Command reference. Runtime
Runtime is a part of the configuration file that can be changed after Bison Router has been started. It contains settings of virtual interfaces, routing, subscribers, and settings of other BisonRouter subsystems. When configuring, it is important to respect the dependency between objects. If object A is used by object B, then object A must be added first. For example, a VIF should be created before adding an IP address to the VIF.
Control Plane Protection
BisonRouter’s control plane module is responsible for processing protocols such as ARP, PPPoE, DHCP, etc. Handling incoming packets of these protocols is a CPU-intensive task, and therefore, the control plane could be overwhelmed by a storm of such packets. To prevent this scenario, BisonRouter employs a protection mechanism to detect such storms and drop incoming packets if their rate exceeds a defined threshold.
To limit the number of incoming packets processed, BisonRouter utilizes policer objects. Multiple policers are assigned for each of the control plane-protected protocols. Presently, three protocols are protected by policers: ARP, PPPoE, and DHCP. To determine the policer object for processing an incoming packet, BisonRouter calculates a hash value using the header content of the packet. Specifically, for ARP, PPPoE, and DHCP, BisonRouter employs the source MAC address field to compute the hash value and select the appropriate policer.
Note that the total rate of incoming packets for a protocol equals the number of policers multiplied by the rate of each policer.
The number of policers created for a protocol, policer’s ingress packets rates and a protection status of each protocol are controled by the following sysctl variables.
| Sysctl variable | Description | Default
value
|
|---|---|---|
| cplane_protection_arp_enabled | A boolean variable to disable/enable
protection of the ARP protocol.
0 - disabled. 1 - enabled.
|
1 |
| cplane_protection_arp_nb_policers | An integer variable to set up the number
of policer objects for the ARP protocol.
The scope of the variable is startup.
|
32 |
| cplane_protection_arp_rate | An integer variable to set up the maximum rate
of ingress ARP reply packets handled by
a single policer.
The scope of the variable is runtime.
|
50 |
| cplane_protection_pppoe_enabled | A boolean variable to disable/enable protection
of the PPPoE protocol. 0 - disabled. 1 - enabled.
The scope of the variable is runtime.
|
1 |
| cplane_protection_pppoe_nb_policers | An integer variable to set up the number of policer
objects for the PPPoE protocol.
The scope of the variable is startup.
|
32 |
| cplane_protection_pppoe_rate | An integer variable to set up the maximum
rate of ingress PPPoE packets handled
by a single policer.
The scope of the variable is runtime.
|
150 |
| cplane_protection_dhcp_enabled | A boolean variable to disable/enable protection
of DHCP v4, v6 protocols.
0 - disabled. 1 - enabled.
The scope of the variable is runtime.
|
1 |
| cplane_protection_dhcp_nb_policers | An integer variable to set up the number of policer
objects for DHCP v4, v6 protocols.
The scope of the variable is startup.
|
32 |
| cplane_protection_dhcp_rate | An integer variable to set up the maximum rate
of ingress DHCP packets handled by a single policer.
The scope of the variable is runtime.
|
200 |
Example
startup {
sysctl set cplane_protection_arp_nb_policers 32
}
runtime {
sysctl set cplane_protection_arp_rate 200
}
rcli sh cplane protection
This command outputs status of the Control Plane Protection module.
sh cplane protection
Example
rcli sh cplane protection
ARP:
enabled: yes
number of policers: 32
policer rate: 50
dropped ingress ARP replies: 0
PPPoE:
enabled: yes
number of policers: 32
policer rate: 150
dropped packets: 0
DHCP v4 and v6:
enabled: yes
number of policers: 32
policer rate: 200
dropped packets: 0
VLAN Set
VLAN Set is a helper BisonRouter module that enables other modules and functions to operate with multiple VLANs at the same time. For example, if there is a need to create hundreds of similar Virtual Interfaces (VIFs) it is easier to do that by creating a VLAN Set containing all VLAN ids and by running a single command to create VIFs that takes a VLAN Set id as a parameter.
vlan set create
This command creates a new VLAN set.
vlan set create <vlan_set_id>
Description
| Item | Description |
|---|---|
| vlan_set_id | The ID of a new VLAN set |
Example
This example shows how to create a VLAN set with id 2:
vlan set create 2
vlan set destroy
This command deletes a VLAN set.
vlan set destroy <vlan_set_id>
Description
| Item | Description |
|---|---|
| vlan_set_id | The ID of a VLAN set to delete |
Example
This example shows how to delete a VLAN set with id 2:
vlan set destroy 2
vlan set add range
This command adds a range of VLAN identifiers to a VLAN set.
vlan set <vlan_set_id> add port <port_num> range [svid <svid_range>] cvid <cvid_range>
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | The ID of a VLAN set virtual interfaces | A numeric value |
| port | Physical NIC Port number associated with VLANs | A numeric value |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095. Mandatory for QinQ VLAN sets |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095. Mandatory for QinQ and Dot1Q VLAN sets |
Examples
This example shows how to add Dot1Q VLANs with id values in the range from 10 to 100 to a VLAN set with id 2.
vlan set 2 add port 1 range cvid 10 100
This example shows how to add Dot1Q VLAN with id 139 to a VLAN set with id 2.
vlan set 2 add port 1 range cvid 139
This example shows how to add QinQ VLAN with svids in the range 10 20 and cvids in the range 1 10.
vlan set 2 add port 1 range svid 10 20 cvid 1 10
vlan set del range
This command deletes a range of VLAN identifiers from a VLAN set.
vlan set <vlan_set_id> del port <port_num> range [svid <svid_range>] cvid <cvid_range>
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | The ID of a VLAN set virtual interfaces | A numeric value |
| port | Physical NIC Port number associated with VLANs | A numeric value |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095. Mandatory for QinQ VLAN sets |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095. Mandatory for QinQ and Dot1Q VLAN sets |
Examples
This example shows how to delete Dot1Q VLANs with id values in the range from 10 to 100 from a VLAN set with id 2.
vlan set 2 del port 1 range cvid 10 100
This example shows how to delete Dot1Q VLAN with id 139 from a VLAN set with id 2.
vlan set 2 del port 1 range cvid 139
This example shows how to delete QinQ VLAN with svids in the range 10 20 and cvids in the range 1 10.
vlan set 2 del port 1 range svid 10 20 cvid 1 10
Virtual Interfaces
VIF (virtual interface) is an essential part of Bison Router which provides access to the VLAN.
vif add
This command creates a new virtual L3 interface (VIF).
vif add name <name> port <port_num> type <type> [svid <svid>] [cvid <cvid>] [flags <flag1,flag2...>] [MTU <mtu_size>]
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the virtual interface to be added | The VIF’s
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| port | The port number to which the VIF is added | |
| type | VIF type | untagged |
| dot1q | ||
| qinq | ||
| svid | Service VLAN ID | 1-4095. Mandatory for QinQ |
| cvid | Customer VLAN ID | 1-4095. Mandatory for QinQ and dot1q |
| flag | Add a flag | |
| MTU | Maximum transmission unit size |
Flags
These flags enable the following network functions:
| Flag | Description |
|---|---|
| npf_on | NPF at interface |
| kni | Kernal Network Interface. Mandatory for FRR/Quagga integration |
| proxy_arp | Proxy ARP |
| flow_acct | Flow Accounting (Netflow/IPFIX) |
| rpf | Reverse path filter |
| dhcp_rel | DHCP relay. Enabled by default |
| vrrp | VRRP |
| pppoe_on | PPPoE |
| l2_subs | L2 subscribers management |
| l3_subs | L3 subscribers management |
vif flags
This command is intended for VIF flags enabling/disabling. Use this command if you need to enable a new flag that you did not specify in the vif add command.
vif flags <up|down> name <name> flags <flag1,flag2...>
Description
| Item | Description |
|---|---|
| up | Enable a flag |
| down | Disable a flag |
| name | VIF’s name |
Flags
These flags enable the following network functions:
| Flag | Description |
|---|---|
| proxy_arp | Proxy ARP |
| flow_acct | Flow Accounting (Netflow/IPFIX) |
| rpf | Reverse path filter |
| dhcp_rel | DHCP relay. Enabled by default |
| pppoe_on | PPPoE |
| l2_subs | L2 subscribers management |
| l3_subs | L3 subscribers management |
Example
This example shows how to disable the dhcp_rel flag for the VIF v20.
vif flags down name v20 flags dhcp_rel
vif del
This command deletes a VIF.
vif del <name>
Description
| Item | Description |
|---|---|
| name | Name of the VIF to delete |
Example
This example shows how to delete a VIF named v20:
vif del v20
vif car
This command enables ingress/egress bandwidth limit for a VIF.
vif car name <name> ingress cir <cir_value> egress cir <cir_value>
Note
Zero value is used to delete a limit.
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the VIF for applying a limit | |
| cir_value | Committed information rate value | Kbit/s |
Example
This example shows how to enable ingress/egress bandwidth equal to 10000 for the VIF named v20:
vif car name v20 ingress cir 10000 egress cir 10000
This example shows how to disable ingress/egress bandwidth for the VIF named v20:
vif car name v20 ingress cir 0 egress cir 0
sh vif
This command outputs all VIFs and information about their configuration.
sh vif
Example
Example of the response for sh vif command:
sh vif
vif v20
id 2
port 0, vlan 0.20, encapsulation dot1q
mac address 0E:7B:2D:2E:F4:13
shaper ingress not set
egress not set
ACL ingress not set
egress not set
flags dhcp_rel,NAT
mtu 1500
vif v30
id 3
port 1, vlan 0.30, encapsulation dot1q
mac address CA:D6:F3:10:39:4A
shaper ingress not set
egress not set
ACL ingress not set
egress not set
flags dhcp_rel
mtu 1500
vif lo
id 1
port 255, vlan 4095.4095, encapsulation qinq
mac address 00:00:00:00:00:01
shaper ingress not set
egress not set
ACL ingress not set
egress not set
flags dhcp_rel
mtu 1500
sh vif <name>
This command outputs information about a particular VIF.
sh vif <name>
Description
| Item | Description |
|---|---|
| name | Name of the VIF to show information about |
Example
This example shows how to output information about the VIF named v20:
sh vif v20
The response has the following format:
vif v20
id 2
port 0, vlan 0.20, encapsulation dot1q
mac address 0E:7B:2D:2E:F4:13
shaper ingress not set
egress not set
ACL ingress not set
egress not set
flags dhcp_rel,NAT
mtu 1500
sh vif counters
This command outputs VIFs traffic statistics.
sh vif counters
Example
Description
vif_id name port svid cvid rx_pkts tx_pkts rx_bytes tx_bytes
2 v20 0 0 20 0 0 0 0
3 v30 1 0 30 2 0 804 0
VIF VLAN set commands
These commands create a series of similar VIFs that differ only by the VLAN parameters. The commands use the VLAN set module to select the VLAN ids for which VIFs are created.
vif add vlan set
This command creates multiple VIFs with the VLAN ids from a VLAN set. Each VIF has the same parameters specified by the command and differs only by the VLAN ids and the name. VIF’s name is composed by concatenating the VIF name prefix, the port number, and VLAN ids. For example ‘v1.10.5’ is the name of a VIF with port number 1, svid 10 and cvid 5. ‘v’ is the default value of the VIF name prefix.
vif add vlan set <vlan_set_id> [flags <flag1,flag2...>] [mtu <mtu>] [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id | |
| flag | VIF flags | |
| mtu | Maximum transmission unit size | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
vif add vlan set 2
This command creates VIFs with the VLAN ids from the VLAN set 2. VIF have default flags, mtu, and prefix name ‘v’.
vif del vlan set
This command deletes multiple VIFs with the VLAN ids from a VLAN set. If VIFs were created with a non default VIF name prefix then the same prefix should be used by this delete commdand. The flag parameter and the mtu parameter should match the same parameters used when VIFs were created by the vif add vlan set command.
vif del vlan set <vlan_set_id> [flags <flag1,flag2...>] [mtu <mtu>] [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id | |
| flag | VIF flags | |
| mtu | Maximum transmission unit size | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
vif del vlan set 2
This command deletes VIFs with the VLAN ids from the VLAN set 2.
VIF range commands
These commands create a series of similar VIFs that differ only by the VLAN parameters. A general command is vif add range.
The syntax varies depending on which VIF parameters need to be specified.
Note
The range parameter in each command represents a range of numbers.
Enter two numbers separated by a space to specify a range (for example, cvid 100 200 means Customer VLAN IDs from 100 to 200)
and one number if it is a particular object (cvid 100 means Customer VLAN ID number 100).
vif add range
vif add name <name> port <port> type <type> range svid <svid_range> cvid <cvid_range> [flags <flag1,flag2...>] [mtu <mtu>]
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the range of virtual interfaces to be added | The VIF’s
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| port | The port number to which the VIFs range is added | |
| type | VIFs type | untagged |
| dot1q | ||
| qinq | ||
| svid_range | Service VLAN ID or Service VLAN range | 1-4095. Mandatory for QinQ |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095. Mandatory for QinQ and dot1q |
| flag | Add a flag | |
| MTU | Maximum transmission unit size |
Example
To create 101 VIFs with VLAN numbers from 4.100 to 4.200 use the following format svid 4 cvid 100 200. Example of the full command:
vif add name rng1_ port 1 type qinq range svid 4 cvid 100 200 flags l2_subs
To create 202 VIFs with VLAN numbers from 4.100 to 5.200 use the following format svid 4 5 cvid 100 200. Example of the full command:
vif add name rng2_ port 1 type qinq range svid 4 5 cvid 100 200 flags l2_subs
vif del range
This command deletes a VIF’s range.
vif del range svid <vlan_range> cvid <vlan_range> name <name>
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the range of virtual interfaces to be deleted | The VIF’s
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095. Mandatory for QinQ |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095. Mandatory for QinQ and dot1q |
Example
This example shows how to delete a VIFs range named v20 with VLAN numbers from 4.100 to 5.200:
vif del range svid 4 5 cvid 100 200 v20
Traffic classification
Note
ipset and l2set are subcases of U32 set. in IPv6, only l2set is supported.
U32 sets
u32set create
This command creates a new U32 set.
u32set create <name> size <size> bucket_size <bucket_size> type <set_type>
Description
| Item | Description | Value |
|---|---|---|
| name | U32 set name | The U32
set
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| size | U32 set size | The max. number of elements in the set |
| bucket_size | Bucket size | 8-256 |
| set_type | U32 set type | ip -
a set
containing
ipv4
addressesl2 -
a set
containing
VIF IDs |
Example
The example shows how to create a U32 set for storing IPv4 addresses:
u32set create ips1 size 16384 bucket_size 16 type ip
u32set destroy
This command deletes a U32 set.
u32set destroy <name>
Description
| Item | Description |
|---|---|
| name | Name of the U32 set to delete |
Example
This command deletes the U32 set named ips1:
u32set destroy ips1
IP set
ipset add
This command adds an IP address to a U32 set.
ipset add <name> <ip_address> [flags <flag>[,...]]
Description
| Item | Description |
|---|---|
| name | Name of the U32 set to add an IP address |
| ip_address | IP address to add |
| flags |
|
Example
This example shows how to add the IP address 10.0.0.1/24 to the U32 set named ips1:
ipset add ips1 10.0.0.1/24
ipset del
This command deletes an IP address from a U32 set.
ipset del <name> <ip_address>
Description
| Item | Description |
|---|---|
| name | Name of the U32 set to delete an IP address from |
| ip_address | IP address to delete |
Example
This example shows how to delete the IP address 10.0.0.1/24 from the U32 set named ips1:
ipset del ips1 10.0.0.1/24
ipset test
This command checks whether a U32 set contains an IP address or not.
ipset test <name> <ip_address>
Description
| Item | Description |
|---|---|
| name | Name of the U32 set to check |
| ip_address | IP address to check |
Example
This example shows how to check whether the U32 set named ips1 contains the IP address 10.0.0.1/24:
ipset test ips1 10.0.0.1/24
sh ipset
This command outputs information about an IP set.
sh ipset <name>
Description
| Item | Description |
|---|---|
| name | Name of an IP set to output information |
Example
The response has the following format:
sh ipset ips1
U32SET name ips1, type IP, hash size 4096, hash bucket size 16, num items: 1
ipv4 address
10.1.1.1
l2 set
l2set add
This command adds a VIF identifier to a U32 set. The VIF identifier is a
combination of port, svid, and cvid values and it is an integral element of the set.
l2set add <name> port <port_number> svid <svid> cvid <cvid> [flags <flag>[,...]]
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the U32 set to add a VIF identifier | The U32
set
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| port | The port number to which the VIF is added | |
| svid | Service VLAN ID | 1-4095 |
| cvid | Customer VLAN ID | 1-4095 |
| flags | optional flags | persistent adds
a persistent value
that will be savedin a
a configuration file
by the save config
command
|
Example
This example shows how to add the VIF identifier port 1 svid 2 cvid 3 to the U32set named l2s1:
l2set add l2s1 port 1 svid 2 cvid 3
l2set del
This command deletes a VIF identifier (port, svid, and cvid) from a U32 set.
l2set del <u32set_name> port <port_number> svid <svid> cvid <cvid>
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the U32 set to delete a VIF identifier | The U32
set
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| port | The port number to which the VIF is added | |
| svid | Service VLAN ID | 1-4095 |
| cvid | Customer VLAN ID | 1-4095 |
Example
This example shows how to delete the VIF identifier port 1 svid 2 cvid 3 from the U32set named l2s1:
l2set del l2s1 port 1 svid 2 cvid 3
l2set test
This command checks whether a U32 set contains a VIF identifier or not.
l2set test <u32set_name> port <port_number> svid <svid> cvid <cvid>
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the U32 set to check a VIF identifier | The U32
set
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
| port | The port number to which the VIF is added | |
| svid | Service VLAN ID | 1-4095 |
| cvid | Customer VLAN ID | 1-4095 |
Example
This example shows how to check whether the U32set named l2s1 contains the VIF identifier port 1 svid 2 cvid 3 or not:
l2set test l2s1 port 1 svid 2 cvid 3
sh l2set
This command outputs information about an L2 set.
sh l2set <name>
Description
| Item | Description |
|---|---|
| name | Name of an L2 set to output information |
Example
The response has the following format:
sh l2set l2s1
U32SET name l2s1, type L2, hash size 4096, hash bucket size 16, num items: 1
port_id.svid.cvid
1.0.30
Prefix Map
The prefix map is a map containing IPv4 prefixes and integer values associated with them. It can be used to classify a packet. The value associated with the prefix matched to the packet can be used for further packet processing. For example, the prefix map is used by a multi-policer that applies different policies depending on the source or destination address of the packet. The value associated with the prefix indicates the multi-policer’s ID in this case.
The prefix map performs a search using the LPM algorithm (Longest prefix match).
From two prefixes that differ only in length, the longer prefix will be selected.
For example, in case of 2 prefixes: 10.0.0.0/29 and 10.0.0.0/24, the address 10.0.0.2 matches the prefix 10.0.0.0/29, because 29 is longer than 24.
prefix map create
This command creates a new prefix map.
prefix map create <prefix_map_id> [type <map_type>]
Description
| Item | Description | Value |
|---|---|---|
| prefix_map_id | ID of a prefix map to create | 0-31 |
| map_type | Prefix map type. Default type is ipv4. | ipv4, ipv6 |
Example
This example shows how to create a new ipv4 prefix map with the ID 10:
prefix map create 10 type ipv4
prefix map destroy
This command deletes a prefix map.
prefix map destroy <prefix_map_id>
Description
| Item | Description |
|---|---|
| prefix_map_id | ID of a prefix map to delete |
Example
This example shows how to delete a prefix map with the ID 10:
prefix map destroy 10
prefix map add
This command adds a prefix and a value associated with it into a prefix map.
prefix map add <prefix_map_id> <prefix>/<mask> value <value> [flags <flag[,...]>]
Description
| Item | Description |
|---|---|
| prefix_map_id | ID of a prefix map to add a prefix |
| prefix | IPv4 prefix to add |
| mask | Subnet mask |
| value | The number that will be associated with the prefix |
| flags |
|
Example
This example shows how to add the IPv4 prefix 192.168.1.115/32 and its associated value 2 to the prefix map 10:
prefix map add 10 192.168.1.115/32 value 2
prefix map del
This command deletes a prefix from a prefix map.
prefix map del <prefix_map_id> <ipv4_prefix>
Description
| Item | Description |
|---|---|
| prefix_map_id | ID of a prefix map to delete a prefix |
| ipv4_prefix | IPv4 prefix to delete |
Example
This example shows how to delete the prefix 192.168.1.115/32 from the prefix map 10:
prefix map del 10 192.168.1.115/32
sh prefix map
This command outputs the content of a prefix map.
sh prefix map <prefix_map_id>
Description
| Item | Description |
|---|---|
| prefix_map_id | ID of a prefix map to output |
Example
The response has the following format:
sh prefix map 10
prefix map id 10, num prefixes 4
192.168.1.116/32 3
192.168.1.117/32 4
10.11.1.10/32 101
192.168.1.115/32 2
IPv4 addressing and routing
This section describes the commands for configuring IPv4 routing and addressing.
IP addresses
ip addr add
This command assigns an IP address to a VIF.
ip addr add <ip_address>/<mask> dev <vif_name>
Description
| Item | Description |
|---|---|
| ip_address | IP address to assign |
| mask | Subnet mask (1-32) |
| vif_name | Name of the VIF to assign an IP address |
Example
This example shows how to assign 10.0.0.1/24 IP address to the VIF named v20:
ip addr add 10.0.0.1/24 dev v20
ip addr del
This command deletes an IP address from a VIF.
ip addr del <ip_address>/<mask> dev <vif_name>
Description
| Item | Description |
|---|---|
| ip_address | IP address to delete |
| mask | Subnet mask (1-32) |
| vif_name | Name of the VIF to delete the IP address |
Example
This example shows how to delete 10.0.0.1/24 IP address assigned to the VIF named v20:
ip addr del 10.0.0.1/24 dev v20
sh ip addr
The command outputs a list of IP addresses in use.
sh ip addr
Example
name port vid encapsulation
v20 0 0.20 dot1q
192.168.1.1/24 primary
v30 1 0.30 dot1q
192.168.2.1/24 primary
lo 255 4095.4095 qinq
5.5.5.5/32 h
Note
The vid value consists of <svid_value>.<cvid_value>
IP address VLAN set commands
These commands are used to simultaneously add/delete addresses to/from multiple VIFs. VIFs are selected with the help of the VLAN set module.
ip addr add vlan set
This command adds an IP address to multiple VIFs created by the vif add vlan set command.
ip addr add <ip_address>/<mask> vlan set <vlan_set_id> [prefix <vif_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| ip_address | IP address to assign to VIFs | |
| mask | Subnet mask (1-32) | |
| vlan_set_id | ID of a VLAN set to select the VIFs | |
| vif_prefix | VIF name prefix (optional). It should be the the same VIF name prefix that was used with vif add vlan set command. |
Example
This example shows how to add IP address 10.0.0.1/24 to the VIFs created with VLAN set 2.
ip addr add 10.0.0.1/24 vlan set 2
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
ip addr del vlan set
This command deletes an IP address from multiple VIFs created by the vif add vlan set command.
ip addr del <ip_address>/<mask> vlan set <vlan_set_id> [prefix <vif_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| ip_address | IP address to delete from VIFs | |
| mask | Subnet mask (1-32) | |
| vlan_set_id | ID of a VLAN set to select the VIFs | |
| vif_prefix | VIF name prefix (optional). It should be the the same VIF name prefix that was used with vif add vlan set command. |
Example
This example shows how to delete IP address 10.0.0.1/24 from the VIFs created with VLAN set 2.
ip addr del 10.0.0.1/24 vlan set 2
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
IP address range commands
These commands are used to simultaneously change (add/remove) addresses of a set of VIFs.
ip addr add range
This command adds an IP address to multiple VIFs.
ip addr add range svid <svid_range> cvid <cvid_range> <ip_address>/<mask> name <name>
Description
| Item | Description | Value |
|---|---|---|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| ip_address | IP address to assign | |
| mask | Subnet mask (1-32) | |
| name | Name prefix |
Note
The names output in the table have the following structure prefixsvid.cvid, where the prefix is a VIF name prefix.
For example, if VIF name prefix is v, SVID is 1 and CVID 2, the name will be v1.2.
Example
This example shows how to add the IP address to the VIFs range 4.100-4.200:
ip addr add range svid 4 cvid 100 200 10.0.0.1/24 name v20
ip addr del range
This command deletes an IP address from a VIFs range.
ip addr del range svid <svid_range> cvid <cvid_range> <ip_address>/<mask> name <name>
Description
| Item | Description | Value |
|---|---|---|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| ip_address | IP address to delete | |
| mask | Subnet mask (1-32) | |
| name | Name prefix |
Example
This example shows how to delete the IP address from the VIFs range 4.100-4.200:
ip addr add range svid 4 cvid 100 200 10.0.0.1/24 name v20
IP routing tables
Bison Router forward packets based on routing tables, the sum of which forms the FIB (Forwarding Information Base). Multiple routing tables are supported. The main table is created automatically and used by default. All other tables are optional, they are created and edited manually. If multiple tables are used, the table selection is based on PBR (Policy-based Routing).
ip route table add
This command creates a new routing table.
ip route table add <name>
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the routing table to be added | The table
name must
start
with a
letter.
The max.
name
length
is 96
characters
|
Example
This example shows how to create a new routing table named table_1:
ip route table add table_1
ip route table del
This command deletes a routing table.
ip route table del <name>
Description
| Item | Description |
|---|---|
| name | Name of the table to delete |
Example
This example shows how to delete a routing table named table_1:
ip route table del table_1
sh ip route tables
This command shows a list of routing tables.
sh ip route tables
Example
The response has the following format:
sh ip route tables
main
table_1
IP routes
After creating routing tables, you can add routes to them.
ip route add
The following command syntax creates a route to a directly connected network.
ip route add <ip_address>/<mask> dev <vif_name> [src <src_ip>] [table <table_name>] [flags <flag>[, ...]]
Description
| Item | Description |
|---|---|
| ip_address | Directly connected network |
| mask | Directly connected network mask (1-32) |
| vif_name | The name of the VIF to which the network is connected |
| src_ip | Source IP address |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
| flags |
|
Example
This example shows how to add a connected route to a routing table named table_1:
ip route add 10.0.0.0/24 dev v20 table table_1
This command creates a route to a remote network.
ip route add <ip_address>/<mask> via <gw_ip> [src <src_ip>] [table <table_name>]
Note
The IP address of the gateway must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually.
Description
| Item | Description |
|---|---|
| ip_address | Remote network |
| mask | Remote network mask (1-32) |
| gw_ip | IP of the gateway to reach the remote network |
| src_ip | Source IP address |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add a route to a remote network to the main routing table:
ip route add 10.0.0.0/24 via 192.168.1.15
This command creates an unreachable route.
ip route add <ip_address>/<mask> unreachable [table <table_name>]
Description
| Item | Description |
|---|---|
| ip_address | Unreachable route |
| mask | Network mask (1-32) |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add an unreachable route to the main routing table:
ip route add 10.0.0.0/24 unreachable
ip route del
This command deletes a route from a routing table.
ip route del <ip_address/mask> [table <table_name>]
Description
| Item | Description |
|---|---|
| ip_address | IP route prefix to delete |
| mask | Network mask (1-32) |
| table_name | Name of the table to delete the route |
Example
This example shows how to delete a route from the main routing table:
ip route del 10.0.0.0/24
sh ip route
This command outputs the content of a routing table.
sh ip route [table_name]
Description
| Item | Description |
|---|---|
| table_name | Name of the table which content is output |
Note
If the table_name parameter is not specified, the content of the main table is output by default.
Example
The response has the following format:
sh ip route
10.114.0.0/29 unreachable proto rcli
5.5.5.5/32 local proto internal
192.168.1.0/24 C dev v20 src 192.168.1.1 proto internal
10.8.0.0/24 via 192.168.2.2 dev v30 src 192.168.2.1 proto rcli
224.0.0.0/4 unreachable proto rcli
192.168.2.0/24 C dev v30 src 192.168.2.1 proto internal
0.0.0.0/0 via 192.168.1.2 dev v20 src 192.168.1.1 proto rcli
In particular, the response contains data on route types and route origin.
Route types
| Name | Description |
|---|---|
| local | Local network |
| C | Directly connected network |
| unreachable | Unreachable network |
| via | Remote network reachable via a gateway |
Route origin
| Name | Description |
|---|---|
| rcli | A route manually created with rcli |
| internal | Created by Bison Router |
| fpm | Created by Quagga/FRR |
ip route get
This command outputs the ip route that is used to forward a particular packet.
ip route get <dst_ip> [table <table_name>] [src <src_ip>]
Description
| Item | Description |
|---|---|
| dst_ip | Destination IP address to lookup a route for. |
| table_name | Optional. Name of the routing table to lookup for a route in. |
| src_ip | Optional. Source IP address to lookup for a particular next-hop
in a multi-hop route. It’s used only with UCMP multi-hop routes
with ‘ip_src_dst’ or ‘ip_src’ hash function types.
|
Note
If the table_name parameter is not specified, the content of the main table is output by default.
Equal-cost multipath (ECMP) and Unequal-cost multipath (UCMP) routing
BisonRouter supports both Equal-cost multipath (ECMP) and Unequal-cost multipath or Weighted mulltipath (UCMP) routing schemes. ECMP/UCMP routes can be created either manually or received from FRR routing daemons. Packets of the same L3 flow are always forwarded via the same path.
ECMP/UCMP ip route add
This command creates a multi-path route (ECMP or UCMP) to a remote network.
ip route add <ip_address>/<mask> via nexthop <nexthop1_ip> weight <nexthop1_weight>
[nexthop <nexthop2_ip> weight <nexthop2_weight>...]
[hash type <hash_type>] [table <table_name>] [flags <flag>[, ...]]
