diff options
author | Daniel Thorpe <1077065+dantho281@users.noreply.github.com> | 2021-02-11 02:25:57 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-11 02:25:57 +0000 |
commit | e88fba68357181bd54fcc7489cbba08780cee6cd (patch) | |
tree | b67e88b1208fa835edf0420a42dd2b624ec2105b /docs/routing | |
parent | dab473bfd04ab2930c043b853ba9995d1ff335e6 (diff) | |
parent | f33b0c78b07c80998d2c0e64d6a20bcb109f6db5 (diff) | |
download | vyos-documentation-e88fba68357181bd54fcc7489cbba08780cee6cd.tar.gz vyos-documentation-e88fba68357181bd54fcc7489cbba08780cee6cd.zip |
Merge pull request #1 from vyos/master
Update fork
Diffstat (limited to 'docs/routing')
-rw-r--r-- | docs/routing/arp.rst | 59 | ||||
-rw-r--r-- | docs/routing/bfd.rst | 117 | ||||
-rw-r--r-- | docs/routing/bgp.rst | 335 | ||||
-rw-r--r-- | docs/routing/index.rst | 21 | ||||
-rw-r--r-- | docs/routing/mpls.rst | 107 | ||||
-rw-r--r-- | docs/routing/mss-clamp.rst | 43 | ||||
-rw-r--r-- | docs/routing/multicast.rst | 245 | ||||
-rw-r--r-- | docs/routing/ospf.rst | 140 | ||||
-rw-r--r-- | docs/routing/pbr.rst | 105 | ||||
-rw-r--r-- | docs/routing/rip.rst | 36 | ||||
-rw-r--r-- | docs/routing/routing-policy.rst | 60 | ||||
-rw-r--r-- | docs/routing/rpki.rst | 113 | ||||
-rw-r--r-- | docs/routing/static.rst | 134 |
13 files changed, 0 insertions, 1515 deletions
diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst deleted file mode 100644 index 5f3115ab..00000000 --- a/docs/routing/arp.rst +++ /dev/null @@ -1,59 +0,0 @@ -.. _routing-arp: - -### -ARP -### - -:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for -discovering the link layer address, such as a MAC address, associated with a -given internet layer address, typically an IPv4 address. This mapping is a -critical function in the Internet protocol suite. ARP was defined in 1982 by -:rfc:`826` which is Internet Standard STD 37. - -In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is -provided by the Neighbor Discovery Protocol (NDP). - -To manipulate or display ARP_ table entries, the following commands are -implemented. - -Configure -========= - -.. cfgcmd:: set protocols static arp <address> hwaddr <mac> - - This will configure a static ARP entry always resolving `<address>` to - `<mac>`. - - Example: - - .. code-block:: none - - set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa - -Operation -========= - -.. opcmd:: show protocols static arp - - Display all known ARP table entries spanning across all interfaces - -.. code-block:: none - - vyos@vyos:~$ show protocols static arp - Address HWtype HWaddress Flags Mask Iface - 10.1.1.1 ether 00:53:00:de:23:2e C eth1 - 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 - - -.. opcmd:: show protocols static arp interface eth1 - - Display all known ARP table entries on a given interface only (`eth1`): - -.. code-block:: none - - vyos@vyos:~$ show protocols static arp interface eth1 - Address HWtype HWaddress Flags Mask Iface - 10.1.1.1 ether 00:53:00:de:23:2e C eth1 - 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 - -.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol diff --git a/docs/routing/bfd.rst b/docs/routing/bfd.rst deleted file mode 100644 index 1d494332..00000000 --- a/docs/routing/bfd.rst +++ /dev/null @@ -1,117 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -.. _routing-bfd: - -### -BFD -### - -:abbr:`BFD (Bidirectional Forwarding Detection)` is described and extended by -the following RFCs: :rfc:`5880`, :rfc:`5881` and :rfc:`5883`. - - -Configure BFD -============= - -.. cfgcmd:: set protocols bfd peer <address> - - Set BFD peer IPv4 address or IPv6 address - -.. cfgcmd:: set protocols bfd peer <address> echo-mode - - Enables the echo transmission mode - -.. cfgcmd:: set protocols bfd peer <address> multihop - - Allow this BFD peer to not be directly connected - -.. cfgcmd:: set protocols bfd peer <address> source [address <address> | interface <interface>] - - Bind listener to specifid interface/address, mandatory for IPv6 - -.. cfgcmd:: set protocols bfd peer <address> interval echo-interval <10-60000> - - The minimal echo receive transmission interval that this system is capable of handling - -.. cfgcmd:: set protocols bfd peer <address> interval multiplier <2-255> - - Remote transmission interval will be multiplied by this value - -.. cfgcmd:: set protocols bfd peer <address> interval [receive | transmit] <10-60000> - - Interval in milliseconds - -.. cfgcmd:: set protocols bfd peer <address> shutdown - - Disable a BFD peer - - -Enable BFD in BGP ------------------ - -.. cfgcmd:: set protocols bgp <asn> neighbor <address> bfd - - Enable BFD on a single BGP neighbor - -.. cfgcmd:: set protocols bgp <asn> peer-group <group> bfd - - Enable BFD on a BGP peer group - - - -Enable BFD in OSPF ------------------- - -.. cfgcmd:: set interfaces ethernet <ethN> ip ospf bfd - - Enable BFD for ospf on a interface - -.. cfgcmd:: set interfaces ethernet <ethN> ipv6 ospfv3 bfd - - Enable BFD for ospfv3 on a interface - - - -Operational Commands -==================== - -.. opcmd:: show protocols bfd peer - - Show all BFD peers - - .. code-block:: none - - BFD Peers: - peer 198.51.100.33 vrf default interface eth4.100 - ID: 4182341893 - Remote ID: 12678929647 - Status: up - Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - - peer 198.51.100.55 vrf default interface eth4.101 - ID: 4618932327 - Remote ID: 3312345688 - Status: up - Uptime: 20 hour(s), 16 minute(s), 19 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - - diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst deleted file mode 100644 index 2c5e7089..00000000 --- a/docs/routing/bgp.rst +++ /dev/null @@ -1,335 +0,0 @@ -.. _bgp: - -### -BGP -### - -:abbr:`BGP (Border Gateway Protocol) is one of the Exterior Gateway Protocols -and the de facto standard interdomain routing protocol. The latest BGP version -is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858` -adds multiprotocol support to BGP. - -VyOS makes use of :abbr:`FRR (Free Range Routing)` and we would like to thank -them for their effort! - -Basic Concepts -============== - -.. _bgp-autonomous-systems: - -Autonomous Systems ------------------- - -From :rfc:`1930`: - - An AS is a connected group of one or more IP prefixes run by one or more - network operators which has a SINGLE and CLEARLY DEFINED routing policy. - -Each AS has an identifying number associated with it called an :abbr:`ASN -(Autonomous System Number)`. This is a two octet value ranging in value from 1 -to 65535. The AS numbers 64512 through 65535 are defined as private AS numbers. -Private AS numbers must not be advertised on the global Internet. - -The :abbr:`ASN (Autonomous System Number)` is one of the essential elements of -BGP. BGP is a distance vector routing protocol, and the AS-Path framework -provides distance vector metric and loop detection to BGP. - -.. _bgp-address-families: - -Address Families ----------------- - -Multiprotocol extensions enable BGP to carry routing information for multiple -network layer protocols. BGP supports an Address Family Identifier (AFI) for -IPv4 and IPv6. - -.. _bgp-route-selection: - -Route Selection ---------------- - -The route selection process used by FRR's BGP implementation uses the following -decision criterion, starting at the top of the list and going towards the -bottom until one of the factors can be used. - -1. **Weight check** - - Prefer higher local weight routes to lower routes. - -2. **Local preference check** - - Prefer higher local preference routes to lower. - -3. **Local route check** - - Prefer local routes (statics, aggregates, redistributed) to received routes. - -4. **AS path length check** - - Prefer shortest hop-count AS_PATHs. - -5. **Origin check** - - Prefer the lowest origin type route. That is, prefer IGP origin routes to - EGP, to Incomplete routes. - -6. **MED check** - - Where routes with a MED were received from the same AS, prefer the route - with the lowest MED. - -7. **External check** - - Prefer the route received from an external, eBGP peer over routes received - from other types of peers. - -8. **IGP cost check** - - Prefer the route with the lower IGP cost. - -9. **Multi-path check** - - If multi-pathing is enabled, then check whether the routes not yet - distinguished in preference may be considered equal. If - :cfgcmd:`bgp bestpath as-path multipath-relax` is set, all such routes are - considered equal, otherwise routes received via iBGP with identical AS_PATHs - or routes received from eBGP neighbours in the same AS are considered equal. - -10. **Already-selected external check** - - Where both routes were received from eBGP peers, then prefer the route - which is already selected. Note that this check is not applied if - :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can - prevent some cases of oscillation. - -11. **Router-ID check** - - Prefer the route with the lowest `router-ID`. If the route has an - `ORIGINATOR_ID` attribute, through iBGP reflection, then that router ID is - used, otherwise the `router-ID` of the peer the route was received from is - used. - -12. **Cluster-List length check** - - The route with the shortest cluster-list length is used. The cluster-list - reflects the iBGP reflection path the route has taken. - -13. **Peer address** - - Prefer the route received from the peer with the higher transport layer - address, as a last-resort tie-breaker. - -.. _bgp-capability-negotiation: - -Capability Negotiation ----------------------- - -When adding IPv6 routing information exchange feature to BGP. There were some -proposals. :abbr:`IETF (Internet Engineering Task Force)` -:abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol -Extension for BGP. The specification is described in :rfc:`2283`. The protocol -does not define new protocols. It defines new attributes to existing BGP. When -it is used exchanging IPv6 routing information it is called BGP-4+. When it is -used for exchanging multicast routing information it is called MBGP. - -*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports -the protocol, *bgpd* can exchange IPv6 and/or multicast routing information. - -Traditional BGP did not have the feature to detect a remote peer's -capabilities, e.g. whether it can handle prefix types other than IPv4 unicast -routes. This was a big problem using Multiprotocol Extension for BGP in an -operational network. :rfc:`2842` adopted a feature called Capability -Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's -capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* -does not send these Capability Negotiation packets (at least not unless other -optional BGP features require capability negotiation). - -By default, FRR will bring up peering with minimal common capability for the -both sides. For example, if the local router has unicast and multicast -capabilities and the remote router only has unicast capability the local router -will establish the connection with unicast only capability. When there are no -common capabilities, FRR sends Unsupported Capability error and then resets the -connection. - -.. _bgp-router-configuration: - -BGP Router Configuration -======================== - -ASN and Router ID ------------------ - -.. cfgcmd:: set protocols bgp <asn> - - First of all you must configure BGP router with the :abbr:`ASN (Autonomous - System Number)`. The AS number is an identifier for the autonomous system. - The BGP protocol uses the AS number for detecting whether the BGP connection - is internal or external. - -.. cfgcmd:: set protocols bgp <asn> parameters router-id - - This command specifies the router-ID. If router ID is not specified it will - use the highest interface IP address. - -Route Selection ---------------- - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path confed - - This command specifies that the length of confederation path sets and - sequences should be taken into account during the BGP best path - decision process. - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path multipath-relax - - This command specifies that BGP decision process should consider paths - of equal AS_PATH length candidates for multipath