html/rfc8040). The Request and Response body is in JSON format in this release.
+
+##### 3.2.1.1.2 Supported HTTP verbs
+
+Following are the HTTP methods supported in first release.
+
+POST, PUT, PATCH, GET and DELETE.
+
+##### 3.2.1.1.3 Supported Data Nodes
+
+For each of the below-listed Data keywords nodes in the YANG model, the OpenAPI (path) will be generated in version 1
+
+* Container
+* List
+* Leaf
+* Leaf-list
+
+##### 3.2.1.1.4 Data Type Mappings
+
+ YANG Type | OpenAPI Type
+-------------|------------------
+int8 | Integer
+int16 | Integer
+int32 | Integer
+int64 | Integer
+uint8 | Integer
+uint16 | Integer
+uint32 | Integer
+uint64 | Integer
+decimal64 | Number
+String | string
+Enum | Enum
+Identityref | String (Future can be Enum)
+long | Integer
+Boolean | Boolean
+Binary | String with Format as Binary ()
+bits | integer
+
+* All list keys will be made mandatory in the payload and URI
+* YANG mandatory statements will be mapped to the required statement in OpenAPI
+* Default values, Enums are mapped to Default and Enums statements of OpenAPI
+* Currently, Swagger/OpenAPI 2.0 Specification does NOT support JSON-schema anyOf and oneOfdirectives, which means that we cannot properly treat YANG choice/case statements during conversion. As a workaround, the current transform will simply serialize all configuration nodes from the choice/case sections into a flat list of properties.
+
+##### 3.2.1.1.5 Future enhancements
+
+* Support for additional Data nodes such as RPC, Actions, and notifications(if required).
+* Support for RESTCONF query parameters such as depth, filter, etc
+* Support for other RESTCONF features such as capabilities.
+* Support for HTTPS with X.509v3 Certificates.
+* Support for a pattern in string, the range for integer types and other OpenAPI header objects defined in https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#header-object
+* Other misc OpenAPI related constraints will be added
+
+##### 3.2.1.2 Swagger generator
+
+Swagger-codegen tool (github.com/Swagger-api/Swagger-codegen) is used to generate REST server and client code from the OpenAPI definitions. It consumes the OpenAPI definitions generated from YANG files and any other manually written OpenAPI definition files.
+
+REST server is generated in Go language. Customized Swagger-codegen templates are used to make each server stub invoke a common request handler function. The common request handler will invoke Translib APIs to service the request.
+
+REST client is generated in Python language. Client applications can generate the REST client in any language using standard Swagger-codegen tool.
+
+##### 3.2.1.3 YGOT generator
+
+YGOT generator generates Go binding structures for the management YANG. The generated Go binding structures are consumed by the Translib to validate the incoming payload and help in conversion of Redis data to management YANG specific JSON output payload.
+
+##### 3.2.1.4 pyang compiler
+
+Open source pyang tool is used to compile YANG models and generate output file in required format. For example SONiC YANG model is compiled and YIN schema file is generated for validation purpose. Similarly, after compiling YANG model, OpenAPI spec file is generated for generating REST client SDK and server code using Swagger-codegen.
+
+#### 3.2.2 Run time components
+
+Following are the run time components in the management framework
+
+1. CLI
+2. REST Client SDK
+3. REST server
+4. gNMI Client
+5. gNMI server
+6. Translib
+7. Config Validation Library (CVL)
+8. Redis DB
+9. Non DB data provider
+
+##### 3.2.2.1 CLI
+
+Open source Klish is integrated into sonic-mgmt-framework container to provide the command line interface tool to perform more efficient network operations more efficiently in SONiC. Klish will provide the core functionality of command parsing, syntax validation, command help and command auto-completion. The following diagram shows how the CLI commands are built, processed, and executed.
+
+
+
+1. CLI command input from user
+2. Klish invokes the actioner script
+3. Actioner script invokes the Swagger Client SDK API to make a REST API call.
+4. Receive response fromSswagger client API and pass it to renderer scripts.
+5. Renderer scripts processes the JSON response from REST Client and optionally formats the output using a Jinja template
+6. CLI output is rendered to the console.
+
+###### 3.2.2.1.1 CLI components
+
+CLI consists of the following components.
+
+* **Open source Klish** - CLI parser framework to support Command Line Interface Shell
+* **XML files** to define CLI command line options and actions
+ * Klish uses XML to define CLI commands to build the command tree. Klish provides modular CLI tree configurations to build command trees from multiple XML files. XML elements can be defined with macros and entity references, which are then preprocessed by utility scripts to generate the expanded XML files that are ultimately used by Klish.
+* **Actioner** - Python scripts defined as a command `action`, to form the request body and invoke the swagger client API
+* **Renderer** - Python scripts defined with Jinja templates. Receives the JSON response from Swagger API and use the jinja2 template file to render and format CLI output.
+* **Preprocess scripts** - Validates XML files and applies some processing from a developer-friendly form into a "raw" form that is compatible with Klish.
+
+###### 3.2.2.1.2 Preprocessing XML files
+
+Multiple scripts are executed at build time to preprocess special XML tags/attributes - MACRO substitution, adding pipe processing, etc. - and generate target XML files in a form that is consumable by Klish.
+
+The XML files are also validated as part of compilation. `xmllint` is used to validate all the processed XML files after macro substitution and pipe processing against the detailed schema defined in `sonic-clish.xsd`. Once the XML files are fully validated and preprocessed, the target XML files are generated in the folder `${workspace}/sonic-mgmt-framework/build/cli/target/command-tree`.
+
+The following preprocessing scripts are introduced:
+* `klish_ins_def_cmd.py` - append the "exit" and "end" commands to the views of the Klish XML files
+* `klish_insert_pipe.py` - extend every show and get COMMAND with pipe option
+* `klish_platform_features_process.sh` - validate all platform XML files. Generate the entity.XML files.
+* `klish_replace_macro.py` – perform macro substitution on the Klish XML files
+
+###### 3.2.2.1.3 MACROs
+
+There are some CLI commands that can have the same set of options, where the set of XML tags would need to be repeated in all those CLI commands. Macros can be used to avoid such repetitions and to keep the options in one place, so that it is possible to make a reference to a macro in multiple command definitions. There are cases where we may need to use variations in the values of these macro options. In such cases, it is also possible to pass those XML attributes as an argument to macros and substitute those values inside the macro definition. The macro definition is referred as the ```` and `` `` tags. `klish_replace_macro.py` is used to process macros at the compile time to expand the references to the target XML files.
+The macro definition files are located in the folder `${workspace}/sonic-mgmt-framework/src/CLI/clitree/macro`.
+
+Example:
+
+Before macro substitution:
+
+```XML
+
+
+
+
+```
+
+After macro substitution:
+
+```XML
+
+
+
+
+
+
+
+
+ ...
+
+```
+
+###### 3.2.2.1.4 ENTITY
+XML files can include an ENTITY that refers to a predefined value. Entity is typically used to define platform specific values and processed by `klish_platform_features_process.sh` to prepend the ENTITY values to the target XML files. By default, there is a default file called `platform_dummy.XML` that defines a platform default ENTITY list. Note that the platform specific is not supported yet.
+
+Example: `platform_dummy.XML`
+
+```XML
+
+ START_PORT_ID
+ MAX_PORT_ID
+ START_SUB_PORT_ID
+ MAX_SUB_PORT_ID
+ MAX_MTU
+
+```
+
+The ENTITY name can be referenced in command definitions. For example, PTYPE for RANGE_MTU, used for interface commands:
+
+```XML
+` tag and run with shell commands. Klish spawns a sub-shell to interpret the instructions defined in a command's `` tag.
+The sub-shell runs the wrapper script `sonic_cli_.py`
+```
+ sonic_cli_.py [parameters . . .]
+```
+The `sonic_cli_.py` has a dispatch function to call a Swagger client method with parameters passed from user input.
+
+Example:
+```XML
+
+
+
+
+ if test "${direction-switch}" = "in"; then
+ Python $SONIC_CLI_ROOT/target/sonic-cli.py post_list_base_interfaces_interface ${access-list-name} ACL_IPV4 ${iface} ingress
+ else
+ Python $SONIC_CLI_ROOT/target/sonic-cli.py post_list_base_interfaces_interface ${access-list-name} ACL_IPV4 ${iface} egress
+ fi
+
+
+ ...
+```
+
+###### 3.2.2.1.6 Renderer scripts
+
+The actioner script receives the JSON output from the swagger client API and invokes the renderer script. The renderer script will send the JSON response to the jinja2 template file to parse the response and generate the CLI output.
+
+Example: "show acl"
+
+```
+{\% set acl_sets = acl_out['openconfig_aclacl']['acl_sets']['acl_set'] \%}
+ {\% for acl_set in acl_sets \%}
+ Name: {{ acl_set['state']['description'] }}
+ {\% endfor \%}
+ NOTE: An extra backslash is added in front of % in the above code snippet. Remove the backslash while using the actual jinja2 code in SONiC.
+```
+
+###### 3.2.2.1.7 Workflow (to add a new CLI)
+
+The following steps are to be followed when a new CLI is to be added.
+1. Create an XML file that defines CLI command and parameters that the command requires.
+2. Define the CLI help string to be displayed and datatype for the parameters. New parameter types (PTYPES), macros, and entities can be defined and used in the XML files. Valid XML tags are defined in the `sonic-clish.xsd` file.
+3. Add the shell commands to `` tag to run the wrapper script with the Swagger client method name and parameters
+4. Add the code to the wrapper script to construct the payload in `generate_body()` and handle the response
+5. For ‘show’ commands, create a Jinja template to format the output
+
+
+##### 3.2.2.2 REST Client SDK
+
+Framework provides swagger-codegen generated Python client SDK. Developers can generate client SDK code in other programming languages from the OpenAPI definitions as required.
+
+Client applications can use swagger generated client SDK or any other REST client tool to communicate with the REST server.
+
+##### 3.2.2.3 gNMI Client
+
+SONiC Teleletry service provides the gNMI server, while the client must be provided by the user.
+
+GNMI client developed by JipanYANG.(github.com/jipanYANG/gnxi/gnmi_get, github.com/jipanYANG/gnxi/gnmi_set)
+is used for testing. gnmi_get and gnmi_set code has been changed to handle module name.
+
+Note: Although the GRPC protocol allows for many encodings and models to be used, our usage is restricted to JSON encoding.
+
+Supported RPC Operations:
+-------------------------
+- Get: Get one or more paths and have value(s) returned in a GetResponse.
+- Set: Update, replace or delete objects
+ + Update: List of one or more objects to update
+ + Replace: List of one or objects to replace existing objects, any unspecified fields wil be defaulted.
+ + Delete: List of one or more object paths to delete
+- Capabilities: Return gNMI version and list of supported models
+- Subscribe:
+ + Subscribe to paths using either streaming or poll, or once based subscription, with either full current state or updated values only.
+ * Once: Get single subscription message.
+ * Poll: Get one subscription message for each poll request from the client.
+ * Stream: Get one subscription message for each object update, or at each sample interval if using sample mode. target_defined uses the values pre-configured for that particular object.
+
+
+Example Client Operations:
+--------------------------
+Using opensource clients, these are example client operations. The .json test payload files are available here: https://github.com/project-arlo/sonic-mgmt-framework/tree/master/src/Translib/test
+
+Get:
+----
+`./gnmi_get -xpath /openconfig-acl:acl/interfaces -target_addr 127.0.0.1:8080 -alsologtostderr -insecure true -pretty`
+
+Set:
+----
+Replace:
+--------
+ `./gnmi_set -replace /openconfig-acl:acl/:@./test/01_create_MyACL1_MyACL2.json -target_addr 127.0.0.1:8080 -alsologtostderr -insecure true -pretty`
+Delete:
+-------
+ `./gnmi_set -delete /openconfig-acl:acl/ -target_addr 127.0.0.1:8080 -insecure`
+
+Subscribe:
+----------
+Streaming sample based:
+-----------------------
+`./gnmi_cli -insecure -logtostderr -address 127.0.0.1:8080 -query_type s -streaming_sample_interval 3000000000 -streaming_type 2 -q /openconfig-acl:acl/ -v 0 -target YANG`
+
+Poll based:
+-----------
+`./gnmi_cli -insecure -logtostderr -address 127.0.0.1:8080 -query_type p -polling_interval 1s -count 5 -q /openconfig-acl:acl/ -v 0 -target YANG`
+
+Once based:
+-----------
+`./gnmi_cli -insecure -logtostderr -address 127.0.0.1:8080 -query_type o -q /openconfig-acl:acl/ -v 0 -target YANG`
+
+##### 3.2.2.4 REST Server
+
+The management REST server is a HTTP server implemented in Go language.
+It supports following operations:
+
+* RESTCONF APIs for YANG data
+* REST APIs for manual OpenAPI definitions
+
+###### 3.2.2.4.1 Transport options
+
+REST server supports only HTTPS transport and listens on default port 443.
+Server port can be changed through an entry in CONFIG_DB REST_SERVER table.