Note
Nexthop IP addresses must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually.
Description
| Item | Description |
|---|---|
| ip_address | Remote network |
| mask | Remote network mask (1-32) |
| nexthop1_ip | IP address of the nexthop 1 gateway |
| nexthop1_weight | Nexthop 1 weight |
| nexthop2_ip | IP address of the nexthop 2 gateway |
| nexthop2_weight | Nexthop 2 weight |
| hash_type | Optional parameter. Specifies a type of hash-function to determine
a next hop index for a particular packet.
Possible values:
ip_src_dst - a hash function that calculates the next hop indexusing src-ip and dst-ip packet header fields
ip_src - a hash function that calculates the next hop indexusing src-ip packet header field
ip_dst - a hash function that calculates the next hop indexusing dst-ip packet header field
When omitted default global hash function type is used.
Default global hash function is set up with
fib_multihop_default_hash_typesysctl string variable that uses the same hash function type names.
|
| table_name | The name of the table to add a route. The Main routing table is used by default. |
| flags | Optional flags:
redistribute - redistribute this route to Quagga/FRR. |
Example
This example shows how to add a UCMP default route to the main routing table. The route is a two-path route. Path #1 has a weight 1. Path #2 has a weight 3. Those weights will result in 25% of traffic being forwarded via the path #1, and 75% of traffic via path #2.
rcli ip route add 0.0.0.0/0 via nexthop 192.168.1.3 weight 1 nexthop 192.168.1.5 weight 3 hash type ip_src table main
This example shows how to add a ECMP default route to the main routing table:
rcli ip route add 0.0.0.0/0 via nexthop 192.168.1.3 weight 1 nexthop 192.168.1.5 weight 1 table main
This example shows how to set up global default next hop hash function type for UCMP routes.
rcli 'sysctl set fib_multihop_default_hash_type "ip_dst"'
FRR and UCMP/ECMP
UCMP and ECMP routes can be created dynamically with the help of FRR software. https://docs.frrouting.org/en/latest/bgp.html#weighted-ecmp-using-bgp-link-bandwidth
Note
FRR should be compiled with the options ‘–enable-fpm’ ‘–enable-multipath=8’.
Policy-based Routing (PBR)
Policy-based Routing (PBR) is a technique used to make routing decisions based on rules and packet data. The rules apply to each incoming packet and determine which routing table will be used to route the packet. The rules are analyzed in the order of the specified priority until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. If no match is found or there are no PBR rules then the main routing table is used.
ip pbr rule add
This command creates a PBR rule. There are several syntax types to create rules with different matching criteria.
Add a PBR rule for a U32 set
This command creates a PBR rule to match the traffic originating from one of the IP addresses contained in the IP set or VIFs contained in L2 set.
ip pbr rule add prio <prio_num> u32set <u32set_name> type <type> table <table_name>
Description
| Item | Description | Value |
|---|---|---|
| prio_num | Priority number | |
| u32set_name | Name of the U32 set to add to the rule | |
| type | ip - traffic originating from one
of the addresses contained in the IP set
l2 - traffic originating from one
of VIFs contained in an L2 set.
|
|
| table_name | Name of the routing table to use |
Examples
This example shows how to add a rule with a priority number 1 to match the traffic originating from one of the addresses contained in the IP set ips1:
ip pbr rule add prio 1 u32set ips1 type ip table table_1
This example shows how to add a rule with a priority number 2 to match the traffic originating from one of the VIFs contained in an L2 set l2settest:
ip pbr rule add prio 2 u32set l2settest type l2 table table_1
Add a PBR rule for a network
This syntax variant creates a PBR rule to match the traffic originating from a particular network.
To additionally match a destination network specify it in the parameter to <dest_ip_address/mask> (can be omitted).
ip pbr rule add prio <prio_num> from <src>/<src_mask> [to <dst>/<dest_mask>] table <table_name>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
| src | Source network |
| src_mask | Source network mask |
| dst | Destination network |
| dest_mask | Destination network mask |
| table_name | Name of the routing table to use |
Examples
This example shows how to create a rule with a priority number 1 to match the traffic originating from a particular network:
ip pbr rule add prio 1 from 10.0.0.1/24 table table_1
This example shows how to create a rule with a priority number 1 to match the traffic originating from a particular network and destinated to another network:
ip pbr rule add prio 1 from 10.200.22.0/24 to 10.200.23.0/24 table table_1
Add an L4 PBR rule
This syntax variant creates a PBR rule to match the traffic sourced from or destinated to a specific L4 port.
ip pbr rule add prio <prio_num> proto <ip_proto> src|dst <port> table <table_name>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
| ip_proto | IP protocol |
| port | L4 port number |
| table_name | Name of the routing table to use |
Examples
This example shows how to create a rule with a priority number 1
to match the UDP traffic desinated to port 53:
ip pbr rule add prio 1 proto udp dst port 53 table table_1
This example shows how to create a rule with a priority number 1
to match the UDP traffic sourced from port 80:
ip pbr rule add prio 1 proto udp src port 80 table table_1
ip pbr rule del
This command deletes a PBR rule with the given priority.
Note
Removing a priority does not affect the priority numbering of other existing rules.
Note
Avoid creating rules with the same priority, otherwise it may lead to unpredictable prioritization of these rules. To view the list of existing rules, use the command sh ip pbr rules.
ip pbr rule del prio <prio_num>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
Example
This example shows how to delete a PBR rule with the priority number 2:
ip pbr rule del prio 2
sh ip pbr rules
This command outputs all PBR rules.
sh ip pbr rules
Example
The response has the following format:
sh ip pbr
prio condition rt_table
10 ipset ips1 rt_bl
20 l2set l2s1 rt_bl
30 from 10.200.22.0/24 rt_bl
40 from 10.200.22.0/24 to 10.200.23.0/24 rt_bl
IPv4 ARP
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. The ARP cache is a table of records consisting of three elements: IP address, MAC address, and VIF name.
arp add
This command creates or edits an ARP record.
arp add <ip_address> <mac> dev <vif_name> [type]
Description
| Item | Description | Value |
|---|---|---|
| ip_address | IP address to map | |
| mac | MAC address to map | |
| vif_name | Name of the corresponding VIF | |
| type | ARP record type | static - doesn’t have a TTL
dynamic - has a TTL (default type)
|
Note
ARP TTL is configured in sysctl <arp_cache_timeout>. This variable can be changed at any time. The default value is 300 seconds.
Example
This example shows how to add an ARP cache record mapping IP address 10.0.0.1, MAC address E0:D5:5E:8D:35:2E and VIF named v20:
arp add 10.0.0.1 E0:D5:5E:8D:35:2E dev v20
Note
VIF, in this case, is the scope of the command. Exactly the same IP and MAC addresses may exist within another VIF.
arp del
This command deletes an ARP record.
arp del <ip_address> dev <vif_name>
Description
| Item | Description |
|---|---|
| ip_address | IP address to delete |
| vif_name | Name of the corresponding VIF |
Example
This example shows how to delete the ARP record for IP address 10.0.0.1 and VIF v20:
arp del 10.0.0.1 dev v20
sh arp cache
This command outputs the content of the ARP cache.
sh arp cache
Example
sh arp cache
port vid ip mac type state
2 0.3 192.168.1.165 E0:D5:5E:8D:35:2E dynamic ok
2 0.5 192.168.5.101 A8:5B:78:09:0C:E1 dynamic ok
2 0.3 192.168.1.3 D4:CA:6D:7C:D0:DF dynamic ok
2 0.20 192.168.20.3 E0:D5:5E:8D:35:2E dynamic ok
2 0.20 192.168.20.2 60:A4:4C:41:0A:24 dynamic ok
Note
The vid value consists of <svid_value>.<cvid_value>
Possible types:
| Type | Description |
|---|---|
| Dynamic | Has a TTL |
| Static | Doesn’t have a TTL |
Possible states:
| State | Description |
|---|---|
| ok | Ready to use |
| resolving | ARP request sent, but still no response received |
| failed | ARP request sent, no response received (final state) |
| stale | Response received, but the value of the MAC address could be outdated |
Utilities
ping
Ping is a utility used to test the reachability of a host on an IP network. Ping measures the round-trip time for messages sent from the originating host to a destination device that are echoed back to the source.
Note
This command is only used on the command line.
ping --help
Usage: ping [-c,--count <count>] [-i,--interval <interval>] [-s <icmp_payload_size>]
[-f,--dont_frag] [-a,--source_address <src_ip_address>] [-w,--nowait]
[-h,--help] <dest_ip_address>
Description
| Parameter | Description | Value |
|---|---|---|
| count | Number of test packets (default value - 5) | |
| interval | Time interval between requests | ms |
| icmp_payload_size | Request size | bytes |
| dont_frag | Don’t fragment | |
| src_ip_address | VIF IP address from which the request is sent | |
| nowait | Send requests without pauses | |
| help | Output help | |
| dest_ip_address | Destination IP address |
Example
ping 8.8.8.8
Ping 8.8.8.8 56(84) bytes of data.
reply 56 bytes icmp_seq=1 time=103.515 ms
reply 56 bytes icmp_seq=2 time=109.306 ms
reply 56 bytes icmp_seq=3 time=103.933 ms
reply 56 bytes icmp_seq=4 time=119.942 ms
reply 56 bytes icmp_seq=5 time=121.397 ms
---
Ping 8.8.8.8 statistics:
sent: 5, recv: 5 (100%), lost: 0 (0%)
round-trip min/avg/max = 103.515/111.617/121.397
traceroute
Traceroute is an utility to discover the route packets take to a specified network host.
Note
This command is only used on the command line.
rcli traceroute --help
Usage: traceroute [-c dont_inc_dst_port] [-f first_ttl] [-m max_ttl] [-P proto]
[-l payload_len] [-s src_address] [-q nprobes] [-t tos]
[-w waittime] [-o src_port] [-b base_dst_port] [-h,--help] host
Description
| Parameter | Description | Value |
|---|---|---|
| dont_inc_dst_port | Don’t increment the destination port number in UDP packets | |
| first_ttl | Set the initial TTL number | |
| max_ttl | Set the max TTL number | |
| proto | Set the protocol being used to discover the route. icmp and udp protocol are supported | |
| payload_len | Set the length of payloads | |
| src_address | Set the source IP addres of probes | |
| nprobes | Set the number of probes to send for each TTL | |
| tos | Set the TOS value of probes | |
| waittime | Wait time in ms for a response to a probe | |
| src_port | Set the source port of probes. Only for UDP. | |
| base_dst_port | Set the base destination port number. Only for UDP. | |
| help | Output the help message | |
| host | Destination host |
Example
rcli traceroute -p icmp xx.xx.1.1
traceroute to xx.xx.1.1, 64 hops max, payload 16 bytes
1 192.168.1.2 0.332ms 0.169ms 0.150ms
2 xx.xx.1.1 0.756ms 0.283ms 0.165ms
arping
ARPING is an utility to test reachability of a host on a connected IP network. ARPING sends ARP requests to the specified host and ouputs hosts replies.
Note
This command is only used on the command line.
rcli arping --help
Usage: arping [-c,--count count] [-i,--interval interval_in_ms]
[-h,--help] destination ip
Description
| Parameter | Description | Value |
|---|---|---|
| count | Number of probe ARP requests (default value is 5) | |
| interval | Time interval between requests | ms |
| help | Output the help message | |
| destination ip | Destination IP address |
Example
rcli arping 192.168.1.2
arping 192.168.1.2
reply time 0.168 ms from xx:xx:xx:xx:xx:1B
reply time 0.147 ms from xx:xx:xx:xx:xx:1B
reply time 0.216 ms from xx:xx:xx:xx:xx:1B
reply time 0.211 ms from xx:xx:xx:xx:xx:1B
reply time 0.135 ms from xx:xx:xx:xx:xx:1B
---
arping 192.168.1.2 statistics:
sent: 5, recv: 5 (100%), lost: 0 (0%)
round-trip min/avg/max ms 0.135/0.175/0.216
IPv6 addressing and routing
This section describes the commands for configuring IPv6 routing and addressing.
Virtual interface IPv6 addressing
ipv6 enable
This command enables IPv6 protocol on a VIF and creates a link-local address using the EUI-64 scheme.
ipv6 enable dev <vif_name>
Description
| Item | Description |
|---|---|
| vif_name | Name of the VIF to enable the protocol |
Example
This example shows how to enable IPv6 protocol on the VIF named v20:
ipv6 enable dev v20
ipv6 disable
This command disables IPv6 protocol for a VIF and deletes all corresponding addresses and routes.
ipv6 disable dev <vif_name>
Description
| Item | Description |
|---|---|
| vif_name | Name of the VIF to disable the protocol |
Example
This example shows how to disable IPv6 protocol for the VIF named v20:
ipv6 disable dev v20
ipv6 enable vlan set
This command enables the IPv6 protocol at the VIFs with the VLAN ids from a VLAN set.
ipv6 enable vlan set <vlan_set_id> [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
ipv6 enable vlan set 2
This command enables the IPv6 protocol at the VIFs with the VLAN ids from the VLAN set 2.
ipv6 disable vlan set
This command disables the IPv6 protocol at the VIFs with the VLAN ids from a VLAN set.
ipv6 disable vlan set <vlan_set_id> [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
ipv6 disable vlan set 2
This command disables the IPv6 protocol at the VIFs with the VLAN ids from the VLAN set 2.
ipv6 enable vif range
This command enables or disables IPv6 protocol for a VLAN range.
Note
The range parameter represents a range of numbers.
Enter two numbers separated by a space to specify a range (for example, cvid 100 200 means Customer VLAN IDs from 100 to 200) and one number if it is a particular object (cvid 100 means Customer VLAN ID number 100).
ipv6 <state> vif range svid <svid_range> cvid <cvid_range> name <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| state | Enter enable to enable Router Advertisement messages or disable to disable |
enable
disable
|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| vif_name | Name of the range of virtual interfaces to enable |
Example
This example shows how to enable IPv6 protocol on a VLAN range from 4.100 to 5.200 within the VIF v20:
ipv6 enable vif range svid 4 5 cvid 100 200 name v20
ipv6 addr add eui-64
This command generates an address using the given prefix and the VIF ID (EUI-64 scheme) and assigns the address to the VIF.
ipv6 addr add eui-64 <ipv6_prefix>/<length> eui-64 dev <vif_name>
Description
| Item | Description |
|---|---|
| prefix | IPv6 prefix |
| length | IPv6 prefix length |
| vif_name | Name of the VIF to assign an IPv6 address |
Example
This example shows how to generate an IPv6 address using the prefix 2001:470:1f0e:1461:: and assign it to the VIF v20.
ipv6 addr add eui-64 2001:470:1f0e:1461::/64 eui-64 dev v20
ipv6 addr add
This command assigns an IPv6 address to a VIF.
ipv6 addr add <ipv6_address>/<length> dev <vif_name>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address |
| length | IPv6 address length |
| vif_name | Name of the VIF to assign an IPv6 address |
Example
This example shows how to assign IPv6 address 2001:470:1f0e:1461::2/64 to VIF v20:
ipv6 addr add 2001:470:1f0e:1461::2/64 dev v20
ipv6 addr link-local
This command assigns an IPv6 link-local address to a VIF.
ipv6 addr link-local <ipv6_address> dev <vif_name>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address |
| vif_name | Name of the VIF to assign an IPv6 address |
Example
This example shows how to assign IPv6 link-local address fe80::1269:ddac:fe32:d336 to VIF v20:
ipv6 addr link-local fe80::1269:ddac:fe32:d336 dev v20
ipv6 addr link-local eui-64
This command generates a link-local address using the EUI-64 scheme and assigns it to a VIF.
ipv6 addr link-local eui-64 dev <vif_name>
Description
| Item | Description |
|---|---|
| vif_name | Name of the VIF to assign an IPv6 address |
Example
This example shows how to assign a link-local address generated using the EUI-64 scheme to the VIF v20:
ipv6 addr link-local eui-64 dev v20
ipv6 addr auto
This command enables/disables SLAAC client on a VIF. After enabling, Bison Router starts assigning dynamic IPv6 addresses on an interface based on the information received in Router Advertisement messages.
ipv6 addr auto dev <vif_name> <state>
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of the VIF to enable SLAAC | |
| state | Enter enable to enable SLAAC or disable to disable |
enable
disable
|
ipv6 addr del
This command deletes an address from a VIF.
ipv6 addr del <ipv6_address/<length> dev <vif_name>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address |
| length | IPv6 address length |
| vif_name | Name of the VIF to assign an IPv6 address |
Example
This example shows how to delete the IPv6 address 2001:470:1f0e:1461::2/64 from the VIF v20:
ipv6 addr del 2001:470:1f0e:1461::2/64 dev v20
sh ipv6 addr
This command outputs IPv6 addresses assigned to VIFs.
sh ipv6 addr
Example
Example of the response for sh ipv6 addr command:
sh ipv6 addr
vif v20
port 0, vlan 0.20, encapsulation dot1q
IPv6 is enabled, link-local address is fe80::16d7:64ff:feac:1aee, flags PREF
Global unicast address(es):
2001:470:1f0e:1461::1/64, flags PREF
Solicited-node mcast address(es):
ff02::1:ffac:1aee
ff02::1:ff00:1
Joined multicast group address(es):
ff02::2
IPv6 routing tables
Bison Router forward packets based on routing tables, the sum of which forms the FIB (Forwarding Information Base). Multiple routing tables are supported. The main table is created automatically and used by default. All other tables are optional, they are created and edited manually. If multiple tables are used, the table selection is based on PBR (Policy-based Routing).
ipv6 route table add
This command creates a new IPv6 routing table
ipv6 route table add <name>
Description
| Item | Description | Value |
|---|---|---|
| name | Name of the routing table to be added | The table name must start with a letter.
The max. name length is 96 characters
|
Example
This example shows how to create a new IPv6 routing table named table_1:
ipv6 route table add table_1
ipv6 route table del
This command deletes an IPv6 routing table from the FIB.
ipv6 route table del <name>
Description
| Item | Description |
|---|---|
| name | Name of the routing table to delete |
Example
This example shows how to delete the IPv6 routing table named table_1:
ipv6 route table del table_1
sh ipv6 route
This command outputs the content of an IPv6 routing table.
sh ipv6 route [table <name>]
Description
| Item | Description |
|---|---|
| name | IPv6 routing table name |
Note
If the table name is not specified, the content of the main (default) routing table is output.
Example
Example of a response to the command:
sh ipv6 route
2001:470:1f0e:1461::/64 C dev v20 proto internal
::/0 via 2001:470:1f0e:1461::2 dev v20 proto rcli
IPv6 routes
After creating routing tables, you can add routes to them.
ipv6 route add
Directly connected network
The following command syntax creates a route to a directly connected network.
ipv6 route add <prefix/length> dev <vif_name> [table <table_name>]
Description
| Item | Description |
|---|---|
| prefix | Directly connected network prefix |
| length | Directly connected network prefix length |
| vif_name | The name of the VIF to which the network is connected |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add a connected route to a routing table named table_1:
ipv6 route add 2001:470:1f0e:1461::/64 dev v20 table_1
Remote network
This command creates a route to a remote network.
ipv6 route add <prefix/length> via <ipv6-address> [table <table_name>]
Note
The IP address of the gateway must be reachable via a directly connected route. A directly connected route is added to the main routing table automatically when an IP address is added to a VIF. All routes in additional tables need to be created manually.
Description
| Item | Description |
|---|---|
| prefix | Remote network prefix |
| length | Remote network prefix length |
| ipv6-address | IPv6 address of the gateway to reach the remote network |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add to the main routing table a route to a remote network:
ipv6 route add 2001:470:1f0e:1461::/64 via 2001:470:1f0e:1462::3 table_1
Default route
This command adds a default route into a routing table.
ipv6 route add ::/0 via <ipv6-address> [table <table_name>]
Description
| Item | Description |
|---|---|
| ipv6-address | IPv6 address of the default gateway |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add a default route to a routing table named table_1:
ipv6 route add ::/0 via 2001:470:1f0e:1461::2 table_1
Unreachable route
This command creates an unreachable route.
ipv6 route add <prefix/length> unreachable [table <table_name>]
Description
| Item | Description |
|---|---|
| prefix | Unreachable route prefix |
| length | Prefix length |
| table_name | Specify the name of the table to add a route, otherwise it is added to the default one |
Example
This example shows how to add an unreachable route to the main routing table:
ipv6 route add 2001:470:1f0e:1461::/64 unreachable
ipv6 route del
This command deletes a route from a routing table.
ipv6 route del <prefix/length> [table <table_name>]
Description
| Item | Description |
|---|---|
| prefix | IPv6 route prefix to delete |
| length | Network prefix length |
| table_name | Name of the table to delete the route |
Example
This example shows how to delete the route for 2001:470:1f0e:1461::/64 from the main routing table:
ipv6 route del 2001:470:1f0e:1461::/64
ipv6 route default auto
This command enables creation of a default route based on information from Router Advertisement messages.
After enabling, Bison Router will create a default route based on the first Router Advertisement message received by the interface and associate a timer with this route.
The timer value will match the RA.lifetime value from the message.
After the timer expires, the default route will be deleted, and Bison Router will be ready to create a new default route as soon as it receives another Router Advertisement message.
ipv6 route default auto dev <vif_name> <state>
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of the VIF to enable default route creation | |
| state | Enter enable to enable creation or disable to disable it |
enable
disable
|
Example
This example shows how to enable a default route for the VIF v20:
ipv6 route default auto dev v20 enable
IPv6 Policy-based routing
Policy-based Routing (PBR) is a technique used to make routing decisions based on rules and packet data. The rules apply to each incoming packet and determine which routing table will be used to route the packet. The rules are analyzed in the order of the specified priority until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. If no match is found or there are no PBR rules then the main routing table is used.
ipv6 pbr rule add prefix
This syntax variant creates a PBR rule to match the traffic originating from a particular network.
ipv6 pbr rule add prio <prio_num> from <prefix/length> table <table_name>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
| prefix | IPv6 prefix prefix to match the traffic originating from |
| length | IPv6 prefix length |
| table_name | Name of the routing table to use |
Example
This example shows how to add a rule with a priority number 1 to match the traffic originating from 2001:470:1f0e:1461::/64:
ipv6 pbr rule add prio 1 from 2001:470:1f0e:1461::/64 table table_1
ipv6 pbr rule add set
This command creates a PBR rule to match the traffic received from one of the VIFs contained in L2 set.
Note
So far, only l2 value of the set type parameter is supported.
ipv6 pbr rule add prio <prio_num> u32set <set_name> type <set_type> table <table_name>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
| set_name | Name of the U32 set to use in a rule |
| set_type | Currently, only one type is supported in IPv6 l2 |
| table_name | Name of the routing table to use |
Example
This example shows how to add a rule with a priority number 1 to match the traffic originating from l2 set named l2set_test:
ipv6 pbr rule add prio 1 u32set l2set_test type "l2" table table_1
ipv6 pbr rule del
This command deletes a PBR rule with the given priority.
Note
Removing a priority does not affect the priority numbering of other existing rules.
Note
Avoid creating rules with the same priority, otherwise it may lead to unpredictable prioritization of these rules. To view the list of existing rules, use the command sh ip pbr rules.
ipv6 pbr rule del prio <prio_num>
Description
| Item | Description |
|---|---|
| prio_num | Priority number |
Example
This example shows how to delete a PBR rule with the priority number 2:
ipv6 pbr rule del prio 2
sh ip pbr rules
This command outputs PBR rules.
sh ip pbr rules
Example
The response has the following format:
sh ipv6 pbr rules
prio condition rt_table
10 from 2001:470:400e:1461::/64 main6
20 l2set l2s1 main6
IPv6 ARP
ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses. The ARP cache is a table of records consisting of three elements: IPv6 address, MAC address and VIF name.
ipv6 arp add
This command creates or edits an ARP record.
ipv6 arp add <ipv6_address> <mac> dev <vif_name> [static]
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address to map |
| mac | MAC address to map |
| vif_name | Name of the corresponding VIF |
| static | Add this parameter to disable TTL (optional) |
Note
ARP TTL is configured in nd_neighbor_cache_entry_ttl. This variable can be changed at any time. The default value is 600 seconds.
Example
This example shows how to add an ARP cache record mapping IP address 2001:470:1f0e:1461::2, MAC address E0:D5:5E:8D:35:2E and VIF named v20:
ipv6 arp add 2001:470:1f0e:1461::2 E0:D5:5E:8D:35:2E dev v20
Note
VIF in this case is the scope of the command. Exactly the same IPv6 and MAC addresses may exist within another VIF.
ipv6 arp del
This command deletes an ARP record.
ipv6 arp del <ipv6_address> dev <vif_name>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address to delete |
| vif_name | Name of the corresponding VIF |
Example
This example shows how to delete the ARP record for IP address 2001:470:1f0e:1461::2 and VIF v20:
arp del 2001:470:1f0e:1461::2 dev v20
sh ipv6 arp
This command outputs the content of the IPv6 ARP cache.
sh ipv6 arp
Example
The response has the following format:
sh ipv6 arp
vif ip mac state flags
flags: R - isRouter, P - probing, S - static
port 0, vid 0.20, type 0 fe80::cd93:87a6:9c34:f752 DA:AB:79:AA:47:FB stale
port 0, vid 0.20, type 0 2001:470:1f0e:1461::2 DA:AB:79:AA:47:FB reachable
Note
The vid value consists of <svid_value>.<cvid_value>
Possible states:
| State | Description |
|---|---|
| reachable | Record contains all the necessary data |
| incomplete | Response has not been received yet |
| stale | Response received, but the value of the MAC address could be outdated |
IPv6 ICMP Errors
icmp6 error msg
This command enables or disables the generation of ICMPv6 error messages with certain type and code.
icmp6 error msg type <type_number> code <code_number> <state>
Description
| Item | Description | Value |
|---|---|---|
| type_number | ICMPv6 error message type number | |
| code_number | ICMPv6 error message code number | |
| state | Enter enable to enable the message or disable to disable |
enable
disable
|
Example
This example shows how to enable ICMPv6 message type 3 code 6:
icmp6 error msg type 3 code 6 enable
sh icmpv6 error msg
This command outputs the state of an ICMPv6 error message.
sh icmpv6 error msg type <type_number> code <code_number>
Description
| Item | Description |
|---|---|
| type_number | ICMPv6 error message type number |
| code_number | ICMPv6 error message code number |
Example
This example shows how to output information about the status of an ICMPv6 message type 3 code 6:
sh icmpv6 error msg type 3 code 6
The response has the following format:
sh icmpv6 error msg type 3 code 6
icmpv6 error message type 3, code 6 is enabled
Possible statuses:
icmpv6 error message type x, code x is not supported
icmpv6 error message type x, code x is enabled
icmpv6 error message type x, code x is disabled
IPv6 Neighbor Discovery Router Advertisement
ipv6 nd ra
This command enables or disables Router Advertisement messages on a VIF. If the Router Advertisement messages are disabled, the router will not transmit Router Advertisement messages on a VIF and will not respond to requests from neighbor routers.
ipv6 nd ra <state> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| state | Enter enable to enable messages or disable to disable |
enable
disable
|
| vif_name | Name of a VIF to enable/disable Router Advertisement messages |
Example
This example shows how to enable Router Advertisement messages for the VIF v20:
ipv6 nd ra enable dev v20
ipv6 nd ra vlan set
ipv6 nd ra enable|disable vlan set <vlan_set_id> [prefix <vif_name_prefix>]
These commands enable or disable transmission of IPv6 ND RA messages at the VIFs with ids from a VLAN set.
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
ipv6 nd ra enable vlan set 2
This command enables transmission of IPV6 ND RA messages at the VIFs with ids from the VLAN set 2.
ipv6 nd ra enable vif range
This command enables or disable Router Advertisement messages on a VLAN range.
Note
The range parameter represents a range of numbers.
Enter two numbers separated by a space to specify a range (for example, cvid 100 200 means Customer VLAN IDs from 100 to 200) and one number if it is a particular object (cvid 100 means Customer VLAN ID number 100).
ipv6 nd ra <state> vif range svid <svid_range> cvid <cvid_range> name <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| state | Enter enable to enable Router Advertisement messages or disable to disable |
enable
disable
|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| vif_name | Name of the range of virtual interfaces to be added |
Example
This example shows how to enable Router Advertisement messages on a VLAN range from 4.100 to 5.200 within the VIF v20:
ipv6 nd ra enable vif range svid 4 5 cvid 100 200 name v20
ipv6 nd ra lifetime
This command configures the value of the lifetime field of Router Advertisement messages sent from a VIF.
ipv6 nd ra lifetime <number> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| number | Lifetime value | sec
16-9000
|
| vif_name | Name of a VIF to configure a lifetime value of Router Advertisement messages |
Example
This example shows how to set the lifetime field value equal to 3600 for the VIF v20:
ipv6 nd ra lifetime 3600 dev v20
ipv6 nd ra interval
This command configures MinRtrAdvInterval and MaxRtrAdvInterval variables and its values. For more information, see 6.2.1. Router Configuration Variables.
ipv6 nd ra interval <min_number> <max_number> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| min_number | MinRtrAdvInterval value | sec
3-0.75 * MaxRtrAdvInterval
|
| max_number | MaxRtrAdvInterval value | sec
4-1800
|
| vif_name | Name of a VIF to configure a MinRtrAdvInterval variable |
Example
This example shows how to set the MinRtrAdvInterval value 3 and the MaxRtrAdvInterval value 10 on the VIF v20:
ipv6 nd ra interval 3 10 dev v20
ipv6 nd ra reachable
The command configures the value of the Reachable Time field in the Router Advertisement messages sent by Bison Router.
