Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| en:dpi:dpi_components:router:start [2024/08/21 14:47] – [Subscriber announcements and NAT pool] elena.krasnobryzh | en:dpi:dpi_components:router:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Soft-Router (routing function) ====== | ||
| - | {{indexmenu_n> | ||
| - |  | ||
| - | ===== General Description ===== | ||
| - | Stingray Service Gateway (SSG) itself does not build the routing table. It delegates this work to proven specialised tools. The example uses the BIRD root daemon. The router daemon processes the required routing protocols (BGP, OSPF, etc.) and uses them to build a common routing table which it loads into the kernel. SSG performs routing of packets using this table. | ||
| - | <note tip> | ||
| - | Instead of BIRD, any other daemon that builds a routing table in the Linux kernel can be used, such as [[https:// | ||
| - | |||
| - | In future versions, in order to save memory, it is possible to introduce optional specialized APIs for communication with a particular daemon to bypass kernel route table construction and communicate with the daemon directly.</ | ||
| - | |||
| - | Since BIRD builds the routing table in the OS kernel, to avoid application of these rules by the Linux server itself, the BIRD root daemon runs in a separate net namespace (in the diagram it is '' | ||
| - | |||
| - | System requirements are described in the [[en: | ||
| - | |||
| - | ==== The Internal Router Architecture ==== | ||
| - | |||
| - | {{ : | ||
| - | |||
| - | Data from the kernel route table is read (rtnetlink) in the router' | ||
| - | |||
| - | The worker threads use FIB. This structure is designed for multi-threaded search (LPM – longest prefix match), but is not designed for modifications (deletion/ | ||
| - | |||
| - | === Default values in the Router === | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | |||
| - | ==== VRF General Description ==== | ||
| - | |||
| - | <note tip>SSG implements VRF Lite – it shares routing tables, but does not put individual VRF traffic into a unique tunnel (MPLS, VXLAN).</ | ||
| - | |||
| - | VRF (Virtual Routing and Forwarding instance) — is a routing virtualization mechanism. VRF allows you to create virtual routers on the same physical device with independent routing tables, interface lists, and other parameters. This enables virtualized isolated environments and ensures that each VRF has independent settings and does not share parameters with other VRFs and the physical device. Communication between different VRFs is possible, but it is strictly local to the device, and the VRF on one router is not connected in any way to the VRF on another. | ||
| - | |||
| - | Each VRF is a separate VPN and does not interconnect with other VRFs. | ||
| - | |||
| - | An example is the traffic allocation from an IPTV set-top box that is also located in the L2 domain with BRAS, as well as the CPE (Customer Premises Equipment – network equipment that provides user access to the ISP's network). The IPTV set-top box only accesses local resources, the CPE accesses the Internet. | ||
| - | |||
| - | VRF may be called Virtual Routing Instance in Juniper, VRF in Cisco and MikroTik, but they are all routing virtualization mechanism with similar features. | ||
| - | |||
| - | ==== VRF Lite in Stingray Service Gateway | ||
| - | {{ : | ||
| - | |||
| - | The prefix Lite means that SSG only separates routing tables, but does not place the traffic of an individual VRF into a unique tunnel (MPLS, VXLAN). VRF Lite allows isolating the services provided between each other and optimizing routing when using different links. | ||
| - | |||
| - | VRF Lite is implemented in SSG by using Soft-Router, | ||
| - | |||
| - | The routing daemon runs in isolation to keep the OS from becoming a router. SSG sends all signaling to the router, the router itself builds routing rules. Then, using these rules, SSG starts forwarding and routing packets. | ||