+Details are in [DB Schema](#3_2_2_4_14-db-schema) section.
+
+HTTPS certificates are managed similar to that of existing gNMI Telemetry program.
+Server key, certificate and CA certificate file paths are configured in CONFIG_DB
+DEVICE_METATDATA table entry. Same certificate is used by both gNMI Telemetry and
+REST server.
+
+###### 3.2.2.4.2 Translib linking
+
+REST server will statically link with Translib. For each REST request, the server
+invokes Translib API which then invokes appropriate App module to process the request.
+Below is the mapping of HTTP operations to Translib APIs:
+
+ HTTP Method | Translib API | Request data | Response data
+-------------|------------------|---------------|---------------
+ GET | Translib.Get | path | status, payload
+ POST | Translib.Create | path, payload | status
+ PATCH | Translib.Update | path, payload | status
+ PUT | Translib.Replace | path, payload | status
+ DELETE | Translib.Delete | path | status
+
+More details about Translib APIs are in section [3.2.2.6](#3_2_2_6-Translib).
+
+###### 3.2.2.4.3 Media Types
+
+YANG defined RESTCONF APIs support **application/yang-data+json** media type.
+Request and response payloads follow [RFC7951](https://tools.ietf.org/html/rfc7951)
+defined encoding rules. Media type **application/yang-data+xml** is not supported
+in first release.
+
+OpenAPI defined REST APIs can use any media type depending on App module
+implementation. However content type negotiation is not supported by REST server.
+A REST API should not be designed to consume or produce multiuple content types.
+OpenAPI definition for each REST API should have maximun one cone media type in
+its "consumes" and "produces" statements.
+
+###### 3.2.2.4.4 Payload Validations
+
+REST server does not validate request payload for YANG defined RESTCONF APIs.
+Payload will be validated automatically in lower layers when it gets loaded
+into YGOT bindings.
+
+For OpenAPI defined REST APIs the REST server will provide limited payload
+validation. JSON request payloads (content type **application/json**) will be
+validated against the schema defined in OpenAPI. Response data and non-JSON
+request data are not validated by the REST server - this is left to the App module.
+
+###### 3.2.2.4.5 Concurrency
+
+REST server will accept concurrent requests. Translib provides appropriate locking mechanism - parallel reads and sequential writes.
+
+###### 3.2.2.4.6 API Versioning
+
+REST server will allow clients to specify API version through a custom HTTP header "Accept-Version". However API versioning feature will be supported only in a future release. The server will ignore the version information in current release.
+
+ Accept-Version: 2019-06-20
+ Accept-Version: 1.0.3
+
+REST server will extract version text from the request header and pass it to the Translib API as metadata. App modules can inspect the version information and act accordingly.
+
+For YANG defined RESTCONF APIs, the version is the latest YANG revision date. For manual OpenAPI definitions developer can define version text in any appropriate format.
+
+###### 3.2.2.4.7 RESTCONF Entity-tag
+
+REST server will support RESTCONF entity-tag and last-modified timestamps in next release. server will not process or send corresponding request, response headers in first release.
+Note that entity-tag and last-modified timestamps will be supported only for top level datastore node (/restconf/data). Per resource entity tags and timestamps will not be supported. Global entity tag and timestamp are used for configuration resources.
+
+###### 3.2.2.4.8 RESTCONF Discovery
+
+server will support RESTCONF root resource discovery as described in [RFC8040, section 3.1](https://tools.ietf.org/html/rfc8040#page-18). RESTCONF root resource will be "/restconf".
+
+YANG module library discovery as per [RFC7895](https://tools.ietf.org/html/rfc7895) will be supported in a future release.
+
+###### 3.2.2.4.9 RESTCONF Query Parameters
+
+RESTCONF Query Parameters will be supported in future release. All query parameters will be ignored by REST server in this release.
+
+###### 3.2.2.4.10 RESTCONF Operations
+
+RESTCONF operations via YANG RPC are not supported in this release. They can be supported in future releases.
+
+###### 3.2.2.4.11 RESTCONF Notifications
+
+RESTCONF Notification are not supported by framework. Clients can use gNMI for monitoring and notifications.
+
+###### 3.2.2.4.12 Authentication
+
+REST server will support below 3 authentication modes.
+
+* No authentication
+* TLS Certificate authentication
+* Username/password authentication
+
+Only one mode can be active at a time. Administrator can choose the authentication mode through ConfigDB REST_SERVER table entry. See [DB Schema](#3_2_2_4_14-db-schema) section.
+
+###### 3.2.2.4.12.1 No Authentication
+
+This is the default mode. REST server will not authenticate the client; all requests will be processed. It should not be used in production.
+
+###### 3.2.2.4.12.2 Certificate Authentication
+
+In this mode TLS public certificate of the client will be used to authenticate the client. Administrator will have to pre-provision the CA certificate in ConfigDB DEVICE_METADATA|x509 entry. REST server will accept a request only if the client TLS certificate is signed by that CA.
+
+###### 3.2.2.4.12.3 User Authentication
+
+In this mode REST server expects the client to provide user credentials in every request. server will support HTTP Basic Authentication method to accept user credentials.
+
+REST server will integrate with Linux PAM to authenticate and authorize the user. PAM may internally use native user database or TACACS+ server based on system configuration. REST write requests will be allowed only if the user belong to admin group. Only read operations will be allowed for other users.
+
+Performing TACACS+ authentication for every REST request can slow down the APIs. This will be optimized through JSON Web Token (JWT) or a similar mechanism in future release.
+
+###### 3.2.2.4.13 Error Response
+
+REST server sends back HTTP client error (4xx) or server error (5xx) status when request processing
+fails. Response status and payload will be as per RESTCONF specifications - [RCF8040, section7](https://tools.ietf.org/html/rfc8040#page-73).
+Error response data will be a JSON with below structure. Response Content-Type will be
+"application/yang-data+json".
+
+ +---- errors
+ +---- error*
+ +---- error-type "protocol" or "application"
+ +---- error-tag string
+ +---- error-app-tag? string
+ +---- error-path? xpath
+ +---- error-message? string
+
+Note: REST server will not populate error-app-tag and error-path fields in this release. It can be
+enhanced in a future release. A sample error response:
+
+ {
+ "ietf-restconf:errors" : {
+ "error" : [
+ {
+ "error-type" : "application",
+ "error-tag" : "invalid-value",
+ "error-message" : "VLAN 100 not found"
+ }
+ ]
+ }
+ }
+
+**error-type** can be either "protocol" or "application", indicating the origin of the error.
+RESTCONF defines two more error-type enums "transport" and "rpc"; they are not used by REST server.
+
+**error-tag** indicates nature of error as described in [RFC8040, section 7](https://tools.ietf.org/html/rfc8040#page-74).
+
+**error-message** field carries a human friendly error message that can be displayed to the end
+user. This is an optional field; system error do not include error-message, or have generic
+messages like "Internal error". App module developer should use human friendly messages while
+returning application errors. In case of CVL constraint violation the REST server will pick
+the error message from the YANG "error-message" statement of CVL schema YANG.
+
+Table below lists possible error conditions with response status and data returned by REST server.
+
+Method | Error condition | Status | error-type | error-tag | error-message
+--------|--------------------------|--------|-------------|------------------|----------------------
+*any* | Incorrect request data | 400 | protocol | invalid-value |
+*write* | Bad content-type | 415 | protocol | invalid-value | Unsupported content-type
+*write* | OpenAPI schema validation fails | 400 | protocol| invalid-value | Content not as per schema
+*write* | YGOT schema validation fails | 400 | protocol| invalid-value | *YGOT returned message*
+*any* | Invalid user credentials | 401 | protocol | access-denied | Authentication failed
+*write* | User is not an admin | 403 | protocol | access-denied | Authorization failed
+*write* | Translib commit failure | 409 | protocol | in-use |
+*any* | Unknown HTTP server failure | 500 | protocol | operation-failed | Internal error
+*any* | Not supported by App module | 405 | application | operation-not-supported | *App module returned message*
+*any* | Incorrect payload | 400 | application | invalid-value | *App module returned message*
+*any* | Resource not found | 404 | application | invalid-value | *App module returned message*
+POST | Resource exists | 409 | application | resource-denied | *App module returned message*
+*any* | Unknown error in Translib | 500 | application | operation-failed | Internal error
+*any* | Unknown App module failure | 500 | application | operation-failed | *App module returned message*
+*any* | CVL constraint failure | 500 | application | invalid-value | *error-message defined in SONiC YANG*
+
+
+###### 3.2.2.4.14 DB Schema
+
+A new table "REST_SERVER" will be introduced in ConfigDB for maintaining REST server configurations. Below is the schema for this table.
+
+ key = REST_SERVER:default ; REST server configurations.
+ ;field = value
+ port = 1*5DIGIT ; server port - defaults to 443
+ client_auth = "none"/"user"/"cert" ; Client authentication mode.
+ ; none: No authentication, all clients
+ ; are allowed. Should be used only
+ ; for debugging. Default.
+ ; user: Username/password authentication
+ ; via PAM.
+ ; cert: Certificate based authentication.
+ ; Client's public certificate should
+ ; be registered on this server.
+ log_level = DIGIT ; Verbosity for glog.V logs
+
+###### 3.2.2.4.15 API Documentation
+
+REST server will provide [Swagger UI](https://github.com/swagger-api/swagger-ui) based online
+documentation and test UI for all REST APIs it supports. Documentation can be accessed by launching
+URL **https://*REST_SERVER_IP*/ui** in a browser. This page will list all supported OpenAPI
+definition files (both YANG generated and manual) along with link to open Swagger UI for them.
+
+
+##### 3.2.2.5 gNMI server
+
+1. gNMI server is part of the telemetry process that supports telemtry as well as gNMI.
+2. The gRPC server opens a TCP port and allows only valid mutually authenticated TLS connections, which requires valid Client, server and CA Certificates be installed as well a properly configured DNS. Multiple simultaneous connections are allowed to gNMI server.
+3. The gNMI Agent uses the db client, as well as the non-db client to access and modify data directly in the Redis DB.
+4. The Translib client is used to provide alternative models of access such as Openconfig models as opposed to the native Redis schema, as long as the Translib supports these models. Translib offers bidirectional translation between the native Redis model and the desired north bound model, as well as notifications/updates on these model objects to support telemetry and asynchronous updates, alarms and events. Translib should also provide information about what models it supports so that information can be returned in gNMI Capabilities response.
+5. The gNMI server defines the four RPC functions as required by the gNMI Specification: Get, Set, Capabilities and Subscribe.
+6. Since the db, non-db and Translib clients offer the functionality to support these functions, gNMI only has to translate the paths and object payloads into the correct parameters for the client calls and package the results back into the response gNMI objects to return to the gNMI Client, which is a straightforward operation, since no additional processing of the data is expected to be done in the gNMI server itself. When new models are added to Translib, no additional work should be required to support them in gNMI server.
+7. All operations in a Set request are processed in a single transaction that will either succeed or fail as one operation. The db, non-db and Translib clients must support a Bulk operation in order to achieve the transactional behavior. gNMI server then must use this Bulk operation for Set requests.
+8. Subscribe operations: Once, Poll and Stream require that the gRPC connection remain open until the subscription is completed. This means many connections must be supported. Subscribe offers several options, such as only sending object updates (not the whole object) which requires support form the db clients. Subscribe also allows for periodic sampling defined by the client. This must be handled in the gNMI agent itself. This requires a timer for each subscribe connection of this type in order to periodically poll the db client and return the result in a Subscribe Response. These timers should be destroyed when the subscription gRPC connection is closed.
+
+###### 3.2.2.5.1 Files changed/added:
+
+ |-- gnmi_server
+ | |-- client_subscribe.go
+ | |-- server.go ------------------- MODIFIED (Handles creation of transl_data_client for GET/SET/CAPABILITY)
+ | |-- server_test.go
+ |-- sonic_data_client
+ | |-- db_client.go ---------------- MODIFIED (Common interface Stub code for new functions as all data clients implement common interface functions)
+ | |-- non_db_client.go ------------ MODIFIED (Common interface Stub code for new functions as all data clients implement common interface functions)
+ | |-- transl_data_client.go ------- ADDED (Specific processing for GET/SET/CAPABILITY for transl data clients)
+ | |-- trie.go
+ | |-- virtual_db.go
+ |
+ |-- transl_utils -------------------- ADDED
+ |-- transl_utils.go ------------- ADDED (Layer for invoking Translib API's)
+
+###### 3.2.2.5.2 Sample Requests
+
+go run gnmi_get.go -xpath /openconfig-acl:acl/acl-sets/acl-set[name=MyACL4][type=ACL_IPV4]/acl-entries/acl-entry[sequence-id=1] -target_addr 10.130.84.34:8081 -alsologtostderr -insecure true -pretty
+
+go run gnmi_set.go -replace /openconfig-acl:acl/acl-sets/acl-set[name=MyACL4][type=ACL_IPV4]/acl-entries/acl-entry=2/actions/config:@openconfig.JSON -target_addr 10.130.84.34:8081 -alsologtostderr -insecure true -pretty
+
+go run gnmi_capabilities.go -target_addr 10.130.84.34:8081 -alsologtostderr -insecure true -pretty
+
+##### 3.2.2.6 Translib
+
+Translib is a library that adapts management server requests to SONiC data providers and vice versa. Translib exposes the following APIs for the management servers to consume.
