summaryrefslogtreecommitdiff
path: root/docs/configuration/protocols/bgp.rst
diff options
context:
space:
mode:
authorKyleM <103862795+ServerForge@users.noreply.github.com>2023-02-04 08:57:51 -0500
committerGitHub <noreply@github.com>2023-02-04 08:57:51 -0500
commitbfdd195284a17bab5632db363a1832e3e2de4b20 (patch)
treeb4495e9debd5d751ca747838bb674df4668f31b1 /docs/configuration/protocols/bgp.rst
parentd39ce49e2f54b99433c5c661fc1cb6efbbe6c930 (diff)
downloadvyos-documentation-bfdd195284a17bab5632db363a1832e3e2de4b20.tar.gz
vyos-documentation-bfdd195284a17bab5632db363a1832e3e2de4b20.zip
Add docs for RFC 9234
Added documentation for new BGP roles for RFC 9234
Diffstat (limited to 'docs/configuration/protocols/bgp.rst')
-rw-r--r--docs/configuration/protocols/bgp.rst34
1 files changed, 34 insertions, 0 deletions
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 6593730f..bef75733 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -206,6 +206,40 @@ Defining Peers
peers ASN is the same as mine as specified under the :cfgcmd:`protocols
bgp <asn>` command the connection will be denied.
+.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role <role> [strict]
+
+ BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
+ add route leak prevention, detection and mitigation. The local Role
+ value is negotiated with the new BGP Role capability which has a
+ built-in check of the corresponding value. In case of a mismatch the
+ new OPEN Roles Mismatch Notification <2, 11> would be sent.
+ The correct Role pairs are:
+
+ Provider - Customer
+
+ Peer - Peer
+
+ RS-Server - RS-Client
+
+ If :cfgcmd:`strict` is set the BGP session won’t become established
+ until the BGP neighbor sets local Role on its side. This
+ configuration parameter is defined in RFC :rfc:`9234` and is used to
+ enforce the corresponding configuration at your counter-parts side.
+
+ Routes that are sent from provider, rs-server, or the peer local-role
+ (or if received by customer, rs-clinet, or the peer local-role) will
+ be marked with a new Only to Customer (OTC) attribute.
+
+ Routes with this attribute can only be sent to your neighbor if your
+ local-role is provider or rs-server. Routes with this attribute can
+ be received only if your local-role is customer or rs-client.
+
+ In case of peer-peer relationship routes can be received only if OTC
+ value is equal to your neighbor AS number.
+
+ All these rules with OTC will help to detect and mitigate route leaks
+ and happen automatically if local-role is set.
+
.. cfgcmd:: set protocols bgp neighbor <address|interface> shutdown
This command disable the peer or peer group. To reenable the peer use