summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
m---------docs/_include/vyos-1x0
-rw-r--r--docs/_static/images/vyos-sr-isis.pngbin0 -> 45339 bytes
-rw-r--r--docs/_static/images/zone-policy-diagram.pngbin113618 -> 126116 bytes
-rw-r--r--docs/changelog/1.3.rst8
-rw-r--r--docs/changelog/1.4.rst44
-rw-r--r--docs/configexamples/index.rst1
-rw-r--r--docs/configexamples/segment-routing-isis.rst279
-rw-r--r--docs/configuration/protocols/bgp.rst3
-rw-r--r--docs/configuration/protocols/index.rst1
-rw-r--r--docs/configuration/protocols/segment-routing.rst357
10 files changed, 691 insertions, 2 deletions
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject b65296a0ff39e66d87e916971477cce351f6d5a
+Subproject f5d40cf3cf8b29a289da31bb3f0368fcfaeae3c
diff --git a/docs/_static/images/vyos-sr-isis.png b/docs/_static/images/vyos-sr-isis.png
new file mode 100644
index 00000000..62430919
--- /dev/null
+++ b/docs/_static/images/vyos-sr-isis.png
Binary files differ
diff --git a/docs/_static/images/zone-policy-diagram.png b/docs/_static/images/zone-policy-diagram.png
index cfde4af6..49e3e046 100644
--- a/docs/_static/images/zone-policy-diagram.png
+++ b/docs/_static/images/zone-policy-diagram.png
Binary files differ
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index 18236014..d6ab1408 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,14 @@
_ext/releasenotes.py
+2023-04-05
+==========
+
+* :vytask:`T4975` (bug): CLI does not work after cutting off the power or reset
+* :vytask:`T5136` (bug): Possible config corruption on upgrade
+* :vytask:`T425` (feature): AWS CloudWatch monitoring scripts
+
+
2023-04-01
==========
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index eab4caf1..465febef 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,50 @@
_ext/releasenotes.py
+2023-04-10
+==========
+
+* :vytask:`T5151` (bug): EAP-TLS TLSv1.0/1.1 regression after T5003
+
+
+2023-04-07
+==========
+
+* :vytask:`T5149` (bug): op-mode openvpn should not raise error in case interface is disabled
+
+
+2023-04-06
+==========
+
+* :vytask:`T5147` (bug): Can't Commit with Container Network
+* :vytask:`T5142` (feature): One of the requirements is to use a system auditing tool to monitor and log all security-relevant events.
+* :vytask:`T5125` (feature): Add op-mode commands for hsflowd based sflow
+
+
+2023-04-05
+==========
+
+* :vytask:`T5145` (feature): Add maxsyslogins maximum number of all logins on system
+* :vytask:`T5135` (default): Rewrite opennhrp script using vyos.ipsec library
+* :vytask:`T4975` (bug): CLI does not work after cutting off the power or reset
+* :vytask:`T5136` (bug): Possible config corruption on upgrade
+
+
+2023-04-04
+==========
+
+* :vytask:`T5141` (feature): Add numbers for dhclient-exit-hooks.d to enforce script order execution
+* :vytask:`T5093` (bug): Command 'reset vpn ipsec-profile' doesn't work
+* :vytask:`T4362` (bug): Wan Load Balancing - Can't create routing tables
+
+
+2023-04-03
+==========
+
+* :vytask:`T5139` (feature): IKE life-time should start from 0 for disable rekey
+* :vytask:`T4173` (bug): Wan Load Balancing - Error on firewall NAT rules
+
+
2023-04-02
==========
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst
index a53a86c6..b3610d3a 100644
--- a/docs/configexamples/index.rst
+++ b/docs/configexamples/index.rst
@@ -20,6 +20,7 @@ This chapter contains various configuration examples:
inter-vrf-routing-vrf-lite
openvpn-ldap
qos
+ segment-routing-isis
nmp
diff --git a/docs/configexamples/segment-routing-isis.rst b/docs/configexamples/segment-routing-isis.rst
new file mode 100644
index 00000000..d9bc439b
--- /dev/null
+++ b/docs/configexamples/segment-routing-isis.rst
@@ -0,0 +1,279 @@
+:lastproofread: 2023-04-10
+
+.. _examples-segment-routing-isis:
+
+#############################
+Segment-routing IS-IS example
+#############################
+
+When utilizing VyOS in an environment with Cisco IOS-XR gear you can use this
+blue print as an initial setup to get MPLS ISIS-SR working between those two
+devices.The lab was build using :abbr:`EVE-NG (Emulated Virtual
+Environment NG)`.