| - | |||
| - | The current version (12.3) does not support L3VPN and MPLS, but you can configure special context routing if necessary. | ||
| - | |||
| - | VRF Lite in SSG is service 254, that may or may not be subscriber-enabled. By default, the subscriber falls into the VRF which is specified in SSG. | ||
| - | |||
| - | === Behavior === | ||
| - | Routing in the SSG can be done using the FRR or BIRD routing daemons, which is a separate process that handles the exchange of dynamic routing signaling protocols (BGP, OSPF). In the context of VRF Lite, BIRD suits better since the SSG runs on the Linux architecture. When using BIRD, it is possible to handle route leaking in the routing tables. | ||
| - | |||
| - | This section covers the single namespace and multiple routing tables option, which is more suitable for the BIRD routing daemon. There is also a concept with multiple namespaces and a single table. This concept is more typical of FRR. | ||
| - | |||
| - | GRT (Global routing table) in this scheme is a conventional name, it is exactly the same kernel route table as the others in the scheme. The table is named so for the convenience and complexity of testing. It uses own routing rules from several routers, they can be multiple or have their own contexts. | ||
| - | |||
| - | All rules and filters are configured in the router (in this case, BIRD). When BIRD starts, when SSG is running and BGP neighboring is up, some incoming routes are folded into the Kernel_rt N table, others are folded into GRT and then flow into Kernel_rt 1 and Kernel_rt 2 according to specified rules. | ||
| - | |||
| - | The SSG describes the same VRFs targeting specific tables with routing rules. Each instance reads from the tables and builds isolated FIBs based on those tables. | ||
| - | |||
| - | The SSG has its own unique ARP cache, which it builds based on responses to ARP requests. An SSG can have multiple ARP tables, multiple VRFs can have one common table. | ||
| - | |||
| - | Due to **isolation**, | ||
| - | |||
| - | <note important> | ||
| - | |||
| - | Actions when traffic is outgoing from a subscriber: | ||
| - | - Find which VRF the subscriber belongs to. | ||
| - | - Find the destination of the packet. | ||
| - | - In the FIB, find which hop is to terminate the packet and terminate it. **Relevant only when creating flow, then nexthop is memorized for flow**. | ||
| - | |||
| - | Actions on incoming traffic: | ||
| - | - Analyze dest. | ||
| - | - Check subscriber status. | ||
| - | - Test for packet origination. | ||
| - | |||
| - | For other groups of subscribers everything happens similarly in isolation, according to the rules. Announcement is performed from the VRF on which the subscriber is located. | ||
| - | |||
| - | ===== TAP Subnets Configuration ===== | ||
| - | For each '' | ||
| - | |||
| - | Subnets are defined by the '' | ||
| - | For example, the following configuration specifies two IPv4 subnets for device '' | ||
| - | |||
| - | <code bash> | ||
| - | router_device { | ||
| - | # Device name from in_dev/ | ||
| - | device=41-00.1 | ||
| - | # TAP interface name for the device (default=' | ||
| - | tap=tap41 | ||
| - | # Name of the paired TAP interface in netns for the device (default=' | ||
| - | peer=bgp41 | ||
| - | |||
| - | # Which IPv4 subnets to allocate to TAP | ||
| - | subnet=10.0.2.0/ | ||
| - | subnet=8.8.8.0/ | ||
| - | |||
| - | # Which IPv6 subnets to allocate to TAP | ||
| - | subnet6=2001:: | ||
| - | # link-local the address of the interface with which bird communicates | ||
| - | subnet6=fe80:: | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | <note important> | ||
| - | |||
| - | OSPF uses the multicast addresses 224.0.0.5 and 224.0.0.6, so if the '' | ||
| - | <code bash> | ||
| - | router_device { | ||
| - | device=41-00.1 | ||
| - | tap=tap41 | ||
| - | peer=bgp41 | ||
| - | |||
| - | # OSPF multicast | ||
| - | subnet=224.0.0.5/ | ||