+
+ func Create(req SetRequest) (SetResponse, error)
+ func Update(req SetRequest) (SetResponse, error)
+ func Replace(req SetRequest) (SetResponse, error)
+ func Delete(req SetRequest) (SetResponse, error)
+ func Get(req GetRequest) (GetResponse, error)
+ func Subscribe(paths []string, q *queue.PriorityQueue, stop chan struct{}) ([]*IsSubscribeResponse, error)
+ func IsSubscribeSupported(paths []string) ([]*IsSubscribeResponse, error)
+ func GetModels() ([]ModelData, error)
+
+ Translib Structures:
+ type ErrSource int
+
+ const(
+ ProtoErr ErrSource = iota
+ AppErr
+ )
+
+ type SetRequest struct{
+ Path string
+ Payload []byte
+ }
+
+ type SetResponse struct{
+ ErrSrc ErrSource
+ }
+
+ type GetRequest struct{
+ Path string
+ }
+
+ type GetResponse struct{
+ Payload []byte
+ ErrSrc ErrSource
+ }
+
+ type SubscribeResponse struct{
+ Path string
+ Payload []byte
+ Timestamp int64
+ SyncComplete bool
+ IsTerminated bool
+ }
+
+ type NotificationType int
+
+ const(
+ Sample NotificationType = iota
+ OnChange
+ )
+
+ type IsSubscribeResponse struct{
+ Path string
+ IsOnChangeSupported bool
+ MinInterval int
+ Err error
+ PreferredType NotificationType
+ }
+
+ type ModelData struct{
+ Name string
+ Org string
+ Ver string
+ }
+
+Translib has the following sub modules to help in the translation of data
+
+1. App Interface
+2. Translib Request Handlers
+3. YGOT request binder
+4. DB access layer
+5. App Modules
+6. Transformer
+
+###### 3.2.2.6.1 App Interface
+
+App Interface helps in identifying the App module responsible for servicing the incoming request. It provides the following APIs for the App modules to register themselves with the App interface during the initialization of the app modules.
+
+ func Register(path string, appInfo *AppInfo) error
+ This method can be used by any App module to register itself with the Translib infra.
+ Input Parameters:
+ path - base path of the model that this App module services
+ appInfo - This contains the reflect types of the App module structure that needs to be instantiated for each request, corresponding YGOT structure reflect type to instantiate the corresponding YGOT structure and boolean indicating if this is native App module to differentiate between OpenAPI spec servicing App module and the YANG serving App module.
+ Returns:
+ error - error string
+ func AddModel(model *gnmi.ModelData) error
+ This method can be used to register the models that the App module supports with the Translib infra.
+ Input Parameters:
+ model - Filled ModelData structure containing the Name, Organisation and version of the model that is being supported.
+ Returns:
+ error - error string
+
+ App Interface Structures:
+ //Structure containing App module information
+ type AppInfo struct {
+ AppType reflect.Type
+ YGOTRootType reflect.Type
+ IsNative bool
+ tablesToWatch []*db.TableSpec
+ }
+
+ Example Usages:
+ func init () {
+ log.Info("Init called for ACL module")
+ err := register("/openconfig-acl:acl",
+ &appInfo{appType: reflect.TypeOf(AclApp{}),
+ ygotRootType: reflect.TypeOf(ocbinds.OpenconfigAcl_Acl{}),
+ isNative: false,
+ tablesToWatch: []*db.TableSpec{&db.TableSpec{Name: ACL_TABLE}, &db.TableSpec{Name: RULE_TABLE}}})
+
+ if err != nil {
+ log.Fatal("Register ACL App module with App Interface failed with error=", err)
+ }
+
+ err = appinterface.AddModel(&gnmi.ModelData{Name:"openconfig-acl",
+ Organization:"OpenConfig working group",
+ Version:"1.0.2"})
+ if err != nil {
+ log.Fatal("Adding model data to appinterface failed with error=", err)
+ }
+ }
+
+ type AclApp struct {
+ path string
+ YGOTRoot *YGOT.GoStruct
+ YGOTTarget *interface{}
+ }
+
+Translib request handlers use the App interface to get all the App module information depending on the incoming path as part of the requests.
+
+###### 3.2.2.6.2 Translib Request Handler
+
+These are the handlers for the APIs exposed by the Translib. Whenever a request lands in the request handler, the handler uses the App interface to get the App module that can process the request based on the incoming path. It then uses the YGOT binder module, if needed, to convert the incoming path and payload from the request into YGOT structures. The filled YGOT structures are given to the App Modules for processing. The Translib also interacts with the DB access layer to start, commit and abort a transaction.
+
+###### 3.2.2.6.3 YGOT request binder
+
+The YGOT request binder module uses the YGOT tools to perform the unmarshalling and validation. YGOT (YANG Go Tools) is an open source tool and it has collection of Go utilities which are used to
+
+ 1. Generate a set of Go structures for bindings for the given YANG modules at build time
+ 2. Unmarshall the given request into the Go structure objects. These objects follows the same hierarchical structure defined in the YANG model, and it's simply a data instance tree of the given request, but represented using the generated Go structures
+ 3. Validate the contents of the Go structures against the YANG model (e.g., validating range and regular expression constraints).
+ 4. Render the Go structure objects to an output format - such as JSON.
+
+This RequestBinder module exposes the below mentioned APIs which will be used to unmarshall the request into Go structure objects, and validate the request
+
+ func getRequestBinder(uri *string, payload *[]byte, opcode int, appRootNodeType *reflect.Type) *requestBinder
+ This method is used to create the requestBinder object which keeps the given request information such as uri, payload, App module root type, and unmarshall the same into object bindings
+ Input parameters:
+ uri - path of the target object in the request.
+ payload - payload content of given the request and the type is byte array
+ opcode - type of the operation (CREATE, DELETE, UPDATE, REPLACE) of the given request, and the type is enum
+ appRootNodeType - pointer to the reflect.Type object of the App module root node's YGOT structure object
+ Returns:
+ requestBinder - pointer to the requestBinder object instance
+
+ func (binder *requestBinder) unMarshall() (*YGOT.GoStruct, *interface{}, error)
+ This method is be used to unmarshall the request into Go structure objects, and validates the request against YANG model schema
+ Returns:
+ YGOT.GoStruct - root Go structure object of type Device.
+ interface{} - pointer to the interface type of the Go structure object instance of the given target path
+ error - error object to describe the error if the unmarshalling fails, otherwise nil
+
+Utilities methods:
+These utilities methods provides below mentioned common operations on the YGOT structure which are needed by the App module
+
+ func getParentNode(targetUri *string, deviceObj *ocbinds.Device) (*interface{}, *YANG.Entry, error)
+ This method is used to get parent object of the given target object's uri path
+ Input parameters:
+ targetUri - path of the target URI
+ deviceObj - pointer to the base root object Device
+ Returns
+ interface{} - pointer to the parent object of the given target object's URI path
+ YANG.Entry - pointer to the YANG schema of the parent object
+ error - error object to describe the error if this methods fails to return the parent object, otherwise nil
+
+ func getNodeName(targetUri *string, deviceObj *ocbinds.Device) (string, error)
+ This method is used to get the YANG node name of the given target object's uri path.
+ Input parameters:
+ targetUri - path of the target URI
+ deviceObj - pointer to the base root object Device
+ Returns:
+ string - YANG node name of the given target object
+ error - error object to describe the error if this methods fails to return the parent object, otherwise nil
+
+ func getObjectFieldName(targetUri *string, deviceObj *ocbinds.Device, YGOTTarget *interface{}) (string, error)
+ This method is used to get the go structure object field name of the given target object.
+ Input parameters:
+ targetUri - path of the target URI
+ deviceObj - pointer to the base root object Device
+ YGOTTarget - pointer to the interface type of the target object.
+ Returns:
+ string - object field name of the given target object
+ error - error object to describe the error if this methods fails to perform the desired operation, otherwise nil
+
+###### 3.2.2.6.4 DB access layer
+
+The DB access layer implements a wrapper over the [go-redis](https://github.com/go-redis/redis) package
+enhancing the functionality in the following ways:
+
+ * Provide a sonic-py-swsssdk like API in Go
+ * Enable support for concurrent access via Redis CAS (Check-And-Set)
+ transactions.
+ * Invoke the CVL for validation before write operations to the Redis DB
+
+The APIs are broadly classified into the following areas:
+
+ * Initialization/Close: NewDB(), DeleteDB()
+ * Read : GetEntry(), GetKeys(), GetTable()
+ * Write : SetEntry(), CreateEntry(), ModEntry(), DeleteEntry()
+ * Transactions : StartTx(), CommitTx(), AbortTx()
+ * Map : GetMap(), GetMapAll()
+ * Subscriptions : SubscribeDB(), UnsubscribeDB()
+
+Detail Method Signature:
+ Please refer to the code for the detailed method signatures.
+
+Concurrent Access via Redis CAS transactions:
+
+ Upto 4 levels of concurrent write access support.
+
+ 1. Table based watch keys (Recommended):
+ At App module registration, the set of Tables that are to be managed by
+ the module are provided. External (i.e. non-Management-Framework)
+ applications may choose to watch and set these same table keys to detect
+ and prevent concurrent write access. The format of the table key is
+ "CONFIG_DB_UPDATED_". (Eg: CONFIG_DB_UPDATED_ACL_TABLE)
+
+ 2. Row based watch keys:
+ For every transaction, the App module provides a list of keys that it
+ would need exclusive access to for the transaction to succeed. Hence,
+ this is more complex for the app modules to implement. The external
+ applications need not be aware of table based keys. However, the
+ concurrent modification of yet to be created keys (i.e. keys which are
+ not in the DB, but might be created by a concurrent application) may not
+ be detected.
+
+ 3. A combination of 1. and 2.:
+ More complex, but easier concurrent write access detection.
+
+ 4. None:
+ For applications not needing concurrent write access protections.
+
+
+DB access layer, Redis, CVL Interaction:
+
+ DB access | PySWSSSDK API | RedisDB Call at | CVL Call at
+ | | at CommitTx | invocation
+ ----------------|------------------|-------------------|--------------------
+ SetEntry(k,v) | set_entry(k,v) | HMSET(fields in v)|If HGETALL=no entry
+ | | HDEL(fields !in v | ValidateEditConfig
+ | | but in | (OP_CREATE)
+ | | previous HGETALL)|
+ | | |Else
+ | | | ValidateEditConfig(
+ | | | OP_UPDATE)
+ | | | ValidateEditConfig(
+ | | | DEL_FIELDS)
+ ----------------|------------------|-------------------|--------------------
+ CreateEntry(k,v)| none | HMSET(fields in v)| ValidateEditConfig(
+ | | | OP_CREATE)
+ ----------------|------------------|-------------------|--------------------
+ ModEntry(k,v) | mod_entry(k,v) | HMSET(fields in v)| ValidateEditConfig(
+ | | | OP_UPDATE)
+ ----------------|------------------|-------------------|--------------------
+ DeleteEntry(k,v)|set,mod_entry(k,0)| DEL | ValidateEditConfig(
+ | | | OP_DELETE)
+ ----------------|------------------|-------------------|--------------------
+ DeleteEntryField| none | HDEL(fields) | ValidateEditConfig(
+ (k,v) | | | DEL_FIELDS)
+
+
+##### 3.2.2.7 Transformer
+
+Transformer provides the underlying infrastructure for developers to translate data from YANG to ABNF/Redis schema and vice versa, using YANG extensions annotated to YANG paths to provide translation methods. At run time, the YANG extensions are mapped to an in-memory Transformer Spec that provides two-way mapping between YANG and ABNF/Redis schema for Transformer to perform data translation while processing SET/GET operations.
+
+In case that SONiC YANG modules are used by NBI applications, the Transformer performs 1:1 mapping between a YANG object and a SONiC DB object without a need to write special translation codes. If the openconfig YANGs are used by NBI applications, you may need special handling to translate data between YANG and ABNF schema. In such case, you can annotate YANG extensions and write callbacks to perform translations where required.
+
+For special handling, a developer needs to provide:
+1. An annotation file to define YANG extensions on YANG paths where translation required
+e.g. In openconfig-acl.yang, ACL FORWARDING_ACTION "ACCEPT" mapped to "FORWARD", ACL sequence id ‘1’ mapped to ‘RULE_1’ in Redis DB etc.
+2. Transformer callbacks to perform translation
+
+###### 3.2.2.7.1 Components
+
+Transformer consists of the following components and data:
+* **Transformer Spec:** a collection of translation hints
+* **Spec Builder:** loads YANG and annotation files to dynamically build YANG schema tree and Transformer Spec.