Note
The value 0 means unspecified.
ipv6 nd ra reachable <number> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| number | Reachable time value | ms
<3,600,600 (1 hour)
|
| vif_name | Name of a VIF to configure the Reachable Time |
Example
This example shows how to set the Reachable Time field value equal to 1000000 on the VIF v20:
ipv6 nd ra reachable 1000000 dev v20
ipv6 nd ra retrans_timer
This command configures the value of the Retrans Timer field in the Router Advertisement messages sent by Bison Router.
Note
The value 0 means unspecified.
ipv6 nd ra retrans_timer <number> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| number | Retrans Timer value | ms
default value
1000 |
| vif_name | Name of a VIF to configure the Retrans Timer |
Example
This example shows how to set the Retrans Timer equal to 2000 on the VIF v20:
ipv6 nd ra retrans_timer 2000 dev v20
ipv6 nd ra hop_limit
This command configures the default value of the Cur Hop Limit field in the Router Advertisement messages sent by Bison Router.
The value should be set to the current diameter of the Internet.
Note
The value 0 means unspecified.
ipv6 nd ra hop_limit <number> dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| number | Cur Hop Limit value | 1-255 |
| vif_name | Name of a VIF to configure the Cur Hop Limit |
Example
This example shows how to set the Cur Hop Limit equal to 4 on the VIF v20:
ipv6 nd ra hop_limit 4 dev v20
ipv6 nd ra prefix add
This command adds a prefix to Router Advertisement messages sent from a VIF.
ipv6 nd ra prefix add <prefix/length> [valid_lt <number>] [preferred_lt <number>] [flags <flags>] dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| prefix | IPv6 prefix | |
| length | IPv6 prefix length | |
| valid_lt | The length of time the prefix is valid for the purpose of on-link determination | sec |
| preferred_lt | The length of time in that addresses generated from the prefix via stateless
address autoconfiguration remain preferred
|
sec |
| flags | A - 1-bit autonomous address-configuration flag. When set, indicates that
this prefix can be used for stateless address configuration
O - 1-bit “Other configuration” flag. When set, it indicates that
other configuration information is available via DHCPv6
|
A, O |
Example
This example shows how to add the prefix 2001:470:1f0e:1461::/64 to Router Advertisement messages sent from the VIF v20:
ipv6 nd ra prefix add 2001:470:1f0e:1461::/64 dev v20
ipv6 nd ra prefix update
This command updates a prefix in Router Advertisement messages sent from a VIF.
ipv6 nd ra prefix update <prefix/length> [valid_lt <number>] [preferred_lt <number>] [flags <flags>] dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| prefix | IPv6 prefix | |
| length | IPv6 prefix length | |
| valid_lt | The length of time the prefix is valid for the purpose of on-link determination | sec |
| preferred_lt | The length of time in that addresses generated from the prefix via stateless
address autoconfiguration remain preferred
|
sec |
| flags | A - 1-bit autonomous address-configuration flag. When set, indicates that
this prefix can be used for stateless address configuration
O - 1-bit “Other configuration” flag. When set, it indicates that
other configuration information is available via DHCPv6
|
A, O |
Example
This example shows how to update the prefix 2001:470:1f0e:1461::/64 in Router Advertisement messages sent from the VIF v20:
ipv6 nd ra prefix update 2001:470:1f0e:1461::/64 dev v20
ipv6 nd ra prefix del
This command deletes a prefix from Router Advertisement messages sent from a VIF.
ipv6 nd ra prefix add <prefix/length> dev <vif_name>
Description
| Item | Description |
|---|---|
| prefix | IPv6 on-link prefix |
| length | IPv6 on-link prefix length |
| vif_name | Name of the VIF to delete a prefix form Router Advertisement messages |
Example
This example shows how to delete the prefix 2001:470:1f0e:1461::/64 from Router Advertisement messages sent from the VIF v20:
ipv6 nd ra prefix add 2001:470:1f0e:1461::/64 dev v20
VRRP
VRRP
vrrp create group
This command creates a new VRRP group.
vrrp create group <vrrp_id> dev <vif_name>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP group to create |
| vif_name | Name of a VIF to create a VRRP group |
Example
This example shows how to create the VRRP group 10 on the VIF v5:
vrrp create group 10 dev v5
vrrp del group
This command deletes a VRRP group.
vrrp del group <vrrp_id> dev <vif_name>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP group to delete |
| vif_name | Name of a VIF to delete a VRRP group |
Example
This example shows how to delete the VRRP group 10 from the VIF v5:
vrrp del group 10 dev v5
vrrp group ip add
This command adds the primary or a secondary IP address to a VRRP group.
vrrp group <vrrp_id> dev <vif_name> ip add <ip_address> [secondary]
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP group to add primary or secondary IP address |
| vif_name | Name of a VIF to add primary or secondary IP address to a VRRP group |
| ip_address | IP address to add. Use
secondary parameter, if the IP address issecondary. Omit
secondary parameter, if the IP addressis primary.
|
Examples
This example shows how to add the primary IP address 10.0.5.10 to the VRRP group 10 on the VIF v5:
vrrp group 10 dev v5 ip add 10.0.5.10
This example shows how to add the secondary IP address 10.0.55.11 to the VRRP group 11 on the VIF v5:
vrrp group 11 dev v5 ip add 10.0.55.11 secondary
vrrp group ip del
This command deletes an IP address from a VRRP group.
vrrp group <vrrp_id> dev <vif_name> ip del <ip_address>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP group to delete an IP address |
| vif_name | Name of a VIF to delete an IP address from a VRRP group |
| ip_address | IP address to delete |
Examples
This example shows how to delete the IP address 10.0.5.10 from the VRRP group 10 on the VIF v5:
vrrp group 10 dev v5 ip del 10.0.5.10
vrrp group prio
This command changes the priority of a VRRP group.
vrrp group <vrrp_id> dev <vif_name> prio <prio_num>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP group to change the priority |
| vif_name | Name of a VIF to change the priority of a VRRP group |
| prio_num | Priority number of a VRRP group |
Examples
This example shows how to set the priority number 100 for the VRRP group 10 on the VIF v5:
vrrp group 10 dev v5 prio 100
vrrp group advert_int
This command changes the advertisement transmission interval of a VRRP group.
vrrp group <vrrp_id> dev <vif_name> advert_int <value>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP group to change the advertisement
transmission interval
|
|
| vif_name | Name of a VIF to change the advertisement transmission
interval of a VRRP group
|
|
| value | Interval value | Cetiseconds
100 centiseconds = 1 sec
|
Example
This example shows how to set the advertisement transmission interval 200 for the VRRP group 10 on the VIF v5:
vrrp group 10 dev v5 advert_int 200
vrrp group preempt_mode
This command changes the Preempt_Mode of a VRRP group.
vrrp group <vrrp_id> dev <vif_name> preempt_mode <mode>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP group to change the Preempt_Mode | |
| vif_name | Name of a VIF to change the Preempt_Mode of a VRRP group
|
|
| mode | on - enables preemption
off - disables preemption
|
on
off
|
Example
This example shows how to enable the preemption of the VRRP group 10 on the VIF v5:
vrrp group 10 dev v5 preempt_mode on
sh vrrp
This command outputs a VRRP group.
sh vrrp
Example
The response has the following format:
sh vrrp
vif v5 - group 11
vif v5 - port 0, vid 0.5, type 0
state is backup
virtual mac address is 00:00:5E:00:01:0B
primary ip address is 10.0.55.10
secondary ip address is 10.0.55.11
advertisement interval is 1 sec
preemption is on
priority is 100
master router is 10.0.5.2, priority is 150
master router advertisement interval is 1 sec
master down interval is 3.609 sec
vif v5 - group 10
vif v5 - port 0, vid 0.5, type 0
state is master
virtual mac address is 00:00:5E:00:01:0A
primary ip address is 10.0.5.10
secondary ip address is 10.0.5.11
advertisement interval is 1 sec
preemption is on
priority is 150
master router is 10.0.55.1 (this system), priority is 150
master router advertisement interval is 1 sec
master down interval is 3.414 sec
VRRP version 3
vrrp create group
This command creates a new VRRP3 IPv6 group.
vrrp create group <vrrp_id> dev <vif_name> address-family af_ipv6 version 3
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to create |
| vif_name | Name of a VIF to create a VRRP3 IPv6 group |
Example
This example shows how to create the VRRP3 group 10 on the VIF v5:
vrrp create group 10 dev v5 address-family af_ipv6 version 3
vrrp group del
This command deletes a VRRP3 IPv6 group.
vrrp del group <vrrp_id> dev <vif_name>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to delete |
| vif_name | Name of a VIF to delete a VRRP3 IPv6 group |
Example
This example shows how to delete the VRRP3 group 10 from the VIF v5:
vrrp del group 10 dev v5
vrrp group ipv6 add
This command sets or changes an IPv6 link-local address of a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 add <ipv6_address>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to set or change an IPv6 link-local address |
| vif_name | Name of a VIF to set or change an IPv6 link-local address
of a VRRP3 IPv6 group
|
| ipv6_address | IPv6 link-local address |
Example
This example shows how to set the IPv6 link-local address fe80::1269:ddac:fe32:d336 for the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 ipv6 add fe80::1269:ddac:fe32:d336
vrrp group ipv6 add
This command adds a secondary IPv6 global address to a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 add <ipv6_address> secondary
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to add a secondary IPv6 global address |
| vif_name | Name of a VIF to add a secondary IPv6 global address
to a VRRP3 IPv6 group
|
| ipv6_address | Secondary IPv6 global address |
Example
This example shows how to add the secondary IPv6 global address 2001:470:1f0e:1461::10 to the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 ipv6 add 2001:470:1f0e:1461::10 secondary
vrrp group ipv6 del
This command deletes a secondary IPv6 global address from a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 del <ipv6_address> secondary
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to delete a secondary IPv6 global address |
| vif_name | Name of a VIF to delete a secondary IPv6 global address
from a VRRP3 IPv6 group
|
| ipv6_address | Secondary IPv6 global address |
Example
This example shows how to delete the secondary IPv6 global address 2001:470:1f0e:1461::10 from the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 ipv6 del 2001:470:1f0e:1461::10 secondary
vrrp group prio
This command changes the priority of a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> prio <prio_num>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to change the priority |
| vif_name | Name of a VIF to change the priority of a VRRP3 IPv6 group |
| prio_num | Priority number of a VRRP3 IPv6 group |
Examples
This example shows how to set the priority number 100 for the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 prio 100
vrrp group advert_int
This command changes the advertisement transmission interval of a VRRP IPv6 group.
vrrp group <vrrp_id> dev <vif_name> advert_int <value>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to change
the advertisement transmission interval
|
|
| vif_name | Name of a VIF to change the advertisement transmission
interval of a VRRP3 IPv6 group
|
|
| value | Interval value | Cetiseconds
100 centiseconds = 1 sec
|
Example
This example shows how to set the advertisement transmission interval 200 for the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 advert_int 200
vrrp group accept_mode
This command changes the Accept_Mode of a VRRP3 IPv6 group. For more details, see RFC 5798 6.1.
vrrp group <vrrp_id> dev <vif_name> accept_mode <mode>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to change the Accept_Mode | |
| vif_name | Name of a VIF to change Accept_Mode of a VRRP3 IPv6 group
|
|
| mode | on - enables Accept_Mode
off - disables Accept_Mode
|
on
off
|
Example
This example shows how to enable the Accept_mode for the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 accept_mode on
vrrp group preempt_mode
This command changes the preempt_mode of a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> preempt_mode <mode>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to change the Preempt_Mode | |
| vif_name | Name of a VIF to change Preempt_Mode of a VRRP3 IPv6 group
|
|
| mode | on - enables preemption
off - disables preemption
|
on
off
|
Example
This example shows how to enable the preemption of the VRRP3 IPv6 group 10 on the VIF v5:
vrrp group 10 dev v5 preempt_mode on
sh vrrp
This command outputs a VRRP3 IPv6 group.
sh vrrp
Example
The response has the following format:
sh vrrp
vif p0 - group 10
vrrp version is 3
vif p0 - port 0, vid 0.0, type 0
state is master
virtual mac address is 00:00:5E:00:01:0A
primary ip address is fe80::ae1f:6bff:fe98:21be
secondary ip address is 2001:470:1f0e:1461::10
advertisement interval is 1 sec
preemption is on
accept-mode is off
priority is 150
effective priority is 150
flags is 18
master router is fe80::21b:21ff:febc:ca3c (this system), priority is 150
master router advertisement interval is 1 sec
master down interval is 3.41 sec
vrrp group nd ra enable/disable
This command enables or disables transmission of ND Router Advertisement messages for a VRRP3 IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra <mode>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to enalbe/disable transmission of ND Router
Advertisement messages
|
|
| vif_name | Name of a VIF to enalbe/disable transmission of ND Router
Advertisement messages for a VRRP3 IPv6 group
|
|
| mode | enable - enables transmission
disable - disables transmission
|
enable
disable
|
Example
This example shows how to enable the transmission of ND Router Advertisement messages for the VRRP3 IPV6 group 10 on the VIF v5:
vrrp group 10 dev v5 nd ra enable
vrrp group nd ra lifetime
This command configures a lifetime field value of Router Advertisement messages sent for a VRRP3 IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra lifetime <value>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to set a lifetime field value of Router
Advertisement messages
|
|
| vif_name | Name of a VIF to set a lifetime field value of Router Advertisement
messages for a VRRP3 IPv6 group
|
|
| value | Lifetime field value of Router Advertisement messages | sec
16-9000
|
Example
This example shows how to set the lifetime field value of Router Advertisement messages 1000 sent for the VRRP3 IPV6 group 10 on the VIF v5:
vrrp group 10 dev v5 nd ra lifetime 1000
vrrp group nd ra interval
This command configures MinRtrAdvInterval and MaxRtrAdvInterval variables and its values for a VRRP3 IPV6 group.
For more information, see RFC 4861 6.2.1.
vrrp group <vrrp_id> dev <vif_name> nd ra interval <min_number> <max_number>
Description
| Item | Description | Value |
|---|---|---|
| min_number | MinRtrAdvInterval value | sec
3-0.75 * MaxRtrAdvInterval
|
| max_number | MaxRtrAdvInterval value | sec
4-1800
|
| vrrp_id | ID of a VRRP3 IPv6 group to set
MinRtrAdvIntervaland
MaxRtrAdvInterval values |
|
| vif_name | Name of a VIF to configure
MinRtrAdvIntervaland
MaxRtrAdvInterval values for a VRRP3 IPV6 group |
Example
This example shows how to set the MinRtrAdvInterval value 3 and the MaxRtrAdvInterval value 10 for the VRRP3 IPV6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra interval 3 10
vrrp group nd ra reachable
The command configures the value of the Reachable Time field in the Router Advertisement messages sent for a VRRP3 IPv6 group by Bison Router.
Note
The value 0 means unspecified.
vrrp group <vrrp_id> dev <vif_name> nd ra reachable <number>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to set the Reachable Time value | |
| vif_name | Name of a VIF to configure the Reachable Time
for a VRRP3 IPv6 group
|
|
| number | Reachable time value | ms
<3,600,600 (1 hour)
|
Example
This example shows how to set the Reachable Time field value equal to 1000000 in the Router Advertisement messages sent for the VRRP3 IPv6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra reachable 1000000
vrrp group nd ra retrans_timer
This command configures the value of the Retrans Timer field in the Router Advertisement messages sent for a VRRP3 IPv6 group by Bison Router.
Note
The value 0 means unspecified.
vrrp group <vrrp_id> dev <vif_name> nd ra retrans_timer <number>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to set the Retrans Timer value | |
| vif_name | Name of a VIF to configure the Retrans Timer
for a VRRP3 IPv6 group
|
|
| number | Retrans Timer value | ms
default value
1000 |
Example
This example shows how to set the Retrans Timer equal to 2000 in the Router Advertisement messages sent for the VRRP3 IPv6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra retrans_timer 2000
vrrp group nd ra hop_limit
This command configures the default value of the Cur Hop Limit field in the Router Advertisement messages sent by Bison Router.
The value should be set to the current diameter of the Internet.
Note
The value 0 means unspecified.
vrrp group <vrrp_id> dev <vif_name> nd ra hop_limit <number>
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to set the Cur Hop Limit value | |
| vif_name | Name of a VIF to configure the Cur Hop Limit for a VRRP3 IPv6 group | |
| number | Cur Hop Limit value | 1-255 |
Example
This example shows how to set the Cur Hop Limit equal to 4 in the Router Advertisement messages sent for the VRRP3 IPv6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra hop_limit 4
vrrp group nd ra prefix add
This command adds a prefix in Router Advertisement messages sent for a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra prefix add <prefix/length> [valid_lt <number>] [preferred_lt <number>] [flags <flags>]
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to add a prefix in Router Advertisement messages | |
| vif_name | Name of a VIF to add a prefix in Router Advertisement messages for a VRRP3
IPv6 group
|
|
| prefix | IPv6 prefix | |
| length | IPv6 prefix length | |
| valid_lt | The length of time the prefix is valid for the purpose of on-link determination | sec |
| preferred_lt | The length of time in that addresses generated from the prefix via stateless
address autoconfiguration remain preferred
|
sec |
| flags | A - 1-bit autonomous address-configuration flag. When set, indicates that
this prefix can be used for stateless address configuration
O - 1-bit “Other configuration” flag. When set, it indicates that
other configuration information is available via DHCPv6
|
A, O |
Example
This example shows how to add the prefix 2001:470:1f0e:1461::/64 in Router Advertisement messages sent for the VRRP3 IPv6 group on the VIF v20:
vrrp group 10 dev v20 nd ra prefix add 2001:470:1f0e:1461::/64
vrrp group nd ra prefix update
This command updates a prefix in Router Advertisement messages sent for a VRRP3 IPv6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra prefix add <prefix/length> [valid_lt <number>] [preferred_lt <number>] [flags <flags>]
Description
| Item | Description | Value |
|---|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to update a prefix in Router Advertisement messages | |
| vif_name | Name of a VIF to update a prefix in Router Advertisement messages for a
VRRP3 IPv6 group
|
|
| prefix | IPv6 prefix | |
| length | IPv6 prefix length | |
| valid_lt | The length of time the prefix is valid for the purpose of on-link determination | sec |
| preferred_lt | The length of time in that addresses generated from the prefix via stateless
address autoconfiguration remain preferred
|
sec |
| flags | A - 1-bit autonomous address-configuration flag. When set, indicates that
this prefix can be used for stateless address configuration
O - 1-bit “Other configuration” flag. When set, it indicates that
other configuration information is available via DHCPv6
|
A, O |
Example
This example shows how to update the prefix 2001:470:1f0e:1461::/64 in Router Advertisement messages sent for the VRRP3 IPv6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra prefix update 2001:470:1f0e:1461::/64
vrrp group nd ra prefix del
This command deletes a prefix from Router Advertisement messages sent for a VRRP IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra prefix add <prefix/length>
Description
| Item | Description |
|---|---|
| vrrp_id | ID of a VRRP3 IPv6 group to delete a prefix in Router Advertisement messages |
| vif_name | Name of a VIF to delete a prefix in Router Advertisement messages sent for
a VRRP3 IPv6 group
|
| prefix | IPv6 prefix |
| length | IPv6 prefix length |
Example
This example shows how to delete the prefix 2001:470:1f0e:1461::/64 from Router Advertisement messages sent for the VRRP3 IPv6 group 10 on the VIF v20:
vrrp group 10 dev v20 nd ra prefix add 2001:470:1f0e:1461::/64
Flow accounting
flow ipfix_collector (deprecated)
This command configures flow accounting IPFIX collector address and port. Default port value is 4739.
Note
This command is still supported, but its use is not recommended since it may be removed in future releases. Please use the command flow collector instead.
flow ipfix_collector addr <ipv4_address> [port <port_number>]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a flow accounting IPFIX collector | |
| port_number | Port number of a flow accounting IPFIX collector | Default = 4739 |
Example
This example shows how to set 192.168.1.202 and the default port number for the flow accounting IPFIX collector:
flow ipfix_collector addr 192.168.1.202
flow collector
This command configures flow accounting collector address and port.
flow collector addr <ipv4_address> [port <port_number>] [proto <proto_value>] [scope <scope_value>]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a flow accounting collector | |
| port_number | Port number of a flow accounting collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
|
Defaul = 10 |
| scope_value | Scope. Scope determines what messages will be sent to the collector.
ip - both IPv4 and IPv6 messages
ipv4 - only ipv4 messages
ipv6 - only ipv6 messages
|
Default = ip |
Example
This example shows how to set 192.168.1.202 and the default port number for the flow accounting collector:
flow collector addr 192.168.1.202
flow collector add
This command adds a Flow collector to the list of Flow collectors. Flow accounting messages are sent to all collectors on the list at the same time.
flow collector add addr <ipv4_address> [port <port_number>] [proto <proto_value>] [scope <scope_value>]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a Flow collector | |
| port_number | Port number of a Flow collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
|
Default = 9 |
| scope_value | Scope. Scope determines what messages will be sent to the collector.
ip - both IPv4 and IPv6 messages
ipv4 - only ipv4 messages
ipv6 - only ipv6 messages
|
Default = ip |
Example
This example shows how to add a Flow collector with IP address 10.0.0.1 and port number 9995.
flow collector add addr 10.0.0.1 port 9995 proto 9
flow collector del
This command deletes a Flow collector from the list of Flow collectors. Flow accounting messages are sent to all collectors on the list at the same time.
flow collector del addr <ipv4_address> [port <port_number>] [proto <proto_value>]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a Flow collector | |
| port_number | Port number of a Flow collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
|
Default = 9 |
Example
This example shows how to delete a Flow collector with IP address 10.0.0.1 and port number 9995.
flow collector del addr 10.0.0.1 port 9995 proto 9
flow acl add
This command adds an ACL with a given ID to the list of ALCs used by the Flow accounting module to filter the traffic it processes.
rcli flow acl add <aclid> prio <prio>
Description
| Item | Description | Value |
|---|---|---|
| aclid | ID of existing ACL | |
| prio | position of added ACL in the Flow accounting list of ACLs |
Example
This example shows how to add existing ACL with ID 21 into the Flow accounting list of ACLs at position 10
flow acl add aclid 21 prio 10
flow acl del
This command deletes an ACL with a given ID from the list of ALCs used by the Flow accounting module to filter the traffic it processes.
flow acl del <aclid>
Description
| Item | Description | Value |
|---|---|---|
| aclid | ID of existing ACL |
Example
This example shows how to delete ACL with ID 21 from the Flow accounting list of ACLs
flow acl del aclid 21
sh flow
This command outputs the Flow accounting configuration.
sh flow
Example
# sh flow
flow accounting enabled: yes
flow accounting collectors:
addr port proto
192.168.1.3 4739 10
192.168.1.2 4739 10
flow export filter
src filter enabled: 0
src filter prefix map id: -
dst filter enabled: 0
dst filter prefix map id: -
IPFIX shaper not defined
sh flow stat
This command outputs Flow accounting statistic counters.
sh flow stat
Example
The response has the following format:
sh flow stat
flow ipv4 allocated: 0
flow ipv4 free: 32768
flow ipv4 exported: 16
flow ipv6 allocated: 0
flow ipv6 free: 32768
flow ipv6 exported: 0
flow export failures: 0
lcore 1 overflow count: 0
lcore 1 flow created: 16
total overflow: 0
total flow created: 16
NAT
NAT timeouts
Commands in this section are applicable to all types of NAT.
sh nat timeout
This command outputs NAT session state’s timeout values.
sh nat timeout
Example
The output has the following format:
sh nat timeout
unknown: 30
active: 40
syn_sent: 30
established: 7200
fin_wait: 30
close_wait: 30
closing: 30
last_ack: 30
closed: 30
icmp_active: 30
dns: 4
gre: 7200
nat timeout
This command sets the timeout for NAT translations with a particular state.
nat timeout <state> <timeout>
Description
| Item | Description | Value |
|---|---|---|
| timeout | Timeout value | sec |
| state | Name of the translation session state | unknown
active
syn_sent
established
fin_wait
close_wait
closing
last_ack
closed
icmp_active
dns
gre
|
Example
This example shows how to set timeout 1200 seconds for translations with the state established:
nat timeout established 1200
SNAT44
SNAT44 is an implementation of the IPv4 Source NAT port-block-based algorithm. It is the most flexible and feature-rich SNAT module of Bison Router. SNAT44 allows to dynamically change the internal and the out/translation IP address spaces of the SNAT44 map, temporarily exclude out/translation IP addresses from operation.
SNAT features:
- SNAT44, DNAT44.
- EIM, Endpoint Independent Mapping.
- NAT translation session limit per host.
- Hairpinning (NAT loopback).
- NEL (NAT Event Logging) via IPFIX, Netflow v9.
- Performance up to 15 Mpps and 120 Gbit/s.
- ALG support: PPtP, ICMP, traceroute.
- Supports all major protocols and applications including SIP, FTP, RTSP, IPSec and GRE based VPNs, and gaming console.
To activate the SNAT function, you need to perform these steps in the following order:
- Create a map (snat create map).
- Enable the SNAT function on a VIF (snat vif enable).
- Add a map to a VIF (snat add map).
These steps order and corresponding commands are mandatory. The rest are used for additional configuration.
Example
This example shows the order in which the required commands should be executed:
snat create map 1 in entries 20000 sess 8000000
snat vif v20 enable
snat vif v20 add map 1
snat create map
This command creates a map to translate an internal IPv4 address space (in) to a public IPv4 address space (out). The internal IP address space can include a number of internal IP address prefixes. The out address spaces consist of a number of IP address ranges.
snat create map <map_id> [in entries <nb_in_entries>] [sess <nb_sessions>] [port block <port_block_size>] [ratio <ratio>] [ip port block <nb_pb_per_in_ip>]
Description
| Item | Description | Default values |
|---|---|---|
| nb_in_entries | Maximum number of internal IP records | 32768 |
| nb_sessions | Maximum number of NAT sessions | 8388608 |
| port_block_size | Port block size | 128 |
| ratio | The ratio of internal to out addresses.
For example, a ratio value 32 would mean
that each out (public) address could be used
by max. 32 internal IP addresses
at the same time
|
256 |
| nb_pb_per_in_ip | Maximum number of port blocks
that an internal IP can use at the same time
|
4 |
Note
port_block_size 128ratio 256nb_pb_per_in_ip 4The nb_in_entries value should be equal to the number of subscribers.
nb_sessions value is calculated as follows:nb_sessions = nb_in_entries * 4000,Example
This example shows how to create a SNAT map 1 with the ratio of internal to out address 32:
snat create map 1 ratio 32
Example with all the specified parameters:
snat create map 1 in entries 40000 sess 16000000 port block 128 ratio 64 ip port block 4
sh snat maps
This command outputs information on all translation maps.
sh snat maps
Example
The response has the following format:
sh snat maps
SNAT map
map id: 1
internal prefixes:
192.168.2.0/24
10.8.0.0/24
out ranges:
10.114.0.0 - 10.114.0.7
active sessions: 0
max internal hosts: 32768
max sessions: 8388608
in/out ratio: 32
port block size: 128
port blocks per out address: 504
port blocks per in address: 4
state counters:
unknown: 0
active: 0
syn_sent: 0
established: 0
fin_wait: 0
close_wait: 0
closing: 0
last_ack: 0
closed: 0
icmp_active: 0
dns: 0
gre: 0
sh snat sessions map
This command outputs NAT sessions within a map or all session for an IP address if such a parameter is specified.
sh snat sessions map <map_id> [in <ip_address>]
Description
| Item | Description |
|---|---|
| map_id | ID of a map to show sessions |
| ip_address | Internal IPv4 address to output sessions (optional) |
Example
The response has the following format:
sh snat sessions map 1 in 10.64.3.27
in addr:port out addr:port ext addr:port proto state expire in secs
10.64.3.27:62695 103.165.12.223:62472 89.58.26.17:60534 udp active 29
10.64.3.27:53889 xx.xx.12.223:62510 219.91.170.228:31889 tcp established 7198
10.64.3.27:62695 xx.xx.12.223:62472 219.91.170.228:31889 udp active 28
10.64.3.27:53888 xx.xx.12.223:62583 87.201.193.150:22295 tcp syn_sent 29
10.64.3.27:62695 xx.xx.12.223:62472 87.201.193.150:22295 udp active 28
10.64.3.27:53887 xx.xx.12.223:62543 45.118.159.191:32815 tcp syn_sent 29
10.64.3.27:62695 xx.xx.12.223:62472 45.118.159.191:32815 udp active 28
10.64.3.27:53886 xx.xx.12.223:62526 49.244.101.124:1026 tcp syn_sent 29
sh snat int_ip map
This command outputs internal IP records of a SNAT44 map. The internal IP record contains the following information:
- the out/translation IP address used by the internal IP address.
