From dbddfe85adaa70552607b38706b39238b465ac4e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 23 Jul 2021 11:17:55 -0300 Subject: Index file updated and split into new files. Indent and length on every file were verified --- docs/configuration/policy/examples.rst | 180 +++++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100644 docs/configuration/policy/examples.rst (limited to 'docs/configuration/policy/examples.rst') diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst new file mode 100644 index 00000000..88715a0a --- /dev/null +++ b/docs/configuration/policy/examples.rst 
@@ -0,0 +1,180 @@ +BGP Example +=========== + +**Policy definition:** + +.. code-block:: none + + # Create policy + set policy route-map setmet rule 2 action 'permit' + set policy route-map setmet rule 2 set as-path-prepend '2 2 2' + + # Apply policy to BGP + set protocols bgp local-as 1 + set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' + set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' + +Using 'soft-reconfiguration' we get the policy update without bouncing the +neighbor. + +**Routes learned before routing policy applied:** + +.. code-block:: none + + vyos@vos1:~$ show ip bgp + BGP table version is 0, local router ID is 192.168.56.101 + Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, + r RIB-failure, S Stale, R Removed + Origin codes: i - IGP, e - EGP, ? - incomplete + + Network Next Hop Metric LocPrf Weight Path + *> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path + + Total number of prefixes 1 + +**Routes learned after routing policy applied:** + +.. code-block:: none + + vyos@vos1:~$ show ip bgp + BGP table version is 0, local router ID is 192.168.56.101 + Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, + r RIB-failure, S Stale, R Removed + Origin codes: i - IGP, e - EGP, ? - incomplete + + Network Next Hop Metric LocPrf Weight Path + *> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i + + Total number of prefixes 1 + vyos@vos1:~$ + +You now see the longer AS path. + + +Transparent Proxy +================= + +The following example will show how VyOS can be used to redirect web +traffic to an external transparent proxy: + +.. 
code-block:: none + + set policy route FILTER-WEB rule 1000 destination port 80 + set policy route FILTER-WEB rule 1000 protocol tcp + set policy route FILTER-WEB rule 1000 set table 100 + +This creates a route policy called FILTER-WEB with one rule to set the +routing table for matching traffic (TCP port 80) to table ID 100 +instead of the default routing table. + +To create routing table 100 and add a new default gateway to be used by +traffic matching our route policy: + +.. code-block:: none + + set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 + +This can be confirmed using the ``show ip route table 100`` operational +command. + +Finally, to apply the policy route to ingress traffic on our LAN +interface, we use: + +.. code-block:: none + + set interfaces ethernet eth1 policy route FILTER-WEB + + +Multiple Uplinks +================ + +VyOS Policy-Based Routing (PBR) works by matching source IP address +ranges and forwarding the traffic using different routing tables. + +Routing tables that will be used in this example are: + +* ``table 10`` Routing table used for VLAN 10 (192.168.188.0/24) +* ``table 11`` Routing table used for VLAN 11 (192.168.189.0/24) +* ``main`` Routing table used by VyOS and other interfaces not + participating in PBR + +.. figure:: /_static/images/pbr_example_1.png + :scale: 80 % + :alt: PBR multiple uplinks + + Policy-Based Routing with multiple ISP uplinks + (source ./draw.io/pbr_example_1.drawio) + +Add default routes for routing ``table 10`` and ``table 11`` + +.. code-block:: none + + set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.2.1 + set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 + +Add policy route matching VLAN source addresses + +.. 
code-block:: none + + set policy route PBR rule 20 set table '10' + set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' + set policy route PBR rule 20 source address '192.168.188.0/24' + + set policy route PBR rule 30 set table '11' + set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' + set policy route PBR rule 30 source address '192.168.189.0/24' + +Apply routing policy to **inbound** direction of out VLAN interfaces + +.. code-block:: none + + set interfaces ethernet eth0 vif 10 policy route 'PBR' + set interfaces ethernet eth0 vif 11 policy route 'PBR' + + +**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) +from PBR + +.. code-block:: none + + set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' + set policy route PBR rule 10 destination address '192.168.188.0/24' + set policy route PBR rule 10 destination address '192.168.189.0/24' + set policy route PBR rule 10 set table 'main' + +These commands allow the VLAN10 and VLAN20 hosts to communicate with +each other using the main routing table. + +Local route +----------- + +The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` +for traffic, which originated from the router itself. That solution for multiple +ISP's and VyOS router will respond from the same interface that the packet was +received. Also, it used, if we want that one VPN tunnel to be through one +provider, and the second through another. + +* ``203.0.113.254`` IP addreess on VyOS eth1 from ISP1 +* ``192.168.2.254`` IP addreess on VyOS eth2 from ISP2 +* ``table 10`` Routing table used for ISP1 +* ``table 11`` Routing table used for ISP2 + + +.. 
code-block:: none + + set policy local-route rule 101 set table '10' + set policy local-route rule 101 source '203.0.113.254' + set policy local-route rule 102 set table '11' + set policy local-route rule 102 source '192.0.2.254' + set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1' + set protocols static table 11 route 0.0.0.0/0 next-hop '192.0.2.2' + +Add multiple source IP in one rule with same priority + +.. code-block:: none + + set policy local-route rule 101 set table '10' + set policy local-route rule 101 source '203.0.113.254' + set policy local-route rule 101 source '203.0.113.253' + set policy local-route rule 101 source '198.51.100.0/24' + -- cgit v1.2.3 From fb2225147ee1cb822bafda1f4da7e2969c3a6379 Mon Sep 17 00:00:00 2001 
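Review bot: in the first commit's examples.rst hunk, the Local route section's bullet list and its configuration disagree: the bullet names ``192.168.2.254`` as the eth2 address from ISP2, but rule 102 matches ``source '192.0.2.254'`` and table 11's default route points at 192.0.2.2, so the bullet should read 192.0.2.254 (and "addreess" is misspelled in both bullets). In the same hunk, the optional inter-VLAN shortcut sets ``policy route PBR rule 10 destination address`` twice ('192.168.188.0/24' and then '192.168.189.0/24'); if that leaf holds a single value, the second set replaces the first, so either split it into two rules or state explicitly that both networks are matched, and the sentence after it says "VLAN10 and VLAN20" where the rules cover VLAN10 and VLAN11. Minor wording: "out VLAN interfaces" should be "our VLAN interfaces", the stray "< Path" marker in the first ``show ip bgp`` output should be explained or dropped, and the Local route introduction ("That solution for multiple ISP's and VyOS router will respond...") needs rewording before publication.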
From: Nicolas Fort Date: Mon, 26 Jul 2021 16:13:24 -0300 Subject: bgp-policies.rst deleted, and its content was divided into as-path-list.rst, community-list.rst, extcommunity-list.rst and large-community-list.rst; Examples sections on every file removed; examples.rst changed, in order to have the list of examples on the left menu --- docs/configuration/policy/access-list.rst | 11 +- docs/configuration/policy/as-path-list.rst | 33 ++++++ docs/configuration/policy/bgp-policies.rst | 124 --------------------- docs/configuration/policy/community-list.rst | 35 ++++++ docs/configuration/policy/examples.rst | 13 ++- docs/configuration/policy/extcommunity-list.rst | 40 +++++++ docs/configuration/policy/index.rst | 5 +- docs/configuration/policy/large-community-list.rst | 36 ++++++ docs/configuration/policy/prefix-list.rst | 7 -- docs/configuration/policy/route-map.rst | 6 - docs/configuration/policy/route.rst | 7 -- 11 files changed, 157 insertions(+), 160 deletions(-) create mode 100644 docs/configuration/policy/as-path-list.rst delete mode 100644 docs/configuration/policy/bgp-policies.rst create mode 100644 docs/configuration/policy/community-list.rst create mode 100644 docs/configuration/policy/extcommunity-list.rst create mode 100644 docs/configuration/policy/large-community-list.rst (limited to 'docs/configuration/policy/examples.rst') diff --git a/docs/configuration/policy/access-list.rst b/docs/configuration/policy/access-list.rst index 41c35986..0af9b911 100644 --- a/docs/configuration/policy/access-list.rst +++ b/docs/configuration/policy/access-list.rst @@ -33,7 +33,7 @@ Access Lists This command defines matching parameters for access list rule. Matching - criteria could be applied to destinarion or source parameters: + criteria could be applied to destination or source parameters: * any: any IP address to match. * host: single host IP address to match. 
@@ -67,11 +67,4 @@ Basic filtering could also be applied to IPv6 traffic. * any: any IPv6 address to match. * exact-match: exact match of the network prefixes. * network: network/netmask to match (requires inverse-match be defined) BUG, - NO invert-match option in access-list6 - - -******** -Examples -******** - -Examples would be uploaded soon. \ No newline at end of file + NO invert-match option in access-list6 \ No newline at end of file diff --git a/docs/configuration/policy/as-path-list.rst b/docs/configuration/policy/as-path-list.rst new file mode 100644 index 00000000..ceeb8e01 --- /dev/null +++ b/docs/configuration/policy/as-path-list.rst @@ -0,0 +1,33 @@ +#################### +BGP - AS Path Policy +#################### + +VyOS provides policies commands exclusively for BGP traffic filtering and +manipulation: **as-path-list** is one of them. + +************* +Configuration +************* + +policy as-path-list +=================== + +.. cfgcmd:: set policy as-path-list + + Create as-path-policy identified by name . + +.. cfgcmd:: set policy as-path-list description + + Set description for as-path-list policy. + +.. cfgcmd:: set policy as-path-list rule <1-65535> action + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> description + + Set description for rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> regex + + Regular expression to match against an AS path. For example "64501 64502". diff --git a/docs/configuration/policy/bgp-policies.rst b/docs/configuration/policy/bgp-policies.rst deleted file mode 100644 index 72b612cb..00000000 --- a/docs/configuration/policy/bgp-policies.rst +++ /dev/null 
@@ -1,124 +0,0 @@ -#################### -BGP Related Policies -#################### - -VyOS provides policies commands exclusively for BGP traffic filtering and -manipulation. In this section, all those commands are covered. - -************* -Configuration -************* - -policy as-path-list -=================== - -.. cfgcmd:: set policy as-path-list - - Create as-path-policy identified by name . - -.. cfgcmd:: set policy as-path-list description - - Set description for as-path-list policy. - -.. cfgcmd:: set policy as-path-list rule <1-65535> action - - Set action to take on entries matching this rule. - -.. cfgcmd:: set policy as-path-list rule <1-65535> description - - Set description for rule. - -.. cfgcmd:: set policy as-path-list rule <1-65535> regex - - Regular expression to match against an AS path. For example "64501 64502". - - -policy community-list -===================== - -.. cfgcmd:: set policy community-list - - Creat community-list policy identified by name . - -.. cfgcmd:: set policy community-list description - - Set description for community-list policy. - -.. cfgcmd:: set policy community-list rule <1-65535> action - - - Set action to take on entries matching this rule. - -.. cfgcmd:: set policy community-list rule <1-65535> description - - Set description for rule. - -.. cfgcmd:: set policy community-list rule <1-65535> regex - - - Regular expression to match against a community-list. - - -policy extcommunity-list -======================== - -.. cfgcmd:: set policy extcommunity-list - - Creat extcommunity-list policy identified by name . - -.. cfgcmd:: set policy extcommunity-list description - - Set description for extcommunity-list policy. - -.. cfgcmd:: set policy extcommunity-list rule <1-65535> action - - - Set action to take on entries matching this rule. - -.. cfgcmd:: set policy extcommunity-list rule <1-65535> description - - - Set description for rule. - -.. 
cfgcmd:: set policy extcommunity-list rule <1-65535> regex - - Regular expression to match against an extended community list, where text - could be: - - * : Extended community list regular expression. - * : Route Target regular expression. - * : Site of Origin regular expression. - - -policy large-community-list -=========================== - -.. cfgcmd:: set policy large-community-list - - Creat large-community-list policy identified by name . - -.. cfgcmd:: set policy large-community-list description - - Set description for large-community-list policy. - -.. cfgcmd:: set policy large-community-list rule <1-65535> action - - - Set action to take on entries matching this rule. - -.. cfgcmd:: set policy large-community-list rule <1-65535> description - - - Set description for rule. - -.. cfgcmd:: set policy large-community-list rule <1-65535> regex - - - Regular expression to match against a large community list. - - -******** -Examples -******** - -Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/community-list.rst b/docs/configuration/policy/community-list.rst new file mode 100644 index 00000000..e53abeb3 --- /dev/null +++ b/docs/configuration/policy/community-list.rst 
@@ -0,0 +1,35 @@ +#################### +BGP - Community List +#################### + +VyOS provides policies commands exclusively for BGP traffic filtering and +manipulation: **community-list** is one of them. + +************* +Configuration +************* + +policy community-list +===================== + +.. cfgcmd:: set policy community-list + + Creat community-list policy identified by name . + +.. cfgcmd:: set policy community-list description + + Set description for community-list policy. + +.. cfgcmd:: set policy community-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy community-list rule <1-65535> description + + Set description for rule. + +.. cfgcmd:: set policy community-list rule <1-65535> regex + + + Regular expression to match against a community-list. \ No newline at end of file diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index 88715a0a..a1d40db4 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst @@ -1,5 +1,6 @@ +########### BGP Example -=========== +########### **Policy definition:** @@ -50,9 +51,9 @@ neighbor. You now see the longer AS path. - +################# Transparent Proxy -================= +################# The following example will show how VyOS can be used to redirect web traffic to an external transparent proxy: @@ -84,9 +85,9 @@ interface, we use: set interfaces ethernet eth1 policy route FILTER-WEB - +################ Multiple Uplinks -================ +################ VyOS Policy-Based Routing (PBR) works by matching source IP address ranges and forwarding the traffic using different routing tables. 
@@ -146,7 +147,7 @@ These commands allow the VLAN10 and VLAN20 hosts to communicate with each other using the main routing table. Local route ------------ +=========== The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` for traffic, which originated from the router itself. That solution for multiple diff --git a/docs/configuration/policy/extcommunity-list.rst b/docs/configuration/policy/extcommunity-list.rst new file mode 100644 index 00000000..c413b8b5 --- /dev/null +++ b/docs/configuration/policy/extcommunity-list.rst @@ -0,0 +1,40 @@ +############################# +BGP - Extended Community List +############################# + +VyOS provides policies commands exclusively for BGP traffic filtering and +manipulation: **extcommunity-list** is one of them. + +************* +Configuration +************* + +policy extcommunity-list +======================== + +.. cfgcmd:: set policy extcommunity-list + + Creat extcommunity-list policy identified by name . + +.. cfgcmd:: set policy extcommunity-list description + + Set description for extcommunity-list policy. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> description + + + Set description for rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> regex + + Regular expression to match against an extended community list, where text + could be: + + * : Extended community list regular expression. + * : Route Target regular expression. + * : Site of Origin regular expression. diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst index fc1c1366..51f60479 100644 --- a/docs/configuration/policy/index.rst +++ b/docs/configuration/policy/index.rst @@ -35,8 +35,11 @@ Policy Sections prefix-list route route-map - bgp-policies local-route + as-path-list + community-list + extcommunity-list + large-community-list ******** Examples 
diff --git a/docs/configuration/policy/large-community-list.rst b/docs/configuration/policy/large-community-list.rst new file mode 100644 index 00000000..39da0815 --- /dev/null +++ b/docs/configuration/policy/large-community-list.rst @@ -0,0 +1,36 @@ +########################## +BGP - Large Community List +########################## + +VyOS provides policies commands exclusively for BGP traffic filtering and +manipulation: **large-community-list** is one of them. + +************* +Configuration +************* + +policy large-community-list +=========================== + +.. cfgcmd:: set policy large-community-list + + Creat large-community-list policy identified by name . + +.. cfgcmd:: set policy large-community-list description + + Set description for large-community-list policy. + +.. cfgcmd:: set policy large-community-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> description + + + Set description for rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> regex + + + Regular expression to match against a large community list. diff --git a/docs/configuration/policy/prefix-list.rst b/docs/configuration/policy/prefix-list.rst index ebc02ea2..63b6510e 100644 --- a/docs/configuration/policy/prefix-list.rst +++ b/docs/configuration/policy/prefix-list.rst @@ -78,10 +78,3 @@ IPv6 Prefix Lists .. cfgcmd:: set policy prefix-list6 rule <1-65535> le <0-128> Netmask less than lenght - - -******** -Examples -******** - -Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 14cace25..7c236cf7 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -254,9 +254,3 @@ Route Map <0-4294967295> Set BGP weight attribute - -******** -Examples -******** - -Examples would be uploaded soon. \ No newline at end of file 
diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst index 8f54a47b..ffbe85b2 100644 --- a/docs/configuration/policy/route.rst +++ b/docs/configuration/policy/route.rst @@ -419,10 +419,3 @@ IPv6 Route Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. - - -******** -Examples -******** - -Examples would be uploaded soon. \ No newline at end of file -- cgit v1.2.3
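Review bot: in the second commit's access-list.rst hunk, the inline remark "BUG, NO invert-match option in access-list6" remains in the published text once the Examples stub is removed; that is an internal to-do rather than user documentation, so track it in an issue and, if the limitation itself should be documented, phrase it as a ``.. note::`` stating that the option is not available for access-list6. The file also still ends without a trailing newline on both sides of the hunk.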
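Review bot: in the new as-path-list.rst, the ``rule <1-65535> action`` entry says only "Set action to take on entries matching this rule" without naming the accepted values (permit or deny), and the ``regex`` entry's example "64501 64502" is an unanchored expression that also matches longer paths merely containing that sequence; one sentence on anchoring with ``^`` and ``$`` and on what an exact-path match looks like would save readers a debugging session. Both points apply equally to the community-list.rst, extcommunity-list.rst and large-community-list.rst files created in the same commit.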
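Review bot: in the new community-list.rst, "Creat community-list policy identified by name" is copied from the deleted bgp-policies.rst with the typo intact ("Create"), and the same misspelling is carried into the extcommunity-list.rst and large-community-list.rst hunks. The ``action`` and ``regex`` entries also leave two blank lines between the cfgcmd line and its description where the other entries have one, and the file ends without a trailing newline (the "\ No newline at end of file" marker), so the indentation and length check the commit series claims did not cover this file.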
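Review bot: in the prefix-list.rst hunk, the retained context line "Netmask less than lenght" carries a misspelling ("length"); since this commit already edits the end of that file, correcting it in the same change would be cheap and keeps the typo out of the next release's docs.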