+* **Transformer Core:** perform main transformer tasks, i.e. encode/decode YGOT, traverse the payload, lookup Transformer spec, call Transformer methods, construct the results, error reporting etc.
+* **Built-in Default Transformer method:** perform static translation
+* **Overloaded Transformer methods:** callback functions invoked by Transformer core to perform complex translation with developer supplied translation logic
+* **Ouput framer:** aggregate the translated pieces returned from default and overloaded methods to construct the output payload
+* **Method overloader:** dynamically lookup and invoke the overloaded transformer methods during data translation
+* **YANG schema tree:** provides the Transformer with the schema information that can be accessed by Transformer to get node information, like default values, parent/descendant nodes, etc.
+
+
+
+###### 3.2.2.7.2 Design
+
+Requests from Northbound Interfaces (NBI) are processed by Translib public APIs - Create, Replace, Update, Delete, (CRUD) and Get - that call a specific method on the common app module. The common app calls Transformer APIs to translate the request, then use the translated data to proceed to DB/CVL layer to set or get data in Redis DB. The **common app** as a default application module generically handles both SET (CRUD) and GET, and Subscribe requests with Transformer. Note that a specific app module can be registered to the Translib to handle the requests if needed.
+
+
+
+At Transformer init, it loads YANG modules pertaining to the applications. Transformer parses YANG modules with the extensions to dynamically build an in-memory schema tree and transformer spec.
+
+Below structure is defined for the transformer spec:
+
+```YANG
+type yangXpathInfo struct {
+ yangDataType string
+ tableName *string
+ childTable []string
+ dbEntry *yang.Entry
+ yangEntry *yang.Entry
+ keyXpath map[int]*[]string
+ delim string
+ fieldName string
+ xfmrFunc string
+ xfmrKey string
+ dbIndex db.DBNum
+ keyLevel int
+}
+```
+
+When a request lands at the common app in the form of a YGOT structure from the Translib request handler, the request is passed to Transformer that decodes the YGOT structure to read the request payload and look up the spec to get translation hints. Note that the Transformer cannot be used for OpenAPI spec. The Transformer Spec is structured with a two-way mapping to allow Transformer to map YANG-based data to ABNF data and vice-versa via reverse lookup. The reverse mapping is used to populate the data read from Redis DB to YANG structure for the response to get operation.
+
+Transformer has a built-in default transformer method to perform static, simple translation from YANG to ABNF or vice versa. It performs simple mapping - e.g. a direct name/value mapping, table/key/field name - which can be customized by a YANG extension.
+
+Additionally, for more complex translations of non-ABNF YANG models, i.e. OpenConfig models, Transformer also allows developers to overload the default method by specifying a callback fucntion in YANG extensions, to perform translations with developer-supplied translation codes as callback functions. Transformer dynamically invokes those functions instead of using default method. Each transformer callback must be defined to support two-way translation, i.e, YangToDb_
| + |  |
++ | + | + |
Following is the list of platforms that supports SONiC.
++ +
| Vendor | +Platform | +ASIC Vendor | +Switch ASIC | +Port Configuration | +Image | +
|---|---|---|---|---|---|
| Accton | +AS4630-54PE | +Broadcom | +Helix 5 | +48x1G + 4x25G + 2x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS5712-54X | +Broadcom | +Trident 2 | +72x10G | +SONiC-ONIE-Broadcom | +
| Accton | +AS5812-54X | +Broadcom | +Trident 2 | +72x10G | +SONiC-ONIE-Broadcom | +
| Accton | +AS5835-54T | +Broadcom | +Trident 3 | +48x10G + 6x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS5835-54X | +Broadcom | +Trident 3 | +48x10G + 6x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS6712-32X | +Broadcom | +Trident 2 | +32x40G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7116-54X | +Nephos | +Taurus | +48x25G + 6x100G | +SONiC-ONIE-Nephos | +
| Accton | +AS7312-54X | +Broadcom | +Tomahawk | +48x25G + 6x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7312-54XS | +Broadcom | +Tomahawk | +48x25G + 6x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7315-27XB | +Broadcom | +Qumran | +20x10G + 4x25G + 3x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7326-56X | +Broadcom | +Trident 3 | +48x25G + 8x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7512-32X | +Cavium | +XPliantCNX880** | +32x100G | +SONiC-ONIE-Cavium | +
| Accton | +AS7712-32X | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7716-32X | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7716-32XB | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7726-32X | +Broadcom | +Trident 3 | +32x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS7816-64X | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Accton | +AS9716-32D | +Broadcom | +Tomahawk 3 | +32x400G | +SONiC-ONIE-Broadcom | +
| Accton | +Minipack | +Broadcom | +Tomahawk 3 | +128x100G | +SONiC-ONIE-Broadcom | +
| Alphanetworks | +SNH60A0 | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Alphanetworks | +SNH60B0 | +Broadcom | +Tomahawk | +64x100G | +SONiC-ONIE-Broadcom | +
| Arista | +7050QX-32 | +Broadcom | +Trident 2 | +32x40G | +SONiC-Aboot-Broadcom | +
| Arista | +7050QX-32S | +Broadcom | +Trident 2 | +32x40G | +SONiC-Aboot-Broadcom | +
| Arista | +7060CX-32S | +Broadcom | +Tomahawk | +32x100G | +SONiC-Aboot-Broadcom | +
| Arista | +7060DX4-32 | +Broadcom | +Tomahawk 3 | +32x400G + 2x10G | +SONiC-Aboot-Broadcom | +
| Arista | +7060PX4-32 | +Broadcom | +Tomahawk 3 | +32x400G + 2x10G | +SONiC-Aboot-Broadcom | +
| Arista | +7170-64C | +Barefoot | +Tofino | +64x100G | +SONiC-ONIE-Barefoot | +
| Arista | +7260CX3-64 | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-Aboot-Broadcom | +
| Arista | +7280CR3-32D4 | +Broadcom | +Jericho 2 | +32x100G + 4x400G | +SONiC-Aboot-Broadcom | +
| Arista | +7280CR3-32P4 | +Broadcom | +Jericho 2 | +32x100G + 4x400G | +SONiC-Aboot-Broadcom | +
| Barefoot | +SONiC-P4 | +Barefoot | +P4 Emulated | +Configurable | +SONiC-P4 | +
| Barefoot | +Wedge 100BF-32 | +Barefoot | +Tofino | +32x100G | +SONiC-ONIE-Barefoot | +
| Barefoot | +Wedge 100BF-65X | +Barefoot | +Tofino | +32x100G | +SONiC-ONIE-Barefoot | +
| Celestica | +DX010 | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Celestica | +E1031 | +Broadcom | +Helix4 | +48x1G + 4x10G | +SONiC-ONIE-Broadcom | +
| Celestica | +midstone-200i | +Innovium | +Teralynx 7 | +128x100G | +SONiC-ONIE-Innovium | +
| Celestica | +Silverstone | +Broadcom | +Tomahawk 3 | +32x400G | +SONiC-ONIE-Broadcom | +
| Centec | +E582-48X2Q | +Centec | +Goldengate | +48x10G + 2x40G + 4x100G | +SONiC-ONIE-Centec | +
| Centec | +E582-48X6Q | +Centec | +Goldengate | +48x10G + 6x40G | +SONiC-ONIE-Centec | +
| Cig | +CS6436-56P | +Nephos | +Taurus | +48x25G + 8x100G | +SONiC-ONIE-Nephos | +
| Dell | +S5232F-C32 | +Broadcom | +Trident 3 | +32x100G | +SONiC-ONIE-Broadcom | +
| Dell | +S6000-ON | +Broadcom | +Trident 2 | +32x40G | +SONiC-ONIE-Broadcom | +
| Dell | +S6100-ON | +Broadcom | +Tomahawk | +64x40G | +SONiC-ONIE-Broadcom | +
| Dell | +Z9100-C32 | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Dell | +Z9264 | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Delta | +AG5648 | +Broadcom | +Tomahawk | +48x25G + 6x100G | +SONiC-ONIE-Broadcom | +
| Delta | +AG6248C | +Broadcom | +Helix 4 | +48x1G + 2x10G | +SONiC-ONIE-Broadcom | +
| Delta | +AG9032V1 | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Delta | +AG9032V2 | +Broadcom | +Trident 3 | +32x100G + 1x10G | +SONiC-ONIE-Broadcom | +
| Delta | +AG9064 | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Delta | +et-c032if | +Innovium | +Teralynx 7 | +32x400G | +SONiC-ONIE-Innovium | +
| Delta | +ET-6448M | +Marvell | +Prestera 98DX3255 | +48xGE + 4x10G | +SONiC-ONIE-Marvell | +
| Embedway | +ES6220 (48x10G) | +Centec | +Goldengate | +48x10G + 2x40G + 4x100G | +SONiC-ONIE-Centec | +
| Embedway | +ES6428A-X48Q2H4 | +Centec | +Goldengate | +4x100G + 2x40G + 48x10G | +SONiC-ONIE-Centec | +
| Wedge 100-32X | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +|
| Ingrasys | +S8810-32Q | +Broadcom | +Trident 2 | +32x40G | +SONiC-ONIE-Broadcom | +
| Ingrasys | +S8900-54XC | +Broadcom | +Tomahawk | +48x25G + 6x100G | +SONiC-ONIE-Broadcom | +
| Ingrasys | +S8900-64XC | +Broadcom | +Tomahawk | +48x25G + 16x100G | +SONiC-ONIE-Broadcom | +
| Ingrasys | +S9100-32X | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Ingrasys | +S9130-32X | +Nephos | +Taurus | +32x100G | +SONiC-ONIE-Nephos | +
| Ingrasys | +S9180-32X | +Barefoot | +Tofino | +32x100G | +SONiC-ONIE-Barefoot | +
| Ingrasys | +S9200-64X | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Ingrasys | +S9230-64X | +Nephos | +Taurus | +64x100G | +SONiC-ONIE-Nephos | +
| Ingrasys | +S9280-64X | +Barefoot | +Tofino | +64x100G | +SONiC-ONIE-Barefoot | +
| Inventec | +D6254QS | +Broadcom | +Trident 2 | +72x10G | +SONiC-ONIE-Broadcom | +
| Inventec | +D6356 | +Broadcom | +Trident 3 | +48x25G + 8x100G | +SONiC-ONIE-Broadcom | +
| Inventec | +D6556 | +Broadcom | +Trident 3 | +48x25G + 8x100G | +SONiC-ONIE-Broadcom | +
| Inventec | +D7032Q | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Inventec | +D7054Q | +Broadcom | +Tomahawk | +48x25G + 6x100G | +SONiC-ONIE-Broadcom | +
| Inventec | +D7264Q | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Juniper Networks | +QFX5210-64C | +Broadcom | +Tomahawk 2 | +64x100G | +SONiC-ONIE-Broadcom | +
| Marvell | +RD-ARM-48XG6CG-A4 | +Marvell | +Prestera 98EX54xx | +6x100G+48x10G | +SONiC-ONIE-Marvell | +
| Marvell | +RD-BC3-4825G6CG-A4 | +Marvell | +Prestera 98CX84xx | +6x100G+48x25G | +SONiC-ONIE-Marvell | +
| Mellanox | +SN2010 | +Mellanox | +Spectrum | +4x100G+18x25G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN2100 | +Mellanox | +Spectrum | +16x100G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN2410 | +Mellanox | +Spectrum | +48x25G+8x100G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN2700 | +Mellanox | +Spectrum | +32x100G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN2740 | +Mellanox | +Spectrum | +32x100G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN3700 | +Mellanox | +Spectrum 2 | +32x200G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN3700C | +Mellanox | +Spectrum 2 | +32x100G | +SONiC-ONIE-Mellanox | +
| Mellanox | +SN3800 | +Mellanox | +Spectrum 2 | +64x100G | +SONiC-ONIE-Mellanox | +
| Mitac | +LY1200-B32H0-C3 | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Pegatron | +Porsche | +Nephos | +Taurus | +48x25G + 6x100G | +SONiC-ONIE-Nephos | +
| Quanta | +T3032-IX7 | +Broadcom | +Trident 3 | +32x100G | +SONiC-ONIE-Broadcom | +
| Quanta | +T4048-IX8 | +Broadcom | +Trident 3 | +48x25G + 8x100G | +SONiC-ONIE-Broadcom | +
| Quanta | +T4048-IX8C | +Broadcom | +Trident 3 | +48x25G + 8x100G | +SONiC-ONIE-Broadcom | +
| Quanta | +T7032-IX1B | +Broadcom | +Tomahawk | +32x100G | +SONiC-ONIE-Broadcom | +
| Quanta | +T9032-IX9 | +Broadcom | +Tomahawk 3 | +32x400G | +SONiC-ONIE-Broadcom | +
| Wnc | +OSW1800 | +Barefoot | +Tofino | +48x25G + 6x100G | +SONiC-ONIE-Barefoot | +
+
+Note: +
-
+
- Dell S6100-ON is a modular switch that has different port configurations. Currently only the 64x40G port configuration is supported. +
- Arista devices use the Aboot boot loader instead of ONIE. It is normally pre-installed. To learn more about Aboot, please refer to their documentation here. +
- ONIE images are normally pre-installed. For DELL switches, you can find their ONIE images and instructions on Dell's website, S6000-ON, S6100-ON, Z9100-ON. +
- Please contact Marvell for details of the SKU information. +
- Please contact vendors for support and SKU information. +
- Inventec swsp@inventec.com +
- Edgecore sales@edge-core.com +
-
+
+
+
+
+ + + diff --git a/assets/css/style.css b/assets/css/style.css index f9eeac4390..8948f27abb 100644 --- a/assets/css/style.css +++ b/assets/css/style.css @@ -62,7 +62,7 @@ a { a:hover, a:focus { outline: none; - text-decoration: none; + text-decoration: underline; } h1, h2, h3, h4, h5, h6 { diff --git a/assets/img/all_partners2_1920x1320.jpg b/assets/img/all_partners2_1920x1320.jpg index f78b8ad266..dede91eb2b 100644 Binary files a/assets/img/all_partners2_1920x1320.jpg and b/assets/img/all_partners2_1920x1320.jpg differ diff --git a/contact.html b/contact.html index 5cd989f292..b1024c516f 100644 --- a/contact.html +++ b/contact.html @@ -47,61 +47,6 @@ @@ -178,7 +123,10 @@
Contact