computation. Without - the knob, the entire AS_PATH must match for multipath computation. - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path ignore - - Ignore AS_PATH length when selecting a route - -IPv4 -^^^^ - -A simple eBGP configuration: - -**Node 1:** - -.. code-block:: none - - set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2' - set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535' - set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1' - set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16' - set protocols bgp 65534 parameters router-id '192.168.0.1' - -**Node 2:** - -.. code-block:: none - - set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2' - set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534' - set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2' - set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16' - set protocols bgp 65535 parameters router-id '192.168.0.2' - - -Don't forget, the CIDR declared in the network statement MUST **exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -.. code-block:: none - - set protocols static route 172.16.0.0/16 blackhole distance '254' - -**Node 2:** - -.. code-block:: none - - set protocols static route 172.17.0.0/16 blackhole distance '254' - - -IPv6 -^^^^ - -A simple BGP configuration via IPv6. - -**Node 1:** - -.. code-block:: none - - set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2' - set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535' - set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast - set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48' - set protocols bgp 65534 parameters router-id '10.1.1.1' - -**Node 2:** - -.. code-block:: none - - set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2' - set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534' - set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast - set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48' - set protocols bgp 65535 parameters router-id '10.1.1.2' - -Don't forget, the CIDR declared in the network statement **MUST exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -.. code-block:: none - - set protocols static route6 2001:db8:1::/48 blackhole distance '254' - -**Node 2:** - -.. code-block:: none - - set protocols static route6 2001:db8:2::/48 blackhole distance '254' - -Route Filter -^^^^^^^^^^^^ - -Route filter can be applied using a route-map: - -**Node1:** - -.. code-block:: none - - set policy prefix-list AS65535-IN rule 10 action 'permit' - set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16' - set policy prefix-list AS65535-OUT rule 10 action 'deny' - set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16' - set policy prefix-list6 AS65535-IN rule 10 action 'permit' - set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48' - set policy prefix-list6 AS65535-OUT rule 10 action 'deny' - set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48' - set policy route-map AS65535-IN rule 10 action 'permit' - set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN' - set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN' - set policy route-map AS65535-IN rule 20 action 'deny' - set policy route-map AS65535-OUT rule 10 action 'deny' - set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT' - set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT' - set policy route-map AS65535-OUT rule 20 action 'permit' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map import 'AS65535-IN' - -**Node2:** - -.. code-block:: none - - set policy prefix-list AS65534-IN rule 10 action 'permit' - set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16' - set policy prefix-list AS65534-OUT rule 10 action 'deny' - set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16' - set policy prefix-list6 AS65534-IN rule 10 action 'permit' - set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48' - set policy prefix-list6 AS65534-OUT rule 10 action 'deny' - set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48' - set policy route-map AS65534-IN rule 10 action 'permit' - set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN' - set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN' - set policy route-map AS65534-IN rule 20 action 'deny' - set policy route-map AS65534-OUT rule 10 action 'deny' - set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT' - set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT' - set policy route-map AS65534-OUT rule 20 action 'permit' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map import 'AS65534-IN' - -We could expand on this and also deny link local and multicast in the rule 20 -action deny. diff --git a/docs/routing/index.rst b/docs/routing/index.rst deleted file mode 100644 index a34bbfac..00000000 --- a/docs/routing/index.rst +++ /dev/null @@ -1,21 +0,0 @@ -.. _routing: - -####### -Routing -####### - -.. toctree:: - :maxdepth: 1 - - arp - bfd - bgp - mpls - mss-clamp - multicast - ospf - pbr - rip - routing-policy - rpki - static diff --git a/docs/routing/mpls.rst b/docs/routing/mpls.rst deleted file mode 100644 index c6d9d0fe..00000000 --- a/docs/routing/mpls.rst +++ /dev/null @@ -1,107 +0,0 @@ -.. _mpls: - -**** -MPLS -**** - - -Label Distribution Protocol -=========================== - - -.. note:: VyOS' MPLS support is not finished yet, its funcitionality is - limited. Currently it can only be configured as a P router, that is, - an LSR in the core of an MPLS network. - - -The **Multi-Protocol Label Switching** (MPLS) architecture does not -assume a single protocol to create MPLS paths. VyOS supports the Label -Distribution Protocol (LDP) as implemented by FRR, based on `RFC 5036 <https://tools.ietf.org/html/rfc5036.html>`__. - -LDT it is an MPLS signaling protocol that distributes labels creating -MPLS paths in a dynamic manner. LDT is not exactly a routing protocol, -as it relies on other routing protocols for forwarding decisions. - - -.. cfgcmd:: set protocols mpls ldp interface <interface> - - Use this command to enable LDP in the interface you define. - - -.. cfgcmd:: set