########################## Command reference. Runtime ########################## **Runtime** is a part of the configuration file that can be changed after **Bison Router** has been started. It contains settings of virtual interfaces, routing, subscribers, and settings of other BisonRouter subsystems. When configuring, it is important to respect the dependency between objects. If object A is used by object B, then object A must be added first. For example, a VIF should be created before adding an IP address to the VIF. Control Plane Protection ************************ BisonRouter's control plane module is responsible for processing protocols such as ARP, PPPoE, DHCP, etc. Handling incoming packets of these protocols is a CPU-intensive task, and therefore, the control plane could be overwhelmed by a storm of such packets. To prevent this scenario, BisonRouter employs a protection mechanism to detect such storms and drop incoming packets if their rate exceeds a defined threshold. To limit the number of incoming packets processed, BisonRouter utilizes policer objects. Multiple policers are assigned for each of the control plane-protected protocols. Presently, three protocols are protected by policers: ARP, PPPoE, and DHCP. To determine the policer object for processing an incoming packet, BisonRouter calculates a hash value using the header content of the packet. Specifically, for ARP, PPPoE, and DHCP, BisonRouter employs the source MAC address field to compute the hash value and select the appropriate policer. Note that the total rate of incoming packets for a protocol equals the number of policers multiplied by the rate of each policer. The number of policers created for a protocol, policer's ingress packets rates and a protection status of each protocol are controled by the following sysctl variables. =================================== ======================================================== ============= Sysctl variable Description | Default | value =================================== ======================================================== ============= cplane_protection_arp_enabled | A boolean variable to disable/enable 1 | protection of the ARP protocol. | 0 - disabled. 1 - enabled. cplane_protection_arp_nb_policers | An integer variable to set up the number 32 | of policer objects for the ARP protocol. | The scope of the variable is startup. cplane_protection_arp_rate | An integer variable to set up the maximum rate 50 | of ingress ARP reply packets handled by | a single policer. | The scope of the variable is runtime. cplane_protection_pppoe_enabled | A boolean variable to disable/enable protection 1 | of the PPPoE protocol. 0 - disabled. 1 - enabled. | The scope of the variable is runtime. cplane_protection_pppoe_nb_policers | An integer variable to set up the number of policer 32 | objects for the PPPoE protocol. | The scope of the variable is startup. cplane_protection_pppoe_rate | An integer variable to set up the maximum 150 | rate of ingress PPPoE packets handled | by a single policer. | The scope of the variable is runtime. cplane_protection_dhcp_enabled | A boolean variable to disable/enable protection 1 | of DHCP v4, v6 protocols. | 0 - disabled. 1 - enabled. | The scope of the variable is runtime. cplane_protection_dhcp_nb_policers | An integer variable to set up the number of policer 32 | objects for DHCP v4, v6 protocols. | The scope of the variable is startup. cplane_protection_dhcp_rate | An integer variable to set up the maximum rate 200 | of ingress DHCP packets handled by a single policer. | The scope of the variable is runtime. =================================== ======================================================== ============= **Example** .. code-block:: none startup { sysctl set cplane_protection_arp_nb_policers 32 } runtime { sysctl set cplane_protection_arp_rate 200 } rcli sh cplane protection ========================= This command outputs status of the Control Plane Protection module. .. code-block:: none sh cplane protection **Example** .. code-block:: none rcli sh cplane protection ARP: enabled: yes number of policers: 32 policer rate: 50 dropped ingress ARP replies: 0 PPPoE: enabled: yes number of policers: 32 policer rate: 150 dropped packets: 0 DHCP v4 and v6: enabled: yes number of policers: 32 policer rate: 200 dropped packets: 0 VLAN Set ******** VLAN Set is a helper BisonRouter module that enables other modules and functions to operate with multiple VLANs at the same time. For example, if there is a need to create hundreds of similar Virtual Interfaces (VIFs) it is easier to do that by creating a VLAN Set containing all VLAN ids and by running a single command to create VIFs that takes a VLAN Set id as a parameter. vlan set create =============== This command creates a new VLAN set. .. code-block:: none vlan set create **Description** =========== ======================== Item Description =========== ======================== vlan_set_id The ID of a new VLAN set =========== ======================== **Example** This example shows how to create a VLAN set with id ``2``: .. code-block:: none vlan set create 2 vlan set destroy ================ This command deletes a VLAN set. .. code-block:: none vlan set destroy **Description** =========== ============================== Item Description =========== ============================== vlan_set_id The ID of a VLAN set to delete =========== ============================== **Example** This example shows how to delete a VLAN set with id ``2``: .. code-block:: none vlan set destroy 2 vlan set add range ================== This command adds a range of VLAN identifiers to a VLAN set. .. code-block:: none vlan set add port range [svid ] cvid **Description** +-------------+----------------------------+-----------------+ | Item | Description | Value | +=============+============================+=================+ | vlan_set_id | The ID of a VLAN set | A numeric value | | | virtual interfaces | | +-------------+----------------------------+-----------------+ | port | Physical NIC Port number | A numeric value | | | associated with VLANs | | +-------------+----------------------------+-----------------+ | svid_range | Service VLAN ID | 1-4095. | | | or Service VLAN range | | | | | Mandatory | | | | for QinQ | | | | VLAN sets | +-------------+----------------------------+-----------------+ | cvid_range | Customer VLAN ID | 1-4095. | | | or Customer VLAN range | | | | | Mandatory | | | | for QinQ | | | | and Dot1Q | | | | VLAN sets | +-------------+----------------------------+-----------------+ **Examples** This example shows how to add Dot1Q VLANs with id values in the range from 10 to 100 to a VLAN set with id 2. .. code-block:: none vlan set 2 add port 1 range cvid 10 100 This example shows how to add Dot1Q VLAN with id 139 to a VLAN set with id 2. .. code-block:: none vlan set 2 add port 1 range cvid 139 This example shows how to add QinQ VLAN with svids in the range 10 20 and cvids in the range 1 10. .. code-block:: none vlan set 2 add port 1 range svid 10 20 cvid 1 10 vlan set del range ================== This command deletes a range of VLAN identifiers from a VLAN set. .. code-block:: none vlan set del port range [svid ] cvid **Description** +-------------+----------------------------+-----------------+ | Item | Description | Value | +=============+============================+=================+ | vlan_set_id | The ID of a VLAN set | A numeric value | | | virtual interfaces | | +-------------+----------------------------+-----------------+ | port | Physical NIC Port number | A numeric value | | | associated with VLANs | | +-------------+----------------------------+-----------------+ | svid_range | Service VLAN ID | 1-4095. | | | or Service VLAN range | | | | | Mandatory | | | | for QinQ | | | | VLAN sets | +-------------+----------------------------+-----------------+ | cvid_range | Customer VLAN ID | 1-4095. | | | or Customer VLAN range | | | | | Mandatory | | | | for QinQ | | | | and Dot1Q | | | | VLAN sets | +-------------+----------------------------+-----------------+ **Examples** This example shows how to delete Dot1Q VLANs with id values in the range from 10 to 100 from a VLAN set with id 2. .. code-block:: none vlan set 2 del port 1 range cvid 10 100 This example shows how to delete Dot1Q VLAN with id 139 from a VLAN set with id 2. .. code-block:: none vlan set 2 del port 1 range cvid 139 This example shows how to delete QinQ VLAN with svids in the range 10 20 and cvids in the range 1 10. .. code-block:: none vlan set 2 del port 1 range svid 10 20 cvid 1 10 Virtual Interfaces ****************** VIF (virtual interface) is an essential part of **Bison Router** which provides access to the VLAN. vif add ======= This command creates a new virtual L3 interface (VIF). .. code-block:: none vif add name port type [svid ] [cvid ] [flags ] [MTU ] **Description** +------+---------------------------+-----------+ | Item | Description | Value | +======+===========================+===========+ | name | Name of the virtual || The VIF's| | | interface to be added | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| | | | | | | | | | | | | | | | | | | | | +------+---------------------------+-----------+ | port | The port number to which | | | | the VIF is added | | +------+---------------------------+-----------+ | type | VIF type | untagged | | | +-----------+ | | | dot1q | | | +-----------+ | | | qinq | +------+---------------------------+-----------+ | svid | Service VLAN ID | 1-4095. | | | | Mandatory | | | | for QinQ | +------+---------------------------+-----------+ | cvid | Customer VLAN ID | 1-4095. | | | | Mandatory | | | | for QinQ | | | | and dot1q | +------+---------------------------+-----------+ | flag | Add a flag | | +------+---------------------------+-----------+ | MTU | Maximum transmission unit | | | | size | | +------+---------------------------+-----------+ **Flags** These flags enable the following network functions: =========== ====================================================================== Flag Description =========== ====================================================================== npf_on NPF at interface kni Kernal Network Interface. Mandatory for FRR/Quagga integration proxy_arp Proxy ARP flow_acct Flow Accounting (Netflow/IPFIX) rpf Reverse path filter dhcp_rel DHCP relay. Enabled by default vrrp VRRP pppoe_on PPPoE l2_subs L2 subscribers management l3_subs L3 subscribers management =========== ====================================================================== vif flags ========= This command is intended for VIF flags enabling/disabling. Use this command if you need to enable a new flag that you did not specify in the ``vif add`` command. .. code-block:: none vif flags name flags **Description** =========== =============================================== Item Description =========== =============================================== up Enable a flag down Disable a flag name VIF's name =========== =============================================== **Flags** These flags enable the following network functions: =========== ====================================================================== Flag Description =========== ====================================================================== proxy_arp Proxy ARP flow_acct Flow Accounting (Netflow/IPFIX) rpf Reverse path filter dhcp_rel DHCP relay. Enabled by default pppoe_on PPPoE l2_subs L2 subscribers management l3_subs L3 subscribers management =========== ====================================================================== **Example** This example shows how to disable the ``dhcp_rel`` flag for the VIF v20. .. code-block:: none vif flags down name v20 flags dhcp_rel vif del ======= This command deletes a VIF. .. code-block:: none vif del **Description** =========== =============================================== Item Description =========== =============================================== name Name of the VIF to delete =========== =============================================== **Example** This example shows how to delete a VIF named ``v20``: .. code-block:: none vif del v20 vif car ======= This command enables ingress/egress bandwidth limit for a VIF. .. code-block:: none vif car name ingress cir egress cir .. note:: Zero value is used to delete a limit. **Description** =========== ===================================================== ====== Item Description Value =========== ===================================================== ====== name Name of the VIF for applying a limit cir_value Committed information rate value Kbit/s =========== ===================================================== ====== **Example** This example shows how to enable ingress/egress bandwidth equal to ``10000`` for the VIF named ``v20``: .. code-block:: none vif car name v20 ingress cir 10000 egress cir 10000 This example shows how to disable ingress/egress bandwidth for the VIF named ``v20``: .. code-block:: none vif car name v20 ingress cir 0 egress cir 0 sh vif ====== This command outputs all VIFs and information about their configuration. .. code-block:: none sh vif **Example** Example of the response for ``sh vif`` command: .. code-block:: none sh vif vif v20 id 2 port 0, vlan 0.20, encapsulation dot1q mac address 0E:7B:2D:2E:F4:13 shaper ingress not set egress not set ACL ingress not set egress not set flags dhcp_rel,NAT mtu 1500 vif v30 id 3 port 1, vlan 0.30, encapsulation dot1q mac address CA:D6:F3:10:39:4A shaper ingress not set egress not set ACL ingress not set egress not set flags dhcp_rel mtu 1500 vif lo id 1 port 255, vlan 4095.4095, encapsulation qinq mac address 00:00:00:00:00:01 shaper ingress not set egress not set ACL ingress not set egress not set flags dhcp_rel mtu 1500 sh vif ============= This command outputs information about a particular VIF. .. code-block:: none sh vif **Description** =========== ===================================================== Item Description =========== ===================================================== name Name of the VIF to show information about =========== ===================================================== **Example** This example shows how to output information about the VIF named ``v20``: .. code-block:: none sh vif v20 The response has the following format: .. code-block:: none vif v20 id 2 port 0, vlan 0.20, encapsulation dot1q mac address 0E:7B:2D:2E:F4:13 shaper ingress not set egress not set ACL ingress not set egress not set flags dhcp_rel,NAT mtu 1500 sh vif counters =============== This command outputs VIFs traffic statistics. .. code-block:: none sh vif counters **Example** Description .. code-block:: none vif_id name port svid cvid rx_pkts tx_pkts rx_bytes tx_bytes 2 v20 0 0 20 0 0 0 0 3 v30 1 0 30 2 0 804 0 clear vif counters ================== This command clears VIFs statistics. .. code-block:: none clear vif counters VIF VLAN set commands ===================== These commands create a series of similar VIFs that differ only by the VLAN parameters. The commands use the VLAN set module to select the VLAN ids for which VIFs are created. vif add vlan set ---------------- This command creates multiple VIFs with the VLAN ids from a VLAN set. Each VIF has the same parameters specified by the command and differs only by the VLAN ids and the name. VIF's name is composed by concatenating the VIF name prefix, the port number, and VLAN ids. For example 'v1.10.5' is the name of a VIF with port number 1, svid 10 and cvid 5. 'v' is the default value of the VIF name prefix. .. code-block:: none vif add vlan set [flags ] [mtu ] [prefix ] **Description** +-------------------+---------------------------+-----------+ | Item | Description | Value | +===================+===========================+===========+ | vlan_set_id | VLAN set id | | +-------------------+---------------------------+-----------+ | flag | VIF flags | | +-------------------+---------------------------+-----------+ | mtu | Maximum transmission unit | | | | size | | +-------------------+---------------------------+-----------+ | vif_name_prefix | VIF name prefix. Default | | | | value is 'v' | | +-------------------+---------------------------+-----------+ .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. **Example** .. code-block:: none vif add vlan set 2 This command creates VIFs with the VLAN ids from the VLAN set 2. VIF have default flags, mtu, and prefix name 'v'. vif del vlan set ---------------- This command deletes multiple VIFs with the VLAN ids from a VLAN set. If VIFs were created with a non default VIF name prefix then the same prefix should be used by this delete commdand. The flag parameter and the mtu parameter should match the same parameters used when VIFs were created by the `vif add vlan set`_ command. .. code-block:: none vif del vlan set [flags ] [mtu ] [prefix ] **Description** +-------------------+---------------------------+-----------+ | Item | Description | Value | +===================+===========================+===========+ | vlan_set_id | VLAN set id | | +-------------------+---------------------------+-----------+ | flag | VIF flags | | +-------------------+---------------------------+-----------+ | mtu | Maximum transmission unit | | | | size | | +-------------------+---------------------------+-----------+ | vif_name_prefix | VIF name prefix. Default | | | | value is 'v' | | +-------------------+---------------------------+-----------+ .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. **Example** .. code-block:: none vif del vlan set 2 This command deletes VIFs with the VLAN ids from the VLAN set 2. VIF range commands ================== These commands create a series of similar VIFs that differ only by the VLAN parameters. A general command is ``vif add range``. The syntax varies depending on which VIF parameters need to be specified. .. note:: The ``range`` parameter in each command represents a range of numbers. Enter two numbers separated by a space to specify a range (for example, ``cvid 100 200`` means Customer VLAN IDs from 100 to 200) and one number if it is a particular object (``cvid 100`` means Customer VLAN ID number 100). vif add range ------------- .. code-block:: none vif add name port type range svid cvid [flags ] [mtu ] **Description** +------------+---------------------------+-----------+ | Item | Description | Value | +============+===========================+===========+ | name | Name of the range of || The VIF's| | | virtual interfaces | name must | | | to be added | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| +------------+---------------------------+-----------+ | port | The port number to which | | | | the VIFs range is added | | +------------+---------------------------+-----------+ | type | VIFs type | untagged | | | +-----------+ | | | dot1q | | | +-----------+ | | | qinq | +------------+---------------------------+-----------+ | svid_range | Service VLAN ID | 1-4095. | | | or Service VLAN range | | | | | Mandatory | | | | for QinQ | +------------+---------------------------+-----------+ | cvid_range | Customer VLAN ID | 1-4095. | | | or Customer VLAN range | Mandatory | | | | for QinQ | | | | and dot1q | | | | | +------------+---------------------------+-----------+ | flag | Add a flag | | +------------+---------------------------+-----------+ | MTU | Maximum transmission unit | | | | size | | +------------+---------------------------+-----------+ **Example** To create 101 VIFs with VLAN numbers from 4.100 to 4.200 use the following format ``svid 4 cvid 100 200``. Example of the full command: .. code-block:: none vif add name rng1_ port 1 type qinq range svid 4 cvid 100 200 flags l2_subs To create 202 VIFs with VLAN numbers from 4.100 to 5.200 use the following format ``svid 4 5 cvid 100 200``. Example of the full command: .. code-block:: none vif add name rng2_ port 1 type qinq range svid 4 5 cvid 100 200 flags l2_subs vif del range ------------- This command deletes a VIF's range. .. code-block:: none vif del range svid cvid name **Description** +------------+---------------------------+-----------+ | Item | Description | Value | +============+===========================+===========+ | name | Name of the range of || The VIF's| | | virtual interfaces to be | name must | | | deleted | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| +------------+---------------------------+-----------+ | svid_range | Service VLAN ID | 1-4095. | | | or Service VLAN range | | | | | Mandatory | | | | for QinQ | +------------+---------------------------+-----------+ | cvid_range | Customer VLAN ID | 1-4095. | | | or Customer VLAN range | Mandatory | | | | for QinQ | | | | and dot1q | | | | | +------------+---------------------------+-----------+ **Example** This example shows how to delete a VIFs range named ``v20`` with VLAN numbers from ``4.100`` to ``5.200``: .. code-block:: none vif del range svid 4 5 cvid 100 200 v20 Traffic classification ********************** .. note:: ``ipset`` and ``l2set`` are subcases of U32 set. in IPv6, only ``l2set`` is supported. U32 sets ======== u32set create ------------- This command creates a new U32 set. .. code-block:: none u32set create size bucket_size type **Description** +-----------------+---------------------------+---------------+ | Item | Description | Value | +=================+===========================+===============+ | name | U32 set name || The U32 | | | | set | | | | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters | +-----------------+---------------------------+---------------+ | size | U32 set size | The max. | | | | number | | | | of elements | | | | in the set | +-----------------+---------------------------+---------------+ | bucket_size | Bucket size | 8-256 | +-----------------+---------------------------+---------------+ | set_type | U32 set type | | ``ip`` - | | | | a set | | | | containing | | | | ipv4 | | | | addresses | | | | | ``l2`` - | | | | a set | | | | containing | | | | VIF IDs | +-----------------+---------------------------+---------------+ **Example** The example shows how to create a U32 set for storing IPv4 addresses: .. code-block:: none u32set create ips1 size 16384 bucket_size 16 type ip u32set destroy -------------- This command deletes a U32 set. .. code-block:: none u32set destroy **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of the U32 set to delete =========== ============================================================================================= **Example** This command deletes the U32 set named ``ips1``: .. code-block:: none u32set destroy ips1 IP set ====== ipset add --------- This command adds an IP address to a U32 set. .. code-block:: none ipset add [flags [,...]] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of the U32 set to add an IP address ip_address IP address to add flags Optional flags | ``persistent`` adds a persistent value that will be saved in a configuration file by the `save config`_ command =========== ============================================================================================= **Example** This example shows how to add the IP address ``10.0.0.1/24`` to the U32 set named ``ips1``: .. code-block:: none ipset add ips1 10.0.0.1/24 ipset del --------- This command deletes an IP address from a U32 set. .. code-block:: none ipset del **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of the U32 set to delete an IP address from ip_address IP address to delete =========== ============================================================================================= **Example** This example shows how to delete the IP address ``10.0.0.1/24`` from the U32 set named ``ips1``: .. code-block:: none ipset del ips1 10.0.0.1/24 ipset test ---------- This command checks whether a U32 set contains an IP address or not. .. code-block:: none ipset test **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of the U32 set to check ip_address IP address to check =========== ============================================================================================= **Example** This example shows how to check whether the U32 set named ``ips1`` contains the IP address ``10.0.0.1/24``: .. code-block:: none ipset test ips1 10.0.0.1/24 sh ipset -------- This command outputs information about an IP set. .. code-block:: none sh ipset **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of an IP set to output information =========== ============================================================================================= **Example** The response has the following format: .. code-block:: none sh ipset ips1 U32SET name ips1, type IP, hash size 4096, hash bucket size 16, num items: 1 ipv4 address 10.1.1.1 l2 set ====== l2set add --------- This command adds a VIF identifier to a U32 set. The VIF identifier is a combination of ``port``, ``svid``, and ``cvid`` values and it is an integral element of the set. .. code-block:: none l2set add port svid cvid [flags [,...]] **Description** +-------+---------------------------+-----------------------+ | Item | Description | Value | +=======+===========================+=======================+ | name | Name of the U32 set to add|| The U32 | | | a VIF identifier | set | | | | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters | +-------+---------------------------+-----------------------+ | port | The port number to which | | | | the VIF is added | | +-------+---------------------------+-----------------------+ | svid | Service VLAN ID | 1-4095 | +-------+---------------------------+-----------------------+ | cvid | Customer VLAN ID | 1-4095 | +-------+---------------------------+-----------------------+ | flags | optional flags || ``persistent`` adds | | | | a persistent value | | | | that will be saved | | | || in a | | | | a configuration file | | | | by the `save config`_ | | | || command | +-------+---------------------------+-----------------------+ **Example** This example shows how to add the VIF identifier ``port 1 svid 2 cvid 3`` to the U32set named ``l2s1``: .. code-block:: none l2set add l2s1 port 1 svid 2 cvid 3 l2set del --------- This command deletes a VIF identifier (port, svid, and cvid) from a U32 set. .. code-block:: none l2set del port svid cvid **Description** +------+---------------------------+-----------+ | Item | Description | Value | +======+===========================+===========+ | name | Name of the U32 set to || The U32 | | | delete a VIF identifier | set | | | | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| +------+---------------------------+-----------+ | port | The port number to which | | | | the VIF is added | | +------+---------------------------+-----------+ | svid | Service VLAN ID | 1-4095 | +------+---------------------------+-----------+ | cvid | Customer VLAN ID | 1-4095 | +------+---------------------------+-----------+ **Example** This example shows how to delete the VIF identifier ``port 1 svid 2 cvid 3`` from the U32set named ``l2s1``: .. code-block:: none l2set del l2s1 port 1 svid 2 cvid 3 l2set test ---------- This command checks whether a U32 set contains a VIF identifier or not. .. code-block:: none l2set test port svid cvid **Description** +------+---------------------------+-----------+ | Item | Description | Value | +======+===========================+===========+ | name | Name of the U32 set to || The U32 | | | check a VIF identifier | set | | | | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| +------+---------------------------+-----------+ | port | The port number to which | | | | the VIF is added | | +------+---------------------------+-----------+ | svid | Service VLAN ID | 1-4095 | +------+---------------------------+-----------+ | cvid | Customer VLAN ID | 1-4095 | +------+---------------------------+-----------+ **Example** This example shows how to check whether the U32set named ``l2s1`` contains the VIF identifier ``port 1 svid 2 cvid 3`` or not: .. code-block:: none l2set test l2s1 port 1 svid 2 cvid 3 sh l2set -------- This command outputs information about an L2 set. .. code-block:: none sh l2set **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= name Name of an L2 set to output information =========== ============================================================================================= **Example** The response has the following format: .. code-block:: none sh l2set l2s1 U32SET name l2s1, type L2, hash size 4096, hash bucket size 16, num items: 1 port_id.svid.cvid 1.0.30 Prefix Map ========== The prefix map is a map containing IPv4 prefixes and integer values associated with them. It can be used to classify a packet. The value associated with the prefix matched to the packet can be used for further packet processing. For example, the prefix map is used by a multi-policer that applies different policies depending on the source or destination address of the packet. The value associated with the prefix indicates the multi-policer's ID in this case. The prefix map performs a search using the LPM algorithm (`Longest prefix match `_). From two prefixes that differ only in length, the longer prefix will be selected. For example, in case of 2 prefixes: ``10.0.0.0/29`` and ``10.0.0.0/24``, the address ``10.0.0.2`` matches the prefix ``10.0.0.0/29``, because ``29`` is longer than ``24``. prefix map create ----------------- This command creates a new prefix map. .. code-block:: none prefix map create [type ] **Description** ============= ============================================================ ========== Item Description Value ============= ============================================================ ========== prefix_map_id ID of a prefix map to create 0-31 map_type Prefix map type. Default type is ipv4. ipv4, ipv6 ============= ============================================================ ========== **Example** This example shows how to create a new ipv4 prefix map with the ID ``10``: .. code-block:: none prefix map create 10 type ipv4 prefix map destroy ------------------ This command deletes a prefix map. .. code-block:: none prefix map destroy **Description** ============= ============================================================ Item Description ============= ============================================================ prefix_map_id ID of a prefix map to delete ============= ============================================================ **Example** This example shows how to delete a prefix map with the ID ``10``: .. code-block:: none prefix map destroy 10 prefix map add -------------- This command adds a prefix and a value associated with it into a prefix map. .. code-block:: none prefix map add / value [flags ] **Description** ============= ============================================================ Item Description ============= ============================================================ prefix_map_id ID of a prefix map to add a prefix prefix IPv4 prefix to add mask Subnet mask value The number that will be associated with the prefix flags Optional flags: | ``persistent`` adds a persistent value that will be saved in a configuration file by the `save config`_ command ============= ============================================================ **Example** This example shows how to add the IPv4 prefix ``192.168.1.115/32`` and its associated value ``2`` to the prefix map ``10``: .. code-block:: none prefix map add 10 192.168.1.115/32 value 2 prefix map del -------------- This command deletes a prefix from a prefix map. .. code-block:: none prefix map del **Description** ============= ============================================================ Item Description ============= ============================================================ prefix_map_id ID of a prefix map to delete a prefix ipv4_prefix IPv4 prefix to delete ============= ============================================================ **Example** This example shows how to delete the prefix ``192.168.1.115/32`` from the prefix map ``10``: .. code-block:: none prefix map del 10 192.168.1.115/32 sh prefix map ------------- This command outputs the content of a prefix map. .. code-block:: none sh prefix map **Description** ============= ============================================================ Item Description ============= ============================================================ prefix_map_id ID of a prefix map to output ============= ============================================================ **Example** The response has the following format: .. code-block:: none sh prefix map 10 prefix map id 10, num prefixes 4 192.168.1.116/32 3 192.168.1.117/32 4 10.11.1.10/32 101 192.168.1.115/32 2 IPv4 addressing and routing *************************** This section describes the commands for configuring IPv4 routing and addressing. IP addresses ============ ip addr add ----------- This command assigns an IP address to a VIF. .. code-block:: none ip addr add / dev **Description** =========== ============================================================ Item Description =========== ============================================================ ip_address IP address to assign mask Subnet mask (1-32) vif_name Name of the VIF to assign an IP address =========== ============================================================ **Example** This example shows how to assign ``10.0.0.1/24`` IP address to the VIF named ``v20``: .. code-block:: none ip addr add 10.0.0.1/24 dev v20 ip addr del ----------- This command deletes an IP address from a VIF. .. code-block:: none ip addr del / dev **Description** =========== ============================================================= Item Description =========== ============================================================= ip_address IP address to delete mask Subnet mask (1-32) vif_name Name of the VIF to delete the IP address =========== ============================================================= **Example** This example shows how to delete ``10.0.0.1/24`` IP address assigned to the VIF named ``v20``: .. code-block:: none ip addr del 10.0.0.1/24 dev v20 sh ip addr ---------- The command outputs a list of IP addresses in use. .. code-block:: none sh ip addr **Example** .. code-block:: none name port vid encapsulation v20 0 0.20 dot1q 192.168.1.1/24 primary v30 1 0.30 dot1q 192.168.2.1/24 primary lo 255 4095.4095 qinq 5.5.5.5/32 h .. note:: The ``vid`` value consists of . IP address VLAN set commands ============================ These commands are used to simultaneously add/delete addresses to/from multiple VIFs. VIFs are selected with the help of the VLAN set module. ip addr add vlan set -------------------- This command adds an IP address to multiple VIFs created by the `vif add vlan set`_ command. .. code-block:: none ip addr add / vlan set [prefix ] **Description** =========== ============================================================ ======== Item Description Value =========== ============================================================ ======== ip_address IP address to assign to VIFs mask Subnet mask (1-32) vlan_set_id ID of a VLAN set to select the VIFs vif_prefix VIF name prefix (optional). It should be the the same VIF name prefix that was used with `vif add vlan set`_ command. =========== ============================================================ ======== **Example** This example shows how to add IP address 10.0.0.1/24 to the VIFs created with VLAN set 2. .. code-block:: none ip addr add 10.0.0.1/24 vlan set 2 .