- + + diff --git a/doc/DUT_monitor_HLD.md b/doc/DUT_monitor_HLD.md new file mode 100644 index 0000000000..bd17ca8b81 --- /dev/null +++ b/doc/DUT_monitor_HLD.md @@ -0,0 +1,252 @@ +Table of Contents + +- [Scope](#scope) +- [Overview](#overview) +- [Quality Objective](#quality-objective) +- [Module design](#module-design) + - [Overall design](#overall-design) + - [Updated directory structure](#updated-directory-structure) + - [Thresholds overview](#thresholds-overview) + - [Thresholds configuration file](#thresholds-configuration-file) + - [Thresholds template](#thresholds-template) + - [Preliminary defaults](#preliminary-defaults) +- [Pytest plugin overview](#pytest-plugin-overview) + - [Pytest option](#pytest-option) + - [Pytest hooks](#pytest-hooks) + - [Classes](#classes) +- [Interaction with dut](#interaction-with-dut) +- [Tests execution flaw](#tests-execution-flaw) +- [Extended info to print for error cases](#extended-info-to-print-for-error-cases) +- [Commands to fetch monitoring data](#commands-to-fetch-monitoring-data) +- [Possible future expansion](#possible-future-expansion) + + + +### Scope + +This document describes the high level design of verification the hardware resources consumed by a device. The hardware resources which are currently verified are CPU, RAM and HDD. + +This implementation will be integrated in test cases written on Pytest framework. + +### Overview + +During tests run test cases perform many manipulations with DUT including different Linux and SONiC configurations and sending traffic. + +To be sure that CPU, RAM and HDD resources utilization on DUT are not increasing within tests run, those parameters can be checked after each finished test case. + +Purpose of the current feature is to - verify that previously listed resources are not increasing during tests run. It achieves by performing verification after each test case. + +### Quality Objective ++ Ensure CPU consumption on DUT does not exceed threshold ++ Ensure RAM consumption on DUT does not exceed threshold ++ Ensure used space in the partition mounted to the HDD "/" root folder does not exceed threshold + +### Module design +#### Overall design +The following figure depicts current feature integration with existed Pytest framework. + + + +Newly introduced feature consists of: ++ Pytest plugin – pytest_dut_monitor.py. Plugin defines: + + pytest hooks: pytest_addoption , pytest_configure, pytest_unconfigure + + pytest fixtures: dut_ssh, dut_monitor + + DUTMonitorPlugin – class to be registered as plugin. Define pytest fixtures described above + + DUTMonitorClient - class to control DUT monitoring over SSH ++ Pytest plugin register new options: "--dut_monitor", "--thresholds_file" ++ Python module - dut_monitor.py. Which is running on DUT and collects CPU, RAM and HDD data and writes it to the log files. There will be created three new files: cpu.log, ram.log, hdd.log. + +#### Updated directory structure ++ ./sonic-mgmt/tests/plugins/\_\_init__.yml ++ ./sonic-mgmt/tests/plugins/dut_monitor/thresholds.yml ++ ./sonic-mgmt/tests/plugins/dut_monitor/pytest_dut_monitor.py ++ ./sonic-mgmt/tests/plugins/dut_monitor/dut_monitor.py ++ ./sonic-mgmt/tests/plugins/dut_monitor/errors.py ++ ./sonic-mgmt/tests/plugins/dut_monitor/\_\_init__.py + +#### Thresholds overview +To be able to verify that CPU, RAM or HDD utilization are not critical on the DUT, there is a need to define specific thresholds. + +List of thresholds: ++ Total system CPU consumption ++ Separate process CPU consumption ++ Time duration of CPU monitoring ++ Average CPU consumption during test run ++ Peak RAM consumption ++ RAM consumption delta before and after test run ++ Used disk space + +```Total system CPU consumption``` - integer value (percentage). Triggers when total peak CPU consumption is >= to defined value during “Peak CPU monitoring duration” seconds. + +```Separate process CPU consumption``` - integer value (percentage). Triggers when peak CPU consumption of any separate process is >= to defined value during “Peak CPU measurement duration” seconds. + +```Time duration of CPU monitoring``` - integer value (seconds). Time frame. Used together with total or process peak CPU consumption verification. + +```Average CPU consumption during test run``` - integer value (percentage). Triggers when the average CPU consumption of the whole system between start/stop monitoring (between start/end test) is >= to defined value. + +```Peak RAM consumption``` – integer value (percentage). Triggers when RAM consumption of the whole system is >= to defined value. + +```RAM consumption delta before and after test``` – integer value (percentage). Difference between consumed RAM before and after test case. Triggers when the difference is >= to defined value. + +```Used disk space``` - integer value (percentage). Triggers when used disk space is >= to defined value. + +#### Thresholds configuration file +Default thresholds are defined in ./sonic-mgmt/tests/plugins/dut_monitor/thresholds.yml file. + +The proposal is to define thresholds for specific platform and its hwsku. Below is template of "thresholds.yml" file, which has defined: general default thresholds, platform default thresholds, specific HWSKU thresholds. + +If HWSKU is not defined for current DUT - platform thresholds will be used. + +If platform is not defined for current DUT - default thresholds will be used. + + +##### Thresholds template example: +```code +# All fields are mandatory +default: + cpu_total: x + cpu_process: x + cpu_measure_duration: x + cpu_total_average: x + ram_peak: x + ram_delta: x + hdd_used: x + + +# Platform inherits thresholds from 'default' section +# Any threshold field can be redefined per platform specific +# In below example all defaults are redefined +platform X: + hwsku: + [HWSKU]: + cpu_total: x + cpu_process: x + cpu_measure_duration: x + cpu_total_average: x + ram_peak: x + ram_delta: x + hdd_used: x + default: + cpu_total: x + cpu_process: x + cpu_measure_duration: x + cpu_total_average: x + ram_peak: x + ram_delta: x + hdd_used: x +``` +##### Preliminary defaults +Note: need to be tested to define accurately. + + cpu_total: 90 + cpu_process: 60 + cpu_measure_duration: 10 + cpu_total_average: 90 + ram_peak: 80 + ram_delta: 1 + hdd_used: 80 + +##### How to tune thresholds +1. User can pass its own thresholds file for test run using "--thresholds_file" pytest option. For example: +```code +py.test TEST_RUN_OPTIONS --thresholds_file THRESHOLDS_FILE_PATH +``` +2. User can update thresholds directly in test case by using "dut_monitor" fixture. +For example: +```code +dut_monitor["cpu_total"] = 80 +dut_monitor["ram_peak"] = 90 +... +``` +3. Define thresholds for specific test groups. +For specific test groups like scale, performance, etc. thresholds can be common. In such case "thresholds.yml" file can be created and placed next to the test module file. Pytest framework will automatically discover "thresholds.yml" file and will apply defined thresholds for current tests. + + +### Pytest plugin overview + +#### Pytest option +To enable DUT monitoring for each test case the following pytest console option should be used - "--dut_monitor" + +#### Pytest hooks +dut_monitor.py module defines the following hooks: +##### pytest_addoption(parser) +Register "--dut_monitor" option. This option used for trigger device monitoring. + +Register "--thresholds_file" option. This option takes path to the thresholds file. + +##### pytest_configure(config) +Check whether "--dut_monitor" option is used, if so register DUTMonitorPlugin class as pytest plugin. +##### pytest_unconfigure(config) +Unregister DUTMonitorPlugin plugin. + +### Classes +#### DUTMonitorClient class +Define API for: + ++ Start monitoring on the DUT ++ Stop monitoring on the DUT. Compare measurements with defined thresholds ++ Execute remote commands via SSH ++ Track SSH connection with DUT ++ Automatically restore SSH connection with DUT while in monitoring mode + +#### DUTMonitorPlugin class +Defines the following pytest fixtures: + +##### dut_ssh(autouse=True, scope="session") +Establish SSH connection with a device. Keeps this connection during all tests run. + +If the connection to the DUT is broken during monitoring phase (test performed DUT reboot), it will automatically try to restore connection during some time (for example 5 minutes). + +If the connection will be restored, monitoring will be automatically restored as well and dut_monitor fixture will have monitoring results even if reboot occurred. So, monitoring results will not be lost if in some case DUT will be rebooted. + +If the connection will not be restored, exception will be raised that DUT become inaccessible. + +##### dut_monitor(dut_ssh, autouse=True, scope="function") +- Starts DUT monitoring before test start +- Stops DUT monitoring after test finish +- Get measured values and compare them with defined thresholds +- Pytest error will be generated if any of resources exceed the defined threshold. + + +### Interaction with dut + + + +### Tests execution flaw + ++ Start pytest run with added “–dut_monitor” option ++ Before each test case - initialize DUT monitoring ++ Start reading CPU, RAM and HDD values every 2 seconds ++ Start test case ++ Wait the test case to finish ++ Stop reading CPU, RAM and HDD values ++ Display logging message with measured parameters ++ After the end of each test case compare obtained values with defined thresholds ++ Pytest error will be generated if any of resources exceed the defined threshold. Error message will also show extended output about consumed CPU, RAM and HDD, which is described below. Test case status like pass/fail still be shown separately. It gives possibility to have separate results for test cases (pass/fail) and errors if resources consumption exceed the threshold. + + +#### Extended info to print for error cases +Display output of the following commands: + ++ df -h --total /* ++ ps aux --sort rss ++ docker stats --all --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}" + +### Commands to fetch monitoring data + +##### Fetch CPU consumption: +ps -A -o pcpu | tail -n+2 | python -c "import sys; print(sum(float(line) for line in sys.stdin))" +##### Fetch RAM consumption: +show system-memory +OR +ps -A -o rss | tail -n+2 | python -c "import sys; print(sum(float(line) for line in sys.stdin))" + +##### Fetch HDD usage: +df -hm / + + +### Possible future expansion + +Later this functionality can be integrated with some UI interface where will be displayed consumed resources and device health during regression run. As UI board can be used Grafana. + +It can be useful for DUT health debugging and for load/stress testing analysis. diff --git a/doc/L3_performance_and_scaling_enchancements_HLD.md b/doc/L3_performance_and_scaling_enchancements_HLD.md new file mode 100644 index 0000000000..c01435cb37 --- /dev/null +++ b/doc/L3_performance_and_scaling_enchancements_HLD.md @@ -0,0 +1,228 @@ +# L3 Scaling and Performance Enhancements +Layer 3 Scaling and Performance Enhancements +# High Level Design Document +#### Rev 0.1 + +# Table of Contents + * [List of Tables](#list-of-tables) + * [Revision](#revision) + * [About This Manual](#about-this-manual) + * [Scope](#scope) + * [Definition/Abbreviation](#definitionabbreviation) + +# List of Tables +[Table 1: Abbreviations](#table-1-abbreviations) + +# Revision +| Rev | Date | Author | Change Description | +| :---: | :-----------: | :------------------: | ----------------------------------- | +| 0.1 | 06/04/2019 | Arvind | Initial version | +| | | | | + +# About this Manual +This document provides information about the Layer 3 performance and scaling improvements done in SONiC 201908. +# Scope +This document describes the high level design of Layer 3 performance and scaling improvements. + +# 1 Requirement Overview +## 1.1 Functional Requirements + + - __Scaling improvements__ + 1. ARP/ND + - Support for 32k IPv4 ARP entries + - Support for 16k IPv6 ND entries + 2. Route scale + - 200k IPv4 routes + - 65k IPv6 routes + + 3. ECMP + - 512 groups X 32 paths + - 256 groups X 64 paths + - 128 groups X 128 paths + + The route scale and ECMP items mentioned above will be tested to success. + A Broadcom Tomahawk-2 platform will be used for this testing, but the focus is on SONiC behavior + + - __Performance improvements__ + + 4. Reduce the IPv4 and IPv6 route programming time + 5. Reduce unknown ARP/ND learning time + 6. Reduce the time taken to display output with the following *"show commands"* + - **_show arp_** + - **_show ndp_** + + + +## 1.2 Configuration and Management Requirements +No new configuration or show commands introduced. + +## 1.3 Scalability Requirements +Covered in Functional requirements + + +## 1.4 Warm Boot Requirements + +There are no specific changes done for Warm-boot in this feature, however testing will done to make sure no change affect the warm boot time. + +# 2 Design + +## 2.1 Scaling improvements + +### 2.1.2 Improvement in number of ARP Entries + +SONiC currently supports around 2400 host entries. + +In our testing we found, when sending a lot of ARP/ND requests in a burst, ARP entries are getting purged from the kernel while the later set of ARP entries was still getting added. +The sequence of add/remove is in such a way that we were never able to cross ~2400 entries . + +In the kernel ARP module the following attributes govern how many ARP entries are key in the Kernel ARP cache +``` +gc_thresh1 (since Linux 2.2) +The minimum number of entries to keep in the ARP cache. The garbage collector will not run if there are fewer than this number of entries in the cache. Defaults to 128. + +gc_thresh2 (since Linux 2.2) +The soft maximum number of entries to keep in the ARP cache. The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed. Defaults to 512. + +gc_thresh3 (since Linux 2.2) +The hard maximum number of entries to keep in the ARP cache. The garbage collector will always run if there are more than this number of entries in the cache. Defaults to 1024. +``` + +To increase the number of ARP/ND entries these attributes will be changed to following values for IPv4 and IPv6 +``` +net.ipv4.neigh.default.gc_thresh1=16000 +net.ipv4.neigh.default.gc_thresh2=32000 +net.ipv4.neigh.default.gc_thresh3=48000 + +net.ipv6.neigh.default.gc_thresh1=8000 +net.ipv6.neigh.default.gc_thresh2=16000 +net.ipv6.neigh.default.gc_thresh3=32000 +``` +To increase rate of the ARP/ND packets coming to the CPU. Currently the max rate for ARP/ND is 600 packets, we will be increasing it to higher number(8000) in CoPP file to improve the learning time. + +## 2.2 Performance Improvements + +This section elaborates the changes done to improve L3 performance in SONiC + +### 2.2.1 Route installation time + +The tables below captures the baseline route programming time for IPv4 and IPv6 prefixes in SONiC. +To measure route programming time, BGP routes were advertised to a SONiC router and timed how long it took for these routes to be installed in the ASIC. + +### Table 2: IPv4 prefix route programming time + +| Routes | time taken on AS7712(Tomahawk) | +| ----------------------- | ------------------------------ | +| 10k IPv4 prefix routes | 11 seconds | +| 30k IPv4 prefix routes | 30 seconds | +| 60k IPv4 prefix routes | 48 seconds | +| 90k IPv4 prefix routes | 68 seconds | + + + +### Table 3: IPv6 prefix route programming time + +| Routes | time taken on AS7712(Tomahawk) | +| ---------------------------------- | ----------------------------- | +| 10k IPv6 route with prefixes > 64b | 11 seconds | +| 30k IPv6 route with prefixes >64b | 30 seconds | + + +#### 2.2.1.1 Proposed optimizations for reducing the route programming time. + +- Using sairedis bulk route APIs + + In SONiC architecture, routeorch in Orchagent processes route table updates from the APP_DB and calls the sairedis APIs to put these routes in ASIC_DB. + Currently Orchagent processes each route and puts in the ASIC_DB one at a time. The Redis pipelining allows for some level of bulking when putting entries in ASIC_DB but still one DB message is generated for every route. + + Further bulking can be done by using the sairedis bulk APIs for route creation and deletion. + + By using Sairedis bulk APIs, orchagent will call these APIs with a list of routes and their attributes. + The meta_sai layer in sairedis iterates over this route list and creates the meta objects for every route but only one Redis DB message will be generated for the route list. + Therefore using the sairedis bulk APIs reduces the number of Redis messages. + + The ASIC doesn't support bulk route creation/deletion,so syncd still processes one route at time and updates the ASIC. + + So, the saving achieved by using bulk APIs will be number of Redis message generated. + + Bulking of Route updates will be enabled in Orchagent. Orchagent will bulk 64 updates and send to Sairedis. + A new timer will be introduced in orchagent to flush the outstanding updates every second. + +- Optimization in Fpmsyncd + + Fpmsyncd listens to Netlink messages for Route add/delete messages and updates the APP_DB. + Current behaviour in Fpmsyncd + - When fpmsyncd get a route first it tries to get the master device name from the rt_table attribute of route object. + This is done to check if the route belongs to VNET_ROUTE_TABLE. + - To get a Master device name, fpmsyncd does a lookup in its local link cache. + - If the lookup in the local link cache fails, fpmsyncd updates cache by getting the configured links from the kernel. + + The problem here is if there are no VNET present on the system, this lookup will always fail and cache is updated for every route. + This seems to slow down the rate which route programed for the global route table. + + To fix this we will skip the lookup for the Master device name if the route object table value is zero .i.e. the route needs to put in the global routing table + + In our testing, we found which this change time taken to add 10k routes to the APP_DB was reduced from 7-8 seconds to 4-5 seconds. + +- Optimization in the sairedis. + + In sairedis every sai object is serialized in JSON format while creating the meta sai objects and updating the ASIC_DB. For serializing it uses json dump functionality to convert the objects in JSON. format. + This json dump function is provided by a open source JSON library. [[link to the open-source project](https://github.com/nlohmann/json)] + + Currently SONiC uses version 2.0 of this library, latest version however is version 3.6.1 + There have a been a few bug fixes/improvements done to the *dump()* from v 2.0 to v 3.6. + + We will be upgrading this library to latest version to pick up all the fixes. + + +With the above mentioned optimizations we target to get 30% reduction in the route programming time in SONiC. + +### 3.3 show CLI command enchancements + +#### 3.3.1 show arp/ndp command improvement. + +The current implemetation of the cli script for "show arp" or "show ndp" fetches the whole FDB table to get the outgoing interface incase the L3 interface is a VLAN L3 Interface. + +This slows down the show command. We will make changes to the CLI script to get FDB entries only for this specific ARP/ND instead of getting the whole FDB table. + +These changes will improve the performance of the command significantly + +# 4 Warm Boot Support +No specific changes are planned for Warm boot support as these are exisiting features. + +However, testing will done to make sure the changes done, for scaling or performance improvements, won't affect the Warm boot functionality. + + + +# 5 Unit Test +## 5.1 IPv4 Testcases +| Testcase number | Testcase | Result | Time taken | +| --------------- | ----------------------------------------------------------------------------- | ------ | ---------- | +| 1. | Verify 10k IPv4 routes are installed and measure the route programming time | | | +| 2. | Verify 60k IPv4 routes are installed and measure the route programming time | | | +| 3. | Verify 90k IPv4 routes are installed and measure the route programming time | | | +| 4. | Verify 128k IPv4 routes are installed and measure the route programming time | | | +| 5. | Verify 160k IPv4 routes are installed and measure the route programming time | | | +| 6. | Verify 200k IPv4 routes are installed and measure the route programming time | | | +| 7. | Verfiy 8k IPv4 ARP entries are learnt and measure the learning time | | | +| 8. | Verify 16k IPv4 ARP entries are learnt and measure the learning time | | | +| 9. | Verify 32k IPv4 ARP entries are learnt and measure the learning time | | | +## 5.2 IPv6 Testcases +| Testcase number | Testcase | Result | Time taken | +| --------------- | ---------------------------------------------------------------------------------------------- | ------ | ---------- | +| 1. | Verify 10k IPv6 routes with prefix >64b are installed and measure the route programming time | | | +| 2. | Verify 25k IPv6 routes with prefix > 64b are installed and measure the route programming time | | | +| 3. | Verify 40k IPv6 routes with prefix > 64b are installed and measure the route programming time | | | +| 4. | Verfiy 8k IPv6 ND entries are learnt and measure the learning time | | | +| 5. | Verify 16k IPv6 ND entries are learnt and measure the learning time | | | +| | | | | +## 5.3 Regresssion Testcases +| Testcase number | Testcase | Result | Time taken | +| --------------- | ----------------------------------------------------------- | ------ | ---------- | +| 1. | Measure the convergence time with link flaps | | | +| 2. | Measure the convergence time with Link flaps on ECMP paths | | | +| 3. | Clear bgp neighbors to check all routes and forwarding | | | +| 4. | Clear neigh table and check all routes and forwarding | | | +| 5. | Clear mac table and check all routes and forwarding | | | +| 6. | Test across warm reboot , Orchagt/Syncd restart and upgrade | | | + + diff --git a/doc/Optional-Feature-Control.md b/doc/Optional-Feature-Control.md new file mode 100644 index 0000000000..116cab0431 --- /dev/null +++ b/doc/Optional-Feature-Control.md @@ -0,0 +1,19 @@ +# SONiC Optional Feature Control Enhancement # + +## Revision ## + +| Rev | Date | Author | Change Description | +|:---:|:--------:|:-----------:|--------------------| +| 0.1 | 10/10/19 | Pradnya Mohite | Initial version | + +## Scope ## +Add support to enable/disable features in sonic. Features like telemetry agent can be optional and this enhancement will provide a way to control that. + +### Implementation Details ### +* Add feature table in config db. + * Modify sonic-cfggen tool to add table and enable the telemetry feature by default. + * For each feature, key is FEATURE|feature name, status :enabled/disabled. +* Add "config feature enable|disable [feature name]" command line. + * Add support for show and config commands. +* Add feature in hostcfgd to listen for Config DB FEATURE table entry changes, and enable & start or stop & disable the respective service as appropriate. + * When hostcfgd first starts, it reads all entries in the FEATURE table and compares with current status of each service. If there is mismatch, hostcfgd will enable & start or stop & disable as appropriate. \ No newline at end of file diff --git a/doc/SONIC_Test_Ingress_Discards_HLD.md b/doc/SONIC_Test_Ingress_Discards_HLD.md new file mode 100644 index 0000000000..d388c8e63a --- /dev/null +++ b/doc/SONIC_Test_Ingress_Discards_HLD.md @@ -0,0 +1,995 @@ +- [Overview](#overview) + - [Scope](#scope) + - [Supported topologies](#supported-topologies) + - [Discard groups covered by test case](#discard-groups-covered-by-test-cases) + - [Related DUT CLI commands](#related-dut-cli-commands) + - [SAI attributes](#sai-attributes) +- [General test flow](#general-test-flow) +- [Run test](#run-test) +- [Test cases](#test-cases) + - [Test case #1](#test-case-1) + - [Test case #2](#test-case-2) + - [Test case #3](#test-case-3) + - [Test case #4](#test-case-4) + - [Test case #5](#test-case-5) + - [Test case #6](#test-case-6) + - [Test case #7](#test-case-7) + - [Test case #8](#test-case-8) + - [Test case #9](#test-case-9) + - [Test case #10](#test-case-10) + - [Test case #11](#test-case-11) + - [Test case #12](#test-case-12) + - [Test case #13](#test-case-13) + - [Test case #14](#test-case-14) + - [Test case #15](#test-case-15) + - [Test case #16](#test-case-16) + - [Test case #17](#test-case-17) + - [Test case #18](#test-case-18) + - [Test case #19](#test-case-19) + - [Test case #20](#test-case-20) + - [Test case #21](#test-case-21) + +#### Overview +The purpose is to test drop counters triggers on receiving specific packets by DUT. + +The test assumes control plane traffic is disabled before test run by disabling VMs. + +Destination IP address of the injected packet must be routable to ensure packet should not be routed via specific interface but dropped. + +##### For Ethernet drop reasons: +```portstat -j``` - check ```RX_DRP``` + +##### For IP drop reasons: +```intfstat -j``` - check ```RX_ERR``` + +##### For ACL drop reasons: +```aclshow -a``` - check ```PACKETS COUNT``` + +#### Scope +The purpose of test cases is to verify that: +- appropriate packet drop counters trigger on SONIC system on expected value +- making sure that specific traffic drops correctly, according to sent packet and configured packet discards + +#### Supported topologies: +``` +t0 +t1 +t1-lag +ptf32 +``` + +#### Discard groups covered by test cases +Please refer to the test case for detailed description. + +| Test case ID| Drop reason | Group type| +|-------------|-------------|-----------| +| 1 | SMAC and DMAC are equal |Ethernet | +| 2 | Not allowed VLAN TAG| Ethernet| +| 3 | Multicast SMAC | Ethernet| +| 4 | Reserved DMAC | Ethernet| +| 5 | Loop-back filter | IP| +| 6 | Packet exceed router interface MTU| IP| +| 7 | Time To Live (TTL) Expired | IP| +| 8 | Discard at router interface for non-routable packets | IP| +| 9 | Absent IP header | IP| +| 10 | Broken IP header - header checksum or IPver or IPv4 IHL too short | IP| +| 11 | Unicast IP with multicast DMAC or broadcast DST MAC | IP| +| 12 | DST IP is loopback address | IP| +| 13 | SRC IP is loopback address | IP| +| 14 | SRC IP is multicast address | IP| +| 15 | SRC IP address is in class E | IP| +| 16 | SRC IP address is not specified | IP| +| 17 | DST IP address is not specified | IP| +| 18 | SRC IP address is link-local | IP| +| 19 | DST IP address is link-local | IP| +| 20 | ACL SRC IP DROP| IP| +| 21 | ERIF interface disabled | IP| + +#### Related DUT CLI commands +| **Command** | **Comment** | +|------------------------------------------------------------------|-------------| +| counterpoll port enable | Enable port counters | +| counterpoll rif enable | Enable RIF counters | +| portstat -j | Check ```RX_DRP``` | +| intfstat -j | Check ```RX_ERR``` | +| aclshow -a | Check ```PACKETS COUNT``` | +| sonic-clear counters | Clear counters | +| sonic-clear rifcounters | Clear RIF counters | + +As different vendors can have diferent drop counters calculation, for example L2 and L3 drop counters can be combined and L2 drop counter will be increased for all ingress discards. +So for valid drop counters verification there is a need to distinguish wheter drop counters are combined or not for current vendor. +This can be done by checking platform name of the DUT. + +##### Work need to be done based on this case +Create yml file which will contain list of regular expressions which match platform name of specific vendor who has combined drop counters calculation. Internally test framework will use this regular expressions to match