protocols mpls ldp router-id <address> - - Use this command to configure the IP address used as the LDP - router-id of the local device - - -In order to allow the exchange of label advertisements required for LDP, -a TCP session should be established between routers. Routers will need -to learn each other's **transport address** in order to establish the -TCP session. - -You may want to use the same address for both the LDP router-id and the -discovery transport address, but for VyOS MPLS LDP to work both -parameters must be explicitely set in the configuration. - - -.. cfgcmd:: set protocols mpls ldp discovery transport-ipv4-address | transport-ipv6-address <address> - - Use this command to set the IPv4 or IPv6 transport-address used by - LDP. - -.. cfgcmd:: set protocols mpls ldp neighbor <address> password <password> - - Use this command to configure authentication for LDP peers. Set the - IP address of the LDP peer and a password that should be shared in - order to become neighbors. - - -Example -------- - -.. code-block:: none - - set interfaces dummy dum0 address '2.2.2.2/32' - set interfaces ethernet eth1 address '10.0.0.2/24' - set interfaces ethernet eth2 address '10.0.255.1/24' - set protocols mpls ldp discovery transport-ipv4-address '2.2.2.2' - set protocols mpls ldp interface 'eth1' - set protocols mpls ldp interface 'eth2' - set protocols mpls ldp router-id '2.2.2.2' - set protocols ospf area 0 network '0.0.0.0/0' - set protocols ospf parameters router-id '2.2.2.2' - - -show commands -------------- - -When LDP is working, you will be able to see label information in the -outcome of ``show ip route``. Besides that information, there are also -specific *show* commands for LDP: - - -.. opcmd:: show mpls ldp binding - - Use this command to see the Label Information Base. - - -.. opcmd:: show mpls ldp discovery - - Use this command to see Discovery Hello information - - -.. opcmd:: show mpls ldp interface - - Use this command to see LDP interface information - - -.. opcmd:: show mpls ldp neighbor - - Uset this command to see LDP neighbor information - - -.. opcmd:: show mpls ldp neighbor detail - - Uset this command to see detailed LDP neighbor information - - diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst deleted file mode 100644 index 923b1338..00000000 --- a/docs/routing/mss-clamp.rst +++ /dev/null @@ -1,43 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -.. _routing-mss-clamp: - -TCP-MSS Clamping ----------------- - -As Internet wide PMTU discovery rarely works we sometimes need to clamp our TCP -MSS value to a specific value. Starting with VyOS 1.2 there is a firewall option -to clamp your TCP MSS value for IPv4 and IPv6. - -Clamping can be disabled per interface using the `disable` keyword: - -.. code-block:: none - - set firewall options interface pppoe0 disable - -IPv4 -^^^^ - -Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and `1372` -for your WireGuard `wg02` tunnel. - -.. code-block:: none - - set firewall options interface pppoe0 adjust-mss '1452' - set firewall options interface wg02 adjust-mss '1372' - -IPv6 -^^^^^ - -Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and -`wg02` interface. - -To achieve the same for IPv6 please use: - -.. code-block:: none - - set firewall options interface pppoe0 adjust-mss6 '1280' - set firewall options interface wg02 adjust-mss6 '1280' - -.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 - bytes on a 1492 byte MTU. diff --git a/docs/routing/multicast.rst b/docs/routing/multicast.rst deleted file mode 100644 index d20d8e31..00000000 --- a/docs/routing/multicast.rst +++ /dev/null @@ -1,245 +0,0 @@ -.. _multicast: - -######### -Multicast -######### - -VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, -**IGMP** and **IGMP-Proxy**. - - -************ -PIM and IGMP -************ - -PIM (Protocol Independent Multicast) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, -unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using IGMP (Internet Group -Management Protocol). - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - - -Example -======= - -In the following example we can see a basic multicast setup: - -.. image:: /_static/images/multicast-basic.png - :width: 90% - :align: center - :alt: Network Topology Diagram - - - -**Router 1** - -.. code-block:: none - - set interfaces ethernet eth2 address '172.16.0.2/24' - set interfaces ethernet eth1 address '100.64.0.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '100.64.0.0/24' - set protocols igmp interface eth1 - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 3** - -.. code-block:: none - - set interfaces dummy dum0 address '172.16.255.1/24' - set interfaces ethernet eth0 address '172.16.0.1/24' - set interfaces ethernet eth1 address '172.16.1.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '172.16.255.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface dum0 - set protocols pim interface eth0 - set protocols pim interface eth1 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 2** - -.. code-block:: none - - set interfaces ethernet eth1 address '10.0.0.1/24' - set interfaces ethernet eth2 address '172.16.1.2/24' - set protocols ospf area 0 network '10.0.0.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - - - - - -Basic commands -============== - -These are the commands for a basic setup. - -.. cfgcmd:: set protocols pim interface <interface-name> - - Use this command to enable PIM in the selected interface so that it - can communicate with PIM neighbors. - - -.. cfgcmd:: set protocols pim rp address <address> group <multicast-address/mask-bits> - - Use this comand to manually configure a Rendevouz Point for PIM so - that join messages can be sent there. Set the Rendevouz Point address - and the matching prefix of group ranges covered. These values must - be shared with every router participating in the PIM network. - - -.. cfgcmd:: set protocols igmp interface eth1 - - Use this command to configure an interface with IGMP so that PIM can - receive IGMP reports and query on the selected interface. By defaul - IGMP version 3 will be used. - - - -Tuning commands -=============== - -You can also tune multicast with the following commands. - -.. cfgcmd:: set protocols pim interface <interface> dr-priority <value> - - Use this PIM command in the selected interface to set the priority - (1-4294967295) you want to influence in the election of a node to - become the Designated Router for a LAN segment. The default priority - is 1, set a higher value to give the router more preference in the - DR election process. - - -.. cfgcmd:: set protocols pim int <interface> hello <seconds> - - Use this command to configure the PIM hello interval in seconds - (1-180) for the selected interface. - - -.