+
+.. figure:: /_static/images/vyos-sr-isis.png
+ :alt: ISIS-SR network
+
+ ISIS-SR example network
+
+The below configuration is used as example where we keep focus on
+VyOS-P1/VyOS-P2/XRv-P3 which we share the settings.
+
+
+Configuration
+=============
+
+- VyOS-P1:
+
+.. code-block:: none
+
+ set interfaces dummy dum0 address '192.0.2.1/32'
+ set interfaces ethernet eth1 address '192.0.2.5/30'
+ set interfaces ethernet eth1 mtu '8000'
+ set interfaces ethernet eth3 address '192.0.2.21/30'
+ set interfaces ethernet eth3 mtu '8000'
+ set protocols isis interface dum0 passive
+ set protocols isis interface eth1 network point-to-point
+ set protocols isis interface eth3 network point-to-point
+ set protocols isis level 'level-2'
+ set protocols isis log-adjacency-changes
+ set protocols isis metric-style 'wide'
+ set protocols isis net '49.0000.0000.0000.0001.00'
+ set protocols isis segment-routing maximum-label-depth '8'
+ set protocols isis segment-routing prefix 192.0.2.1/32 index value '1'
+ set protocols mpls interface 'eth1'
+ set protocols mpls interface 'eth3'
+ set system host-name 'P1-VyOS'
+
+- XRv-P3:
+
+.. code-block:: none
+
+ hostname P3-VyOS
+ interface Loopback0
+ ipv4 address 192.0.2.3 255.255.255.255
+ !
+ interface GigabitEthernet0/0/0/1
+ mtu 8014
+ ipv4 address 192.0.2.6 255.255.255.252
+ !
+ interface GigabitEthernet0/0/0/2
+ mtu 8014
+ ipv4 address 192.0.2.18 255.255.255.252
+ !
+ router isis VyOS
+ is-type level-2-only
+ net 49.0000.0000.0000.0003.00
+ log adjacency changes
+ address-family ipv4 unicast
+ metric-style wide
+ segment-routing mpls
+ !
+ interface Loopback0
+ passive
+ address-family ipv4 unicast
+ prefix-sid index 3
+ !
+ !
+ interface GigabitEthernet0/0/0/1
+ point-to-point
+ address-family ipv4 unicast
+ !
+ !
+ interface GigabitEthernet0/0/0/2
+ point-to-point
+ address-family ipv4 unicast
+ !
+ !
+ !
+
+- VyOS-P2:
+
+.. code-block:: none
+
+ set interfaces dummy dum0 address '192.0.2.2/32'
+ set interfaces ethernet eth2 address '192.0.2.17/30'
+ set interfaces ethernet eth2 mtu '8000'
+ set interfaces ethernet eth3 address '192.0.2.26/30'
+ set interfaces ethernet eth3 mtu '8000'
+ set protocols isis interface dum0 passive
+ set protocols isis interface eth2 network point-to-point
+ set protocols isis interface eth3 network point-to-point
+ set protocols isis level 'level-2'
+ set protocols isis log-adjacency-changes
+ set protocols isis metric-style 'wide'
+ set protocols isis net '49.0000.0000.0000.0002.00'
+ set protocols isis segment-routing maximum-label-depth '8'
+ set protocols isis segment-routing prefix 192.0.2.2/32 index value '2'
+ set protocols mpls interface 'eth2'
+ set protocols mpls interface 'eth3'
+ set system host-name 'P2-VyOS'
+
+This gives us MPLS segment routing enabled and labels forwarding :
+
+.. code-block:: none
+
+ vyos@P1-VyOS:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ -----------------------------------------------------------------
+ 15000 SR (IS-IS) 192.0.2.6 implicit-null
+ 15001 SR (IS-IS) 192.0.2.22 implicit-null
+ 15002 SR (IS-IS) fe80::5200:ff:fe04:3 implicit-null