current DUT platform name to determine whether drop counters are combined or not. + +##### Example of file content: +tests/drop_counters/combined_drop_counters.yml +``` +- "[REGEXP FOR VENDOR X]" +- "[REGEXP FOR VENDOR Y]" +``` + +#### SAI attributes +```SAI_PORT_STAT_IF_IN_DISCARDS``` - number of L2 discards + +```SAI_ROUTER_INTERFACE_STAT_IN_ERROR_PACKETS``` - number of L3 discards + +#### General test flow +##### Each test case will use the following port types: +- VLAN (T0) +- LAG (T0, T1-LAG) +- Router (T1, T1-LAG, PTF32) + +##### Drop counters which are going to be checked +It depends on test objective. + +Will be verified one of the following drop counters: +- Drop counter for L2 discards +- Drop counter for L3 discards +- Drop counter for ACL discards + +##### Sent packet number: +N=5 + +##### step #1 - Disable VMs +Before test suite run - disable control plane traffic generation. Use "testbed-cli.sh" script with "disconnect-vms" option. + +##### step #2 - Execute test scenario for all available port types depends on run topology (VLAN, LAG, Router) + +- Select PTF ports to send and sniff traffic +- Clear counters on DUT. Use CLI command "sonic-clear counters" +- Inject N packet via PTF port selected for TX +- Check specific drop counter incremented on N (depends on test case) + - If counter was not incremented on N, test fails with expected message +- Check other counters were not incremented on N based on sent packet type, sent port and expected drop reason (depends on test case) + - If counter was incremented on N, test fails with expected message +- Check the packet was dropped by sniffing packet absence on PTF port selected for RX + +##### step #3 - Enable VMs +Enable previously disabled VMs using "testbed-cli.sh" script with "connect-vms" option. + +#### Run test +``` +py.test --inventory ../ansible/inventory --host-pattern [DEVICE] --module-path ../ansible/library/ --testbed [DEVICE-TOPO] --testbed_file ../ansible/testbed.csv --junit-xml=./target/test-reports/ --show-capture=no --log-cli-level debug -ra -vvvvv ingress_discard/test_ingress_discard.py +``` + +#### Test cases +Each test case will be additionally validated by the loganalyzer utility. + +Each test case will run specific traffic to trigger specific discard reasone. + +Pytest fixture - "ptfadapter" is used to construct and send packets. + +After packet is sent using source port index, test framework waits during 5 seconds for specific packet did not appear, due to ingress packet drop, on one of the destination port indices. + +#### Test case #1 +##### Test objective + +Verify packet drops when SMAC and DMAC are equal + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [DUT_MAC_ADDR] + src = [DUT_MAC_ADDR] + type = 0x800 +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet specifying identical src and dst MAC. +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L2 drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented + +#### Test case #2 +##### Test objective + +Verify VLAN tagged packet drops when packet VLAN ID does not match ingress port VLAN ID + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = [auto] + type = 0x8100 + vid = 2 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet specifying VID different then port VLAN +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L2 drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented + +#### Test case #3 +##### Test objective + +Verify packet with multicast SMAC drops + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = 01:00:5e:00:01:02 + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet specifying multicast SMAC. +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L2 drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented + +#### Test case #4 +##### Test objective + +Verify packet with reserved DMAC drops + +Packet1 to trigger drop (use reserved for future standardization MAC address) +``` +###[ Ethernet ]### + dst = 01:80:C2:00:00:05 + src = [auto] + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` +Packet2 to trigger drop (use provider Bridge group address) +``` +###[ Ethernet ]### + dst = 01:80:C2:00:00:08 + src = [auto] + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet1 specifying reserved DMAC +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L2 drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented +--- +- PTF host will send IP packet2 specifying reserved DMAC +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L2 drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented + +#### Test case #5 +##### Test objective + +Verify packet drops by loop-back filter. Loop-back filter means that route to the host with DST IP of received packet exists on received interface + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = [auto] + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto] + dst = [known_bgp_neighboar_ip] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet specifying DST IP of VM host. Port to send is port which IP interface is in VM subnet. +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #6 +##### Test objective + +Verify packet which exceed router interface MTU (for IP packets) drops + +Note: make sure that configured MTU on testbed server and fanout are greater then DUT port MTU + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = [auto] + type = 0x800 +... +###[ TCP ]### + sport = [auto] + dport = [auto] + data = [max_mtu + 1] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet which exceed router interface MTU +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #7 +##### Test objective + +Verify packet with TTL expired (ttl <= 0) drops + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = [auto] + type = 0x800 +... +###[ IP ]### + version = 4 + ttl = 0 + proto = tcp + src = [auto] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IP packet with TTL = 0 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #8 +##### Test objective + +Verify non-routable packets discarded at router interface +Packet list: +- IGMP v1 v2 v3 membership query +- IGMP v1 membership report +- IGMP v2 membership report +- IGMP v2 leave group +- IGMP v3 membership report + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send IGMP v1 v2 v3 membership query +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send IGMP v1 membership report +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send IGMP v2 membership report +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send IGMP v2 leave group +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send IGMP v3 membership report +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #9 +##### Test objective + +Verify packet with no ip header available - drops + +Packet to trigger drop +``` +###[ Ethernet ]### + dst = [auto] + src = [auto] + type = 0x800 +###[ TCP ]### + sport = [auto] + dport = [auto] +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet without IP header +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #10 +##### Test objective + +Verify DUT drop packet with broken ip header due to header checksum or IPver or IPv4 IHL too short + +Packet1 to trigger drop (Incorrect checksum) +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto] + dst = [auto] + checksum = [generated_value] +... +``` + +Packet2 to trigger drop (Incorrect IP version) +``` +... +###[ IP ]### + version = 1 + ttl = [auto] + proto = tcp + src = [auto] + dst = [auto] +... +``` + +Packet3 to trigger drop (Incorrect IPv4 IHL) +``` +... +###[ IP ]### + version = 4 + ihl = 1 + ttl = [auto] + proto = tcp + src = [auto] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet3 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #11 +##### Test objective + +Verify DUT drops unicast IP packet sent via: +- multicast DST MAC +- broadcast DST MAC + +Packet1 to trigger drop +``` +###[ Ethernet ]### + dst = 01:00:5e:00:01:02 + src = [auto] + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` + +Packet2 to trigger drop +``` +###[ Ethernet ]### + dst = ff:ff:ff:ff:ff:ff + src = [auto] + type = 0x800 +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = 10.0.0.2 + dst = [get_from_route_info] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #12 +##### Test objective + +Verify DUT drops packet where DST IP is loopback address + +For ipv4: dip==127.0.0.0/8 + +For ipv6: dip==::1/128 OR dip==0:0:0:0:0:ffff:7f00:0/104 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto]] + dst = [127.0.0.1] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 6 + ttl = [auto] + proto = tcp + src = [auto]] + dst = [::1/128] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #13 +##### Test objective + +Verify DUT drops packet where SRC IP is loopback address + +For ipv4: dip==127.0.0.0/8 + +For ipv6: dip==::1/128 OR dip==0:0:0:0:0:ffff:7f00:0/104 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [127.0.0.1] + dst = [auto] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 6 + ttl = [auto] + proto = tcp + src = [::1/128] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #14 +##### Test objective + +Verify DUT drops packet where SRC IP is multicast address + +For ipv4: sip = 224.0.0.0/4 + +For ipv6: sip == FF00::/8 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [224.0.0.5] + dst = [auto] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 6 + ttl = [auto] + proto = tcp + src = [ff02::5] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #15 +##### Test objective + +Verify DUT drops packet where SRC IP address is in class E + +SIP == 240.0.0.0/4 + +SIP != 255.255.255.255 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [240.0.0.1] + dst = [auto] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [255.255.255.254] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #16 +##### Test objective + +Verify DUT drops packet where SRC IP address is not specified + +IPv4 sip == 0.0.0.0/32 + +Note: for IPv6 (sip == ::0) + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [0.0.0.0] + dst = [auto] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 6 + ttl = [auto] + proto = tcp + src = [::0] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #17 +##### Test objective + +Verify DUT drops packet where DST IP address is not specified + +IPv4 sip == 0.0.0.0/32 + +Note: for IPv6 (sip == ::0) + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto] + dst = [0.0.0.0] +... +``` + +Packet2 to trigger drop +``` +... +###[ IP ]### + version = 6 + ttl = [auto] + proto = tcp + src = [auto] + dst = [::0] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +--- +- PTF host will send packet2 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #18 +##### Test objective + +Verify DUT drops packet where SRC IP is link-local address + +For ipv4: sip==169.254.0.0/16 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [169.254.10.125] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #19 +##### Test objective + +Verify DUT drops packet where DST IP is link-local address + +For ipv4: dip==169.254.0.0/16 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto]] + dst = [169.254.10.125] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented + +#### Test case #20 +##### Test objective + +Verify DUT drops packet when configured ACL DROP for SRC IP 20.0.0.0/24 + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [20.0.0.10] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- PTF host will send packet1 +- When packet reaches SONIC DUT, it should be dropped according to the test objective +- Get ACL drop counter +- Verify drop counter incremented +- Get L3 drop counter +- Verify L3 drop counter is not incremented + +#### Test case #21 +##### Test objective + +Verify egress RIF drop counter incremented while sending packets that are destined for a neighboring device but the egress link is down + +Packet1 to trigger drop +``` +... +###[ IP ]### + version = 4 + ttl = [auto] + proto = tcp + src = [auto] + dst = [auto] +... +``` + +##### Get interfaces which are members of LAG, RIF and VLAN. Repeat defined test steps for each of those interfaces. + +##### Test steps +- Disable egress interface on DUT which is linked with neighbouring device +- PTF host will send packet1 +- Verify that no packets appeared/captured on disabled link +- Get L3 drop counter +- Verify drop counter incremented +- Get L2 drop counter +- Verify L2 drop counter is not incremented +- Enable back egress interface on DUT which is linked with neighbouring device diff --git a/doc/SONiC-User-Manual.md b/doc/SONiC-User-Manual.md index 648621bf11..68b2ac6f71 100644 --- a/doc/SONiC-User-Manual.md +++ b/doc/SONiC-User-Manual.md @@ -49,7 +49,7 @@ Connect the console port of the device and use the 9600 baud rate to access the Users shall use the default username/password "admin/YourPaSsWoRd" to login to the device through the console port. After logging into the device, SONiC software can be configured in following three methods. - 1) [Command Line Interface](https://github.com/Azure/SONiC/wiki/Command-Reference) + 1) [Command Line Interface](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md) 2) [config_db.json](https://github.com/Azure/SONiC/wiki/Configuration) 3) [minigraph.xml](https://github.com/Azure/SONiC/wiki/Configuration-with-Minigraph-(~Sep-2017)) @@ -285,7 +285,7 @@ Before Sep 2017, we were using an XML file named minigraph.xml to configure SONi SONiC includes commands that allow user to show platform, transceivers, L2, IP, BGP