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. ip addr del vlan set -------------------- This command deletes an IP address from multiple VIFs created by the `vif add vlan set`_ command. .. code-block:: none ip addr del / vlan set [prefix ] **Description** =========== ============================================================ ======== Item Description Value =========== ============================================================ ======== ip_address IP address to delete from VIFs mask Subnet mask (1-32) vlan_set_id ID of a VLAN set to select the VIFs vif_prefix VIF name prefix (optional). It should be the the same VIF name prefix that was used with `vif add vlan set`_ command. =========== ============================================================ ======== **Example** This example shows how to delete IP address 10.0.0.1/24 from the VIFs created with VLAN set 2. .. code-block:: none ip addr del 10.0.0.1/24 vlan set 2 .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. IP address range commands ========================= These commands are used to simultaneously change (add/remove) addresses of a set of VIFs. ip addr add range ----------------- This command adds an IP address to multiple VIFs. .. code-block:: none ip addr add range svid cvid / name **Description** =========== ============================================================ ======== Item Description Value =========== ============================================================ ======== svid_range Service VLAN ID or Service VLAN range 1-4095 cvid_range Customer VLAN ID or Customer VLAN range 1-4095 ip_address IP address to assign mask Subnet mask (1-32) name Name prefix =========== ============================================================ ======== .. note:: The names output in the table have the following structure ``prefixsvid.cvid``, where the prefix is a VIF name prefix. For example, if VIF name prefix is ``v``, SVID is ``1`` and CVID ``2``, the name will be ``v1.2``. **Example** This example shows how to add the IP address to the VIFs range 4.100-4.200: .. code-block:: none ip addr add range svid 4 cvid 100 200 10.0.0.1/24 name v20 ip addr del range ----------------- This command deletes an IP address from a VIFs range. .. code-block:: none ip addr del range svid cvid / name **Description** =========== ============================================================ ======== Item Description Value =========== ============================================================ ======== svid_range Service VLAN ID or Service VLAN range 1-4095 cvid_range Customer VLAN ID or Customer VLAN range 1-4095 ip_address IP address to delete mask Subnet mask (1-32) name Name prefix =========== ============================================================ ======== **Example** This example shows how to delete the IP address from the VIFs range 4.100-4.200: .. code-block:: none ip addr add range svid 4 cvid 100 200 10.0.0.1/24 name v20 IP routing tables ================= **Bison Router** forward packets based on routing tables, the sum of which forms the FIB (Forwarding Information Base). Multiple routing tables are supported. The main table is created automatically and used by default. All other tables are optional, they are created and edited manually. If multiple tables are used, the table selection is based on PBR (Policy-based Routing). ip route table add ------------------ This command creates a new routing table. .. code-block:: none ip route table add **Description** +------+---------------------------+-----------+ | Item | Description | Value | +======+===========================+===========+ | name | Name of the routing table || The table| | | to be added | name must | | | | start | | | | with a | | | | letter. | | | || The max. | | | | name | | | | length | | | | is 96 | | | | characters| | | | | | | | | | | | | | | | | | | | | +------+---------------------------+-----------+ **Example** This example shows how to create a new routing table named ``table_1``: .. code-block:: none ip route table add table_1 ip route table del ------------------ This command deletes a routing table. .. code-block:: none ip route table del **Description** =========== ============================================================= Item Description =========== ============================================================= name Name of the table to delete =========== ============================================================= **Example** This example shows how to delete a routing table named ``table_1``: .. code-block:: none ip route table del table_1 sh ip route tables ------------------ This command shows a list of routing tables. .. code-block:: none sh ip route tables **Example** The response has the following format: .. code-block:: none sh ip route tables main table_1 IP routes ========= After creating routing tables, you can add routes to them. ip route add ------------ The following command syntax creates a route to a **directly connected network**. .. code-block:: none ip route add / dev [src ] [table ] [flags [, ...]] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= ip_address Directly connected network mask Directly connected network mask (1-32) vif_name The name of the VIF to which the network is connected src_ip Source IP address table_name Specify the name of the table to add a route, otherwise it is added to the default one flags Optional flags: | ``redistribute`` - redistribute this route to Quagga/FRR. =========== ============================================================================================= **Example** This example shows how to add a connected route to a routing table named ``table_1``: .. code-block:: none ip route add 10.0.0.0/24 dev v20 table table_1 This command creates a **route to a remote network**. .. code-block:: none ip route add / via [src ] [table ] .. Note:: The IP address of the gateway must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually. **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= ip_address Remote network mask Remote network mask (1-32) gw_ip IP of the gateway to reach the remote network src_ip Source IP address table_name Specify the name of the table to add a route, otherwise it is added to the default one =========== ============================================================================================= **Example** This example shows how to add a route to a remote network to the main routing table: .. code-block:: none ip route add 10.0.0.0/24 via 192.168.1.15 This command creates an **unreachable route**. .. code-block:: none ip route add / unreachable [table ] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= ip_address Unreachable route mask Network mask (1-32) table_name Specify the name of the table to add a route, otherwise it is added to the default one =========== ============================================================================================= **Example** This example shows how to add an unreachable route to the main routing table: .. code-block:: none ip route add 10.0.0.0/24 unreachable ip route del ------------ This command deletes a route from a routing table. .. code-block:: none ip route del [table ] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= ip_address IP route prefix to delete mask Network mask (1-32) table_name Name of the table to delete the route =========== ============================================================================================= **Example** This example shows how to delete a route from the main routing table: .. code-block:: none ip route del 10.0.0.0/24 sh ip route ----------- This command outputs the content of a routing table. .. code-block:: none sh ip route [table_name] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= table_name Name of the table which content is output =========== ============================================================================================= .. note:: If the ``table_name`` parameter is not specified, the content of the main table is output by default. **Example** The response has the following format: .. code-block:: none sh ip route 10.114.0.0/29 unreachable proto rcli 5.5.5.5/32 local proto internal 192.168.1.0/24 C dev v20 src 192.168.1.1 proto internal 10.8.0.0/24 via 192.168.2.2 dev v30 src 192.168.2.1 proto rcli 224.0.0.0/4 unreachable proto rcli 192.168.2.0/24 C dev v30 src 192.168.2.1 proto internal 0.0.0.0/0 via 192.168.1.2 dev v20 src 192.168.1.1 proto rcli In particular, the response contains data on **route types** and **route origin**. **Route types** =========== ============================================================================================= Name Description =========== ============================================================================================= local Local network C Directly connected network unreachable Unreachable network via Remote network reachable via a gateway =========== ============================================================================================= **Route origin** =========== ============================================================================================= Name Description =========== ============================================================================================= rcli A route manually created with rcli internal Created by **Bison Router** fpm Created by Quagga/FRR =========== ============================================================================================= ip route get ------------ This command outputs the ip route that is used to forward a particular packet. .. code-block:: none ip route get [table ] [src ] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= dst_ip Destination IP address to lookup a route for. table_name Optional. Name of the routing table to lookup for a route in. src_ip | Optional. Source IP address to lookup for a particular next-hop | in a multi-hop route. It's used only with UCMP multi-hop routes | with 'ip_src_dst' or 'ip_src' hash function types. =========== ============================================================================================= .. note:: If the ``table_name`` parameter is not specified, the content of the main table is output by default. Equal-cost multipath (ECMP) and Unequal-cost multipath (UCMP) routing ===================================================================== BisonRouter supports both Equal-cost multipath (ECMP) and Unequal-cost multipath or Weighted mulltipath (UCMP) routing schemes. ECMP/UCMP routes can be created either manually or received from FRR routing daemons. Packets of the same L3 flow are always forwarded via the same path. ECMP/UCMP ip route add ---------------------- This command creates a multi-path route (ECMP or UCMP) to a remote network. .. code-block:: none ip route add / via nexthop weight [nexthop weight ...] [hash type ] [table ] [flags [, ...]] .. Note:: Nexthop IP addresses must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually. **Description** ================= ============================================================================================= Item Description ================= ============================================================================================= ip_address Remote network mask Remote network mask (1-32) nexthop1_ip IP address of the nexthop 1 gateway nexthop1_weight Nexthop 1 weight nexthop2_ip IP address of the nexthop 2 gateway nexthop2_weight Nexthop 2 weight hash_type | Optional parameter. Specifies a type of hash-function to determine | a next hop index for a particular packet. | Possible values: | ``ip_src_dst`` - a hash function that calculates the next hop index | using src-ip and dst-ip packet header fields | ``ip_src`` - a hash function that calculates the next hop index | using src-ip packet header field | ``ip_dst`` - a hash function that calculates the next hop index | using dst-ip packet header field | When omitted default global hash function type is used. | Default global hash function is set up with ``fib_multihop_default_hash_type`` | sysctl string variable that uses the same hash function type names. table_name The name of the table to add a route. The Main routing table is used by default. flags | Optional flags: | ``redistribute`` - redistribute this route to Quagga/FRR. ================= ============================================================================================= **Example** This example shows how to add a UCMP default route to the main routing table. The route is a two-path route. Path #1 has a weight 1. Path #2 has a weight 3. Those weights will result in 25% of traffic being forwarded via the path #1, and 75% of traffic via path #2. .. code-block:: none rcli ip route add 0.0.0.0/0 via nexthop 192.168.1.3 weight 1 nexthop 192.168.1.5 weight 3 hash type ip_src table main This example shows how to add a ECMP default route to the main routing table: .. code-block:: none rcli ip route add 0.0.0.0/0 via nexthop 192.168.1.3 weight 1 nexthop 192.168.1.5 weight 1 table main This example shows how to set up global default next hop hash function type for UCMP routes. .. code-block:: none rcli 'sysctl set fib_multihop_default_hash_type "ip_dst"' FRR and UCMP/ECMP ----------------- UCMP and ECMP routes can be created dynamically with the help of FRR software. https://docs.frrouting.org/en/latest/bgp.html#weighted-ecmp-using-bgp-link-bandwidth .. Note:: FRR should be compiled with the options '--enable-fpm' '--enable-multipath=8’. Policy-based Routing (PBR) ========================== Policy-based Routing (**PBR**) is a technique used to make routing decisions based on rules and packet data. The rules apply to each incoming packet and determine which routing table will be used to route the packet. The rules are analyzed in the order of the specified priority until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. If no match is found or there are no PBR rules then the main routing table is used. ip pbr rule add --------------- This command creates a PBR rule. There are several syntax types to create rules with different matching criteria. **Add a PBR rule for a U32 set** This command creates a PBR rule to match the traffic originating from one of the IP addresses contained in the IP set or VIFs contained in L2 set. .. code-block:: none ip pbr rule add prio u32set type table **Description** =========== ==================================================== ========================================== Item Description Value =========== ==================================================== ========================================== prio_num Priority number u32set_name Name of the U32 set to add to the rule type | ip - traffic originating from one | of the addresses contained in the IP set | l2 - traffic originating from one | of VIFs contained in an L2 set. table_name Name of the routing table to use =========== ==================================================== ========================================== **Examples** This example shows how to add a rule with a priority number ``1`` to match the traffic originating from one of the addresses contained in the IP set ``ips1``: .. code-block:: none ip pbr rule add prio 1 u32set ips1 type ip table table_1 This example shows how to add a rule with a priority number ``2`` to match the traffic originating from one of the VIFs contained in an L2 set ``l2settest``: .. code-block:: none ip pbr rule add prio 2 u32set l2settest type l2 table table_1 **Add a PBR rule for a network** This syntax variant creates a PBR rule to match the traffic originating from a particular network. To additionally match a destination network specify it in the parameter ``to `` (can be omitted). .. code-block:: none ip pbr rule add prio from / [to /] table **Description** ================== ===================================================== Item Description ================== ===================================================== prio_num Priority number src Source network src_mask Source network mask dst Destination network dest_mask Destination network mask table_name Name of the routing table to use ================== ===================================================== **Examples** This example shows how to create a rule with a priority number ``1`` to match the traffic originating from a particular network: .. code-block:: none ip pbr rule add prio 1 from 10.0.0.1/24 table table_1 This example shows how to create a rule with a priority number ``1`` to match the traffic originating from a particular network and destinated to another network: .. code-block:: none ip pbr rule add prio 1 from 10.200.22.0/24 to 10.200.23.0/24 table table_1 **Add an L4 PBR rule** This syntax variant creates a PBR rule to match the traffic sourced from or destinated to a specific L4 port. .. code-block:: none ip pbr rule add prio proto src|dst table **Description** ================== ===================================================== Item Description ================== ===================================================== prio_num Priority number ip_proto IP protocol port L4 port number table_name Name of the routing table to use ================== ===================================================== **Examples** This example shows how to create a rule with a priority number ``1`` to match the UDP traffic desinated to port 53: .. code-block:: none ip pbr rule add prio 1 proto udp dst port 53 table table_1 This example shows how to create a rule with a priority number ``1`` to match the UDP traffic sourced from port 80: .. code-block:: none ip pbr rule add prio 1 proto udp src port 80 table table_1 ip pbr rule del --------------- This command deletes a PBR rule with the given priority. .. note:: Removing a priority does not affect the priority numbering of other existing rules. .. note:: Avoid creating rules with the same priority, otherwise it may lead to unpredictable prioritization of these rules. To view the list of existing rules, use the command ``sh ip pbr rules``. .. code-block:: none ip pbr rule del prio **Description** ================== ===================================================== Item Description ================== ===================================================== prio_num Priority number ================== ===================================================== **Example** This example shows how to delete a PBR rule with the priority number ``2``: .. code-block:: none ip pbr rule del prio 2 ip pbr flush ------------ This command deletes all PBR rules. .. code-block:: none ip pbr flush sh ip pbr rules --------------- This command outputs all PBR rules. .. code-block:: none sh ip pbr rules **Example** The response has the following format: .. code-block:: none sh ip pbr prio condition rt_table 10 ipset ips1 rt_bl 20 l2set l2s1 rt_bl 30 from 10.200.22.0/24 rt_bl 40 from 10.200.22.0/24 to 10.200.23.0/24 rt_bl IPv4 ARP ******** ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. The ARP cache is a table of records consisting of three elements: IP address, MAC address, and VIF name. arp add ======= This command creates or edits an ARP record. .. code-block:: none arp add dev [type] **Description** ========== ================================================= ==================================== Item Description Value ========== ================================================= ==================================== ip_address IP address to map mac MAC address to map vif_name Name of the corresponding VIF type ARP record type | static - doesn't have a TTL | dynamic - has a TTL (default type) ========== ================================================= ==================================== .. note:: ARP TTL is configured in ``sysctl ``. This variable can be changed at any time. The default value is 300 seconds. **Example** This example shows how to add an ARP cache record mapping IP address ``10.0.0.1``, MAC address ``E0:D5:5E:8D:35:2E`` and VIF named ``v20``: .. code-block:: none arp add 10.0.0.1 E0:D5:5E:8D:35:2E dev v20 .. note:: VIF, in this case, is the scope of the command. Exactly the same IP and MAC addresses may exist within another VIF. arp del ======= This command deletes an ARP record. .. code-block:: none arp del dev **Description** ========== ================================================= Item Description ========== ================================================= ip_address IP address to delete vif_name Name of the corresponding VIF ========== ================================================= **Example** This example shows how to delete the ARP record for IP address ``10.0.0.1`` and VIF ``v20``: .. code-block:: none arp del 10.0.0.1 dev v20 sh arp cache ============ This command outputs the content of the ARP cache. .. code-block:: none sh arp cache **Example** .. code-block:: none sh arp cache port vid ip mac type state 2 0.3 192.168.1.165 E0:D5:5E:8D:35:2E dynamic ok 2 0.5 192.168.5.101 A8:5B:78:09:0C:E1 dynamic ok 2 0.3 192.168.1.3 D4:CA:6D:7C:D0:DF dynamic ok 2 0.20 192.168.20.3 E0:D5:5E:8D:35:2E dynamic ok 2 0.20 192.168.20.2 60:A4:4C:41:0A:24 dynamic ok .. note:: The ``vid`` value consists of ``.`` Possible types: =========== ============================================== Type Description =========== ============================================== Dynamic Has a TTL Static Doesn't have a TTL =========== ============================================== Possible states: =========== ====================================================================== State Description =========== ====================================================================== ok Ready to use resolving ARP request sent, but still no response received failed ARP request sent, no response received (final state) stale Response received, but the value of the MAC address could be outdated =========== ====================================================================== Utilities ********* ping ==== Ping is a utility used to test the reachability of a host on an IP network. Ping measures the round-trip time for messages sent from the originating host to a destination device that are echoed back to the source. .. note:: This command is only used on the command line. .. code-block:: none ping --help Usage: ping [-c,--count ] [-i,--interval ] [-s ] [-f,--dont_frag] [-a,--source_address ] [-w,--nowait] [-h,--help] **Description** ================= ====================================================================== ===== Parameter Description Value ================= ====================================================================== ===== count Number of test packets (default value - 5) interval Time interval between requests ms icmp_payload_size Request size bytes dont_frag Don't fragment src_ip_address VIF IP address from which the request is sent nowait Send requests without pauses help Output help dest_ip_address Destination IP address ================= ====================================================================== ===== **Example** .. code-block:: none ping 8.8.8.8 Ping 8.8.8.8 56(84) bytes of data. reply 56 bytes icmp_seq=1 time=103.515 ms reply 56 bytes icmp_seq=2 time=109.306 ms reply 56 bytes icmp_seq=3 time=103.933 ms reply 56 bytes icmp_seq=4 time=119.942 ms reply 56 bytes icmp_seq=5 time=121.397 ms --- Ping 8.8.8.8 statistics: sent: 5, recv: 5 (100%), lost: 0 (0%) round-trip min/avg/max = 103.515/111.617/121.397 traceroute ========== Traceroute is an utility to discover the route packets take to a specified network host. .. note:: This command is only used on the command line. .. code-block:: none rcli traceroute --help Usage: traceroute [-c dont_inc_dst_port] [-f first_ttl] [-m max_ttl] [-P proto] [-l payload_len] [-s src_address] [-q nprobes] [-t tos] [-w waittime] [-o src_port] [-b base_dst_port] [-h,--help] host **Description** ==================== ====================================================================== ===== Parameter Description Value ==================== ====================================================================== ===== dont_inc_dst_port Don't increment the destination port number in UDP packets first_ttl Set the initial TTL number max_ttl Set the max TTL number proto Set the protocol being used to discover the route. icmp and udp protocol are supported payload_len Set the length of payloads src_address Set the source IP addres of probes nprobes Set the number of probes to send for each TTL tos Set the TOS value of probes waittime Wait time in ms for a response to a probe src_port Set the source port of probes. Only for UDP. base_dst_port Set the base destination port number. Only for UDP. help Output the help message host Destination host ==================== ====================================================================== ===== **Example** .. code-block:: none rcli traceroute -p icmp xx.xx.1.1 traceroute to xx.xx.1.1, 64 hops max, payload 16 bytes 1 192.168.1.2 0.332ms 0.169ms 0.150ms 2 xx.xx.1.1 0.756ms 0.283ms 0.165ms arping ====== ARPING is an utility to test reachability of a host on a connected IP network. ARPING sends ARP requests to the specified host and ouputs hosts replies. .. note:: This command is only used on the command line. .. code-block:: none rcli arping --help Usage: arping [-c,--count count] [-i,--interval interval_in_ms] [-h,--help] destination ip **Description** ================= ====================================================================== ===== Parameter Description Value ================= ====================================================================== ===== count Number of probe ARP requests (default value is 5) interval Time interval between requests ms help Output the help message destination ip Destination IP address ================= ====================================================================== ===== **Example** .. code-block:: none rcli arping 192.168.1.2 arping 192.168.1.2 reply time 0.168 ms from xx:xx:xx:xx:xx:1B reply time 0.147 ms from xx:xx:xx:xx:xx:1B reply time 0.216 ms from xx:xx:xx:xx:xx:1B reply time 0.211 ms from xx:xx:xx:xx:xx:1B reply time 0.135 ms from xx:xx:xx:xx:xx:1B --- arping 192.168.1.2 statistics: sent: 5, recv: 5 (100%), lost: 0 (0%) round-trip min/avg/max ms 0.135/0.175/0.216 IPv6 addressing and routing *************************** This section describes the commands for configuring IPv6 routing and addressing. Virtual interface IPv6 addressing ================================= ipv6 enable ----------- This command enables IPv6 protocol on a VIF and creates a link-local address using the `EUI-64 scheme `_. .. code-block:: none ipv6 enable dev **Description** =========== ============================================== Item Description =========== ============================================== vif_name Name of the VIF to enable the protocol =========== ============================================== **Example** This example shows how to enable IPv6 protocol on the VIF named ``v20``: .. code-block:: none ipv6 enable dev v20 ipv6 disable ------------ This command disables IPv6 protocol for a VIF and deletes all corresponding addresses and routes. .. code-block:: none ipv6 disable dev **Description** =========== ============================================== Item Description =========== ============================================== vif_name Name of the VIF to disable the protocol =========== ============================================== **Example** This example shows how to disable IPv6 protocol for the VIF named ``v20``: .. code-block:: none ipv6 disable dev v20 ipv6 enable vlan set -------------------- This command enables the IPv6 protocol at the VIFs with the VLAN ids from a VLAN set. .. code-block:: none ipv6 enable vlan set [prefix ] **Description** +-------------------+---------------------------+-----------+ | Item | Description | Value | +===================+===========================+===========+ | vlan_set_id | VLAN set id | | +-------------------+---------------------------+-----------+ | vif_name_prefix | VIF name prefix. Default | | | | value is 'v' | | +-------------------+---------------------------+-----------+ .. note:: The VIF name prefix value should match the prefix value that was used to create VIFs by `vif add vlan set`_ command. .