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds> - - Use this PIM command to modify the the time out value (31-60000 - seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ - flow. 31 seconds is chosen for a lower bound as some hardware - platforms cannot see data flowing in better than 30 second chunks. - - -.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> source <IP-address> - - Use this command to allow the selected interface join a multicast - group defining the multicast address you want to join and the source - IP address too. - - -.. cfgcmd:: set protocols igmp interface <interface query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. - - -.. cfgcmd:: set protocols igmp interface <interface query-max-response-time <deciseconds> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be asumed the `(S,G) or - (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has - timed out. - - -.. cfgcmd:: set protocols igmp interface <interface> version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. The default value is 3. - - - -********** -IGMP Proxy -********** - -:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -Configuration -============= - -.. cfgcmd:: set protocols igmp-proxy interface <interface> role <upstream | downstream> - - * **upstream:** The upstream network interface is the outgoing interface - which is responsible for communicating to available multicast data sources. - There can only be one upstream interface. - - * **downstream:** Downstream network interfaces are the distribution - interfaces to the destination networks, where multicast clients can join - groups and receive multicast data. One or more downstream interfaces must - be configured. - -.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> - - Defines alternate sources for multicasting and IGMP data. The network address - must be on the following format 'a.b.c.d/n'. By default the router will - accept data from sources on the same network as configured on an interface. - If the multicast source lies on a remote network, one must define from where - traffic should be accepted. - - This is especially useful for the upstream interface, since the source for - multicast traffic is often from a remote location. - - This option can be supplied multiple times. - -.. cfgcmd:: set protocols igmp-proxy disable-quickleave - - Disables quickleave mode. In this mode the daemon will not send a Leave IGMP - message upstream as soon as it receives a Leave message for any downstream - interface. The daemon will not ask for Membership reports on the downstream - interfaces, and if a report is received the group is not joined again - upstream. - - If it's vital that the daemon should act exactly as a real multicast client - on the upstream interface, this function should be enabled. - - Enabling this function increases the risk of bandwidth saturation. - -.. cfgcmd:: set protocols igmp-proxy disable - - Disable this service. - -Example -------- - -Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet -multicast which is in `eth0` WAN we need to configure igmp-proxy. - -.. code-block:: none - - set protocols igmp-proxy interface eth0 role upstream - set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 - set protocols igmp-proxy interface eth1 role downstream - -Operation -========= - -.. opcmd:: restart igmp-proxy - - Restart the IGMP proxy process. - - - diff --git a/docs/routing/ospf.rst b/docs/routing/ospf.rst deleted file mode 100644 index fbe8984f..00000000 --- a/docs/routing/ospf.rst +++ /dev/null @@ -1,140 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -.. _routing-ospf: - -OSPF ----- - -:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet -Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls -into the group of interior gateway protocols (IGPs), operating within a single -autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) -for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` -(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` -addressing model. - -OSPF is a widely used IGP in large enterprise networks. - -OSPFv2 (IPv4) -^^^^^^^^^^^^^ - -In order to have a VyOS system exchanging routes with OSPF neighbors, you will -at least need to configure an OSPF area and some network. - -.. code-block:: none - - set protocols ospf area 0 network 192.168.0.0/24 - -That is the minimum configuration you will need. -It is a good practice to define the router ID too. - -.. code-block:: none - - set protocols ospf parameters router-id 10.1.1.1 - - -Below you can see a typical configuration using 2 nodes, redistribute loopback -address and the node 1 sending the default route: - -**Node 1** - -.. code-block:: none - - set interfaces loopback lo address 10.1.1.1/32 - set protocols ospf area 0 network 192.168.0.0/24 - set protocols ospf default-information originate always - set protocols ospf default-information originate metric 10 - set protocols ospf default-information originate metric-type 2 - set protocols ospf log-adjacency-changes - set protocols ospf parameters router-id 10.1.1.1 - set protocols ospf redistribute connected metric-type 2 - set protocols ospf redistribute connected route-map CONNECT - - set policy route-map CONNECT rule 10 action permit - set policy route-map CONNECT rule 10 match interface lo - -**Node 2** - -.. code-block:: none - - set interfaces loopback lo address 10.2.2.2/32 - set