| - | subnet=224.0.0.6/ | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | <note warning> | ||
| - | |||
| - | ===== Creating veth interfaces ===== | ||
| - | <note important> | ||
| - | |||
| - | Suppose we have the following devices specified in fastdpi.conf: | ||
| - | <code bash> | ||
| - | in_dev=41-00.0 | ||
| - | out_dev=41-00.1 | ||
| - | </ | ||
| - | Suppose we need to configure the BGP protocol for uplink in BIRD, i.e. on the '' | ||
| - | <note tip> | ||
| - | To redirect BGP traffic from '' | ||
| - | |||
| - | Create '' | ||
| - | <code bash> | ||
| - | ip netns add bird | ||
| - | </ | ||
| - | |||
| - | Create the veth pair: | ||
| - | <code bash> | ||
| - | ip link add dpi41-00.1 type veth peer name rib41-00.1 netns bird | ||
| - | </ | ||
| - | |||
| - | The rib interface must have an IP address (and IPv6 if IPv6 is supported). This address will be the BGP peer address for the BGP neighbour. | ||
| - | <code bash> | ||
| - | ip netns exec bird ip address add 10.0.0.4/24 broadcast 10.0.0.255 dev rib41-00.1 | ||
| - | ip netns exec bird ip address add 2098::4/124 dev rib41-00.1 | ||
| - | # enable ARP on the interface | ||
| - | ip netns exec bird ip link set dev rib41-00.1 arp on | ||
| - | |||
| - | # set tx checksum offload off - turn off checksum calculation on the interface | ||
| - | # noticed that the CRC calculation on the interface may not be correct (at least on some CentOS-8 kernel builds) | ||
| - | ip netns exec bird ethtool -K rib41-00.1 tx off | ||
| - | </ | ||
| - | <note warning> | ||
| - | |||
| - | The dpi interface **should have neither IPv4 nor IPv6 addresses**, | ||
| - | <code bash> | ||
| - | ip link set dev dpi41-00.1 arp off | ||
| - | # Disable IPv6 on dpiXXX interfaces (so that there is not even a link-local address) | ||
| - | echo 1>/ | ||
| - | </ | ||
| - | |||
| - | Finally, bring up all created interfaces: | ||
| - | <code bash> | ||
| - | ip link set dpi41-00.1 up | ||
| - | ip netns exec bird ip link set lo up | ||
| - | ip netns exec bird ip link set rib41-00.1 up | ||
| - | </ | ||
| - | |||
| - | Do not forget the firewall: | ||
| - | <code bash> | ||
| - | firewall-cmd --zone=internal --add-source=10.0.0.1/ | ||
| - | firewall-cmd --zone=internal --add-rich-rule=' | ||
| - | </ | ||
| - | |||
| - | Remember that BIRD must be run in '' | ||
| - | <code bash> | ||
| - | ip netns exec bird / | ||
| - | </ | ||
| - | |||
| - | <note important> | ||
| - | |||
| - | < | ||
| - | SSG sends packets to the rib interfaces "as is" without any conversion. It means that if you have a VLAN, you have to use Linux to create vlan interfaces on the rib interface and bind the bird to those vlan interfaces.\\ | ||
| - | In fastdpi.conf vlan interfaces created on a rib interface must not be listed anywhere - you must specify the two ends of the veth pair as '' | ||
| - | |||
| - | < | ||
| - | SSG **does not set** the MTU on the veth interfaces. When configuring the veth interfaces, the MTU must be set using the standard Linux tools. | ||
| - | </ | ||
| - | |||
| - | ===== SSG Settings ===== | ||
| - | ==== SSG Configuration ==== | ||
| - | === Mandatory parameters === | ||
| - | To enable the routing function, you need to activate the parameter in fastdpi.conf | ||
| - | <code bash> | ||
| - | # [cold] enabling the router | ||
| - | # Boolean parameter: | ||
| - | # 0, false, off - router is off (default) | ||
| - | # 1, true, on - router is on | ||
| - | # Does not allow changes on-the-fly via reload | ||
| - | router=1 | ||
| - | </ | ||
| - | |||
| - | Next you need to specify in which netns BIRD runs and the number of the kernel routing table it builds: | ||
| - | <code bash> | ||
| - | # [cold] net namespace in which BIRD is running | ||
| - | router_netns=bird | ||
| - | # [cold] Number of the kernel routing table that fastDPI uses | ||
| - | router_kernel_table=1 | ||
| - | </ | ||
| - | |||
| - | The following BRAS parameters must also be set, even if none of the BRAS modes are enabled: | ||