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. **Example** .. code-block:: none ipv6 enable vlan set 2 This command enables the IPv6 protocol at the VIFs with the VLAN ids from the VLAN set 2. ipv6 disable vlan set --------------------- This command disables the IPv6 protocol at the VIFs with the VLAN ids from a VLAN set. .. code-block:: none ipv6 disable vlan set [prefix ] **Description** +-------------------+---------------------------+-----------+ | Item | Description | Value | +===================+===========================+===========+ | vlan_set_id | VLAN set id | | +-------------------+---------------------------+-----------+ | vif_name_prefix | VIF name prefix. Default | | | | value is 'v' | | +-------------------+---------------------------+-----------+ .. note:: The VIF name prefix value should match the prefix value that was used to create VIFs by `vif add vlan set`_ command. .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. **Example** .. code-block:: none ipv6 disable vlan set 2 This command disables the IPv6 protocol at the VIFs with the VLAN ids from the VLAN set 2. ipv6 enable vif range --------------------- This command enables or disables IPv6 protocol for a VLAN range. .. note:: The ``range`` parameter represents a range of numbers. Enter two numbers separated by a space to specify a range (for example, ``cvid 100 200`` means Customer VLAN IDs from 100 to 200) and one number if it is a particular object (``cvid 100`` means Customer VLAN ID number 100). .. code-block:: none ipv6 vif range svid cvid name **Description** =========== ================================================================================== ========= Item Description Value =========== ================================================================================== ========= state Enter ``enable`` to enable Router Advertisement messages or ``disable`` to disable | enable | disable svid_range Service VLAN ID or Service VLAN range 1-4095 cvid_range Customer VLAN ID or Customer VLAN range 1-4095 vif_name Name of the range of virtual interfaces to enable =========== ================================================================================== ========= **Example** This example shows how to enable IPv6 protocol on a VLAN range from 4.100 to 5.200 within the VIF ``v20``: .. code-block:: none ipv6 enable vif range svid 4 5 cvid 100 200 name v20 ipv6 addr add eui-64 -------------------- This command generates an address using the given prefix and the VIF ID (EUI-64 scheme) and assigns the address to the VIF. .. code-block:: none ipv6 addr add eui-64 / eui-64 dev **Description** =========== ============================================== Item Description =========== ============================================== prefix IPv6 prefix length IPv6 prefix length vif_name Name of the VIF to assign an IPv6 address =========== ============================================== **Example** This example shows how to generate an IPv6 address using the prefix ``2001:470:1f0e:1461::`` and assign it to the VIF ``v20``. .. code-block:: none ipv6 addr add eui-64 2001:470:1f0e:1461::/64 eui-64 dev v20 ipv6 addr add ------------- This command assigns an IPv6 address to a VIF. .. code-block:: none ipv6 addr add / dev **Description** ============ ============================================== Item Description ============ ============================================== ipv6_address IPv6 address length IPv6 address length vif_name Name of the VIF to assign an IPv6 address ============ ============================================== **Example** This example shows how to assign IPv6 address ``2001:470:1f0e:1461::2/64`` to VIF ``v20``: .. code-block:: none ipv6 addr add 2001:470:1f0e:1461::2/64 dev v20 ipv6 addr link-local -------------------- This command assigns an IPv6 link-local address to a VIF. .. code-block:: none ipv6 addr link-local dev **Description** ============ ============================================== Item Description ============ ============================================== ipv6_address IPv6 address vif_name Name of the VIF to assign an IPv6 address ============ ============================================== **Example** This example shows how to assign IPv6 link-local address ``fe80::1269:ddac:fe32:d336`` to VIF ``v20``: .. code-block:: none ipv6 addr link-local fe80::1269:ddac:fe32:d336 dev v20 ipv6 addr link-local eui-64 --------------------------- This command generates a link-local address using the EUI-64 scheme and assigns it to a VIF. .. code-block:: none ipv6 addr link-local eui-64 dev **Description** ============ ============================================== Item Description ============ ============================================== vif_name Name of the VIF to assign an IPv6 address ============ ============================================== **Example** This example shows how to assign a link-local address generated using the EUI-64 scheme to the VIF ``v20``: .. code-block:: none ipv6 addr link-local eui-64 dev v20 ipv6 addr auto -------------- This command enables/disables SLAAC client on a VIF. After enabling, **Bison Router** starts assigning dynamic IPv6 addresses on an interface based on the information received in Router Advertisement messages. .. code-block:: none ipv6 addr auto dev **Description** ============ =========================================================== ========= Item Description Value ============ =========================================================== ========= vif_name Name of the VIF to enable SLAAC state Enter ``enable`` to enable SLAAC or ``disable`` to disable | enable | disable ============ =========================================================== ========= ipv6 addr del ------------- This command deletes an address from a VIF. .. code-block:: none ipv6 addr del dev **Description** ============ ============================================== Item Description ============ ============================================== ipv6_address IPv6 address length IPv6 address length vif_name Name of the VIF to assign an IPv6 address ============ ============================================== **Example** This example shows how to delete the IPv6 address ``2001:470:1f0e:1461::2/64`` from the VIF ``v20``: .. code-block:: none ipv6 addr del 2001:470:1f0e:1461::2/64 dev v20 sh ipv6 addr ------------ This command outputs IPv6 addresses assigned to VIFs. .. code-block:: none sh ipv6 addr **Example** Example of the response for ``sh ipv6 addr`` command: .. code-block:: none sh ipv6 addr vif v20 port 0, vlan 0.20, encapsulation dot1q IPv6 is enabled, link-local address is fe80::16d7:64ff:feac:1aee, flags PREF Global unicast address(es): 2001:470:1f0e:1461::1/64, flags PREF Solicited-node mcast address(es): ff02::1:ffac:1aee ff02::1:ff00:1 Joined multicast group address(es): ff02::2 IPv6 routing tables =================== Bison Router forward packets based on routing tables, the sum of which forms the FIB (Forwarding Information Base). Multiple routing tables are supported. The main table is created automatically and used by default. All other tables are optional, they are created and edited manually. If multiple tables are used, the table selection is based on PBR (Policy-based Routing). ipv6 route table add -------------------- This command creates a new IPv6 routing table .. code-block:: none ipv6 route table add **Description** ============ ============================================== ======================================================================= Item Description Value ============ ============================================== ======================================================================= name Name of the routing table to be added | The table name must start with a letter. | The max. name length is 96 characters ============ ============================================== ======================================================================= **Example** This example shows how to create a new IPv6 routing table named ``table_1``: .. code-block:: none ipv6 route table add table_1 ipv6 route table del -------------------- This command deletes an IPv6 routing table from the FIB. .. code-block:: none ipv6 route table del **Description** ============ ============================================== Item Description ============ ============================================== name Name of the routing table to delete ============ ============================================== **Example** This example shows how to delete the IPv6 routing table named ``table_1``: .. code-block:: none ipv6 route table del table_1 sh ipv6 route ------------- This command outputs the content of an IPv6 routing table. .. code-block:: none sh ipv6 route [table ] **Description** ============ ============================================== Item Description ============ ============================================== name IPv6 routing table name ============ ============================================== .. Note:: If the table name is not specified, the content of the main (default) routing table is output. **Example** Example of a response to the command: .. code-block:: none sh ipv6 route 2001:470:1f0e:1461::/64 C dev v20 proto internal ::/0 via 2001:470:1f0e:1461::2 dev v20 proto rcli IPv6 routes =========== After creating routing tables, you can add routes to them. ipv6 route add -------------- **Directly connected network** The following command syntax creates a route to a directly connected network. .. code-block:: none ipv6 route add dev [table ] **Description** ============ ====================================================================================== Item Description ============ ====================================================================================== prefix Directly connected network prefix length Directly connected network prefix length vif_name The name of the VIF to which the network is connected table_name Specify the name of the table to add a route, otherwise it is added to the default one ============ ====================================================================================== **Example** This example shows how to add a connected route to a routing table named ``table_1``: .. code-block:: none ipv6 route add 2001:470:1f0e:1461::/64 dev v20 table_1 **Remote network** This command creates a route to a remote network. .. code-block:: none ipv6 route add via [table ] .. note:: The IP address of the gateway must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually. **Description** ============ ====================================================================================== Item Description ============ ====================================================================================== prefix Remote network prefix length Remote network prefix length ipv6-address IPv6 address of the gateway to reach the remote network table_name Specify the name of the table to add a route, otherwise it is added to the default one ============ ====================================================================================== **Example** This example shows how to add to the main routing table a route to a remote network: .. code-block:: none ipv6 route add 2001:470:1f0e:1461::/64 via 2001:470:1f0e:1462::3 table_1 **Default route** This command adds a default route into a routing table. .. code-block:: none ipv6 route add ::/0 via [table ] **Description** ============ ====================================================================================== Item Description ============ ====================================================================================== ipv6-address IPv6 address of the default gateway table_name Specify the name of the table to add a route, otherwise it is added to the default one ============ ====================================================================================== **Example** This example shows how to add a default route to a routing table named ``table_1``: .. code-block:: none ipv6 route add ::/0 via 2001:470:1f0e:1461::2 table_1 **Unreachable route** This command creates an unreachable route. .. code-block:: none ipv6 route add unreachable [table ] **Description** ============ ====================================================================================== Item Description ============ ====================================================================================== prefix Unreachable route prefix length Prefix length table_name Specify the name of the table to add a route, otherwise it is added to the default one ============ ====================================================================================== **Example** This example shows how to add an unreachable route to the main routing table: .. code-block:: none ipv6 route add 2001:470:1f0e:1461::/64 unreachable ipv6 route del -------------- This command deletes a route from a routing table. .. code-block:: none ipv6 route del [table ] **Description** =========== ============================================================================================= Item Description =========== ============================================================================================= prefix IPv6 route prefix to delete length Network prefix length table_name Name of the table to delete the route =========== ============================================================================================= **Example** This example shows how to delete the route for ``2001:470:1f0e:1461::/64`` from the main routing table: .. code-block:: none ipv6 route del 2001:470:1f0e:1461::/64 ipv6 route default auto ----------------------- This command enables creation of a default route based on information from Router Advertisement messages. After enabling, **Bison Router** will create a default route based on the first Router Advertisement message received by the interface and associate a timer with this route. The timer value will match the ``RA.lifetime`` value from the message. After the timer expires, the default route will be deleted, and **Bison Router** will be ready to create a new default route as soon as it receives another Router Advertisement message. .. code-block:: none ipv6 route default auto dev **Description** ============ ====================================================================== ========= Item Description Value ============ ====================================================================== ========= vif_name Name of the VIF to enable default route creation state Enter ``enable`` to enable creation or ``disable`` to disable it | enable | disable ============ ====================================================================== ========= **Example** This example shows how to enable a default route for the VIF ``v20``: .. code-block:: none ipv6 route default auto dev v20 enable IPv6 Policy-based routing ========================= Policy-based Routing (**PBR**) is a technique used to make routing decisions based on rules and packet data. The rules apply to each incoming packet and determine which routing table will be used to route the packet. The rules are analyzed in the order of the specified priority until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. If no match is found or there are no PBR rules then the main routing table is used. ipv6 pbr rule add prefix ------------------------ This syntax variant creates a PBR rule to match the traffic originating from a particular network. .. code-block:: none ipv6 pbr rule add prio from table **Description** =========== ======================================================== Item Description =========== ======================================================== prio_num Priority number prefix IPv6 prefix prefix to match the traffic originating from length IPv6 prefix length table_name Name of the routing table to use =========== ======================================================== **Example** This example shows how to add a rule with a priority number ``1`` to match the traffic originating from ``2001:470:1f0e:1461::/64``: .. code-block:: none ipv6 pbr rule add prio 1 from 2001:470:1f0e:1461::/64 table table_1 ipv6 pbr rule add set --------------------- This command creates a PBR rule to match the traffic received from one of the VIFs contained in L2 set. .. note:: So far, only ``l2`` value of the ``set type`` parameter is supported. .. code-block:: none ipv6 pbr rule add prio u32set type table **Description** =========== ==================================================== Item Description =========== ==================================================== prio_num Priority number set_name Name of the U32 set to use in a rule set_type Currently, only one type is supported in IPv6 ``l2`` table_name Name of the routing table to use =========== ==================================================== **Example** This example shows how to add a rule with a priority number ``1`` to match the traffic originating from l2 set named ``l2set_test``: .. code-block:: none ipv6 pbr rule add prio 1 u32set l2set_test type "l2" table table_1 ipv6 pbr rule del ----------------- This command deletes a PBR rule with the given priority. .. note:: Removing a priority does not affect the priority numbering of other existing rules. .. note:: Avoid creating rules with the same priority, otherwise it may lead to unpredictable prioritization of these rules. To view the list of existing rules, use the command ``sh ip pbr rules``. .. code-block:: none ipv6 pbr rule del prio **Description** =========== ==================================================== Item Description =========== ==================================================== prio_num Priority number =========== ==================================================== **Example** This example shows how to delete a PBR rule with the priority number ``2``: .. code-block:: none ipv6 pbr rule del prio 2 sh ip pbr rules --------------- This command outputs PBR rules. .. code-block:: none sh ip pbr rules **Example** The response has the following format: .. code-block:: none sh ipv6 pbr rules prio condition rt_table 10 from 2001:470:400e:1461::/64 main6 20 l2set l2s1 main6 IPv6 ARP ******** ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. The ARP cache is a table of records consisting of three elements: IPv6 address, MAC address and VIF name. ipv6 arp add ============ This command creates or edits an ARP record. .. code-block:: none ipv6 arp add dev [static] **Description** ============ ================================================= Item Description ============ ================================================= ipv6_address IPv6 address to map mac MAC address to map vif_name Name of the corresponding VIF static Add this parameter to disable TTL (optional) ============ ================================================= .. note:: ARP TTL is configured in ``nd_neighbor_cache_entry_ttl``. This variable can be changed at any time. The default value is 600 seconds. **Example** This example shows how to add an ARP cache record mapping IP address ``2001:470:1f0e:1461::2``, MAC address ``E0:D5:5E:8D:35:2E`` and VIF named ``v20``: .. code-block:: none ipv6 arp add 2001:470:1f0e:1461::2 E0:D5:5E:8D:35:2E dev v20 .. note:: VIF in this case is the scope of the command. Exactly the same IPv6 and MAC addresses may exist within another VIF. ipv6 arp del ============ This command deletes an ARP record. .. code-block:: none ipv6 arp del dev **Description** ============ ================================================= Item Description ============ ================================================= ipv6_address IPv6 address to delete vif_name Name of the corresponding VIF ============ ================================================= **Example** This example shows how to delete the ARP record for IP address ``2001:470:1f0e:1461::2`` and VIF ``v20``: .. code-block:: none arp del 2001:470:1f0e:1461::2 dev v20 sh ipv6 arp =========== This command outputs the content of the IPv6 ARP cache. .. code-block:: none sh ipv6 arp **Example** The response has the following format: .. code-block:: none sh ipv6 arp vif ip mac state flags flags: R - isRouter, P - probing, S - static port 0, vid 0.20, type 0 fe80::cd93:87a6:9c34:f752 DA:AB:79:AA:47:FB stale port 0, vid 0.20, type 0 2001:470:1f0e:1461::2 DA:AB:79:AA:47:FB reachable .. note:: The ``vid`` value consists of ``.`` Possible states: =========== ====================================================================== State Description =========== ====================================================================== reachable Record contains all the necessary data incomplete Response has not been received yet stale Response received, but the value of the MAC address could be outdated =========== ====================================================================== IPv6 ICMP Errors **************** icmp6 error msg =============== This command enables or disables the generation of ICMPv6 error messages with certain type and code. .. code-block:: none icmp6 error msg type code **Description** =========== ====================================================================== ========= Item Description Value =========== ====================================================================== ========= type_number ICMPv6 error message type number code_number ICMPv6 error message code number state Enter ``enable`` to enable the message or ``disable`` to disable | enable | disable =========== ====================================================================== ========= **Example** This example shows how to enable ICMPv6 message type ``3`` code ``6``: .. code-block:: none icmp6 error msg type 3 code 6 enable sh icmpv6 error msg =================== This command outputs the state of an ICMPv6 error message. .. code-block:: none sh icmpv6 error msg type code **Description** =========== ====================================================================== Item Description =========== ====================================================================== type_number ICMPv6 error message type number code_number ICMPv6 error message code number =========== ====================================================================== **Example** This example shows how to output information about the status of an ICMPv6 message type ``3`` code ``6``: .. code-block:: none sh icmpv6 error msg type 3 code 6 The response has the following format: .. code-block:: none sh icmpv6 error msg type 3 code 6 icmpv6 error message type 3, code 6 is enabled Possible statuses: .. code-block:: none icmpv6 error message type x, code x is not supported icmpv6 error message type x, code x is enabled icmpv6 error message type x, code x is disabled IPv6 Neighbor Discovery Router Advertisement ******************************************** ipv6 nd ra ========== This command enables or disables Router Advertisement messages on a VIF. If the Router Advertisement messages are disabled, the router will not transmit Router Advertisement messages on a VIF and will not respond to requests from neighbor routers. .. code-block:: none ipv6 nd ra dev **Description** =========== ====================================================================== ========= Item Description Value =========== ====================================================================== ========= state Enter ``enable`` to enable messages or ``disable`` to disable | enable | disable vif_name Name of a VIF to enable/disable Router Advertisement messages =========== ====================================================================== ========= **Example** This example shows how to enable Router Advertisement messages for the VIF ``v20``: .. code-block:: none ipv6 nd ra enable dev v20 ipv6 nd ra vlan set =================== .. code-block:: none ipv6 nd ra enable|disable vlan set [prefix ] These commands enable or disable transmission of IPv6 ND RA messages at the VIFs with ids from a VLAN set. **Description** +-------------------+---------------------------+-----------+ | Item | Description | Value | +===================+===========================+===========+ | vlan_set_id | VLAN set id | | +-------------------+---------------------------+-----------+ | vif_name_prefix | VIF name prefix. Default | | | | value is 'v' | | +-------------------+---------------------------+-----------+ .. note:: The VIF name prefix value should match the prefix value that was used to create VIFs by `vif add vlan set`_ command. .. note:: After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually. **Example** .. code-block:: none ipv6 nd ra enable vlan set 2 This command enables transmission of IPV6 ND RA messages at the VIFs with ids from the VLAN set 2. ipv6 nd ra enable vif range =========================== This command enables or disable Router Advertisement messages on a VLAN range. .. note:: The ``range`` parameter represents a range of numbers. Enter two numbers separated by a space to specify a range (for example, ``cvid 100 200`` means Customer VLAN IDs from 100 to 200) and one number if it is a particular object (``cvid 100`` means Customer VLAN ID number 100). .. code-block:: none ipv6 nd ra vif range svid cvid name **Description** =========== ================================================================================== ========= Item Description Value =========== ================================================================================== ========= state Enter ``enable`` to enable Router Advertisement messages or ``disable`` to disable | enable | disable svid_range Service VLAN ID or Service VLAN range 1-4095 cvid_range Customer VLAN ID or Customer VLAN range 1-4095 vif_name Name of the range of virtual interfaces to be added =========== ================================================================================== ========= **Example** This example shows how to enable Router Advertisement messages on a VLAN range from 4.100 to 5.200 within the VIF ``v20``: .. code-block:: none ipv6 nd ra enable vif range svid 4 5 cvid 100 200 name v20 ipv6 nd ra lifetime =================== This command configures the value of the lifetime field of Router Advertisement messages sent from a VIF. .. code-block:: none ipv6 nd ra lifetime dev **Description** =========== ============================================================================ ========= Item Description Value =========== ============================================================================ ========= number Lifetime value | sec | 16-9000 vif_name Name of a VIF to configure a lifetime value of Router Advertisement messages =========== ============================================================================ ========= **Example** This example shows how to set the lifetime field value equal to ``3600`` for the VIF ``v20``: .. code-block:: none ipv6 nd ra lifetime 3600 dev v20 ipv6 nd ra interval =================== This command configures ``MinRtrAdvInterval`` and ``MaxRtrAdvInterval`` variables and its values. For more information, see `6.2.1. Router Configuration Variables `_. .. code-block:: none ipv6 nd ra interval dev **Description** =========== ============================================================================ ============================ Item Description Value =========== ============================================================================ ============================ min_number MinRtrAdvInterval value | sec | 3-0.75 * MaxRtrAdvInterval max_number MaxRtrAdvInterval value | sec | 4-1800 vif_name Name of a VIF to configure a ``MinRtrAdvInterval`` variable =========== ============================================================================ ============================ **Example** This example shows how to set the ``MinRtrAdvInterval`` value ``3`` and the ``MaxRtrAdvInterval`` value ``10`` on the VIF ``v20``: .. code-block:: none ipv6 nd ra interval 3 10 dev v20 ipv6 nd ra reachable ==================== The command configures the value of the ``Reachable Time`` field in the Router Advertisement messages sent by **Bison Router**. .. note:: The value ``0`` means unspecified. .. code-block:: none ipv6 nd ra reachable dev **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== number Reachable time value | ms | <3,600,600 (1 hour) vif_name Name of a VIF to configure the Reachable Time =========== ============================================================================ ========================== **Example** This example shows how to set the Reachable Time field value equal to ``1000000`` on the VIF ``v20``: .. code-block:: none ipv6 nd ra reachable 1000000 dev v20 ipv6 nd ra retrans_timer ======================== This command configures the value of the ``Retrans Timer`` field in the Router Advertisement messages sent by **Bison Router**. .. note:: The value ``0`` means unspecified. .. code-block:: none ipv6 nd ra retrans_timer dev **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== number Retrans Timer value | ms | default value ``1000`` vif_name Name of a VIF to configure the Retrans Timer =========== ============================================================================ ========================== **Example** This example shows how to set the Retrans Timer equal to ``2000`` on the VIF ``v20``: .. code-block:: none ipv6 nd ra retrans_timer 2000 dev v20 ipv6 nd ra hop_limit ==================== This command configures the default value of the ``Cur Hop Limit`` field in the Router Advertisement messages sent by **Bison Router**. The value should be set to the current diameter of the Internet. .. note:: The value ``0`` means