- port blocks used exclusively by the translation IP address.
sh snat int_ip map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to output internal IP records |
Example
The response has the following view:
sh snat int_ip map 1 | head
int-ip out-ip port-blocks
10.64.0.24 xx.xx.12.62 ports 60928 - 61055, rc 28, closed 0
10.64.3.187 xx.xx.12.32 ports 53632 - 53759, rc 50, closed 0
10.64.6.5 xx.xx.12.41 ports 51968 - 52095, rc 1, closed 0
10.64.9.52 xx.xx.12.57 ports 55296 - 55423, rc 6, closed 0
snat del map
This command deletes a translation map.
snat del map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete |
Example
This example shows how to delete the translation map 1:
snat del map 1
snat map add in prefix
This command adds an IP address prefix to the map’s internal IP address space.
snat map <map_id> add in prefix <prefix>/<mask>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to add a prefix |
| prefix | IPv4 prefix to add |
| mask | Subnet mask |
Example
This example shows how to add the prefix 10.0.0.0/16 to the map 1 internal IP address space:
snat map 1 add in prefix 10.0.0.0/16
snat map del in prefix
This command deletes an IP address prefix from the map’s internal IP address space.
snat map <map_id> del in prefix <prefix>/<mask>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete a prefix |
| prefix | IPv4 prefix to delete |
| mask | Subnet mask |
Example
This example shows how to delete the prefix 10.0.0.0/16 from the map 1 internal IP address space:
snat map 1 del in prefix 10.0.0.0/16
snat map add out range
This command adds an IP range to the map’s out IP address space.
snat map <map_id> add out range <ipv4_addr_from> <ipv4_addr_to>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to add a range |
| ipv4_addr_from | The first IPv4 address of the range |
| ipv4_addr_to | The last IPv4 address of the range |
Example
This example shows how to add the IP range 1.1.1.10-1.1.1.20 to the map 1 out IP address space:
snat map 1 add out range 1.1.1.10 1.1.1.20
snat map del out range
This command deletes an IP range from the map’s out IP address space.
snat map <map_id> del out range <ipv4_addr_from> <ipv4_addr_to>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete a range |
| ipv4_addr_from | The first IPv4 address of the range |
| ipv4_addr_to | The last IPv4 address of the range |
Example
This example shows how to delete the IP range 1.1.1.10-1.1.1.20 from the map 1 out IP address space:
snat map 1 del out range 1.1.1.10 1.1.1.20
snat map add out prefix
This command adds an IPv4 prefix to the map’s out IP address space.
snat map <map_id> add out prefix <prefix>/<mask>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to add a prefix |
| prefix | IPv4 prefix to add |
| mask | Subnet mask |
Example
This example shows how to add the prefix 1.1.1.0/24 to the map 1 out IP address space:
snat map 1 add out prefix 1.1.1.0/24
snat map del out prefix
This command deletes an IPv4 prefix from the map’s out IP address space.
snat map <map_id> del out prefix <prefix>/<mask>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete a prefix |
| prefix | IPv4 prefix to delete |
| mask | Subnet mask |
Example
This example shows how to delete the prefix 10.0.0.0/24 from the map 1 out IP address space:
snat map 1 del out prefix 1.1.1.0/24
snat map out ip disable
This command excludes one of out IP addresses from the map’s out IP address space.
snat map <map_id> out ip <ip_address> disable
Description
| Item | Description |
|---|---|
| map_id | ID of a map to exclude an IP address |
| ip_address | IPv4 address to exclude |
Example
This example shows how to exclude the IPv4 address 1.1.1.128 from the map 1 out IP address space:
snat map 1 out ip 1.1.1.128 disable
snat map out ip enable
This command restores one of the previously excluded out IP addresses.
snat map <map_id> out ip <ipv4_address> enable
Description
| Item | Description |
|---|---|
| map_id | ID of a map to restore an IP address |
| ip_address | IPv4 address to restore |
Example
This example shows how to restore previously excluded IPv4 address 1.1.1.128 in the map 1 out IP address space:
snat map 1 out ip 1.1.1.128 enable
snat close host sessions
This command closes and deletes all translation sessions of a host with a particular IPv4 address.
snat close sess map <map_id> in <addr_in>
Description
| Item | Description |
|---|---|
| map_id | ID of a map |
| addr_in | IPv4 address of a host from one of map’s internal networks to close and delete sessions |
Example
This example shows how to close and delete all sessions of the host 192.168.2.10 from the map 1:
snat close sess map 1 in 192.168.2.10
snat close host session in
This command closes and deletes a translation session with particular internal and external endpoints values.
snat close sess map <map_id> in <addr:port_in> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to close and delete a session | |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to close and delete the translation session with internal endpoint 10.114.0.0:65448 and external endpoint 8.8.8.8:0:
snat close sess map 1 out 10.114.0.0:65448 ext 8.8.8.8:0 icmp
snat close host session out
This command closes and deletes a translation session with a particular combination of out address and port and an external endpoint value.
snat close sess map <map_id> out <addr:port_out> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to close and delete a session | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to close and delete the translation session with a combination of out address and port 10.114.0.0:21828 and external endpoint 13.94.102.123:443:
snat close sess map 1 out 10.114.0.0:21828 ext 13.94.102.123:443 tcp
snat vif enable
This command enables the SNAT function on a VIF.
snat vif <vif_name> enable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to enable SNAT |
Example
This example shows how to enable the SNAT function on the VIF v20:
snat vif v20 enable
snat vif disable
This command disables the SNAT function on a VIF.
snat vif <vif_name> disable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to disable SNAT |
Example
This example shows how to disable the SNAT function on the VIF v20:
snat vif v20 disable
snat add map
This command adds a map to a VIF.
Note
Once a map is added to a VIF and the SNAT function is enabled, the VIF will start performing SNAT translations according to the map’s parameters.
snat vif <vif_name> add map <map_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to add a translation map |
| map_id | ID of a map to add |
Example
This example shows how to add the map 1 to the VIF v20:
snat vif v20 add map 1
snat del map
This command deletes a map from a VIF.
snat vif <vif_name> del map <map_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to delete a translation map |
| map_id | ID of a map to delete |
Example
This example shows how to delete the map 1 from the VIF v20:
snat vif v20 del map 1
snat connection limit get
This command outputs the current number of established sessions and the max. number of allowed sessions for an internal IP address.
snat connection limit get <addr_in>
Description
| Item | Description |
|---|---|
| addr_in | IPv4 address of host from in network |
Example
The response has the following view:
snat connection limit get 192.168.2.20
ip connections max connections
192.168.2.20 0 4096
snat connection limit set
This command sets the max. number of allowed sessions for an internal IP address.
snat connection limit set <addr_in> <value>
Description
| Item | Description |
|---|---|
| addr_in | IPv4 address of host from in network |
| value | The max. number of allowed sessions |
Example
This example shows how to set the max. number of allowed session equal to 300 for the internal IP address 192.168.2.20:
snat connection limit set 192.168.2.20 300
sysctl variables to configure the session limit feature
To activate the SNAT sessions limit feature, you need to perform these steps in the following order:
- Group sessions (sysctl set snat_conn_limit_group_by).
- Set the max. number of sessions for a group (sysctl set snat_conn_limit_default_max_conn).
Example
This example shows the order in which the required variables should be set:
sysctl set snat_conn_limit_group_by 1
sysctl set snat_conn_limit_default_max_conn 4096
sysctl set snat_conn_limit_group_by
This sysctl variable defines the criteria for grouping sessions.
sysctl set snat_conn_limit_group_by <mode>
Description
| Item | Description |
|---|---|
| mode | 0 - don’t group sessions and don’t limit the number of sessions in a group.
This mode disables the feature.
1 - limit the number of sessions in a group.
Sessions are grouped by the source IP address.
2 - limit the number of sessions in a group.
Sessions are grouped by the destination IP address.
|
sysctl set snat_conn_limit_default_max_conn
This sysctl variable defines the default maximum number of sessions in a group.
sysctl set snat_conn_limit_default_max_conn <number>
Description
| Item | Description |
|---|---|
| number | Max. number of sessions in a group |
sysctl set snat_conn_limit_filter_mode
The filtering function is used to exclude particular NAT sessions from groups, in other words it’s used to ignore particular sessions when applying session limits.
To find out which sessions should be excluded Bison Router maintains a list of prefixes.
If the session’s IP address matches one of the prefixes on the list, the session is ignored.
snat_conn_limit_filter_mode variable defines what session’s IP address is used during the matching process.
sysctl set snat_conn_limit_filter_mode <mode>
Description
| Item | Description |
|---|---|
| mode | 0 - disables the feature
1 - applies filtering by source IP address of a session
2 - applies filtering by destination IP address of a session
|
snat connection limit filter add
This command adds a prefix to the SNAT sessions limit list.
snat connection limit filter add <ip_address>/<mask>
Description
| Item | Description |
|---|---|
| ip_address | IPv4 address |
| mask | Subnet mask |
Example
This example shows how to add the prefix 10.11.1.0/24 to the SNAT sessions limit list:
snat connection limit filter add 10.11.1.0/24
snat connection limit filter del
This command deletes a prefix from the SNAT sessions limit list.
snat connection limit filter del <ip_address>/<mask>
Description
| Item | Description |
|---|---|
| ip_address | IPv4 address |
| mask | Subnet mask |
Example
This example shows how to delete the prefix 10.11.1.0/24 from the SNAT sessions limit list:
snat connection limit filter del 10.11.1.0/24
SNAT44 NEL
SNAT44 module supports the following NEL events:
- Session create and delete events;
- Port block allocation and de-allocation events;
- Addresses Exhausted event;
- Ports Exhausted event;
- Internal IP address Ports Exhausted event;
- Maximum Session Entries Exceeded event;
- Maximum Entries per User Exceeded event;
- Maximum Active Hosts or Subscribers Exceeded event;
snat map nel sess
This command enables or disables NEL session events for a SNAT44 map.
snat map <map-id> nel sess <state>
Description
| Item | Description |
|---|---|
| map-id | ID of an SNAT44 map |
| state | 1 - enable; 0 - disable |
Example
This example shows how to disable NEL session events for the map with ID 1.
snat map 1 nel sess 0
snat map nel port block
This command enables or disables NEL port block allocation/de-allocation events for a SNAT44 map.
snat map <map-id> nel port block <state>
Description
| Item | Description |
|---|---|
| map-id | ID of an SNAT44 map |
| state | 1 - enable; 0 - disable |
Example
This example shows how to enable NEL port block allocation/de-allocation events for the map with ID 1.
snat map 1 nel port block 1
Addresses Exhausted Event
This event is generated when there are no available translated/public IP addresses in a SNAT MAP pool. Note that each translated IP address can be used at the same time only by a particular number of subscribers which is specified by the ‘ratio’ parameter of snat create map command.
Ports Exhausted Event
This event is generated when there are no available port-block in a port-block pool of a translated IP address.
Internal IP address Ports Exhausted Event
It’s a non-standard NEL event. The event is generated when there are no available ports in any of the port blocks allocated for a subscriber and no more port-blocks can be allocated for that subscriber. The event uses a natEvent ID 200.
Maximum Session Entries Exceeded Event
This event is generated when the configured NAT session limit is reached. The session limit is specified by the ‘nb_sessions’ parameter of the snat create map command.
Maximum Entries per User Exceeded Event
This event is generated when the configured NAT subscriber session limit is reached. Subscriber session limits are specified by the snat connection limit set command or by the sysctl variable ‘snat_conn_limit_default_max_conn’.
Maximum Active Hosts or Subscribers Exceeded Event
This event is generated when the configured NAT limit of the number of internal hosts or subscribers is reached. The limit is specified by the ‘nb_in_entries’ parameter of the snat create map command.
NEL events rate-limiting
BisonRouter limits the transmission rate of the following NEL events using a token-bucket algorithm:
- Addresses Exhausted event;
- Ports Exhausted event;
- Internal IP address Ports Exhausted event;
- Maximum Session Entries Exceeded event;
- Maximum Entries per User Exceeded event;
- Maximum Active Hosts or Subscribers Exceeded event;
Sysctl variables to configure parameters of trasmission of NEL events
- nel_ratelimit_buckets
It’s an integer sysctl variable with the startup configuration scope. It configures the number of token buckets of the NEL event rate-limit module. Each bucket limits the transmission rate of NEL events mapped to that bucket. Some NEL event types are always mapped to the same bucket depending on a NEL event type value. For example, Maximum Active Hosts or Subscribers Exceeded events always use the same bucket, while Maximum Entries per User Exceeded events use different buckets depending on a particular value of subscriber/user source IP address.
- nel_ratelimit_msg_rate
It’s an integer sysctl variable with the runtime configuration scope. It configures the number of NEL events per second or the transmission rate of NEL events that are transmitted via the same token-bucket.
- nel_ratelimit_burst
It’s an integer sysctl variable with the runtime configuration scope. It configures the maximum number of NEL events that can be sent at once.
DNAT44
snat add dnat
This command creates a DNAT rules table for a SNAT map.
snat add dnat map <map_id> size <dnat_map_size>
Description
| Item | Description |
|---|---|
| map_id | ID of an existing SNAT map |
| dnat_map_size | Max. number of DNAT rules that can be stored in a DNAT table |
Example
This example shows how to create and add a DNAT rules table with a max. number of rules 256 to a SNAT map 1:
snat add dnat map 1 size 256
snat del dnat
This command deletes a DNAT rules table from an SNAT map.
snat del dnat map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of an existing SNAT map to delete a DNAT table from |
Example
This example shows how to delete the DNAT rules table from the SNAT map 1:
snat del dnat map 1
snat add dnat rule
This command adds a new DNAT rule.
snat add dnat rule map <map_id> out <addr:port_out> in <addr:port_in> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of an existing SNAT map | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to create a new DNAT rule in the SNAT map 1 to translate out address and port 10.114.0.0:23200 into internal address and port 10.11.1.11:63140:
snat add dnat rule map 1 out 10.114.0.0:23200 in 10.11.1.11:63140 tcp
snat del dnat rule
This command deletes a DNAT rule.
snat del dnat rule map <map_id> out <addr:port_out> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a SNAT map to delete a rule from | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to delete a DNAT rule with an out/translated address and port value 10.114.0.0:23200 from the SNAT map 1:
snat del dnat rule map 1 out 10.114.0.0:23200 tcp
sh dnat rules
This command outputs DNAT rules.
sh dnat rules map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a SNAT map to output rules |
Example
The response has the following view:
sh dnat rules map 1
out addr:port int addr:port proto
10.114.0.0:23200 10.11.1.11:63140 tcp
10.114.0.0:80 10.11.1.11:80 tcp
Deterministic SNAT44
Bison Router Deterministic NAT is an implementation of the Deterministic SNAT44 algorithm described in RFC 7422.
Main Deterministic SNAT features:
- SNAT44, DNAT44.
- EIM, Endpoint Independent Mapping.
- NAT translation session limit per host.
- Deterministic address and port selection.
- Hairpinning (NAT loopback).
- NEL (NAT Event Logging) via IPFIX, Netflow v9.
- Performance up to 15 Mpps and 120 Gbit/s.
- ALG support: PPtP, ICMP, traceroute.
- Supports all the major protocols and applications including SIP, FTP, RTSP, IPSec and GRE based VPNs, and gaming console.
Pros:
- Better performance in comparison to other Bison Router NAT implementations.
- Due to the deterministic nature of the port selection process there is no need to use NEL.
Cons:
- The internal IP space should not be sparsely filled with subscribers. Otherwise, it will lead to non-optimal use of memory and out IP space.
- The ratio of the internal IP space size to the out IP space size should be less or equal to 256, for example in 10.0.0.0/24 out x.x.x.1/32. Otherwise, the number of the out ports per internal IP/subscriber will be too low for the normal operation.
To activate Deterministic SNAT, you need to perform these steps in the following order:
- Create a map (det snat create map).
- Enable deterministic SNAT function on a VIF (det snat vif enable).
- Add a map to a VIF (det snat add map).
These steps order and corresponding commands are mandatory. The rest are used for additional configuration.
Example
This example shows the order in which the required commands should be executed:
det snat create map 1 in 10.0.0.0/16 out 10.114.0.0/29 sess 4096
det snat vif uplink enable
det snat vif uplink add map 1
det snat create map
This command creates a map to translate one IPv4 address space (in) to another IPv4 address space (out).
The map consists of records that store data about subscribers’ active connections to internet sites.
The record is called a NAT session.
The optimal maximum number of NAT sessions for a residential subscriber with 3-4 devices is 4096, which is set up by the sess parameter.
det snat create map <map_id> in <in_prefix/in_prefix_len> out <out_prefix/out_prefix_len> sess <sess_per_host>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to create | 0-127 |
| in_prefix | Internal IP prefix | |
| in_prefix_len | Internal IP prefix size | in_prefix_len < out_prefix_len |
| out_prefix | Out/translation IP prefix | |
| out_prefix_len | Out/translation IP prefix size | |
| sess_per_host | Max. number of sessions per in network’s host |
A power of 2 |
Note
When creating a map, keep in mind that there must be at least 256 ports for each internal IP address/host. The recommended value is 512.
The value is calculated using the formula:
ports per in host = 64512 * out_ip_address_space_size / in_ip_address_space_size,
To view the current ports per host value, use the command sh det snat maps. The value will be output among other information about the map.
Example
This example shows how to create a map 1 translating internal addresses 10.11.1.0/24 to out 10.114.0.0/29 with a maximum number of sessions per host 1024:
det snat create map 1 in 10.11.1.0/24 out 10.114.0.0/29 sess 1024
det snat delete map
This command deletes a translation map.
det snat del map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete |
Example
This example shows how to delete the translation map 1:
det snat del map 1
det snat flush sess
This command deletes all translation sessions from a map.
det snat flush sess map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete all translation sessions |
Example
This example shows how to delete all translation sessions from the map 1:
det snat flush sess map 1
sh det snat maps
This command outputs information on all translation maps.
sh det snat maps
Example
The response has the following format:
sh det snat maps
SNAT deterministic map
map id: 2
internal net: 10.xx.1.0/24
external net: 10.xx.0.0/29
size: 524288
active sessions: 63
ports per host: 2016
sessions per host: 2048
dnat map: none
state counters:
unknown: 0
active: 0
syn_sent: 0
established: 62
fin_wait: 0
close_wait: 0
closing: 0
last_ack: 0
closed: 0
icmp_active: 0
dns: 1
gre: 0
det snat vif enable
This command enables Deterministic SNAT function on a VIF.
det snat vif <vif_name> enable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to enable the SNAT function |
Example
This example shows how to enable the Deterministic SNAT funtion on the VIF v20:
det snat vif v20 enable
det snat vif disable
This command disables Deterministic SNAT function on a VIF.
det snat vif <vif_name> disable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to disable the SNAT function |
Example
This example shows how to disable the Determenistic SNAT funtion on the VIF v20:
det snat vif v20 disable
det snat add map
This command adds a map to a VIF. Once a map is added to a VIF and the SNAT function is enabled, the VIF will start performing SNAT translations according to the map’s parameters.
det snat vif <vif_name> add map <map_id>
Note
Up to 8 maps can be added to 1 VIF. If you need to use more than 8 maps on 1 VIF, follow the instruction of the NAT Policy section.
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to add a map |
| map_id | ID of a map to add to a VIF |
Example
This example shows how to add the map 1 to the VIF v3:
det snat vif v3 add map 1
det snat del map
This command deletes a map from a VIF.
det snat vif <vif_name> del map <map_id>
Example
This example shows how to delete the map 1 from the VIF v3:
det snat vif v3 del map 1
sh det snat mapping alg in
This command shows out port range reserved for an internal IP address/host.
According to the Deterministic NAT algorithm, NAT translations of a particular internal host exclusively use a specific port range allocated once a map has been created and that can not be changed later.
sh det snat mapping alg map <map_id> in <addr_in>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to show a port range |
| addr_in | IPv4 address of host from in network to show a port range |
Example
The response has the following format:
sh det snat mapping alg map 1 in 10.11.1.10
in 10.11.1.10 -> out 10.114.0.0 ports 21184 - 23199
sh det snat mapping alg out
This command shows which internal in IP address corresponds to the combination of out IP address and port.
sh det snat mapping alg map <map_id> out <addr_out>:<port>
Description
| Item | Description |
|---|---|
| map_id | ID of a map |
| addr_out | Translated (out) IPv4 address |
| port | Translated (out) port (L4 port) |
Example
The response has the following format:
sh det snat mapping alg map 1 out 10.114.0.0:23199
out 10.114.0.0:23199 -> in 10.11.1.10
sh det snat timeout
This command outputs session state’s timeout values.
sh det snat timeout
Example
The response has the following format:
sh det snat timeout
unknown: 30
active: 40
syn_sent: 30
established: 7200
fin_wait: 30
close_wait: 30
closing: 30
last_ack: 30
closed: 30
icmp_active: 30
dns: 4
gre: 7200
det snat timeout
This command sets a timeout for translations with a particular state.
det snat timeout <state> <timeout>
Description
| Item | Description | Value |
|---|---|---|
| timeout | Timeout value | sec |
| state | Name of the translation session state | unknown
active
syn_sent
established
fin_wait
close_wait
closing
last_ack
closed
icmp_active
dns
gre
|
Example
This example shows how to set timeout 1200 for translations with the state established:
det snat timeout established 1200
det snat close host sessions
This command closes and deletes all translation sessions of a host.
det snat close sess map <map_id> in <addr_in>
Description
| Item | Description |
|---|---|
| map_id | ID of a map |
| addr_in | IPv4 address of a host from in network to close and delete sessions |
Example
This example shows how to close and delete all sessions of the host 10.11.1.10 from the map 1:
det snat close sess map 1 in 10.11.1.10
det snat close host session in
This command closes and deletes a translation session with a particular internal and external endpoints values.
det snat close sess map <map_id> in <addr:port_in> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to close and delete a session | |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to close and delete the translation session with internal endpoint 10.11.1.10:63140 and external endpoint 13.94.102.123:443:
det snat close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443 tcp
det snat close host session out
This command closes and deletes a translation session with a particular combination of out address and port and an external endpoint value.
det snat close sess map <map_id> out <addr:port_out> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to close and delete a session | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to close and delete the translation session with a combination of out address and port 10.114.0.0:21828 and external endpoint 13.94.102.123:443:
det snat close sess map 1 out 10.114.0.0:21828 ext 13.94.102.123:443 tcp
det snat show session in
This command outputs a translation session with particular internal and external endpoints values.
sh det snat sess map <map_id> in <addr:port_in> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to output | |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
The response has the following format:
sh det snat sess map 1 in 10.11.1.10:62829 ext xx.xx.xx.95:443 tcp
in addr:port out addr:port ext addr:port state expire in secs
10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637
det snat show session out
This command outputs a translation session with a particular combination of out address and port and a particular external endpoint value.
sh det snat sess map <map_id> out <addr:port_out> ext <addr:port_ext> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a map to close and delete a session | |
| addr:port_out | Translated/out IPv4 address and port | |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
The response has the following format:
sh det snat sess map 1 out 10.114.0.0:21517 ext xx.xx.xx.95:443 tcp
in addr:port out addr:port ext addr:port state expire in secs
10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637
sh det snat sessions map
This command outputs translation sessions of a host.
sh det snat sessions map <map_id> [in <addr_in>]
Note
in <addr_in> is optional. If it is omitted, the command outputs all sessions of the table.
Description
| Item | Description |
|---|---|
| map_id | ID of a map to output sessions |
| addr_in | Internal IPv4 address of a host |
Example
The response has the following format:
sh det snat sessions map 1 in 10.11.1.10 | head
in addr:port out addr:port ext addr:port state expire in secs
10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637
10.11.1.10:62862 10.114.0.0:21550 xx.xx.xx.95:443 tcp_established 1652
10.11.1.10:63160 10.114.0.0:21848 xx.xx.xx.95:443 tcp_established 2631
10.11.1.10:63161 10.114.0.0:21849 xx.xx.xx.95:443 tcp_established 2631
10.11.1.10:63222 10.114.0.0:21910 xx.xx.xx.95:443 tcp_established 2657
10.11.1.10:63223 10.114.0.0:21911 xx.xx.xx.95:443 tcp_established 2657
10.11.1.10:63233 10.114.0.0:21921 xx.xx.xx.95:443 tcp_established 2669
10.11.1.10:63234 10.114.0.0:21922 xx.xx.xx.95:443 tcp_established 2669
10.11.1.10:63275 10.114.0.0:21963 xx.xx.xx.95:443 tcp_established 2773
sh det snat sessions <addr_in>
This is a variant of the previous command without a specified map ID. It outputs all sessions
for a host with internal ip address <addr_in>. The map will be found automatically.
sh det snat sessions in <addr_in>
Description
| Item | Description |
|---|---|
| addr_in | Internal IPv4 address of a host |
det_nat_sess_bucket_size
det_nat_sess_bucket_size is in integer sysctl variable which determines the bucket size of the session hash table.
To improve performance of the NAT session lookup process, the subscriber session table is organized as a hash table. NAT sessions are placed into a table in a special order based on a hash value of the session. The hash value is calculated based on the session external address and external port. All sessions with the same hash value are stored in the same bucket. Using buckets increases the lookup performance because the lookup operation has to scan only a limited bucket area (for example 200 slots) instead of scanning the entire hash table to find a NAT session.
Example
sysctl get det_nat_sess_bucket_size
200
det snat map add to prefix map
This command adds map’s internal and external prefixes to a prefix map.
Note
The command is used in combination with NAT policy.
det snat map <map_id> add to prefix map <prefix_map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a NAT map to add prefixes to a prefix map |
| prefix_map_id | ID of a prefix map to add prefixes from a NAT map |
Example
This example shows how to add the prefixes from the NAT map 1 to the prefix map 10:
det snat map 1 add to prefix map 10
det snat map del from prefix map
This command deletes map’s internal and external prefixes from a prefix map.
Note
The command is used in combination with NAT policy.
det snat map <map_id> del from prefix map <prefix_map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a NAT map to delete prefixes from a prefix map |
| prefix_map_id | ID of a prefix map to delete NAT map prefixes |
Example
This example shows how to delete the prefixes of the NAT map 1 from the prefix map 10:
det snat map 1 del from prefix map 10
Enabling debug statistic counters
This sysctl variable enables collecting debug statistic for no-free-ports and session-overflow events.
sysctl set det_snat_debug_stat 1
The no-free-ports counter is increased when a subscriber is trying to establish a new connection but there are no out ports available in the out port range reserved for the subscriber.
In practice this happens when a subscriber is trying to establish a lot of connections with the same internet site.
To find out the number of out ports available for a subscriber see ports per host line in the output of the sh det snat maps command.
The session-overflow counter is increased when a subscriber is trying to establish a new connection but there are no available slots in the session table reserved for the subscriber.
The size of the session table is configured by the sess parameter of the det snat create map command.
Note that the session table can not be used 100% due to the nature of the hash table algorithm controlling the way sessions are placed into the table.
The typical usage value is about 80-90%, which means that the effective size of the session table is only 80-90% of the nominal size.
sh det snat debug stat
This command outputs debug statistic counters of the Deterministic NAT module.
sh det snat debug stat
Example
The response has the following format:
sh det snat debug stat
ip no_free_ports sess_overflows
sh det snat debug stat ipv4
This command outputs debug statistic counters for an IPv4 address.
sh det snat debug stat <ipv4_address>
Description
| Item | Description |
|---|---|
| ipv4_address | IPv4 address to output a debug statistic |
Example
The response has the following format:
sh det snat debug stat 1.1.1.1
ip no_free_ports sess_overflows
Deterministic DNAT44
det snat add dnat
This command creates a DNAT rules table for a SNAT map.
det snat add dnat map <map_id> size <dnat_map_size>
Description
| Item | Description |
|---|---|
| map_id | ID of an existing SNAT map |
| dnat_map_size | Max. number of DNAT rules that can be stored in a DNAT table |
Note
The size of the DNAT table is output by the sh det snat maps command in the line dnat map: size.
Example
This example shows how to create and add a DNAT rules table with a max. number of rules 256 to a SNAT map 1:
det snat add dnat map 1 size 256
det snat del dnat
This command deletes a DNAT rules table from an SNAT map.
det snat del dnat map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of an existing SNAT map to delete a DNAT table from |
Example
This example shows how to delete the DNAT rules table from the SNAT map 1:
det snat del dnat map 1
det snat add dnat rule
This command adds a new DNAT rule.
Note
out port. When creating a DNAT rule, you have to use an out port number from the port range reserved for the internal IP address used in the rule.det snat add dnat rule map <map_id> out <addr:port_out> in <addr:port_in> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of an existing SNAT map | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
To add a rule for the internal address 10.11.1.11, first of all it is necessary to find out the valid range of values of the out port using the command sh det snat mapping alg:
sh det snat mapping alg map 1 in 10.11.1.11
in 10.11.1.11 -> out 10.114.0.0 ports 23200 - 25215
In the example above, we can see the range of ports 23200 - 25215 from which we can select a value for the rule.
Taking it into consideration, the following example shows how to create a new DNAT rule in the SNAT map 1 to translate out address and port 10.114.0.0:23200 into internal address and port 10.11.1.11:63140:
det snat add dnat rule map 1 out 10.114.0.0:23200 in 10.11.1.11:63140 tcp
det snat del dnat rule
This command deletes a DNAT rule.
det snat del dnat rule map <map_id> out <addr:port_out> <ip_proto>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a SNAT map to delete a rule from | |
| addr:port_out | Translated/out IPv4 address and port of the translation | |
| ip_proto | Name of IPv4 protocol | icmp
tcp
udp
gre
|
Example
This example shows how to delete a DNAT rule with an out/translated address and port value 10.114.0.0:23200 from the SNAT map 1:
det snat del dnat rule map 1 out 10.114.0.0:23200 tcp
sh det dnat rules
This command outputs DNAT rules.
sh det dnat rules map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a SNAT map to output the rule |
Example
The response has the following view:
sh det dnat rules map 1
out addr:port int addr:port proto
10.124.0.0:23201 10.102.1.11:63141 tcp
10.124.0.0:23200 10.102.1.11:63140 tcp
NAT44 1:1
NAT44 1:1 is used to assign to a subscriber his own unique IP address so that an ingress connection to the subscriber can be initiated by an Internet host.
To activate NAT44 1:1, you need to perform these steps in the following order:
- Create a map (nat11 create map).
- Enable NAT44 1:1 function on a VIF (nat11 vif enable).
- Add a map to a VIF (nat11 add map).
These step’s order and corresponding commands are mandatory. The rest are used for additional configuration.
Example
This example shows the order in which the required commands should be executed:
nat11 create map 1 in 10.11.1.0/24 size 1024 sess 4096
nat11 vif v20 enable
nat11 vif v20 add map 1
nat11 create map
This command creates a map to translate one set of IPv4 addresses into another using 1:1 relations.
nat11 create map <map_id> in <addr_in>/<mask> size <map_size> sess <sess_per_host>
Description
| Item | Description | Value |
|---|---|---|
| map_id | ID of a NAT44 1:1 map to create | |
| addr_in | IPv4 address of host from in network |
|
| mask | Subnet mask | |
| map_size | Max. number of 1:1 translation rules | |
| sess_per_host | Max. number of sessions per in network’s host |
A power of 2 |
Note
The optimal maximum number of NAT sessions for a residential subscriber with 3-4 devices is 4096, which is set up by the sess parameter.