status, etc. -- [Command Reference](Command-Reference.md) +- [Command Reference](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md) Note that all the configuration commands need root privileges to execute them and the commands are case-sensitive. Show commands can be executed by all users without the root privileges. @@ -579,11 +579,11 @@ Basic cable connectivity shall be verified by configuring the IP address for the | # | Module | CLI Link | ConfigDB Link | Remarks | | --- | --- | --- | --- | --- | -| 1 | Interface |[Interface CLI](Command-Reference.md#Interface-Configuration-And-Show-Commands) | [Interface ConfigDB](Configuration.md)| To view the details about the interface | -| 2 | BGP |[BGP CLI](Command-Reference.md#BGP-Configuration-And-Show-Commands) | [BGP ConfigDB](Configuration.md)| To view the details about the BGP | -| 3 | ACL |[ACL CLI](Command-Reference.md#ACL-Configuration-And-Show) | [ACL ConfigDB](Configuration.md)| To view the details about the ACL | +| 1 | Interface |[Interface CLI](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md#Interface-Configuration-And-Show-Commands) | [Interface ConfigDB](Configuration.md)| To view the details about the interface | +| 2 | BGP |[BGP CLI](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md#BGP-Configuration-And-Show-Commands) | [BGP ConfigDB](Configuration.md)| To view the details about the BGP | +| 3 | ACL |[ACL CLI](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md#ACL-Configuration-And-Show) | [ACL ConfigDB](Configuration.md)| To view the details about the ACL | | 4 | COPP |COPP CLI Not Available | [COPP ConfigDB](Configuration.md)| To view the details about the COPP | -| 5 | Mirroring |[Mirroring CLI](Command-Reference.md#Mirroring-Configuration-And-Show) | [Mirroring ConfigDB](Configuration.md)| To view the details about the Mirroring | +| 5 | Mirroring |[Mirroring CLI](https://github.com/Azure/sonic-utilities/blob/master/doc/Command-Reference.md#mirroring-configuration-and-show) | [Mirroring ConfigDB](Configuration.md)| To view the details about the Mirroring | diff --git a/doc/Sonic BSL Test plan.md b/doc/Sonic BSL Test plan.md new file mode 100644 index 0000000000..f4131648b1 --- /dev/null +++ b/doc/Sonic BSL Test plan.md @@ -0,0 +1,80 @@ +#SONiC BSL Test Plan + + +## Overview +This document outlines the Sonic BSL test plan. In BSL mode, Sonic device is brought up as an L2 switch. This test plan validates the functionality by running the tests as described in below sections. More details on BSL can be found in this [document](https://github.com/Azure/SONiC/wiki/L2-Switch-mode#3-generate-a-configuration-for-l2-switch-mode). This must be followed to configure a Sonic device in L2 switch and verify the associated commands before running the below test cases. + +### Scope +--------- +This is limited to Sonic device in BSL mode with the minimal functional verification. + + +## Test structure + +### Setup configuration +------------------- +L2 configuration on a T0 topology + +### Configuration scripts +------------------------- + +Configuration is created from https://github.com/Azure/SONiC/wiki/L2-Switch-mode#3-generate-a-configuration-for-l2-switch-mode. After applying configuration, this also has basic verifications of interfaces and oper status. + +The following is an example script to create config file for Mellanox platform +``` +sonic-cfggen -t /usr/local/lib/python2.7/dist-packages/usr/share/sonic/templates/l2switch.j2 -p -k Mellanox-SN2700-D48C8 +``` +The config contains all the ports set to admin-up and configure as untagged member ports of Vlan 1000. + +Test cases +---------- + +### Test case \#1 + +#### Test objective +Verify basic sanity + +#### Test description +Run sanity test - https://github.com/Azure/sonic-mgmt/blob/master/ansible/roles/test/tasks/base_sanity.yml + +### Test case \#2 + +#### Test objective +Verify FDB learning happens on all ports. + +#### Test description +Run fdb test - https://github.com/Azure/sonic-mgmt/blob/master/ansible/roles/test/tasks/fdb.yml + +### Test case \#3 + +#### Test objective +Verify Vlan configurations, ARP and PING. The current vlan test (vlantb) has two parts - vlan_configure and vlan_test. vlan_configure cannot be run on BSL without modification as it takes into account port-channels. This must be modified to run on BSL configuration. Test must also configure an IP address on Vlan interface. + +This test covers Vlan, ARP and PING tests. + +#### Test description +Run fdb test - https://github.com/Azure/sonic-mgmt/blob/master/ansible/roles/test/tasks/vlantb.yml + + +### Test case \#4 + +#### Test objective +Verify SNMP. This [document](https://github.com/Azure/SONiC/wiki/How-to-Check-SNMP-Configuration) can be referred for basic SNMP verification and configuring public community string + +The current SNMP test must be modified for BSL. The BSL test can cover to get + 1. MAC table + 2. Interface table + 3. CPU + 4. PSU + +#### Test description +Run SNMP test - https://github.com/Azure/sonic-mgmt/blob/master/ansible/roles/test/tasks/snmp.yml + +| **\#** | **Test Description** | **Expected Result** | +|--------|----------------------|---------------------| +| 1. | Sanity | Pass | +| 2. | FDB | MAC Learn | +| 3. | VLAN | PING,ARP succeeds | +| 4. | SNMP | Walk succeeds | +| 5. | | | + diff --git a/doc/acl/Everflow-test-plan.md b/doc/acl/Everflow-test-plan.md new file mode 100644 index 0000000000..b465acea69 --- /dev/null +++ b/doc/acl/Everflow-test-plan.md @@ -0,0 +1,1213 @@ + +- [Overview](#overview) + - [Scope](#scope) + - [Summary of the existing everflow test plan](#summary-of-the-existing-everflow-test-plan) + - [Extend the test plan to cover both ingress and egress mirroring](#extend-the-test-plan-to-cover-both-ingress-and-egress-mirroring) + - [What new enhancements need to be covered?](#what-new-enhancements-need-to-be-covered) + - [Egress ACL table](#egress-acl-table) + - [Egress mirroring](#egress-mirroring) + - [Some existing areas not covered by the existing scripts](#some-existing-areas-not-covered-by-the-existing-scripts) + - [ACL rule for matching "IN_PORTS"](#acl-rule-for-matching-in_ports) + - [ACL rule for matching ICMP type and code](#acl-rule-for-matching-icmp-type-and-code) + - [IPv6 everflow](#ipv6-everflow) + - [How to extend the testing](#how-to-extend-the-testing) + - [Combine the existing test cases](#combine-the-existing-test-cases) + - [Test configurations](#test-configurations) + - [ACL table configurations](#acl-table-configurations) + - [Related **DUT** CLI commands](#related-dut-cli-commands) + - [`sonic-cfggen` Advanced config_db updating tool](#sonic-cfggen-advanced-config_db-updating-tool) + - [`config acl add table
+
+
+For FDB flush and FDB aging and Static FDB commands, the design is described in details in the SWSS section.
+Overview of changes for VLAN range support is provided below.
+
+**VLAN Range Support:**
+
+VLAN Range Support: For each of the new commands, a loop is iterated to run though the two configured parameters, first vlan-id and last vlan-id, (as specified in commands listed in section 3.6.2) and CONFIG_DB is updated through a single push operation using redisDB pipelining mechanism. Pipeline mechanism ensures the DB is updated very quick.
+
+Range command issued takes only two VLAN identifiers as arguments. List of VLANs are not configurable. For example, 'config vlan range add 2 10' is allowed and valid, but 'config vlan range add 2 10,3 100' is not valid.
+
+For VLAN range creation, VLAN existence for each VLAN identifier is checked in CONFIG_DB through GET operation prior to adding the redisDB SET to the pipeline. If few VLANs are already created and 'range create' command issued involves such VLANs, a message of severity 'warning' is logged, if the option '-w' is provided while configuring, and non-existent VLANs are created.
+
+For VLAN range deletion, existence of each VLAN is checked and delete operations are added to pipeline and executed at once after iterating through the entire range. For all non-existent VLANs, a single warning message is logged (if the optional argument, '-w', is enabled) after pipeline execution is completed.
+
+For VLAN member range creation and deletion, similar logic is added.
+
+VLAN and port identifier validation are added as part of the logic added in the functions for the new commands.
+
+
+## 3.2 DB Changes
+### 3.2.1 CONFIG DB
+**FDB table for Static MAC**
+
+FDB_TABLE will be set in CONFIG_DB to store static MAC configuration.
+
+**SWITCH table for Aging time configuration**
+
+SWITCH_TABLE will be set in CONFIG_DB to store FDB aging time configuration.
+
+## 3.3 Switch State Service Design
+### 3.3.1 Orchestration Agent
+
+
+**Data Structure changes**
+
+
+The internal FDB data structure will be enhanced to store the FDB type (static/dynamic). Currently, FDB is stored as c++ set. It will be changed to c++ map to store (key, value), where key is (MAC, bv_id) and value is FDB type.
+FDB type is needed to add Static FDB to saved FDB after flush.
+
+
+ **FDB Data structure in Orchagent:**
+
+
+
+
+In current Sonic implementation, when a FDB event is received with VLAN SAI object ID, the VLAN ID is retrieved by traversing through all the ports and VLANs in the orchagent DB and finding the one that matches the object ID. Also, the Port details are retrieved by traversing all the port and VLANs. This approach is inefficient as it may traverse through the number of VLANs configured for each FDB learn event. Worst case time is O(M*N) where M is the number of MAC events and N is the number of entries in port data structure.
+
+
+A new unordered_map containing a mapping between SAI object ID (can be either Port object ID or Bridge Port object ID or VLAN object ID) and Name (port or VLAN alias) will be added which can be looked up in O(1) time. The Port or VLAN alias retrieved from this will be looked up in the Port data structure.
+
+
+ **Object ID to alias mapping.**
+
+
+
+
+
+**Changes for FDB flush.**
+When a FDB flush request is received, Orchagent will send a bulk flush request to syncd. Individual FDB delete response from SAI will be used to delete FDB entries in ASIC_DB, STATE_DB and orchagent data structure. The delete response will be received as AGED event to syncd, which will delete the entry in ASIC_DB and notify Orchagent.
+
+
+When a port operational status goes down, portsorch will call fdborch API to trigger FDB flush. Only dynamic FDB will be flushed.
+
+
+When a port is removed from VLAN, portsorch will call fdborch API to trigger FDB flush. Both static and dynamic FDB will be flushed. Also, the static FDB will be added to the temporary DB in orchagent when delete response is received, so that it can programmed back when port is added back to VLAN.
+
+
+When Spanning tree state changes, protocol component within orchagent will call fdborch API to flush FDB by either per Port or per Port per VLAN. Only dynamic FDB will be flushed.
+
+
+ **FDB Flush due to Port operational state down:**
+
+
+
+
+
+ **FDB Flush due to Port removal from VLAN:**
+
+
+
+
+
+ **FDB Flush due to spanning tree state change:**
+
+
+
+
+
+**Changes for handling MAC move events.**
+Hardware can generate a single MAC move event instead of generating 2 events (del-old mac and add-new mac). Orchagent code changes will be done to replace the existing FDB entry with the new port in STATE_DB.
+
+
+**Changes for FDB aging time configuration.**
+A new CLI commands will be added for configuring the FDB aging time.
+FDB aging time configuration will be set in the SWITCH table in CONFIG_DB. Vlanmgr will populate it in the APP_DB. Orchagent will get notified and handling will be SwitchOrch. SwitchOrch will call sai_redis API to send request to syncd via ASIC_DB.
+
+
+
+
+
+**Changes for Static FDB configuration.**
+New CLI will be added for configuring Static FDB entry. It will be set in the FDB_TABLE in CONFIG_DB. Vlanmgr will handle the CONIG_DB changes, do necessary validations and then populate in APP_DB. FdbOrch already has all the necessary handling for Static FDB changes from APP_DB.
+When a port is removed from VLAN, the corresponding Static FDB entries will also be flushed from all databases except APP_DB and CONFIG_DB. Flushed static FDB will be stored in the saved FDB in orchagent for retrieval and programming later when port is added back to VLAN.
+If a dynamic FDB is already learnt and a static FDB is configured with same (MAC, VLAN), the existing dynamic FDB entry will be replaced with the static entry.
+
+
+
+
+
+
+
+
+
+### 3.3.2 Other Process
+**Vlanmgr changes**
+
+Vlanmgr will handle Aging time configuration changes from SWITCH table in CONFIG_DB. It will set the new aging time in SWITCH_TABLE in APP_DB, which will be processed by SwitchOrch.
+
+
+Vlanmgr will handle Static FDB configuration from FDB table in CONFIG_DB. It will do validation and then set the static FDB in FDB_TABLE in APP_DB, which will be processed by FdbOrch.
+
+
+## 3.4 SyncD
+No change.
+
+
+## 3.5 SAI
+No changes are being made in SAI. The following SAI attributes are used by the changes being made to SONiC:
+
+1. SAI_FDB_FLUSH_ATTR_BRIDGE_PORT_ID
+2. SAI_FDB_FLUSH_ATTR_BV_ID
+3. SAI_FDB_FLUSH_ATTR_ENTRY_TYPE
+4. SAI_FDB_ENTRY_ATTR_TYPE
+5. SA_FDB_EVENT_MOVE
+6. SAI_SWITCH_ATTR_FDB_AGING_TIME
+
+
+
+## 3.6 CLI
+
+### 3.6.1 Configuration Commands
+**FDB Aging time configuration**
+
+root@sonic:/# config mac aging-time