unspecified. .. code-block:: none ipv6 nd ra hop_limit dev **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== number Cur Hop Limit value 1-255 vif_name Name of a VIF to configure the Cur Hop Limit =========== ============================================================================ ========================== **Example** This example shows how to set the ``Cur Hop Limit`` equal to ``4`` on the VIF ``v20``: .. code-block:: none ipv6 nd ra hop_limit 4 dev v20 ipv6 nd ra prefix add ===================== This command adds a prefix to Router Advertisement messages sent from a VIF. .. code-block:: none ipv6 nd ra prefix add [valid_lt ] [preferred_lt ] [flags ] dev **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= prefix IPv6 prefix length IPv6 prefix length valid_lt The length of time the prefix is valid for the purpose of on-link determination sec preferred_lt | The length of time in that addresses generated from the prefix via stateless sec | address autoconfiguration remain preferred flags | A - 1-bit autonomous address-configuration flag. When set, indicates that A, O | this prefix can be used for stateless address configuration | O - 1-bit "Other configuration" flag. When set, it indicates that | other configuration information is available via DHCPv6 ============ =============================================================================== ======================================================= **Example** This example shows how to add the prefix ``2001:470:1f0e:1461::/64`` to Router Advertisement messages sent from the VIF ``v20``: .. code-block:: none ipv6 nd ra prefix add 2001:470:1f0e:1461::/64 dev v20 ipv6 nd ra prefix update ======================== This command updates a prefix in Router Advertisement messages sent from a VIF. .. code-block:: none ipv6 nd ra prefix update [valid_lt ] [preferred_lt ] [flags ] dev **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= prefix IPv6 prefix length IPv6 prefix length valid_lt The length of time the prefix is valid for the purpose of on-link determination sec preferred_lt | The length of time in that addresses generated from the prefix via stateless sec | address autoconfiguration remain preferred flags | A - 1-bit autonomous address-configuration flag. When set, indicates that A, O | this prefix can be used for stateless address configuration | O - 1-bit "Other configuration" flag. When set, it indicates that | other configuration information is available via DHCPv6 ============ =============================================================================== ======================================================= **Example** This example shows how to update the prefix ``2001:470:1f0e:1461::/64`` in Router Advertisement messages sent from the VIF ``v20``: .. code-block:: none ipv6 nd ra prefix update 2001:470:1f0e:1461::/64 dev v20 ipv6 nd ra prefix del ===================== This command deletes a prefix from Router Advertisement messages sent from a VIF. .. code-block:: none ipv6 nd ra prefix add dev **Description** =========== ===================================================================== Item Description =========== ===================================================================== prefix IPv6 on-link prefix length IPv6 on-link prefix length vif_name Name of the VIF to delete a prefix form Router Advertisement messages =========== ===================================================================== **Example** This example shows how to delete the prefix ``2001:470:1f0e:1461::/64`` from Router Advertisement messages sent from the VIF ``v20``: .. code-block:: none ipv6 nd ra prefix add 2001:470:1f0e:1461::/64 dev v20 VRRP **** VRRP ==== vrrp create group ----------------- This command creates a new VRRP group. .. code-block:: none vrrp create group dev **Description** =========== ===================================================================== Item Description =========== ===================================================================== vrrp_id ID of a VRRP group to create vif_name Name of a VIF to create a VRRP group =========== ===================================================================== **Example** This example shows how to create the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp create group 10 dev v5 vrrp del group -------------- This command deletes a VRRP group. .. code-block:: none vrrp del group dev **Description** =========== ===================================================================== Item Description =========== ===================================================================== vrrp_id ID of a VRRP group to delete vif_name Name of a VIF to delete a VRRP group =========== ===================================================================== **Example** This example shows how to delete the VRRP group ``10`` from the VIF ``v5``: .. code-block:: none vrrp del group 10 dev v5 vrrp group ip add ----------------- This command adds the primary or a secondary IP address to a VRRP group. .. code-block:: none vrrp group dev ip add [secondary] **Description** =========== ====================================================================== Item Description =========== ====================================================================== vrrp_id ID of a VRRP group to add primary or secondary IP address vif_name Name of a VIF to add primary or secondary IP address to a VRRP group ip_address | IP address to add. Use ``secondary`` parameter, if the IP address is | secondary. Omit ``secondary`` parameter, if the IP address | is primary. =========== ====================================================================== **Examples** This example shows how to add the primary IP address ``10.0.5.10`` to the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 ip add 10.0.5.10 This example shows how to add the secondary IP address ``10.0.55.11`` to the VRRP group ``11`` on the VIF ``v5``: .. code-block:: none vrrp group 11 dev v5 ip add 10.0.55.11 secondary vrrp group ip del ----------------- This command deletes an IP address from a VRRP group. .. code-block:: none vrrp group dev ip del **Description** =========== ====================================================================== Item Description =========== ====================================================================== vrrp_id ID of a VRRP group to delete an IP address vif_name Name of a VIF to delete an IP address from a VRRP group ip_address IP address to delete =========== ====================================================================== **Examples** This example shows how to delete the IP address ``10.0.5.10`` from the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 ip del 10.0.5.10 vrrp group prio --------------- This command changes the priority of a VRRP group. .. code-block:: none vrrp group dev prio **Description** =========== ====================================================================== Item Description =========== ====================================================================== vrrp_id ID of a VRRP group to change the priority vif_name Name of a VIF to change the priority of a VRRP group prio_num Priority number of a VRRP group =========== ====================================================================== **Examples** This example shows how to set the priority number ``100`` for the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 prio 100 vrrp group advert_int --------------------- This command changes the advertisement transmission interval of a VRRP group. .. code-block:: none vrrp group dev advert_int **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id | ID of a VRRP group to change the advertisement | transmission interval vif_name | Name of a VIF to change the advertisement transmission | interval of a VRRP group value Interval value | Cetiseconds | 100 centiseconds = 1 sec =========== ============================================================================ ========================== **Example** This example shows how to set the advertisement transmission interval ``200`` for the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 advert_int 200 vrrp group preempt_mode ----------------------- This command changes the Preempt_Mode of a VRRP group. .. code-block:: none vrrp group dev preempt_mode **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP group to change the Preempt_Mode vif_name | Name of a VIF to change the Preempt_Mode of a VRRP group mode | **on** - enables preemption | on | **off** - disables preemption | off =========== ============================================================================ ========================== **Example** This example shows how to enable the preemption of the VRRP group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 preempt_mode on sh vrrp ------- This command outputs a VRRP group. .. code-block:: none sh vrrp **Example** The response has the following format: .. code-block:: none sh vrrp vif v5 - group 11 vif v5 - port 0, vid 0.5, type 0 state is backup virtual mac address is 00:00:5E:00:01:0B primary ip address is 10.0.55.10 secondary ip address is 10.0.55.11 advertisement interval is 1 sec preemption is on priority is 100 master router is 10.0.5.2, priority is 150 master router advertisement interval is 1 sec master down interval is 3.609 sec vif v5 - group 10 vif v5 - port 0, vid 0.5, type 0 state is master virtual mac address is 00:00:5E:00:01:0A primary ip address is 10.0.5.10 secondary ip address is 10.0.5.11 advertisement interval is 1 sec preemption is on priority is 150 master router is 10.0.55.1 (this system), priority is 150 master router advertisement interval is 1 sec master down interval is 3.414 sec VRRP version 3 ============== vrrp create group ----------------- This command creates a new VRRP3 IPv6 group. .. code-block:: none vrrp create group dev address-family af_ipv6 version 3 **Description** =========== ===================================================================== Item Description =========== ===================================================================== vrrp_id ID of a VRRP3 IPv6 group to create vif_name Name of a VIF to create a VRRP3 IPv6 group =========== ===================================================================== **Example** This example shows how to create the VRRP3 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp create group 10 dev v5 address-family af_ipv6 version 3 vrrp group del -------------- This command deletes a VRRP3 IPv6 group. .. code-block:: none vrrp del group dev **Description** =========== ===================================================================== Item Description =========== ===================================================================== vrrp_id ID of a VRRP3 IPv6 group to delete vif_name Name of a VIF to delete a VRRP3 IPv6 group =========== ===================================================================== **Example** This example shows how to delete the VRRP3 group ``10`` from the VIF ``v5``: .. code-block:: none vrrp del group 10 dev v5 vrrp group ipv6 add ------------------- This command sets or changes an IPv6 link-local address of a VRRP3 IPv6 group. .. code-block:: none vrrp group dev ipv6 add **Description** ============ ===================================================================== Item Description ============ ===================================================================== vrrp_id ID of a VRRP3 IPv6 group to set or change an IPv6 link-local address vif_name | Name of a VIF to set or change an IPv6 link-local address | of a VRRP3 IPv6 group ipv6_address IPv6 link-local address ============ ===================================================================== **Example** This example shows how to set the IPv6 link-local address ``fe80::1269:ddac:fe32:d336`` for the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 ipv6 add fe80::1269:ddac:fe32:d336 vrrp group ipv6 add ------------------- This command adds a secondary IPv6 global address to a VRRP3 IPv6 group. .. code-block:: none vrrp group dev ipv6 add secondary **Description** ============ ===================================================================== Item Description ============ ===================================================================== vrrp_id ID of a VRRP3 IPv6 group to add a secondary IPv6 global address vif_name | Name of a VIF to add a secondary IPv6 global address | to a VRRP3 IPv6 group ipv6_address Secondary IPv6 global address ============ ===================================================================== **Example** This example shows how to add the secondary IPv6 global address ``2001:470:1f0e:1461::10`` to the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 ipv6 add 2001:470:1f0e:1461::10 secondary vrrp group ipv6 del ------------------- This command deletes a secondary IPv6 global address from a VRRP3 IPv6 group. .. code-block:: none vrrp group dev ipv6 del secondary **Description** ============ ===================================================================== Item Description ============ ===================================================================== vrrp_id ID of a VRRP3 IPv6 group to delete a secondary IPv6 global address vif_name | Name of a VIF to delete a secondary IPv6 global address | from a VRRP3 IPv6 group ipv6_address Secondary IPv6 global address ============ ===================================================================== **Example** This example shows how to delete the secondary IPv6 global address ``2001:470:1f0e:1461::10`` from the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 ipv6 del 2001:470:1f0e:1461::10 secondary vrrp group prio --------------- This command changes the priority of a VRRP3 IPv6 group. .. code-block:: none vrrp group dev prio **Description** =========== ====================================================================== Item Description =========== ====================================================================== vrrp_id ID of a VRRP3 IPv6 group to change the priority vif_name Name of a VIF to change the priority of a VRRP3 IPv6 group prio_num Priority number of a VRRP3 IPv6 group =========== ====================================================================== **Examples** This example shows how to set the priority number ``100`` for the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 prio 100 vrrp group advert_int --------------------- This command changes the advertisement transmission interval of a VRRP IPv6 group. .. code-block:: none vrrp group dev advert_int **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id | ID of a VRRP3 IPv6 group to change | the advertisement transmission interval vif_name | Name of a VIF to change the advertisement transmission | interval of a VRRP3 IPv6 group value Interval value | Cetiseconds | 100 centiseconds = 1 sec =========== ============================================================================ ========================== **Example** This example shows how to set the advertisement transmission interval ``200`` for the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 advert_int 200 vrrp group accept_mode ---------------------- This command changes the Accept_Mode of a VRRP3 IPv6 group. For more details, see `RFC 5798 6.1 `_. .. code-block:: none vrrp group dev accept_mode **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP3 IPv6 group to change the Accept_Mode vif_name | Name of a VIF to change Accept_Mode of a VRRP3 IPv6 group mode | **on** - enables Accept_Mode | on | **off** - disables Accept_Mode | off =========== ============================================================================ ========================== **Example** This example shows how to enable the Accept_mode for the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 accept_mode on vrrp group preempt_mode ----------------------- This command changes the preempt_mode of a VRRP3 IPv6 group. .. code-block:: none vrrp group dev preempt_mode **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP3 IPv6 group to change the Preempt_Mode vif_name | Name of a VIF to change Preempt_Mode of a VRRP3 IPv6 group mode | **on** - enables preemption | on | **off** - disables preemption | off =========== ============================================================================ ========================== **Example** This example shows how to enable the preemption of the VRRP3 IPv6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 preempt_mode on sh vrrp ------- This command outputs a VRRP3 IPv6 group. .. code-block:: none sh vrrp **Example** The response has the following format: .. code-block:: none sh vrrp vif p0 - group 10 vrrp version is 3 vif p0 - port 0, vid 0.0, type 0 state is master virtual mac address is 00:00:5E:00:01:0A primary ip address is fe80::ae1f:6bff:fe98:21be secondary ip address is 2001:470:1f0e:1461::10 advertisement interval is 1 sec preemption is on accept-mode is off priority is 150 effective priority is 150 flags is 18 master router is fe80::21b:21ff:febc:ca3c (this system), priority is 150 master router advertisement interval is 1 sec master down interval is 3.41 sec vrrp group nd ra enable/disable ------------------------------- This command enables or disables transmission of ND Router Advertisement messages for a VRRP3 IPV6 group. .. code-block:: none vrrp group dev nd ra **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id | ID of a VRRP3 IPv6 group to enalbe/disable transmission of ND Router | Advertisement messages vif_name | Name of a VIF to enalbe/disable transmission of ND Router | Advertisement messages for a VRRP3 IPv6 group mode | **enable** - enables transmission | enable | **disable** - disables transmission | disable =========== ============================================================================ ========================== **Example** This example shows how to enable the transmission of ND Router Advertisement messages for the VRRP3 IPV6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 nd ra enable vrrp group nd ra lifetime ------------------------- This command configures a lifetime field value of Router Advertisement messages sent for a VRRP3 IPV6 group. .. code-block:: none vrrp group dev nd ra lifetime **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id | ID of a VRRP3 IPv6 group to set a lifetime field value of Router | Advertisement messages vif_name | Name of a VIF to set a lifetime field value of Router Advertisement | messages for a VRRP3 IPv6 group value Lifetime field value of Router Advertisement messages | sec | 16-9000 =========== ============================================================================ ========================== **Example** This example shows how to set the lifetime field value of Router Advertisement messages ``1000`` sent for the VRRP3 IPV6 group ``10`` on the VIF ``v5``: .. code-block:: none vrrp group 10 dev v5 nd ra lifetime 1000 vrrp group nd ra interval ------------------------- This command configures ``MinRtrAdvInterval`` and ``MaxRtrAdvInterval`` variables and its values for a VRRP3 IPV6 group. For more information, see `RFC 4861 6.2.1 `_. .. code-block:: none vrrp group dev nd ra interval **Description** =========== ============================================================================ ============================ Item Description Value =========== ============================================================================ ============================ min_number MinRtrAdvInterval value | sec | 3-0.75 * MaxRtrAdvInterval max_number MaxRtrAdvInterval value | sec | 4-1800 vrrp_id | ID of a VRRP3 IPv6 group to set ``MinRtrAdvInterval`` | and ``MaxRtrAdvInterval`` values vif_name | Name of a VIF to configure ``MinRtrAdvInterval`` | and ``MaxRtrAdvInterval`` values for a VRRP3 IPV6 group =========== ============================================================================ ============================ **Example** This example shows how to set the ``MinRtrAdvInterval`` value ``3`` and the ``MaxRtrAdvInterval`` value ``10`` for the VRRP3 IPV6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra interval 3 10 vrrp group nd ra reachable -------------------------- The command configures the value of the ``Reachable Time`` field in the Router Advertisement messages sent for a VRRP3 IPv6 group by **Bison Router**. .. note:: The value 0 means unspecified. .. code-block:: none vrrp group dev nd ra reachable **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP3 IPv6 group to set the Reachable Time value vif_name | Name of a VIF to configure the Reachable Time | for a VRRP3 IPv6 group number Reachable time value | ms | <3,600,600 (1 hour) =========== ============================================================================ ========================== **Example** This example shows how to set the Reachable Time field value equal to ``1000000`` in the Router Advertisement messages sent for the VRRP3 IPv6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra reachable 1000000 vrrp group nd ra retrans_timer ------------------------------ This command configures the value of the ``Retrans Timer`` field in the Router Advertisement messages sent for a VRRP3 IPv6 group by **Bison Router**. .. note:: The value ``0`` means unspecified. .. code-block:: none vrrp group dev nd ra retrans_timer **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP3 IPv6 group to set the Retrans Timer value vif_name | Name of a VIF to configure the Retrans Timer | for a VRRP3 IPv6 group number Retrans Timer value | ms | default value ``1000`` =========== ============================================================================ ========================== **Example** This example shows how to set the Retrans Timer equal to ``2000`` in the Router Advertisement messages sent for the VRRP3 IPv6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra retrans_timer 2000 vrrp group nd ra hop_limit -------------------------- This command configures the default value of the ``Cur Hop Limit`` field in the Router Advertisement messages sent by **Bison Router**. The value should be set to the current diameter of the Internet. .. note:: The value ``0`` means unspecified. .. code-block:: none vrrp group dev nd ra hop_limit **Description** =========== ============================================================================ ========================== Item Description Value =========== ============================================================================ ========================== vrrp_id ID of a VRRP3 IPv6 group to set the Cur Hop Limit value vif_name Name of a VIF to configure the Cur Hop Limit for a VRRP3 IPv6 group number Cur Hop Limit value 1-255 =========== ============================================================================ ========================== **Example** This example shows how to set the ``Cur Hop Limit`` equal to ``4`` in the Router Advertisement messages sent for the VRRP3 IPv6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra hop_limit 4 vrrp group nd ra prefix add --------------------------- This command adds a prefix in Router Advertisement messages sent for a VRRP3 IPv6 group. .. code-block:: none vrrp group dev nd ra prefix add [valid_lt ] [preferred_lt ] [flags ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= vrrp_id ID of a VRRP3 IPv6 group to add a prefix in Router Advertisement messages vif_name | Name of a VIF to add a prefix in Router Advertisement messages for a VRRP3 | IPv6 group prefix IPv6 prefix length IPv6 prefix length valid_lt The length of time the prefix is valid for the purpose of on-link determination sec preferred_lt | The length of time in that addresses generated from the prefix via stateless sec | address autoconfiguration remain preferred flags | A - 1-bit autonomous address-configuration flag. When set, indicates that A, O | this prefix can be used for stateless address configuration | O - 1-bit "Other configuration" flag. When set, it indicates that | other configuration information is available via DHCPv6 ============ =============================================================================== ======================================================= **Example** This example shows how to add the prefix ``2001:470:1f0e:1461::/64`` in Router Advertisement messages sent for the VRRP3 IPv6 group on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra prefix add 2001:470:1f0e:1461::/64 vrrp group nd ra prefix update ------------------------------ This command updates a prefix in Router Advertisement messages sent for a VRRP3 IPv6 group. .. code-block:: none vrrp group dev nd ra prefix add [valid_lt ] [preferred_lt ] [flags ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= vrrp_id ID of a VRRP3 IPv6 group to update a prefix in Router Advertisement messages vif_name | Name of a VIF to update a prefix in Router Advertisement messages for a | VRRP3 IPv6 group prefix IPv6 prefix length IPv6 prefix length valid_lt The length of time the prefix is valid for the purpose of on-link determination sec preferred_lt | The length of time in that addresses generated from the prefix via stateless sec | address autoconfiguration remain preferred flags | A - 1-bit autonomous address-configuration flag. When set, indicates that A, O | this prefix can be used for stateless address configuration | O - 1-bit "Other configuration" flag. When set, it indicates that | other configuration information is available via DHCPv6 ============ =============================================================================== ======================================================= **Example** This example shows how to update the prefix ``2001:470:1f0e:1461::/64`` in Router Advertisement messages sent for the VRRP3 IPv6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra prefix update 2001:470:1f0e:1461::/64 vrrp group nd ra prefix del --------------------------- This command deletes a prefix from Router Advertisement messages sent for a VRRP IPV6 group. .. code-block:: none vrrp group dev nd ra prefix add **Description** ============ =============================================================================== Item Description ============ =============================================================================== vrrp_id ID of a VRRP3 IPv6 group to delete a prefix in Router Advertisement messages vif_name | Name of a VIF to delete a prefix in Router Advertisement messages sent for | a VRRP3 IPv6 group prefix IPv6 prefix length IPv6 prefix length ============ =============================================================================== **Example** This example shows how to delete the prefix ``2001:470:1f0e:1461::/64`` from Router Advertisement messages sent for the VRRP3 IPv6 group ``10`` on the VIF ``v20``: .. code-block:: none vrrp group 10 dev v20 nd ra prefix add 2001:470:1f0e:1461::/64 Flow accounting *************** flow ipfix_collector (deprecated) ================================= This command configures flow accounting IPFIX collector address and port. Default port value is 4739. .. note:: This command is still supported, but its use is not recommended since it may be removed in future releases. Please use the command `flow collector`_ instead. .. code-block:: none flow ipfix_collector addr [port ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a flow accounting IPFIX collector port_number Port number of a flow accounting IPFIX collector Default = 4739 ============ =============================================================================== ======================================================= **Example** This example shows how to set ``192.168.1.202`` and the default port number for the flow accounting IPFIX collector: .. code-block:: none flow ipfix_collector addr 192.168.1.202 flow collector ============== This command configures flow accounting collector address and port. .. code-block:: none flow collector addr [port ] [proto ] [scope ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a flow accounting collector port_number Port number of a flow accounting collector Default = 4739 proto_value | Supported protocols: Defaul = 10 | 9 - NetFlow V9 | 10 - IPFIX scope_value | Scope. Scope determines what messages will be sent to the collector. Default = ip | ip - both IPv4 and IPv6 messages | ipv4 - only ipv4 messages | ipv6 - only ipv6 messages ============ =============================================================================== ======================================================= **Example** This example shows how to set ``192.168.1.202`` and the default port number for the flow accounting collector: .. code-block:: none flow collector addr 192.168.1.202 flow collector add ================== This command adds a Flow collector to the list of Flow collectors. Flow accounting messages are sent to all collectors on the list at the same time. .. code-block:: none flow collector add addr [port ] [proto ] [scope ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a Flow collector port_number Port number of a Flow collector Default = 4739 proto_value | Supported protocols: Default = 9 | 9 - NetFlow V9 | 10 - IPFIX scope_value | Scope. Scope determines what messages will be sent to the collector. Default = ip | ip - both IPv4 and IPv6 messages | ipv4 - only ipv4 messages | ipv6 - only ipv6 messages ============ =============================================================================== ======================================================= **Example** This example shows how to add a Flow collector with IP address ``10.0.0.1`` and port number ``9995``. .. code-block:: none flow collector add addr 10.0.0.1 port 9995 proto 9 flow collector del ================== This command deletes a Flow collector from the list of Flow collectors. Flow accounting messages are sent to all collectors on the list at the same time. .. code-block:: none flow collector del addr [port ] [proto ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a Flow collector port_number Port number of a Flow collector Default = 4739 proto_value | Supported protocols: Default = 9 | 9 - NetFlow V9 | 10 - IPFIX ============ =============================================================================== ======================================================= **Example** This example shows how to delete a Flow collector with IP address ``10.0.0.1`` and port number ``9995``. .. code-block:: none flow collector del addr 10.0.0.1 port 9995 proto 9 flow acl add ============ This command adds an ACL with a given ID to the list of ALCs used by the Flow accounting module to filter the traffic it processes. .. code-block:: none rcli flow acl add prio **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= aclid ID of existing ACL prio position of added ACL in the Flow accounting list of ACLs ============ =============================================================================== ======================================================= **Example** This example shows how to add existing ACL with ID 21 into the Flow accounting list of ACLs at position 10 .. code-block:: none flow acl add aclid 21 prio 10 flow acl del ============ This command deletes an ACL with a given ID from the list of ALCs used by the Flow accounting module to filter the traffic it processes. .. code-block:: none flow acl del **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= aclid ID of existing ACL ============ =============================================================================== ======================================================= **Example** This example shows how to delete ACL with ID 21 from the Flow accounting list of ACLs .. code-block:: none flow acl del aclid 21 sh flow ======= This command outputs the Flow accounting configuration. .. code-block:: none sh flow **Example** .. code-block:: none # sh flow flow accounting enabled: yes flow accounting collectors: addr port proto 192.168.1.3 4739 10 192.168.1.2 4739 10 flow export filter src filter enabled: 0 src filter prefix map id: - dst filter enabled: 0 dst filter prefix map id: - IPFIX shaper not defined sh flow stat ============ This command outputs Flow accounting statistic counters. .. code-block:: none sh flow stat **Example** The response has the following format: .. code-block:: none sh flow stat flow ipv4 allocated: 0 flow ipv4 free: 32768 flow ipv4 exported: 16 flow ipv6 allocated: 0 flow ipv6 free: 32768 flow ipv6 exported: 0 flow export failures: 0 lcore 1 overflow count: 0 lcore 1 flow created: 16 total overflow: 0 total flow created: 16 NAT *** NAT timeouts ============ Commands in this section are applicable to all types of NAT. sh nat timeout -------------- This command outputs NAT session state's timeout values. .. code-block:: none sh nat timeout **Example** The output has the following format: .. code-block:: none sh nat timeout unknown: 30 active: 40 syn_sent: 30 established: 7200 fin_wait: 30 close_wait: 30 closing: 30 last_ack: 30 closed: 30 icmp_active: 30 dns: 4 gre: 7200 nat timeout ----------- This command sets the timeout for NAT translations with a particular state. .. code-block:: none nat timeout **Description** ============= ======================================= ======================================================= Item Description Value ============= ======================================= ======================================================= timeout Timeout value sec state Name of the translation session state | unknown | active | syn_sent | established | fin_wait | close_wait | closing | last_ack | closed | icmp_active | dns | gre ============= ======================================= ======================================================= **Example** This example shows how to set timeout ``1200`` seconds for translations with the state ``established``: .. code-block:: none nat timeout established 1200 SNAT44 ====== SNAT44 is an implementation of the IPv4 Source NAT port-block-based algorithm. It is the most flexible and feature-rich SNAT module of **Bison Router**. SNAT44 allows to dynamically change the internal and the out/translation IP address spaces of the SNAT44 map, temporarily exclude out/translation IP addresses from operation. SNAT features: - SNAT44, DNAT44. - EIM, Endpoint Independent Mapping. - NAT translation session limit per host. - Hairpinning (NAT loopback). - NEL (NAT Event Logging) via IPFIX, Netflow v9. - Performance up to 15 Mpps and 120 Gbit/s. - ALG support: PPtP, ICMP, traceroute. - Supports all major protocols and applications including SIP, FTP, RTSP, IPSec and GRE based VPNs, and gaming console. To activate the SNAT function, you need to perform these steps in the following order: 1. Create a map (`snat create map`_). 