Merge branch 'sagitta' of https://github.com/rebortg/vyos-documentation

15 files changed, 1507 insertions, 0 deletions

diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst
new file mode 100644
index 00000000..b8fdf489
--- /dev/null
+++ b/docs/configuration/protocols/bfd.rst
@@ -0,0 +1,117 @@
+.. include:: /_include/need_improvement.txt
+
+.. _routing-bfd:
+
+###
+BFD
+###
+
+:abbr:`BFD (Bidirectional Forwarding Detection)` is described and extended by
+the following RFCs: :rfc:`5880`, :rfc:`5881` and :rfc:`5883`.
+
+
+Configure BFD
+=============
+
+.. cfgcmd:: set protocols bfd peer <address>
+
+   Set BFD peer IPv4 address or IPv6 address
+
+.. cfgcmd:: set protocols bfd peer <address> echo-mode
+
+   Enables the echo transmission mode
+
+.. cfgcmd:: set protocols bfd peer <address> multihop
+
+   Allow this BFD peer to not be directly connected
+
+.. cfgcmd:: set protocols bfd peer <address> source [address <address> | interface <interface>]
+
+   Bind listener to specifid interface/address, mandatory for IPv6
+
+.. cfgcmd:: set protocols bfd peer <address> interval echo-interval <10-60000>
+
+   The minimal echo receive transmission interval that this system is capable of handling
+
+.. cfgcmd:: set protocols bfd peer <address> interval multiplier <2-255>
+
+   Remote transmission interval will be multiplied by this value
+
+.. cfgcmd:: set protocols bfd peer <address> interval [receive | transmit] <10-60000>
+
+   Interval in milliseconds
+
+.. cfgcmd:: set protocols bfd peer <address> shutdown
+
+   Disable a BFD peer
+
+
+Enable BFD in BGP
+-----------------
+
+.. cfgcmd:: set protocols bgp <asn> neighbor <address> bfd
+
+   Enable BFD on a single BGP neighbor
+
+.. cfgcmd:: set protocols bgp <asn> peer-group <group> bfd
+
+   Enable BFD on a BGP peer group
+
+
+
+Enable BFD in OSPF
+------------------
+
+.. cfgcmd:: set interfaces ethernet <ethN> ip ospf bfd
+
+   Enable BFD for ospf on a interface
+
+.. cfgcmd:: set interfaces ethernet <ethN> ipv6 ospfv3 bfd
+
+   Enable BFD for ospfv3 on a interface
+
+
+
+Operational Commands
+====================
+
+.. opcmd:: show protocols bfd peer
+
+   Show all BFD peers
+
+   .. code-block:: none
+
+      BFD Peers:
+           peer 198.51.100.33 vrf default interface eth4.100
+                   ID: 4182341893
+                   Remote ID: 12678929647
+                   Status: up
+                   Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s)
+                   Diagnostics: ok
+                   Remote diagnostics: ok
+                   Local timers:
+                           Receive interval: 300ms
+                           Transmission interval: 300ms
+                           Echo transmission interval: 50ms
+                   Remote timers:
+                           Receive interval: 300ms
+                           Transmission interval: 300ms
+                           Echo transmission interval: 0ms
+
+           peer 198.51.100.55 vrf default interface eth4.101
+                   ID: 4618932327
+                   Remote ID: 3312345688
+                   Status: up
+                   Uptime: 20 hour(s), 16 minute(s), 19 second(s)
+                   Diagnostics: ok
+                   Remote diagnostics: ok
+                   Local timers:
+                           Receive interval: 300ms
+                           Transmission interval: 300ms
+                           Echo transmission interval: 50ms
+                   Remote timers:
+                           Receive interval: 300ms
+                           Transmission interval: 300ms
+                           Echo transmission interval: 0ms
+
+
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
new file mode 100644
index 00000000..c576d836
--- /dev/null
+++ b/docs/configuration/protocols/bgp.rst
@@ -0,0 +1,335 @@
+.. _bgp:
+
+###
+BGP
+###
+
+:abbr:`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols
+and the de facto standard interdomain routing protocol. The latest BGP version
+is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858`
+adds multiprotocol support to BGP.
+
+VyOS makes use of :abbr:`FRR (Free Range Routing)` and we would like to thank
+them for their effort!
+
+Basic Concepts
+==============
+
+.. _bgp-autonomous-systems:
+
+Autonomous Systems
+------------------
+
+From :rfc:`1930`:
+
+   An AS is a connected group of one or more IP prefixes run by one or more
+   network operators which has a SINGLE and CLEARLY DEFINED routing policy.
+
+Each AS has an identifying number associated with it called an :abbr:`ASN
+(Autonomous System Number)`. This is a two octet value ranging in value from 1
+to 65535. The AS numbers 64512 through 65535 are defined as private AS numbers.
+Private AS numbers must not be advertised on the global Internet.
+
+The :abbr:`ASN (Autonomous System Number)` is one of the essential elements of
+BGP. BGP is a distance vector routing protocol, and the AS-Path framework
+provides distance vector metric and loop detection to BGP.
+
+.. _bgp-address-families:
+
+Address Families
+----------------
+
+Multiprotocol extensions enable BGP to carry routing information for multiple
+network layer protocols. BGP supports an Address Family Identifier (AFI) for
+IPv4 and IPv6.
+
+.. _bgp-route-selection:
+
+Route Selection
+---------------
+
+The route selection process used by FRR's BGP implementation uses the following
+decision criterion, starting at the top of the list and going towards the
+bottom until one of the factors can be used.
+
+1. **Weight check**
+
+   Prefer higher local weight routes to lower routes.
+
+2. **Local preference check**
+
+   Prefer higher local preference routes to lower.
+
+3. **Local route check**
+
+   Prefer local routes (statics, aggregates, redistributed) to received routes.
+
+4. **AS path length check**
+
+   Prefer shortest hop-count AS_PATHs.
+
+5. **Origin check**
+
+   Prefer the lowest origin type route. That is, prefer IGP origin routes to
+   EGP, to Incomplete routes.
+
+6. **MED check**
+
+   Where routes with a MED were received from the same AS, prefer the route
+   with the lowest MED.
+
+7. **External check**
+
+   Prefer the route received from an external, eBGP peer over routes received
+   from other types of peers.
+
+8. **IGP cost check**
+
+   Prefer the route with the lower IGP cost.