+ 16002 SR (IS-IS) 192.0.2.6 16002
+ 16003 SR (IS-IS) 192.0.2.6 implicit-null
+ 16011 SR (IS-IS) 192.0.2.22 implicit-null
+
+ vyos@P2-VyOS:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ -------------------------------------------------------
+ 15000 SR (IS-IS) 192.0.2.18 implicit-null
+ 16001 SR (IS-IS) 192.0.2.18 16001
+ 16003 SR (IS-IS) 192.0.2.18 implicit-null
+ 16011 SR (IS-IS) 192.0.2.18 16011
+
+ RP/0/0/CPU0:P3-VyOS#show mpls forwarding
+ Tue Mar 28 17:47:18.928 UTC
+ Local Outgoing Prefix Outgoing Next Hop Bytes
+ Label Label or ID Interface Switched
+ ------ ----------- ------------------ ------------ --------------- ------------
+ 16001 Pop SR Pfx (idx 1) Gi0/0/0/1 192.0.2.5 0
+ 16002 Pop SR Pfx (idx 2) Gi0/0/0/2 192.0.2.17 0
+ 16011 16011 SR Pfx (idx 11) Gi0/0/0/1 192.0.2.5 0
+ 24000 Pop SR Adj (idx 1) Gi0/0/0/1 192.0.2.5 0
+ 24001 Pop SR Adj (idx 3) Gi0/0/0/1 192.0.2.5 0
+ 24002 Pop SR Adj (idx 1) Gi0/0/0/2 192.0.2.17 0
+ 24003 Pop SR Adj (idx 3) Gi0/0/0/2 192.0.2.17 0
+
+
+VyOS is able to check MSD per devices:
+
+.. code-block:: none
+
+ vyos@P1-VyOS:~$ show isis segment-routing node
+ Area VyOS:
+ IS-IS L1 SR-Nodes:
+
+ IS-IS L2 SR-Nodes:
+
+ System ID SRGB SRLB Algorithm MSD
+ ---------------------------------------------------------------
+ 0000.0000.0001 16000 - 23999 15000 - 15999 SPF 8
+ 0000.0000.0002 16000 - 23999 15000 - 15999 SPF 8
+ 0000.0000.0003 16000 - 23999 0 - 4294967295 SPF 10
+ 0000.0000.0011 16000 - 23999 15000 - 15999 SPF 8
+
+ vyos@P2-VyOS:~$ show isis segment-routing node
+ Area VyOS:
+ IS-IS L1 SR-Nodes:
+
+ IS-IS L2 SR-Nodes:
+
+ System ID SRGB SRLB Algorithm MSD
+ ---------------------------------------------------------------
+ 0000.0000.0001 16000 - 23999 15000 - 15999 SPF 8
+ 0000.0000.0002 16000 - 23999 15000 - 15999 SPF 8
+ 0000.0000.0003 16000 - 23999 0 - 4294967295 SPF 10
+ 0000.0000.0011 16000 - 23999 15000 - 15999 SPF 8
+
+Here is the routing tables showing the MPLS segment routing label operations:
+
+.. code-block:: none
+
+ vyos@P1-VyOS:~$ show ip route isis
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ I>* 192.0.2.2/32 [115/30] via 192.0.2.6, eth1, label 16002, weight 1, 1d03h18m
+ I>* 192.0.2.3/32 [115/10] via 192.0.2.6, eth1, label implicit-null, weight 1, 1d03h18m
+ I 192.0.2.4/30 [115/20] via 192.0.2.6, eth1 inactive, weight 1, 1d03h18m
+ I>* 192.0.2.11/32 [115/20] via 192.0.2.22, eth3, label implicit-null, weight 1, 1d02h47m
+ I>* 192.0.2.16/30 [115/20] via 192.0.2.6, eth1, weight 1, 1d03h18m
+ I 192.0.2.20/30 [115/20] via 192.0.2.22, eth3 inactive, weight 1, 1d02h48m
+ I>* 192.0.2.24/30 [115/30] via 192.0.2.6, eth1, weight 1, 1d03h18m
+
+
+ vyos@P2-VyOS:~$ show ip route isis
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ I>* 192.0.2.1/32 [115/30] via 192.0.2.18, eth2, label 16001, weight 1, 1d03h17m
+ I>* 192.0.2.3/32 [115/10] via 192.0.2.18, eth2, label implicit-null, weight 1, 1d03h17m
+ I>* 192.0.2.4/30 [115/20] via 192.0.2.18, eth2, weight 1, 1d03h17m
+ I>* 192.0.2.11/32 [115/40] via 192.0.2.18, eth2, label 16011, weight 1, 1d02h47m
