From dbddfe85adaa70552607b38706b39238b465ac4e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 23 Jul 2021 11:17:55 -0300 Subject: Index file updated and splitted into new files. Indent and lenght on every file was verified --- docs/configuration/policy/access-list.rst | 77 ++ docs/configuration/policy/bgp-policies.rst | 124 ++++ docs/configuration/policy/examples.rst | 180 +++++ docs/configuration/policy/index.rst | 1085 +--------------------------- docs/configuration/policy/local-route.rst | 20 + docs/configuration/policy/prefix-list.rst | 87 +++ docs/configuration/policy/route-map.rst | 262 +++++++ docs/configuration/policy/route.rst | 428 +++++++++++ 8 files changed, 1213 insertions(+), 1050 deletions(-) create mode 100644 docs/configuration/policy/access-list.rst create mode 100644 docs/configuration/policy/bgp-policies.rst create mode 100644 docs/configuration/policy/examples.rst create mode 100644 docs/configuration/policy/local-route.rst create mode 100644 docs/configuration/policy/prefix-list.rst create mode 100644 docs/configuration/policy/route-map.rst create mode 100644 docs/configuration/policy/route.rst (limited to 'docs') diff --git a/docs/configuration/policy/access-list.rst b/docs/configuration/policy/access-list.rst new file mode 100644 index 00000000..41c35986 --- /dev/null +++ b/docs/configuration/policy/access-list.rst @@ -0,0 +1,77 @@ +################## +Access List Policy +################## + +Filtering is used for both input and output of the routing information. Once +filtering is defined, it can be applied in any direction. VyOS makes filtering +possible using acls and prefix lists. + +Basic filtering can be done using access-list and access-list6. + +************* +Configuration +************* + +Access Lists +============ + +.. cfgcmd:: set policy access-list + + This command creates the new access list policy, where must be + a number from 1 to 2699. + +.. cfgcmd:: set policy access-list description + + Set description for the access list. + +.. cfgcmd:: set policy access-list rule <1-65535> action + + + This command creates a new rule in the access list and defines an action. + +.. cfgcmd:: set policy access-list rule <1-65535> + + + This command defines matching parameters for access list rule. Matching + criteria could be applied to destinarion or source parameters: + + * any: any IP address to match. + * host: single host IP address to match. + * inverse-match: network/netmask to match (requires network be defined). + * network: network/netmask to match (requires inverse-match be defined). + +IPv6 Access List +================ + +Basic filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy access-list6 + + This command creates the new IPv6 access list, identified by + +.. cfgcmd:: set policy access-list6 description + + Set description for the IPv6 access list. + +.. cfgcmd:: set policy access-list6 rule <1-65535> action + + This command creates a new rule in the IPv6 access list and defines an + action. + +.. cfgcmd:: set policy access-list6 rule <1-65535> source + + + This command defines matching parameters for IPv6 access list rule. Matching + criteria could be applied to source parameters: + + * any: any IPv6 address to match. + * exact-match: exact match of the network prefixes. + * network: network/netmask to match (requires inverse-match be defined) BUG, + NO invert-match option in access-list6 + + +******** +Examples +******** + +Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/bgp-policies.rst b/docs/configuration/policy/bgp-policies.rst new file mode 100644 index 00000000..72b612cb --- /dev/null +++ b/docs/configuration/policy/bgp-policies.rst @@ -0,0 +1,124 @@ +#################### +BGP Related Policies +#################### + +VyOS provides policies commands exclusively for BGP traffic filtering and +manipulation. In this section, all those commands are covered. + +************* +Configuration +************* + +policy as-path-list +=================== + +.. cfgcmd:: set policy as-path-list + + Create as-path-policy identified by name . + +.. cfgcmd:: set policy as-path-list description + + Set description for as-path-list policy. + +.. cfgcmd:: set policy as-path-list rule <1-65535> action + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> description + + Set description for rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> regex + + Regular expression to match against an AS path. For example "64501 64502". + + +policy community-list +===================== + +.. cfgcmd:: set policy community-list + + Creat community-list policy identified by name . + +.. cfgcmd:: set policy community-list description + + Set description for community-list policy. + +.. cfgcmd:: set policy community-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy community-list rule <1-65535> description + + Set description for rule. + +.. cfgcmd:: set policy community-list rule <1-65535> regex + + + Regular expression to match against a community-list. + + +policy extcommunity-list +======================== + +.. cfgcmd:: set policy extcommunity-list + + Creat extcommunity-list policy identified by name . + +.. cfgcmd:: set policy extcommunity-list description + + Set description for extcommunity-list policy. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> description + + + Set description for rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> regex + + Regular expression to match against an extended community list, where text + could be: + + * : Extended community list regular expression. + * : Route Target regular expression. + * : Site of Origin regular expression. + + +policy large-community-list +=========================== + +.. cfgcmd:: set policy large-community-list + + Creat large-community-list policy identified by name . + +.. cfgcmd:: set policy large-community-list description + + Set description for large-community-list policy. + +.. cfgcmd:: set policy large-community-list rule <1-65535> action + + + Set action to take on entries matching this rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> description + + + Set description for rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> regex + + + Regular expression to match against a large community list. + + +******** +Examples +******** + +Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst new file mode 100644 index 00000000..88715a0a --- /dev/null +++ b/docs/configuration/policy/examples.rst @@ -0,0 +1,180 @@ +BGP Example +=========== + +**Policy definition:** + +.. code-block:: none + + # Create policy + set policy route-map setmet rule 2 action 'permit' + set policy route-map setmet rule 2 set as-path-prepend '2 2 2' + + # Apply policy to BGP + set protocols bgp local-as 1 + set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' + set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' + +Using 'soft-reconfiguration' we get the policy update without bouncing the +neighbor. + +**Routes learned before routing policy applied:** + +.. code-block:: none + + vyos@vos1:~$ show ip bgp + BGP table version is 0, local router ID is 192.168.56.101 + Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, + r RIB-failure, S Stale, R Removed + Origin codes: i - IGP, e - EGP, ? - incomplete + + Network Next Hop Metric LocPrf Weight Path + *> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path + + Total number of prefixes 1 + +**Routes learned after routing policy applied:** + +.. code-block:: none + + vyos@vos1:~$ show ip bgp + BGP table version is 0, local router ID is 192.168.56.101 + Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, + r RIB-failure, S Stale, R Removed + Origin codes: i - IGP, e - EGP, ? - incomplete + + Network Next Hop Metric LocPrf Weight Path + *> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i + + Total number of prefixes 1 + vyos@vos1:~$ + +You now see the longer AS path. + + +Transparent Proxy +================= + +The following example will show how VyOS can be used to redirect web +traffic to an external