| - | <code bash> | ||
| - | # Stingray Virtual MAC Address | ||
| - | bras_arp_mac=00: | ||
| - | |||
| - | # Stingray Virtual IP Address | ||
| - | bras_arp_ip=188.227.73.40 | ||
| - | |||
| - | # If IPv6 is used, virtual IPv6 addresses must be set: | ||
| - | |||
| - | # Sets the global IPv6 address of the Stingray | ||
| - | bras_ipv6_address=2098:: | ||
| - | |||
| - | # Sets the IPv6 link-local address of the Stingray (prefix FE80::/10) | ||
| - | # If this parameter is not set explicitly, it is calculated by bras_arp_mac | ||
| - | # | ||
| - | </ | ||
| - | |||
| - | <note tip> | ||
| - | The other parameters listed below are optional and are for fine-tuning the router in Stingray Service Gateway.</ | ||
| - | |||
| - | === Additional parameters === | ||
| - | The maximum number of routes is set by the parameters: | ||
| - | <code bash> | ||
| - | # [cold] Maximum number of routes in IPv4 route table | ||
| - | # Default value = 1000000 | ||
| - | # | ||
| - | |||
| - | # [cold] Maximum number of routes in IPv6 route table | ||
| - | # Default value = 200000 | ||
| - | # | ||
| - | </ | ||
| - | When starting in the router mode, SSG preallocates memory for the internal route table in accordance with these parameters. It is recommended to set these options (if necessary) with 20-30% reserve to ensure that the preallocated memory will be enough during the router operation. | ||
| - | |||
| - | The forwarding information base (FIB) in SSG is updated every '' | ||
| - | <code bash> | ||
| - | # [hot] FIB update period, seconds | ||
| - | # Default value - every 15 seconds | ||
| - | # | ||
| - | </ | ||
| - | It makes no sense to set this parameter too small (less than 5 seconds). | ||
| - | |||
| - | The maximum size of neighbor cache (ARP cache) and the timeout for updating the records of this cache is set by the parameters: | ||
| - | <code bash> | ||
| - | # [cold] Max size of ARP cache (neighbor сache for IPv6) | ||
| - | # Default value - 1024, max = 32K | ||
| - | # | ||
| - | </ | ||
| - | The Stingray SG contains separate neighbor caches for IPv4 and IPv6, each of size '' | ||
| - | |||
| - | The Stingray SG itself does not send ARP requests for obsolete cache entries. Instead, it relies on updates from the Linux kernel: Stingray monitors the ARP responses coming to the TAP-interfaces subnet address, and updates its ARP cache in accordance with these responses. The same applies to IPv6 (monitoring ICMPv6 neighbor discovery). | ||
| - | |||
| - | The router runs in a separate thread on a separate CPU core. At start Stingray sets parameters of this thread by default, which can be changed by parameters: | ||
| - | <code bash> | ||
| - | # [cold] Adding to the priority of the router' | ||
| - | # | ||
| - | |||
| - | # [cold] Router thread binding kernel, -1 - autodetection | ||
| - | # | ||
| - | </ | ||
| - | Do not change these parameters unless absolutely necessary; it is better to let SSG determine the core and priority itself. For example, explicitly specifying a core for router '' | ||
| - | <note warning> | ||
| - | |||
| - | |||
| - | === VRF Configuration === | ||
| - | The '' | ||
| - | |||
| - | When preparing the fastDPI for router mode, the administrator needs to create the necessary netns and TAP interfaces to divert traffic to route-demons. In the '' | ||
| - | |||
| - | Each VRF is specified by a separate new section in the router configuration: | ||
| - | |||
| - | == Routing table description (VRF) == | ||
| - | <code bash> | ||
| - | router_vrf { | ||
| - | id= | ||
| - | netns= | ||
| - | kernel_table= | ||
| - | neighbor_cache= | ||
| - | } | ||
| - | </ | ||
| - | <code bash> | ||
| - | router_default_vrf= | ||
| - | </ | ||
| - | |||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | |||
| - | Parameters for this VRF: | ||
| - | |||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | |||