protocols ospf area 0 network 192.168.0.0/24 - set protocols ospf log-adjacency-changes - set protocols ospf parameters router-id 10.2.2.2 - set protocols ospf redistribute connected metric-type 2 - set protocols ospf redistribute connected route-map CONNECT - - set policy route-map CONNECT rule 10 action permit - set policy route-map CONNECT rule 10 match interface lo - -OSPFv3 (IPv6) -^^^^^^^^^^^^^ - -A typical configuration using 2 nodes. - -**Node 1:** - -.. code-block:: none - - set protocols ospfv3 area 0.0.0.0 interface eth1 - set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 - set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 redistribute connected - -**Node 2:** - -.. code-block:: none - - set protocols ospfv3 area 0.0.0.0 interface eth1 - set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 - set protocols ospfv3 parameters router-id 192.168.2.1 - set protocols ospfv3 redistribute connected - -.. note:: You can not easily redistribute IPv6 routes via OSPFv3 on a WireGuard - interface link. This requires you to configure link-local addresses manually - on the WireGuard interfaces, see :vytask:`T1483`. - -Example configuration for WireGuard interfaces: - -**Node 1** - -.. code-block:: none - - set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64' - set interfaces wireguard wg01 address '192.168.0.1/24' - set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' - set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' - set interfaces wireguard wg01 port '12345' - set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 area 0.0.0.0 interface 'wg01' - set protocols ospfv3 area 0.0.0.0 interface 'lo' - -**Node 2** - -.. code-block:: none - - set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64' - set interfaces wireguard wg01 address '192.168.0.2/24' - set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' - set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' - set interfaces wireguard wg01 port '12345' - set protocols ospfv3 parameters router-id 192.168.1.2 - set protocols ospfv3 area 0.0.0.0 interface 'wg01' - set protocols ospfv3 area 0.0.0.0 interface 'lo' - -**Status** - -.. code-block:: none - - vyos@ospf01:~$ sh ipv6 ospfv3 neighbor - Neighbor ID Pri DeadTime State/IfState Duration I/F[State] - 192.168.0.2 1 00:00:37 Full/PointToPoint 00:18:03 wg01[PointToPoint] - - vyos@ospf02# run sh ipv6 ospfv3 neighbor - Neighbor ID Pri DeadTime State/IfState Duration I/F[State] - 192.168.0.1 1 00:00:39 Full/PointToPoint 00:19:44 wg01[PointToPoint] - diff --git a/docs/routing/pbr.rst b/docs/routing/pbr.rst deleted file mode 100644 index 797f79e3..00000000 --- a/docs/routing/pbr.rst +++ /dev/null @@ -1,105 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -.. _routing-pbr: - -PBR ---- - -:abbr:`PBR (Policy-Based Routing)` allowing traffic to be assigned to -different routing tables. Traffic can be matched using standard 5-tuple -matching (source address, destination address, protocol, source port, -destination port). - -Transparent Proxy -^^^^^^^^^^^^^^^^^ - -The following example will show how VyOS can be used to redirect web -traffic to an external transparent proxy: - -.. code-block:: none - - set policy route FILTER-WEB rule 1000 destination port 80 - set policy route FILTER-WEB rule 1000 protocol tcp - set policy route FILTER-WEB rule 1000 set table 100 - -This creates a route policy called FILTER-WEB with one rule to set the -routing table for matching traffic (TCP port 80) to table ID 100 -instead of the default routing table. - -To create routing table 100 and add a new default gateway to be used by -traffic matching our route policy: - -.. code-block:: none - - set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 - -This can be confirmed using the ``show ip route table 100`` operational -command. - -Finally, to apply the policy route to ingress traffic on our LAN -interface, we use: - -.. code-block:: none - - set interfaces ethernet eth1 policy route FILTER-WEB - - -Multiple Uplinks -^^^^^^^^^^^^^^^^ - -VyOS Policy-Based Routing (PBR) works by matching source IP address -ranges and forwarding the traffic using different routing tables. - -Routing tables that will be used in this example are: - -* ``table 10`` Routing table used for VLAN 10 (192.168.188.0/24) -* ``table 11`` Routing table used for VLAN 11 (192.168.189.0/24) -* ``main`` Routing table used by VyOS and other interfaces not - participating in PBR - -.. figure:: ../_static/images/pbr_example_1.png - :scale: 80 % - :alt: PBR multiple uplinks - - Policy-Based Routing with multiple ISP uplinks - (source ./draw.io/pbr_example_1.drawio) - -Add default routes for routing ``table 10`` and ``table 11`` - -.. code-block:: none - - set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1 - set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 - -Add policy route matching VLAN source addresses - -.. code-block:: none - - set policy route PBR rule 20 set table '10' - set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' - set policy route PBR rule 20 source address '192.168.188.0/24' - - set policy route PBR rule 30 set table '11' - set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' - set policy route PBR rule 30 source address '192.168.189.0/24' - -Apply routing policy to **inbound** direction of out VLAN interfaces - -.. code-block:: none - - set interfaces ethernet eth0 vif 10 policy route 'PBR' - set interfaces ethernet eth0 vif 11 policy route 'PBR' - - -**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) -from PBR - -.. code-block:: none - - set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' - set policy route PBR rule 10 destination address '192.168.188.0/24' - set policy route PBR rule 10 destination address '192.168.189.0/24' - set policy route PBR rule 10 set table 'main' - -These commands allow the VLAN10 and VLAN20 hosts to communicate with -each other using the main routing table. diff --git a/docs/routing/rip.rst b/docs/routing/rip.rst deleted file mode 100644 index 9cf4f289..00000000 --- a/docs/routing/rip.rst +++ /dev/null @@ -1,36 