transparent proxy: + +.. code-block:: none + + set policy route FILTER-WEB rule 1000 destination port 80 + set policy route FILTER-WEB rule 1000 protocol tcp + set policy route FILTER-WEB rule 1000 set table 100 + +This creates a route policy called FILTER-WEB with one rule to set the +routing table for matching traffic (TCP port 80) to table ID 100 +instead of the default routing table. + +To create routing table 100 and add a new default gateway to be used by +traffic matching our route policy: + +.. code-block:: none + + set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 + +This can be confirmed using the ``show ip route table 100`` operational +command. + +Finally, to apply the policy route to ingress traffic on our LAN +interface, we use: + +.. code-block:: none + + set interfaces ethernet eth1 policy route FILTER-WEB + + +Multiple Uplinks +================ + +VyOS Policy-Based Routing (PBR) works by matching source IP address +ranges and forwarding the traffic using different routing tables. + +Routing tables that will be used in this example are: + +* ``table 10`` Routing table used for VLAN 10 (192.168.188.0/24) +* ``table 11`` Routing table used for VLAN 11 (192.168.189.0/24) +* ``main`` Routing table used by VyOS and other interfaces not + participating in PBR + +.. figure:: /_static/images/pbr_example_1.png + :scale: 80 % + :alt: PBR multiple uplinks + + Policy-Based Routing with multiple ISP uplinks + (source ./draw.io/pbr_example_1.drawio) + +Add default routes for routing ``table 10`` and ``table 11`` + +.. code-block:: none + + set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.2.1 + set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 + +Add policy route matching VLAN source addresses + +.. code-block:: none + + set policy route PBR rule 20 set table '10' + set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' + set policy route PBR rule 20 source address '192.168.188.0/24' + + set policy route PBR rule 30 set table '11' + set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' + set policy route PBR rule 30 source address '192.168.189.0/24' + +Apply routing policy to **inbound** direction of out VLAN interfaces + +.. code-block:: none + + set interfaces ethernet eth0 vif 10 policy route 'PBR' + set interfaces ethernet eth0 vif 11 policy route 'PBR' + + +**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) +from PBR + +.. code-block:: none + + set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' + set policy route PBR rule 10 destination address '192.168.188.0/24' + set policy route PBR rule 10 destination address '192.168.189.0/24' + set policy route PBR rule 10 set table 'main' + +These commands allow the VLAN10 and VLAN20 hosts to communicate with +each other using the main routing table. + +Local route +----------- + +The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` +for traffic, which originated from the router itself. That solution for multiple +ISP's and VyOS router will respond from the same interface that the packet was +received. Also, it used, if we want that one VPN tunnel to be through one +provider, and the second through another. + +* ``203.0.113.254`` IP addreess on VyOS eth1 from ISP1 +* ``192.168.2.254`` IP addreess on VyOS eth2 from ISP2 +* ``table 10`` Routing table used for ISP1 +* ``table 11`` Routing table used for ISP2 + + +.. code-block:: none + + set policy local-route rule 101 set table '10' + set policy local-route rule 101 source '203.0.113.254' + set policy local-route rule 102 set table '11' + set policy local-route rule 102 source '192.0.2.254' + set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1' + set protocols static table 11 route 0.0.0.0/0 next-hop '192.0.2.2' + +Add multiple source IP in one rule with same priority + +.. code-block:: none + + set policy local-route rule 101 set table '10' + set policy local-route rule 101 source '203.0.113.254' + set policy local-route rule 101 source '203.0.113.253' + set policy local-route rule 101 source '198.51.100.0/24' + diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst index 84b41ed6..fc1c1366 100644 --- a/docs/configuration/policy/index.rst +++ b/docs/configuration/policy/index.rst @@ -6,1061 +6,46 @@ Policy ###### -Policies are used for filtering and traffic management. With policies, network administrators could filter and treat traffic +Policies are used for filtering and traffic management. With policies, network +administrators could filter and treat traffic according to their needs. -There could be a wide range of routing policies. Some examples are listed below: +There could be a wide range of routing policies. Some examples are listed +below: * Filter traffic based on source/destination address. * Set some metric to routes learned from a particular neighbor. -* Set some attributes (like AS PATH or Community value) to advertised routes to neighbors. -* Prefer a specific routing protocol routes over another routing protocol running on the same router. - -Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed information of FRR could be found in http://docs.frrouting.org/ - -************* -Configuration -************* - -.. _policy-filter: - -Filter -====== - -Filtering is used for both input and output of the routing information. Once filtering is defined, it can be applied in -any direction. -VyOS makes filtering possible using acls and prefix lists. - -policy access-list ------------------- - -Basic filtering could be done by access-list. - -.. cfgcmd:: set policy access-list - -This command creates the new access list policy, where must be a number from 1 to 2699. - -.. cfgcmd:: set policy access-list description - -Set description for the access list. - -.. cfgcmd:: set policy access-list rule <1-65535> action - -This command creates a new rule in the access list and defines an action. - -.. cfgcmd:: set policy access-list rule <1-65535> - -This command defines matching parameters for access list rule. Matching criteria could be applied to destinarion or source -parameters: - -* any: any IP address to match. -* host: single host IP address to match. -* inverse-match: network/netmask to match (requires network be defined). -* network: network/netmask to match (requires inverse-match be defined). - -policy access-list6 -------------------- - -Basic filtering could also be applied to IPv6 traffic. - -.. cfgcmd:: set policy access-list6 - -This command creates the new IPv6 access list, identified by - -.. cfgcmd:: set policy access-list6 description - -Set description for the IPv6 access list. - -.. cfgcmd:: set policy access-list6 rule <1-65535> action - -This command creates a new rule in the IPv6 access list and defines an action. - -.. cfgcmd:: set policy access-list6 rule <1-65535> source - -This command defines matching parameters for IPv6 access list rule. Matching criteria could be applied to source parameters: - -* any: any IPv6 address to match. -* exact-match: exact match of the network prefixes. -* network: network/netmask to match (requires inverse-match be defined) BUG, NO inver-match option in access-list6 - -policy prefix-list ------------------- - -Prefix lists provides the most powerful prefix based filtering mechanism. In addition to access-list functionality, -ip prefix-list has prefix length range specification. - -If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found, -default deny is applied. - -.. cfgcmd:: set policy prefix-list - -This command creates the new prefix-list policy, identified by . - -.. cfgcmd:: set policy prefix-list description - -Set description for the prefix-list policy. - -.. cfgcmd:: set policy prefix-list rule <1-65535> action - -This command creates a new rule in the prefix-list and defines an action. - -.. cfgcmd:: set policy prefix-list rule <1-65535> description - -Set description for rule in the prefix-list. - -.. cfgcmd:: set policy prefix-list rule <1-65535> prefix - -Prefix to match against. - -.. cfgcmd:: set policy prefix-list rule <1-65535> ge <0-32> - -Netmask greater than length. - -.. cfgcmd:: set policy prefix-list rule <1-65535> le <0-32> - -Netmask less than lenght - -policy prefix-list6 -------------------- - -Prefix list filtering could also be applied to IPv6 traffic. - -.. cfgcmd:: set policy prefix-list6 - -This command creates the new IPv6 prefix-list policy, identified by . - -.. cfgcmd:: set policy prefix-list6 description - -Set description for the IPv6 prefix-list policy. - -.. cfgcmd:: set policy prefix-list6 rule <1-65535> action - -This command creates a new rule in the IPv6 prefix-list and defines an action. - -.. cfgcmd:: set policy prefix-list6 rule <1-65535> description - -Set description for rule in IPv6 prefix-list. - -.. cfgcmd:: set policy prefix-list6 rule <1-65535> prefix - -IPv6 prefix. - -.. cfgcmd:: set policy prefix-list6 rule <1-65535> ge <0-128> - -Netmask greater than length. - -.. cfgcmd:: set policy prefix-list6 rule <1-65535> le <0-128> - -Netmask less than lenght - -Route -====== - -Route policies are defined in this section. This route policies can then be associated to interfaces. - -policy route ------------- - -.. cfgcmd:: set policy route - -This command creates a new route policy, identified by . - -.. cfgcmd:: set policy route description - -Set description for the route policy. - -.. cfgcmd:: set policy route enable-default-log - -Option to log packets hitting default-action. - -.. cfgcmd:: set policy route rule <1-9999> description - -Set description for rule in route policy. - -.. cfgcmd:: set policy route rule <1-9999> action drop - -Set rule action to drop. - -.. cfgcmd:: set policy route rule <1-9999> destination address - -Set match criteria based on destination address, where could be: - -* : IP address to match. -* : Subnet to match. -* -: IP range to match. -* !: Match everything except the specified address. -* !: Match everything except the specified subnet. -* !-: Match everything except the specified range. - -.. cfgcmd:: set policy route rule <1-9999> destination group - -Set destination match criteria based on groups, where would be the group name/identifier. - -.. cfgcmd:: set policy route rule <1-9999> destination port - -Set match criteria based on destination port, where could be: - -* : Named port (any name in /etc/services, e.g., http). -* <1-65535>: Numbered port. -* -: Numbered port range (e.g., 1001-1005). - -Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. -For example: '!22,telnet,http,123,1001-1005' - -.. cfgcmd:: set policy route rule <1-9999> disable - -Option to disable rule. - -.. cfgcmd:: set policy route rule <1-9999> fragment - -Set IP fragment match, where: - -* match-frag: Second and further fragments of fragmented packets. -* match-non-frag: Head fragments or unfragmented packets. - -.. cfgcmd:: set policy route rule <1-9999> icmp - -Set ICMP match criterias, based on code and/or types. Types could be referenced by number or by name. - -.. cfgcmd:: set policy route rule <1-9999> ipsec - -Set IPSec inbound match criterias, where: - -* match-ipsec: match inbound IPsec packets. -* match-none: match inbound non-IPsec packets. - -.. cfgcmd:: set policy route rule <1-9999> limit burst <0-4294967295> - -Set maximum number of packets to alow in excess of rate - -.. cfgcmd:: set policy route rule <1-9999> limit rate - -Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, -hour or day.For example 1/second implies rule to be matched at an average of once per second. - -.. cfgcmd:: set policy route rule <1-9999> log - -Option to enable or disable log matching rule. - -.. cfgcmd:: set policy route rule <1-9999> log - -Option to log matching rule. - -.. cfgcmd:: set policy route rule <1-9999> protocol - -Set protocol to match. Protocol name in /etc/protocols or protocol number, or "tcp_udp" or "all". -Also, protocol could be denied by using !. - -.. cfgcmd:: set policy route rule <1-9999> recent <1-255|0-4294967295> - -Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than -<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). - -.. cfgcmd:: set policy route rule <1-9999> set dscp <0-63> - -Set packet modifications: Packet Differentiated Services Codepoint (DSCP) - -.. cfgcmd:: set policy route rule <1-9999> set mark <1-2147483647> - -Set packet modifications: Packet marking - -.. cfgcmd:: set policy route rule <1-9999> set table - -Set packet modifications: Routing table to forward packet with. - -.. cfgcmd:: set policy route rule <1-9999> set tcp-mss <500-1460> - -Set packet modifications: Explicitly set TCP Maximum segment size value. - -.. cfgcmd:: set policy route rule <1-9999> source address - -Set match criteria based on source address, where could be: - -* : IP address to match. -* : Subnet to match. -* -: IP range to match. -* !: Match everything except the specified address. -* !: Match everything except the specified subnet. -* !-: Match everything except the specified range. - -.. cfgcmd:: set policy route rule <1-9999> source group - -Set source match criteria based on groups, where would be the group name/identifier. - -.. cfgcmd:: set policy route rule <1-9999> source port - -Set match criteria based on source port, where could be: - -* : Named port (any name in /etc/services, e.g., http). -* <1-65535>: Numbered port. -* -: Numbered port range (e.g., 1001-1005). - -Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. -For example: '!22,telnet,http,123,1001-1005' - -.. cfgcmd:: set policy route rule <1-9999> state - -Set match criteria based on session state. - -.. cfgcmd:: set policy route rule <1-9999> tcp flags - -Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. - -.. cfgcmd:: set policy route rule <1-9999> time monthdays - -Set monthdays to match rule on. Format for monthdays: 2,12,21. -To negate add ! at the front eg. !2,12,21 - -.. cfgcmd:: set policy route rule <1-9999> time startdate - -Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. - -.. cfgcmd:: set policy route rule <1-9999> time starttime - -Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. - -.. cfgcmd:: set policy route rule <1-9999> time stopdate - -Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. - -.. cfgcmd:: set policy route rule <1-9999> time stoptime - -Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. - -.. cfgcmd:: set policy route rule <1-9999> time utc - -Interpret times for startdate, stopdate, starttime and stoptime to be UTC. - -.. cfgcmd:: set policy route rule <1-9999> time weekdays - -Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. - - -policy ipv6-route ------------------ - -IPv6 route policies are defined in this section. This route policies can then be associated to interfaces. - -.. cfgcmd:: set policy ipv6-route - -This command creates a new IPv6 route policy, identified by . - -.. cfgcmd:: set policy ipv6-route description - -Set description for the IPv6 route policy. - -.. cfgcmd:: set policy ipv6-route enable-default-log - -Option to log packets hitting default-action. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> action drop - -Set rule action to drop. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> description - -Set description for rule in IPv6 route policy. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> destination address - -Set match criteria based on destination IPv6 address, where could be: - -* : IPv6 address to match. -* : IPv6 prefix to match. -* -: IPv6 range to match. -* !: Match everything except the specified address. -* !: Match everything except the specified prefix. -* !-: Match everything except the specified range. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> destination port - -Set match criteria based on destination port, where could be: - -* : Named port (any name in /etc/services, e.g., http). -* <1-65535>: Numbered port. -* -: Numbered port range (e.g., 1001-1005). - -Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. -For example: '!22,telnet,http,123,1001-1005' - -.. cfgcmd:: set policy ipv6-route rule <1-9999> disable - -Option to disable rule. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> icmpv6 type - -Set ICMPv6 match criterias, based on ICMPv6 type/code name. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> ipsec - -Set IPSec inbound match criterias, where: - -* match-ipsec: match inbound IPsec packets. -* match-none: match inbound non-IPsec packets. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> limit burst <0-4294967295> - -Set maximum number of packets to alow in excess of rate - -.. cfgcmd:: set policy ipv6-route rule <1-9999> limit rate - -Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, -hour or day.For example 1/second implies rule to be matched at an average of once per second. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> log - -Option to enable or disable log matching rule. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> log - -Option to log matching rule. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> protocol - -Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or protocol number, or "tcp_udp" or "all". -Also, protocol could be denied by using !. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> recent <1-255|0-4294967295> - -Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than -<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). - -.. cfgcmd:: set policy ipv6-route rule <1-9999> set dscp <0-63> - -Set packet modifications: Packet Differentiated Services Codepoint (DSCP) - -.. cfgcmd:: set policy ipv6-route rule <1-9999> set mark <1-2147483647> - -Set packet modifications: Packet marking. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> set table - -Set packet modifications: Routing table to forward packet with. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> set tcp-mss - -Set packet modifications: pmtu option automatically set to Path Maximum Transfer Unit minus 60 bytes. Otherwise, expliicitly -set TCP MSS value from 500 to 1460 - -.. cfgcmd:: set policy ipv6-route rule <1-9999> source address - -Set match criteria based on IPv6 source address, where could be: - -* : IPv6 address to match -* : IPv6 prefix to match -* -: IPv6 range to match -* !: Match everything except the specified address -* !: Match everything except the specified prefix -* !-: Match everything except the specified range - -.. cfgcmd:: set policy ipv6-route rule <1-9999> source mac-address - -Set source match criteria based on MAC address. Declare specific MAC address to match, or match everything except the specified MAC. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> source port - -Set match criteria based on source port, where could be: - -* : Named port (any name in /etc/services, e.g., http). -* <1-65535>: Numbered port. -* -: Numbered port range (e.g., 1001-1005). - -Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. -For example: '!22,telnet,http,123,1001-1005' - -.. cfgcmd:: set policy ipv6-route rule <1-9999> state - -Set match criteria based on session state. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> tcp flags - -Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time monthdays - -Set monthdays to match rule on. Format for monthdays: 2,12,21. -To negate add ! at the front eg. !2,12,21 - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time startdate - -Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time starttime - -Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time stopdate - -Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time stoptime - -Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time utc - -Interpret times for startdate, stopdate, starttime and stoptime to be UTC. - -.. cfgcmd:: set policy ipv6-route rule <1-9999> time weekdays - -Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. - - - -Route Map -========= - -Route map is a powerfull command, that gives network administrators a very useful and flexible tool for traffic manipulation. - -policy route-map ----------------- - -.. cfgcmd:: set policy route-map - -This command creates a new route-map policy, identified by . - -.. cfgcmd:: set policy route-map description - -Set description for the route-map policy. - -.. cfgcmd:: set policy route-map rule <1-65535> action - -Set action for the route-map policy. - -.. cfgcmd:: set policy route-map rule <1-65535> call - -Call another route-map policy on match. - -.. cfgcmd:: set policy route-map rule <1-65535> continue <1-65535> - -Jump to a different rule in this route-map on a match. - -.. cfgcmd:: set policy route-map rule <1-65535> description - -Set description for the rule in the route-map policy. - -.. cfgcmd:: set policy route-map rule <1-65535> match as-path - -BGP as-path list to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match community community-list - -BGP community-list to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match community exact-match - -Set BGP community-list to exactly match. - -.. cfgcmd:: set policy route-map rule <1-65535> match extcommunity - -BGP extended community to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match interface - -First hop interface of a route to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip address access-list <1-2699> - -IP address of route to match, based on access-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip address prefix-list - -IP address of route to match, based on prefix-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop access-list <1-2699> - -IP next-hop of route to match, based on access-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop prefix-list - -IP next-hop of route to match, based on prefix-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source access-list <1-2699> - -IP route source of route to match, based on access-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source prefix-list - -IP route source of route to match, based on prefix-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address access-list - -IPv6 address of route to match, based on IPv6 access-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address prefix-list - -IPv6 address of route to match, based on IPv6 prefix-list. - -.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 nexthop - -Nexthop IPv6 address to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match large-community large-community-list - -Match BGP large communities. - -.. cfgcmd:: set policy route-map rule <1-65535> match local-preference <0-4294967295> - -Match local preference. - -.. cfgcmd:: set policy route-map rule <1-65535> match metric <1-65535> - -Match route metric. - -.. cfgcmd:: set policy route-map rule <1-65535> match origin - -Boarder Gateway Protocol (BGP) origin code to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match peer - -Peer IP address to match. - -.. cfgcmd:: set policy route-map rule <1-65535> match rpki - -Match RPKI validation result. - -.. cfgcmd:: set policy route-map rule <1-65535> match tag <1-65535> - -Route tag to match. - -.. cfgcmd:: set policy route-map rule <1-65535> on-match goto <1-65535> - -Exit policy on match: go to rule <1-65535> - -.. cfgcmd:: set policy route-map rule <1-65535> on-match next - -Exit policy on match: go to next sequence number. - -.. cfgcmd:: set policy route-map rule <1-65535> set aggregator <1-4294967295|x.x.x.x> - -BGP aggregator attribute: AS number or IP address of an aggregation. - -.. cfgcmd:: set policy route-map rule <1-65535> set as-path-exclude - -Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001". - -.. cfgcmd:: set policy route-map rule <1-65535> set as-path-prepend - -Prepend string for a BGP AS-path attribute. For example "64501 64501". - -.. cfgcmd:: set policy route-map rule <1-65535> set atomic-aggregate - -BGP atomic aggregate attribute. - -.. cfgcmd:: set policy route-map rule <1-65535> set bgp-extcommunity-rt - -Set route target value. ExtCommunity in format: asn:value. - -.. cfgcmd:: set policy route-map rule <1-65535> set comm-list comm-list - -BGP communities with a community-list. - -.. cfgcmd:: set policy route-map rule <1-65535> set comm-list delete - -Delete BGP communities matching the community-list. - -.. cfgcmd:: set policy route-map rule <1-65535> set community - -Set BGP community attribute. - -.. cfgcmd:: set policy route-map rule <1-65535> set distance <0-255> - -Locally significant administrative distance. - -.