2. Enable the SNAT function on a VIF (`snat vif enable`_). 3. Add a map to a VIF (`snat add map`_). These steps order and corresponding commands are mandatory. The rest are used for additional configuration. **Example** This example shows the order in which the required commands should be executed: .. code-block:: none snat create map 1 in entries 20000 sess 8000000 snat vif v20 enable snat vif v20 add map 1 snat create map --------------- This command creates a map to translate an internal IPv4 address space (in) to a public IPv4 address space (out). The internal IP address space can include a number of internal IP address prefixes. The out address spaces consist of a number of IP address ranges. .. code-block:: none snat create map [in entries ] [sess ] [port block ] [ratio ] [ip port block ] **Description** =============== =================================================================================== =============== Item Description Default values =============== =================================================================================== =============== nb_in_entries Maximum number of internal IP records 32768 nb_sessions Maximum number of NAT sessions 8388608 port_block_size Port block size 128 ratio | The ratio of internal to out addresses. 256 | For example, a ratio value 32 would mean | that each out (public) address could be used | by max. 32 internal IP addresses | at the same time nb_pb_per_in_ip | Maximum number of port blocks 4 | that an internal IP can use at the same time =============== =================================================================================== =============== .. note:: | It is recommended to use default values for the following variables: | ``port_block_size 128`` | ``ratio 256`` | ``nb_pb_per_in_ip 4`` The ``nb_in_entries`` value should be equal to the number of subscribers. | The ``nb_sessions`` value is calculated as follows: | ``nb_sessions = nb_in_entries * 4000``, | where 4000 is the maximum number of NAT sessions for a residential CPE. **Example** This example shows how to create a SNAT map ``1`` with the ratio of internal to out address ``32``: .. code-block:: none snat create map 1 ratio 32 Example with all the specified parameters: .. code-block:: none snat create map 1 in entries 40000 sess 16000000 port block 128 ratio 64 ip port block 4 sh snat maps ------------ This command outputs information on all translation maps. .. code-block:: none sh snat maps **Example** The response has the following format: .. code-block:: none sh snat maps SNAT map map id: 1 internal prefixes: 192.168.2.0/24 10.8.0.0/24 out ranges: 10.114.0.0 - 10.114.0.7 active sessions: 0 max internal hosts: 32768 max sessions: 8388608 in/out ratio: 32 port block size: 128 port blocks per out address: 504 port blocks per in address: 4 state counters: unknown: 0 active: 0 syn_sent: 0 established: 0 fin_wait: 0 close_wait: 0 closing: 0 last_ack: 0 closed: 0 icmp_active: 0 dns: 0 gre: 0 sh snat sessions map -------------------- This command outputs NAT sessions within a map or all session for an IP address if such a parameter is specified. .. code-block:: none sh snat sessions map [in ] **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to show sessions ip_address Internal IPv4 address to output sessions (optional) ============== =============================================================================== **Example** The response has the following format: .. code-block:: none sh snat sessions map 1 in 10.64.3.27 in addr:port out addr:port ext addr:port proto state expire in secs 10.64.3.27:62695 103.165.12.223:62472 89.58.26.17:60534 udp active 29 10.64.3.27:53889 xx.xx.12.223:62510 219.91.170.228:31889 tcp established 7198 10.64.3.27:62695 xx.xx.12.223:62472 219.91.170.228:31889 udp active 28 10.64.3.27:53888 xx.xx.12.223:62583 87.201.193.150:22295 tcp syn_sent 29 10.64.3.27:62695 xx.xx.12.223:62472 87.201.193.150:22295 udp active 28 10.64.3.27:53887 xx.xx.12.223:62543 45.118.159.191:32815 tcp syn_sent 29 10.64.3.27:62695 xx.xx.12.223:62472 45.118.159.191:32815 udp active 28 10.64.3.27:53886 xx.xx.12.223:62526 49.244.101.124:1026 tcp syn_sent 29 sh snat int_ip map ------------------ This command outputs internal IP records of a SNAT44 map. The internal IP record contains the following information: - the out/translation IP address used by the internal IP address. - port blocks used exclusively by the translation IP address. .. code-block:: none sh snat int_ip map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to output internal IP records ============== =============================================================================== **Example** The response has the following view: .. code-block:: none sh snat int_ip map 1 | head int-ip out-ip port-blocks 10.64.0.24 xx.xx.12.62 ports 60928 - 61055, rc 28, closed 0 10.64.3.187 xx.xx.12.32 ports 53632 - 53759, rc 50, closed 0 10.64.6.5 xx.xx.12.41 ports 51968 - 52095, rc 1, closed 0 10.64.9.52 xx.xx.12.57 ports 55296 - 55423, rc 6, closed 0 snat del map ------------ This command deletes a translation map. .. code-block:: none snat del map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to delete ============== =============================================================================== **Example** This example shows how to delete the translation map ``1``: .. code-block:: none snat del map 1 snat map add in prefix ---------------------- This command adds an IP address prefix to the map's internal IP address space. .. code-block:: none snat map add in prefix / **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to add a prefix prefix IPv4 prefix to add mask Subnet mask ============== =============================================================================== **Example** This example shows how to add the prefix ``10.0.0.0/16`` to the map ``1`` internal IP address space: .. code-block:: none snat map 1 add in prefix 10.0.0.0/16 snat map del in prefix ---------------------- This command deletes an IP address prefix from the map's internal IP address space. .. code-block:: none snat map del in prefix / **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to delete a prefix prefix IPv4 prefix to delete mask Subnet mask ============== =============================================================================== **Example** This example shows how to delete the prefix ``10.0.0.0/16`` from the map ``1`` internal IP address space: .. code-block:: none snat map 1 del in prefix 10.0.0.0/16 snat map add out range ---------------------- This command adds an IP range to the map's out IP address space. .. code-block:: none snat map add out range **Description** =============== =============================================================================== Item Description =============== =============================================================================== map_id ID of a map to add a range ipv4_addr_from The first IPv4 address of the range ipv4_addr_to The last IPv4 address of the range =============== =============================================================================== **Example** This example shows how to add the IP range 1.1.1.10-1.1.1.20 to the map ``1`` out IP address space: .. code-block:: none snat map 1 add out range 1.1.1.10 1.1.1.20 snat map del out range ---------------------- This command deletes an IP range from the map's out IP address space. .. code-block:: none snat map del out range **Description** =============== =============================================================================== Item Description =============== =============================================================================== map_id ID of a map to delete a range ipv4_addr_from The first IPv4 address of the range ipv4_addr_to The last IPv4 address of the range =============== =============================================================================== **Example** This example shows how to delete the IP range 1.1.1.10-1.1.1.20 from the map ``1`` out IP address space: .. code-block:: none snat map 1 del out range 1.1.1.10 1.1.1.20 snat map add out prefix ----------------------- This command adds an IPv4 prefix to the map's out IP address space. .. code-block:: none snat map add out prefix / **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to add a prefix prefix IPv4 prefix to add mask Subnet mask ============== =============================================================================== **Example** This example shows how to add the prefix ``1.1.1.0/24`` to the map ``1`` out IP address space: .. code-block:: none snat map 1 add out prefix 1.1.1.0/24 snat map del out prefix ----------------------- This command deletes an IPv4 prefix from the map's out IP address space. .. code-block:: none snat map del out prefix / **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to delete a prefix prefix IPv4 prefix to delete mask Subnet mask ============== =============================================================================== **Example** This example shows how to delete the prefix ``10.0.0.0/24`` from the map ``1`` out IP address space: .. code-block:: none snat map 1 del out prefix 1.1.1.0/24 snat map out ip disable ----------------------- This command excludes one of out IP addresses from the map's out IP address space. .. code-block:: none snat map out ip disable **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to exclude an IP address ip_address IPv4 address to exclude ============== =============================================================================== **Example** This example shows how to exclude the IPv4 address ``1.1.1.128`` from the map ``1`` out IP address space: .. code-block:: none snat map 1 out ip 1.1.1.128 disable snat map out ip enable ---------------------- This command restores one of the previously excluded out IP addresses. .. code-block:: none snat map out ip enable **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to restore an IP address ip_address IPv4 address to restore ============== =============================================================================== **Example** This example shows how to restore previously excluded IPv4 address ``1.1.1.128`` in the map ``1`` out IP address space: .. code-block:: none snat map 1 out ip 1.1.1.128 enable snat close host sessions ------------------------ This command closes and deletes all translation sessions of a host with a particular IPv4 address. .. code-block:: none snat close sess map in **Description** ============= ========================================================================================== Item Description ============= ========================================================================================== map_id ID of a map addr_in IPv4 address of a host from one of map's ``internal`` networks to close and delete sessions ============= ========================================================================================== **Example** This example shows how to close and delete all sessions of the host ``192.168.2.10`` from the map ``1``: .. code-block:: none snat close sess map 1 in 192.168.2.10 snat close host session in -------------------------- This command closes and deletes a translation session with particular internal and external endpoints values. .. code-block:: none snat close sess map in ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to close and delete a session addr:port_in IPv4 address and port of the internal endpoint of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** This example shows how to close and delete the translation session with internal endpoint ``10.114.0.0:65448`` and external endpoint ``8.8.8.8:0``: .. code-block:: none snat close sess map 1 out 10.114.0.0:65448 ext 8.8.8.8:0 icmp snat close host session out --------------------------- This command closes and deletes a translation session with a particular combination of ``out`` address and port and an external endpoint value. .. code-block:: none snat close sess map out ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to close and delete a session addr:port_out Translated/out IPv4 address and port of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** This example shows how to close and delete the translation session with a combination of ``out`` address and port ``10.114.0.0:21828`` and external endpoint ``13.94.102.123:443``: .. code-block:: none snat close sess map 1 out 10.114.0.0:21828 ext 13.94.102.123:443 tcp snat vif enable --------------- This command enables the SNAT function on a VIF. .. code-block:: none snat vif enable **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to enable SNAT ============== =============================================================================== **Example** This example shows how to enable the SNAT function on the VIF ``v20``: .. code-block:: none snat vif v20 enable snat vif disable ---------------- This command disables the SNAT function on a VIF. .. code-block:: none snat vif disable **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to disable SNAT ============== =============================================================================== **Example** This example shows how to disable the SNAT function on the VIF ``v20``: .. code-block:: none snat vif v20 disable snat add map ------------ This command adds a map to a VIF. .. note:: Once a map is added to a VIF and the SNAT function is enabled, the VIF will start performing SNAT translations according to the map's parameters. .. code-block:: none snat vif add map **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to add a translation map map_id ID of a map to add ============== =============================================================================== **Example** This example shows how to add the map ``1`` to the VIF ``v20``: .. code-block:: none snat vif v20 add map 1 snat del map ------------ This command deletes a map from a VIF. .. code-block:: none snat vif del map **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to delete a translation map map_id ID of a map to delete ============== =============================================================================== **Example** This example shows how to delete the map ``1`` from the VIF ``v20``: .. code-block:: none snat vif v20 del map 1 snat connection limit get ------------------------- This command outputs the current number of established sessions and the max. number of allowed sessions for an internal IP address. .. code-block:: none snat connection limit get **Description** ============== =============================================================================== Item Description ============== =============================================================================== addr_in IPv4 address of host from ``in`` network ============== =============================================================================== **Example** The response has the following view: .. code-block:: none snat connection limit get 192.168.2.20 ip connections max connections 192.168.2.20 0 4096 snat connection limit set ------------------------- This command sets the max. number of allowed sessions for an internal IP address. .. code-block:: none snat connection limit set **Description** ============== =============================================================================== Item Description ============== =============================================================================== addr_in IPv4 address of host from ``in`` network value The max. number of allowed sessions ============== =============================================================================== **Example** This example shows how to set the max. number of allowed session equal to ``300`` for the internal IP address ``192.168.2.20``: .. code-block:: none snat connection limit set 192.168.2.20 300 sysctl variables to configure the session limit feature ------------------------------------------------------- To activate the SNAT sessions limit feature, you need to perform these steps in the following order: 1. Group sessions (`sysctl set snat_conn_limit_group_by`_). 2. Set the max. number of sessions for a group (`sysctl set snat_conn_limit_default_max_conn`_). **Example** This example shows the order in which the required variables should be set: .. code-block:: none sysctl set snat_conn_limit_group_by 1 sysctl set snat_conn_limit_default_max_conn 4096 sysctl set snat_conn_limit_group_by ----------------------------------- This ``sysctl`` variable defines the criteria for grouping sessions. .. code-block:: none sysctl set snat_conn_limit_group_by **Description** ============== =============================================================================== Item Description ============== =============================================================================== mode | 0 - don't group sessions and don't limit the number of sessions in a group. | This mode disables the feature. | 1 - limit the number of sessions in a group. | Sessions are grouped by the source IP address. | 2 - limit the number of sessions in a group. | Sessions are grouped by the destination IP address. ============== =============================================================================== sysctl set snat_conn_limit_default_max_conn ------------------------------------------- This ``sysctl`` variable defines the default maximum number of sessions in a group. .. code-block:: none sysctl set snat_conn_limit_default_max_conn **Description** ============== =============================================================================== Item Description ============== =============================================================================== number Max. number of sessions in a group ============== =============================================================================== sysctl set snat_conn_limit_filter_mode -------------------------------------- The filtering function is used to exclude particular NAT sessions from groups, in other words it's used to ignore particular sessions when applying session limits. To find out which sessions should be excluded **Bison Router** maintains a list of prefixes. If the session's IP address matches one of the prefixes on the list, the session is ignored. ``snat_conn_limit_filter_mode`` variable defines what session's IP address is used during the matching process. .. code-block:: none sysctl set snat_conn_limit_filter_mode **Description** ============== =============================================================================== Item Description ============== =============================================================================== mode | 0 - disables the feature | 1 - applies filtering by source IP address of a session | 2 - applies filtering by destination IP address of a session ============== =============================================================================== snat connection limit filter add -------------------------------- This command adds a prefix to the SNAT sessions limit list. .. code-block:: none snat connection limit filter add / **Description** ============== =============================================================================== Item Description ============== =============================================================================== ip_address IPv4 address mask Subnet mask ============== =============================================================================== **Example** This example shows how to add the prefix ``10.11.1.0/24`` to the SNAT sessions limit list: .. code-block:: none snat connection limit filter add 10.11.1.0/24 snat connection limit filter del -------------------------------- This command deletes a prefix from the SNAT sessions limit list. .. code-block:: none snat connection limit filter del / **Description** ============== =============================================================================== Item Description ============== =============================================================================== ip_address IPv4 address mask Subnet mask ============== =============================================================================== **Example** This example shows how to delete the prefix ``10.11.1.0/24`` from the SNAT sessions limit list: .. code-block:: none snat connection limit filter del 10.11.1.0/24 SNAT44 NEL ========== SNAT44 module supports the following NEL events: - Session create and delete events; - Port block allocation and de-allocation events; - Addresses Exhausted event; - Ports Exhausted event; - Internal IP address Ports Exhausted event; - Maximum Session Entries Exceeded event; - Maximum Entries per User Exceeded event; - Maximum Active Hosts or Subscribers Exceeded event; snat map nel sess ----------------- This command enables or disables NEL session events for a SNAT44 map. .. code-block:: none snat map nel sess **Description** ============== =============================================================================== Item Description ============== =============================================================================== map-id ID of an SNAT44 map state 1 - enable; 0 - disable ============== =============================================================================== **Example** This example shows how to disable NEL session events for the map with ID 1. .. code-block:: none snat map 1 nel sess 0 snat map nel port block ----------------------- This command enables or disables NEL port block allocation/de-allocation events for a SNAT44 map. .. code-block:: none snat map nel port block **Description** ============== =============================================================================== Item Description ============== =============================================================================== map-id ID of an SNAT44 map state 1 - enable; 0 - disable ============== =============================================================================== **Example** This example shows how to enable NEL port block allocation/de-allocation events for the map with ID 1. .. code-block:: none snat map 1 nel port block 1 Addresses Exhausted Event ------------------------- This event is generated when there are no available translated/public IP addresses in a SNAT MAP pool. Note that each translated IP address can be used at the same time only by a particular number of subscribers which is specified by the 'ratio' parameter of `snat create map`_ command. https://www.rfc-editor.org/rfc/rfc8158#section-4.6.5 Ports Exhausted Event --------------------- This event is generated when there are no available port-block in a port-block pool of a translated IP address. https://www.rfc-editor.org/rfc/rfc8158#section-4.6.6 Internal IP address Ports Exhausted Event ----------------------------------------- It's a non-standard NEL event. The event is generated when there are no available ports in any of the port blocks allocated for a subscriber and no more port-blocks can be allocated for that subscriber. The event uses a natEvent ID 200. Maximum Session Entries Exceeded Event -------------------------------------- This event is generated when the configured NAT session limit is reached. The session limit is specified by the 'nb_sessions' parameter of the `snat create map`_ command. https://www.rfc-editor.org/rfc/rfc8158#section-4.6.7.1 Maximum Entries per User Exceeded Event --------------------------------------- This event is generated when the configured NAT subscriber session limit is reached. Subscriber session limits are specified by the `snat connection limit set`_ command or by the sysctl variable 'snat_conn_limit_default_max_conn'. https://www.rfc-editor.org/rfc/rfc8158#section-4.6.7.3 Maximum Active Hosts or Subscribers Exceeded Event -------------------------------------------------- This event is generated when the configured NAT limit of the number of internal hosts or subscribers is reached. The limit is specified by the 'nb_in_entries' parameter of the `snat create map`_ command. https://www.rfc-editor.org/rfc/rfc8158#section-4.6.7.4 NEL events rate-limiting ------------------------ BisonRouter limits the transmission rate of the following NEL events using a token-bucket algorithm: - Addresses Exhausted event; - Ports Exhausted event; - Internal IP address Ports Exhausted event; - Maximum Session Entries Exceeded event; - Maximum Entries per User Exceeded event; - Maximum Active Hosts or Subscribers Exceeded event; Sysctl variables to configure parameters of trasmission of NEL events - nel_ratelimit_buckets It's an integer sysctl variable with the startup configuration scope. It configures the number of token buckets of the NEL event rate-limit module. Each bucket limits the transmission rate of NEL events mapped to that bucket. Some NEL event types are always mapped to the same bucket depending on a NEL event type value. For example, Maximum Active Hosts or Subscribers Exceeded events always use the same bucket, while Maximum Entries per User Exceeded events use different buckets depending on a particular value of subscriber/user source IP address. - nel_ratelimit_msg_rate It's an integer sysctl variable with the runtime configuration scope. It configures the number of NEL events per second or the transmission rate of NEL events that are transmitted via the same token-bucket. - nel_ratelimit_burst It's an integer sysctl variable with the runtime configuration scope. It configures the maximum number of NEL events that can be sent at once. DNAT44 ====== snat add dnat ------------- This command creates a DNAT rules table for a SNAT map. .. code-block:: none snat add dnat map size **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of an existing SNAT map dnat_map_size Max. number of DNAT rules that can be stored in a DNAT table ============= =============================================================================== **Example** This example shows how to create and add a DNAT rules table with a max. number of rules ``256`` to a SNAT map ``1``: .. code-block:: none snat add dnat map 1 size 256 snat del dnat ------------- This command deletes a DNAT rules table from an SNAT map. .. code-block:: none snat del dnat map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of an existing SNAT map to delete a DNAT table from ============= =============================================================================== **Example** This example shows how to delete the DNAT rules table from the SNAT map ``1``: .. code-block:: none snat del dnat map 1 snat add dnat rule ------------------ This command adds a new DNAT rule. .. code-block:: none snat add dnat rule map out in **Description** ============== =============================================================================== ======= Item Description Value ============== =============================================================================== ======= map_id ID of an existing SNAT map addr:port_out Translated/out IPv4 address and port of the translation addr:port_in IPv4 address and port of the internal endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============== =============================================================================== ======= **Example** This example shows how to create a new DNAT rule in the SNAT map ``1`` to translate out address and port ``10.114.0.0:23200`` into internal address and port ``10.11.1.11:63140``: .. code-block:: none snat add dnat rule map 1 out 10.114.0.0:23200 in 10.11.1.11:63140 tcp snat del dnat rule ------------------ This command deletes a DNAT rule. .. code-block:: none snat del dnat rule map out **Description** ============== =============================================================================== ======= Item Description Value ============== =============================================================================== ======= map_id ID of a SNAT map to delete a rule from addr:port_out Translated/out IPv4 address and port of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============== =============================================================================== ======= **Example** This example shows how to delete a DNAT rule with an out/translated address and port value ``10.114.0.0:23200`` from the SNAT map ``1``: .. code-block:: none snat del dnat rule map 1 out 10.114.0.0:23200 tcp sh dnat rules ------------- This command outputs DNAT rules. .. code-block:: none sh dnat rules map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a SNAT map to output rules ============== =============================================================================== **Example** The response has the following view: .. code-block:: none sh dnat rules map 1 out addr:port int addr:port proto 10.114.0.0:23200 10.11.1.11:63140 tcp 10.114.0.0:80 10.11.1.11:80 tcp Deterministic SNAT44 ==================== **Bison Router** Deterministic NAT is an implementation of the Deterministic SNAT44 algorithm described in `RFC 7422 `_. Main Deterministic SNAT features: - SNAT44, DNAT44. - EIM, Endpoint Independent Mapping. - NAT translation session limit per host. - Deterministic address and port selection. - Hairpinning (NAT loopback). - NEL (NAT Event Logging) via IPFIX, Netflow v9. - Performance up to 15 Mpps and 120 Gbit/s. - ALG support: PPtP, ICMP, traceroute. - Supports all the major protocols and applications including SIP, FTP, RTSP, IPSec and GRE based VPNs, and gaming console. Pros: - Better performance in comparison to other **Bison Router** NAT implementations. - Due to the deterministic nature of the port selection process there is no need to use NEL. Cons: - The internal IP space should not be sparsely filled with subscribers. Otherwise, it will lead to non-optimal use of memory and out IP space. - The ratio of the internal IP space size to the out IP space size should be less or equal to 256, for example in 10.0.0.0/24 out x.x.x.1/32. Otherwise, the number of the out ports per internal IP/subscriber will be too low for the normal operation. To activate Deterministic SNAT, you need to perform these steps in the following order: 1. Create a map (`det snat create map`_). 