+
+9. **Multi-path check**
+
+   If multi-pathing is enabled, then check whether the routes not yet
+   distinguished in preference may be considered equal. If
+   :cfgcmd:`bgp bestpath as-path multipath-relax` is set, all such routes are
+   considered equal, otherwise routes received via iBGP with identical AS_PATHs
+   or routes received from eBGP neighbours in the same AS are considered equal.
+
+10. **Already-selected external check**
+
+    Where both routes were received from eBGP peers, then prefer the route
+    which is already selected. Note that this check is not applied if
+    :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can
+    prevent some cases of oscillation.
+
+11. **Router-ID check**
+
+    Prefer the route with the lowest `router-ID`. If the route has an
+    `ORIGINATOR_ID` attribute, through iBGP reflection, then that router ID is
+    used, otherwise the `router-ID` of the peer the route was received from is
+    used.
+
+12. **Cluster-List length check**
+
+    The route with the shortest cluster-list length is used. The cluster-list
+    reflects the iBGP reflection path the route has taken.
+
+13. **Peer address**
+
+    Prefer the route received from the peer with the higher transport layer
+    address, as a last-resort tie-breaker.
+
+.. _bgp-capability-negotiation:
+
+Capability Negotiation
+----------------------
+
+When adding IPv6 routing information exchange feature to BGP. There were some
+proposals. :abbr:`IETF (Internet Engineering Task Force)`
+:abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol
+Extension for BGP. The specification is described in :rfc:`2283`. The protocol
+does not define new protocols. It defines new attributes to existing BGP. When
+it is used exchanging IPv6 routing information it is called BGP-4+. When it is
+used for exchanging multicast routing information it is called MBGP.
+
+*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports
+the protocol, *bgpd* can exchange IPv6 and/or multicast routing information.
+
+Traditional BGP did not have the feature to detect a remote peer's
+capabilities, e.g. whether it can handle prefix types other than IPv4 unicast
+routes. This was a big problem using Multiprotocol Extension for BGP in an
+operational network. :rfc:`2842` adopted a feature called Capability
+Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's
+capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd*
+does not send these Capability Negotiation packets (at least not unless other
+optional BGP features require capability negotiation).
+
+By default, FRR will bring up peering with minimal common capability for the
+both sides. For example, if the local router has unicast and multicast
+capabilities and the remote router only has unicast capability the local router
+will establish the connection with unicast only capability. When there are no
+common capabilities, FRR sends Unsupported Capability error and then resets the
+connection.
+
+.. _bgp-router-configuration:
+
+BGP Router Configuration
+========================
+
+ASN and Router ID
+-----------------
+
+.. cfgcmd:: set protocols bgp <asn>
+
+   First of all you must configure BGP router with the :abbr:`ASN (Autonomous
+   System Number)`. The AS number is an identifier for the autonomous system.
+   The BGP protocol uses the AS number for detecting whether the BGP connection
+   is internal or external.
+
+.. cfgcmd:: set protocols bgp <asn> parameters router-id
+
+   This command specifies the router-ID. If router ID is not specified it will
+   use the highest interface IP address.
+
+Route Selection
+---------------
+
+.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path confed
+
+   This command specifies that the length of confederation path sets and
+   sequences should be taken into account during the BGP best path
+   decision process.
+
+.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path multipath-relax
+
+   This command specifies that BGP decision process should consider paths
+   of equal AS_PATH length candidates for multipath computation. Without
+   the knob, the entire AS_PATH must match for multipath computation.
+
+.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path ignore
+
+   Ignore AS_PATH length when selecting a route
+
+IPv4
+^^^^
+
+A simple eBGP configuration:
+
+**Node 1:**
+
+.. code-block:: none
+
+  set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2'
+  set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535'
+  set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1'
+  set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16'
+  set protocols bgp 65534 parameters router-id '192.168.0.1'
+
+**Node 2:**
+
+.. code-block:: none
+
+  set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2'
+  set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534'
+  set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2'
+  set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16'
+  set protocols bgp 65535 parameters router-id '192.168.0.2'
+
+
+Don't forget, the CIDR declared in the network statement MUST **exist in your
+routing table (dynamic or static), the best way to make sure that is true is
+creating a static route:**
+
+**Node 1:**
+
+.. code-block:: none
+
+  set protocols static route 172.16.0.0/16 blackhole distance '254'
+
+**Node 2:**
+
+.. code-block:: none
+
+  set protocols static route 172.17.0.0/16 blackhole distance '254'
+
+
+IPv6
+^^^^
+
+A simple BGP configuration via IPv6.
+
+**Node 1:**
+
+.. code-block:: none
+
+  set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2'
+  set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535'
+  set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1'
+  set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast
+  set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48'
+  set protocols bgp 65534 parameters router-id '10.1.1.1'
+
+**Node 2:**
+
+.. code-block:: none
+
+  set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2'
+  set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534'
+  set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2'
+  set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast
+  set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48'
+  set protocols bgp 65535 parameters router-id '10.1.1.2'
+
+Don't forget, the CIDR declared in the network statement **MUST exist in your
+routing table (dynamic or static), the best way to make sure that is true is
+creating a static route:**
+
+**Node 1:**
+
+.. code-block:: none
+
+  set protocols static route6 2001:db8:1::/48 blackhole distance '254'
+
+**Node 2:**
+
+.. code-block:: none
+
+  set protocols static route6 2001:db8:2::/48 blackhole distance '254'
+
+Route Filter
+^^^^^^^^^^^^
+
+Route filter can be applied using a route-map:
+
+**Node1:**
+
+.. code-block:: none
+
+  set policy prefix-list AS65535-IN rule 10 action 'permit'
+  set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16'
+  set policy prefix-list AS65535-OUT rule 10 action 'deny'
+  set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16'
+  set policy prefix-list6 AS65535-IN rule 10 action 'permit'
+  set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48'
+  set policy prefix-list6 AS65535-OUT rule 10 action 'deny'
+  set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48'
+  set policy route-map AS65535-IN rule 10 action 'permit'
+  set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN'
+  set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN'
+  set policy route-map AS65535-IN rule 20 action 'deny'
+  set policy route-map AS65535-OUT rule 10 action 'deny'
+  set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT'
+  set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT'
+  set policy route-map AS65535-OUT rule 20 action 'permit'
+  set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT'
+  set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN'
+  set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT'
+  set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map import 'AS65535-IN'
+
+**Node2:**
+
+.. code-block:: none
+
+  set policy prefix-list AS65534-IN rule 10 action 'permit'
+  set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16'
+  set policy prefix-list AS65534-OUT rule 10 action 'deny'
+  set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16'
+  set policy prefix-list6 AS65534-IN rule 10 action 'permit'
+  set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48'
+  set policy prefix-list6 AS65534-OUT rule 10 action 'deny'
+  set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48'
+  set policy route-map AS65534-IN rule 10 action 'permit'
+  set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN'
+  set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN'
+  set policy route-map AS65534-IN rule 20 action 'deny'
+  set policy route-map AS65534-OUT rule 10 action 'deny'
+  set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT'
+  set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT'
+  set policy route-map AS65534-OUT rule 20 action 'permit'
+  set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT'
+  set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN'
+  set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT'
+  set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map import 'AS65534-IN'
+
+We could expand on this and also deny link local and multicast in the rule 20
+action deny.
diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst
new file mode 100644
index 00000000..cce5f948
--- /dev/null
+++ b/docs/configuration/protocols/igmp-proxy.rst
@@ -0,0 +1,2 @@
+igmp-proxy
+##########
\ No newline at end of file
diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst
new file mode 100644
index 00000000..9104b0c9
--- /dev/null
+++ b/docs/configuration/protocols/igmp.rst
@@ -0,0 +1,244 @@
+.. _multicast:
+
+#########
+Multicast
+#########
+
+VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**,
+**IGMP** and **IGMP-Proxy**.
+
+************
+PIM and IGMP
+************
+
+PIM (Protocol Independent Multicast) must be configured in every
+interface of every participating router. Every router must also have the
+location of the Rendevouz Point manually configured. Then,
+unidirectional shared trees rooted at the Rendevouz Point will
+automatically be built for multicast distribution.
+
+Traffic from multicast sources will go to the Rendezvous Point, and
+receivers will pull it from a shared tree using IGMP (Internet Group
+Management Protocol).
+
+Multicast receivers will talk IGMP to their local router, so, besides
+having PIM configured in every router, IGMP must also be configured in
+any router where there could be a multicast receiver locally connected.
+
+VyOS supports both IGMP version 2 and version 3 (which allows
+source-specific multicast).
+
+
+Example
+=======
+
+In the following example we can see a basic multicast setup:
+
+.. image:: /_static/images/multicast-basic.png
+   :width: 90%
+   :align: center
+   :alt: Network Topology Diagram
+
+
+
+**Router 1**
+
+.. code-block:: none
+
+   set interfaces ethernet eth2 address '172.16.0.2/24'
+   set interfaces ethernet eth1 address '100.64.0.1/24'
+   set protocols ospf area 0 network '172.16.0.0/24'
+   set protocols ospf area 0 network '100.64.0.0/24'
+   set protocols igmp interface eth1
+   set protocols pim interface eth1
+   set protocols pim interface eth2
+   set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
+
+**Router 3**
+
+.. code-block:: none
+
+   set interfaces dummy dum0 address '172.16.255.1/24'
+   set interfaces ethernet eth0 address '172.16.0.1/24'
+   set interfaces ethernet eth1 address '172.16.1.1/24'
+   set protocols ospf area 0 network '172.16.0.0/24'
+   set protocols ospf area 0 network '172.16.255.0/24'
+   set protocols ospf area 0 network '172.16.1.0/24'
+   set protocols pim interface dum0
+   set protocols pim interface eth0
+   set protocols pim interface eth1
+   set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
+
+**Router 2**
+
+.. code-block:: none
+
+   set interfaces ethernet eth1 address '10.0.0.1/24'
+   set interfaces ethernet eth2 address '172.16.1.2/24'
+   set protocols ospf area 0 network '10.0.0.0/24'
+   set protocols ospf area 0 network '172.16.1.0/24'
+   set protocols pim interface eth1
+   set protocols pim interface eth2
+   set protocols pim rp address 172.16.255.1 group '224.0.0.0/4'
+
+
+
+
+
+Basic commands
+==============
+
+These are the commands for a basic setup.
+
+.. cfgcmd:: set protocols pim interface <interface-name>
+
+   Use this command to enable PIM in the selected interface so that it
+   can communicate with PIM neighbors.
+
+
+.. cfgcmd:: set protocols pim rp address <address> group <multicast-address/mask-bits>
+
+   Use this comand to manually configure a Rendevouz Point for PIM so
+   that join messages can be sent there. Set the Rendevouz Point address
+   and the matching prefix of group ranges covered. These values must
+   be shared with every router participating in the PIM network.
+
+
+.. cfgcmd:: set protocols igmp interface eth1
+
+   Use this command to configure an interface with IGMP so that PIM can
+   receive IGMP reports and query on the selected interface. By defaul
+   IGMP version 3 will be used.
+
+
+
+Tuning commands
+===============
+
+You can also tune multicast with the following commands.
+
+.. cfgcmd:: set protocols pim interface <interface> dr-priority <value>
+
+   Use this PIM command in the selected interface to set the priority
+   (1-4294967295) you want to influence in the election of a node to
+   become the Designated Router for a LAN segment. The default priority
+   is 1, set a  higher value to give the router more preference in the
+   DR election process.
+
+
+.. cfgcmd:: set protocols pim int <interface> hello <seconds>
+
+   Use this command to configure the PIM hello interval in seconds
+   (1-180) for the selected interface.
+
+
+.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds>
+
+   Use this PIM command to modify the the time out value (31-60000
+   seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_
+   flow. 31 seconds is chosen for a lower bound as some hardware
+   platforms cannot see data flowing in better than 30 second chunks.
+
+
+.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> source <IP-address>
+
+   Use this command to allow the selected interface join a multicast
+   group defining the multicast address you want to join and the source
+   IP address too.
+
+
+.. cfgcmd:: set protocols igmp interface <interface query-interval <seconds>
+
+   Use this command to configure in the selected interface the IGMP
+   host query interval (1-1800) in seconds that PIM will use.
+
+
+.. cfgcmd:: set protocols igmp interface <interface query-max-response-time <deciseconds>
+
+   Use this command to configure in the selected interface the IGMP
+   query response timeout value (10-250) in deciseconds. If a report is
+   not returned in the specified time, it will be asumed the `(S,G) or
+   (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has
+   timed out.
