diff options
| author | KyleM <103862795+ServerForge@users.noreply.github.com> | 2023-02-04 08:57:51 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-04 08:57:51 -0500 |
| commit | bfdd195284a17bab5632db363a1832e3e2de4b20 (patch) | |
| tree | b4495e9debd5d751ca747838bb674df4668f31b1 /docs/configuration/protocols | |
| parent | d39ce49e2f54b99433c5c661fc1cb6efbbe6c930 (diff) | |
| download | vyos-documentation-bfdd195284a17bab5632db363a1832e3e2de4b20.tar.gz vyos-documentation-bfdd195284a17bab5632db363a1832e3e2de4b20.zip | |
Add docs for RFC 9234
Added documentation for new BGP roles for RFC 9234
Diffstat (limited to 'docs/configuration/protocols')
| -rw-r--r-- | docs/configuration/protocols/bgp.rst | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 6593730f..bef75733 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -206,6 +206,40 @@ Defining Peers peers ASN is the same as mine as specified under the :cfgcmd:`protocols bgp <asn>` command the connection will be denied. +.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role <role> [strict] + + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the + new OPEN Roles Mismatch Notification <2, 11> would be sent. + The correct Role pairs are: + + Provider - Customer + + Peer - Peer + + RS-Server - RS-Client + + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This + configuration parameter is defined in RFC :rfc:`9234` and is used to + enforce the corresponding configuration at your counter-parts side. + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-clinet, or the peer local-role) will + be marked with a new Only to Customer (OTC) attribute. + + Routes with this attribute can only be sent to your neighbor if your + local-role is provider or rs-server. Routes with this attribute can + be received only if your local-role is customer or rs-client. + + In case of peer-peer relationship routes can be received only if OTC + value is equal to your neighbor AS number. + + All these rules with OTC will help to detect and mitigate route leaks + and happen automatically if local-role is set. + .. cfgcmd:: set protocols bgp neighbor <address|interface> shutdown This command disable the peer or peer group. To reenable the peer use |