Example
This example shows how to create a map 1 translating internal addresses 10.11.1.0/24 with a maximum number of sessions per host 4096:
nat11 create map 1 in 10.11.1.0/24 size 1024 sess 4096
nat11 delete map
This command deletes a translation map.
nat11 del map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a NAT44 1:1 map to delete |
Example
This example shows how to delete the translation map 1:
nat11 del map 1
nat11 vif enable
This command enables the NAT44 1:1 function on a VIF.
nat11 vif <vif_name> enable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to enable the NAT44 1:1 function |
Example
This example shows how to enable the NAT44 1:1 on the VIF v20:
nat11 vif v20 enable
nat11 vif disable
This command disables the NAT44 1:1 function on a VIF.
nat11 vif <vif_name> enable
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to disable the NAT44 1:1 function |
Example
This example shows how to disable the NAT44 1:1 on the VIF v20:
nat11 vif v20 disable
nat11 add map
This command adds a map to a VIF. Once a map is added to a VIF and NAT44 1:1 function is enabled, the VIF will start performing NAT44 1:1 translations according to the map’s parameters.
nat11 vif <vif_name> add map <map_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to add a translation map |
| map_id | ID of a map to add to a VIF |
Example
This example shows how to add the NAT44 1:1 map 1 to the VIF v20:
nat11 vif v20 add map 1
nat11 del map
This command deletes a translation map from a VIF.
nat11 vif <vif_name> del map <map_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to delete a translation map |
| map_id | ID of a map to delete from a VIF |
Example
This example shows how to delete the NAT44 1:1 map 1 from the VIF v20:
nat11 vif v20 del map 1
nat11 add translation rule
This command adds a NAT 1:1 translation rule to a map.
nat11 rule add map <map_id> <addr_in> <addr_out>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to add a rule |
| addr_in | IPv4 address of host from in network |
| addr_out | Translation (out) IPv4 address |
Example
This example shows how to add a rule translating the in IP address 10.0.0.1 to the out IP address 10.114.0.5 to the map 1:
nat11 rule add map 1 10.0.0.1 10.114.0.5
nat11 del translation rule
This command deletes a NAT44 1:1 translation rule from a map.
nat11 rule del map <map_id> <addr_in>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to delete a rule |
| addr_in | IPv4 address of host from in network to delete a rule |
Example
This example shows how to delete the translation rule for the in IP address 10.0.0.1 from the map 1:
nat11 rule del map 1 10.0.0.1
nat11 close host session in
This command closes and deletes a NAT session with a particular internal and external endpoints values.
nat11 close sess map <map_id> in <addr:port_in> ext <addr:port_ext>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to close and delete a session |
| addr:port_in | IPv4 address and port of the internal endpoint of the translation |
| addr:port_ext | IPv4 address and port of the external endpoint of the translation |
Example
This example shows how to close and delete the NAT session with internal endpoint 10.11.1.10:63140 and external endpoint 13.94.102.123:443:
nat11 close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443
sh nat11 maps
This command outputs information on all translation maps.
sh nat11 maps
Example
The response has the following format:
sh nat11 maps
NAT11 map
map id: 1
internal net: 192.168.2.0/24
size: 1024
active sessions: 1
sessions per host: 4096
state counters:
unknown: 0
active: 0
syn_sent: 0
established: 0
fin_wait: 0
close_wait: 0
closing: 0
last_ack: 0
closed: 0
icmp_active: 1
dns: 0
gre: 0
show nat11 translation rules
This command outputs NAT44 1:1 rules.
sh nat11 rules map <map_id>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to output NAT44 1:1 rules |
Example
The response has the following format:
sh nat11 rules map 1
internal addr translated addr
192.168.2.20 10.114.0.0
sh nat11 sessions
This command outputs translation sessions of a host.
sh nat11 sessions map <map_id> in <addr_in>
Description
| Item | Description |
|---|---|
| map_id | ID of a map to output sessions |
| addr_in | IPv4 address of host from in network |
Example
The response has the following format:
sh nat11 sessions map 1 in 192.168.2.20
in addr:port out addr:port ext addr:port state expire in secs
192.168.2.20:63838 10.114.0.0:63838 8.8.8.8:0 icmp icmp_active 28
NAT Policy
NAT Policy functions allow using different NAT maps for different packets. The decision on which map to use to translate a particular packet is based on packet data and is made using various packet classification tools such as prefix map, IP set, etc.
A NAT policy is a sorted list of policy rules. The rules are processed in the order of their position in the list until the first match is found. The rule matches the packet if the packet data meets the criteria specified in the rule. As matching criteria, the rule can use one of the classification tools. Once a match is found, packet is translated by a NAT map defined by the matching rule.
The general procedure for activating the NAT policy is as follows:
- Create a NAT policy (nat policy add).
- Add NAT policy rules. There are 3 types of rules configuration:
- using prefixes: nat policy prefix rule add
- using a prefix map: nat policy add prefix map rule
- using an IP set: nat policy ipset rule add
- Add a NAT policy to a VIF (nat policy vif add).
In particular, in practice, it may be appropriate to use NAT policy rules based on the Prefix map classification. The Prefix map classification algorithm is based on the LPM (Longest Prefix Match) algorithm, therefore such a rule allows to translate more specific internal IP subnets using a different NAT map. Such a need may arise when one of the out/public IP addresses of a NAT map should be excluded from operation due to various reasons such as ban.
Example
Consider a scenario where there is a Deterministic SNAT map 10 that translates the internal prefix 10.0.0.0/16 into the out prefix 1.1.1.0/24. To exclude the out (public) IP address 1.1.1.0 from operation:
- Create a second Deterministic SNAT map 20 with the internal prefix equal to the first map’s internal prefix matching the excluded translated IP 1.1.1.0.
- Create a prefix map.
- Add both SNAT maps internal and out prefixes to the created prefix map with values equal to the corresponding NAT map ID.
- Create a NAT policy rule based on the created prefix map.
As a result the banned out/public IP 1.1.1.0 will be excluded and the affected internal IP addresses will be translated using the public IP 2.2.2.2.
det snat create map 10 in 10.0.0.0/16 out 1.1.1.0/24 sess 4096
det snat create map 20 in 10.0.0.0/24 out 2.2.2.2/32 sess 4096
prefix map create 1
det snat map 10 add to prefix map 1
det snat map 20 add to prefix map 1
nat policy add 1
nat policy rule add 1 pos 10 from prefix map 1 map snat44
sh nat policy
This command outputs NAT policy rules.
sn nat policy
Example
The response has the following format:
sh nat policy
nat policy id 1:
nat policy rules:
10: from prefix map 2 -> nat map snat44
100: from ipset nat_ipset -> nat map snat1to1:10
nat policy add
This command creates a new NAT policy.
nat policy add <policy_id>
Description
| Item | Description |
|---|---|
| policy_id | ID of a NAT policy to create |
Example
This example shows how to create a NAT policy with the ID number 1:
nat policy add 1
nat policy del
This command deletes a NAT policy.
nat policy del <policy_id>
Description
| Item | Description |
|---|---|
| policy_id | ID of a NAT policy to delete |
Example
This example shows how to delete a NAT policy with the ID number 1:
nat policy del 1
nat policy prefix rule add
This command adds a new rule to a NAT policy. This rule uses a prefix to match packet’s IP address.
nat policy rule add <policy_id> pos <number> from prefix <prefix>/<mask> map <nat_map_type> <nat_map_id>
Description
| Item | Description | Value |
|---|---|---|
| policy_id | ID of a NAT policy to add a rule | |
| number | Position number (priority) in the list of rules | |
| prefix | IPv4 prefix to add | |
| mask | Subnet mask | |
| nat_map_type | NAT map type | snat44
snat1to1
det_snat44
|
| nat_map_id | ID of a NAT map to use |
Example
This example shows how to add a rule with the position number 10 to the NAT policy 1, for the prefix 10.0.0.0/24 to apply the SNAT44 map 2:
nat policy rule add 1 pos 10 from prefix 10.0.0.0/24 map snat44 2
nat policy add no-nat prefix rule
This command adds a new rule to a NAT policy. This kind of rule instructs BisonRouter not to use NAT for packets that match the rule’s conditions. This rule uses a prefix to match the packet’s IP address. I.e. the rule configures BisonRouter not to use NAT for egress packets destinated to the rule’s prefix as well as ingress packets originated from the same prefix.
nat policy rule add <policy_id> pos <number> to prefix <prefix>/<mask> no nat
Description
| Item | Description | Value |
|---|---|---|
| policy_id | ID of a NAT policy to add a rule | |
| number | Position number (priority) in the list of rules | |
| prefix | IPv4 prefix | |
| mask | Subnet mask |
Example
This example shows how to add a rule with the position number 6 to the NAT policy 1. The rule
configures BisonRouter not to use NAT for egress packets destinated to a prefix 15.0.0.0/32
as well as ingress packets originated from the same prefix:
nat policy rule add 1 pos 6 to prefix 15.0.0.0/32 no nat
nat policy add prefix map rule
This command adds a rule to a NAT policy. This rule uses a Prefix map classification to determine what NAT map to be used. First, Bison Router uses a prefix map to look up for the prefix matching the IP address of the packet. Then the prefix map value associated with the found prefix is used as the NAT map ID to translate the packet.
nat policy rule add <policy_id> pos <number> from prefix map <prefix_map_id> map <nat_map_type> [<nat_map_id>]
Description
| Item | Description | Value |
|---|---|---|
| policy_id | ID of a NAT policy to add a rule | |
| number | Position number (priority) in the list of rules | |
| prefix_map_id | ID of an existing prefix map to add to a rule | |
| nat_map_type | NAT map type | snat44
snat1to1
det_snat44
|
| nat_map_id | ID of a NAT map to use (Optional. When the
nat_map_id value is omitted,the prefix map values are used as NAT map ID)
|
Example
This example shows how to add a rule with the position number 20 to the NAT policy 1.
The rule uses the prefix map 1 to find out what Deterministic SNAT44 map should be used.
More specifically, Bison Router uses the value associated with the found prefix as the NAT map ID.
nat policy rule add 1 pos 20 from prefix map 1 map snat44
nat policy add no-nat prefix map rule
This command adds a rule to a NAT policy. This rule configures BisonRouter not to use NAT for packets that match the rule’s condition. The rule uses the Prefix map classification as a condition to select packets to process. I.e. the rule configures BisonRouter not to use NAT for the egress packets desitinated to any prefix from the rule’s prefix map, as well as ingress packets originated from any prefix from the rule’s prefix map.
nat policy rule add <policy_id> pos <number> to prefix map <prefix_map_id> no nat
Description
| Item | Description | Value |
|---|---|---|
| policy_id | ID of a NAT policy to add a rule | |
| number | Position number (priority) in the list of rules | |
| prefix_map_id | ID of a prefix map to add to a rule |
Example
This example shows how to add a rule with the position number 5 to the NAT policy 1.
The rule uses the prefix map 1 to select packets that should not be NATed, i.e. the rule
configures BisonRouter not to use NAT for the egress packets desitinated to any prefix from
the prefix map 1, as well as ingress packets originated from any prefix from the prefix map 1.
nat policy rule add 1 pos 5 to prefix map 1 no nat
nat policy ipset rule add
This command adds a new rule to a NAT policy. This rule uses an IP set to match packet’s IP address.
nat policy rule add <policy_id> pos <number> from ipset <ipset_name> map <nat_map_type> <nat_map_id>
Description
| Item | Description | Value |
|---|---|---|
| policy_id | ID of a NAT policy to add a rule | |
| number | Position number (priority) in the list of rules | |
| ipset_name | Name of an existing IP set to add to a rule | |
| nat_map_type | NAT map type | snat44
snat1to1
det_snat44
|
| nat_map_id | ID of a NAT map to use |
Example
This example shows how to add a rule with the position number 100 to the NAT policy 1, for the IP set nat_ipset to apply the SNAT 1-to-1 map with the ID number 10:
nat policy rule add 1 pos 100 from ipset nat_ipset map snat1to1 10
nat policy rule del
This command deletes a rule from a NAT policy.
nat policy rule del <policy_id> pos <number>
Description
| Item | Description |
|---|---|
| policy_id | ID of a NAT policy to delete a rule |
| number | Position number (priority) in the list of rules |
Example
This example shows how to delete the rule with the position number 10 from the NAT policy 1:
nat policy rule add 1 pos 10
nat policy vif add
This command adds a NAT policy to a VIF.
nat policy add vif <vif_name> <policy_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to add a NAT policy |
| policy_id | ID of a NAT policy to add to a VIF |
Example
This example shows how to add the NAT policy 1 to the VIF v3:
nat policy add vif v3 1
nat policy vif del
This command deletes a NAT policy from a VIF.
nat policy del vif <vif_name> <policy_id>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to delete a NAT policy |
| policy_id | ID of a NAT policy to remove from a VIF |
Example
This example shows how to delete the NAT policy 1 from the VIF v3:
nat policy del vif v3 1
NAT events logging - NEL
Enabling NEL
The NEL function is enabled by sysctl variable nat_events.
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| nat_events | Boolean
Runtime
|
Enables the NEL function
|
1 = on
0 = off
|
Example
This example shows how to enable the NEL function:
sysctl set nat_events 1
nel collector add
This command adds a NEL collector to the list of NEL collectors to send events to. NAT events are sent to all collectors on the list at the same time.
nel collector add addr <ipv4_address> [port <port_number>] [proto <proto_value>] [events event_type[, ...]]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a NEL collector | |
| port_number | Port number of a NEL collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
100 - syslog
|
Default = 9 |
| events | A comma separated list of type of events
to send to a collector. Optional. When omitted
all events are sent to a collector.
|
Event types:
“pb” - NAT port-block events
“nat_sess” - NAT session events
“others” - all other NAT events
|
Example
This example shows how to add a NEL collector with IP address 10.0.0.1 and port number 9995.
nel collector add addr 10.0.0.1 port 9995 proto 9 events pb,nat_sess
nel collector del
This command deletes a NEL collector from the list of NEL collectors to send events to. NAT events are sent to all collectors on the list at the same time.
nel collector del addr <ipv4_address> [port <port_number>] [proto <proto_value>]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a NEL collector | |
| port_number | Port number of a NEL collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
100 - syslog
|
Default = 9 |
Example
This example shows how to delete a NEL collector with IP address 10.0.0.1 and port number 9995.
nel collector del addr 10.0.0.1 port 9995 proto 9
sh nel
This command outputs the NEL configuration.
sh nel
Example
# sh nel
NEL enabled: yes
NEL collectors:
addr port proto
192.168.1.2 9995 9
192.168.1.3 9995 9
export filters:
src filter enabled: 0
src filter prefix map id: -
dst filter enabled: 0
dst filter prefix map id: -
nel collector addr
This command configures NEL collector address and port.
nel collector addr <ipv4_address> [port <port_number>] [proto <proto_value>] [events event_type[, ...]]
Description
| Item | Description | Value |
|---|---|---|
| ipv4_address | IPv4 address of a NEL collector | |
| port_number | Port number of a NEL collector | Default = 4739 |
| proto_value | Supported protocols:
9 - NetFlow V9
10 - IPFIX
100 - syslog
|
Default = 9 |
| events | A comma separated list of type of events
to send to a collector. Optional. When omitted
all events are sent to a collector.
|
Event types:
“pb” - NAT port-block events
“nat_sess” - NAT session events
“others” - all other NAT events
|
Example
This example shows how to set 10.0.0.1 IP address, 9995 port number and NetFlow V9 protocol for the NEL collector.
nel collector addr 10.0.0.1 port 9995 proto 9 events pb,nat_sess
Hairpinning
NAT hairpinning, also known as NAT loopback, is a feature enabling two hosts behind the same BisonRouter NAT map to communicate to each other using a NAT public IPv4 address and without sending traffic to any BisonRouter uplink ports.
To enable or disable NAT loopback for SNAT44 use the following commands
# enable loopback
snat loopback enable map <map-id>
# disable loopback
snat loopback disable map <map-id>
To enable or disable NAT loopback for Deterministic SNAT44 use the following commands
# enable loopback
det snat loopback enable map <map-id>
# disable loopback
det snat loopback disable map <map-id>
Implementation details
To impelement NAT loopback feature BisonRouter perform the follwings steps for each NAT map:
- creates a Loopback VIF for a NAT map with enabled loopback feature;
- assigns an IPv4 address 127.0.0.1 to the map’s loopback VIF and create a static ARP recored for that IP adress;
- routes map’s public/translated IPv4 addresses to the map’s loopback VIF;
Those steps ensure that egress packets destinated to map’s public IPv4 address will not be sent to an uplink router but instead will be immediately routed back to BR and handled as any other incoming traffic.
Example
# rcli snat loopback enable map 1
# rcli sh vif
vif loopback_nat3_map1
id 1194
port 8, vlan 0.101, encapsulation dot1q
mac address 00:00:00:00:00:01
vrf main
shaper ingress not set
egress not set
ACL ingress not set
egress not set
flags NAT
mtu 9000
IPv6 state is disabled
IPv6 ND RA state is not advertising
# rcli sh arp cache
port vid ip mac type state
8 0.101 127.0.0.1 00:00:00:00:00:01 static ok
# rcli sh ip route | grep loopback
10.114.0.1/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal
10.114.0.3/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal
10.114.0.4/32 via 127.0.0.1 dev loopback_nat3_map1 src 127.0.0.1 proto internal
# rcli sh snat maps
SNAT map
map id: 1
internal prefixes:
192.168.2.0/24, usage 0/256, %0
10.8.0.0/24, usage 0/256, %0
out ranges:
10.114.0.1 - 10.114.0.1, port-block usage 0/4032, %0
10.114.0.3 - 10.114.0.3, port-block usage 0/4032, %0
10.114.0.4 - 10.114.0.4, port-block usage 0/4032, %0
NAT High availability
Introduction
A high-availability SNAT44 module enables the creation of a 2-node/server cluster that performs Network Address Translation (NAT) functions. The cluster operates in a Master-Backup mode, where one node runs as the Master and performs the SNAT44 functions, while the other node runs in Backup mode. The node in Backup mode does not process traffic or perform NAT; its sole job is to mirror the Master’s SNAT44 session database and be ready to take over as the new Master if the Master node fails.
Currently high-availability mode is only supported with SNAT44 maps.
Master Election process
In a situation where there are no designated Backup or Master nodes, such as when both nodes are starting a SNAT44 HA cluster for the first time and have not yet decided their roles, an initial election process takes place. The node with the higher priority wins the initial election process. The priority of a node is an administratively assigned value.
In a situation where only one node is currently running and performing the Master role, and the second node has just been powered on or configured to run in HA mode, the current Master retains its role even if its priority is lower than that of the second node. In this case, the second node always becomes the Backup node.
Swithing the Master role
It is possible to switch the roles of nodes in a running cluster using an RCLI command. To do this, an administrator should run the command ‘snat ha group <id> transfer master’ on the Backup node. After executing this command, the Backup node will become the new Master node, and the old Master node will become the new Backup node.
When a Master node becomes a Backup node it first resets the NAT map, deletes all existings NAT sessions and starts replicating the new Master’s NAT session database. A replication process takes some time to complete.
SNAT44 session database synchronization
Whenever the Master node creates a new NAT TCP session in the ‘established’ state or a UDP session in the ‘active’ state, it sends an update message to the Backup node. The Backup node listens for these update messages and updates its NAT session database accordingly, creating identical NAT sessions. The expiration time of the Backup NAT sessions is ignored. A Backup NAT session can only be deleted either manually or when the corresponding Master session is deleted.
ARP
The HA module takes control of the ARP protocol for the IP addresses associated with an HA group. Only the Master node responds to ARP requests, while Backup nodes ignore ARP requests for HA group IP addresses.
Upon becoming the Master, a node sends gratuitous ARP replies for the IP addresses of the HA group. By default, BisonRouter uses virtual MAC addresses for the nodes’ IP addresses. However, some hardware does not support adding additional MAC addresses. To accommodate this, the behavior can be disabled using the sysctl variable ‘vrrp_dont_use_virtual_mac_for_arp’. A virtual MAC address is based solely on the HA group ID and is identical on both cluster nodes.
sysctl set vrrp_dont_use_virtual_mac_for_arp 0
When this feature is disabled, BisonRouter uses the NIC’s original MAC address with the HA group IP addresses.
NAT operations
Only the Master node performs NAT operations on the traffic. The Backup node is transparent from a NAT perspective.
Configuration examples
Master node
#
# HA
#
# create a p-t-p link to the other HA node
vif add name ha_link port 2 type untagged
ip addr add 10.100.100.2/28 dev ha_link
# disable usage of virtual MAC addresses
sysctl set vrrp_dont_use_virtual_mac_for_arp 1
#
# configure the HA module to use VIF 'ha_link' as a virutual vlan link to
# communicate with the neighbour HA node
#
snat ha init dev ha_link
# create a HA group with ID 10
snat ha create group 10 prio 100 neighbor 10.100.100.3 map 1
#
# add an existing IP address 192.168.1.1 to the group
# note: the IP address should be already created
#
snat ha group 10 add ip 192.168.1.1
#
# start the HA group
#
snat ha group 10 enable
Backup node
#
# HA
#
# create a p-t-p link to the other HA node
vif add name ha_link port 2 type untagged
ip addr add 10.100.100.3/28 dev ha_link
# disable usage of virtual MAC addresses
sysctl set vrrp_dont_use_virtual_mac_for_arp 1
#
# configure the HA module to use VIF 'ha_link' as a virutual vlan link to
# communicate with the neighbour HA node
#
snat ha init dev ha_link
# create a HA group with ID 10
snat ha create group 10 prio 50 neighbor 10.100.100.3 map 1
#
# add an existing IP address 192.168.1.1 to the group
# note: the IP address should be already created
#
snat ha group 10 add ip 192.168.1.1
#
# start the HA group
#
snat ha group 10 enable
Status of HA groups
rcli sh snat ha groups
group id: 10
snat44 map id: 1
state: master
prio: 100
sync list size: 0
unsync list size: 0
backup list size: 0
neighbor ip: 10.100.100.3
neighbor prio: 50
neighbor state: backup
source ip: 10.100.100.2
max entries: 3000000
flags:
IP addresses:
192.168.1.1
pkt counters:
rx: 0
tx: 21
restransmits: 0
ack rx: 27
ack tx: 0
nack rx: 0
nack tx: 0
error counters:
sess add failures: 0
sess del failures: 0
db add failures: 0
db del failures: 0
high-availability commands
snat ha init
This command initializes the SNAT High availability module.
snat ha init dev <vif_name>
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of an existing Virtual Interface (VIF) to use for communicating
with the group’s neighbor node.
|
Example
snat ha init dev ha_link
snat ha create group
This command creates a SNAT high-availability group. The group consists of two server nodes (neighbors) communicating with each other.
snat ha create group <group_id> prio <prio> neighbor <ip_addr> map <snat44_map_id>
Description
| Item | Description | Value |
|---|---|---|
| group_id | ID of a high-availability group. Numeric value. | |
| prio | Group’s priority. | |
| ip_addr | IP address of the neighbor node. | |
| snat44_map_id | ID of SNAT44 map to controll by the group. |
Example
snat ha create group 10 prio 100 neighbor 10.100.100.3 map 1
snat ha destroy group
This command destroys a SNAT high-availability group.
snat ha destroy group <group_id>
Description
| Item | Description | Value |
|---|---|---|
| group_id | ID of a high-availability group. |
Example
snat ha destroy group 10
snat ha add/del ip
This command adds or deletes an IP address to/from a group. ARP behavior of addresses added to the group is controlled by group and depends on the group’s state.
snat ha group <group_id> add ip <ip_addr>
snat ha group <group_id> del ip <ip_addr>
Description
| Item | Description | Value |
|---|---|---|
| group_id | ID of a high-availability group. | |
| ip_addr | An existing IP address assigned to a VIF to be controlled by the group. |
Example
snat ha group 10 add ip 192.168.1.1
snat ha group 10 del ip 192.168.1.1
snat ha group enable/disable
This command enables or disables a SNAT high-availability group.
snat ha group <group_id> enable|disable
Description
| Item | Description | Value |
|---|---|---|
| group_id | ID of a high-availability group. |
Example
snat ha group 10 enable
snat ha group transfer master
This command starts a master trasfer procedure. The command is supposed to be run at a backup node in order the node to become a new master and take control over IP addresses added to the group and SNATT44 map associated with the group.
snat ha group <group_id> transfer master
Description
| Item | Description | Value |
|---|---|---|
| group_id | ID of a high-availability group. |
Example
snat ha group 10 transfer master
RADIUS
This section is dedicated to the operation of Bison Router within the RADIUS protocol described in RFS 2865.
RADIUS and CoA
radius_client create
This command creates a new RADIUS client.
radius_client create <client_id>
Description
| Item | Description |
|---|---|
| client_id | ID number of a client to create |
Note
The RADIUS client with the ID number 0 is created by default. It will be used by default in other commands of the section if the ID is omitted.
Example
This example shows how to create a RADIUS client with the ID number 1:
radius_client create 1
radius_client add server
This command adds a RADIUS server to the list of servers. RADIUS requests will be sent to servers a the round-robin way.
Note
The maximum number of servers in the list is 8. The default port number is 1812.
radius_client [<client_id>] add server <ip_address> [port <port>] [secret <"secret">]
Description
| Item | Description |
|---|---|
| client_id | ID number of a client to add a server. Optional, if omitted,
the default client is used.
|
| ip_address | Server IP address |
| port | Server port number. Optional, if omitted, the default number is used. |
| secret | RADIUS shared secret. Optional, if omitted, the radius client secret is used. |
Example
This example shows how to add a server with the IP address 192.168.5.2 and the port number 1612 to the default RADIUS client server list:
radius_client add server 192.168.5.2 port 1612
radius_client del server
This command deletes a RADIUS server from the list of servers.
radius_client [<client_id>] del server <ip_address> [port <port>]
Description
| Item | Description |
|---|---|
| client_id | ID number of a client to delete a server. Optional, if omitted,
the default client is used.
|
| ip_address | Server IP address |
| port | Server port number. Optional, if omitted, the default number is used. |
Example
This example shows how to delete a server with the IP address 192.168.5.2 and the port number 1612 from the default RADIUS client server list:
radius_client del server 192.168.5.2 port 1612
radius_client add src ip
This command adds an IP address to the list of source IP addresses that will be used by Bison Router RADIUS client to send RADIUS requests. A source IP address must be assigned to a VIF.
radius_client [<client_id>] add src ip <ip_address>
Description
| Item | Description |
|---|---|
| client_id | ID number of a client add a source IP address. Optional, if omitted,
the default client is used.
|
| ip_address | Source IP address |
Example
This example shows how to add a source IP address 192.168.5.111 to the list of source IP addresses of the default client:
radius_client add src ip 192.168.5.111
radius_client set secret
This command sets a RADIUS client’s shared secret.
radius_client [client_id] set secret "<secret>"
Description
| Item | Description | Value |
|---|---|---|
| client_id | ID number of a client to set a secret. Optional, if omitted,
the default client is used.
|
|
| secret | RADIUS shared secret | 256 bytes max.,
case sensitive
|
Example
This example shows how to set a shared secret 1234abcd for the default client:
radius_client set secret "1234abcd"
coa server set secret
This command sets a RADIUS CoA server’s shared secret.
coa server set secret "<secret>"
Description
| Item | Description | Value |
|---|---|---|
| secret | RADIUS shared secret | 256 bytes max.,
case sensitive
|
Example
This example shows how to set the CoA server’s shared secret abcd1234:
coa server set secret "abcd1234"
sh radius client
This command outputs RADIUS clients settings.
sh radius client
Example
The response has the following format:
sh radius client
radius client 0
src ip addresses:
192.168.1.1
auth secret: xxx
auth servers:
ip 192.168.1.20 port 1812, dead: no, secret:
accounting secret: xxx
accounting servers:
ip 192.168.1.2 port 1813, dead: no, secret:
radius client 1
src ip addresses:
192.168.1.1
auth secret: undefined
auth servers:
ip 192.168.1.2 port 1812, dead: no, secret: xxx
accounting secret: undefined
accounting servers:
ip 192.168.1.2 port 1813, dead: no, secret: xxx
RADIUS Accounting
radius_client set secret
This command sets a RADIUS accounting client’s shared secret.
radius_client set accounting secret "<secret>"
Description
| Item | Description | Value |
|---|---|---|
| secret | RADIUS shared secret | 256 bytes max.,
case sensitive
|
Example
This example shows how to set the RADIUS accounting client’s shared secret 1234abcd:
radius_client set accounting secret "1234abcd"
radius_client add accounting server
This command adds a new RADIUS accounting server to the list of servers. RADIUS requests will be sent to servers in a round-robin way. Maximum number of servers in the list is 8. Default port number is 1813.
radius_client add accounting server <ip_address> [port <port>] [secret <"secret">]
Description
| Item | Description |
|---|---|
| client_id | ID number of a client to add an accounting server. Optional, if omitted,
the default client is used.
|
| ip_address | Accounting server IP address |
| port | Accounting server port number. Optional, if omitted, the default number is used. |
| secret | RADIUS shared secret. Optional, if omitted, the radius client secret is used. |
Example
This command shows how to add the accounting server with the IP address 192.168.5.2 and the port number 1813:
radius_client add accounting server 192.168.5.2 port 1813
Radius sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| radius_initial_retransmit_timeout | Integer
Runtime
|
Initial RADIUS retransmit
timeout
|
ms
Default = 500
Min = 200
Max = UINT16_MAX
|
| radius_num_retransmit | Integer
Runtime
|
Number of RADIUS
retransmits
|
Default = 3
Min = 1
Max = 16
|
Radius accounting sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| radius_accounting | Boolean
Runtime
|
Globally enables/disables
the RADIUS accounting
|
Default = off
1 - on
0 - off
|
Note
the vif_stat sysctl variable should be set to 1, otherwise accounting request’s packets and bytes counters will contain zero values.
| radius_accounting_interim | Boolean
Runtime
|
Enables/disables RADIUS
accounting interim requests
|
Default = off
1 - on
0 - off
|
| radius_accounting_interim_interval | Integer
Runtime
|
Sets the interval for sending
interim requests
|
sec
Default = 60
Min = 5
Max = UINT16_MAX
|
Bison Router VSA
RADIUS Attribute Dictionary for FreeRADIUS:
VENDOR TheRouter 12345
BEGIN-VENDOR TheRouter
ATTRIBUTE therouter_ingress_cir 1 integer
ATTRIBUTE therouter_engress_cir 2 integer
ATTRIBUTE therouter_ipv4_addr 3 integer
ATTRIBUTE therouter_ipv4_mask 4 integer
ATTRIBUTE therouter_outer_vid 5 integer
ATTRIBUTE therouter_inner_vid 6 integer
ATTRIBUTE therouter_ip_unnumbered 7 integer
ATTRIBUTE therouter_port_id 8 integer
ATTRIBUTE therouter_ipv4_gw 9 integer
ATTRIBUTE therouter_pbr 10 integer
ATTRIBUTE therouter_install_subsc_route 17 integer
ATTRIBUTE therouter_subsc_ttl 18 integer
ATTRIBUTE therouter_subsc_static_arp 19 integer
ATTRIBUTE therouter_subsc_proxy_arp 20 integer
ATTRIBUTE therouter_subsc_rp_filter 21 integer
ATTRIBUTE therouter_shaper_ingress_params 23 string
ATTRIBUTE therouter_shaper_egress_params 24 string
ATTRIBUTE therouter_subsc_addr_prefix_map_id 25 integer
ATTRIBUTE therouter_subsc_addr_prefix_map_value 26 integer
END-VENDOR TheRouter
therouter_ingress_cir
therouter_egress_cir
therouter_subsc_ttl
Subscriber’s session time to live - sec.
therouter_install_subsc_route
The value 1 of this attribute instructs Bison Router to add the subscriber IPv4 address /32 prefix into the main routing table.
therouter_subsc_static_arp
The value 1 of this attribute instructs Bison Router to set a static ARP record for a L2 subscriber.
therouter_subsc_proxy_arp
The value 1 of this attribute instructs Bison Router to enable the Proxy ARP on dynamic VIFs (VLAN per subscriber).
therouter_subsc_rp_filter
The value 1 of this attribute instructs Bison Router to enable the Reverse Path Filter on dynamic VIFs (VLAN per subscriber).
therouter_shaper_ingress_params
therouter_shaper_egress_params
The following description is relevant for both therouter_shaper_ingress_params and therouter_shaper_egress_params attributes.