+
+
+.. cfgcmd:: set protocols igmp interface <interface> version <version-number>
+
+   Use this command to define in the selected interface whether you
+   choose IGMP version 2 or 3. The default value is 3.
+
+
+
+**********
+IGMP Proxy
+**********
+
+:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages
+on behalf of a connected client. The configuration must define one, and only one
+upstream interface, and one or more downstream interfaces.
+
+Configuration
+=============
+
+.. cfgcmd:: set protocols igmp-proxy interface <interface> role <upstream | downstream>
+
+   * **upstream:** The upstream network interface is the outgoing interface
+     which is responsible for communicating to available multicast data sources.
+     There can only be one upstream interface.
+
+   * **downstream:** Downstream network interfaces are the distribution
+     interfaces to the destination networks, where multicast clients can join
+     groups and receive multicast data. One or more downstream interfaces must
+     be configured.
+
+.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network>
+
+   Defines alternate sources for multicasting and IGMP data. The network address
+   must be on the following format 'a.b.c.d/n'. By default the router will
+   accept data from sources on the same network as configured on an interface.
+   If the multicast source lies on a remote network, one must define from where
+   traffic should be accepted.
+
+   This is especially useful for the upstream interface, since the source for
+   multicast traffic is often from a remote location.
+
+   This option can be supplied multiple times.
+
+.. cfgcmd:: set protocols igmp-proxy disable-quickleave
+
+   Disables quickleave mode. In this mode the daemon will not send a Leave IGMP
+   message upstream as soon as it receives a Leave message for any downstream
+   interface. The daemon will not ask for Membership reports on the downstream
+   interfaces, and if a report is received the group is not joined again
+   upstream.
+
+   If it's vital that the daemon should act exactly as a real multicast client
+   on the upstream interface, this function should be enabled.
+
+   Enabling this function increases the risk of bandwidth saturation.
+
+.. cfgcmd:: set protocols igmp-proxy disable
+
+   Disable this service.
+
+Example
+-------
+
+Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet
+multicast which is in `eth0` WAN we need to configure igmp-proxy.
+
+.. code-block:: none
+
+  set protocols igmp-proxy interface eth0 role upstream
+  set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23
+  set protocols igmp-proxy interface eth1 role downstream
+
+Operation
+=========
+
+.. opcmd:: restart igmp-proxy
+
+   Restart the IGMP proxy process.
+
+
+
diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst
new file mode 100644
index 00000000..819db4df
--- /dev/null
+++ b/docs/configuration/protocols/index.rst
@@ -0,0 +1,23 @@
+#########
+Protocols
+#########
+
+
+.. toctree::
+   :maxdepth: 1
+   :includehidden:
+
+   bfd
+   bgp
+   igmp
+   igmp-proxy
+   is-is
+   mpls
+   ospf
+   ospfv3
+   pim
+   rip
+   ripng
+   rpki
+   static
+   vrf
diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst
new file mode 100644
index 00000000..807dca83
--- /dev/null
+++ b/docs/configuration/protocols/isis.rst
@@ -0,0 +1,74 @@
+.. include:: ../_include/need_improvement.txt
+
+.. _isis:
+
+#####
+IS-IS
+#####
+
+:abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway routing protocol.
+Like OSPF, IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s
+topology and, from that database, to determine the best (that is, shortest) path to a destination.
+The routers exchange topology information with their nearest neighbors.
+IS-IS runs directly on the data link layer (Layer 2).
+IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long.
+
+For example :abbr:`NET (Network Entity Title)`
+
+.. code-block:: none
+
+  49.0001.1921.6800.1002.00
+
+The IS-IS address consists of three parts:
+
+  :abbr:`AFI (Address family authority identifier)`
+    ``49`` The AFI value 49 is what IS-IS uses for private addressing.
+
+  Area identifier:
+    ``0001`` IS-IS area number (Area1)
+
+  System identifier:
+    ``1921.6800.1002`` For system idetifier we recommend to use IP address or MAC address of the router.
+
+  NET selector:
+    ``00`` Must always be 00, to indicate "this system".
+
+Simple IS-IS configuration using 2 nodes and redistributing connected interfaces.
+
+**Node 1:**
+
+.. code-block:: none
+
+  set interfaces dummy dum0 address '203.0.113.1/24'
+  set interfaces ethernet eth1 address '192.0.2.1/24'
+
+  set policy prefix-list EXPORT-ISIS rule 10 action 'permit'
+  set policy prefix-list EXPORT-ISIS rule 10 prefix '203.0.113.0/24'
+  set policy route-map EXPORT-ISIS rule 10 action 'permit'
+  set policy route-map EXPORT-ISIS rule 10 match ip address prefix-list 'EXPORT-ISIS'
+
+  set protocols isis FOO interface eth1
+  set protocols isis FOO net '49.0001.1921.6800.1002.00'
+  set protocols isis FOO redistribute ipv4 connected level-2 route-map 'EXPORT-ISIS'
+
+**Node 2:**
+
+.. code-block:: none
+
+  set interfaces ethernet eth1 address '192.0.2.2/24'
+
+  set protocols isis FOO interface eth1
+  set protocols isis FOO net '49.0001.1921.6800.2002.00'
+
+Show ip routes on Node2:
+
+.. code-block:: none
+
+  vyos@r2:~$ show ip route isis 
+  Codes: K - kernel route, C - connected, S - static, R - RIP,
+         O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+         T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
+         F - PBR, f - OpenFabric,
+         > - selected route, * - FIB route, q - queued route, r - rejected route
+
+  I   203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42
diff --git a/docs/configuration/protocols/mpls.rst b/docs/configuration/protocols/mpls.rst
new file mode 100644
index 00000000..4451c5c3
--- /dev/null
+++ b/docs/configuration/protocols/mpls.rst
@@ -0,0 +1,213 @@
+.. _mpls:
+
+####################################
+MPLS (Multiprotocol Label Switching)
+####################################
+
+:abbr:`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm
+which differs from regular IP forwarding. Instead of IP addresses being used to
+make the decision on finding the exit interface, a router will instead use an
+exact match on a 32 bit/4 byte header called the MPLS label. This label is
+inserted between the ethernet (layer 2) header and the IP (layer 3) header.