2. Enable deterministic SNAT function on a VIF (`det snat vif enable`_). 3. Add a map to a VIF (`det snat add map`_). These steps order and corresponding commands are mandatory. The rest are used for additional configuration. **Example** This example shows the order in which the required commands should be executed: .. code-block:: none det snat create map 1 in 10.0.0.0/16 out 10.114.0.0/29 sess 4096 det snat vif uplink enable det snat vif uplink add map 1 det snat create map ------------------- This command creates a map to translate one IPv4 address space (in) to another IPv4 address space (out). The map consists of records that store data about subscribers' active connections to internet sites. The record is called a NAT session. The optimal maximum number of NAT sessions for a residential subscriber with 3-4 devices is 4096, which is set up by the ``sess`` parameter. .. code-block:: none det snat create map in out sess **Description** ============== =============================================================================== ======================================================= Item Description Value ============== =============================================================================== ======================================================= map_id ID of a map to create 0-127 in_prefix Internal IP prefix in_prefix_len Internal IP prefix size ``in_prefix_len`` < ``out_prefix_len`` out_prefix Out/translation IP prefix out_prefix_len Out/translation IP prefix size sess_per_host Max. number of sessions per ``in`` network's host A power of 2 ============== =============================================================================== ======================================================= .. note:: When creating a map, keep in mind that there must be at least 256 ports for each internal IP address/host. The recommended value is 512. The value is calculated using the formula: ``ports per in host = 64512 * out_ip_address_space_size / in_ip_address_space_size``, | where | 64512 is a number of ports of one out address | out_ip_address_space_size = 2 ^ (32 - out_prefix_len) | in_ip_address_space_size = 2 ^ (32 - in_prefix_len) To view the current ``ports per host`` value, use the command `sh det snat maps`_. The value will be output among other information about the map. **Example** This example shows how to create a map ``1`` translating internal addresses ``10.11.1.0/24`` to out ``10.114.0.0/29`` with a maximum number of sessions per host ``1024``: .. code-block:: none det snat create map 1 in 10.11.1.0/24 out 10.114.0.0/29 sess 1024 det snat delete map ------------------- This command deletes a translation map. .. code-block:: none det snat del map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map to delete ============= =============================================================================== **Example** This example shows how to delete the translation map ``1``: .. code-block:: none det snat del map 1 det snat flush sess ------------------- This command deletes all translation sessions from a map. .. code-block:: none det snat flush sess map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map to delete all translation sessions ============= =============================================================================== **Example** This example shows how to delete all translation sessions from the map ``1``: .. code-block:: none det snat flush sess map 1 sh det snat maps ---------------- This command outputs information on all translation maps. .. code-block:: none sh det snat maps **Example** The response has the following format: .. code-block:: none sh det snat maps SNAT deterministic map map id: 2 internal net: 10.xx.1.0/24 external net: 10.xx.0.0/29 size: 524288 active sessions: 63 ports per host: 2016 sessions per host: 2048 dnat map: none state counters: unknown: 0 active: 0 syn_sent: 0 established: 62 fin_wait: 0 close_wait: 0 closing: 0 last_ack: 0 closed: 0 icmp_active: 0 dns: 1 gre: 0 det snat vif enable ------------------- This command enables Deterministic SNAT function on a VIF. .. code-block:: none det snat vif enable **Description** ============= =============================================================================== Item Description ============= =============================================================================== vif_name Name of a VIF to enable the SNAT function ============= =============================================================================== **Example** This example shows how to enable the Deterministic SNAT funtion on the VIF ``v20``: .. code-block:: none det snat vif v20 enable det snat vif disable -------------------- This command disables Deterministic SNAT function on a VIF. .. code-block:: none det snat vif disable **Description** ============= =============================================================================== Item Description ============= =============================================================================== vif_name Name of a VIF to disable the SNAT function ============= =============================================================================== **Example** This example shows how to disable the Determenistic SNAT funtion on the VIF ``v20``: .. code-block:: none det snat vif v20 disable det snat add map ---------------- This command adds a map to a VIF. Once a map is added to a VIF and the SNAT function is enabled, the VIF will start performing SNAT translations according to the map's parameters. .. code-block:: none det snat vif add map .. note:: Up to 8 maps can be added to 1 VIF. If you need to use more than 8 maps on 1 VIF, follow the instruction of the `NAT Policy`_ section. **Description** ============= =============================================================================== Item Description ============= =============================================================================== vif_name Name of a VIF to add a map map_id ID of a map to add to a VIF ============= =============================================================================== **Example** This example shows how to add the map ``1`` to the VIF ``v3``: .. code-block:: none det snat vif v3 add map 1 det snat del map ---------------- This command deletes a map from a VIF. .. code-block:: none det snat vif del map **Example** This example shows how to delete the map ``1`` from the VIF ``v3``: .. code-block:: none det snat vif v3 del map 1 sh det snat mapping alg in -------------------------- This command shows ``out`` port range reserved for an internal IP address/host. According to the Deterministic NAT algorithm, NAT translations of a particular internal host exclusively use a specific port range allocated once a map has been created and that can not be changed later. .. code-block:: none sh det snat mapping alg map in **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map to show a port range addr_in IPv4 address of host from ``in`` network to show a port range ============= =============================================================================== **Example** The response has the following format: .. code-block:: none sh det snat mapping alg map 1 in 10.11.1.10 in 10.11.1.10 -> out 10.114.0.0 ports 21184 - 23199 sh det snat mapping alg out --------------------------- This command shows which internal ``in`` IP address corresponds to the combination of ``out`` IP address and port. .. code-block:: none sh det snat mapping alg map out : **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map addr_out Translated (out) IPv4 address port Translated (out) port (L4 port) ============= =============================================================================== **Example** The response has the following format: .. code-block:: none sh det snat mapping alg map 1 out 10.114.0.0:23199 out 10.114.0.0:23199 -> in 10.11.1.10 sh det snat timeout ------------------- This command outputs session state's timeout values. .. code-block:: none sh det snat timeout **Example** The response has the following format: .. code-block:: none sh det snat timeout unknown: 30 active: 40 syn_sent: 30 established: 7200 fin_wait: 30 close_wait: 30 closing: 30 last_ack: 30 closed: 30 icmp_active: 30 dns: 4 gre: 7200 det snat timeout ---------------- This command sets a timeout for translations with a particular state. .. code-block:: none det snat timeout **Description** ============= ======================================= ======================================================= Item Description Value ============= ======================================= ======================================================= timeout Timeout value sec state Name of the translation session state | unknown | active | syn_sent | established | fin_wait | close_wait | closing | last_ack | closed | icmp_active | dns | gre ============= ======================================= ======================================================= **Example** This example shows how to set timeout ``1200`` for translations with the state ``established``: .. code-block:: none det snat timeout established 1200 det snat close host sessions ---------------------------- This command closes and deletes all translation sessions of a host. .. code-block:: none det snat close sess map in **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map addr_in IPv4 address of a host from ``in`` network to close and delete sessions ============= =============================================================================== **Example** This example shows how to close and delete all sessions of the host ``10.11.1.10`` from the map ``1``: .. code-block:: none det snat close sess map 1 in 10.11.1.10 det snat close host session in ------------------------------ This command closes and deletes a translation session with a particular internal and external endpoints values. .. code-block:: none det snat close sess map in ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to close and delete a session addr:port_in IPv4 address and port of the internal endpoint of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** This example shows how to close and delete the translation session with internal endpoint ``10.11.1.10:63140`` and external endpoint ``13.94.102.123:443``: .. code-block:: none det snat close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443 tcp det snat close host session out ------------------------------- This command closes and deletes a translation session with a particular combination of ``out`` address and port and an external endpoint value. .. code-block:: none det snat close sess map out ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to close and delete a session addr:port_out Translated/out IPv4 address and port of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** This example shows how to close and delete the translation session with a combination of ``out`` address and port ``10.114.0.0:21828`` and external endpoint ``13.94.102.123:443``: .. code-block:: none det snat close sess map 1 out 10.114.0.0:21828 ext 13.94.102.123:443 tcp det snat show session in ------------------------ This command outputs a translation session with particular internal and external endpoints values. .. code-block:: none sh det snat sess map in ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to output addr:port_in IPv4 address and port of the internal endpoint of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** The response has the following format: .. code-block:: none sh det snat sess map 1 in 10.11.1.10:62829 ext xx.xx.xx.95:443 tcp in addr:port out addr:port ext addr:port state expire in secs 10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637 det snat show session out ------------------------- This command outputs a translation session with a particular combination of ``out`` address and port and a particular external endpoint value. .. code-block:: none sh det snat sess map out ext **Description** ============= =============================================================================== ========== Item Description Value ============= =============================================================================== ========== map_id ID of a map to close and delete a session addr:port_out Translated/out IPv4 address and port addr:port_ext IPv4 address and port of the external endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============= =============================================================================== ========== **Example** The response has the following format: .. code-block:: none sh det snat sess map 1 out 10.114.0.0:21517 ext xx.xx.xx.95:443 tcp in addr:port out addr:port ext addr:port state expire in secs 10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637 sh det snat sessions map ------------------------ This command outputs translation sessions of a host. .. code-block:: none sh det snat sessions map [in ] .. note:: ``in `` is optional. If it is omitted, the command outputs all sessions of the table. **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a map to output sessions addr_in Internal IPv4 address of a host ============= =============================================================================== **Example** The response has the following format: .. code-block:: none sh det snat sessions map 1 in 10.11.1.10 | head in addr:port out addr:port ext addr:port state expire in secs 10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637 10.11.1.10:62862 10.114.0.0:21550 xx.xx.xx.95:443 tcp_established 1652 10.11.1.10:63160 10.114.0.0:21848 xx.xx.xx.95:443 tcp_established 2631 10.11.1.10:63161 10.114.0.0:21849 xx.xx.xx.95:443 tcp_established 2631 10.11.1.10:63222 10.114.0.0:21910 xx.xx.xx.95:443 tcp_established 2657 10.11.1.10:63223 10.114.0.0:21911 xx.xx.xx.95:443 tcp_established 2657 10.11.1.10:63233 10.114.0.0:21921 xx.xx.xx.95:443 tcp_established 2669 10.11.1.10:63234 10.114.0.0:21922 xx.xx.xx.95:443 tcp_established 2669 10.11.1.10:63275 10.114.0.0:21963 xx.xx.xx.95:443 tcp_established 2773 sh det snat sessions ------------------------------ This is a variant of the previous command without a specified map ID. It outputs all sessions for a host with internal ip address ````. The map will be found automatically. .. code-block:: none sh det snat sessions in **Description** ============= =============================================================================== Item Description ============= =============================================================================== addr_in Internal IPv4 address of a host ============= =============================================================================== det_nat_sess_bucket_size ------------------------ ``det_nat_sess_bucket_size`` is in integer ``sysctl`` variable which determines the bucket size of the session hash table. To improve performance of the NAT session lookup process, the subscriber session table is organized as a hash table. NAT sessions are placed into a table in a special order based on a hash value of the session. The hash value is calculated based on the session external address and external port. All sessions with the same hash value are stored in the same bucket. Using buckets increases the lookup performance because the lookup operation has to scan only a limited bucket area (for example 200 slots) instead of scanning the entire hash table to find a NAT session. **Example** .. code-block:: none sysctl get det_nat_sess_bucket_size 200 det snat map add to prefix map ------------------------------ This command adds map's internal and external prefixes to a prefix map. .. note:: The command is used in combination with `NAT policy`_. .. code-block:: none det snat map add to prefix map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a NAT map to add prefixes to a prefix map prefix_map_id ID of a prefix map to add prefixes from a NAT map ============= =============================================================================== **Example** This example shows how to add the prefixes from the NAT map ``1`` to the prefix map ``10``: .. code-block:: none det snat map 1 add to prefix map 10 det snat map del from prefix map -------------------------------- This command deletes map's internal and external prefixes from a prefix map. .. note:: The command is used in combination with `NAT policy`_. .. code-block:: none det snat map del from prefix map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of a NAT map to delete prefixes from a prefix map prefix_map_id ID of a prefix map to delete NAT map prefixes ============= =============================================================================== **Example** This example shows how to delete the prefixes of the NAT map ``1`` from the prefix map ``10``: .. code-block:: none det snat map 1 del from prefix map 10 Enabling debug statistic counters --------------------------------- This ``sysctl`` variable enables collecting debug statistic for ``no-free-ports`` and ``session-overflow`` events. .. code-block:: none sysctl set det_snat_debug_stat 1 The ``no-free-ports`` counter is increased when a subscriber is trying to establish a new connection but there are no ``out`` ports available in the out port range reserved for the subscriber. In practice this happens when a subscriber is trying to establish a lot of connections with the same internet site. To find out the number of out ports available for a subscriber see ``ports per host`` line in the output of the `sh det snat maps`_ command. The ``session-overflow`` counter is increased when a subscriber is trying to establish a new connection but there are no available slots in the session table reserved for the subscriber. The size of the session table is configured by the ``sess`` parameter of the ``det snat create map`` command. Note that the session table can not be used 100% due to the nature of the hash table algorithm controlling the way sessions are placed into the table. The typical usage value is about 80-90%, which means that the effective size of the session table is only 80-90% of the nominal size. sh det snat debug stat ---------------------- This command outputs debug statistic counters of the Deterministic NAT module. .. code-block:: none sh det snat debug stat **Example** The response has the following format: .. code-block:: none sh det snat debug stat ip no_free_ports sess_overflows sh det snat debug stat ipv4 --------------------------- This command outputs debug statistic counters for an IPv4 address. .. code-block:: none sh det snat debug stat **Description** ============= =============================================================================== Item Description ============= =============================================================================== ipv4_address IPv4 address to output a debug statistic ============= =============================================================================== **Example** The response has the following format: .. code-block:: none sh det snat debug stat 1.1.1.1 ip no_free_ports sess_overflows det snat debug stat clear ------------------------- This command clears debug statistic counters. .. code-block:: none det snat debug stat clear Deterministic DNAT44 ==================== det snat add dnat ----------------- This command creates a DNAT rules table for a SNAT map. .. code-block:: none det snat add dnat map size **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of an existing SNAT map dnat_map_size Max. number of DNAT rules that can be stored in a DNAT table ============= =============================================================================== .. note:: The size of the DNAT table is output by the `sh det snat maps`_ command in the line ``dnat map: size``. **Example** This example shows how to create and add a DNAT rules table with a max. number of rules ``256`` to a SNAT map ``1``: .. code-block:: none det snat add dnat map 1 size 256 det snat del dnat ----------------- This command deletes a DNAT rules table from an SNAT map. .. code-block:: none det snat del dnat map **Description** ============= =============================================================================== Item Description ============= =============================================================================== map_id ID of an existing SNAT map to delete a DNAT table from ============= =============================================================================== **Example** This example shows how to delete the DNAT rules table from the SNAT map ``1``: .. code-block:: none det snat del dnat map 1 det snat add dnat rule ---------------------- This command adds a new DNAT rule. .. note:: | This command (within the Deterministic DNAT44 framework) has limitations on the value of the ``out`` port. When creating a DNAT rule, you have to use an ``out`` port number from the port range reserved for the internal IP address used in the rule. | To find out that range, use `sh det snat mapping alg in`_ command. .. code-block:: none det snat add dnat rule map out in **Description** ============== =============================================================================== ======= Item Description Value ============== =============================================================================== ======= map_id ID of an existing SNAT map addr:port_out Translated/out IPv4 address and port of the translation addr:port_in IPv4 address and port of the internal endpoint of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============== =============================================================================== ======= **Example** To add a rule for the internal address ``10.11.1.11``, first of all it is necessary to find out the valid range of values of the out port using the command ``sh det snat mapping alg``: .. code-block:: none sh det snat mapping alg map 1 in 10.11.1.11 in 10.11.1.11 -> out 10.114.0.0 ports 23200 - 25215 In the example above, we can see the range of ports ``23200 - 25215`` from which we can select a value for the rule. Taking it into consideration, the following example shows how to create a new DNAT rule in the SNAT map ``1`` to translate out address and port ``10.114.0.0:23200`` into internal address and port ``10.11.1.11:63140``: .. code-block:: none det snat add dnat rule map 1 out 10.114.0.0:23200 in 10.11.1.11:63140 tcp det snat del dnat rule ---------------------- This command deletes a DNAT rule. .. code-block:: none det snat del dnat rule map out **Description** ============== =============================================================================== ======= Item Description Value ============== =============================================================================== ======= map_id ID of a SNAT map to delete a rule from addr:port_out Translated/out IPv4 address and port of the translation ip_proto Name of IPv4 protocol | icmp | tcp | udp | gre ============== =============================================================================== ======= **Example** This example shows how to delete a DNAT rule with an out/translated address and port value ``10.114.0.0:23200`` from the SNAT map ``1``: .. code-block:: none det snat del dnat rule map 1 out 10.114.0.0:23200 tcp sh det dnat rules ----------------- This command outputs DNAT rules. .. code-block:: none sh det dnat rules map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a SNAT map to output the rule ============== =============================================================================== **Example** The response has the following view: .. code-block:: none sh det dnat rules map 1 out addr:port int addr:port proto 10.124.0.0:23201 10.102.1.11:63141 tcp 10.124.0.0:23200 10.102.1.11:63140 tcp NAT44 1:1 ========= **NAT44 1:1** is used to assign to a subscriber his own unique IP address so that an ingress connection to the subscriber can be initiated by an Internet host. To activate NAT44 1:1, you need to perform these steps in the following order: 1. Create a map (`nat11 create map`_). 2. Enable NAT44 1:1 function on a VIF (`nat11 vif enable`_). 3. Add a map to a VIF (`nat11 add map`_). These step's order and corresponding commands are mandatory. The rest are used for additional configuration. **Example** This example shows the order in which the required commands should be executed: .. code-block:: none nat11 create map 1 in 10.11.1.0/24 size 1024 sess 4096 nat11 vif v20 enable nat11 vif v20 add map 1 nat11 create map ---------------- This command creates a map to translate one set of IPv4 addresses into another using 1:1 relations. .. code-block:: none nat11 create map in / size sess **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= map_id ID of a NAT44 1:1 map to create addr_in IPv4 address of host from ``in`` network mask Subnet mask map_size Max. number of 1:1 translation rules sess_per_host Max. number of sessions per ``in`` network's host A power of 2 ================ =============================================================================== ============= .. note:: The optimal maximum number of NAT sessions for a residential subscriber with 3-4 devices is 4096, which is set up by the ``sess`` parameter. **Example** This example shows how to create a map ``1`` translating internal addresses ``10.11.1.0/24`` with a maximum number of sessions per host ``4096``: .. code-block:: none nat11 create map 1 in 10.11.1.0/24 size 1024 sess 4096 nat11 delete map ---------------- This command deletes a translation map. .. code-block:: none nat11 del map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a NAT44 1:1 map to delete ============== =============================================================================== **Example** This example shows how to delete the translation map ``1``: .. code-block:: none nat11 del map 1 nat11 vif enable ---------------- This command enables the NAT44 1:1 function on a VIF. .. code-block:: none nat11 vif enable **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to enable the NAT44 1:1 function ============== =============================================================================== **Example** This example shows how to enable the NAT44 1:1 on the VIF ``v20``: .. code-block:: none nat11 vif v20 enable nat11 vif disable ----------------- This command disables the NAT44 1:1 function on a VIF. .. code-block:: none nat11 vif enable **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to disable the NAT44 1:1 function ============== =============================================================================== **Example** This example shows how to disable the NAT44 1:1 on the VIF ``v20``: .. code-block:: none nat11 vif v20 disable nat11 add map ------------- This command adds a map to a VIF. Once a map is added to a VIF and NAT44 1:1 function is enabled, the VIF will start performing NAT44 1:1 translations according to the map's parameters. .. code-block:: none nat11 vif add map **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to add a translation map map_id ID of a map to add to a VIF ============== =============================================================================== **Example** This example shows how to add the NAT44 1:1 map ``1`` to the VIF ``v20``: .. code-block:: none nat11 vif v20 add map 1 nat11 del map ------------- This command deletes a translation map from a VIF. .. code-block:: none nat11 vif del map **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to delete a translation map map_id ID of a map to delete from a VIF ============== =============================================================================== **Example** This example shows how to delete the NAT44 1:1 map ``1`` from the VIF ``v20``: .. code-block:: none nat11 vif v20 del map 1 nat11 add translation rule -------------------------- This command adds a NAT 1:1 translation rule to a map. .. code-block:: none nat11 rule add map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to add a rule addr_in IPv4 address of host from ``in`` network addr_out Translation (out) IPv4 address ============== =============================================================================== **Example** This example shows how to add a rule translating the in IP address ``10.0.0.1`` to the out IP address ``10.114.0.5`` to the map ``1``: .. code-block:: none nat11 rule add map 1 10.0.0.1 10.114.0.5 nat11 del translation rule -------------------------- This command deletes a NAT44 1:1 translation rule from a map. .. code-block:: none nat11 rule del map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to delete a rule addr_in IPv4 address of host from ``in`` network to delete a rule ============== =============================================================================== **Example** This example shows how to delete the translation rule for the in IP address ``10.0.0.1`` from the map ``1``: .. code-block:: none nat11 rule del map 1 10.0.0.1 nat11 close host session in --------------------------- This command closes and deletes a NAT session with a particular internal and external endpoints values. .. code-block:: none nat11 close sess map in ext **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to close and delete a session addr:port_in IPv4 address and port of the internal endpoint of the translation addr:port_ext IPv4 address and port of the external endpoint of the translation ============== =============================================================================== **Example** This example shows how to close and delete the NAT session with internal endpoint ``10.11.1.10:63140`` and external endpoint ``13.94.102.123:443``: .. code-block:: none nat11 close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443 sh nat11 maps ------------- This command outputs information on all translation maps. .. code-block:: none sh nat11 maps **Example** The response has the following format: .. code-block:: none sh nat11 maps NAT11 map map id: 1 internal net: 192.168.2.0/24 size: 1024 active sessions: 1 sessions per host: 4096 state counters: unknown: 0 active: 0 syn_sent: 0 established: 0 fin_wait: 0 close_wait: 0 closing: 0 last_ack: 0 closed: 0 icmp_active: 1 dns: 0 gre: 0 show nat11 translation rules ---------------------------- This command outputs NAT44 1:1 rules. .. code-block:: none sh nat11 rules map **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to output NAT44 1:1 rules ============== =============================================================================== **Example** The response has the following format: .. code-block:: none sh nat11 rules map 1 internal addr translated addr 192.168.2.20 10.114.0.0 sh nat11 sessions ----------------- This command outputs translation sessions of a host. .. code-block:: none sh nat11 sessions map in **Description** ============== =============================================================================== Item Description ============== =============================================================================== map_id ID of a map to output sessions addr_in IPv4 address of host from ``in`` network ============== =============================================================================== **Example** The response has the following format: .. code-block:: none sh nat11 sessions map 1 in 192.168.2.20 in addr:port out addr:port ext addr:port state expire in secs 192.168.2.20:63838 10.114.0.0:63838 8.8.8.8:0 icmp icmp_active 28 NAT Policy ========== **NAT Policy** functions allow using different NAT maps for different packets. The decision on which map to use to translate a particular packet is based on packet data and is made using various packet classification tools such as prefix map, IP set, etc. A NAT policy is a sorted list of policy rules. The rules are processed in the order of their position in the list until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. As matching criteria, the rule can use one of the classification tools. Once a match is found, packet is translated by a NAT map defined by the matching rule. The general procedure for activating the NAT policy is as follows: 1. Create a NAT policy (`nat policy add`_). 