| - | These parameters define the required memory and refresh frequency for this VRF. Default values can be specified here (taken from global options) or overridden. | ||
| - | |||
| - | * If there are **no** '' | ||
| - | * If the configuration **has** '' | ||
| - | |||
| - | **'' | ||
| - | When this option is enabled: | ||
| - | - subscriber' | ||
| - | - gateway ICMP ping — processed by fastDPI only if the subscriber and the gateway are in the same VRF. | ||
| - | - local interconnect — applies only if both subscribers are in the same VRF | ||
| - | |||
| - | **'' | ||
| - | When enabled, the packet will be dropped if the following conditions are met: | ||
| - | - the subscriber' | ||
| - | - bras_term_by_as = 0 | ||
| - | - subscriber' | ||
| - | |||
| - | == Description of router_device == | ||
| - | |||
| - | A VRF id is added to the '' | ||
| - | Description of one router interface: | ||
| - | |||
| - | <code bash> | ||
| - | router_device { | ||
| - | device= | ||
| - | tap= | ||
| - | peer= | ||
| - | vrf= | ||
| - | subnet= | ||
| - | subnet= | ||
| - | subnet6= | ||
| - | subnet6= | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | **'' | ||
| - | |||
| - | **'' | ||
| - | |||
| - | **'' | ||
| - | **'' | ||
| - | |||
| - | Each IPv4 and IPv6 subnet is specified separately in the '' | ||
| - | |||
| - | <note important> | ||
| - | For example, BGP1 from VRF1 is subnet 10.20.30.0/ | ||
| - | |||
| - | == VRF subscriber management == | ||
| - | VRF ID is received by fastDPI at authorization in the new service 254. | ||
| - | |||
| - | '' | ||
| - | |||
| - | Here “VRF_ID” is the VRF identifier. | ||
| - | |||
| - | === Example of VRF configuration in SSG === | ||
| - | <code bash> | ||
| - | in_dev=0b-00.0 | ||
| - | out_dev=13-00.0 | ||
| - | |||
| - | scale_factor=1 | ||
| - | |||
| - | ctrl_port=29000 | ||
| - | ctrl_dev=lo | ||
| - | |||
| - | federal_black_list=0 | ||
| - | black_list_sm=1 | ||
| - | black_list_redirect=http:// | ||
| - | |||
| - | num_threads=1 | ||
| - | |||
| - | router=1 | ||
| - | router_vrf { | ||
| - | id=ROUTER | ||
| - | netns=router | ||
| - | kernel_table=100 | ||
| - | neighbor_cache=shared | ||
| - | } | ||
| - | |||
| - | router_vrf { | ||
| - | id=ROUTER2 | ||
| - | netns=router | ||
| - | kernel_table=101 | ||
| - | neighbor_cache=shared | ||
| - | } | ||
| - | router_device { | ||
| - | device=13-00.0 | ||
| - | vrf=ROUTER | ||
| - | tap=dpi | ||
| - | peer=rib | ||
| - | subnet=224.0.0.5/ | ||
| - | subnet=192.168.123.69/ | ||
| - | } | ||
| - | router_device { | ||
| - | device=13-00.0 | ||
| - | vrf=ROUTER2 | ||
| - | tap=dpi | ||
| - | peer=rib | ||
| - | subnet=192.168.123.70/ | ||
| - | } | ||
| - | router_subs_announce=6 | ||
| - | |||
| - | enable_auth=1 | ||
| - | auth_servers=127.0.0.1%lo: | ||
| - | bras_enable=1 | ||
| - | bras_arp_ip=10.10.102.189 | ||
| - | bras_arp_mac=00: | ||
| - | bras_dhcp_mode=1 | ||
| - | bras_dhcp_server=10.10.99.3%ens256; | ||
| - | bras_pppoe_enable=1 | ||
| - | bras_pppoe_session=100 | ||
| - | bras_ppp_auth_list=2, | ||
| - | |||
| - | enable_acct=1 | ||
| - | netflow=4 | ||
| - | netflow_timeout=300 | ||
| - | bras_pppoe_service_name=demoDPI | ||
| - | </ | ||
| - | |||
| - | ==== Setting veth-Interface Names ==== | ||
| - | The fastdpi.conf describes all TAP-interfaces associated with the devices: | ||
| - | <code bash> | ||
| - | # Description of one router interface | ||
| - | # WARNING! ' | ||
| - | router_device { | ||
| - | # Device name from in_dev/ | ||
| - | device= | ||
| - | # TAP interface name for the device (default=' | ||
| - | #tap= | ||
| - | # Name of the paired TAP interface in netns for the device (default=' | ||
| - | #peer= | ||
| - | # WARNING! ' | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | For example, for this configuration | ||
| - | <code bash> | ||
| - | in_dev=41-00.0 | ||
| - | out_dev=41-00.1 | ||
| - | </ | ||
| - | where only '' | ||
| - | <code bash> | ||
| - | in_dev=41-00.0 | ||
| - | out_dev=41-00.1 | ||
| - | |||
| - | router_device { | ||