+One can statically or dynamically assign label allocations, but we will focus
+on dynamic allocation of labels using some sort of label distribution protocol
+(such as the aptly named Label Distribution Protocol / LDP, Resource Reservation
+Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow
+for the creation of a unidirectional/unicast path called a labeled switched
+path (initialized as LSP) throughout the network that operates very much like
+a tunnel through the network. An easy way of thinking about how an MPLS LSP
+actually forwards traffic throughout a network is to think of a GRE tunnel.
+They are not the same in how they operate, but they are the same in how they
+handle the tunneled packet. It would be good to think of MPLS as a tunneling
+technology that can be used to transport many different types of packets, to
+aid in traffic engineering by allowing one to specify paths throughout the
+network (using RSVP or SR), and to generally allow for easier intra/inter
+network transport of data packets.
+
+For more information on how MPLS label switching works, please go visit
+`Wikipedia (MPLS)`_.
+
+.. note:: MPLS support in VyOS is not finished yet, and therefore its
+   functionality is limited. Currently there is no support for MPLS enabled VPN
+   services such as L3VPNs, L2VPNs, and mVPNs. RSVP support is also not present
+   as the underlying routing stack (FRR) does not implement it. Currently VyOS
+   can be configured as a label switched router (MPLS P router), in both
+   penultimate and ultimate hop popping operations.
+
+Label Distribution Protocol
+===========================
+
+The :abbr:`MPLS (Multi-Protocol Label Switching)` architecture does not assume
+a single protocol to create MPLS paths. VyOS supports the Label Distribution
+Protocol (LDP) as implemented by FRR, based on :rfc:`5036`.
+
+:abbr:`LDP (Label Distribution Protocol)` is a TCP based MPLS signaling protocol
+that distributes labels creating MPLS label switched paths in a dynamic manner.
+LDP is not a routing protocol, as it relies on other routing protocols for
+forwarding decisions. LDP cannot bootstrap itself, and therefore relies on said
+routing protocols for communication with other routers that use LDP.
+
+In order to allow for LDP on the local router to exchange label advertisements
+with other routers, a TCP session will be established between automatically
+discovered and statically assigned routers. LDP will try to establish a TCP
+session to the **transport address** of other routers. Therefore for LDP to
+function properly please make sure the transport address is shown in the
+routing table and reachable to traffic at all times.
+
+It is highly recommended to use the same address for both the LDP router-id and
+the discovery transport address, but for VyOS MPLS LDP to work both parameters
+must be explicitly set in the configuration.
+
+Another thing to keep in mind with LDP is that much like BGP, it is a protocol that
+runs on top of TCP. It however does not have an ability to do something like a
+refresh capability like BGPs route refresh capability. Therefore one might have
+to reset the neighbor for a capability change or a configuration change to work.
+
+Configuration Options
+=====================
+
+.. cfgcmd:: set protocols mpls ldp interface <interface>
+
+  Use this command to enable LDP, and enable MPLS processing on the interface you
+  define.
+
+.. cfgcmd:: set protocols mpls ldp router-id <address>
+
+  Use this command to configure the IP address used as the LDP router-id of the
+  local device.
+
+.. cfgcmd:: set protocols mpls ldp discovery transport-ipv4-address <IPv4 address>
+.. cfgcmd:: set protocols mpls ldp discovery transport-ipv6-address <IPv6 address>
+
+  Use this command to set the IPv4 or IPv6 transport-address used by LDP.
+
+.. cfgcmd:: set protocols mpls ldp neighbor <address> password <password>
+
+  Use this command to configure authentication for LDP peers. Set the
+  IP address of the LDP peer and a password that should be shared in
+  order to become neighbors. 
+  
+.. cfgcmd:: set protocols mpls ldp neighbor <address> session-holdtime <seconds>
+  
+  Use this command to configure a specific session hold time for LDP peers.
+  Set the IP address of the LDP peer and a session hold time that should be
+  configured for it. You may have to reset the neighbor for this to work.
+  
+.. cfgcmd:: set protocols mpls ldp neighbor <address> ttl-security <disable | hop count>
+
+  Use this command to enable, disable, or specify hop count for TTL security
+  for LDP peers. By default the value is set to 255 (or max TTL). 
+
+.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-interval <seconds>
+.. cfgcmd:: set protocols mpls ldp discovery hello-ipv4-holdtime <seconds>
+.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-interval <seconds>
+.. cfgcmd:: set protocols mpls ldp discovery hello-ipv6-holdtime <seconds>
+
+  Use these commands if you would like to set the discovery hello and hold time
+  parameters.
+
+.. cfgcmd:: set protocols mpls ldp discovery session-ipv4-holdtime <seconds>
+.. cfgcmd:: set protocols mpls ldp discovery session-ipv6-holdtime <seconds>
+
+  Use this command if you would like to set the TCP session hold time intervals.
+
+.. cfgcmd:: set protocols mpls ldp export ipv4 explicit-null
+.. cfgcmd:: set protocols mpls ldp export ipv6 explicit-null
+
+  Use this command if you would like for the router to advertise FECs with a label
+  of 0 for explicit null operations.
+  
+.. cfgcmd:: set protocols mpls ldp allocation ipv4 access-list <access list number>
+.. cfgcmd:: set protocols mpls ldp allocation ipv6 access-list6 <access list number>
+
+  Use this command if you would like to control the local FEC allocations for LDP. A
+  good example would be for your local router to not allocate a label for everything.
+  Just a label for what it's useful. A good example would be just a loopback label.
+  
+.. cfgcmd:: set protocols mpls ldp parameters cisco-interop-tlv
+
+  Use this command to use a Cisco non-compliant format to send and interpret the
+  Dual-Stack capability TLV for IPv6 LDP communications. This is related to :rfc:`7552`.
+  
+.. cfgcmd:: set protocols mpls ldp parameters transport-prefer-ipv4
+
+  Use this command to prefer IPv4 for TCP peer transport connection for LDP when
+  both an IPv4 and IPv6 LDP address are configured on the same interface.
+  
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 enable
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 enable
+
+  Use this command to enable targeted LDP sessions to the local router. The router
+  will then respond to any sessions that are trying to connect to it that are not
+  a link local type of TCP connection.
+  
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 address <address>
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 address <address>
+
+  Use this command to enable the local router to try and connect with a targeted
+  LDP session to another router.
+  
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 hello-holdtime <seconds>
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv4 hello-interval <seconds>
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 hello-holdtime <seconds>
+.. cfgcmd:: set protocols mpls ldp targeted-neighbor ipv6 hello-interval <seconds>
+
+  Use these commands if you would like to set the discovery hello and hold time
+  parameters for the targeted LDP neighbors.