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-rt - -Set route target value. - -.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-soo - -Set site of origin value. - -.. cfgcmd:: set policy route-map rule <1-65535> set ip-next-hop - -Nexthop IP address. - -.. cfgcmd:: set policy route-map rule <1-65535> set ipv6-next-hop - -Nexthop IPv6 address. - -.. cfgcmd:: set policy route-map rule <1-65535> set large-community - -Set BGP large community value. - -.. cfgcmd:: set policy route-map rule <1-65535> set local-preference <0-4294967295> - -Set BGP local preference attribute. - -.. cfgcmd:: set policy route-map rule <1-65535> set metric <+/-metric|0-4294967295> - -Set destination routing protocol metric. Add or subtract metric, or set metric value. - -.. cfgcmd:: set policy route-map rule <1-65535> set metric-type - -Set OSPF external metric-type. - -.. cfgcmd:: set policy route-map rule <1-65535> set origin - -Set BGP origin code. - -.. cfgcmd:: set policy route-map rule <1-65535> set originator-id - -Set BGP originator ID attribute. - -.. cfgcmd:: set policy route-map rule <1-65535> set src - -Set source IP/IPv6 address for route. - -.. cfgcmd:: set policy route-map rule <1-65535> set table <1-200> - -Set prefixes to table. - -.. cfgcmd:: set policy route-map rule <1-65535> set tag <1-65535> - -Set tag value for routing protocol. - -.. cfgcmd:: set policy route-map rule <1-65535> set weight <0-4294967295> - -Set BGP weight attribute - - - -BGP filters -=========== - -With policies, BGP filters can be created. - -policy as-path-list -------------------- - -.. cfgcmd:: set policy as-path-list - -Create as-path-policy identified by name . - -.. cfgcmd:: set policy as-path-list description - -Set description for as-path-list policy. - -.. cfgcmd:: set policy as-path-list rule <1-65535> action - -Set action to take on entries matching this rule. - -.. cfgcmd:: set policy as-path-list rule <1-65535> description - -Set description for rule. - -.. cfgcmd:: set policy as-path-list rule <1-65535> regex - -Regular expression to match against an AS path. For example "64501 64502". - - -policy community-list ---------------------- - -.. cfgcmd:: set policy community-list - -Creat community-list policy identified by name . - -.. cfgcmd:: set policy community-list description - -Set description for community-list policy. - -.. cfgcmd:: set policy community-list rule <1-65535> action - -Set action to take on entries matching this rule. - -.. cfgcmd:: set policy community-list rule <1-65535> description - -Set description for rule. - -.. cfgcmd:: set policy community-list rule <1-65535> regex - -Regular expression to match against a community-list. - - -policy extcommunity-list ------------------------- - -.. cfgcmd:: set policy extcommunity-list - -Creat extcommunity-list policy identified by name . - -.. cfgcmd:: set policy extcommunity-list description - -Set description for extcommunity-list policy. - -.. cfgcmd:: set policy extcommunity-list rule <1-65535> action - -Set action to take on entries matching this rule. - -.. cfgcmd:: set policy extcommunity-list rule <1-65535> description - -Set description for rule. - -.. cfgcmd:: set policy extcommunity-list rule <1-65535> regex - -Regular expression to match against an extended community list, where text could be: - -* : Extended community list regular expression. -* : Route Target regular expression. -* : Site of Origin regular expression. - - -policy large-community-list ---------------------------- - -.. cfgcmd:: set policy large-community-list - -Creat large-community-list policy identified by name . - -.. cfgcmd:: set policy large-community-list description - -Set description for large-community-list policy. - -.. cfgcmd:: set policy large-community-list rule <1-65535> action - -Set action to take on entries matching this rule. - -.. cfgcmd:: set policy large-community-list rule <1-65535> description - -Set description for rule. - -.. cfgcmd:: set policy large-community-list rule <1-65535> regex - -Regular expression to match against a large community list. - - - -Local Route -=========== - -Policies for local traffic are defined in this section. - -policy local-route ------------------- - -.. cfgcmd:: set policy local-route rule <1-32765> set table <1-200|main> - -Set routing table to forward packet to. - -.. cfgcmd:: set policy local-route rule <1-32765> source - -Set source address or prefix to match. - - - - - - - - - -************* +* Set some attributes (like AS PATH or Community value) to advertised routes + to neighbors. +* Prefer a specific routing protocol routes over another routing protocol + running on the same router. + +Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed +information of FRR could be found in http://docs.frrouting.org/ + +*************** +Policy Sections +*************** + +.. toctree:: + :maxdepth: 1 + :includehidden: + + access-list + prefix-list + route + route-map + bgp-policies + local-route + +******** Examples -************* - - -Example -======= - -**Policy definition:** - -.. code-block:: none - - # Create policy - set policy route-map setmet rule 2 action 'permit' - set policy route-map setmet rule 2 set as-path-prepend '2 2 2' - - # Apply policy to BGP - set protocols bgp local-as 1 - set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet' - set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' - -Using 'soft-reconfiguration' we get the policy update without bouncing the -neighbor. - -**Routes learned before routing policy applied:** - -.. code-block:: none - - vyos@vos1:~$ show ip bgp - BGP table version is 0, local router ID is 192.168.56.101 - Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed - Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path - *> 198.51.100.3/32 203.0.113.2 1 0 2 i < Path - - Total number of prefixes 1 - -**Routes learned after routing policy applied:** - -.. code-block:: none - - vyos@vos1:~$ show ip bgp - BGP table version is 0, local router ID is 192.168.56.101 - Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, - r RIB-failure, S Stale, R Removed - Origin codes: i - IGP, e - EGP, ? - incomplete - - Network Next Hop Metric LocPrf Weight Path - *> 198.51.100.3/32 203.0.113.2 1 0 2 2 2 2 i - - Total number of prefixes 1 - vyos@vos1:~$ - -You now see the longer AS path. - - - -.. _routing-pbr: - -### -PBR -### - -:abbr:`PBR (Policy-Based Routing)` allowing traffic to be assigned to -different routing tables. Traffic can be matched using standard 5-tuple -matching (source address, destination address, protocol, source port, -destination port). - -Transparent Proxy -================= - -The following example will show how VyOS can be used to redirect web -traffic to an external transparent proxy: - -.. code-block:: none - - set policy route FILTER-WEB rule 1000 destination port 80 - set policy route FILTER-WEB rule 1000 protocol tcp - set policy route FILTER-WEB rule 1000 set table 100 - -This creates a route policy called FILTER-WEB with one rule to set the -routing table for matching traffic (TCP port 80) to table ID 100 -instead of the default routing table. - -To create routing table 100 and add a new default gateway to be used by -traffic matching our route policy: - -.. code-block:: none - - set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2 - -This can be confirmed using the ``show ip route table 100`` operational -command. - -Finally, to apply the policy route to ingress traffic on our LAN -interface, we use: - -.. code-block:: none - - set interfaces ethernet eth1 policy route FILTER-WEB - - -Multiple Uplinks -================ - -VyOS Policy-Based Routing (PBR) works by matching source