2. Add NAT policy rules. There are 3 types of rules configuration: - using prefixes: `nat policy prefix rule add`_ - using a prefix map: `nat policy add prefix map rule`_ - using an IP set: `nat policy ipset rule add`_ 3. Add a NAT policy to a VIF (`nat policy vif add`_). In particular, in practice, it may be appropriate to use NAT policy rules based on the **Prefix map** classification. The Prefix map classification algorithm is based on the LPM (Longest Prefix Match) algorithm, therefore such a rule allows to translate more specific internal IP subnets using a different NAT map. Such a need may arise when one of the out/public IP addresses of a NAT map should be excluded from operation due to various reasons such as ban. **Example** Consider a scenario where there is a Deterministic SNAT map 10 that translates the internal prefix 10.0.0.0/16 into the out prefix 1.1.1.0/24. To exclude the out (public) IP address 1.1.1.0 from operation: 1. Create a second Deterministic SNAT map 20 with the internal prefix equal to the first map's internal prefix matching the excluded translated IP 1.1.1.0. 2. Create a prefix map. 3. Add both SNAT maps internal and out prefixes to the created prefix map with values equal to the corresponding NAT map ID. 4. Create a NAT policy rule based on the created prefix map. As a result the banned out/public IP 1.1.1.0 will be excluded and the affected internal IP addresses will be translated using the public IP 2.2.2.2. .. code-block:: none det snat create map 10 in 10.0.0.0/16 out 1.1.1.0/24 sess 4096 det snat create map 20 in 10.0.0.0/24 out 2.2.2.2/32 sess 4096 prefix map create 1 det snat map 10 add to prefix map 1 det snat map 20 add to prefix map 1 nat policy add 1 nat policy rule add 1 pos 10 from prefix map 1 map snat44 sh nat policy ------------- This command outputs NAT policy rules. .. code-block:: none sn nat policy **Example** The response has the following format: .. code-block:: none sh nat policy nat policy id 1: nat policy rules: 10: from prefix map 2 -> nat map snat44 100: from ipset nat_ipset -> nat map snat1to1:10 nat policy add -------------- This command creates a new NAT policy. .. code-block:: none nat policy add **Description** ============== =============================================================================== Item Description ============== =============================================================================== policy_id ID of a NAT policy to create ============== =============================================================================== **Example** This example shows how to create a NAT policy with the ID number ``1``: .. code-block:: none nat policy add 1 nat policy del -------------- This command deletes a NAT policy. .. code-block:: none nat policy del **Description** ============== =============================================================================== Item Description ============== =============================================================================== policy_id ID of a NAT policy to delete ============== =============================================================================== **Example** This example shows how to delete a NAT policy with the ID number ``1``: .. code-block:: none nat policy del 1 nat policy prefix rule add -------------------------- This command adds a new rule to a NAT policy. This rule uses a **prefix** to match packet's IP address. .. code-block:: none nat policy rule add pos from prefix / map **Description** ============== =============================================================================== ========== Item Description Value ============== =============================================================================== ========== policy_id ID of a NAT policy to add a rule number Position number (priority) in the list of rules prefix IPv4 prefix to add mask Subnet mask nat_map_type NAT map type | snat44 | snat1to1 | det_snat44 nat_map_id ID of a NAT map to use ============== =============================================================================== ========== **Example** This example shows how to add a rule with the position number ``10`` to the NAT policy ``1``, for the prefix ``10.0.0.0/24`` to apply the SNAT44 map ``2``: .. code-block:: none nat policy rule add 1 pos 10 from prefix 10.0.0.0/24 map snat44 2 nat policy add no-nat prefix rule --------------------------------- This command adds a new rule to a NAT policy. This kind of rule instructs BisonRouter not to use NAT for packets that match the rule's conditions. This rule uses a **prefix** to match the packet's IP address. I.e. the rule configures BisonRouter not to use NAT for egress packets destinated to the rule's prefix as well as ingress packets originated from the same prefix. .. code-block:: none nat policy rule add pos to prefix / no nat **Description** ============== =============================================================================== ========== Item Description Value ============== =============================================================================== ========== policy_id ID of a NAT policy to add a rule number Position number (priority) in the list of rules prefix IPv4 prefix mask Subnet mask ============== =============================================================================== ========== **Example** This example shows how to add a rule with the position number ``6`` to the NAT policy ``1``. The rule configures BisonRouter not to use NAT for egress packets destinated to a prefix ``15.0.0.0/32`` as well as ingress packets originated from the same prefix: .. code-block:: none nat policy rule add 1 pos 6 to prefix 15.0.0.0/32 no nat nat policy add prefix map rule ------------------------------ This command adds a rule to a NAT policy. This rule uses a `Prefix map`_ classification to determine what NAT map to be used. First, **Bison Router** uses a prefix map to look up for the prefix matching the IP address of the packet. Then the prefix map value associated with the found prefix is used as the NAT map ID to translate the packet. .. code-block:: none nat policy rule add pos from prefix map map [] **Description** ============== =============================================================================== ========== Item Description Value ============== =============================================================================== ========== policy_id ID of a NAT policy to add a rule number Position number (priority) in the list of rules prefix_map_id ID of an existing prefix map to add to a rule nat_map_type NAT map type | snat44 | snat1to1 | det_snat44 nat_map_id | ID of a NAT map to use (Optional. When the ``nat_map_id`` value is omitted, | the prefix map values are used as NAT map ID) ============== =============================================================================== ========== **Example** This example shows how to add a rule with the position number ``20`` to the NAT policy ``1``. The rule uses the prefix map ``1`` to find out what Deterministic SNAT44 map should be used. More specifically, **Bison Router** uses the value associated with the found prefix as the NAT map ID. .. code-block:: none nat policy rule add 1 pos 20 from prefix map 1 map snat44 nat policy add no-nat prefix map rule ------------------------------------- This command adds a rule to a NAT policy. This rule configures BisonRouter not to use NAT for packets that match the rule's condition. The rule uses the `Prefix map`_ classification as a condition to select packets to process. I.e. the rule configures BisonRouter not to use NAT for the egress packets desitinated to any prefix from the rule's prefix map, as well as ingress packets originated from any prefix from the rule's prefix map. .. code-block:: none nat policy rule add pos to prefix map no nat **Description** ============== =============================================================================== ========== Item Description Value ============== =============================================================================== ========== policy_id ID of a NAT policy to add a rule number Position number (priority) in the list of rules prefix_map_id ID of a prefix map to add to a rule ============== =============================================================================== ========== **Example** This example shows how to add a rule with the position number ``5`` to the NAT policy ``1``. The rule uses the prefix map ``1`` to select packets that should not be NATed, i.e. the rule configures BisonRouter not to use NAT for the egress packets desitinated to any prefix from the prefix map 1, as well as ingress packets originated from any prefix from the prefix map 1. .. code-block:: none nat policy rule add 1 pos 5 to prefix map 1 no nat nat policy ipset rule add ------------------------- This command adds a new rule to a NAT policy. This rule uses an `IP set`_ to match packet's IP address. .. code-block:: none nat policy rule add pos from ipset map **Description** ============== =============================================================================== ========== Item Description Value ============== =============================================================================== ========== policy_id ID of a NAT policy to add a rule number Position number (priority) in the list of rules ipset_name Name of an existing IP set to add to a rule nat_map_type NAT map type | snat44 | snat1to1 | det_snat44 nat_map_id ID of a NAT map to use ============== =============================================================================== ========== **Example** This example shows how to add a rule with the position number ``100`` to the NAT policy ``1``, for the IP set ``nat_ipset`` to apply the SNAT 1-to-1 map with the ID number ``10``: .. code-block:: none nat policy rule add 1 pos 100 from ipset nat_ipset map snat1to1 10 nat policy rule del ------------------- This command deletes a rule from a NAT policy. .. code-block:: none nat policy rule del pos **Description** ============== =============================================================================== Item Description ============== =============================================================================== policy_id ID of a NAT policy to delete a rule number Position number (priority) in the list of rules ============== =============================================================================== **Example** This example shows how to delete the rule with the position number ``10`` from the NAT policy ``1``: .. code-block:: none nat policy rule add 1 pos 10 nat policy vif add ------------------ This command adds a NAT policy to a VIF. .. code-block:: none nat policy add vif **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to add a NAT policy policy_id ID of a NAT policy to add to a VIF ============== =============================================================================== **Example** This example shows how to add the NAT policy ``1`` to the VIF ``v3``: .. code-block:: none nat policy add vif v3 1 nat policy vif del ------------------ This command deletes a NAT policy from a VIF. .. code-block:: none nat policy del vif **Description** ============== =============================================================================== Item Description ============== =============================================================================== vif_name Name of a VIF to delete a NAT policy policy_id ID of a NAT policy to remove from a VIF ============== =============================================================================== **Example** This example shows how to delete the NAT policy ``1`` from the VIF ``v3``: .. code-block:: none nat policy del vif v3 1 NAT events logging - NEL ======================== Enabling NEL ------------ The NEL function is enabled by ``sysctl`` variable ``nat_events``. ====================== ========= ============================================ ================== | Variable name | Type, | Description | Value | Scope ====================== ========= ============================================ ================== nat_events | Boolean | Enables the NEL function | 1 = on | Runtime | | 0 = off ====================== ========= ============================================ ================== **Example** This example shows how to enable the NEL function: .. code-block:: none sysctl set nat_events 1 nel collector add ----------------- This command adds a NEL collector to the list of NEL collectors to send events to. NAT events are sent to all collectors on the list at the same time. .. code-block:: none nel collector add addr [port ] [proto ] [events event_type[, ...]] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a NEL collector port_number Port number of a NEL collector Default = 4739 proto_value | Supported protocols: Default = 9 | 9 - NetFlow V9 | 10 - IPFIX | 100 - syslog events | A comma separated list of type of events | Event types: | to send to a collector. Optional. When omitted | "pb" - NAT port-block events | all events are sent to a collector. | "nat_sess" - NAT session events | "others" - all other NAT events ============ =============================================================================== ======================================================= **Example** This example shows how to add a NEL collector with IP address ``10.0.0.1`` and port number ``9995``. .. code-block:: none nel collector add addr 10.0.0.1 port 9995 proto 9 events pb,nat_sess nel collector del ----------------- This command deletes a NEL collector from the list of NEL collectors to send events to. NAT events are sent to all collectors on the list at the same time. .. code-block:: none nel collector del addr [port ] [proto ] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a NEL collector port_number Port number of a NEL collector Default = 4739 proto_value | Supported protocols: Default = 9 | 9 - NetFlow V9 | 10 - IPFIX | 100 - syslog ============ =============================================================================== ======================================================= **Example** This example shows how to delete a NEL collector with IP address ``10.0.0.1`` and port number ``9995``. .. code-block:: none nel collector del addr 10.0.0.1 port 9995 proto 9 sh nel ------ This command outputs the NEL configuration. .. code-block:: none sh nel **Example** .. code-block:: none # sh nel NEL enabled: yes NEL collectors: addr port proto 192.168.1.2 9995 9 192.168.1.3 9995 9 export filters: src filter enabled: 0 src filter prefix map id: - dst filter enabled: 0 dst filter prefix map id: - nel collector addr ------------------ This command configures NEL collector address and port. .. code-block:: none nel collector addr [port ] [proto ] [events event_type[, ...]] **Description** ============ =============================================================================== ======================================================= Item Description Value ============ =============================================================================== ======================================================= ipv4_address IPv4 address of a NEL collector port_number Port number of a NEL collector Default = 4739 proto_value | Supported protocols: Default = 9 | 9 - NetFlow V9 | 10 - IPFIX | 100 - syslog events | A comma separated list of type of events | Event types: | to send to a collector. Optional. When omitted | "pb" - NAT port-block events | all events are sent to a collector. | "nat_sess" - NAT session events | "others" - all other NAT events ============ =============================================================================== ======================================================= **Example** This example shows how to set ``10.0.0.1`` IP address, ``9995`` port number and NetFlow V9 protocol for the NEL collector. .. code-block:: none nel collector addr 10.0.0.1 port 9995 proto 9 events pb,nat_sess Hairpinning =========== NAT hairpinning, also known as NAT loopback, is a feature enabling two hosts behind the same BisonRouter NAT map to communicate to each other using a NAT public IPv4 address and without sending traffic to any BisonRouter uplink ports. To enable or disable NAT loopback for SNAT44 use the following commands .. code-block:: none # enable loopback snat loopback enable map # disable loopback snat loopback disable map To enable or disable NAT loopback for Deterministic SNAT44 use the following commands .. code-block:: none # enable loopback det snat loopback enable map # disable loopback det snat loopback disable map Implementation details ---------------------- To impelement NAT loopback feature BisonRouter perform the follwings steps for each NAT map: - creates a Loopback VIF for a NAT map with enabled loopback feature; - assigns an IPv4 address 127.0.0.1 to the map's loopback VIF and create a static ARP recored for that IP adress; - routes map's public/translated IPv4 addresses to the map's loopback VIF; Those steps ensure that egress packets destinated to map's public IPv4 address will not be sent to an uplink router but instead will be immediately routed back to BR and handled as any other incoming traffic. Example .. code-block:: none # rcli snat loopback enable map 1 # rcli sh vif vif loopback_nat3_map1 id 1194 port 8, vlan 0.101, encapsulation dot1q mac address 00:00:00:00:00:01 vrf main shaper ingress not set egress not set ACL ingress not set egress not set flags NAT mtu 9000 IPv6 state is disabled IPv6 ND RA state is not advertising # rcli sh arp cache port vid ip mac type state 8 0.101 127.0.0.1 00:00:00:00:00:01 static ok # rcli sh ip route | grep loopback 10.114.0.1/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal 10.114.0.3/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal 10.114.0.4/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal # rcli sh snat maps SNAT map map id: 1 internal prefixes: 192.168.2.0/24, usage 0/256, %0 10.8.0.0/24, usage 0/256, %0 out ranges: 10.114.0.1 - 10.114.0.1, port-block usage 0/4032, %0 10.114.0.3 - 10.114.0.3, port-block usage 0/4032, %0 10.114.0.4 - 10.114.0.4, port-block usage 0/4032, %0 NAT High availability ********************* Introduction ============ A high-availability SNAT44 module enables the creation of a 2-node/server cluster that performs Network Address Translation (NAT) functions. The cluster operates in a Master-Backup mode, where one node runs as the Master and performs the SNAT44 functions, while the other node runs in Backup mode. The node in Backup mode does not process traffic or perform NAT; its sole job is to mirror the Master's SNAT44 session database and be ready to take over as the new Master if the Master node fails. Currently high-availability mode is only supported with SNAT44 maps. Master Election process ======================= In a situation where there are no designated Backup or Master nodes, such as when both nodes are starting a SNAT44 HA cluster for the first time and have not yet decided their roles, an initial election process takes place. The node with the higher priority wins the initial election process. The priority of a node is an administratively assigned value. In a situation where only one node is currently running and performing the Master role, and the second node has just been powered on or configured to run in HA mode, the current Master retains its role even if its priority is lower than that of the second node. In this case, the second node always becomes the Backup node. Swithing the Master role ======================== It is possible to switch the roles of nodes in a running cluster using an RCLI command. To do this, an administrator should run the command 'snat ha group transfer master' on the Backup node. After executing this command, the Backup node will become the new Master node, and the old Master node will become the new Backup node. When a Master node becomes a Backup node it first resets the NAT map, deletes all existings NAT sessions and starts replicating the new Master's NAT session database. A replication process takes some time to complete. SNAT44 session database synchronization ======================================= Whenever the Master node creates a new NAT TCP session in the 'established' state or a UDP session in the 'active' state, it sends an update message to the Backup node. The Backup node listens for these update messages and updates its NAT session database accordingly, creating identical NAT sessions. The expiration time of the Backup NAT sessions is ignored. A Backup NAT session can only be deleted either manually or when the corresponding Master session is deleted. ARP === The HA module takes control of the ARP protocol for the IP addresses associated with an HA group. Only the Master node responds to ARP requests, while Backup nodes ignore ARP requests for HA group IP addresses. Upon becoming the Master, a node sends gratuitous ARP replies for the IP addresses of the HA group. By default, BisonRouter uses virtual MAC addresses for the nodes' IP addresses. However, some hardware does not support adding additional MAC addresses. To accommodate this, the behavior can be disabled using the sysctl variable 'vrrp_dont_use_virtual_mac_for_arp'. A virtual MAC address is based solely on the HA group ID and is identical on both cluster nodes. sysctl set vrrp_dont_use_virtual_mac_for_arp 0 When this feature is disabled, BisonRouter uses the NIC's original MAC address with the HA group IP addresses. NAT operations ============== Only the Master node performs NAT operations on the traffic. The Backup node is transparent from a NAT perspective. Configuration examples ====================== Master node .. code-block:: none # # HA # # create a p-t-p link to the other HA node vif add name ha_link port 2 type untagged ip addr add 10.100.100.2/28 dev ha_link # disable usage of virtual MAC addresses sysctl set vrrp_dont_use_virtual_mac_for_arp 1 # # configure the HA module to use VIF 'ha_link' as a virutual vlan link to # communicate with the neighbour HA node # snat ha init dev ha_link # create a HA group with ID 10 snat ha create group 10 prio 100 neighbor 10.100.100.3 map 1 # # add an existing IP address 192.168.1.1 to the group # note: the IP address should be already created # snat ha group 10 add ip 192.168.1.1 # # start the HA group # snat ha group 10 enable Backup node .. code-block:: none # # HA # # create a p-t-p link to the other HA node vif add name ha_link port 2 type untagged ip addr add 10.100.100.3/28 dev ha_link # disable usage of virtual MAC addresses sysctl set vrrp_dont_use_virtual_mac_for_arp 1 # # configure the HA module to use VIF 'ha_link' as a virutual vlan link to # communicate with the neighbour HA node # snat ha init dev ha_link # create a HA group with ID 10 snat ha create group 10 prio 50 neighbor 10.100.100.3 map 1 # # add an existing IP address 192.168.1.1 to the group # note: the IP address should be already created # snat ha group 10 add ip 192.168.1.1 # # start the HA group # snat ha group 10 enable Status of HA groups .. code-block:: none rcli sh snat ha groups group id: 10 snat44 map id: 1 state: master prio: 100 sync list size: 0 unsync list size: 0 backup list size: 0 neighbor ip: 10.100.100.3 neighbor prio: 50 neighbor state: backup source ip: 10.100.100.2 max entries: 3000000 flags: IP addresses: 192.168.1.1 pkt counters: rx: 0 tx: 21 restransmits: 0 ack rx: 27 ack tx: 0 nack rx: 0 nack tx: 0 error counters: sess add failures: 0 sess del failures: 0 db add failures: 0 db del failures: 0 high-availability commands ========================== snat ha init ------------ This command initializes the SNAT High availability module. .. code-block:: none snat ha init dev **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= vif_name | Name of an existing Virtual Interface (VIF) to use for communicating | with the group's neighbor node. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha init dev ha_link snat ha create group -------------------- This command creates a SNAT high-availability group. The group consists of two server nodes (neighbors) communicating with each other. .. code-block:: none snat ha create group prio neighbor map **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= group_id ID of a high-availability group. Numeric value. prio Group's priority. ip_addr IP address of the neighbor node. snat44_map_id ID of SNAT44 map to controll by the group. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha create group 10 prio 100 neighbor 10.100.100.3 map 1 snat ha destroy group --------------------- This command destroys a SNAT high-availability group. .. code-block:: none snat ha destroy group **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= group_id ID of a high-availability group. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha destroy group 10 snat ha add/del ip ------------------ This command adds or deletes an IP address to/from a group. ARP behavior of addresses added to the group is controlled by group and depends on the group's state. .. code-block:: none snat ha group add ip snat ha group del ip **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= group_id ID of a high-availability group. ip_addr An existing IP address assigned to a VIF to be controlled by the group. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha group 10 add ip 192.168.1.1 snat ha group 10 del ip 192.168.1.1 snat ha group enable/disable ---------------------------- This command enables or disables a SNAT high-availability group. .. code-block:: none snat ha group enable|disable **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= group_id ID of a high-availability group. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha group 10 enable snat ha group transfer master ----------------------------- This command starts a master trasfer procedure. The command is supposed to be run at a backup node in order the node to become a new master and take control over IP addresses added to the group and SNATT44 map associated with the group. .. code-block:: none snat ha group transfer master **Description** ================ =============================================================================== ============= Item Description Value ================ =============================================================================== ============= group_id ID of a high-availability group. ================ =============================================================================== ============= **Example** .. code-block:: none snat ha group 10 transfer master RADIUS ****** This section is dedicated to the operation of **Bison Router** within the RADIUS protocol described in `RFS 2865 `_. RADIUS and CoA ============== radius_client create -------------------- This command creates a new RADIUS client. .. code-block:: none radius_client create **Description** ============== =============================================================================== Item Description ============== =============================================================================== client_id ID number of a client to create ============== =============================================================================== .. Note:: The RADIUS client with the ID number 0 is created by default. It will be used by default in other commands of the section if the ID is omitted. **Example** This example shows how to create a RADIUS client with the ID number ``1``: .. code-block:: none radius_client create 1 radius_client add server ------------------------ This command adds a RADIUS server to the list of servers. RADIUS requests will be sent to servers a the round-robin way. .. note:: The maximum number of servers in the list is 8. The default port number is 1812. .. code-block:: none radius_client [] add server [port ] [secret <"secret">] **Description** ============== =============================================================================== Item Description ============== =============================================================================== client_id | ID number of a client to add a server. Optional, if omitted, | the default client is used. ip_address Server IP address port Server port number. Optional, if omitted, the default number is used. secret RADIUS shared secret. Optional, if omitted, the radius client secret is used. ============== =============================================================================== **Example** This example shows how to add a server with the IP address ``192.168.5.2`` and the port number ``1612`` to the default RADIUS client server list: .. code-block:: none radius_client add server 192.168.5.2 port 1612 radius_client del server ------------------------ This command deletes a RADIUS server from the list of servers. .. code-block:: none radius_client [] del server [port ] **Description** ============== ================================================================================ Item Description ============== ================================================================================ client_id | ID number of a client to delete a server. Optional, if omitted, | the default client is used. ip_address Server IP address port Server port number. Optional, if omitted, the default number is used. ============== ================================================================================ **Example** This example shows how to delete a server with the IP address ``192.168.5.2`` and the port number ``1612`` from the default RADIUS client server list: .. code-block:: none radius_client del server 192.168.5.2 port 1612 radius_client add src ip ------------------------ This command adds an IP address to the list of source IP addresses that will be used by **Bison Router** RADIUS client to send RADIUS requests. A source IP address must be assigned to a VIF. .. code-block:: none radius_client [] add src ip **Description** ============== ================================================================================ Item Description ============== ================================================================================ client_id | ID number of a client add a source IP address. Optional, if omitted, | the default client is used. ip_address Source IP address ============== ================================================================================ **Example** This example shows how to add a source IP address ``192.168.5.111`` to the list of source IP addresses of the default client: .. code-block:: none radius_client add src ip 192.168.5.111 radius_client set secret ------------------------ This command sets a RADIUS client's shared secret. .. code-block:: none radius_client [client_id] set secret "" **Description** ============== ================================================================================ ====================== Item Description Value ============== ================================================================================ ====================== client_id | ID number of a client to set a secret. Optional, if omitted, | the default client is used. secret RADIUS shared secret | 256 bytes max., | case sensitive ============== ================================================================================ ====================== **Example** This example shows how to set a shared secret ``1234abcd`` for the default client: .. code-block:: none radius_client set secret "1234abcd" coa server set secret --------------------- This command sets a RADIUS CoA server's shared secret. .. code-block:: none coa server set secret "" **Description** ============== ================================================================================ ====================== Item Description Value ============== ================================================================================ ====================== secret RADIUS shared secret | 256 bytes max., | case sensitive ============== ================================================================================ ====================== **Example** This example shows how to set the CoA server's shared secret ``abcd1234``: .. code-block:: none coa server set secret "abcd1234" sh radius client ---------------- This command outputs RADIUS clients settings. .. code-block:: none sh radius client **Example** The response has the following format: .. code-block:: none sh radius client radius client 0 src ip addresses: 192.168.1.1 auth secret: xxx auth servers: ip 192.168.1.20 port 1812, dead: no, secret: accounting secret: xxx accounting servers: ip 192.168.1.2 port 1813, dead: no, secret: radius client 1 src ip addresses: 192.168.1.1 auth secret: undefined auth servers: ip 192.168.1.2 port 1812, dead: no, secret: xxx accounting secret: undefined accounting servers: ip 192.168.1.2 port 1813, dead: no, secret: xxx RADIUS Accounting ================= radius_client set secret ------------------------ This command sets a RADIUS accounting client's shared secret. .. code-block:: none radius_client set accounting secret "" **Description** ============== ================================================================================ ================= Item Description Value ============== ================================================================================ ================= secret RADIUS shared secret | 256 bytes max., | case sensitive ============== ================================================================================ ================= **Example** This example shows how to set the RADIUS accounting client's shared secret ``1234abcd``: .. code-block:: none radius_client set accounting secret "1234abcd" radius_client add accounting server ----------------------------------- This command adds a new RADIUS accounting server to the list of servers. RADIUS requests will be sent to servers in a round-robin way. Maximum number of servers in the list is 8. Default port number is 1813. .. code-block:: none radius_client add accounting server [port ] [secret <"secret">] **Description** ============== =================================================================================== Item Description ============== =================================================================================== client_id | ID number of a client to add an accounting server. Optional, if omitted, | the default client is used. ip_address Accounting server IP address port Accounting server port number. Optional, if omitted, the default number is used. secret RADIUS shared secret. Optional, if omitted, the radius client secret is used. ============== =================================================================================== **Example** This command shows how to add the accounting server with the IP address ``192.168.5.2`` and the port number ``1813``: .. code-block:: none radius_client add accounting server 192.168.5.2 port 1813 Radius sysctl variables ======================= ================================= ========= ============================ ================== | Variable name | Type, | Description | Value | Scope ================================= ========= ============================ ================== radius_initial_retransmit_timeout | Integer | Initial RADIUS retransmit | ms | Runtime | timeout | Default = 500 | Min = 200 | Max = UINT16_MAX radius_num_retransmit | Integer | Number of RADIUS | Default = 3 | Runtime | retransmits | Min = 1 | Max = 16 ================================= ========= ============================ ================== Radius accounting sysctl variables ================================== ================================= ========= ============================ ================== | Variable name | Type, | Description | Value | Scope ================================= ========= ============================ ================== radius_accounting | Boolean | Globally enables/disables | Default = off | Runtime | the RADIUS accounting | 1 - on | 0 - off ================================= ========= ============================ ================== .. note:: the ``vif_stat`` sysctl variable should be set to 1, otherwise accounting request's packets and bytes counters will contain zero values. =================================== ========= ================================ ================== radius_accounting_interim | Boolean | Enables/disables RADIUS | Default = off | Runtime | accounting interim requests | 1 - on | 0 - off radius_accounting_interim_interval | Integer | Sets the interval for sending | sec | Runtime | interim requests | Default = 60 | Min = 5 | Max = UINT16_MAX =================================== ========= ================================ ================== Bison Router VSA ================ RADIUS Attribute Dictionary for FreeRADIUS: .. code-block:: none VENDOR TheRouter 12345 BEGIN-VENDOR TheRouter ATTRIBUTE therouter_ingress_cir 1 integer ATTRIBUTE therouter_engress_cir 2 integer ATTRIBUTE therouter_ipv4_addr 3 integer ATTRIBUTE therouter_ipv4_mask 4 integer ATTRIBUTE therouter_outer_vid 5 integer ATTRIBUTE therouter_inner_vid 6 integer ATTRIBUTE therouter_ip_unnumbered 7 integer ATTRIBUTE therouter_port_id 8 integer ATTRIBUTE therouter_ipv4_gw 9 integer ATTRIBUTE therouter_pbr 10 integer ATTRIBUTE therouter_install_subsc_route 17 integer ATTRIBUTE therouter_subsc_ttl 18 integer ATTRIBUTE therouter_subsc_static_arp 19 integer ATTRIBUTE therouter_subsc_proxy_arp 20 integer ATTRIBUTE therouter_subsc_rp_filter 21 integer ATTRIBUTE therouter_shaper_ingress_params 23 string ATTRIBUTE therouter_shaper_egress_params 24 string ATTRIBUTE therouter_subsc_addr_prefix_map_id 25 integer ATTRIBUTE therouter_subsc_addr_prefix_map_value 26 integer END-VENDOR TheRouter therouter_ingress_cir --------------------- | Ingress CIR (committed information rate) - kbit/s. | It's used to limit the bandwidth available for any type of subscribers. Ingress direction means the direction from the subscriber to the **Bison Router** interface. therouter_egress_cir -------------------- | Egress CIR (committed information rate) - kbit/s. | It's used to limit the bandwidth available for any type of subscribers. Egress direction means the direction from **Bison router** to the subscriber. therouter_subsc_ttl ------------------- Subscriber's session time to live - sec. therouter_install_subsc_route ----------------------------- The value ``1`` of this attribute instructs **Bison Router** to add the subscriber IPv4 address /32 prefix into the main routing table. therouter_subsc_static_arp -------------------------- The value ``1`` of this attribute instructs **Bison Router** to set a static ARP record for a L2 subscriber. therouter_subsc_proxy_arp ------------------------- The value ``1`` of this attribute instructs **Bison Router** to enable the Proxy ARP on dynamic VIFs (VLAN per subscriber). .. note:: To enable the Proxy ARP for L2 subscribers, the ``proxy_arp`` flag should be used in the `vif add`_ command while creating a VIF, or in the `vif flags`_ after its creation. therouter_subsc_rp_filter ------------------------- The value ``1`` of this attribute instructs **Bison Router** to enable the Reverse Path Filter on dynamic VIFs (VLAN per subscriber). .. note:: To enable the Reverse Path Filter for L2 subscribers, the ``rpf`` flag should be used in the `vif add`_ command while creating a VIF, or in the `vif flags`_ after its creation. therouter_shaper_ingress_params ------------------------------- therouter_shaper_egress_params ------------------------------ The following description is relevant for both ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` attributes. These attributes contain a string with the parameters for subscriber's ingress/egress QoS discipline. The string format depends on the type of QoS discipline, but must always start with an integer indicating the QoS type. ============== =================================================================================== Value QoS type ============== =================================================================================== 1 | General policer. The default QoS type, no need to use | ``therouter_shaper_ingress_params`` or ``therouter_shaper_egress_params``. | Use ``therouter_ingress_cir`` and ``therouter_egress_cir`` attributes for its | configuration 2 | Multi-policer. The multi-policer applies different bandwidth limits depending on | the packet src/dst IP address. QoS of this type is configured using | ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` attributes 4 DPDK QoS scheduler 6 DSCP policer ============== =================================================================================== **Multi-policer** The format of ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` attribute values for the multi-policer is as follows: .. code-block:: none <2/nb_policers/limit1/limit2/../prefix_map_id/prefix_map_mode> **Description** +-----------------+---------------------------------------------------------------+ | Item | Description | +=================+===============================================================+ | nb_policers | Number of policers | +-----------------+---------------------------------------------------------------+ | limit1 | Bandwidth limit of policer 1 | +-----------------+---------------------------------------------------------------+ | limit2 | Bandwidth limit of policer 2. Optional. | +-----------------+---------------------------------------------------------------+ | prefix_map_id | ID of a prefix map to classify a packet | | | and to select a policer | +-----------------+---------------------------------------------------------------+ | prefix_map_mode || Prefix map's mode of operation: | | || 0 - use packet's src IP address to find a match | | || 1 - use packet's dst IP address to find a match | +-----------------+---------------------------------------------------------------+ **DPDK QoS Scheduler** The value ``4`` of the attributes ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` is DPDK based QoS discipline. The format of ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` attribute values for this QoS is as follows: .. code-block:: none <4/nb_ports/port1,profile1/port2,profile2/../prefix_map_id/prefix_map_mode> **Description** +-----------------+---------------------------------------------------------------+ | Item | Description | +=================+===============================================================+ | nb_ports | Number of QoS scheduler ports/pipes to allocate | | | for a subscriber | +-----------------+---------------------------------------------------------------+ | port1 | QoS scheduler port number for traffic direction #1 | +-----------------+---------------------------------------------------------------+ | profile1 | Profile ID for port1 | +-----------------+---------------------------------------------------------------+ | prefix_map_id | ID of a prefix map to classify a packet | +-----------------+---------------------------------------------------------------+ | prefix_map_mode || Prefix map's mode of operation: | | || 0 - use packet's src IP address to find a match | | || 1 - use packet's dst IP address to find a match | +-----------------+---------------------------------------------------------------+ **DSCP policer** DSCP policer is a type of of QoS discipline used to apply different traffic policer depending on IP packet's DSCP field value. A DSCP policer may consist of several sub policers (simple policers). Decision on which sub policer to use with a packet is made based on the packet's IP DSCP value and on a DSCP map. The DSCP map translates DSCP values into sub policer numbers. DSCP policers can only be created for subscriber interfaces. The format of ``therouter_shaper_ingress_params`` and ``therouter_shaper_egress_params`` attribute values for the DSCP policer is as follows: .. code-block:: none <6/nb_policers/limit1/limit2/..> **Description** +-----------------+---------------------------------------------------------------+ | Item | Description | +=================+===============================================================+ | nb_policers | Number of policers | +-----------------+---------------------------------------------------------------+ | limit1 | Bandwidth limit of policer 1 | +-----------------+---------------------------------------------------------------+ | limit2 | Bandwidth limit of policer 2 | +-----------------+---------------------------------------------------------------+ therouter_subsc_addr_prefix_map_id ---------------------------------- This attribute instructs BisonRouter to add subscriber's IPv4 address to the prefix map with the given ID upon subscriber connection and to delete subscriber's IPv4 address from the prefix map after the subscriber has been disconnected. therouter_subsc_addr_prefix_map_value ------------------------------------- Defines a value associated with the subscriber's IPv4 address added to a prefix map. See the description of the therouter_subsc_addr_prefix_map_id attribute. IP pools ******** IPv4 pools ========== ip pool add ----------- This command adds a new IPv4 pool. .. code-block:: none ip pool add **Description** ============== ========================================== ================================================ Item Description Value ============== ========================================== ================================================ ip_pool_name Name of an IP pool to create | Must start with a letter. | Max. pool name length is 16 characters. ============== ========================================== ================================================ **Example** This example shows how to create a new IPv4 pool named ``pool2``: .. code-block:: none ip pool add pool2 ip pool del ----------- This command deletes an IPv4 pool. .. code-block:: none ip pool del **Description** ============== ========================================== Item Description ============== ========================================== ip_pool_name Name of an IP pool to delete ============== ========================================== **Example** This example shows how to delete the IPv4 pool named ``pool2``: .. code-block:: none ip pool del pool2 ip pool add range ----------------- This command adds an IP address range to a pool. .. code-block:: none ip pool add range - **Description** ============== =================================================================================== Item Description ============== =================================================================================== ip_pool_name Name of an IP pool to add an IP address range ip_addr_from The first IPv4 address of the range ip_addr_to The last IPv4 address of the range ============== =================================================================================== **Example** This example shows how to add the IP range 1.1.1.10-1.1.1.20 to the IP pool ``pool2``: .. code-block:: none ip pool add range pool2 1.1.1.10 - 1.1.1.20 ip pool del range ----------------- This command deletes an IP address range from a pool. .. code-block:: none ip pool del range - **Description** ============== =================================================================================== Item Description ============== =================================================================================== ip_pool_name Name of an IP pool to delete an IP address range ip_addr_from The first IPv4 address of the range ip_addr_to The last IPv4 address of the range ============== =================================================================================== **Example** This example shows how to delete the IP range 1.1.1.10-1.1.1.20 from the IP pool ``pool2``: .. code-block:: none ip pool del range pool2 1.1.1.10 - 1.1.1.20 sh ip pool ---------- This command outputs information about an IPv4 pool. .. code-block:: none sh ip pool **Example** The response has the following format: .. code-block:: none sh ip pool --- name pool_1 addresses 192.168.2.10 - 192.168.2.100 free 91 used 0 router 192.168.2.1 mask /16 broadcast 192.168.255.255 mtu 1500 lease time 600 secs dns 8.8.8.8 dns 8.8.4.4 IP pools sysctl variables ========================= ====================== ========= ============================================ ================== | Variable name | Type, | Description | Value | Scope ====================== ========= ============================================ ================== ippool_cache_size | Integer | Startup Size of the IP pool's global pool cache | Default = 4096 | Min = 1024 | Max = UINT32_MAX ippool_cache_entry_ttl | Integer Time to live of an IP pool cache entry | sec | Runtime | Default = 60 | Min = 1 | Max = 259200 ====================== ========= ============================================ ================== IPv6 pools ========== ipv6 pool add ------------- This command creates a new IPv6 address pool. .. code-block:: none ipv6 pool add length [preferred_lt ] [valid_lt ] [flags ] **Description** ============== ============================================ ================================================ Item Description Value ============== ============================================ ================================================ ip_pool_name Name of an IPv6 pool to create | Must start with a letter. | Max. pool name length is 16 characters. ipv6_prefix A pool's address space length Length of prefixes allocated from a pool preferred_lt | The time interval that a valid address | sec | is preferred (i.e., the time until | Default value is 604800 seconds (7 days) | deprecation). When expires, the address | | becomes deprecated. | valid_lt | The time interval during which an address | sec | remains in a valid state (i.e., the time | Default value is 2592000 seconds (30 days) | until invalidation). | valid_lt ⩾ preferred_lt flags | rand - allocates random values. rand, cache | | cache - an address/prefix is reserved for | a ``valid_lt`` period for the user | allocated the value; during this interval, | the subscriber will be provided with | the same address/prefix if he reconnects. | After ``valid_lt`` have elapsed, | and the address/prefix is not used, | it will be returned back to the pool. ============== ============================================ ================================================ **Example** This example shows how to create a new IPv6 pool named ``ppp6_slaac_pool``: .. code-block:: none ipv6 pool add ppp6_slaac_pool xxx::/48 length 64 preferred_lt 3600 valid_lt 7200 flags rand,cache ipv6 pool del ------------- This command deletes an IPv6 pool. .. code-block:: none ipv6 pool del **Description** ============== ========================================== Item Description ============== ========================================== ip_pool_name Name of an IPv6 pool to delete ============== ========================================== **Example** This example shows how to delete the IPv6 pool named ``ppp6_slaac_pool``: .. code-block:: none ipv6 pool del ppp6_slaac_pool ipv6 pool modify ---------------- This command modifies an existing IPv6 pool lifetime values. .. code-block:: none ipv6 pool modify valid_lt preferred_lt **Description** ============== ============================================ ================================================ Item Description Value ============== ============================================ ================================================ ip_pool_name Name of an IPv6 pool to modify preferred_lt | The time interval that a valid address | sec | is preferred (i.e., the time until | Default value is 604800 seconds (7 days) | deprecation). When expires, the address | | becomes deprecated. | valid_lt | The time interval during which an address | sec | remains in a valid state (i.e., the time | Default value is 2592000 seconds (30 days) | until invalidation). | valid_lt ⩾ preferred_lt ============== ============================================ ================================================ sh ipv6 pool ------------ This command outputs information about IPv6 pools. .. code-block:: none sh ipv6 pools **Example** The response has the following format: .. code-block:: none sh ipv6 pools --- name ppp6_pd_pool address space xxxe::/48 address/prefix length 64 preferred lifetime 3600 valid lifetime 7200 free 65536 used 0 --- name ppp6_na_pool address space xxx1::/64 address/prefix length 128 preferred lifetime 3600 valid lifetime 7200 free 4294967294 used 1 --- name ppp6_slaac_pool address space xxx0b::/48 address/prefix length 64 preferred lifetime 3600 valid lifetime 7200 free 65535 used 1 IP Pool cache ============= IP addresses are not immediately returned to an IP pool but are stored in an IP pool cache for a certain period of time to be reserved for their last user. This ensures that the user is able to obtain the same IP address again. Users of pool IP addresses are identified by MAC addresses, and an IP pool cache entry stores a MAC address. The IPv4 pool cache has a fixed size that can be configured using the ``ippool_cache_size`` sysctl startup variable. The duration for which an IP pool cache entry remains in the cache before the IP address is returned to the pool is configured by the ``ippool_cache_entry_ttl`` sysctl variable. More information about these sysctl variables can be found in the section titled `IP pools sysctl variables`_. sh ip pool cache ---------------- This command outputs the content of the ipv4 pool cache. .. code-block:: none sh ip pool cache The output has the following structure: .. code-block:: none owner ip ip-pool da9c1db9fe4f0100 192.168.2.10 pool_1 ====================== ============================================== | Field name | Description ====================== ============================================== owner | A string id of the owner of an IP pool entry ip | IPv4 address ip-pool | IP pool name ====================== ============================================== sh ipv6 pool cache ------------------ This command outputs the content of the ipv6 pool cache. .. code-block:: none sh ipv6 pool cache The output has the following structure: .. code-block:: none owner ip sub-ip ip-pool da9c1db9fe4f0101 2001:470:1f0b:1461:4c8c:dd7f:24fb:442d na_pool da9c1db9fe4f0101 2001:470:1f0c:58c5:: pd_pool ====================== ================================================ | Field name | Description ====================== ================================================ owner | A string id of the owner of an IPv6 pool entry ip | IPv6 address sub-ip | Additional IPv6 address ip-pool | IPv6 pool name ====================== ================================================ ip pool cache del ----------------- This command deletes an IP pool entry from the IPv4 pool cache. .. code-block:: none ip pool cache del "" **Description** ============== ================================================================================ Item Description ============== ================================================================================ owner_id | A string identifier of the owner of an IPv4 pool entry ============== ================================================================================ **Example** This example shows how to delete the IPv4 pool cache entry with id ``da9c1db9fe4f0100``: .. code-block:: none ip pool cache del "da9c1db9fe4f0100" Note that when this command is executed in rcli it must enclosed with '': .. code-block:: none rcli 'ip pool cache del "da9c1db9fe4f0100"' ipv6 pool cache del ------------------- This command deletes an IPv6 pool entry from the IPv6 pool cache. .. code-block:: none ipv6 pool cache del "" **Description** ============== ================================================================================ Item Description ============== ================================================================================ owner_id | A string identifier of the owner of an IPv6 pool entry ============== ================================================================================ **Example** This example shows how to delete the IPv6 pool cache entry with id ``da9c1db9fe4f0100``: .. code-block:: none ipv6 pool cache del na_pool "da9c1db9fe4f0101" Note that when this command is executed in rcli it must enclosed with '': .. code-block:: none rcli 'ipv6 pool cache del na_pool "da9c1db9fe4f0101"' ip pool cache flush ------------------- This command deletes all IPv4 entries from the IPv4 pool cache. .. code-block:: none ip pool cache flush ipv6 pool cache flush --------------------- This command deletes all IPv6 entries from the IPv6 pool cache. .. code-block:: none ipv6 pool cache flush DHCP **** DHCPv4 server ============= Enabling DHCP server -------------------- The DHCP server function is enabled by ``sysctl`` variable ``dhcp_server``. ====================== ========= ============================================ ================== | Variable name | Type, | Description | Value | Scope ====================== ========= ============================================ ================== dhcp_server | Boolean | Enables the DHCP server function | 1 = on | Runtime | | 0 = off ====================== ========= ============================================ ================== **Example** This example shows how to enable the DHCP server function: .. code-block:: none sysctl set dhcp_server 1 Configuring DHCP server's IP pools ---------------------------------- .. note:: Before configuring DHCP parameters of an IP pool, it should be created by using the command `ip pool add `_. The general order of configuring the DHCP server's IP pools is as follows: 1. Create an IP pool (`ip pool add `_). 2. Add an IP address range to the created IP pool (`ip pool add range `_). 3. Configure the necessary DHCP parameters. **Example** This example shows the order in which the required commands should be executed. DNS, NTP and NBNS configuration is optional and can be configured in any order or be omitted. .. code-block:: none # create pool with name "pool_1" ip pool add pool_1 ip pool add range pool_1 10.11.1.10 - 10.11.200.255 # setup pool's DHCP parameters ip pool set pool_1 router 10.0.0.1 mask 24 lease time 600 ip pool add pool_1 dns 8.8.8.8 ip pool add pool_1 dns 8.8.4.4 ip pool add pool_1 ntp 192.36.143.130 ip pool add pool_1 nbns 1.1.1.1 ip pool add pool_1 nbns 1.1.1.3 ip pool set ----------- This command sets the DHCP parameters of an IP pool. .. code-block:: none ip pool set router mask lease time