+ I 192.0.2.16/30 [115/20] via 192.0.2.18, eth2 inactive, weight 1, 1d03h17m
+ I>* 192.0.2.20/30 [115/30] via 192.0.2.18, eth2, weight 1, 1d03h17m
+
+ RP/0/0/CPU0:P3-VyOS#show route isis
+ Tue Mar 28 18:19:16.417 UTC
+
+ i L2 192.0.2.1/32 [115/20] via 192.0.2.5, 1d03h, GigabitEthernet0/0/0/1
+ i L2 192.0.2.2/32 [115/20] via 192.0.2.17, 1d03h, GigabitEthernet0/0/0/2
+ i L2 192.0.2.11/32 [115/30] via 192.0.2.5, 1d02h, GigabitEthernet0/0/0/1
+ i L2 192.0.2.20/30 [115/20] via 192.0.2.5, 1d03h, GigabitEthernet0/0/0/1
+ i L2 192.0.2.24/30 [115/20] via 192.0.2.17, 1d03h, GigabitEthernet0/0/0/2
+
+Information about prefix-sid and label-operation from VyOS
+
+.. code-block:: none
+
+ vyos@P1-VyOS:~$ show isis route prefix-sid
+ Area VyOS:
+ IS-IS L2 IPv4 routing table:
+
+ Prefix Metric Interface Nexthop SID Label Op.
+ ----------------------------------------------------------------------
+ 192.0.2.1/32 0 - - - -
+ 192.0.2.2/32 30 eth1 192.0.2.6 2 Swap(16002, 16002)
+ 192.0.2.3/32 10 eth1 192.0.2.6 3 Pop(16003)
+ 192.0.2.4/30 20 eth1 192.0.2.6 - -
+ 192.0.2.16/30 20 eth1 192.0.2.6 - -
+ 192.0.2.20/30 0 - - - -
+ 192.0.2.24/30 30 eth1 192.0.2.6 - -
+
+ vyos@P2-VyOS:~$ show isis route prefix-sid
+ Area VyOS:
+ IS-IS L2 IPv4 routing table:
+
+ Prefix Metric Interface Nexthop SID Label Op.
+ -----------------------------------------------------------------------
+ 192.0.2.1/32 30 eth2 192.0.2.18 1 Swap(16001, 16001)
+ 192.0.2.2/32 0 - - - -
+ 192.0.2.3/32 10 eth2 192.0.2.18 3 Pop(16003)
+ 192.0.2.4/30 20 eth2 192.0.2.18 - -
+ 192.0.2.16/30 20 eth2 192.0.2.18 - -
+ 192.0.2.20/30 30 eth2 192.0.2.18 - -
+ 192.0.2.24/30 0 - - - -
+
+Ping between VyOS-P1 / VyOS-P2 to confirm reachability:
+
+.. code-block:: none
+
+ vyos@P1-VyOS:~$ ping 192.0.2.2 source-address 192.0.2.1
+ PING 192.0.2.2 (192.0.2.2) from 192.0.2.1 : 56(84) bytes of data.
+ 64 bytes from 192.0.2.2: icmp_seq=1 ttl=63 time=3.47 ms
+ 64 bytes from 192.0.2.2: icmp_seq=2 ttl=63 time=2.06 ms
+ 64 bytes from 192.0.2.2: icmp_seq=3 ttl=63 time=3.90 ms
+ 64 bytes from 192.0.2.2: icmp_seq=4 ttl=63 time=3.87 ms
+ ^C
+ --- 192.0.2.2 ping statistics ---
+ 4 packets transmitted, 4 received, 0% packet loss, time 3004ms
+ rtt min/avg/max/mdev = 2.064/3.326/3.903/0.748 ms
+
+ vyos@P2-VyOS:~$ ping 192.0.2.1 source-address 192.0.2.2
+ PING 192.0.2.1 (192.0.2.1) from 192.0.2.2 : 56(84) bytes of data.
+ 64 bytes from 192.0.2.1: icmp_seq=1 ttl=63 time=2.91 ms
+ 64 bytes from 192.0.2.1: icmp_seq=2 ttl=63 time=3.23 ms
+ 64 bytes from 192.0.2.1: icmp_seq=3 ttl=63 time=2.91 ms
+ 64 bytes from 192.0.2.1: icmp_seq=4 ttl=63 time=2.85 ms
+ ^C
+ --- 192.0.2.1 ping statistics ---
+ 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
+ rtt min/avg/max/mdev = 2.846/2.972/3.231/0.151 ms \ No newline at end of file
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 68688b25..737e98fa 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -939,8 +939,7 @@ IBGP (called confederation BGP). Confederation mechanism is described in
of the autonomous system that internally includes multiple sub-autonomous
systems (a confederation).