+
+
+Sample configuration to setup LDP on VyOS
+-----------------------------------------
+
+.. code-block:: none
+
+  set protocols ospf area 0 network '192.168.255.252/32'                      <--- Routing for loopback
+  set protocols ospf area 0 network '192.168.0.5/32'                          <--- Routing for an interface connecting to the network
+  set protocols ospf parameters router-id '192.168.255.252'                   <--- Router ID setting for OSPF
+  set protocols mpls ldp discovery transport-ipv4-address '192.168.255.252'   <--- Transport address for LDP for TCP sessions to connect to
+  set protocols mpls ldp interface 'eth1'                                     <--- Enable MPLS and LDP for an interface connecting to network
+  set protocols mpls ldp interface 'lo'                                       <--- Enable MPLS and LDP on loopback for future services connectivity
+  set protocols mpls ldp router-id '192.168.255.252'                          <--- Router ID setting for LDP
+  set interfaces ethernet eth1 address '192.168.0.5/31'                       <--- Interface IP for connecting to network
+  set interfaces loopback lo address '192.168.255.252/32'                     <--- Interface loopback IP for router ID and other uses
+
+
+Operational Mode Commands
+=========================
+
+When LDP is working, you will be able to see label information in the outcome
+of ``show ip route``. Besides that information, there are also specific *show*
+commands for LDP:
+
+Show
+----
+
+.. opcmd:: show mpls ldp binding
+
+  Use this command to see the Label Information Base.
+
+.. opcmd:: show mpls ldp discovery
+
+  Use this command to see discovery hello information
+
+.. opcmd:: show mpls ldp interface
+
+  Use this command to see LDP interface information
+
+.. opcmd:: show mpls ldp neighbor
+
+  Use this command to see LDP neighbor information
+
+.. opcmd:: show mpls ldp neighbor detail
+
+  Use this command to see detailed LDP neighbor information
+
+Reset
+-----
+
+.. opcmd:: reset mpls ldp neighbor <IPv4 or IPv6 address>
+
+  Use this command to reset an LDP neighbor/TCP session that is established
+
+
+.. _`Wikipedia (MPLS)`: https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst
new file mode 100644
index 00000000..ff7c5e64
--- /dev/null
+++ b/docs/configuration/protocols/ospf.rst
@@ -0,0 +1,70 @@
+.. include:: /_include/need_improvement.txt
+
+.. _routing-ospf:
+
+####
+OSPF
+####
+
+:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet
+Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls
+into the group of interior gateway protocols (IGPs), operating within a single
+autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998)
+for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340`
+(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)`
+addressing model.
+
+OSPF is a widely used IGP in large enterprise networks.
+
+OSPFv2 (IPv4)
+#############
+
+In order to have a VyOS system exchanging routes with OSPF neighbors, you will
+at least need to configure an OSPF area and some network.
+
+.. code-block:: none
+
+  set protocols ospf area 0 network 192.168.0.0/24
+
+That is the minimum configuration you will need.
+It is a good practice to define the router ID too.
+
+.. code-block:: none
+
+  set protocols ospf parameters router-id 10.1.1.1
+
+
+Below you can see a typical configuration using 2 nodes, redistribute loopback
+address and the node 1 sending the default route:
+
+**Node 1**
+
+.. code-block:: none
+
+  set interfaces loopback lo address 10.1.1.1/32
+  set protocols ospf area 0 network 192.168.0.0/24
+  set protocols ospf default-information originate always
+  set protocols ospf default-information originate metric 10
+  set protocols ospf default-information originate metric-type 2
+  set protocols ospf log-adjacency-changes
+  set protocols ospf parameters router-id 10.1.1.1
+  set protocols ospf redistribute connected metric-type 2
+  set protocols ospf redistribute connected route-map CONNECT
+
+  set policy route-map CONNECT rule 10 action permit
+  set policy route-map CONNECT rule 10 match interface lo
+
+**Node 2**
+
+.. code-block:: none
+
+  set interfaces loopback lo address 10.2.2.2/32
+  set protocols ospf area 0 network 192.168.0.0/24
+  set protocols ospf log-adjacency-changes
+  set protocols ospf parameters router-id 10.2.2.2
+  set protocols ospf redistribute connected metric-type 2
+  set protocols ospf redistribute connected route-map CONNECT
+
+  set policy route-map CONNECT rule 10 action permit
+  set policy route-map CONNECT rule 10 match interface lo
+
diff --git a/docs/configuration/protocols/ospfv3.rst b/docs/configuration/protocols/ospfv3.rst
new file mode 100644
index 00000000..f0e28983
--- /dev/null
+++ b/docs/configuration/protocols/ospfv3.rst
@@ -0,0 +1,71 @@
+OSPFv3 (IPv6)
+#############
+
+A typical configuration using 2 nodes.
+
+**Node 1:**
+
+.. code-block:: none
+
+  set protocols ospfv3 area 0.0.0.0 interface eth1
+  set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
+  set protocols ospfv3 parameters router-id 192.168.1.1
+  set protocols ospfv3 redistribute connected
+
+**Node 2:**
+
+.. code-block:: none
+
+  set protocols ospfv3 area 0.0.0.0 interface eth1
+  set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
+  set protocols ospfv3 parameters router-id 192.168.2.1
+  set protocols ospfv3 redistribute connected
+
+.. note:: You can not easily redistribute IPv6 routes via OSPFv3 on a WireGuard
+   interface link. This requires you to configure link-local addresses manually
+   on the WireGuard interfaces, see :vytask:`T1483`.