IP address -ranges and forwarding the traffic using different routing tables. - -Routing tables that will be used in this example are: - -* ``table 10`` Routing table used for VLAN 10 (192.168.188.0/24) -* ``table 11`` Routing table used for VLAN 11 (192.168.189.0/24) -* ``main`` Routing table used by VyOS and other interfaces not - participating in PBR - -.. figure:: /_static/images/pbr_example_1.png - :scale: 80 % - :alt: PBR multiple uplinks - - Policy-Based Routing with multiple ISP uplinks - (source ./draw.io/pbr_example_1.drawio) - -Add default routes for routing ``table 10`` and ``table 11`` - -.. code-block:: none - - set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.2.1 - set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2 - -Add policy route matching VLAN source addresses - -.. code-block:: none - - set policy route PBR rule 20 set table '10' - set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10' - set policy route PBR rule 20 source address '192.168.188.0/24' - - set policy route PBR rule 30 set table '11' - set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11' - set policy route PBR rule 30 source address '192.168.189.0/24' - -Apply routing policy to **inbound** direction of out VLAN interfaces - -.. code-block:: none - - set interfaces ethernet eth0 vif 10 policy route 'PBR' - set interfaces ethernet eth0 vif 11 policy route 'PBR' - - -**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) -from PBR - -.. code-block:: none - - set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut' - set policy route PBR rule 10 destination address '192.168.188.0/24' - set policy route PBR rule 10 destination address '192.168.189.0/24' - set policy route PBR rule 10 set table 'main' - -These commands allow the VLAN10 and VLAN20 hosts to communicate with -each other using the main routing table. - -Local route -=========== - -The following example allows VyOS to use :abbr:`PBR (Policy-Based Routing)` -for traffic, which originated from the router itself. That solution for multiple -ISP's and VyOS router will respond from the same interface that the packet was -received. Also, it used, if we want that one VPN tunnel to be through one -provider, and the second through another. - -* ``203.0.113.254`` IP addreess on VyOS eth1 from ISP1 -* ``192.168.2.254`` IP addreess on VyOS eth2 from ISP2 -* ``table 10`` Routing table used for ISP1 -* ``table 11`` Routing table used for ISP2 - - -.. code-block:: none - - set policy local-route rule 101 set table '10' - set policy local-route rule 101 source '203.0.113.254' - set policy local-route rule 102 set table '11' - set policy local-route rule 102 source '192.0.2.254' - set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1' - set protocols static table 11 route 0.0.0.0/0 next-hop '192.0.2.2' - -Add multiple source IP in one rule with same priority - -.. code-block:: none +******** - set policy local-route rule 101 set table '10' - set policy local-route rule 101 source '203.0.113.254' - set policy local-route rule 101 source '203.0.113.253' - set policy local-route rule 101 source '198.51.100.0/24' +Examples of policies usage: +.. toctree:: + :maxdepth: 1 + :includehidden: + + examples \ No newline at end of file diff --git a/docs/configuration/policy/local-route.rst b/docs/configuration/policy/local-route.rst new file mode 100644 index 00000000..0b0122ab --- /dev/null +++ b/docs/configuration/policy/local-route.rst @@ -0,0 +1,20 @@ +################## +Local Route Policy +################## + +Policies for local traffic are defined in this section. + +************* +Configuration +************* + +Local Route +=========== + +.. cfgcmd:: set policy local-route rule <1-32765> set table <1-200|main> + + Set routing table to forward packet to. + +.. cfgcmd:: set policy local-route rule <1-32765> source + + Set source address or prefix to match. diff --git a/docs/configuration/policy/prefix-list.rst b/docs/configuration/policy/prefix-list.rst new file mode 100644 index 00000000..ebc02ea2 --- /dev/null +++ b/docs/configuration/policy/prefix-list.rst @@ -0,0 +1,87 @@ +################## +Prefix List Policy +################## + +Prefix lists provides the most powerful prefix based filtering mechanism. In +addition to access-list functionality, ip prefix-list has prefix length range +specification. + +If no ip prefix list is specified, it acts as permit. If ip prefix list is +defined, and no match is found, default deny is applied. + +Prefix filtering can be done using prefix-list and prefix-list6. + +************* +Configuration +************* + +Prefix Lists +============ + +.. cfgcmd:: set policy prefix-list + + This command creates the new prefix-list policy, identified by . + +.. cfgcmd:: set policy prefix-list description + + Set description for the prefix-list policy. + +.. cfgcmd:: set policy prefix-list rule <1-65535> action + + This command creates a new rule in the prefix-list and defines an action. + +.. cfgcmd:: set policy prefix-list rule <1-65535> description + + Set description for rule in the prefix-list. + +.. cfgcmd:: set policy prefix-list rule <1-65535> prefix + + Prefix to match against. + +.. cfgcmd:: set policy prefix-list rule <1-65535> ge <0-32> + + Netmask greater than length. + +.. cfgcmd:: set policy prefix-list rule <1-65535> le <0-32> + + Netmask less than lenght + +IPv6 Prefix Lists +================= + +.. cfgcmd:: set policy prefix-list6 + + This command creates the new IPv6 prefix-list policy, identified by . + +.. cfgcmd:: set policy prefix-list6 description + + Set description for the IPv6 prefix-list policy. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> action + + This command creates a new rule in the IPv6 prefix-list and defines an + action. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> description + + Set description for rule in IPv6 prefix-list. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> prefix + + + IPv6 prefix. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> ge <0-128> + + Netmask greater than length. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> le <0-128> + + Netmask less than lenght + + +******** +Examples +******** + +Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst new file mode 100644 index 00000000..14cace25 --- /dev/null +++ b/docs/configuration/policy/route-map.rst @@ -0,0 +1,262 @@ +################ +Route Map Policy +################ + +Route map is a powerfull command, that gives network administrators a very +useful and flexible tool for traffic manipulation. + +************* +Configuration +************* + +Route Map +========= + +.. cfgcmd:: set policy route-map + + This command creates a new route-map policy, identified by . + +.. cfgcmd:: set policy route-map description + + Set description for the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> action + + Set action for the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> call + + Call another route-map policy on match. + +.. cfgcmd:: set policy route-map rule <1-65535> continue <1-65535> + + Jump to a different rule in this route-map on a match. + +.. cfgcmd:: set policy route-map rule <1-65535> description + + Set description for the rule in the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> match as-path + + BGP as-path list to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match community + community-list + + BGP community-list to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match community + exact-match + + Set BGP community-list to exactly match. + +.. cfgcmd:: set policy route-map rule <1-65535> match extcommunity + + + BGP extended community to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match interface + + First hop interface of a route to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip address + access-list <1-2699> + + IP address of route to match, based on access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip address + prefix-list + + IP address of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop + access-list <1-2699> + + IP next-hop of route to match, based on access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop + prefix-list + + IP next-hop of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source + access-list <1-2699> + + IP route source of route to match, based on access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source + prefix-list + + IP route source of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address + access-list + + IPv6 address of route to match, based on IPv6 access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address + prefix-list + + IPv6 address of route to match, based on IPv6 prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 nexthop + + + Nexthop IPv6 address to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match large-community + large-community-list + + Match BGP large communities. + +.. cfgcmd:: set policy route-map rule <1-65535> match local-preference + <0-4294967295> + + Match local preference. + +.. cfgcmd:: set policy route-map rule <1-65535> match metric <1-65535> + + Match route metric. + +.. cfgcmd:: set policy route-map rule <1-65535> match origin + + + Boarder Gateway Protocol (BGP) origin code to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match peer + + Peer IP address to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match rpki + + + Match RPKI validation result. + +.. cfgcmd:: set policy route-map rule <1-65535> match tag <1-65535> + + Route tag to match. + +.. cfgcmd:: set policy route-map rule <1-65535> on-match goto <1-65535> + + Exit policy on match: go to rule <1-65535> + +.. cfgcmd:: set policy route-map rule <1-65535> on-match next + + Exit policy on match: go to next sequence number. + +.. cfgcmd:: set policy route-map rule <1-65535> set aggregator + <1-4294967295|x.x.x.x> + + BGP aggregator attribute: AS number or IP address of an aggregation. + +.. cfgcmd:: set policy route-map rule <1-65535> set as-path-exclude + + + Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001". + +.. cfgcmd:: set policy route-map rule <1-65535> set as-path-prepend + + + Prepend string for a BGP AS-path attribute. For example "64501 64501". + +.. cfgcmd:: set policy route-map rule <1-65535> set atomic-aggregate + + BGP atomic aggregate attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set bgp-extcommunity-rt + + + Set route target value. ExtCommunity in format: asn:value. + +.. cfgcmd:: set policy route-map rule <1-65535> set comm-list comm-list + + + BGP communities with a community-list. + +.. cfgcmd:: set policy route-map rule <1-65535> set comm-list delete + + Delete BGP communities matching the community-list. + +.. cfgcmd:: set policy route-map rule <1-65535> set community + + + Set BGP community attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set distance <0-255> + + Locally significant administrative distance. + +.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-rt + + + Set route target value. + +.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-soo + + + Set site of origin value. + +.. cfgcmd:: set policy route-map rule <1-65535> set ip-next-hop + + + Nexthop IP address. + +.. cfgcmd:: set policy route-map rule <1-65535> set ipv6-next-hop + + + Nexthop IPv6 address. + +.. cfgcmd:: set policy route-map rule <1-65535> set large-community + + + Set BGP large community value. + +.. cfgcmd:: set policy route-map rule <1-65535> set local-preference + <0-4294967295> + + Set BGP local preference attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set metric + <+/-metric|0-4294967295> + + Set destination routing protocol metric. Add or subtract metric, or set + metric value. + +.. cfgcmd:: set policy route-map rule <1-65535> set metric-type + + + Set OSPF external metric-type. + +.. cfgcmd:: set policy route-map rule <1-65535> set origin + + + Set BGP origin code. + +.. cfgcmd:: set policy route-map rule <1-65535> set originator-id + + + Set BGP originator ID attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set src + + + Set source IP/IPv6 address for route. + +.. cfgcmd:: set policy route-map rule <1-65535> set table <1-200> + + Set prefixes to table. + +.. cfgcmd:: set policy route-map rule <1-65535> set tag <1-65535> + + Set tag value for routing protocol. + +.. cfgcmd:: set policy route-map rule <1-65535> set weight + <0-4294967295> + + Set BGP weight attribute + +******** +Examples +******** + +Examples would be uploaded soon. \ No newline at end of file diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst new file mode 100644 index 00000000..8f54a47b --- /dev/null +++ b/docs/configuration/policy/route.rst @@ -0,0 +1,428 @@ +############ +Route Policy +############ + +Route and IPv6 route policies are defined in this section. This route policies +can then be associated to interfaces. + +************* +Configuration +************* + +Route +===== + +.. cfgcmd:: set policy route + + This command creates a new route policy, identified by . + +.. cfgcmd:: set policy route description + + Set description for the route policy. + +.. cfgcmd:: set policy route enable-default-log + + Option to log packets hitting default-action. + +.. cfgcmd:: set policy route rule <1-9999> description + + Set description for rule in route policy. + +.. cfgcmd:: set policy route rule <1-9999> action drop + + Set rule action to drop. + +.. cfgcmd:: set policy route rule <1-9999> destination address + + + Set match criteria based on destination address, where + could be: + + * : IP address to match. + * : Subnet to match. + * -: IP range to match. + * !: Match everything except the specified address. + * !: Match everything except the specified subnet. + * !-: Match everything except the specified range. + +.. cfgcmd:: set policy route rule <1-9999> destination group + + + Set destination match criteria based on groups, where would be the + group name/identifier. + +.. cfgcmd:: set policy route rule <1-9999> destination port + + + Set match criteria based on destination port, where could + be: + + * : Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * -: Numbered port range (e.g., 1001-1005). + + Multiple destination ports can be specified as a comma-separated list. The + whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route rule <1-9999> disable + + Option to disable rule. + +.. cfgcmd:: set policy route rule <1-9999> fragment + + + Set IP fragment match, where: + + * match-frag: Second and further fragments of fragmented packets. + * match-non-frag: Head fragments or unfragmented packets. + +.. cfgcmd:: set policy route rule <1-9999> icmp + + Set ICMP match criterias, based on code and/or types. Types could be + referenced by number or by name. + +.. cfgcmd:: set policy route rule <1-9999> ipsec + + + Set IPSec inbound match criterias, where: + + * match-ipsec: match inbound IPsec packets. + * match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy route rule <1-9999> limit burst <0-4294967295> + + Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy route rule <1-9999> limit rate + + Set maximum average matching rate. Format for rate: integer/time_unit, where + time_unit could be any one of second, minute, hour or day.For example + 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy route rule <1-9999> log + + Option to enable or disable log matching rule. + +.. cfgcmd:: set policy route rule <1-9999> log + + Option to log matching rule. + +.. cfgcmd:: set policy route rule <1-9999> protocol + + + Set protocol to match. Protocol name in /etc/protocols or protocol number, + or "tcp_udp" or "all". Also, protocol could be denied by using !. + +.. cfgcmd:: set policy route rule <1-9999> recent + <1-255|0-4294967295> + + Set parameters for matching recently seen sources. This match could be used + by seeting count (source address seen more than <1-255> times) and/or time + (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy route rule <1-9999> set dscp <0-63> + + Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy route rule <1-9999> set mark <1-2147483647> + + Set packet modifications: Packet marking + +.. cfgcmd:: set policy route rule <1-9999> set table + + Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy route rule <1-9999> set tcp-mss <500-1460> + + Set packet modifications: Explicitly set TCP Maximum segment size value. + +.. cfgcmd:: set policy route rule <1-9999> source address + + + Set match criteria based on source address, where could be: + + * : IP address to match. + * : Subnet to match. + * -: IP range to match. + * !: Match everything except the specified address. + * !: Match everything except the specified subnet. + * !