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -.. _rip: - -RIP ---- - -:abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway -protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS -routing protocol. RIP is a distance-vector protocol and is based on the -Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates -to its neighbors periodically, thus allowing the convergence to a known -topology. In each update, the distance to any given network will be broadcast -to its neighboring router. - -Supported versions of RIP are: -* RIPv1 as described in :rfc:`1058` -* RIPv2 as described in :rfc:`2453` - -Simple RIP configuration using 2 nodes and redistributing connected interfaces. - -**Node 1:** - -.. code-block:: none - - set interfaces loopback address 10.1.1.1/32 - set protocols rip network 192.168.0.0/24 - set protocols rip redistribute connected - -**Node 2:** - -.. code-block:: none - - set interfaces loopback address 10.2.2.2/32 - set protocols rip network 192.168.0.0/24 - set protocols rip redistribute connected diff --git a/docs/routing/routing-policy.rst b/docs/routing/routing-policy.rst deleted file mode 100644 index 461e42d8..00000000 --- a/docs/routing/routing-policy.rst +++ /dev/null @@ -1,60 +0,0 @@ -.. include:: ../_include/need_improvement.txt - -Routing-policy --------------- - -Routing Policies could be used to tell the router (self or neighbors) what routes and their attributes needs to be put into the routing table. - -There could be a wide range of routing policies. Some examples are below: - - * Set some metric to routes learned from a particular neighbor - * Set some attributes (like AS PATH or Community value) to advertised routes to neighbors - * Prefer a specific routing protocol routes over another routing protocol running on the same router - -Routing Policy Example -~~~~~~~~~~~~~~~~~~~~~~ - -**Policy definition:** - -.. code-block:: none - - #Create policy - set policy route-map setmet rule 2 action 'permit' - set policy route-map setmet rule 2 set as-path-prepend '2 2 2' - - #Apply policy to BGP - set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' - set protocols bgp 1 neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' <<<< *** - - *** get policy update without bouncing the neighbor - -**Routes learned before routing policy applied:** - -.. code-block:: none - - vyos@vos1:~$ show ip bgp - BGP table version is 0, local router ID is 192.168.56.101 - Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed - Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path - *> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path - - Total number of prefixes 1 - -**Routes learned after routing policy applied:** - -.. code-block:: none - - vyos@vos1:~$ sho ip b - BGP table version is 0, local router ID is 192.168.56.101 - Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed - Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path - *> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i < longer AS_path length - - Total number of prefixes 1 - vyos@vos1:~$ diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst deleted file mode 100644 index 9813b1b6..00000000 --- a/docs/routing/rpki.rst +++ /dev/null @@ -1,113 +0,0 @@ -.. _rpki: - -#### -RPKI -#### - -.. pull-quote:: - - There are two types of Network Admins who deal with BGP, those who have - created an international incident and/or outage, and those who are lying - - -- `tweet by EvilMog`_, 2020-02-21 - -:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI -(Public Key Infrastructure)` designed to secure the Internet routing -infrastructure. It associates BGP route announcements with the correct -originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then -use to check each route against the corresponding :abbr:`ROA (Route Origin -Authorisation)` for validity. RPKI is described in :rfc:`6480`. - -A BGP-speaking router like VyOS can retrieve ROA information from RPKI -"Relying Party software" (often just called an "RPKI server" or "RPKI -validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several -open source implementations to choose from, such as NLNetLabs' Routinator_ -(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and -RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described -in :rfc:`8210`. - -.. tip:: - If you are new to these routing security technologies then there is an - `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed - very quickly. Their documentation explains everything from what RPKI is to - deploying it in production (albeit with a focus on using NLnet Labs' - tools). It also has some `help and operational guidance`_ including - "What can I do about my route having an Invalid state?" - -First you will need to deploy an RPKI validator for your routers to use. The -RIPE NCC helpfully provide `some instructions`_ to get you started with -several different options. Once your server is running you can start -validating announcements. - -Imported prefixes during the validation may have values: - - valid - The prefix and ASN that originated it match a signed ROA. These are - probably trustworthy route announcements. - - invalid - The prefix or prefix length and ASN that originated it doesn't - match any existing ROA. This could be the result of a prefix hijack, or - merely a misconfiguration, but should probably be treated as - untrustworthy route announcements. - - notfound - No ROA exists which covers that prefix. Unfortunately this is the case - for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ - (default-free zone)` at the start of 2020 (see more detail in - NLnet Labs' `RPKI analytics`_). - -.. note:: - If you are responsible for the global addresses assigned to your - network, please make sure that your prefixes have ROAs associated with them - to avoid being `notfound` by RPKI. For most ASNs this will involve - publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE - NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged - to do whenever you plan to announce addresses into the DFZ. - - Particularly large networks may wish