+
+Example configuration for WireGuard interfaces:
+
+**Node 1**
+
+.. code-block:: none
+
+  set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'
+  set interfaces wireguard wg01 address '192.168.0.1/24'
+  set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0'
+  set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0'
+  set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345'
+  set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...='
+  set interfaces wireguard wg01 port '12345'
+  set protocols ospfv3 parameters router-id 192.168.1.1
+  set protocols ospfv3 area 0.0.0.0 interface 'wg01'
+  set protocols ospfv3 area 0.0.0.0 interface 'lo'
+
+**Node 2**
+
+.. code-block:: none
+
+  set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'
+  set interfaces wireguard wg01 address '192.168.0.2/24'
+  set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0'
+  set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0'
+  set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345'
+  set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...='
+  set interfaces wireguard wg01 port '12345'
+  set protocols ospfv3 parameters router-id 192.168.1.2
+  set protocols ospfv3 area 0.0.0.0 interface 'wg01'
+  set protocols ospfv3 area 0.0.0.0 interface 'lo'
+
+**Status**
+
+.. code-block:: none
+
+  vyos@ospf01:~$ sh ipv6 ospfv3 neighbor
+  Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State]
+  192.168.0.2       1    00:00:37     Full/PointToPoint    00:18:03 wg01[PointToPoint]
+
+  vyos@ospf02# run sh ipv6 ospfv3 neighbor
+  Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State]
+  192.168.0.1       1    00:00:39     Full/PointToPoint    00:19:44 wg01[PointToPoint]
+
diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst
new file mode 100644
index 00000000..1dd373d8
--- /dev/null
+++ b/docs/configuration/protocols/pim.rst
@@ -0,0 +1,2 @@
+PIM
+###
\ No newline at end of file
diff --git a/docs/configuration/protocols/rip.rst b/docs/configuration/protocols/rip.rst
new file mode 100644
index 00000000..0d73ad34
--- /dev/null
+++ b/docs/configuration/protocols/rip.rst
@@ -0,0 +1,37 @@
+.. include:: /_include/need_improvement.txt
+
+.. _rip:
+
+###
+RIP
+###
+
+:abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway
+protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS
+routing protocol. RIP is a distance-vector protocol and is based on the
+Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates
+to its neighbors periodically, thus allowing the convergence to a known
+topology. In each update, the distance to any given network will be broadcast
+to its neighboring router.
+
+Supported versions of RIP are:
+* RIPv1 as described in :rfc:`1058`
+* RIPv2 as described in :rfc:`2453`
+
+Simple RIP configuration using 2 nodes and redistributing connected interfaces.
+
+**Node 1:**
+
+.. code-block:: none
+
+  set interfaces loopback address 10.1.1.1/32
+  set protocols rip network 192.168.0.0/24
+  set protocols rip redistribute connected
+
+**Node 2:**
+
+.. code-block:: none
+
+  set interfaces loopback address 10.2.2.2/32
+  set protocols rip network 192.168.0.0/24
+  set protocols rip redistribute connected
diff --git a/docs/configuration/protocols/ripng.rst b/docs/configuration/protocols/ripng.rst
new file mode 100644
index 00000000..dec6bddf
--- /dev/null
+++ b/docs/configuration/protocols/ripng.rst
@@ -0,0 +1,3 @@
+#####
+RIPng
+#####
\ No newline at end of file
diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst
new file mode 100644
index 00000000..9813b1b6
--- /dev/null
+++ b/docs/configuration/protocols/rpki.rst
@@ -0,0 +1,113 @@
+.. _rpki:
+
+####
+RPKI
+####
+
+.. pull-quote::
+
+   There are two types of Network Admins who deal with BGP, those who have
+   created an international incident and/or outage, and those who are lying
+
+   -- `tweet by EvilMog`_, 2020-02-21
+
+:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI
+(Public Key Infrastructure)` designed to secure the Internet routing
+infrastructure. It associates BGP route announcements with the correct
+originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then
+use to check each route against the corresponding :abbr:`ROA (Route Origin
+Authorisation)` for validity. RPKI is described in :rfc:`6480`.
+
+A BGP-speaking router like VyOS can retrieve ROA information from RPKI
+"Relying Party software" (often just called an "RPKI server" or "RPKI
+validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several
+open source implementations to choose from, such as NLNetLabs' Routinator_
+(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and
+RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described
+in :rfc:`8210`.
+
+.. tip::
+  If you are new to these routing security technologies then there is an
+  `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed
+  very quickly. Their documentation explains everything from what RPKI is to
+  deploying it in production (albeit with a focus on using NLnet Labs'
+  tools). It also has some `help and operational guidance`_ including
+  "What can I do about my route having an Invalid state?"
+
+First you will need to deploy an RPKI validator for your routers to use. The
+RIPE NCC helpfully provide `some instructions`_ to get you started with
+several different options.  Once your server is running you can start
+validating announcements.
+
+Imported prefixes during the validation may have values:
+
+  valid
+    The prefix and ASN that originated it match a signed ROA. These are
+    probably trustworthy route announcements.
+
+  invalid
+    The prefix or prefix length and ASN that originated it doesn't
+    match any existing ROA. This could be the result of a prefix hijack, or
+    merely a misconfiguration, but should probably be treated as
+    untrustworthy route announcements.
+
+  notfound
+    No ROA exists which covers that prefix. Unfortunately this is the case
+    for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ
+    (default-free zone)` at the start of 2020 (see more detail in
+    NLnet Labs' `RPKI analytics`_).
+
+.. note::
+  If you are responsible for the global addresses assigned to your
+  network, please make sure that your prefixes have ROAs associated with them
+  to avoid being `notfound` by RPKI. For most ASNs this will involve
+  publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE
+  NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged
+  to do whenever you plan to announce addresses into the DFZ.
+
+  Particularly large networks may wish to run their own RPKI certificate
+  authority and publication server instead of publishing ROAs via their RIR.
+  This is a subject far beyond the scope of VyOS' documentation. Consider
+  reading about Krill_ if this is a rabbit hole you need or especially want
+  to dive down.
+
+We can build route-maps for import based on these states. Here is a simple
+RPKI configuration, where `routinator` is the RPKI-validating "cache"
+server with ip `192.0.2.1`:
+
+.. code-block:: none
+
+  set protocols rpki cache routinator address '192.0.2.1'
+  set protocols rpki cache routinator port '3323'
+
+Here is an example route-map to apply to routes learned at import. In this
+filter we reject prefixes with the state `invalid`, and set a higher
+`local-preference` if the prefix is RPKI `valid` rather than merely
+`notfound`.
+
+.. code-block:: none
+
+  set policy route-map ROUTES-IN rule 10 action 'permit'
+  set policy route-map ROUTES-IN rule 10 match rpki 'valid'
+  set policy route-map ROUTES-IN rule 10 set local-preference '300'
+  set policy route-map ROUTES-IN rule 20 action 'permit'
+  set policy route-map ROUTES-IN rule 20 match rpki 'notfound'
+  set policy route-map ROUTES-IN rule 20 set local-preference '125'
+  set policy route-map ROUTES-IN rule 30 action 'deny'
+  set policy route-map ROUTES-IN rule 30 match rpki 'invalid'
+
+Once your routers are configured to reject RPKI-invalid prefixes, you can
+test whether the configuration is working correctly using the `RIPE Labs RPKI
+Test`_ experimental tool.