-.. cfgcmd:: set protocols bgp parameters confederation confederation
- peers <nsubasn>
+.. cfgcmd:: set protocols bgp parameters confederation peers <nsubasn>
This command sets other confederations <nsubasn> as members of autonomous
system specified by :cfgcmd:`confederation identifier <asn>`.
diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst
index 682390d5..29dc230f 100644
--- a/docs/configuration/protocols/index.rst
+++ b/docs/configuration/protocols/index.rst
@@ -14,6 +14,7 @@ Protocols
igmp
isis
mpls
+ segment-routing
ospf
rip
rpki
diff --git a/docs/configuration/protocols/segment-routing.rst b/docs/configuration/protocols/segment-routing.rst
new file mode 100644
index 00000000..5ee710e9
--- /dev/null
+++ b/docs/configuration/protocols/segment-routing.rst
@@ -0,0 +1,357 @@
+.. _segment-routing:
+
+###############
+Segment Routing
+###############
+
+Segment Routing (SR) is a network architecture that is similar to source-routing
+. In this architecture, the ingress router adds a list of segments, known as
+SIDs, to the packet as it enters the network. These segments represent different
+portions of the network path that the packet will take.
+
+The SR segments are portions of the network path taken by the packet, and are
+called SIDs. At each node, the first SID of the list is read, executed as a
+forwarding function, and may be popped to let the next node read the next SID of
+the list. The SID list completely determines the path where the packet is
+forwarded.
+
+Segment Routing can be applied to an existing MPLS-based data plane and defines
+a control plane network architecture. In MPLS networks, segments are encoded as
+MPLS labels and are added at the ingress router. These MPLS labels are then
+exchanged and populated by Interior Gateway Protocols (IGPs) like IS-IS or OSPF
+which are running on most ISPs.
+
+
+.. note:: Segment routing defines a control plane network architecture and
+ can be applied to an existing MPLS based dataplane. In the MPLS networks,
+ segments are encoded as MPLS labels and are imposed at the ingress router.
+ MPLS labels are exchanged and populated by IGPs like IS-IS.Segment Routing
+ as per RFC8667 for MPLS dataplane. It supports IPv4, IPv6 and ECMP and has
+ been tested against Cisco & Juniper routers.however,this deployment is still
+ EXPERIMENTAL for FRR.
+
+
+IS-IS SR Configuration
+----------------------
+
+Segment routing (SR) is used by the IGP protocols to interconnect network
+devices, below configuration shows how to enable SR on IS-IS:
+
+
+.. note:: ``Known limitations:``
+
+ No support for level redistribution (L1 to L2 or L2 to L1)
+
+ No support for binding SID
+
+ No support for SRLB
+
+ Only one SRGB and default SPF Algorithm is supported
+
+
+
+.. cfgcmd:: set protocols isis segment-routing global-block high-label-value
+ <label-value>
+
+ Set the Segment Routing Global Block i.e. the label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.
+
+.. cfgcmd:: set protocols isis segment-routing global-block low-label-value
+ <label-value>
+
+ Set the Segment Routing Global Block i.e. the low label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.
+
+.. cfgcmd:: set protocols isis segment-routing local-block high-label-value
+ <label-value>
+
+ Set the Segment Routing Local Block i.e. the label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.Segment Routing Local Block, The negative command always
+ unsets both.
+
+.. cfgcmd:: set protocols isis segment-routing local-block <low-label-value
+ <label-value>
+
+ Set the Segment Routing Local Block i.e. the low label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.Segment Routing Local Block, The negative command always
+ unsets both.
+
+.. cfgcmd:: set protocols isis segment-routing maximum-label-depth <1-16>
+
+ Set the Maximum Stack Depth supported by the router. The value depend of
+ the MPLS dataplane.