-: Match everything except the specified range. + +.. cfgcmd:: set policy route rule <1-9999> source group + + + Set source match criteria based on groups, where would be the group + name/identifier. + +.. cfgcmd:: set policy route rule <1-9999> source port + + Set match criteria based on source port, where could be: + + * : Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * -: Numbered port range (e.g., 1001-1005). + + Multiple source ports can be specified as a comma-separated list. The whole + list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route rule <1-9999> state + + + Set match criteria based on session state. + +.. cfgcmd:: set policy route rule <1-9999> tcp flags + + Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK + FIN RST URG PSH ALL. When specifying more than one flag, flags should be + comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match + packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy route rule <1-9999> time monthdays + + Set monthdays to match rule on. Format for monthdays: 2,12,21. + To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy route rule <1-9999> time startdate + + Set date to start matching rule. Format for date: yyyy-mm-dd. To specify + time of date with startdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route rule <1-9999> time starttime + + Set time of day to start matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy route rule <1-9999> time stopdate + + Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time + of date with stopdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route rule <1-9999> time stoptime + + Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy route rule <1-9999> time utc + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy route rule <1-9999> time weekdays + + Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! + at the front eg. !Mon,Thu,Sat. + + +IPv6 Route +========== + +.. cfgcmd:: set policy ipv6-route + + This command creates a new IPv6 route policy, identified by . + +.. cfgcmd:: set policy ipv6-route description + + Set description for the IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route enable-default-log + + Option to log packets hitting default-action. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> action drop + + Set rule action to drop. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> description + + Set description for rule in IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> destination address + + + Set match criteria based on destination IPv6 address, where + could be: + + * : IPv6 address to match. + * : IPv6 prefix to match. + * -: IPv6 range to match. + * !: Match everything except the specified address. + * !: Match everything except the specified prefix. + * !-: Match everything except the + specified range. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> destination port + + + Set match criteria based on destination port, where could + be: + + * : Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * -: Numbered port range (e.g., 1001-1005). + + Multiple destination ports can be specified as a comma-separated list. The + whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005'. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> disable + + Option to disable rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> icmpv6 type + + Set ICMPv6 match criterias, based on ICMPv6 type/code name. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> ipsec + + + Set IPSec inbound match criterias, where: + + * match-ipsec: match inbound IPsec packets. + * match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> limit burst + <0-4294967295> + + Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy ipv6-route rule <1-9999> limit rate + + Set maximum average matching rate. Format for rate: integer/time_unit, where + time_unit could be any one of second, minute, hour or day.For example + 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> log + + Option to enable or disable log matching rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> log + + Option to log matching rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> protocol + + + Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or + protocol number, or "tcp_udp" or "all". Also, protocol could be denied by + using !. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> recent + <1-255|0-4294967295> + + Set parameters for matching recently seen sources. This match could be used + by seeting count (source address seen more than <1-255> times) and/or time + (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set dscp <0-63> + + Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set mark <1-2147483647> + + Set packet modifications: Packet marking. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set table + + Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set tcp-mss + + + Set packet modifications: pmtu option automatically set to Path Maximum + Transfer Unit minus 60 bytes. Otherwise, expliicitly set TCP MSS value from + 500 to 1460. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source address + + + Set match criteria based on IPv6 source address, where + could be: + + * : IPv6 address to match + * : IPv6 prefix to match + * -: IPv6 range to match + * !: Match everything except the specified address + * !: Match everything except the specified prefix + * !-: Match everything except the + specified range + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source mac-address + + + Set source match criteria based on MAC address. Declare specific MAC address + to match, or match everything except the specified MAC. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source port + + + Set match criteria based on source port, where could be: + + * : Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * -: Numbered port range (e.g., 1001-1005). + + Multiple source ports can be specified as a comma-separated list. The whole + list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005'. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> state + + + Set match criteria based on session state. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> tcp flags + + Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK + FIN RST URG PSH ALL. When specifying more than one flag, flags should be + comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match + packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time monthdays + + Set monthdays to match rule on. Format for monthdays: 2,12,21. + To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time startdate + + Set date to start matching rule. Format for date: yyyy-mm-dd. To specify + time of date with startdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time starttime + + Set time of day to start matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time stopdate + + Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time + of date with stopdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time stoptime + + Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time utc + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time weekdays + + Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! + at the front eg. !Mon,Thu,Sat. + + +******** +Examples +******** + +Examples would be uploaded soon. \ No newline at end of file -- cgit v1.2.3