+
+.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216
+.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/
+.. _GoRTR: https://github.com/cloudflare/gortr
+.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki
+.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources
+.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator
+.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/
+.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/
+.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/
+.. _excellent guide to RPKI: https://rpki.readthedocs.io/
+.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html
diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst
new file mode 100644
index 00000000..43b77c41
--- /dev/null
+++ b/docs/configuration/protocols/static.rst
@@ -0,0 +1,200 @@
+.. _static-routing:
+
+######
+Static
+######
+
+Static routes are manually configured routes, which, in general, cannot be
+updated dynamically from information VyOS learns about the network topology from
+other routing protocols. However, if a link fails, the router will remove
+routes, including static routes, from the :abbr:`RIPB (Routing Information
+Base)` that used this interface to reach the next hop. In general, static
+routes should only be used for very simple network topologies, or to override
+the behavior of a dynamic routing protocol for a small number of routes. The
+collection of all routes the router has learned from its configuration or from
+its dynamic routing protocols is stored in the RIB. Unicast routes are directly
+used to determine the forwarding table used for unicast packet forwarding.
+
+*************
+Static Routes
+*************
+
+.. cfgcmd:: set protocols static route <subnet> next-hop <address>
+
+   Configure next-hop `<address>` for an IPv4 static route. Multiple static
+   routes can be created.
+
+.. cfgcmd:: set protocols static route <subnet> next-hop <address> disable
+
+   Disable this IPv4 static route entry.
+
+.. cfgcmd:: set protocols static route <subnet> next-hop <address> distance <distance>
+
+   Defines next-hop distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+   Range is 1 to 255, default is 1.
+
+   .. note:: Routes with a distance of 255 are effectively disabled and not
+      installed into the kernel.
+
+.. cfgcmd:: set protocols static route6 <subnet> next-hop <address>
+
+   Configure next-hop `<address>` for an IPv6 static route. Multiple static
+   routes can be created.
+
+.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> disable
+
+   Disable this IPv6 static route entry.
+
+.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> distance <distance>
+
+   Defines next-hop distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+   Range is 1 to 255, default is 1.
+
+   .. note:: Routes with a distance of 255 are effectively disabled and not
+      installed into the kernel.
+
+
+Interface Routes
+================
+
+.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface>
+
+   Allows you to configure the next-hop interface for an interface-based IPv4
+   static route. `<interface>` will be the next-hop interface where trafic is
+   routed for the given `<subnet>`.
+
+.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> disable
+
+   Disables interface-based IPv4 static route.
+
+.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> distance <distance>
+
+   Defines next-hop distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+   Range is 1 to 255, default is 1.
+
+.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface>
+
+   Allows you to configure the next-hop interface for an interface-based IPv6
+   static route. `<interface>` will be the next-hop interface where trafic is
+   routed for the given `<subnet>`.
+
+.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> disable
+
+   Disables interface-based IPv6 static route.
+
+.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> distance <distance>
+
+   Defines next-hop distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+   Range is 1 to 255, default is 1.
+
+
+Blackhole
+=========
+
+.. cfgcmd:: set protocols static route <subnet> blackhole
+
+   Use this command to configure a "black-hole" route on the router. A
+   black-hole route is a route for which the system silently discard packets
+   that are matched. This prevents networks leaking out public interfaces, but
+   it does not prevent them from being used as a more specific route inside your
+   network.
+
+.. cfgcmd:: set protocols static route <subnet> blackhole distance <distance>
+
+   Defines blackhole distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+.. cfgcmd:: set protocols static route6 <subnet> blackhole
+
+   Use this command to configure a "black-hole" route on the router. A
+   black-hole route is a route for which the system silently discard packets
+   that are matched. This prevents networks leaking out public interfaces, but
+   it does not prevent them from being used as a more specific route inside your
+   network.
+
+.. cfgcmd:: set protocols static route6 <subnet> blackhole distance <distance>
+
+   Defines blackhole distance for this route, routes with smaller administrative
+   distance are elected prior those with a higher distance.
+
+
+Alternate Routing Tables
+========================
+
+TBD
+
+Alternate routing tables are used with policy based routing of by utilizing
+:ref:`vrf`.
+
+
+.. _routing-arp:
+
+###
+ARP
+###
+
+:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for
+discovering the link layer address, such as a MAC address, associated with a
+given internet layer address, typically an IPv4 address. This mapping is a
+critical function in the Internet protocol suite. ARP was defined in 1982 by
+:rfc:`826` which is Internet Standard STD 37.
+
+In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is
+provided by the Neighbor Discovery Protocol (NDP).
+
+To manipulate or display ARP_ table entries, the following commands are
+implemented.
+
+*********
+Configure
+*********
+
+.. cfgcmd:: set protocols static arp <address> hwaddr <mac>
+
+   This will configure a static ARP entry always resolving `<address>` to
+   `<mac>`.
+
+   Example:
+
+   .. code-block:: none
+
+     set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa
+
+
+*********
+Operation
+*********
+
+
+.. opcmd:: show protocols static arp
+
+   Display all known ARP table entries spanning across all interfaces
+
+.. code-block:: none
+
+  vyos@vyos:~$ show protocols static arp
+  Address                  HWtype  HWaddress           Flags Mask     Iface
+  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1
+  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1
+
+
+.. opcmd:: show protocols static arp interface eth1
+
+   Display all known ARP table entries on a given interface only (`eth1`):
+
+.. code-block:: none
+
+  vyos@vyos:~$ show protocols static arp interface eth1
+  Address                  HWtype  HWaddress           Flags Mask     Iface
+  10.1.1.1                 ether   00:53:00:de:23:2e   C              eth1
+  10.1.1.100               ether   00:53:00:de:23:aa   CM             eth1
+
+.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol
diff --git a/docs/configuration/protocols/vrf.rst b/docs/configuration/protocols/vrf.rst
new file mode 100644
index 00000000..e7609a77
--- /dev/null
+++ b/docs/configuration/protocols/vrf.rst
@@ -0,0 +1,3 @@
+#############
+Protocols VRF
+#############