These attributes contain a string with the parameters for subscriber’s ingress/egress QoS discipline. The string format depends on the type of QoS discipline, but must always start with an integer indicating the QoS type.
| Value | QoS type |
|---|---|
| 1 | General policer. The default QoS type, no need to use
therouter_shaper_ingress_params or therouter_shaper_egress_params.Use
therouter_ingress_cir and therouter_egress_cir attributes for itsconfiguration
|
| 2 | Multi-policer. The multi-policer applies different bandwidth limits depending on
the packet src/dst IP address. QoS of this type is configured using
therouter_shaper_ingress_params and therouter_shaper_egress_params attributes |
| 4 | DPDK QoS scheduler |
| 6 | DSCP policer |
Multi-policer
The format of therouter_shaper_ingress_params and therouter_shaper_egress_params attribute values for the multi-policer is as follows:
<2/nb_policers/limit1/limit2/../prefix_map_id/prefix_map_mode>
Description
| Item | Description |
|---|---|
| nb_policers | Number of policers |
| limit1 | Bandwidth limit of policer 1 |
| limit2 | Bandwidth limit of policer 2. Optional. |
| prefix_map_id | ID of a prefix map to classify a packet and to select a policer |
| prefix_map_mode | Prefix map’s mode of operation:
0 - use packet’s src IP address to find a match
1 - use packet’s dst IP address to find a match
|
DPDK QoS Scheduler
The value 4 of the attributes therouter_shaper_ingress_params and therouter_shaper_egress_params is DPDK based QoS discipline.
The format of therouter_shaper_ingress_params and therouter_shaper_egress_params attribute values for this QoS is as follows:
<4/nb_ports/port1,profile1/port2,profile2/../prefix_map_id/prefix_map_mode>
Description
| Item | Description |
|---|---|
| nb_ports | Number of QoS scheduler ports/pipes to allocate for a subscriber |
| port1 | QoS scheduler port number for traffic direction #1 |
| profile1 | Profile ID for port1 |
| prefix_map_id | ID of a prefix map to classify a packet |
| prefix_map_mode | Prefix map’s mode of operation:
0 - use packet’s src IP address to find a match
1 - use packet’s dst IP address to find a match
|
DSCP policer
DSCP policer is a type of of QoS discipline used to apply different traffic policer depending on IP packet’s DSCP field value. A DSCP policer may consist of several sub policers (simple policers). Decision on which sub policer to use with a packet is made based on the packet’s IP DSCP value and on a DSCP map. The DSCP map translates DSCP values into sub policer numbers. DSCP policers can only be created for subscriber interfaces.
The format of therouter_shaper_ingress_params and therouter_shaper_egress_params
attribute values for the DSCP policer is as follows:
<6/nb_policers/limit1/limit2/..>
Description
| Item | Description |
|---|---|
| nb_policers | Number of policers |
| limit1 | Bandwidth limit of policer 1 |
| limit2 | Bandwidth limit of policer 2 |
therouter_subsc_addr_prefix_map_id
This attribute instructs BisonRouter to add subscriber’s IPv4 address to the prefix map with the given ID upon subscriber connection and to delete subscriber’s IPv4 address from the prefix map after the subscriber has been disconnected.
therouter_subsc_addr_prefix_map_value
Defines a value associated with the subscriber’s IPv4 address added to a prefix map. See the description of the therouter_subsc_addr_prefix_map_id attribute.
IP pools
IPv4 pools
ip pool add
This command adds a new IPv4 pool.
ip pool add <ip_pool_name>
Description
| Item | Description | Value |
|---|---|---|
| ip_pool_name | Name of an IP pool to create | Must start with a letter.
Max. pool name length is 16 characters.
|
Example
This example shows how to create a new IPv4 pool named pool2:
ip pool add pool2
ip pool del
This command deletes an IPv4 pool.
ip pool del <ip_pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete |
Example
This example shows how to delete the IPv4 pool named pool2:
ip pool del pool2
ip pool add range
This command adds an IP address range to a pool.
ip pool add range <ip_pool_name> <ip_addr_from> - <ip_addr_to>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add an IP address range |
| ip_addr_from | The first IPv4 address of the range |
| ip_addr_to | The last IPv4 address of the range |
Example
This example shows how to add the IP range 1.1.1.10-1.1.1.20 to the IP pool pool2:
ip pool add range pool2 1.1.1.10 - 1.1.1.20
ip pool del range
This command deletes an IP address range from a pool.
ip pool del range <ip_pool_name> <ip_addr_from> - <ip_addr_to>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete an IP address range |
| ip_addr_from | The first IPv4 address of the range |
| ip_addr_to | The last IPv4 address of the range |
Example
This example shows how to delete the IP range 1.1.1.10-1.1.1.20 from the IP pool pool2:
ip pool del range pool2 1.1.1.10 - 1.1.1.20
sh ip pool
This command outputs information about an IPv4 pool.
sh ip pool
Example
The response has the following format:
sh ip pool
---
name pool_1
addresses
192.168.2.10 - 192.168.2.100
free 91
used 0
router 192.168.2.1
mask /16
broadcast 192.168.255.255
mtu 1500
lease time 600 secs
dns 8.8.8.8
dns 8.8.4.4
IP pools sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| ippool_cache_size | Integer
Startup
|
Size of the IP pool’s global pool cache | Default = 4096
Min = 1024
Max = UINT32_MAX
|
| ippool_cache_entry_ttl | Integer
Runtime
|
Time to live of an IP pool cache entry | sec
Default = 60
Min = 1
Max = 259200
|
IPv6 pools
ipv6 pool add
This command creates a new IPv6 address pool.
ipv6 pool add <ip_pool_name> <ipv6_prefix> length <length> [preferred_lt <integer>] [valid_lt <integer>] [flags <flag,...>]
Description
| Item | Description | Value |
|---|---|---|
| ip_pool_name | Name of an IPv6 pool to create | Must start with a letter.
Max. pool name length is 16 characters.
|
| ipv6_prefix | A pool’s address space | |
| length | Length of prefixes allocated from a pool | |
| preferred_lt | The time interval that a valid address
is preferred (i.e., the time until
deprecation). When expires, the address
becomes deprecated.
|
sec
Default value is 604800 seconds (7 days)
|
| valid_lt | The time interval during which an address
remains in a valid state (i.e., the time
until invalidation).
|
sec
Default value is 2592000 seconds (30 days)
valid_lt ⩾ preferred_lt
|
| flags | rand - allocates random values.
cache - an address/prefix is reserved for
a
valid_lt period for the userallocated the value; during this interval,
the subscriber will be provided with
the same address/prefix if he reconnects.
After
valid_lt have elapsed,and the address/prefix is not used,
it will be returned back to the pool.
|
rand, cache |
Example
This example shows how to create a new IPv6 pool named ppp6_slaac_pool:
ipv6 pool add ppp6_slaac_pool xxx::/48 length 64 preferred_lt 3600 valid_lt 7200 flags rand,cache
ipv6 pool del
This command deletes an IPv6 pool.
ipv6 pool del <ip_pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IPv6 pool to delete |
Example
This example shows how to delete the IPv6 pool named ppp6_slaac_pool:
ipv6 pool del ppp6_slaac_pool
ipv6 pool modify
This command modifies an existing IPv6 pool lifetime values.
ipv6 pool modify <ip_pool_name> valid_lt <integer> preferred_lt <integer>
Description
| Item | Description | Value |
|---|---|---|
| ip_pool_name | Name of an IPv6 pool to modify | |
| preferred_lt | The time interval that a valid address
is preferred (i.e., the time until
deprecation). When expires, the address
becomes deprecated.
|
sec
Default value is 604800 seconds (7 days)
|
| valid_lt | The time interval during which an address
remains in a valid state (i.e., the time
until invalidation).
|
sec
Default value is 2592000 seconds (30 days)
valid_lt ⩾ preferred_lt
|
sh ipv6 pool
This command outputs information about IPv6 pools.
sh ipv6 pools
Example
The response has the following format:
sh ipv6 pools
---
name ppp6_pd_pool
address space xxxe::/48
address/prefix length 64
preferred lifetime 3600
valid lifetime 7200
free 65536
used 0
---
name ppp6_na_pool
address space xxx1::/64
address/prefix length 128
preferred lifetime 3600
valid lifetime 7200
free 4294967294
used 1
---
name ppp6_slaac_pool
address space xxx0b::/48
address/prefix length 64
preferred lifetime 3600
valid lifetime 7200
free 65535
used 1
IP Pool cache
IP addresses are not immediately returned to an IP pool but are stored in an IP pool cache for a certain period of time to be reserved for their last user. This ensures that the user is able to obtain the same IP address again.
Users of pool IP addresses are identified by MAC addresses, and an IP pool cache entry
stores a MAC address. The IPv4 pool cache has a fixed size that can be configured
using the ippool_cache_size sysctl startup variable. The duration for which an IP pool cache
entry remains in the cache before the IP address is returned to the pool is configured by the
ippool_cache_entry_ttl sysctl variable. More information about these sysctl variables can be
found in the section titled IP pools sysctl variables.
sh ip pool cache
This command outputs the content of the ipv4 pool cache.
sh ip pool cache
The output has the following structure:
owner ip ip-pool
da9c1db9fe4f0100 192.168.2.10 pool_1
Field name
|
Description
|
|---|---|
| owner | A string id of the owner of an IP pool entry
|
| ip | IPv4 address
|
| ip-pool | IP pool name
|
sh ipv6 pool cache
This command outputs the content of the ipv6 pool cache.
sh ipv6 pool cache
The output has the following structure:
owner ip sub-ip ip-pool
da9c1db9fe4f0101 2001:470:1f0b:1461:4c8c:dd7f:24fb:442d na_pool
da9c1db9fe4f0101 2001:470:1f0c:58c5:: pd_pool
Field name
|
Description
|
|---|---|
| owner | A string id of the owner of an IPv6 pool entry
|
| ip | IPv6 address
|
| sub-ip | Additional IPv6 address
|
| ip-pool | IPv6 pool name
|
ip pool cache del
This command deletes an IP pool entry from the IPv4 pool cache.
ip pool cache del "<owner_id>"
Description
| Item | Description |
|---|---|
| owner_id | A string identifier of the owner of an IPv4 pool entry
|
Example
This example shows how to delete the IPv4 pool cache entry with id da9c1db9fe4f0100:
ip pool cache del "da9c1db9fe4f0100"
Note that when this command is executed in rcli it must enclosed with ‘’:
rcli 'ip pool cache del "da9c1db9fe4f0100"'
ipv6 pool cache del
This command deletes an IPv6 pool entry from the IPv6 pool cache.
ipv6 pool cache del "<owner_id>"
Description
| Item | Description |
|---|---|
| owner_id | A string identifier of the owner of an IPv6 pool entry
|
Example
This example shows how to delete the IPv6 pool cache entry with id da9c1db9fe4f0100:
ipv6 pool cache del na_pool "da9c1db9fe4f0101"
Note that when this command is executed in rcli it must enclosed with ‘’:
rcli 'ipv6 pool cache del na_pool "da9c1db9fe4f0101"'
ip pool cache flush
This command deletes all IPv4 entries from the IPv4 pool cache.
ip pool cache flush
ipv6 pool cache flush
This command deletes all IPv6 entries from the IPv6 pool cache.
ipv6 pool cache flush
DHCP
DHCPv4 server
Enabling DHCP server
The DHCP server function is enabled by sysctl variable dhcp_server.
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| dhcp_server | Boolean
Runtime
|
Enables the DHCP server function
|
1 = on
0 = off
|
Example
This example shows how to enable the DHCP server function:
sysctl set dhcp_server 1
Configuring DHCP server’s IP pools
Note
Before configuring DHCP parameters of an IP pool, it should be created by using the command ip pool add.
The general order of configuring the DHCP server’s IP pools is as follows:
- Create an IP pool (ip pool add).
- Add an IP address range to the created IP pool (ip pool add range).
- Configure the necessary DHCP parameters.
Example
This example shows the order in which the required commands should be executed. DNS, NTP and NBNS configuration is optional and can be configured in any order or be omitted.
# create pool with name "pool_1"
ip pool add pool_1
ip pool add range pool_1 10.11.1.10 - 10.11.200.255
# setup pool's DHCP parameters
ip pool set pool_1 router 10.0.0.1 mask 24 lease time 600
ip pool add pool_1 dns 8.8.8.8
ip pool add pool_1 dns 8.8.4.4
ip pool add pool_1 ntp 192.36.143.130
ip pool add pool_1 nbns 1.1.1.1
ip pool add pool_1 nbns 1.1.1.3
ip pool set
This command sets the DHCP parameters of an IP pool.
ip pool set <ip_pool_name> router <ipv4_address> mask <mask> lease time <time>
Description
| Item | Description | Value |
|---|---|---|
| ip_pool_name | Name of an IP pool to set DHCP parameters | |
| ipv4_address | IPv4 address to set | |
| mask | Network mask | |
| time | Lease time to set | sec
min = 60
|
Example
This example shows how to set DHCP parameters (router IPv4 address 192.168.2.1, mask 16 and lease time value 600) for the IP pool pool_1:
ip pool set pool_1 router 192.168.2.1 mask 16 lease time 600
ip pool add dns
This command adds a DNS server to the list of IP pool DNS servers.
ip pool add <ip_pool_name> dns <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add a DNS server to its list |
| ip_address | IPv4 address of a DNS server to add |
Example
This example shows how to add a DNS server 8.8.8.8 to the list of DNS servers of the IP pool pool_1:
ip pool add pool_1 dns 8.8.8.8
ip pool del dns
This command shows how to delete a DNS server from the list of IP pool DNS servers.
ip pool del <ip_pool_name> dns <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete a DNS server from its list |
| ip_address | IPv4 address of a DNS server to delete |
Example
This example shows how to delete the DNS server 8.8.8.8 from the list of DNS servers of the IP pool pool_1:
ip pool del pool_1 dns 8.8.8.8
ip pool add ntp
This command adds a NTP server to the list of IP pool NTP servers.
ip pool add <ip_pool_name> ntp <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add a NTP server to its list |
| ip_address | IPv4 address of a NTP server to add |
Example
This example shows how to add the NTP server 192.36.143.130 to the list of NTP servers of the IP pool pool_1:
ip pool add pool_1 ntp 192.36.143.130
ip pool del ntp
This command deletes a NTP server from the list of IP pool NTP servers.
ip pool del <ip_pool_name> ntp <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete a NTP server from its list |
| ip_address | IPv4 address of a NTP server to delete |
Example
This example shows how to delete the NTP server 192.36.143.130 from the list of NTP servers of the IP pool pool_1:
ip pool del pool_1 ntp 192.36.143.130
ip pool add nbns
This command adds a NBNS (NetBios Name Server) server to the list of IP pool NBNS servers.
ip pool add <ip_pool_name> nbns <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add a NBNS server to its list |
| ip_address | IPv4 address of a NBNS server to add |
Example
This example shows how to add the NBNS server 1.1.1.1 to the list of NBNS servers of the IP pool pool_1:
ip pool add pool_1 nbns 1.1.1.1
ip pool del nbns
This command deletes a NBNS server from the list of IP pool NBNS servers.
ip pool del <ip_pool_name> nbns <ip_address>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete a NBNS server from its list |
| ip_address | IPv4 address of a NBNS server to delete |
Example
This example shows how to delete the NBNS server 1.1.1.1 from the list of NBNS servers of the IP pool pool_1:
ip pool del pool_1 nbns 1.1.1.1
DHCPv4 relay
Enabling DHCP relay
The DHCP relay function is enabled by sysctl variable dhcp_relay_enabled.
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| dhcp_relay_enabled | Boolean
Runtime
|
Enables the DHCP relay function
|
1 = on
0 = off
|
Example
This example shows how to enable the DHCP relay function:
sysctl set dhcp_relay_enabled 1
dhcp_relay
This command sets an address of DHCP server to relay requests.
dhcp_relay <ip_address>
Description
| Item | Description |
|---|---|
| ip_address | IPv4 address of a DHCP server to set |
Example
This example shows how to set the DHCP server 192.168.1.102:
dhcp_relay 192.168.1.102
dhcp_relay opt82 mode
This command configures a DHCP Option82 rewrite function.
dhcp_relay opt82 mode <mode>
Description
| Item | Description |
|---|---|
| mode | Possible modes:
rewrite_off - turn off option82 rewrite/insert function
rewrite_if_doesnt_exist - insert remote_id and circuit_id suboptions
only if the request doesn’t already contain dhcp option82
rewrite - rewrite or insert both remote_id and circuit_id DHCP
option82 suboptions
rewrite_circuit_id - rewrite or insert only the circuit_id DHCP
option82 suboption
rewrite_remote_id - rewrite or insert only the remote_id DHCP
option82 suboption
|
Example
This example shows how to enable and configure a DHCP Option82 rewrite function:
#
# DHCP relay
#
sysctl set dhcp_relay_enabled 1
dhcp_relay opt82 remote_id "tr_h4"
dhcp_relay opt82 mode rewrite
dhcp_relay 192.168.1.2
dhcp_relay giaddr
This command sets the global DHCP relay giaddr address. When defined, Bison Router will use this address instead of choosing the IP address with minimum value from the VIF to which the DHCP request was received.
dhcp_relay giaddr <ip_address>
Description
| Item | Description |
|---|---|
| ip_address | IPv4 DHCP relay giaddr address to set |
Example
This example shows how to set the DHCP relay giaddr address 192.168.1.1:
dhcp_relay giaddr 192.168.1.1
dhcp_relay opt82 remote_id
This command configures the content of the remote_id suboption.
dhcp_relay opt82 remote_id <remote_id>
Description
| Item | Description |
|---|---|
| remote_id | value of the remote_id option82 suboption |
Example
This example shows how to set up the remote_id option82 suboption value tr_h4:
dhcp_relay opt82 remote_id "tr_h4"
circuit_id suboption format
Bison Router writes 6 bytes of data into the circuit_id suboption.
This data includes the following properties of the VIF on which the DHCP request was received:
dhcp_relay_opt82_curcuit_id_plain_text
sysctl variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| dhcp_relay_opt82_curcuit_id_plain_text | Boolean
Runtime
|
Enables a plain text format for
the circuit_id suboption
|
1 = on
0 = off
|
DHCPv6
dhcpv6 add dns
This command adds a recursive DNS server to the global list of RDNS servers. The values in the list will be used in the Router Advertisement messages sent to PPPoE and IPv6oE subscribers by the DHCPv6 server.
dhcpv6 add dns <ipv6_address>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address of a DNS server to add |
Example
This example shows how to add a recursive DNS server with the IPv6 address 2001:4860:4860::8888 to the list of servers:
dhcpv6 add dns 2001:4860:4860::8888
dhcpv6 del dns
This command deletes a recursive DNS server address from the RDNS list.
dhcpv6 del dns <ipv6_address>
Description
| Item | Description |
|---|---|
| ipv6_address | IPv6 address of a DNS server to delete |
Example
This example shows how to delete a recursive DNS server with the IPv6 address 2001:4860:4860::8888 from the RDNSS list:
dhcpv6 del dns 2001:4860:4860::8888
dhcpv6 domain search list
This command sets a value of the DHCPv6 domain search list parameter.
dhcpv6 domain search list <value>
Description
| Item | Description |
|---|---|
| value | String value |
Example
This example shows how to set the value i6.bisonrouter.com for the DHCPv6 domain search list parameter:
dhcpv6 domain search list i6.bisonrouter.com
DHCPv6 sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| dhcpv6_preferred_lt | Integer
Runtime
|
Defines the default preferred value for
IPv6 addresses. For example, this value
will be used for IPv6 addresses received
via RADIUS protocol
|
Default = 604800
sec (1 week)
Min = 0
Max = UINT32_MAX
|
| dhcpv6_valid_lt | Integer
Runtime
|
Defines the default valid value for IPv6
addresses. For example, this value will be
used for IPv6 addresses received
via RADIUS protocol
|
Default = 1209600
sec (2 weeks)
Min = 0
Max = UINT32_MAX
|
DHCP Syslog
BisonRouter can log the content of DHCP ACK messages to a remote syslog server.
dhcp syslog
This command configures an ipv4 address of a remote syslog server used to log the content of DHCP ACK messages.
dhcp syslog <ipv4_address>
Note
To enable dhcp syslog set the value of sysctl variable ‘dhcp_syslog’ to 1.
Example
dhcp syslog 192.168.1.1
sysctl set dhcp_syslog 1
Subscribers
BisonRouter supports IPoE and PPPoE types of subscribers. This section describes features applicable to both types of subscribers.
MAC ACL
A feature called MAC ACL controls the frequency with which a subscriber can trigger the sending of new RADIUS authorization requests after receiving an access denied response.
To achieve this, BisonRouter maintains a list of MAC ACL entries. When a RADIUS authentication
denied response is received, a new MAC ACL entry is created for the subscriber who triggered that response.
A MAC ACL entry remains in the list for a duration that is configured using either ipoe_mac_acl_ttl or
pppoe_mac_acl_ttl sysctl variables, depending on the subscriber type.
sh mac acl
This command outputs the list of MAC ACL entries.
sh mac acl
The output has the following structure:
sh mac acl
mac expire_in
EA:C8:BB:B0:5C:57
Description
| Item | Description |
|---|---|
| mac | Subscriber’s MAC address
|
| expire_in | The number of seconds in which the entry will be expired and deleted from the list.
If value is ommited the entry is considered a static entry and remains in the list unless
manually deleted by
mac acl del command. |
mac acl add
This command adds a new MAC ACL entry to the list of MAC ACL entries.
mac acl add <mac> [ttl <number>]
Description
| Item | Description |
|---|---|
| mac | Subscriber’s MAC address
|
| ttl | Seconds. Entry time-to-live value. The entry will be expired and deleted from the list
after this number of seconds. If a value is ommited the entry is considered a static entry
and remains in the list unless manually deleted by
mac acl del command. |
Example
This example shows how create a MAC ACL entry for a subscriber with MAC address 01:02:03:04:05:06.
mac acl add 01:02:03:04:05:06 ttl 600
mac acl del
This command deletes a MAC ACL entry from the list of MAC ACL entries.
mac acl del <mac>
Description
| Item | Description |
|---|---|
| mac | Subscriber’s MAC address
|
Example
This example shows how delete a MAC ACL entry with MAC address 01:02:03:04:05:06
mac acl del 01:02:03:04:05:06
mac acl sysctl variables
There are two sysctl runtime variables ipoe_mac_acl_ttl and pppoe_mac_acl_ttl that control
the automatic creation of MAC ACL entries. When non-zero value is set, BisonRouter automatically
creates MAC ACL antries with a coressponding TTL (Time to Live) time. A new MAC ACL entry is created upon receiving
a RADIUS authentication denied response.
| Sysctl variable name | Description |
|---|---|
| ipoe_mac_acl_ttl | TTL (time to live) value in seconds for IPoE subsribers.
Zero value disables the automactic creation of MAC ACl entries for IPoE subscribers.
|
| pppoe_mac_acl_ttl | TTL (time to live) value in seconds for PPPoE subsribers.
Zero value disables the automactic creation of MAC ACl entries for PPPoE subscribers.
|
Example
This example demonstrates how to enable the automactic creation of MAC ACL entries for PPPoE subscribers. The entries will remain in the list for 600 seconds. During this time BisonRouter will reject any requests from subscribers who have previously received a RADIUS acccess denied response.
sysctl set pppoe_mac_acl_ttl 600
PPPoE subscribers
PPPoE protocol enabling
The PPPoE protocol is enabled for a specific VIF at the time of its creation using pppoe_on flag and vif add command (see vif add section).
Also, the flag can be enabled after creating a VIF using the command vif flags (see vif flags section).
Example
This example shows how to enable the PPPoE protocol on the VIF v3 while creating:
vif add name v3 port 0 type dot1q cvid 3 flags pppoe_on
This example shows how to enable the pppoe_on flag for the existing VIF v20:
vif flags up name v20 flags pppoe_on
sh pppoe subsc
This command outputs connected/online PPPoE subscribers.
sh pppoe subsc [<name>]
Description
| Item | Description |
|---|---|
| name | The user name of the specific subscriber to output. Optional, if omitted, the list of all
online subscribers is output.
|
Example
The response has the following format:
sh pppoe
vif_id username mac port svid cvid session_id ip addr mtu ingress cir egress cir rx_pkts tx_pkts rx_bytes tx_bytes uptime
5 110 DA:9C:1D:B9:FE:4F 1 0 30 1655202238-5 10.8.0.10 1492 100000 100000 2 0 96 0 0 day(s), 0 hour(s), 0 min(s), 8 sec(s)
pppoe disconnect
This command disconnects a PPPoE subscriber with an ID.
pppoe disconnect <pppoe_vif_id>
Description
| Item | Description |
|---|---|
| pppoe_vif_id | ID of a PPPoE VIF to disconnect |
Example
This example shows how to disconnect the PPPoE subscriber with the ID 272:
pppoe disconnect 272
PPPoE global parameters
pppoe ac_cookie key
This command sets an AC-Cookie value (See RFC 2516 0x0104 for more details).
pppoe ac_cookie key "<key_value>"
Description
| Item | Description |
|---|---|
| key_value | AC-Cookie value |
Example
This example shows how to set the AC-Cookie value 13071232717:
pppoe ac_cookie key "13071232717"
pppoe ac_name
This command sets a PPPoE AC-Name (See RFC 2516 0x0102 for more details).
pppoe ac_name "ac_name"
Description
| Item | Description |
|---|---|
| ac_name | AC-Name value |
Example
This example shows how to set the AC-Name trouter1:
pppoe ac_name "trouter1"
pppoe service name
This command sets a PPPoE Service-Name (See RFC 2516 0x0101 for more details).
pppoe service name "service_name"
Description
| Item | Description |
|---|---|
| service_name | Service-Name value |
Example
This example shows how to set the Service-Name *:
pppoe service name "*"
ppp dns primary
This command sets an IP address of the primary DNS server for PPP subscribers.
ppp dns primary <ip_address>
Description
| Item | Description |
|---|---|
| ip_address | IP address of the primary DNS server |
Example
This example shows how to set the IP address of the primary DNS server 8.8.8.8 for PPP subscribers.
ppp dns primary 8.8.8.8
ppp dns secondary
This command sets an IP address of the secondary DNS server for PPP subscribers.
ppp dns secondary <ip_address>
Description
| Item | Description |
|---|---|
| ip_address | IP address of the secondary DNS server |
Example
This example shows how to set the IP address of the secondary DNS server 8.8.4.4 for PPP subscribers.
ppp dns secondary 8.8.4.4
ppp ipcp server ip
This command sets an IP address of the Bison Router side of all PPP Point-to-Point tunnels.
ppp ipcp server ip <ip_address>
Description
| Item | Description |
|---|---|
| ip_address | IP address of the Bison Router side of PPP Point-to-Point tunnel |
Example
This example shows how to set the IP address 10.10.1.1 for the Bison Router side of all PPP Point-to-Point tunnels.
ppp ipcp server ip 10.10.1.1
PPP IP pools
The following two commands configure the PPP stack to use local IP pools. Local IP pools are used if other means of IP address allocation are not specified. For example, local IP pools will be used if the authentication RADIUS response doesn’t contain Framed-IP-Address or Framed-pool attributes.