to run their own RPKI certificate - authority and publication server instead of publishing ROAs via their RIR. - This is a subject far beyond the scope of VyOS' documentation. Consider - reading about Krill_ if this is a rabbit hole you need or especially want - to dive down. - -We can build route-maps for import based on these states. Here is a simple -RPKI configuration, where `routinator` is the RPKI-validating "cache" -server with ip `192.0.2.1`: - -.. code-block:: none - - set protocols rpki cache routinator address '192.0.2.1' - set protocols rpki cache routinator port '3323' - -Here is an example route-map to apply to routes learned at import. In this -filter we reject prefixes with the state `invalid`, and set a higher -`local-preference` if the prefix is RPKI `valid` rather than merely -`notfound`. - -.. code-block:: none - - set policy route-map ROUTES-IN rule 10 action 'permit' - set policy route-map ROUTES-IN rule 10 match rpki 'valid' - set policy route-map ROUTES-IN rule 10 set local-preference '300' - set policy route-map ROUTES-IN rule 20 action 'permit' - set policy route-map ROUTES-IN rule 20 match rpki 'notfound' - set policy route-map ROUTES-IN rule 20 set local-preference '125' - set policy route-map ROUTES-IN rule 30 action 'deny' - set policy route-map ROUTES-IN rule 30 match rpki 'invalid' - -Once your routers are configured to reject RPKI-invalid prefixes, you can -test whether the configuration is working correctly using the `RIPE Labs RPKI -Test`_ experimental tool. - -.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216 -.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/ -.. _GoRTR: https://github.com/cloudflare/gortr -.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki -.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources -.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator -.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/ -.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/ -.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ -.. _excellent guide to RPKI: https://rpki.readthedocs.io/ -.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html diff --git a/docs/routing/static.rst b/docs/routing/static.rst deleted file mode 100644 index 523627fa..00000000 --- a/docs/routing/static.rst +++ /dev/null @@ -1,134 +0,0 @@ -.. _static-routing: - -###### -Static -###### - -Static routes are manually configured routes, which, in general, cannot be -updated dynamically from information VyOS learns about the network topology from -other routing protocols. However, if a link fails, the router will remove -routes, including static routes, from the :abbr:`RIPB (Routing Information -Base)` that used this interface to reach the next hop. In general, static -routes should only be used for very simple network topologies, or to override -the behavior of a dynamic routing protocol for a small number of routes. The -collection of all routes the router has learned from its configuration or from -its dynamic routing protocols is stored in the RIB. Unicast routes are directly -used to determine the forwarding table used for unicast packet forwarding. - -Static Routes -############# - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> - - Configure next-hop `<address>` for an IPv4 static route. Multiple static - routes can be created. - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> disable - - Disable this IPv4 static route entry. - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - .. note:: Routes with a distance of 255 are effectively disabled and not - installed into the kernel. - -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> - - Configure next-hop `<address>` for an IPv6 static route. Multiple static - routes can be created. - -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> disable - - Disable this IPv6 static route entry. - -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - .. note:: Routes with a distance of 255 are effectively disabled and not - installed into the kernel. - - -Interface Routes -================ - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> - - Allows you to configure the next-hop interface for an interface-based IPv4 - static route. `<interface>` will be the next-hop interface where trafic is - routed for the given `<subnet>`. - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> disable - - Disables interface-based IPv4 static route. - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> - - Allows you to configure the next-hop interface for an interface-based IPv6 - static route. `<interface>` will be the next-hop interface where trafic is - routed for the given `<subnet>`. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> disable - - Disables interface-based IPv6 static route. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - -Blackhole -========= - -.. cfgcmd:: set protocols static route <subnet> blackhole - - Use this command to configure a "black-hole" route on the router. A - black-hole route is a route for which the system silently discard packets - that are matched. This prevents networks leaking out public interfaces, but - it does not prevent them from being used as a more specific route inside your - network. - -.. cfgcmd:: set protocols static route <subnet> blackhole distance <distance> - - Defines blackhole distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - -.. cfgcmd:: set protocols static route6 <subnet> blackhole - - Use this command to configure a "black-hole" route on the router. A - black-hole route is a route for which the system silently discard packets - that are matched. This prevents networks leaking out public interfaces, but - it does not prevent them from being used as a more specific route inside your - network. - -.. cfgcmd:: set protocols static route6 <subnet> blackhole distance <distance> - - Defines blackhole distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - -Alternate Routing Tables -======================== - -TBD - -Alternate routing tables are used with policy based routing of by utilizing -:ref:`vrf`. |