Diffstat (limited to 'docs/routing')
-rw-r--r--  docs/routing/arp.rst           59
-rw-r--r--  docs/routing/bfd.rst          117
-rw-r--r--  docs/routing/bgp.rst          335
-rw-r--r--  docs/routing/index.rst         22
-rw-r--r--  docs/routing/ip-commands.rst  258
-rw-r--r--  docs/routing/mpls.rst         157
-rw-r--r--  docs/routing/mss-clamp.rst     63
-rw-r--r--  docs/routing/multicast.rst    244
-rw-r--r--  docs/routing/ospf.rst         141
-rw-r--r--  docs/routing/rip.rst           37
-rw-r--r--  docs/routing/rpki.rst         113
-rw-r--r--  docs/routing/static.rst       134
12 files changed, 0 insertions, 1680 deletions
diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst deleted file mode 100644 index 5f3115ab..00000000 --- a/docs/routing/arp.rst +++ /dev/null @@ -1,59 +0,0 @@ -.. _routing-arp: - -### -ARP -### - -:abbr:`ARP (Address Resolution Protocol)` is a communication protocol used for -discovering the link layer address, such as a MAC address, associated with a -given internet layer address, typically an IPv4 address. This mapping is a -critical function in the Internet protocol suite. ARP was defined in 1982 by -:rfc:`826` which is Internet Standard STD 37. - -In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is -provided by the Neighbor Discovery Protocol (NDP). - -To manipulate or display ARP_ table entries, the following commands are -implemented. - -Configure -========= - -.. cfgcmd:: set protocols static arp <address> hwaddr <mac> - - This will configure a static ARP entry always resolving `<address>` to - `<mac>`. - - Example: - - .. code-block:: none - - set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa - -Operation -========= - -.. opcmd:: show protocols static arp - - Display all known ARP table entries spanning across all interfaces - -.. code-block:: none - - vyos@vyos:~$ show protocols static arp - Address HWtype HWaddress Flags Mask Iface - 10.1.1.1 ether 00:53:00:de:23:2e C eth1 - 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 - - -.. opcmd:: show protocols static arp interface eth1 - - Display all known ARP table entries on a given interface only (`eth1`): - -.. code-block:: none - - vyos@vyos:~$ show protocols static arp interface eth1 - Address HWtype HWaddress Flags Mask Iface - 10.1.1.1 ether 00:53:00:de:23:2e C eth1 - 10.1.1.100 ether 00:53:00:de:23:aa CM eth1 - -.. _ARP: https://en.wikipedia.org/wiki/Address_Resolution_Protocol diff --git a/docs/routing/bfd.rst b/docs/routing/bfd.rst deleted file mode 100644 index b8fdf489..00000000 --- a/docs/routing/bfd.rst +++ /dev/null 
@@ -1,117 +0,0 @@ -.. include:: /_include/need_improvement.txt - -.. _routing-bfd: - -### -BFD -### - -:abbr:`BFD (Bidirectional Forwarding Detection)` is described and extended by -the following RFCs: :rfc:`5880`, :rfc:`5881` and :rfc:`5883`. - - -Configure BFD -============= - -.. cfgcmd:: set protocols bfd peer <address> - - Set BFD peer IPv4 address or IPv6 address - -.. cfgcmd:: set protocols bfd peer <address> echo-mode - - Enables the echo transmission mode - -.. cfgcmd:: set protocols bfd peer <address> multihop - - Allow this BFD peer to not be directly connected - -.. cfgcmd:: set protocols bfd peer <address> source [address <address> | interface <interface>] - - Bind listener to specifid interface/address, mandatory for IPv6 - -.. cfgcmd:: set protocols bfd peer <address> interval echo-interval <10-60000> - - The minimal echo receive transmission interval that this system is capable of handling - -.. cfgcmd:: set protocols bfd peer <address> interval multiplier <2-255> - - Remote transmission interval will be multiplied by this value - -.. cfgcmd:: set protocols bfd peer <address> interval [receive | transmit] <10-60000> - - Interval in milliseconds - -.. cfgcmd:: set protocols bfd peer <address> shutdown - - Disable a BFD peer - - -Enable BFD in BGP ------------------ - -.. cfgcmd:: set protocols bgp <asn> neighbor <address> bfd - - Enable BFD on a single BGP neighbor - -.. cfgcmd:: set protocols bgp <asn> peer-group <group> bfd - - Enable BFD on a BGP peer group - - - -Enable BFD in OSPF ------------------- - -.. cfgcmd:: set interfaces ethernet <ethN> ip ospf bfd - - Enable BFD for ospf on a interface - -.. cfgcmd:: set interfaces ethernet <ethN> ipv6 ospfv3 bfd - - Enable BFD for ospfv3 on a interface - - - -Operational Commands -==================== - -.. opcmd:: show protocols bfd peer - - Show all BFD peers - - .. 
code-block:: none - - BFD Peers: - peer 198.51.100.33 vrf default interface eth4.100 - ID: 4182341893 - Remote ID: 12678929647 - Status: up - Uptime: 1 month(s), 16 hour(s), 29 minute(s), 38 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - - peer 198.51.100.55 vrf default interface eth4.101 - ID: 4618932327 - Remote ID: 3312345688 - Status: up - Uptime: 20 hour(s), 16 minute(s), 19 second(s) - Diagnostics: ok - Remote diagnostics: ok - Local timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 50ms - Remote timers: - Receive interval: 300ms - Transmission interval: 300ms - Echo transmission interval: 0ms - - diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst deleted file mode 100644 index c576d836..00000000 --- a/docs/routing/bgp.rst +++ /dev/null 
@@ -1,335 +0,0 @@ -.. _bgp: - -### -BGP -### - -:abbr:`BGP (Border Gateway Protocol)` is one of the Exterior Gateway Protocols -and the de facto standard interdomain routing protocol. The latest BGP version -is 4. BGP-4 is described in :rfc:`1771` and updated by :rfc:`4271`. :rfc:`2858` -adds multiprotocol support to BGP. - -VyOS makes use of :abbr:`FRR (Free Range Routing)` and we would like to thank -them for their effort! - -Basic Concepts -============== - -.. _bgp-autonomous-systems: - -Autonomous Systems ------------------- - -From :rfc:`1930`: - - An AS is a connected group of one or more IP prefixes run by one or more - network operators which has a SINGLE and CLEARLY DEFINED routing policy. - -Each AS has an identifying number associated with it called an :abbr:`ASN -(Autonomous System Number)`. This is a two octet value ranging in value from 1 -to 65535. The AS numbers 64512 through 65535 are defined as private AS numbers. -Private AS numbers must not be advertised on the global Internet. - -The :abbr:`ASN (Autonomous System Number)` is one of the essential elements of -BGP. BGP is a distance vector routing protocol, and the AS-Path framework -provides distance vector metric and loop detection to BGP. - -.. _bgp-address-families: - -Address Families ----------------- - -Multiprotocol extensions enable BGP to carry routing information for multiple -network layer protocols. BGP supports an Address Family Identifier (AFI) for -IPv4 and IPv6. - -.. _bgp-route-selection: - -Route Selection ---------------- - -The route selection process used by FRR's BGP implementation uses the following -decision criterion, starting at the top of the list and going towards the -bottom until one of the factors can be used. - -1. **Weight check** - - Prefer higher local weight routes to lower routes. - -2. **Local preference check** - - Prefer higher local preference routes to lower. - -3. 
**Local route check** - - Prefer local routes (statics, aggregates, redistributed) to received routes. - -4. **AS path length check** - - Prefer shortest hop-count AS_PATHs. - -5. **Origin check** - - Prefer the lowest origin type route. That is, prefer IGP origin routes to - EGP, to Incomplete routes. - -6. **MED check** - - Where routes with a MED were received from the same AS, prefer the route - with the lowest MED. - -7. **External check** - - Prefer the route received from an external, eBGP peer over routes received - from other types of peers. - -8. **IGP cost check** - - Prefer the route with the lower IGP cost. - -9. **Multi-path check** - - If multi-pathing is enabled, then check whether the routes not yet - distinguished in preference may be considered equal. If - :cfgcmd:`bgp bestpath as-path multipath-relax` is set, all such routes are - considered equal, otherwise routes received via iBGP with identical AS_PATHs - or routes received from eBGP neighbours in the same AS are considered equal. - -10. **Already-selected external check** - - Where both routes were received from eBGP peers, then prefer the route - which is already selected. Note that this check is not applied if - :cfgcmd:`bgp bestpath compare-routerid` is configured. This check can - prevent some cases of oscillation. - -11. **Router-ID check** - - Prefer the route with the lowest `router-ID`. If the route has an - `ORIGINATOR_ID` attribute, through iBGP reflection, then that router ID is - used, otherwise the `router-ID` of the peer the route was received from is - used. - -12. **Cluster-List length check** - - The route with the shortest cluster-list length is used. The cluster-list - reflects the iBGP reflection path the route has taken. - -13. **Peer address** - - Prefer the route received from the peer with the higher transport layer - address, as a last-resort tie-breaker. - -.. 
_bgp-capability-negotiation: - -Capability Negotiation ----------------------- - -When adding IPv6 routing information exchange feature to BGP. There were some -proposals. :abbr:`IETF (Internet Engineering Task Force)` -:abbr:`IDR (Inter Domain Routing)` adopted a proposal called Multiprotocol -Extension for BGP. The specification is described in :rfc:`2283`. The protocol -does not define new protocols. It defines new attributes to existing BGP. When -it is used exchanging IPv6 routing information it is called BGP-4+. When it is -used for exchanging multicast routing information it is called MBGP. - -*bgpd* supports Multiprotocol Extension for BGP. So if a remote peer supports -the protocol, *bgpd* can exchange IPv6 and/or multicast routing information. - -Traditional BGP did not have the feature to detect a remote peer's -capabilities, e.g. whether it can handle prefix types other than IPv4 unicast -routes. This was a big problem using Multiprotocol Extension for BGP in an -operational network. :rfc:`2842` adopted a feature called Capability -Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's -capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* -does not send these Capability Negotiation packets (at least not unless other -optional BGP features require capability negotiation). - -By default, FRR will bring up peering with minimal common capability for the -both sides. For example, if the local router has unicast and multicast -capabilities and the remote router only has unicast capability the local router -will establish the connection with unicast only capability. When there are no -common capabilities, FRR sends Unsupported Capability error and then resets the -connection. - -.. _bgp-router-configuration: - -BGP Router Configuration -======================== - -ASN and Router ID ------------------ - -.. 
cfgcmd:: set protocols bgp <asn> - - First of all you must configure BGP router with the :abbr:`ASN (Autonomous - System Number)`. The AS number is an identifier for the autonomous system. - The BGP protocol uses the AS number for detecting whether the BGP connection - is internal or external. - -.. cfgcmd:: set protocols bgp <asn> parameters router-id - - This command specifies the router-ID. If router ID is not specified it will - use the highest interface IP address. - -Route Selection ---------------- - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path confed - - This command specifies that the length of confederation path sets and - sequences should be taken into account during the BGP best path - decision process. - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path multipath-relax - - This command specifies that BGP decision process should consider paths - of equal AS_PATH length candidates for multipath computation. Without - the knob, the entire AS_PATH must match for multipath computation. - -.. cfgcmd:: set protocols bgp <asn> parameters bestpath as-path ignore - - Ignore AS_PATH length when selecting a route - -IPv4 -^^^^ - -A simple eBGP configuration: - -**Node 1:** - -.. code-block:: none - - set protocols bgp 65534 neighbor 192.168.0.2 ebgp-multihop '2' - set protocols bgp 65534 neighbor 192.168.0.2 remote-as '65535' - set protocols bgp 65534 neighbor 192.168.0.2 update-source '192.168.0.1' - set protocols bgp 65534 address-family ipv4-unicast network '172.16.0.0/16' - set protocols bgp 65534 parameters router-id '192.168.0.1' - -**Node 2:** - -.. 
code-block:: none - - set protocols bgp 65535 neighbor 192.168.0.1 ebgp-multihop '2' - set protocols bgp 65535 neighbor 192.168.0.1 remote-as '65534' - set protocols bgp 65535 neighbor 192.168.0.1 update-source '192.168.0.2' - set protocols bgp 65535 address-family ipv4-unicast network '172.17.0.0/16' - set protocols bgp 65535 parameters router-id '192.168.0.2' - - -Don't forget, the CIDR declared in the network statement MUST **exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -.. code-block:: none - - set protocols static route 172.16.0.0/16 blackhole distance '254' - -**Node 2:** - -.. code-block:: none - - set protocols static route 172.17.0.0/16 blackhole distance '254' - - -IPv6 -^^^^ - -A simple BGP configuration via IPv6. - -**Node 1:** - -.. code-block:: none - - set protocols bgp 65534 neighbor 2001:db8::2 ebgp-multihop '2' - set protocols bgp 65534 neighbor 2001:db8::2 remote-as '65535' - set protocols bgp 65534 neighbor 2001:db8::2 update-source '2001:db8::1' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast - set protocols bgp 65534 address-family ipv6-unicast network '2001:db8:1::/48' - set protocols bgp 65534 parameters router-id '10.1.1.1' - -**Node 2:** - -.. code-block:: none - - set protocols bgp 65535 neighbor 2001:db8::1 ebgp-multihop '2' - set protocols bgp 65535 neighbor 2001:db8::1 remote-as '65534' - set protocols bgp 65535 neighbor 2001:db8::1 update-source '2001:db8::2' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast - set protocols bgp 65535 address-family ipv6-unicast network '2001:db8:2::/48' - set protocols bgp 65535 parameters router-id '10.1.1.2' - -Don't forget, the CIDR declared in the network statement **MUST exist in your -routing table (dynamic or static), the best way to make sure that is true is -creating a static route:** - -**Node 1:** - -.. 
code-block:: none - - set protocols static route6 2001:db8:1::/48 blackhole distance '254' - -**Node 2:** - -.. code-block:: none - - set protocols static route6 2001:db8:2::/48 blackhole distance '254' - -Route Filter -^^^^^^^^^^^^ - -Route filter can be applied using a route-map: - -**Node1:** - -.. code-block:: none - - set policy prefix-list AS65535-IN rule 10 action 'permit' - set policy prefix-list AS65535-IN rule 10 prefix '172.16.0.0/16' - set policy prefix-list AS65535-OUT rule 10 action 'deny' - set policy prefix-list AS65535-OUT rule 10 prefix '172.16.0.0/16' - set policy prefix-list6 AS65535-IN rule 10 action 'permit' - set policy prefix-list6 AS65535-IN rule 10 prefix '2001:db8:2::/48' - set policy prefix-list6 AS65535-OUT rule 10 action 'deny' - set policy prefix-list6 AS65535-OUT rule 10 prefix '2001:db8:2::/48' - set policy route-map AS65535-IN rule 10 action 'permit' - set policy route-map AS65535-IN rule 10 match ip address prefix-list 'AS65535-IN' - set policy route-map AS65535-IN rule 10 match ipv6 address prefix-list 'AS65535-IN' - set policy route-map AS65535-IN rule 20 action 'deny' - set policy route-map AS65535-OUT rule 10 action 'deny' - set policy route-map AS65535-OUT rule 10 match ip address prefix-list 'AS65535-OUT' - set policy route-map AS65535-OUT rule 10 match ipv6 address prefix-list 'AS65535-OUT' - set policy route-map AS65535-OUT rule 20 action 'permit' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map export 'AS65535-OUT' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv4-unicast route-map import 'AS65535-IN' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map export 'AS65535-OUT' - set protocols bgp 65534 neighbor 2001:db8::2 address-family ipv6-unicast route-map import 'AS65535-IN' - -**Node2:** - -.. 
code-block:: none - - set policy prefix-list AS65534-IN rule 10 action 'permit' - set policy prefix-list AS65534-IN rule 10 prefix '172.17.0.0/16' - set policy prefix-list AS65534-OUT rule 10 action 'deny' - set policy prefix-list AS65534-OUT rule 10 prefix '172.17.0.0/16' - set policy prefix-list6 AS65534-IN rule 10 action 'permit' - set policy prefix-list6 AS65534-IN rule 10 prefix '2001:db8:1::/48' - set policy prefix-list6 AS65534-OUT rule 10 action 'deny' - set policy prefix-list6 AS65534-OUT rule 10 prefix '2001:db8:1::/48' - set policy route-map AS65534-IN rule 10 action 'permit' - set policy route-map AS65534-IN rule 10 match ip address prefix-list 'AS65534-IN' - set policy route-map AS65534-IN rule 10 match ipv6 address prefix-list 'AS65534-IN' - set policy route-map AS65534-IN rule 20 action 'deny' - set policy route-map AS65534-OUT rule 10 action 'deny' - set policy route-map AS65534-OUT rule 10 match ip address prefix-list 'AS65534-OUT' - set policy route-map AS65534-OUT rule 10 match ipv6 address prefix-list 'AS65534-OUT' - set policy route-map AS65534-OUT rule 20 action 'permit' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map export 'AS65534-OUT' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv4-unicast route-map import 'AS65534-IN' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'AS65534-OUT' - set protocols bgp 65535 neighbor 2001:db8::1 address-family ipv6-unicast route-map import 'AS65534-IN' - -We could expand on this and also deny link local and multicast in the rule 20 -action deny. diff --git a/docs/routing/index.rst b/docs/routing/index.rst deleted file mode 100644 index 63d7c7d8..00000000 --- a/docs/routing/index.rst +++ /dev/null @@ -1,22 +0,0 @@ -.. _routing: - -####### -Routing -####### - -.. toctree:: - :maxdepth: 1 - - arp - bfd - bgp - mpls - mss-clamp - multicast - ip-commands - ospf - pbr - rip - policy - rpki - static 
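Review bot: the removed Route Filter section of docs/routing/bgp.rst is the only text in this tree documenting inbound and outbound prefix-list plus route-map filtering on BGP neighbors, and the diff shows no replacement; confirm it is re-added elsewhere in the same commit. If the file is relocated, make the two "Don't forget" paragraphs consistent (one bolds `MUST **exist in your routing table ...`, the other `**MUST exist in your routing table ...`) and keep the `.. _bgp:` label so existing `:ref:` links keep resolving.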
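Review bot: the deleted toctree in docs/routing/index.rst lists `pbr` and `policy`, which are not among the twelve files this patch removes (the diffstat is limited to docs/routing and shows 0 insertions); if those documents still live under docs/routing they now have no index entry, and if they were moved earlier the replacement index must reference them at the new path. The parent toctree that pointed at `routing/index` also needs updating, otherwise the build reports a missing document.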
diff --git a/docs/routing/ip-commands.rst b/docs/routing/ip-commands.rst deleted file mode 100644 index eba4fd90..00000000 --- a/docs/routing/ip-commands.rst +++ /dev/null 
@@ -1,258 +0,0 @@ -.. _ip-commands: - -########### -IP commands -########### - -IPv4 -==== - -System configuration commands ------------------------------ - -.. cfgcmd:: set system ip disable-forwarding - - Use this command to disable IPv4 forwarding on all interfaces. - -.. cfgcmd:: set system ip arp table-size <number> - - Use this command to define the maximum number of entries to keep in - the ARP cache (1024, 2048, 4096, 8192, 16384, 32768). - -.. cfgcmd:: set system ip multipath layer4-hashing - - Use this command to use Layer 4 information for IPv4 ECMP hashing. - - -Operational commands --------------------- - -show commands -^^^^^^^^^^^^^ - -See below the different parameters available for the IPv4 **show** command: - -.. code-block:: none - - vyos@vyos:~$ show ip - Possible completions: - access-list Show all IP access-lists - as-path-access-list - Show all as-path-access-lists - bgp Show Border Gateway Protocol (BGP) information - community-list - Show IP community-lists - extcommunity-list - Show extended IP community-lists - forwarding Show IP forwarding status - groups Show IP multicast group membership - igmp Show IGMP (Internet Group Management Protocol) information - large-community-list - Show IP large-community-lists - multicast Show IP multicast - ospf Show IPv4 Open Shortest Path First (OSPF) routing information - pim Show PIM (Protocol Independent Multicast) information - ports Show IP ports in use by various system services - prefix-list Show all IP prefix-lists - protocol Show IP route-maps per protocol - rip Show Routing Information Protocol (RIP) information - route Show IP routes - - -reset commands -^^^^^^^^^^^^^^ - -And the different IPv4 **reset** commands available: - -.. 
code-block:: none - - vyos@vyos:~$ reset ip - Possible completions: - arp Reset Address Resolution Protocol (ARP) cache - bgp Clear Border Gateway Protocol (BGP) statistics or status - igmp IGMP clear commands - multicast IP multicast routing table - route Reset IP route - -IPv6 -==== - -System configuration commands ------------------------------ - -.. cfgcmd:: set system ipv6 disable - - Use this command to disable assignment of IPv6 addresses on all - interfaces. - -.. cfgcmd:: set system ipv6 disable-forwarding - - Use this command to disable IPv6 forwarding on all interfaces. - -.. cfgcmd:: set system ipv6 neighbor table-size <number> - - Use this command to define the maximum number of entries to keep in - the Neighbor cache (1024, 2048, 4096, 8192, 16384, 32768). - -.. cfgcmd:: set system ipv6 strict-dad - - Use this command to disable IPv6 operation on interface when - Duplicate Address Detection fails on Link-Local address. - -.. cfgcmd:: set system ipv6 multipath layer4-hashing - - Use this command to user Layer 4 information for ECMP hashing. - - -Operational commands --------------------- - -Show commands -^^^^^^^^^^^^^ - -.. opcmd:: show ipv6 neighbors - - Use this command to show IPv6 Neighbor Discovery Protocol information. - -.. opcmd:: show ipv6 groups - - Use this command to show IPv6 multicast group membership. - -.. opcmd:: show ipv6 forwarding - - Use this command to show IPv6 forwarding status. - -.. opcmd:: show ipv6 route - - Use this command to show IPv6 routes. - - Check the many parameters available for the `show ipv6 route` command: - - .. 
code-block:: none - - vyos@vyos:~$ show ipv6 route - Possible completions: - <Enter> Execute the current command - <X:X::X:X> Show IPv6 routes of given address or prefix - <X:X::X:X/M> - bgp Show IPv6 BGP routes - cache Show kernel IPv6 route cache - connected Show IPv6 connected routes - forward Show kernel IPv6 route table - isis Show IPv6 ISIS routes - kernel Show IPv6 kernel routes - ospfv3 Show IPv6 OSPF6 routes - ripng Show IPv6 RIPNG routes - static Show IPv6 static routes - summary Show IPv6 routes summary - table Show IP routes in policy table - vrf Show IPv6 routes in VRF - - -.. opcmd:: show ipv6 prefix-list - - Use this command to show all IPv6 prefix lists - - There are different parameters for getting prefix-list information: - - .. code-block:: none - - vyos@vyos:~$ show ipv6 prefix-list - Possible completions: - <Enter> Execute the current command - <WORD> Show specified IPv6 prefix-list - detail Show detail of IPv6 prefix-lists - summary Show summary of IPv6 prefix-lists - -.. opcmd:: show ipv6 access-list - - Use this command to show all IPv6 access lists - - You can also specify which IPv6 access-list should be shown: - - .. code-block:: none - - vyos@vyos:~$ show ipv6 access-list - Possible completions: - <Enter> Execute the current command - <text> Show specified IPv6 access-list - -.. opcmd:: show ipv6 bgp - - Use this command to show IPv6 Border Gateway Protocol information. - - - In addition, you can specify many other parameters to get BGP - information: - - .. 
code-block:: none - - vyos@vyos:~$ show ipv6 bgp - Possible completions: - <Enter> Execute the current command - <X:X::X:X> Show BGP information for given address or prefix - <X:X::X:X/M> - community Show routes matching the communities - community-list - Show routes matching the community-list - filter-list Show routes conforming to the filter-list - large-community - Show routes matching the large-community-list - large-community-list - neighbors Show detailed information on TCP and BGP neighbor connections - prefix-list Show routes matching the prefix-list - regexp Show routes matching the AS path regular expression - route-map Show BGP routes matching the specified route map - summary Show summary of BGP neighbor status - - -.. opcmd:: show ipv6 ospfv3 - - Use this command to get information about OSPFv3. - - You can get more specific OSPFv3 information by using the parameters - shown below: - - .. code-block:: none - - vyos@vyos:~$ show ipv6 ospfv3 - Possible completions: - <Enter> Execute the current command - area Show OSPFv3 spf-tree information - border-routers - Show OSPFv3 border-router (ABR and ASBR) information - database Show OSPFv3 Link state database information - interface Show OSPFv3 interface information - linkstate Show OSPFv3 linkstate routing information - neighbor Show OSPFv3 neighbor information - redistribute Show OSPFv3 redistribute External information - route Show OSPFv3 routing table information - -.. opcmd:: show ipv6 ripng - - Use this command to get information about the RIPNG protocol - -.. opcmd:: show ipv6 ripng status - - Use this command to show the status of the RIPNG protocol - - -Reset commands -^^^^^^^^^^^^^^ - -.. opcmd:: reset ipv6 bgp <address> - - Use this command to clear Border Gateway Protocol statistics or - status. - - -.. opcmd:: reset ipv6 neighbors <address | interface> - - Use this command to reset IPv6 Neighbor Discovery Protocol cache for - an address or interface. - -.. 
opcmd:: reset ipv6 route cache - - Use this command to flush the kernel IPv6 route cache. - An address can be added to flush it only for that route. - diff --git a/docs/routing/mpls.rst b/docs/routing/mpls.rst deleted file mode 100644 index 82e99a17..00000000 --- a/docs/routing/mpls.rst +++ /dev/null 
@@ -1,157 +0,0 @@ -.. _mpls: - -#################################### -MPLS (Multiprotocol Label Switching) -#################################### - -:abbr:`MPLS (Multi-Protocol Label Switching)` is a packet forwarding paradigm -which differs from regular IP forwarding. Instead of IP addresses being used to -make the decision on finding the exit interface, a router will instead use an -exact match on a 32 bit/4 byte header called the MPLS label. This label is -inserted between the ethernet (layer 2) header and the IP (layer 3) header. -One can statically or dynamically assign label allocations, but we will focus -on dynamic allocation of labels using some sort of label distribution protocol -(such as the aptly named Label Distribution Protocol / LDP, Resource Reservation -Protocol / RSVP, or Segment Routing through OSPF/ISIS). These protocols allow -for the creation of a unidirectional/unicast path called a labeled switched -path (initialized as LSP) throughout the network that operates very much like -a tunnel through the network. An easy way of thinking about how an MPLS LSP -actually forwards traffic throughout a network is to think of a GRE tunnel. -They are not the same in how they operate, but they are the same in how they -handle the tunneled packet. It would be good to think of MPLS as a tunneling -technology that can be used to transport many different types of packets, to -aid in traffic engineering by allowing one to specify paths throughout the -network (using RSVP or SR), and to generally allow for easier intra/inter -network transport of data packets. - -For more information on how MPLS label switching works, please go visit -`Wikipedia (MPLS)`_. - -.. note:: MPLS support in VyOS is not finished yet, and therefore its - functionality is limited. Currently there is no support for MPLS enabled VPN - services such as L3VPNs, L2VPNs, and mVPNs. RSVP support is also not present - as the underlying routing stack (FRR) does not implement it. 
Currently VyOS - can be configured as a label switched router (MPLS P router), in both - penultimate and ultimate hop popping operations. - -Label Distribution Protocol -=========================== - -The :abbr:`MPLS (Multi-Protocol Label Switching)` architecture does not assume -a single protocol to create MPLS paths. VyOS supports the Label Distribution -Protocol (LDP) as implemented by FRR, based on :rfc:`5036`. - -:abbr:`LDP (Label Distribution Protocol)` is a TCP based MPLS signaling protocol -that distributes labels creating MPLS label switched paths in a dynamic manner. -LDP is not a routing protocol, as it relies on other routing protocols for -forwarding decisions. LDP cannot bootstrap itself, and therefore relies on said -routing protocols for communication with other routers that use LDP. - -In order to allow for LDP on the local router to exchange label advertisements -with other routers, a TCP session will be established between automatically -discovered and statically assigned routers. LDP will try to establish a TCP -session to the **transport address** of other routers. Therefore for LDP to -function properly please make sure the transport address is shown in the -routing table and reachable to traffic at all times. - -It is highly recommended to use the same address for both the LDP router-id and -the discovery transport address, but for VyOS MPLS LDP to work both parameters -must be explicitly set in the configuration. - -Configuration Options -===================== - -.. cfgcmd:: set protocols mpls ldp interface <interface> - - Use this command to enable LDP, and enable MPLS processing on the interface you - define. - -.. cfgcmd:: set protocols mpls ldp router-id <address> - - Use this command to configure the IP address used as the LDP router-id of the - local device. - -.. cfgcmd:: set protocols mpls ldp discovery transport-ipv4-address <IPv4 address> -.. 
cfgcmd:: set protocols mpls ldp discovery transport-ipv6-address <IPv6 address> - - Use this command to set the IPv4 or IPv6 transport-address used by LDP. - -.. cfgcmd:: set protocols mpls ldp neighbor <IPv4 address> password <password> - - Use this command to configure authentication for LDP peers. Set the - IP address of the LDP peer and a password that should be shared in - order to become neighbors. - -.. cfgcmd:: set protocols mpls ldp discovery hello-interval <seconds> -.. cfgcmd:: set protocols mpls ldp discovery hello-holdtime <seconds> - - Use this command if you would like to set the discovery hello and hold time - parameters. - -.. cfgcmd:: set protocols mpls ldp discovery session-ipv4-holdtime <seconds> -.. cfgcmd:: set protocols mpls ldp discovery session-ipv6-holdtime <seconds> - - Use this command if you would like to set the TCP session hold time intervals. - -.. cfgcmd:: set protocols mpls ldp export ipv4 explicit-null -.. cfgcmd:: set protocols mpls ldp export ipv6 explicit-null - - Use this command if you would like for the router to advertise FECs with a label - of 0 for explicit null operations. - - -Sample configuration to setup LDP on VyOS ------------------------------------------ - -.. 
code-block:: none - - set protocols ospf area 0 network '192.168.255.252/32' <--- Routing for loopback - set protocols ospf area 0 network '192.168.0.5/32' <--- Routing for an interface connecting to the network - set protocols ospf parameters router-id '192.168.255.252' <--- Router ID setting for OSPF - set protocols mpls ldp discovery transport-ipv4-address '192.168.255.252' <--- Transport address for LDP for TCP sessions to connect to - set protocols mpls ldp interface 'eth1' <--- Enable MPLS and LDP for an interface connecting to network - set protocols mpls ldp interface 'lo' <--- Enable MPLS and LDP on loopback for future services connectivity - set protocols mpls ldp router-id '192.168.255.252' <--- Router ID setting for LDP - set interfaces ethernet eth1 address '192.168.0.5/31' <--- Interface IP for connecting to network - set interfaces loopback lo address '192.168.255.252/32' <--- Interface loopback IP for router ID and other uses - - -Operational Mode Commands -========================= - -When LDP is working, you will be able to see label information in the outcome -of ``show ip route``. Besides that information, there are also specific *show* -commands for LDP: - -Show ----- - -.. opcmd:: show mpls ldp binding - - Use this command to see the Label Information Base. - -.. opcmd:: show mpls ldp discovery - - Use this command to see discovery hello information - -.. opcmd:: show mpls ldp interface - - Use this command to see LDP interface information - -.. opcmd:: show mpls ldp neighbor - - Use this command to see LDP neighbor information - -.. opcmd:: show mpls ldp neighbor detail - - Use this command to see detailed LDP neighbor information - -Reset ------ - -.. opcmd:: reset mpls ldp neighbor <IPv4 or IPv6 address> - - Use this command to reset an LDP neighbor/TCP session that is established - - -.. _`Wikipedia (MPLS)`: https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching 
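Review bot: the removed docs/routing/mpls.rst is the only place documenting `set protocols mpls ldp neighbor <IPv4 address> password <password>`, the LDP session authentication command; make sure that command and the surrounding guidance that the transport address must be present in the routing table and reachable at all times are retained wherever this content lands. Keep the `.. _mpls:` label and the `.. _`Wikipedia (MPLS)`:` hyperlink target together with the prose, since the introduction references that target.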
diff --git a/docs/routing/mss-clamp.rst b/docs/routing/mss-clamp.rst deleted file mode 100644 index 3fdd1153..00000000 --- a/docs/routing/mss-clamp.rst +++ /dev/null @@ -1,63 +0,0 @@ -.. _routing-mss-clamp: - -################ -TCP-MSS Clamping -################ - -As Internet wide PMTU discovery rarely works, we sometimes need to clamp -our TCP MSS value to a specific value. This is a field in the TCP -Options part of a SYN packet. By setting the MSS value, you are telling -the remote side unequivocally 'do not try to send me packets bigger than -this value'. - -Starting with VyOS 1.2 there is a firewall option to clamp your TCP MSS -value for IPv4 and IPv6. - - -.. note:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting - in 1452 bytes on a 1492 byte MTU. - - -IPv4 -==== - -.. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes> - - Use this command to set the maximum segment size for IPv4 transit - packets on a specific interface (500-1460 bytes). - -Example -------- - -Clamp outgoing MSS value in a TCP SYN packet to `1452` for `pppoe0` and -`1372` -for your WireGuard `wg02` tunnel. - -.. code-block:: none - - set firewall options interface pppoe0 adjust-mss '1452' - set firewall options interface wg02 adjust-mss '1372' - -IPv6 -==== - -.. cfgcmd:: set firewall options interface <interface> adjust-mss6 <number-of-bytes> - - Use this command to set the maximum segment size for IPv6 transit - packets on a specific interface (1280-1492 bytes). - -Example -------- - -Clamp outgoing MSS value in a TCP SYN packet to `1280` for both `pppoe0` and -`wg02` interface. - -.. code-block:: none - - set firewall options interface pppoe0 adjust-mss6 '1280' - set firewall options interface wg02 adjust-mss6 '1280' - - - -.. hint:: When doing your byte calculations, you might find useful this - `Visual packet size calculator <https://baturin.org/tools/encapcalc/>`_. 
diff --git a/docs/routing/multicast.rst b/docs/routing/multicast.rst deleted file mode 100644 index 9104b0c9..00000000 --- a/docs/routing/multicast.rst +++ /dev/null 
@@ -1,244 +0,0 @@ -.. _multicast: - -######### -Multicast -######### - -VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, -**IGMP** and **IGMP-Proxy**. - -************ -PIM and IGMP -************ - -PIM (Protocol Independent Multicast) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, -unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using IGMP (Internet Group -Management Protocol). - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - - -Example -======= - -In the following example we can see a basic multicast setup: - -.. image:: /_static/images/multicast-basic.png - :width: 90% - :align: center - :alt: Network Topology Diagram - - - -**Router 1** - -.. code-block:: none - - set interfaces ethernet eth2 address '172.16.0.2/24' - set interfaces ethernet eth1 address '100.64.0.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '100.64.0.0/24' - set protocols igmp interface eth1 - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 3** - -.. 
code-block:: none - - set interfaces dummy dum0 address '172.16.255.1/24' - set interfaces ethernet eth0 address '172.16.0.1/24' - set interfaces ethernet eth1 address '172.16.1.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '172.16.255.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface dum0 - set protocols pim interface eth0 - set protocols pim interface eth1 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 2** - -.. code-block:: none - - set interfaces ethernet eth1 address '10.0.0.1/24' - set interfaces ethernet eth2 address '172.16.1.2/24' - set protocols ospf area 0 network '10.0.0.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - - - - - -Basic commands -============== - -These are the commands for a basic setup. - -.. cfgcmd:: set protocols pim interface <interface-name> - - Use this command to enable PIM in the selected interface so that it - can communicate with PIM neighbors. - - -.. cfgcmd:: set protocols pim rp address <address> group <multicast-address/mask-bits> - - Use this comand to manually configure a Rendevouz Point for PIM so - that join messages can be sent there. Set the Rendevouz Point address - and the matching prefix of group ranges covered. These values must - be shared with every router participating in the PIM network. - - -.. cfgcmd:: set protocols igmp interface eth1 - - Use this command to configure an interface with IGMP so that PIM can - receive IGMP reports and query on the selected interface. By defaul - IGMP version 3 will be used. - - - -Tuning commands -=============== - -You can also tune multicast with the following commands. - -.. 
cfgcmd:: set protocols pim interface <interface> dr-priority <value> - - Use this PIM command in the selected interface to set the priority - (1-4294967295) you want to influence in the election of a node to - become the Designated Router for a LAN segment. The default priority - is 1, set a higher value to give the router more preference in the - DR election process. - - -.. cfgcmd:: set protocols pim int <interface> hello <seconds> - - Use this command to configure the PIM hello interval in seconds - (1-180) for the selected interface. - - -.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds> - - Use this PIM command to modify the the time out value (31-60000 - seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ - flow. 31 seconds is chosen for a lower bound as some hardware - platforms cannot see data flowing in better than 30 second chunks. - - -.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> source <IP-address> - - Use this command to allow the selected interface join a multicast - group defining the multicast address you want to join and the source - IP address too. - - -.. cfgcmd:: set protocols igmp interface <interface query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. - - -.. cfgcmd:: set protocols igmp interface <interface query-max-response-time <deciseconds> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be asumed the `(S,G) or - (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has - timed out. - - -.. cfgcmd:: set protocols igmp interface <interface> version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. The default value is 3. 
- - - -********** -IGMP Proxy -********** - -:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -Configuration -============= - -.. cfgcmd:: set protocols igmp-proxy interface <interface> role <upstream | downstream> - - * **upstream:** The upstream network interface is the outgoing interface - which is responsible for communicating to available multicast data sources. - There can only be one upstream interface. - - * **downstream:** Downstream network interfaces are the distribution - interfaces to the destination networks, where multicast clients can join - groups and receive multicast data. One or more downstream interfaces must - be configured. - -.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> - - Defines alternate sources for multicasting and IGMP data. The network address - must be on the following format 'a.b.c.d/n'. By default the router will - accept data from sources on the same network as configured on an interface. - If the multicast source lies on a remote network, one must define from where - traffic should be accepted. - - This is especially useful for the upstream interface, since the source for - multicast traffic is often from a remote location. - - This option can be supplied multiple times. - -.. cfgcmd:: set protocols igmp-proxy disable-quickleave - - Disables quickleave mode. In this mode the daemon will not send a Leave IGMP - message upstream as soon as it receives a Leave message for any downstream - interface. The daemon will not ask for Membership reports on the downstream - interfaces, and if a report is received the group is not joined again - upstream. - - If it's vital that the daemon should act exactly as a real multicast client - on the upstream interface, this function should be enabled. 
- - Enabling this function increases the risk of bandwidth saturation. - -.. cfgcmd:: set protocols igmp-proxy disable - - Disable this service. - -Example -------- - -Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet -multicast which is in `eth0` WAN we need to configure igmp-proxy. - -.. code-block:: none - - set protocols igmp-proxy interface eth0 role upstream - set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 - set protocols igmp-proxy interface eth1 role downstream - -Operation -========= - -.. opcmd:: restart igmp-proxy - - Restart the IGMP proxy process. - - - diff --git a/docs/routing/ospf.rst b/docs/routing/ospf.rst deleted file mode 100644 index 19787b11..00000000 --- a/docs/routing/ospf.rst +++ /dev/null 
@@ -1,141 +0,0 @@ -.. include:: /_include/need_improvement.txt - -.. _routing-ospf: - -#### -OSPF -#### - -:abbr:`OSPF (Open Shortest Path First)` is a routing protocol for Internet -Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls -into the group of interior gateway protocols (IGPs), operating within a single -autonomous system (AS). It is defined as OSPF Version 2 in :rfc:`2328` (1998) -for IPv4. Updates for IPv6 are specified as OSPF Version 3 in :rfc:`5340` -(2008). OSPF supports the :abbr:`CIDR (Classless Inter-Domain Routing)` -addressing model. - -OSPF is a widely used IGP in large enterprise networks. - -OSPFv2 (IPv4) -############# - -In order to have a VyOS system exchanging routes with OSPF neighbors, you will -at least need to configure an OSPF area and some network. - -.. code-block:: none - - set protocols ospf area 0 network 192.168.0.0/24 - -That is the minimum configuration you will need. -It is a good practice to define the router ID too. - -.. code-block:: none - - set protocols ospf parameters router-id 10.1.1.1 - - -Below you can see a typical configuration using 2 nodes, redistribute loopback -address and the node 1 sending the default route: - -**Node 1** - -.. code-block:: none - - set interfaces loopback lo address 10.1.1.1/32 - set protocols ospf area 0 network 192.168.0.0/24 - set protocols ospf default-information originate always - set protocols ospf default-information originate metric 10 - set protocols ospf default-information originate metric-type 2 - set protocols ospf log-adjacency-changes - set protocols ospf parameters router-id 10.1.1.1 - set protocols ospf redistribute connected metric-type 2 - set protocols ospf redistribute connected route-map CONNECT - - set policy route-map CONNECT rule 10 action permit - set policy route-map CONNECT rule 10 match interface lo - -**Node 2** - -.. 
code-block:: none - - set interfaces loopback lo address 10.2.2.2/32 - set protocols ospf area 0 network 192.168.0.0/24 - set protocols ospf log-adjacency-changes - set protocols ospf parameters router-id 10.2.2.2 - set protocols ospf redistribute connected metric-type 2 - set protocols ospf redistribute connected route-map CONNECT - - set policy route-map CONNECT rule 10 action permit - set policy route-map CONNECT rule 10 match interface lo - -OSPFv3 (IPv6) -############# - -A typical configuration using 2 nodes. - -**Node 1:** - -.. code-block:: none - - set protocols ospfv3 area 0.0.0.0 interface eth1 - set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 - set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 redistribute connected - -**Node 2:** - -.. code-block:: none - - set protocols ospfv3 area 0.0.0.0 interface eth1 - set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 - set protocols ospfv3 parameters router-id 192.168.2.1 - set protocols ospfv3 redistribute connected - -.. note:: You can not easily redistribute IPv6 routes via OSPFv3 on a WireGuard - interface link. This requires you to configure link-local addresses manually - on the WireGuard interfaces, see :vytask:`T1483`. - -Example configuration for WireGuard interfaces: - -**Node 1** - -.. code-block:: none - - set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64' - set interfaces wireguard wg01 address '192.168.0.1/24' - set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345' - set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' - set interfaces wireguard wg01 port '12345' - set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 area 0.0.0.0 interface 'wg01' - set protocols ospfv3 area 0.0.0.0 interface 'lo' - -**Node 2** - -.. 
code-block:: none - - set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64' - set interfaces wireguard wg01 address '192.168.0.2/24' - set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0' - set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345' - set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' - set interfaces wireguard wg01 port '12345' - set protocols ospfv3 parameters router-id 192.168.1.2 - set protocols ospfv3 area 0.0.0.0 interface 'wg01' - set protocols ospfv3 area 0.0.0.0 interface 'lo' - -**Status** - -.. code-block:: none - - vyos@ospf01:~$ sh ipv6 ospfv3 neighbor - Neighbor ID Pri DeadTime State/IfState Duration I/F[State] - 192.168.0.2 1 00:00:37 Full/PointToPoint 00:18:03 wg01[PointToPoint] - - vyos@ospf02# run sh ipv6 ospfv3 neighbor - Neighbor ID Pri DeadTime State/IfState Duration I/F[State] - 192.168.0.1 1 00:00:39 Full/PointToPoint 00:19:44 wg01[PointToPoint] - diff --git a/docs/routing/rip.rst b/docs/routing/rip.rst deleted file mode 100644 index 0d73ad34..00000000 --- a/docs/routing/rip.rst +++ /dev/null 
@@ -1,37 +0,0 @@ -.. include:: /_include/need_improvement.txt - -.. _rip: - -### -RIP -### - -:abbr:`RIP (Routing Information Protocol)` is a widely deployed interior gateway -protocol. RIP was developed in the 1970s at Xerox Labs as part of the XNS -routing protocol. RIP is a distance-vector protocol and is based on the -Bellman-Ford algorithms. As a distance-vector protocol, RIP router send updates -to its neighbors periodically, thus allowing the convergence to a known -topology. In each update, the distance to any given network will be broadcast -to its neighboring router. - -Supported versions of RIP are: -* RIPv1 as described in :rfc:`1058` -* RIPv2 as described in :rfc:`2453` - -Simple RIP configuration using 2 nodes and redistributing connected interfaces. - -**Node 1:** - -.. code-block:: none - - set interfaces loopback address 10.1.1.1/32 - set protocols rip network 192.168.0.0/24 - set protocols rip redistribute connected - -**Node 2:** - -.. code-block:: none - - set interfaces loopback address 10.2.2.2/32 - set protocols rip network 192.168.0.0/24 - set protocols rip redistribute connected diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst deleted file mode 100644 index 9813b1b6..00000000 --- a/docs/routing/rpki.rst +++ /dev/null 
@@ -1,113 +0,0 @@ -.. _rpki: - -#### -RPKI -#### - -.. pull-quote:: - - There are two types of Network Admins who deal with BGP, those who have - created an international incident and/or outage, and those who are lying - - -- `tweet by EvilMog`_, 2020-02-21 - -:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI -(Public Key Infrastructure)` designed to secure the Internet routing -infrastructure. It associates BGP route announcements with the correct -originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then -use to check each route against the corresponding :abbr:`ROA (Route Origin -Authorisation)` for validity. RPKI is described in :rfc:`6480`. - -A BGP-speaking router like VyOS can retrieve ROA information from RPKI -"Relying Party software" (often just called an "RPKI server" or "RPKI -validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several -open source implementations to choose from, such as NLNetLabs' Routinator_ -(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and -RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described -in :rfc:`8210`. - -.. tip:: - If you are new to these routing security technologies then there is an - `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed - very quickly. Their documentation explains everything from what RPKI is to - deploying it in production (albeit with a focus on using NLnet Labs' - tools). It also has some `help and operational guidance`_ including - "What can I do about my route having an Invalid state?" - -First you will need to deploy an RPKI validator for your routers to use. The -RIPE NCC helpfully provide `some instructions`_ to get you started with -several different options. Once your server is running you can start -validating announcements. - -Imported prefixes during the validation may have values: - - valid - The prefix and ASN that originated it match a signed ROA. 
These are - probably trustworthy route announcements. - - invalid - The prefix or prefix length and ASN that originated it doesn't - match any existing ROA. This could be the result of a prefix hijack, or - merely a misconfiguration, but should probably be treated as - untrustworthy route announcements. - - notfound - No ROA exists which covers that prefix. Unfortunately this is the case - for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ - (default-free zone)` at the start of 2020 (see more detail in - NLnet Labs' `RPKI analytics`_). - -.. note:: - If you are responsible for the global addresses assigned to your - network, please make sure that your prefixes have ROAs associated with them - to avoid being `notfound` by RPKI. For most ASNs this will involve - publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE - NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged - to do whenever you plan to announce addresses into the DFZ. - - Particularly large networks may wish to run their own RPKI certificate - authority and publication server instead of publishing ROAs via their RIR. - This is a subject far beyond the scope of VyOS' documentation. Consider - reading about Krill_ if this is a rabbit hole you need or especially want - to dive down. - -We can build route-maps for import based on these states. Here is a simple -RPKI configuration, where `routinator` is the RPKI-validating "cache" -server with ip `192.0.2.1`: - -.. code-block:: none - - set protocols rpki cache routinator address '192.0.2.1' - set protocols rpki cache routinator port '3323' - -Here is an example route-map to apply to routes learned at import. In this -filter we reject prefixes with the state `invalid`, and set a higher -`local-preference` if the prefix is RPKI `valid` rather than merely -`notfound`. - -.. 
code-block:: none - - set policy route-map ROUTES-IN rule 10 action 'permit' - set policy route-map ROUTES-IN rule 10 match rpki 'valid' - set policy route-map ROUTES-IN rule 10 set local-preference '300' - set policy route-map ROUTES-IN rule 20 action 'permit' - set policy route-map ROUTES-IN rule 20 match rpki 'notfound' - set policy route-map ROUTES-IN rule 20 set local-preference '125' - set policy route-map ROUTES-IN rule 30 action 'deny' - set policy route-map ROUTES-IN rule 30 match rpki 'invalid' - -Once your routers are configured to reject RPKI-invalid prefixes, you can -test whether the configuration is working correctly using the `RIPE Labs RPKI -Test`_ experimental tool. - -.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216 -.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/ -.. _GoRTR: https://github.com/cloudflare/gortr -.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki -.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources -.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator -.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/ -.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/ -.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ -.. _excellent guide to RPKI: https://rpki.readthedocs.io/ -.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html diff --git a/docs/routing/static.rst b/docs/routing/static.rst deleted file mode 100644 index 523627fa..00000000 --- a/docs/routing/static.rst +++ /dev/null 
@@ -1,134 +0,0 @@ -.. _static-routing: - -###### -Static -###### - -Static routes are manually configured routes, which, in general, cannot be -updated dynamically from information VyOS learns about the network topology from -other routing protocols. However, if a link fails, the router will remove -routes, including static routes, from the :abbr:`RIPB (Routing Information -Base)` that used this interface to reach the next hop. In general, static -routes should only be used for very simple network topologies, or to override -the behavior of a dynamic routing protocol for a small number of routes. The -collection of all routes the router has learned from its configuration or from -its dynamic routing protocols is stored in the RIB. Unicast routes are directly -used to determine the forwarding table used for unicast packet forwarding. - -Static Routes -############# - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> - - Configure next-hop `<address>` for an IPv4 static route. Multiple static - routes can be created. - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> disable - - Disable this IPv4 static route entry. - -.. cfgcmd:: set protocols static route <subnet> next-hop <address> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - .. note:: Routes with a distance of 255 are effectively disabled and not - installed into the kernel. - -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> - - Configure next-hop `<address>` for an IPv6 static route. Multiple static - routes can be created. - -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> disable - - Disable this IPv6 static route entry. - -.. 
cfgcmd:: set protocols static route6 <subnet> next-hop <address> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - .. note:: Routes with a distance of 255 are effectively disabled and not - installed into the kernel. - - -Interface Routes -================ - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> - - Allows you to configure the next-hop interface for an interface-based IPv4 - static route. `<interface>` will be the next-hop interface where trafic is - routed for the given `<subnet>`. - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> disable - - Disables interface-based IPv4 static route. - -.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface <interface> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> - - Allows you to configure the next-hop interface for an interface-based IPv6 - static route. `<interface>` will be the next-hop interface where trafic is - routed for the given `<subnet>`. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> disable - - Disables interface-based IPv6 static route. - -.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface <interface> distance <distance> - - Defines next-hop distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - Range is 1 to 255, default is 1. - - -Blackhole -========= - -.. 
cfgcmd:: set protocols static route <subnet> blackhole - - Use this command to configure a "black-hole" route on the router. A - black-hole route is a route for which the system silently discard packets - that are matched. This prevents networks leaking out public interfaces, but - it does not prevent them from being used as a more specific route inside your - network. - -.. cfgcmd:: set protocols static route <subnet> blackhole distance <distance> - - Defines blackhole distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - -.. cfgcmd:: set protocols static route6 <subnet> blackhole - - Use this command to configure a "black-hole" route on the router. A - black-hole route is a route for which the system silently discard packets - that are matched. This prevents networks leaking out public interfaces, but - it does not prevent them from being used as a more specific route inside your - network. - -.. cfgcmd:: set protocols static route6 <subnet> blackhole distance <distance> - - Defines blackhole distance for this route, routes with smaller administrative - distance are elected prior those with a higher distance. - - -Alternate Routing Tables -======================== - -TBD - -Alternate routing tables are used with policy based routing of by utilizing -:ref:`vrf`. |
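Review bot: in the docs/routing/mpls.rst hunk the file is deleted to /dev/null and this diff adds no replacement, so the only documentation of LDP peer authentication (`set protocols mpls ldp neighbor <IPv4 address> password <password>`) disappears with it; please confirm the content is relocated rather than dropped. Two things worth fixing wherever it lands: the `neighbor` command is documented for an IPv4 peer address only while `discovery transport-ipv6-address` is documented beside it, so say whether IPv6 peers can be authenticated; and the sample configuration carries `<--- ...` annotations inside a `code-block:: none`, which a user pasting the block will paste too, so move those explanations out of the block.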
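Review bot: in the docs/routing/mss-clamp.rst hunk the note `MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU` sits above both the IPv4 and IPv6 sections but only the 20-byte IPv4 header figure is used; the IPv6 section (`adjust-mss6`, 1280-1492 bytes) needs the 40-byte IPv6 header, so if the text is relocated, place the note under IPv4 or state the IPv6 calculation separately so nobody clamps IPv6 too high.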
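Review bot: the docs/routing/multicast.rst hunk contains two malformed command signatures, `set protocols igmp interface <interface query-interval <seconds>` and `set protocols igmp interface <interface query-max-response-time <deciseconds>` (missing `>` after `<interface`), plus `set protocols pim int <interface> hello <seconds>` using `int` where every other entry spells out `interface`, and `.. cfgcmd:: set protocols igmp interface eth1` naming a concrete interface instead of `<interface>`. If this content is moved rather than dropped, correct those together with the spelling errors `Rendevouz`, `comand`, `defaul` and `asumed`, and reword the `disable-quickleave` text, where "this function should be enabled" does not say whether it refers to quickleave or to the disable option.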
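Review bot: in the docs/routing/ospf.rst hunk the WireGuard OSPFv3 example configures `router-id 192.168.1.1` on Node 1 and `router-id 192.168.1.2` on Node 2, but the status output below it shows `Neighbor ID 192.168.0.2` and `192.168.0.1`, so the captured output does not come from the configuration shown; if relocated, either capture the output again or align the router IDs in the config. Minor: "You can not easily redistribute" should read "You cannot easily redistribute".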
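Review bot: in the docs/routing/rip.rst hunk both node examples use `set interfaces loopback address 10.1.1.1/32` without the interface name, whereas the ospf.rst and static.rst hunks in this same diff write `set interfaces loopback lo address ...`; the RIP form will not apply as written. Also, the `Supported versions of RIP are:` line is followed directly by `* RIPv1 ...` with no blank line, so RST will not render it as a list, and "RIP router send updates to its neighbors" needs "a RIP router sends".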
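Review bot: in the docs/routing/rpki.rst hunk the `ROUTES-IN` route-map relies on rule 30 (`deny` on `rpki 'invalid'`) being reached only after rules 10 and 20 have matched `valid` and `notfound`; that ordering works, but putting the deny rule first would make the filter's intent obvious to a reader skimming it, since rejecting invalids is the point the surrounding text stresses. Spelling: `Autonomus System Number` should be `Autonomous`.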
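Review bot: the docs/routing/static.rst hunk abbreviates the Routing Information Base as `RIPB` in the introduction while the same paragraph later uses `RIB`; `trafic` appears twice in the interface-route entries; "routes with smaller administrative distance are elected prior those with a higher distance" is repeated six times and should read "are preferred over those"; and the closing `Alternate Routing Tables` section is a `TBD` stub whose one sentence ("used with policy based routing of by utilizing :ref:`vrf`") is broken. If the file is being relocated rather than removed, fix these in the new location.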