Multiple IP pools can be added to the PPP. In this case, they are used in a round-robin way.
ppp ip pool add
This command adds an IP pool to the list of local IP pools to be used by the PPP stack.
ppp ip pool add <ip_pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add to PPP |
Example
This example shows how to add the IP pool pool2 to the list of local IP pools to be used by the PPP stack:
ppp ip pool add pool2
ppp ip pool del
This command deletes the local IP pool from PPP.
ppp ip pool del <pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete from PPP |
Example
This example shows how to delete the IP pool pool2 from PPP:
ppp ip pool del pool2
PPPoE profiles
pppoe profile create
This command creates a new PPPoE profile.
pppoe profile create <profile_id>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a PPPoE profile to create | 1-32 |
Example
This example shows how to create the PPPoE profile with the ID 1:
pppoe profile create 1
pppoe profile destroy
This command deletes a PPPoE profile.
pppoe profile destroy <profile_id>
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile to delete |
Example
This example shows how to delete the PPPoE profile with the ID 1:
pppoe profile destroy 1
pppoe profile set
This command configures a PPPoE profile.
pppoe profile <profile_id> set [pado delay <pado_delay>] [service name "<service_name>"] [radius_client <radius_client_id>] [accept rate <padi_rate>] [mtu <mtu_value>] [primary dns <primary_dns>] [secondary dns <secondary_dns>]
Note
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a PPPoE profile to configure | |
| pado_delay | PPPoE PADO delay value to set | ms |
| service_name | Service-Name value to set | |
| radius_client_id | ID number of a RADIUS client to set | |
| padi_rate | Accept rate limit of PADI packets. As soon as the rate of
the incoming PADI packets exceeds the limit, Bison Router will
start silently dropping PADI packets.
|
PADI packets
per sec
|
| mtu_value | Maximum transmission unit size | |
| primary_dns | IP address of primary RDNS server | |
| secondary_dns | IP address of secondary RDNS server |
Examples
This example shows how to set the service name * for the profile 1:
pppoe profile 1 set service name "*" mtu 1480
This example shows how to set service name poe1 and PADO delay 10 for the profile 1:
pppoe profile 1 set service name "poe1" pado delay 10
This example shows how to set a blank service name, PADO delay 20, MTU 1460 and accept rate 50 for the profile 2:
pppoe profile 2 set service name ""
pppoe profile 2 set pado delay 20
pppoe profile 2 set mtu 1460
pppoe profile 2 set accept rate 50
pppoe profile add service name
This command adds a PPPoE Service-Name to a PPPoE profile.
pppoe profile <profile_id> add service name "<service_name>"
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| service_name | Service-Name value to add |
Example
This example shows how to add the Service-Name * to the profile 1:
pppoe profile 1 add service name "*"
pppoe profile del service name
This command deletes a PPPoE Service-Name from a PPPoE profile.
pppoe profile <profile_id> del service name "<service_name>"
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| service_name | Service-Name value to delete |
Example
This example shows how to delete the Service-Name * from the profile 1:
pppoe profile 1 del service name "*"
pppoe profile add ip pool
This command adds an IP pool to a PPPoE profile.
pppoe profile <profile_id> add ip pool <name>
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| name | Name of an IP pool to add |
Example
This example shows how to add the IP pool named p_subs_1 to the profile 1:
pppoe profile 1 add ip pool p_subs_1
pppoe profile del ip pool
This command deletes an IP pool from a PPPoE profile.
pppoe profile <profile_id> del ip pool <name>
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| name | Name of an IP pool to delete |
Example
This example shows how to delete the IP pool named p_subs_1 from the profile 1:
pppoe profile 1 del ip pool p_subs_1
pppoe profile add vif
This command adds a VIF to a PPPoE profile. As a result, the VIF will start using the PPPoE parameters defined by the profile.
pppoe profile <profile_id> add vif <vif_name>
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| vif_name | Name of a VIF to add |
Example
This example shows how to add the VIF v20 to the profile 1:
pppoe profile 1 add vif v20
pppoe profile del vif
This command deletes a VIF from a PPPoE profile. As a result, the VIF will start using globally defined PPPoE parameters (profile 0).
pppoe profile <profile_id> del vif <vif_name>
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile |
| vif_name | Name of a VIF to delete |
Example
This example shows how to delete the VIF v20 from the profile 1:
pppoe profile 1 del vif v20
pppoe profile vlan set
This command adds/deteles VIFs to/from a PPPoE profile. As a result, the VIFs will start using PPPoE parameters defined by the profile. The VIFs to add/delete are selected with the help of the VLAN set module.
pppoe profile <profile_id> add|delete vlan set <vlan_set_id> [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | ID of a VLAN set to select the VIFs | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
pppoe profile 10 add vlan set 2
This command adds the VIFs identified by VLAN set 2 to the PPPoE profile with id 10.
pppoe profile add vif range
This command adds a VIF range to a PPPoE profile. As a result, the VIF range will start using PPPoE parameters defined by the profile.
pppoe profile add <profile_id> vif range svid <svid_range> cvid <cvid_range> name <name>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a PPPoE profile | |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to be added |
Example
This example shows how to add a VLAN range from 4.100 to 5.200 to the profile 1:
pppoe profile add 1 vif range svid 4 5 cvid 100 200 name rng1_
pppoe profile del vif range
This command deletes a VIF range from a PPPoE profile. As a result, the VIF range will start using globally defined PPPoE parameters (profile 0).
pppoe profile del <profile_id> vif range svid <svid_range> cvid <cvid_range> name <name>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a PPPoE profile | |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to delete |
Example
This example shows how to delete a VLAN range from 4.100 to 5.200 from the profile 1:
pppoe profile del 1 vif range svid 4 5 cvid 100 200 name rng1_
sh pppoe profile
This command outputs information about PPPoE profiles.
sh pppoe profile [<profile_id>]
Description
| Item | Description |
|---|---|
| profile_id | ID of a PPPoE profile. Optional, if omitted the list of all profiles is output |
Example
The response has the following format:
sh pppoe profile
profile id 2
pado delay: 20 ms
accept rate: 0 per sec
service names:
sn1
ip pools:
radius client id: 0
mtu: 1492
profile id 1
pado delay: 0 ms
accept rate: 0 per sec
service names:
*
ip pools:
ppp_pool_2
ppp_pool_1
radius client id: 0
mtu: 1492
profile id 0
pado delay: 0 ms
accept rate: 0 per sec
service names:
*
ip pools:
radius client id: 0
mtu: 1492
sh pppoe profile vif
This command outputs information about a PPPoE profile used by a particular VIF.
sh pppoe profile vif <vif_name>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to output information about a PPPoE profile it uses |
Example
The response has the following format:
sh pppoe profile vif v3
profile id 1
pado delay: 100 ms
service name: *
Blocking subscribers
pppoe blocked subsc add
This command adds a subscriber’s link-layer address to the block list.
pppoe blocked subsc add <lladdr>
Description
| Item | Description |
|---|---|
| lladdr | Subscriber’s link-layer address to be blocked |
Example
This example shows how to add a link-layer address DA:9C:1D:B9:FE:41 to the block list:
pppoe blocked subsc add DA:9C:1D:B9:FE:41
pppoe blocked subsc del
This command deletes a subscriber’s link-layer address from the block list.
pppoe blocked subsc del <lladdr>
Description
| Item | Description |
|---|---|
| lladdr | Subscriber’s link-layer address to be deleted from the block list |
Example
This example shows how to delete a link-layer address DA:9C:1D:B9:FE:41 from the block list:
pppoe blocked subsc del DA:9C:1D:B9:FE:41
sh pppoe blocked subsc
This command outputs the content of the PPPoE subscriber block list.
sh pppoe blocked subsc
Example
The response has the following format:
sh pppoe blocked subsc
DA:9C:1D:B9:FE:4A
DA:9C:1D:B9:FE:41
PPPoE verbose logging
The PPPoE verbose logging feature can be used to output syslog log_level 8 messages for a set of PPPoE subscribers. PPPoE subscribers are selected by their MAC addresses. Once at least one MAC address has been added to the verbose log list, Bison Router will output syslog log_level 8 messages only for these subscribers. When the verbose log list is empty, Bison Router outputs log_level 8 messages for all PPPoE subscribers.
Note
log_level 8 must be enabled by setting sysctl log_level variable value to 8.
pppoe verbose add
This command adds a PPPoE subscriber’s MAC address to the verbose log list.
pppoe verbose add <mac>
Description
| Item | Description |
|---|---|
| mac | MAC address to add to the verbose log list |
Example
This example shows how to add a subscriber with the MAC address E0:D5:5E:8D:35:2E to the verbose log list:
pppoe verbose add E0:D5:5E:8D:35:2E
pppoe verbose del
This command deletes a PPPoE subscriber’s MAC address from the verbose log list.
pppoe verbose del <mac>
Description
| Item | Description |
|---|---|
| mac | MAC address to delete from the verbose log list |
Example
This example shows how to delete a subsciber with the MAC address E0:D5:5E:8D:35:2E from the verbose log list:
pppoe verbose del E0:D5:5E:8D:35:2E
pppoe verbose flush
This command deletes all MAC addresses from the verbose log list.
pppoe verbose flush
PPPoE sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| pppoe_max_subsc | Integer
Startup
|
The max. number of concurrent
PPPoE subscribers
|
Default = 30000
Min = 1
Max = UINT32_MAX
|
| pppoe_max_online_subsc | Integer
Runtime
|
The max. number of online PPPoE
subscribers. Once the number
of online PPPoE subscribers
reaches this limit, Bison
Router will stop answering to
the PPPoE Discovery Initiation
Packets (PADI).
|
Default = 0
Min = 0
Max = UINT32_MAX
0 turns off
the limit, no re-
strictions on the
number of online
subscribers are
applied by Bison
Router
|
| pppoe_inactive_ttl | Integer
Runtime
|
The PPPoE subscriber will be
disconnected if there are no
packets during this period
|
sec
Default = 7200
(2 hours)
Min = 0
Max = UINT16_MAX
|
| tcp_mss_fix | Boolean
Runtime
|
Enable/disable the use of
TCP MSS fix for PPPoE traffic
|
Default = 0
1 = on
0 = off
|
| ppp_max_terminate | Integer
Runtime
|
The max. number of PPP FSM
(LCP or NCP (IPCP)) terminate
packets that can be sent
|
Default = 2
Min = 1
Max = 10
|
| ppp_max_configure | Integer
Runtime
|
The max. number of PPP FSM
(LCP or NCP (IPCP)) configure
packets that can be sent
|
Default = 5
Min = 1
Max = 10
|
| ppp_initial_restart_time | Integer
Runtime
|
Waiting time before resending
the PPP FSM configure request.
This time will be multiplied
by 1.5 with each attempt to
resend the request.
|
ms
Default = 100
Min = 100
Max = 60000
|
| pppoe_sub_uniq_check | Boolean
Startup
|
Check if a PPPoE subscriber has
a unique pair of Host-Uniq TAG
and MAC address. If a new PPPoE
discovery request is received
containing an already existing
pair of values, it will be
discarded.
|
1 = on
0 = off
|
| ppp_1session_per_username | Boolean
Startup
|
When enabled, Bison Router pre-
vents the connection of new
PPPoE subscribers with a user-
name being used by an already
connected/online PPPoE
subscriber
|
Default = 0
1 = on
0 = off
|
| ppp_install_subsc_linux_routes | Boolean
Startup
|
When enabled, Bison Router will
add/remove linux kernel /32
routes for PPP subscribers IP
addresses. Linux kernel routes
are installed to ‘lo’ interface
in the namespace in which Bison
Router is running. This option
allows announcing subscriber’s
/32 prefixes by using
“redistribute kernel” command
in FRR/Quagga bgpd or ospfd
daemons.
|
Default = 0
1 = on
0 = off
|
| lcp_keepalive_interval | Integer
Runtime
|
Interval beetween keepalive
tests
|
sec
Default = 60
Min = 0
Max = UINT16_MAX
0 turns off
keepalive
|
| lcp_keepalive_probe_interval | Integer
Runtime
|
Interval beetween keepalive
probes
|
ms
Default = 500
Min = 200
Max = 6000
|
| lcp_keepalive_num_retries | Integer
Runtime
|
The max. number of keepalive
probes that could be send
during one keepalive test
|
Default = 3
Min = 1
Max = 16
|
| ppp_username_strip_domain_cli_log | Boolean
Runtime
|
When enabled, Bison Router
deletes the domain part of the
PPP username before output the
username to CLI or log files
|
Default = 0
1 = on
0 = off
|
| pppoe_sub_uptime_in_sec | Integer
Runtime
|
When enabled, Bison Router
outputs the PPPoE subscriber
uptime in seconds
|
sec
Default = 0
|
| ppp_auth_max_peer_name_len | Integer
Startup
|
(Read-only) the maximum length
of the PPP usernames supported
by Bison Router
|
Default = 50
Min = 1
Max = 100
|
| ppp_default_auth_proto | String
Runtime
|
Defines the default PPP
auth proto
|
chap
pap
Default = chap
|
| rad_acct_on_off_pkts | Boolean
Startup
|
Enables the use of the RADIUS
accounting on/off packets
|
Default = 0
1 = on
0 = off
|
| pppoe_max_nb_delayed_pado | Integer
Runtime
|
The max. number of PPPoE PADO
packets that can be delayed at
the same time. Once Bison
Router receives and delays that
number of PADI/PADO all new
PADI packets will be dropped
|
Default = 256
Min = 256
Max = UINT16_MAX
|
| pppoe_nb_delayed_pado | Integer
Runtime
|
(Read-only) the number of
currently delayed PADO packets
that are waiting to be sent
to the wire
|
|
| ppp_username_trim_trailing_spaces | Boolean
Runtime
|
When enabled, BisonRouter trims
trailing spaces from PPPoE
usernames that come from CoA
protocol and
CHAP/PAP auth protocols
|
Default = 0
1 = on
0 = off
|
| ppp_username_to_lower_case | Boolean
Runtime
|
When enabled, Bison Router
lowers PPPoE usernames that
come from CoA protocol and
CHAP/PAP auth protocols
|
Default = 0
1 = on
0 = off
|
PPPoE IPv6
sh pppoe ipv6 subsc
This command outputs connected/online PPPoE IPv6 subscribers.
sh pppoe ipv6 subsc [<name>]
Description
| Item | Description |
|---|---|
| name | The user name of the specific IPv6 subscriber to output. Optional, if omitted, the list
of all online IPv6 subscribers is output.
|
Example
The response has the following format:
vif_id username mac port svid cvid session_id ia_na ia_pd slaac mtu ingress cir egress cir rx_pkts tx_pkts rx_bytes tx_bytes uptime
9 110 DA:9C:1D:B9:FE:4F 1 0 30 1655471322-9 xxx:237f:ee39:5584:17eb xxx60::/64 xxxaf::/64 1492 100000 100000 1 0 48 0 0 day(s), 0 hour(s), 24 min(s), 33 sec(s)
ppp ipv6 pool
This command sets the default address pool for PPP IPv6 addresses of a particular type.
ppp ipv6 pool <ppp_addr_type> <pool_name>
Description
| Item | Description | Value |
|---|---|---|
| ppp_addr_type | PPP address type | ia_na - Identity Association for
Non-temporary Addresses. Non temporary
address are usually assigned to
the WAN interface of a CPE.
ia_pd - Identity Association for
Prefix Delegation.
slaac - Stateless Address
Auto-configuration
|
| pool_name | Name of an IPv6 pool |
Example
This example shows how to set the default IPv6 pools for different PPP IPv6 address types:
ppp ipv6 pool ia_na ppp6_na_pool
ppp ipv6 pool ia_pd ppp6_pd_pool
ppp ipv6 pool slaac ppp6_slaac_pool
ppp ipv6 pool disable
This command unsets the default address pool for PPP addresses of a particular type.
ppp ipv6 pool <ppp_addr_type> disable
Description
| Item | Description | Value |
|---|---|---|
| ppp_addr_type | PPP address type | ia_na
ia_pd
slaac
|
Example
This example shows how to unset the default address pool for PPP addresses of different types:
ppp ipv6 pool ia_na disable
ppp ipv6 pool ia_pd disable
ppp ipv6 pool slaac disable
PPP IPv6 sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| ppp_ipv6 | Boolean
Startup
|
Enables/disables the IPv6 protocol for PPP
subscribers
|
Default = 0
1 = on
0 = off
|
| ppp_ra_mtu | Integer
Runtime
|
Defines the size of the MTU Router
Advertisement option of RA messages sent to
PPP interfaces
|
Default = 0
Min = 0
Max = UINT16_MAX
|
| ipv6_tcp_mss_fix | Boolean
Runtime
|
Enables/disables the MSS fix/clumping
for IPv6
|
Default = 0
1 = on
0 = off
|
| ppp_dhcpv6_ia_na | Integer
Runtime
|
Defines the IA_NA option behavior of the PPP
DHCPv6 server
0 = off, the IA_NA option is not included in
DHCPv6 messages;
1 = on, the IA_NA option is included to the
DHCPv6 replies, IA_NA value will be allocated
from a pool only if the DHCPv6 client asks
for the option;
2 - allways allocate, the IA_NA option is
included in the DHCPv6 replies, IA_NA value
will be allocated from a pool immediately
after the PPP subscriber has connected.
|
Default = 1
0
1
2
|
| ppp_dhcpv6_ia_pd | Integer
Runtime
|
Setups the IA_PD for PPP DHCPv6 server.
0 = off, the IA_PD option is not included in
DHCPv6 messages;
1 = on, the IA_PD option is included to the
DHCPv6 replies, IA_PD value will be allocated
from a pool only if the DHCPv6 client asks
for the option;
2 - allways allocate, the IA_PD option is
included in the DHCPv6 replies, IA_PD value
will be allocated from a pool immediately
after the PPP subscriber has connected.
|
Default = 1
0
1
2
|
| ppp_slaac | Boolean
Runtime
|
Enables/disables the use of SLAAC for
PPP interfaces.
|
0 = off
1 = on
Default = 0
|
| ppp_rad_acct_slaac | Boolean
Runtime
|
Defines whether or not to include the Framed-
IPv6-Prefix attribute containing the PPP
subscriber’s SLAAC prefix to the RADIUS
accounting messages.
|
0 = off
1 = on
Default = 0
|
| ppp_rad_acct_ia_na | Boolean
Runtime
|
Defines whether or not to include the Framed-
IPv6-Address attribute containing the PPP
subscriber’s IA_NA address to the RADIUS
accounting messages.
|
0 = off
1 = on
Default = 0
|
| ppp_rad_acct_ia_pd | Boolean
Runtime
|
Defines whether or not to include the Delega-
ted-IPv6-Address attribute containing the PPP
subscriber’s IA_PD prefix to the RADIUS
accounting messages.
|
0 = off
1 = on
Default = 0
|
IPoE subscribers
IPoE subscribers
Note
The configuration of IPoE subscribers assumes that the format of the username to be used in RADIUS packets was set in the startup section of the configuration file. See the following command for more details.
ipoe subsc username
This command configures IPoE subscriber’s username which will be used in RADIUS packets. The command can only be used in the startup section of a configuration file.
ipoe subsc username format "<field>[:<field>]..." [delimiter ":"] [type "<subsc_type>"]
Description
| Item | Description |
|---|---|
| field | Fields that will be used to compose a username:
port
svid
cvid
ipv4
mac
remote_id
subscriber_id
|
| delimiter | Delimiter character |
| subsc_type | IPoE subscriber type: “l2”, “l3”, “dynamic_vif”. Default is “l2”. |
Examples
This example shows how to set a username format using the mac field:
ipoe subsc username format "mac" type "l2"
This example shows how to set a username format using ipv4 and mac fields and the delimiter character ::
ipoe subsc username format "ipv4:mac" delimiter ":" type "l2"
Note
remote_id and subscriber_id field values are defined only when DHCP subscriber’s session is initiated by DHCP or DHCPv6 packets.
Those values correspond to DHCP option82 values or DHCPv6 option 18/ option 37 values.
sh subsc
This command outputs IPoE subscriber online sessions.
sh subsc
Example
The response has the following format:
sh subsc
vif_id port vlan ip mac sess-id circuit-id remote-id ingress_car egress_car rx_pkts tx_pkts rx_bytes tx_bytes pbr ttl expire_in uptime
8 2 0.931 10.x.x.x xx:16:xx:xx:xx:xx 1641657854-8 250M 250M 7841 7606 1356631 3446740 0 600 291 0 day(s), 2 hour(s), 17 min(s), 19 sec(s)
subsc disconnect
This command disconnects an IPoE subscriber.
subsc disconnect <vif_id>
| Item | Description |
|---|---|
| vif_id | ID of a subscriber’s VIF to disconnect |
Example
This example shows how to disconnect the subscriber VIF with the ID 8:
subsc disconnect 8
IPoE DHCP pools
The following two commands configure the IPoE stack to use local IP pools. Local IP pools are used if other means of IP address allocation are not specified. For example, local IP pools will be used if the authentication RADIUS response doesn’t contain Framed-IP-Address or Framed-pool attributes.
Multiple IP pools can be added to the IPoE. In this case, they are used in a round-robin way.
ipoe ip pool add
This command adds an IP pool to the list of local IP pools to be used by the IPoE stack.
ipoe ip pool add <ip_pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to add |
Example
This example shows how to add the IP pool pool1 to the list of local IP pools to be used by the IPoE stack:
ipoe ip pool add pool1
ipoe ip pool del
This command deletes the local IP pool from IPoE stack.
ipoe ip pool del <ip_pool_name>
Description
| Item | Description |
|---|---|
| ip_pool_name | Name of an IP pool to delete |
Example
This example shows how to delete the IP pool pool1 from IPoE stack:
ipoe ip pool del pool1
IPoE profiles
ipoe profile create
This command creates a new IPoE profile.
ipoe profile create <profile_id>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of an IPoE profile to create | 1-32 |
Example
This example shows how to create the IPoE profile with the ID 1:
ipoe profile create 1
ipoe profile destroy
This command deletes an IPoE profile.
ipoe profile destroy <profile_id>
Description
| Item | Description |
|---|---|
| profile_id | ID of an IPoE profile to delete |
Example
This example shows how to delete the IPoE profile with the ID 1:
ipoe profile destroy 1
ipoe profile add dhcp pool
This command adds a DHCP pool to an IPoE profile.
ipoe profile <profile_id> add dhcp pool <name>
Description
| Item | Description |
|---|---|
| profile_id | ID of an IPoE profile |
| name | Name of a DHCP pool to add |
Example
This example shows how to add the DHCP pool named p_subs_1 to the profile 1:
ipoe profile 1 add dhcp pool p_subs_1
ipoe profile del dhcp pool
This command deletes a DHCP pool from an IPoE profile.
ipoe profile <profile_id> del dhcp pool <name>
Description
| Item | Description |
|---|---|
| profile_id | ID of an IPoE profile |
| name | Name of a DHCP pool to delete |
Example
This example shows how to delete the DHCP pool named p_subs_1 from the profile 1:
ipoe profile 1 del ip pool p_subs_1
ipoe profile add vif
This command adds a VIF to an IPoE profile. As a result, the VIF will start using the IPoE parameters defined by the profile.
ipoe profile <profile_id> add vif <vif_name>
Description
| Item | Description |
|---|---|
| profile_id | ID of a IPoE profile |
| vif_name | Name of a VIF to add |
Example
This example shows how to add the VIF v20 to the profile 1:
ipoe profile 1 add vif v20
ipoe profile del vif
This command deletes a VIF from an IPoE profile. As a result, the VIF will start using globally defined IPoE parameters.
ipoe profile <profile_id> del vif <vif_name>
Description
| Item | Description |
|---|---|
| profile_id | ID of an IPoE profile |
| vif_name | Name of a VIF to delete |
Example
This example shows how to delete the VIF v20 to the profile 1:
ipoe profile 1 del vif v20
ipoe profile vlan set
This command adds/deteles VIFs to/from an IPoE profile. As a result, the VIFs will start using IPoE parameters defined by the profile. The VIFs to add/delete are selected with the help of the VLAN set module.
ipoe profile <profile_id> add|delete vlan set <vlan_set_id> [prefix <vif_name_prefix>]
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | ID of a VLAN set to select the VIFs | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
ipoe profile 10 add vlan set 2
This command adds the VIFs identified by VLAN set 2 to the IPoE profile with id 10.
ipoe profile add vif range
This command adds a VIF range to an IPoE profile. As a result, the VIF range will start using IPoE parameters defined by the profile.
ipoe profile <profile_id> add vif range svid <svid_range> cvid <cvid_range> name <name>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of an IPoE profile | |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to be added |
Example
This example shows how to add a VLAN range from 4.100 to 5.200 to the profile 1:
ipoe profile 1 add vif range svid 4 5 cvid 100 200 name rng1_
ipoe profile del vif range
This command deletes a VIF range from an IPoE profile. As a result, the VIF range will start using globally defined IPoE parameters.
ipoe profile <profile_id> del vif range svid <svid_range> cvid <cvid_range> name <name>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of an IPoE profile | |
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to delete |
Example
This example shows how to delete a VLAN range from 4.100 to 5.200 from the profile 1:
ipoe profile 1 del vif range svid 4 5 cvid 100 200 name rng1_
ipoe profile set
This command configures parameters of an IPoE profile.
ipoe profile <profile_id> set radius_client <radius_client_id>
Description
| Item | Description |
|---|---|
| profile_id | ID of a IPoE profile |
| radius_client_id | ID of a radius client |
Example
This example shows how to configure IPoE profile 1 to start using radius client with ID 1:
ipoe profile 1 set radius_client 1
sh ipoe profile
This command outputs information about IPoE profiles.
sh ipoe profile [<profile_id>]
Description
| Item | Description |
|---|---|
| profile_id | ID of an IPoE profile. Optional, if omitted all profiles are output |
Example
The response has the following format:
rcli sh ipoe profile
profile id 1
DHCP pools:
pool_2
ref_cnt: 0
sh ipoe profile vif
This command outputs information about the IPoE profile used by a particular VIF.
sh ipoe profile vif <vif_name>
Description
| Item | Description |
|---|---|
| vif_name | Name of a VIF to output information about the IPoE profile it uses |
Example
The response has the following format:
rcli sh ipoe profile vif v20
profile id 1
DHCP pools:
pool_2
ref_cnt: 1
IPoE sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| subsc_vif_max | Integer
Startup
|
Defines the max. number of online
IPoE/PPPoE subscribers
|
Default = 32768
Min = 1
Max = 256
|
| install_subsc_linux_routes | Bollean
Runtime
|
Enables adding/removing linux kernel /32
routes for IPoE subscriber’s IP addresses.
Linux kernel routes are installed to the
linux lo interface in the namespace
where Bison Router is running. This option
allows to announce subscriber’s /32 prefi-
xes by using the
redistribute kernelcommand of FRR/Quagga bgpd or ospfd
daemons.
|
Default = off
0 = off
1 = on
|
| ipoe_ttl | Integer
Runtime
|
Defines IPoE subscriber’s Time-to-Live
parameter value
|
sec
Min = 0
Max = UINT16_MAX
Default = 600
|
| l2_subsc_initiate_by_dhcp | Boolean
Runtime
|
Instructs BisonRouter to initiate a new
IPoE subscriber session upon receiving
the DHCP message
|
Default = off
0 = off
1 = on
|
| l2_subsc_arp_security | Boolean
Runtime
|
Enables filtering of ARP requests on VIFs
with the flag
l2_subsc. Bison Routerwill reply only to requests received from
authorized L2 subscribers. Bison Router
will try to find a match between ARP
source IP, the ARP source hardware address
in a request and a pair of IP and MAC
addresses of one of the online L2 subscri-
bers. If no match is found, the request
will be ignored. It will also check that
the ARP request was received from the VIF
to which the matching subscriber is
connected.
|
Default = off
0 = off
1 = on
|
| install_subsc_routes | Boolean
Runtime
|
Enables installation of a /32 route for
each IPoE L2/L3 subscriber’s IP address
|
Default = off
0 = off
1 = on
|
| subsc_initiate_by_egress_pkts | Boolean
Runtime
|
Instructs Bison Router to initiate a new
L2 connected subscriber session if an
unclassified egress packet is received.
|
Default = on
0 = off
1 = on
|
| subsc_initiate_by_ingress_pkts | Boolean
Runtime
|
Instructs Bison Router to initiate a new
L2 connected subscriber session if an
unclassified ingress packet is received.
|
Default = on
0 = off
1 = on
|
| subsc_update_expiration_by_ingress_pkts | Boolean
Runtime
|
Instructs Bison Router to update the
expiration/TTL time of L2 subscribers
when an ingress packet is received.
|
Default = on
0 = off
1 = on
|
| subsc_update_expiration_by_egress_pkts | Boolean
Runtime
|
Instructs Bison Router to update the
expiration/TTL time of L2 subscribers
when an egress packet is received.
|
Default = on
0 = off
1 = on
|
IPoE IPv6 subscribers
IPoE protocol enabling
The IPoE IPv6 protocol is enabled for a specific VIF at the time of its creation using l2_subs (l3_subs) flags and vif add command (see vif add section).
Also, the flag can be enabled after creating a VIF using the command vif flags (see vif flags section).