+
+.. cfgcmd:: set protocols isis segment-routing prefix <address> index value
+ <0-65535>
+
+ A segment ID that contains an IP address prefix calculated by an IGP in the
+ service provider core network. Prefix SIDs are globally unique, this value
+ indentify it
+
+.. cfgcmd:: set protocols isis segment-routing prefix <address> index
+ <no-php-flag | explicit-null| n-flag-clear>
+
+ this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO
+ Penultimate Hop Popping that allows SR node to request to its neighbor to
+ not pop the label. The ‘explicit-null’ flag allows SR node to request to its
+ neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’
+ option can be used to explicitly clear the Node flag that is set by default
+ for Prefix-SIDs associated to loopback addresses. This option is necessary
+ to configure Anycast-SIDs.
+
+
+.. opcmd:: show isis segment-routing node
+
+ Show detailed information about all learned Segment Routing Nodes
+
+.. opcmd:: show isis route prefix-sid
+
+ Show detailed information about prefix-sid and label learned
+
+.. note:: more information related IGP - :ref:`routing-isis`
+
+
+
+OSPF SR Configuration
+----------------------
+
+Segment routing (SR) is used by the IGP protocols to interconnect network
+devices, below configuration shows how to enable SR on OSPF:
+
+.. cfgcmd:: set protocols ospf parameters opaque-lsa
+
+ Enable the Opaque-LSA capability (rfc2370), necessary to transport label
+ on IGP
+
+
+.. cfgcmd:: set protocols ospf segment-routing global-block high-label-value
+ <label-value>
+
+ Set the Segment Routing Global Block i.e. the label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.
+
+.. cfgcmd:: set protocols ospf segment-routing global-block low-label-value
+ <label-value>
+
+ Set the Segment Routing Global Block i.e. the low label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.
+
+.. cfgcmd:: set protocols ospf segment-routing local-block high-label-value
+ <label-value>
+
+ Set the Segment Routing Local Block i.e. the label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.Segment Routing Local Block, The negative command always
+ unsets both.
+
+.. cfgcmd:: set protocols ospf segment-routing local-block <low-label-value
+ <label-value>
+
+ Set the Segment Routing Local Block i.e. the low label range used by MPLS to
+ store label in the MPLS FIB for Prefix SID. Note that the block size may
+ not exceed 65535.Segment Routing Local Block, The negative command always
+ unsets both.
+
+.. cfgcmd:: set protocols ospf segment-routing maximum-label-depth <1-16>
+
+ Set the Maximum Stack Depth supported by the router. The value depend of
+ the MPLS dataplane.
+
+.. cfgcmd:: set protocols ospf segment-routing prefix <address> index value
+ <0-65535>
+
+ A segment ID that contains an IP address prefix calculated by an IGP in the
+ service provider core network. Prefix SIDs are globally unique, this value
+ indentify it
+
+.. cfgcmd:: set protocols ospf segment-routing prefix <address> index
+ <no-php-flag | explicit-null| n-flag-clear>
+
+ this option allows to configure prefix-sid on SR. The ‘no-php-flag’ means NO
+ Penultimate Hop Popping that allows SR node to request to its neighbor to
+ not pop the label. The ‘explicit-null’ flag allows SR node to request to its
+ neighbor to send IP packet with the EXPLICIT-NULL label. The ‘n-flag-clear’
+ option can be used to explicitly clear the Node flag that is set by default
+ for Prefix-SIDs associated to loopback addresses. This option is necessary
+ to configure Anycast-SIDs.
+
+.. note:: more information related IGP - :ref:`routing-ospf`
+
+Configuration Example
+---------------------
+
+we described the configuration SR ISIS / SR OSPF using 2 connected with them to
+share label information.
+
+Enable IS-IS with Segment Routing (Experimental)
+================================================
+
+**Node 1:**
+
+.. code-block:: none
+
+ set interfaces loopback lo address '192.168.255.255/32'
+ set interfaces ethernet eth1 address '192.0.2.1/24'
+
+ set protocols isis interface eth1
+ set protocols isis interface lo
+ set protocols isis net '49.0001.1921.6825.5255.00'
+ set protocols isis segment-routing global-block high-label-value '599'
+ set protocols isis segment-routing global-block low-label-value '550'
+ set protocols isis segment-routing prefix 192.168.255.255/32 index value '1'
+ set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null
+ set protocols mpls interface 'eth1'
+
+**Node 2:**
+
+.. code-block:: none
+
+ set interfaces loopback lo address '192.168.255.254/32'
+ set interfaces ethernet eth1 address '192.0.2.2/24'
+
+ set protocols isis interface eth1
+ set protocols isis interface lo
+ set protocols isis net '49.0001.1921.6825.5254.00'
+ set protocols isis segment-routing global-block high-label-value '599'
+ set protocols isis segment-routing global-block low-label-value '550'
+ set protocols isis segment-routing prefix 192.168.255.254/32 index value '2'
+ set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null
+ set protocols mpls interface 'eth1'
+
+
+
+This gives us MPLS segment routing enabled and labels for far end loopbacks:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ ----------------------------------------------------------------------
+ 552 SR (IS-IS) 192.0.2.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1
+ 15000 SR (IS-IS) 192.0.2.2 implicit-null
+ 15001 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null
+ 15002 SR (IS-IS) 192.0.2.2 implicit-null
+ 15003 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null
+
+ Node-2@vyos:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ ---------------------------------------------------------------------
+ 551 SR (IS-IS) 192.0.2.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2
+ 15000 SR (IS-IS) 192.0.2.1 implicit-null
+ 15001 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null
+ 15002 SR (IS-IS) 192.0.2.1 implicit-null
+ 15003 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null
+
+Here is the routing tables showing the MPLS segment routing label operations:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show ip route isis
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48
+ I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39
+
+ Node-2@vyos:~$ show ip route isis
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46
+ I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43
+
+
+Enable OSPF with Segment Routing (Experimental):
+================================================
+
+**Node 1**
+
+.. code-block:: none
+
+ set interfaces loopback lo address 10.1.1.1/32
+ set interfaces ethernet eth0 address 192.168.0.1/24
+ set protocols ospf area 0 network '192.168.0.0/24'
+ set protocols ospf area 0 network '10.1.1.1/32'
+ set protocols ospf parameters opaque-lsa
+ set protocols ospf parameters router-id '10.1.1.1'
+ set protocols ospf segment-routing global-block high-label-value '1100'
+ set protocols ospf segment-routing global-block low-label-value '1000'
+ set protocols ospf segment-routing prefix 10.1.1.1/32 index explicit-null
+ set protocols ospf segment-routing prefix 10.1.1.1/32 index value '1'
+
+**Node 2**
+
+.. code-block:: none
+
+ set interfaces loopback lo address 10.1.1.2/32
+ set interfaces ethernet eth0 address 192.168.0.2/24
+ set protocols ospf area 0 network '192.168.0.0/24'
+ set protocols ospf area 0 network '10.1.1.2/32'
+ set protocols ospf parameters opaque-lsa
+ set protocols ospf parameters router-id '10.1.1.2'
+ set protocols ospf segment-routing global-block high-label-value '1100'
+ set protocols ospf segment-routing global-block low-label-value '1000'
+ set protocols ospf segment-routing prefix 10.1.1.2/32 index explicit-null
+ set protocols ospf segment-routing prefix 10.1.1.2/32 index value '2'
+
+
+This gives us MPLS segment routing enabled and labels for far end loopbacks:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ -----------------------------------------------------------
+ 1002 SR (OSPF) 192.168.0.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1
+ 15000 SR (OSPF) 192.168.0.2 implicit-null
+ 15001 SR (OSPF) 192.168.0.2 implicit-null
+
+ Node-2@vyos:~$ show mpls table
+ Inbound Label Type Nexthop Outbound Label
+ -----------------------------------------------------------
+ 1001 SR (OSPF) 192.168.0.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2
+ 15000 SR (OSPF) 192.168.0.1 implicit-null
+ 15001 SR (OSPF) 192.168.0.1 implicit-null
+
+Here is the routing tables showing the MPLS segment routing label operations:
+
+.. code-block:: none
+
+ Node-1@vyos:~$ show ip route ospf
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ O 10.1.1.1/32 [110/0] is directly connected, lo, weight 1, 00:03:43
+ O>* 10.1.1.2/32 [110/1] via 192.168.0.2, eth0, label IPv4 Explicit Null, weight 1, 00:03:32
+ O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:43
+
+ Node-2@vyos:~$ show ip route ospf
+ Codes: K - kernel route, C - connected, S - static, R - RIP,
+ O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ O>* 10.1.1.1/32 [110/1] via 192.168.0.1, eth0, label IPv4 Explicit Null, weight 1, 00:03:36
+ O 10.1.1.2/32 [110/0] is directly connected, lo, weight 1, 00:03:51
+ O 192.168.0.0/24 [110/1] is directly connected, eth0, weight 1, 00:03:51
+