Example
This example shows how to enable the IPoE IPv6 protocol on the VIF v3 while creating:
vif add name v3 port 0 type dot1q cvid 3 flags l2_subs
This example shows how to enable the l2_subs flag for the existing VIF v20:
vif flags up name v20 flags l2_subs
ipoe ipv6 pool
This command sets the default address pool for IPv6oE addresses of a particular type.
ipoe ipv6 pool <ipv6oe_addr_type> <pool_name>
Description
| Item | Description | Value |
|---|---|---|
| ipv6oe_addr_type | IPv6oE address type | ia_na - Identity Association for
Non-temporary Addresses. Non temporary
address are usually assigned to
the WAN interface of a CPE.
ia_pd - Identity Association for
Prefix Delegation.
slaac - Stateless Address
Auto-configuration
|
| pool_name | Name of an IPv6 pool |
Example
This example shows how to set the default IPv6 pools for different IPv6oE address types:
ipoe ipv6 pool ia_na ipv6_na_pool_1
ipoe ipv6 pool ia_pd ipv6_pd_pool_1
ipoe ipv6 pool slaac ipv6_slaac_pool_1
ipoe ipv6 pool disable
This command unsets the default address pool for IPv6oE addresses of a particular type.
ipoe ipv6 pool <ipv6oe_address_type> disable
Description
| Item | Description | Value |
|---|---|---|
| ipv6oe_address_type | IPv6oE address type | ia_na
ia_pd
slaac
|
Example
This example shows how to unset the default address pool for IPv6oE addresses of different types:
ipoe ipv6 pool ia_na disable
ipoe ipv6 pool ia_pd disable
ipoe ipv6 pool slaac disable
sh subsc ipv6
This command outputs connected/online IPv6oE subscribers
sh subsc ipv6
Example
The response has the following format:
sh subsc ipv6
vif_id vlan port mac remote_id subsc_id IA_NA IA_PD ingress_qdisc egress_qdisc rx_pkts tx_pkts rx_bytes tx_bytes ttl expire_in uptime
8 0.820 2 xx:xx:xx:xx:xx:xx xx01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:c9c3 2000:xxxx:xxxx:xxxx::/64 250M 250M 7852 7609 1359513 3446878 600 416 0 day(s), 2 hour(s), 21 min(s), 14 sec(s)
IPv6oE sysctl variables
Variable name
|
Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| ipoe_ipv6 | Boolean
Startup
|
Enables/disables the IPv6 protocol for IPoE
subscribers
|
Default = 0
1 = on
0 = off
|
| ipoe_dhcpv6_ia_na | Integer
Runtime
|
Defines the IA_NA option behavior of the IPoE
DHCPv6 server
0 = off, the IA_NA option is not included in
DHCPv6 messages;
1 = on, the IA_NA option is included to the
DHCPv6 replies, IA_NA value will be allocated
from a pool only if the DHCPv6 client asks
for the option;
2 - always allocate, the IA_NA option is
included in the DHCPv6 replies, IA_NA value
will be allocated from a pool immediately
after the IPv6oE subscriber has connected.
|
Default = 1
0
1
2
|
| ipoe_dhcpv6_ia_pd | Integer
Runtime
|
Setups the IA_PD for IPoE DHCPv6 server.
0 = off, the IA_PD option is not included in
DHCPv6 messages;
1 = on, the IA_PD option is included to the
DHCPv6 replies, IA_PD value will be allocated
from a pool only if the DHCPv6 client asks
for the option;
2 - always allocate, the IA_PD option is
included in the DHCPv6 replies, IA_PD value
will be allocated from a pool immediately
after the IPv6oE subscriber has connected.
|
Default = 1
0
1
2
|
ARP based keepalive mechanism
An ARP-based keepalive mechanism for IPoE subscribers enables the fast detection and disconnection of IPoE sessions when the corresponding CPE devices are powered off or cannot be reached.
This keepalive mechanism relies on the ARP protocol to detect unreachable CPE devices. To achieve this, BisonRouter periodically sends unicast ARP requests to the MAC address of each subscriber. If BisonRouter receives no replies to these probes, it disconnects the IPoE session.
BisonRouter periodically conducts a keepalive test for each IPoE subscriber. Each keepalive test consists of sending a maximum of ‘ipoe_arp_keepalive_nb_probes’ unicast ARP requests (keepalive probes). These tests are conducted every ‘ipoe_arp_keepalive_interval’ seconds.
During the test, BisonRouter sends the second probe after an interval of ‘ipoe_arp_keepalive_probe_interval’ * 2 milliseconds, the third probe after ‘ipoe_arp_keepalive_probe_interval’ * 3 milliseconds, and so on.
As soon as BisonRouter receives a response to a ARP requests a keepalive test is finished. If BisonRouter receives no APR replies during the test, it disconnects the IPoE session.
The following sysctl variables controls the behavior of the keepalive mechanism.
| Variable name | Type,
Scope
|
Description
|
Value
|
|---|---|---|---|
| ipoe_arp_keepalive_interval | Integer
Runtime
|
Interval in seconds between
running keepalive tests
|
Default = 0 (disbled)
seconds
|
| ipoe_arp_keepalive_probe_interval | Integer
Runtime
|
Interval in milliseconds between
sending ARP probes
|
Default = 200
milliseconds
|
| ipoe_arp_keepalive_nb_probes | Integer
Runtime
|
Maximum number of ARP probes that
can be sent during a keepalive test
|
Default = 3
|
Other commands
save config
This command saves the running configuration into a file.
save config [<file_name>]
| Item | Description |
|---|---|
| file_name | Name of the file to save configuration. Optional.
When omitted current configuration file name is used.
|
sh uptime
This command outputs the uptime of Bison Router process.
sh uptime
Example
The response has the following format:
Uptime: 1 day(s), 7 hour(s), 24 minute(s), 48 sec(s)
sh port link
This command outputs information about physical ports and their link status
sh port link
Example
The response has the following format:
sh port link
port 0
status: up
speed: 10000
duplex: full
auto negotiation: fixed
port 1
status: up
speed: 10000
duplex: full
auto negotiation: fixed
Router statistic commands
sh port general stat
This command outputs port’s packet counters.
sh port general stat
Example
The response has the following format:
sh port general stat
port 0
pkts rx 2701128
pkts tx 2221199
bytes rx 1586718600
bytes tx 1540072355
errors rx 0
errors tx 0
missed 0
rx_nombuf 0
sh port stat
This command outputs packet counters grouped by lcores.
sh port stat
Example
The response has the following format:
sh port stat
port send_failed send_ok
lcore 1: 0 0 1556192
lcore 2: 0 0 437540
lcore 3: 0 0 227333
lcore 4: 0 0 0
lcore 5: 0 0 0
lcore 6: 0 0 0
lcore 7: 0 0 0
lcore 8: 0 0 0
lcore 9: 0 0 0
lcore 10: 0 0 0
lcore 11: 0 0 0
lcore 12: 0 0 0
lcore 13: 0 0 0
lcore 14: 0 0 0
lcore 15: 0 0 0
total: 0 0 2221065
sh port xstat
This command outputs port’s extended packet counters.
sh port xstat
Example
The response has the following format:
sh port xstat
port 0
rx_good_packets 2702535
tx_good_packets 2221993
rx_good_bytes 1586895940
tx_good_bytes 1540186436
rx_q0packets 2702535
rx_q0bytes 1586895940
tx_q0packets 2221993
tx_q0bytes 1540034116
mac_local_errors 3
mac_remote_errors 1
rx_size_64_packets 350936
rx_size_65_to_127_packets 1050314
rx_size_128_to_255_packets 257371
rx_size_256_to_511_packets 47232
rx_size_512_to_1023_packets 32387
rx_size_1024_to_max_packets 964295
rx_broadcast_packets 35939
rx_multicast_packets 98145
rx_total_packets 2702819
rx_total_bytes 1586951636
tx_total_packets 2221993
tx_size_64_packets 18027
tx_size_65_to_127_packets 1035247
tx_size_128_to_255_packets 155297
tx_size_256_to_511_packets 27883
tx_size_512_to_1023_packets 21215
tx_size_1024_to_max_packets 964324
tx_multicast_packets 1016
tx_broadcast_packets 62
rx_l3_l4_xsum_error 8513
out_pkts_untagged 2221993
sh mbuf stats
This command outputs the mbuf usage.
sh mbuf stats
Example
The response has the following format:
sh mbuf stats
socket 0 mbuf: free 14450, allocated 1934
sh stat
This command outputs global statistics counters.
sh stat
Example
The response has the following format:
sh stat
dropped local 0
dropped unknown_vif 43027
dropped invalid_ipv4 0
dropped dst unreachable 12
dropped blackhole 52084
dropped bad_port 0
dropped dst_mac_is_unknown 4
dropped npf_in 0
dropped npf_out 7003
blocked by npf_in 0
blocked by npf_out 0
dropped other_errs 0
local pkts in 92539
local pkts out 0
local UDP pkts in 5578
local UDP pkts out 0
local pkts dropped 0
fragmentation overflow 0
no ctrl mbuf left 0
no mbuf left 0
no timer left 0
worker-cplane ring overflow 0
invalid ipv6 pkts 0
UDP API
udp_api secret
This command configures a UDP API secret.
udp_api secret "<secret>"
Description
| Item | Description |
|---|---|
| secret | UDP API secret |
Example
This example shows how to set the UDP API secret 123:
udp_api secret "123"
Captive portal
ipoe captive portal redirect url
This command configures a captive portal redirect URL format.
ipoe captive portal redirect url format "<format_string>"
Description
| Item | Description |
|---|---|
| format_string | A format of a captive portal redirect URL. The string can include
the following optional elements placed in {}:
mac
ipv4
svid
cvid
nas_ip_addr
sess_id
|
Example
This example shows how to configure a captive portal redirect URL format using all the elements from the list above:
ipoe captive portal redirect url format "http://captive.portal.com/?mac={mac}&subsc_ip={ipv4}&svid={svid}&cvid={cvid}&nas_ip_addr={nas_ip_addr}&sess_id={sess_id}"
Access control lists (ACL)
Access control lists (ACL) can be used to filter incoming (ingress) or outgoing (egress) VIF traffic. Multiple ACLs can be applied to the same VIF, as well as a single ACL can be applied to many VIFs.
Each VIF has two ACL lists: ingress and egress. A VIF ACL list stores the ACLs in sorted order. The position of an ACL in the list is determined by a priority specified by a user.
The ACL, in turn, consists of rules. The position of a rule in the ACL is also determined by priority.
When a packet comes to a VIF, it is compared to the rules of ACLs from the ingress list. When a packet is transmitted from a VIF, it is compared to the rules of ACLs from the egress list. First, a packet is compared to the rules of the ACL with the minimum priority. The process then proceeds to the next ACL with a higher priority.
When a packet matches an ACL rule, the ACL process stops and the action defined by the ACL is applied to the packet (drop or permit action).
If a packet does not match any ACL rule, the process proceeds to the next ACL in the list. If there are no more ACL in the list, then the action which is opposite to the action defined by the ACL is performed. For example, if a packet does not match any rule of a deny ACL, then the packet is permitted. And when a packet does not match any rule of a permit ACL, the packet is dropped. So, the last ACL in the list defines the action to apply when no matches are found.
Note
Empty ACLs are not included in the list of VIF’s ACLs, and will not be taken into account when a packet does not match any ACL rules.
vif acl create
This command creates a new Access Control List.
vif acl create aclid <acl_id> type <acl_type> <action>
Description
| Item | Description | Value |
|---|---|---|
| acl_id | ID of an ACL to create | Number |
| acl_type | ACL type:
ipv4_tuple - an ACL type which classifies packets using
the combination of the following fields :
- protocol type
- IPv4 source address
- IPv4 destination address
- L4 source port
- L4 destination port
ipv6_tuple - an ACL type which classifies packets using
the combination of the following fields :
- protocol type
- IPv6 source address
- IPv6 destination address
- L4 source port
- L4 destination port
|
ipv4_tuple
ipv6_tuple
|
| action | Action performed with a packet if a match is found:
deny - drop a packet if a match is found
permit - forward a packet if a match is found
|
deny
permit
|
Example
This example shows how to create the ACL with ID 10, type ipv6_tuple and action deny:
vif acl create aclid 10 type ipv6_tuple deny
vif acl destroy
This command deletes an ACL.
vif acl destroy aclid <acl_id>
Description
| Item | Description |
|---|---|
| acl_id | ID of an ACL to delete |
Example
This example shows how to delete the ACL with the ID 10:
vif acl destroy aclid 10
vif acl add
This command applies an ACL to a VIF. It adds an ACL to the ingress or egress list of ACLs of a VIF at the position with the specified priority.
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of a VIF to add an ACL | |
| direction | Traffic direction. Specifies the list (egress or ingress) to
add an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to add | |
| prio | Position number (priority) in the VIF’s ACL list |
Example
This example shows how to add the ACL with the ID 10 to the ingress list of ACLs of the VIF v5 with the prioriry number 30:
vif acl add dev v5 dir ingress aclid 10 prio 30
vif acl del
This command deletes an ACL from ingress or egress list of ACLs of a VIF.
vif acl del dev <vif_name> dir <direction> aclid <acl_id>
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of a VIF to delete an ACL | |
| direction | Traffic direction. Specifies the list (egress or ingress) to
delete an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to delete |
Example
This example shows how to delete the ACL with the ID 10 from the ingress list of ACLs of the VIF v5:
vif acl del dev v5 dir ingress aclid 10
vif acl mod
This command changes the position of an ACL in the list of ACLs of a VIF.
vif acl modify dev <vif_name> dir <direction> aclid <acl_id> prio <prio>
Description
| Item | Description | Value |
|---|---|---|
| vif_name | Name of a VIF to change an ACL priority | |
| direction | Traffic direction. Specifies the list (egress or ingress) to
change an ACL priority
|
ingress
egress
|
| acl_id | ID of an ACL to change its priority | |
| prio | New position number (priority) in the VIF’s ACL list |
Example
This example shows how to set the new priority number 40 for the ACL with the ID 10 in the ingress list of ACLs of the VIF v5:
vif acl modify dev v5 dir ingress aclid 10 prio 40
vif acl add vlan set
This command applies an ACL to the VIFs with ids from a VLAN set. It adds an ACL to the VIF’s ingress or egress list of ACLs at the position with the specified priority.
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id to select VIFs to add an ACL | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ | |
| direction | Traffic direction. Specifies the VIF’s ACL list
(egress or ingress) to add an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to add | |
| prio | Position number (priority) in the VIF’s ACL list |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
This example shows how to add the ACL with the ID 10 to the ingress list of ACLs of the VIFs with ids from a VLAN set 2
with the prioriry number 30:
vif acl add vlan set 2 dir ingress aclid 10 prio 30
vif acl del vlan set
This command deletes an ACL from the VIFs with ids from a VLAN set. It deletes an ACL with the specified id from the VIF’s ingress or egress lists of ACLs.
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id to select VIFs to add an ACL | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ | |
| direction | Traffic direction. Specifies the VIF’s ACL list
(egress or ingress) to add an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to delete |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
This example shows how to delete the ACL with the ID 10 from the ingress list of ACLs of the VIFs with ids from a VLAN set 2:
vif acl del vlan set 2 dir ingress aclid 10
vif acl mod vlan set
This command changes the position of an ACL in the list of ACLs of VIFs with ids from a VLAN set.
Description
| Item | Description | Value |
|---|---|---|
| vlan_set_id | VLAN set id to select VIFs to modify an ACL | |
| vif_name_prefix | VIF name prefix. Default value is ‘v’ | |
| direction | Traffic direction. Specifies the VIF’s ACL list
(egress or ingress)
|
ingress
egress
|
| acl_id | ID of an ACL to modify | |
| prio | New position number (priority) in the VIF’s ACL list |
Note
The VIF name prefix value should match the prefix value that was used to create VIFs by vif add vlan set command.
Note
After a VLAN set is modified and a new VLAN is added to it BisonRouter do not automatically executes commands dependent on the modified VLAN set. For example, BisonRouter will not create new VIFs corresponding to the added VLANs, or it will not add an IP address to those VIFs. Commands using a VLAN set as a parameter should be executed again manually.
Example
This example shows how to modify the position of the ACL with the ID 10 in the ingress list of
ACLs of the VIFs with ids from a VLAN set 2:
vif acl modify vlan set 2 dir ingress aclid 10 prio 30
vif acl add range
This command adds an ACL to a VIF’s range:
vif acl add range svid <svid_range> cvid <cvid_range> name <name> dir <direction> aclid <acl_id> prio <prio>
Description
| Item | Description | Value |
|---|---|---|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to add an ACL | |
| direction | Traffic direction. Specifies the list (egress or ingress)
to add an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to add | |
| prio | Position number (priority) in the VIF range ACL list |
Example
This example shows how to add the ingress ACL 10 with the priority number 30 on a VLAN range from 4.100 to 5.200 within the VIF v20:
vif acl add range svid 4 5 cvid 100 200 name v20 dir ingress aclid 10 prio 30
vif acl del range
This command deletes an ACL from a VIF’s range.
vif acl del range svid <svid_range> cvid <cvid_range> name <name> dir <direction> aclid <acl_id>
Description
| Item | Description | Value |
|---|---|---|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to delete an ACL | |
| direction | Traffic direction. Specifies the list (egress or ingress)
to add an ACL
|
ingress
egress
|
| acl_id | ID of an ACL to delete |
Example
This example shows how to delete the ingress ACL 10 from a VLAN range from 4.100 to 5.200 within the VIF v20:
vif acl del range svid 4 5 cvid 100 200 name v20 dir ingress aclid 10
vif acl mod range
This command changes the position of an ACL in the list of ACLs on a VIF’s range.
vif acl modify range svid <svid_range> cvid <cvid_range> name <name> dir <direction> aclid <acl_id> prio <prio>
Description
| Item | Description | Value |
|---|---|---|
| svid_range | Service VLAN ID or Service VLAN range | 1-4095 |
| cvid_range | Customer VLAN ID or Customer VLAN range | 1-4095 |
| name | Name of the range of virtual interfaces to change an ACL
priority
|
|
| direction | Traffic direction. Specifies the list (egress or ingress)
to change an ACL priority
|
ingress
egress
|
| acl_id | ID of an ACL to change its priority | |
| prio | Position number (priority) in the VIF range ACL list |
Example
This example shows how to set the new priority number 40 for the ACL with the ID 10 in the ingress list of ACLs of the VLAN range from 4.100 to 5.200 within the VIF v20:
vif acl modify range svid 4 5 cvid 100 200 name v20 dir ingress aclid 10 prio 40
vif acl flush
This command deletes all rules from an ACL.
vif acl flush aclid <acl_id>
Description
| Item | Description |
|---|---|
| acl_id | ID of an ACL to delete its rules |
Example
This example shows how to delete all the rules from the ACL with the ID 10:
vif acl flush aclid 10
vif acl rule add
This command adds a rule to an ACL.
vif acl rule <ip_proto> add aclid <acl_id> prio <prio> [proto <proto_number>] [src <src_prefix>]
[dst <dst_prefix>] [sport <src_port_range>] [dport <dst_port_range>]
Description
| Item | Description | Value |
|---|---|---|
| ip_proto | IP protocol name | IPv4
IPv6
|
| acl_id | ID of an ACL to add a rule | |
| prio | Position number (priority) in the VIF’s ACL list | |
| proto_number | IP protocol number | |
| src_prefix | Source IP prefix | |
| dst_prefix | Destination IP prefix | |
| src_port_range | L4 source port range | |
| dst_port_range | L4 destination port range |
Examples
This example shows how to add an IPv4 rule with the priority number 21 for source IP prefix 10.1.0.0/24 and destination IP prefix 10.2.0.0/24, source port range 10-20 and destination port 80 to the ACL 11:
vif acl rule ipv4 add aclid 11 prio 21 proto 6 src 10.1.0.0/24 dst 10.2.0.0/24 sport 10 20 dport 80
This example shows how to add an IPv4 rule with the priority number 21 for destination IP prefix 10.2.0.0/24 and destination port 80 to the ACL 11:
vif acl rule ipv4 add aclid 11 prio 21 dst 10.1.0.0/24 dport 80
This example shows how to add an IPv6 rule with the priority number 20 for destination IP prefix 2a00:1450:400c:c07::8b and destination port 80 to the ACL 10:
vif acl rule ipv6 add aclid 10 prio 20 dst 2a00:1450:400c:c07::8b dport 80
vif acl rule del
This command deletes a rule from an ACL.
vif acl rule <ip_proto> del aclid <acl_id> prio <prio>
Description
| Item | Description | Value |
|---|---|---|
| ip_proto | IP protocol name | IPv4
IPv6
|
| acl_id | ID of an ACL to add a rule | |
| prio | Position number (priority) in the VIF’s ACL list |
Example
This example shows how to delete the IPv4 rule with the priority number 21 from the ACL 11:
vif acl rule ipv4 del aclid 11 prio 21
vif acl rule mod
This command modifies a rule in an ACL.
vif acl rule <ip_proto> modify aclid <acl_id> prio <prio> [proto <protocol_number>]
[src <src_prefix>] [dst <dst_prefix>] [sport <src_port_range>] [dport <dst_port_range>]
Description
| Item | Description | Value |
|---|---|---|
| ip_proto | IP protocol name | IPv4
IPv6
|
| acl_id | ID of an ACL to modify a rule | |
| prio | Position number (priority) in the VIF’s ACL list | |
| proto_number | IP protocol number | |
| src_prefix | Source IP prefix | |
| dst_prefix | Destination IP prefix | |
| src_port_range | L4 source port range | |
| dst_port_range | L4 destination port range |
Examples
This example shows how to modify the IPv4 rule with the priority number 21 for source IP prefix 10.1.0.0/24 and destination IP prefix 10.2.0.0/24, source port range 10-20 and destination port 80 in the ACL 11:
vif acl rule ipv4 modify aclid 11 prio 21 proto 6 src 10.1.0.0/24 dst 10.2.0.0/24 sport 10 20 dport 80
This example shows how to modify the IPv4 rule with the priority number 21 for destination IP prefix 10.2.0.0/24 and destination port 80 in the ACL 11:
vif acl rule ipv4 modify aclid 11 prio 21 dst 10.1.0.0/24 dport 80
This example shows how to modify the IPv6 rule with the priority number 20 for destination IP prefix 2a00:1450:400c:c07::8b and destination port 80 in the the ACL 10:
vif acl rule ipv6 modify aclid 10 prio 20 dst 2a00:1450:400c:c07::8b dport 80
sh vif acl
This command outputs ACL.
sh vif acl
Example
sh vif acl
acl_id type action num_rules
1 ipv4_tuple deny 0
sh vif acl rules
This command outputs ACL rules.
sh vif acl rules aclid <acl_id>
Description
| Item | Description |
|---|---|
| acl_id | ID of an ACL to show its rules |
Example
The response has the following format:
sh vif acl rules aclid 11
acl id 11, type ipv4_tuple, action deny, num rules 1
--
prio 21, proto any, src any, dst 10.1.1.0/24, sport any, dport 81
sh vif
This command outputs the list of VIFs and ACLs applied to them.
sh vif
Example
The response has the following format:
sh vif
vif v5, id 3
port 0, vlan 0.5, encapsulation dot1q
mac address 00:1B:21:A3:0C:88
NPF index 12
CAR ingress not set
egress not set
ACL ingress prio 30 acl 10, prio 40 acl 11
egress not set
QoS
Hierarchical QoS
Bison Router’s HQoS implementation is based on the DPDK QoS Scheduler framework. For more details, see DPDK documentation.
HQoS hierarchy includes 5 levels: port, subport, pipe, traffic class and queue.
Subport: Each subport represents a predefined group of subscribers.
Pipe: A pipe represents a particular subscriber.
Traffic class: There are 4 Traffic Classes (TC). A packet is classified as a particular TC based on the IPv4 ToS value.
Queue: Each TC consists of 4 queues with ID numbers from 1 to 4. A packet goes to a particular queue based on the content of it’s L3 header:
(ip src + ip dst) % 3
Traffic shaping is performed on subport and pipe levels using the Token Bucket Algorithm.
TCs of the same pipe handled in strict priority order. Queues of the same TC are serviced using Weighted Round Robin (WRR) algorithm according to predefined weights.
hqos add profile
This command creates a HQoS profile. The profile defines the Token Bucket Algorithm parameters of a pipe.
hqos add profile <profile_id> rate <rate> size <size> tc period <tc_period>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a HQoS profile to create | |
| rate | Traffic limit rate. The rate value can include suffixes K, M or G | bit/s
suffixes:
K, M, G
|
| size | Bucket size, i.e. upper limit for the tb_credits | |
| tc_period | The period of time that must have elapsed since the last credit
update in order for the bucket to be awarded credits.
|
Example
This example shows how to create a HQoS profile 1 with the traffic limit rate 15 M, bucket size 1000000 and traffic classification period 40:
hqos add profile 1 rate 15 M size 1000000 tc period 40
hqos set profile
This command sets traffic class’s parameters of the profile.
hqos set profile <profile_id> tc <tc_number> rate <rate> wrr weights <weights>
Description
| Item | Description | Value |
|---|---|---|
| profile_id | ID of a HQoS profile to set TC parameters | |
| rate | Traffic limit rate. The rate value can include suffixes K, M or G | bit/s
suffixes:
K, M, G
|
| tc_number | Number of a traffic class | 1-4 |
| weights | Traffic class weights used by the WRR algorithm | Default:
1 1 1 1
|
Note
By default, all the TC rates are equal to the profile’s rate.
Example
This example shows how to set traffic limit rate 15 M and traffic class weight 1 1 1 1 for the different traffic classes within the HQoS profile 1:
hqos set profile 1 tc 1 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 2 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 3 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 4 rate 15 M wrr weights 1 1 1 1
hqos add port
This command creates a HQoS port.
hqos add port <port_number> rate <rate> mtu <mtu> frame overhead <frame_overhead> queue sizes <queue_sizes>
Description
| Item | Description | Value |
|---|---|---|
| port_number | ID number of a HQoS port to create | 0-15
|
| rate | Rate of an egress ethernet port. Typical value is 10 G. | bit/s
suffixes:
K, M, G
|
| mtu | Packet’s Maximum transmission unit size. Typical value is 1522. | |
| frame_overhead | Packet’s frame overhead that takes into account Start of Frame
Delimiter, Frame Check Sequence, and other packet fields.
A typical value is 24.
|
|
| queue_sizes | List of TC’s queue sizes. Each traffic class has 4 queues
of the same size.
|
Example
This example shows how to create the HQoS port 0 with the parameters: traffic limit rate 10 G, MTU 1522, framne overhead 24 and the list of queue sizes 64 64 64 64:
hqos add port 0 rate 10 G mtu 1522 frame overhead 24 queue sizes 64 64 64 64
hqos add port subport
This command creates a subport for a HQoS port. Currently only one subport per port is supported.
hqos add port <port_number> subport <subport_number> rate <rate> size <size> tc period <tc_period>
Description
| Item | Description | Value |
|---|---|---|
| port_number | Number of an already created HQoS port | |
| subport_number | Number of a subport to create | |
| rate | Traffic shaping rate of subport.
It’s the upper limit for traffic going through subport’s pipes.
|
bit/s
suffixes:
K, M, G
|
| size | Subport bucket size. Typical value 1000000 | |
| tc_period | The period of time that must have elapsed since the last credit
update in order for the bucket to be awarded credits. Typical
value is 40.
|
Example
This example shows how to create the subport 0 on the HQoS port 0 with thr traffic shaping rate 150 M, subport bucket size 1000000 and traffic classification period 10:
hqos add port 0 subport 0 rate 150 M size 1000000 tc period 10
hqos set port subport
This command sets traffic classes parameters of the subport.
hqos set port <port_number> subport <subport_number> tc <tc_number> rate <rate>
Description
| Item | Description | Value |
|---|---|---|
| port_number | Number of a HQoS port | |
| subport_number | Number of a subport to set TC parameters | |
| tc_number | Number of a traffic class | 1-4 |
| rate | Traffic shaping rate of subport.
It’s the upper limit for traffic going through subport’s pipes.
|
bit/s
suffixes:
K, M, G
|
Note
By default, all the subport’s TC rates are equal to the subport’s rate.
Example
This example shows how to set the traffic shaping rate values for the different traffic classes of the port 0 subport 0:
hqos set port 0 subport 0 tc 1 rate 150 M
hqos set port 0 subport 0 tc 2 rate 100 M
hqos set port 0 subport 0 tc 3 rate 50 M
hqos set port 0 subport 0 tc 4 rate 50 M
hqos add port subport pipes
This command creates a number of pipes of a profile for a port’s subport.
hqos add port <port_number> subport <subport_number> pipes <number_of_pipes> profile <profile_id>
Description
| Item | Description |
|---|---|
| port_number | Number of a HQoS port |
| subport_number | Number of a Subport |
| number_of_pipes | Number of pipes to create |
| profile_id | ID of a HQoS profile |
Example
This example shows how to create the number of pipes 40000 of i the HQoS profile 1 for the port 1 subort 0:
hqos add port 1 subport 0 pipes 40000 profile 1
applying hqos to subscriber
To apply HQoS to a subscriber, use the RADIUS attributes therouter_shaper_ingress_params and therouter_shaper_egress_params.
For more details, see therouter_shaper_ingress_params.
DSCP policer
DSCP policer is a type of of QoS discipline used to apply different traffic policer depending on IP packet’s DSCP field value. A DSCP policer may consist of several sub policers (simple policers). Decision on which sub policer to use with a packet is made based on the packet’s IP DSCP value and on a DSCP map. The DSCP map translates DSCP values into sub policer numbers. DSCP policers can only be created for subscriber interfaces and are configured with the RADIUS attribute therouter_shaper_ingress_params.
dscp to hcar filter
This command creates an entry in the DSCP policer mapping table.
dscp to hcar filter <dscp> <policer_nb>
Description
| Item | Description |
|---|---|
| dscp | IP DSCP value |
| policer_nb | Policer number to apply to traffic with the DSCP value |
Example
This example shows how to create a entry mapping DSCP value 4 to policer number 1
dscp to hcar filter 4 1