| - | # Device name from in_dev/ | ||
| - | device=41-00.1 | ||
| - | # TAP interface name for the device (default=' | ||
| - | tap=tap41 | ||
| - | # Name of the paired TAP interface in netns for the device (default=' | ||
| - | peer=bgp41 | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | It is possible not to specify the names of the '' | ||
| - | <code bash> | ||
| - | in_dev=41-00.0 | ||
| - | out_dev=41-00.1 | ||
| - | |||
| - | # TAP for out_dev: | ||
| - | router_device { | ||
| - | device=41-00.1 | ||
| - | } | ||
| - | |||
| - | # TAP for in_dev | ||
| - | router_device { | ||
| - | device=41-00.0 | ||
| - | } | ||
| - | </ | ||
| - | In this case the TAP interface names are assumed to be as follows: | ||
| - | * for '' | ||
| - | * for '' | ||
| - | |||
| - | |||
| - | ==== LAG Support ==== | ||
| - | Stingray Service Gateway 10.1 adds support for link aggregation in the router. | ||
| - | |||
| - | For aggregated channels, packets that need to be diverted to a TAP interface can go to any device that is part of a LAG. To avoid creating the same TAP interface for each device in a LAG, the router takes into account which devices are included in the LAG and for all such devices does a diversion of traffic of the specified subnets to the TAP (to the BIRD daemon). | ||
| - | |||
| - | Each LAG is defined by a separate section in fastdpi.conf which lists all the devices included in the LAG: | ||
| - | <code bash> | ||
| - | # In/out devices, combined in a LAG | ||
| - | in_dev=01-00.0: | ||
| - | out_dev=01-00.1: | ||
| - | |||
| - | # Describing the LAG towards the inet | ||
| - | lag { | ||
| - | # Optional LAG name, used only for log output | ||
| - | name=inet | ||
| - | # Each device included in a LAG is described by a separate device parameter | ||
| - | device=01-00.1 | ||
| - | device=02-00.1 | ||
| - | } | ||
| - | |||
| - | # Description of one router interface | ||
| - | router_device { | ||
| - | # Device name from out_dev. Only for this device create a veth pair of TAP interfaces | ||
| - | device=01-00.1 | ||
| - | # TAP interface name for the device (default=' | ||
| - | tap=tap0 | ||
| - | # Name of the paired TAP interface in netns for the device (default=' | ||
| - | peer=peer0 | ||
| - | # Subnets diverted from total traffic to the TAP device (example) | ||
| - | subnet=10.0.10.0/ | ||
| - | #...other subnets... | ||
| - | } | ||
| - | </ | ||
| - | With this description, | ||
| - | |||
| - | The '' | ||
| - | If the router works both inet and subs direction (e.g. BGP on the inet side and OSPF inside the network, subs side), two '' | ||
| - | <code bash> | ||
| - | # LAG towards inet | ||
| - | lag { | ||
| - | name=inet | ||
| - | device=01-00.1 | ||
| - | device=02-00.1 | ||
| - | } | ||
| - | |||
| - | # LAG towards subs | ||
| - | lag { | ||
| - | name=subs | ||
| - | device=01-00.0 | ||
| - | device=02-00.0 | ||
| - | } | ||
| - | </ | ||
| - | and a separate '' | ||
| - | |||
| - | A maximum of 10 different lag sections can be configured in total. | ||
| - | |||
| - | <note tip>The '' | ||
| - | |||
| - | ==== ARP Management ==== | ||
| - | |||
| - | NeighborDB is a nexthop database maintained by fastDPI itself: it sends ARP requests to determine the MAC address of the nexthop and updates the ARP cache for these nexthops. The following options are used for updating: | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | |||
| - | A nexthop entry consists of: | ||
| - | * nexthop IP; | ||
| - | * // | ||
| - | * // | ||
| - | * // | ||
| - | |||
| - | IPv4 and IPv6 NeighborDB is stored in SDR in the '' | ||
| - | |||
| - | NeighborDB management (adding/ | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | * '' | ||
| - | |||
| - | <note tip>For the syntax of each of these commands, see '' | ||
| - | |||
| - | **ARP Cache Priority**\\ | ||
| - | With the introduction of NeighborDB in fastDPI, there are now two independent sources of entries in the ARP cache: | ||
| - | * [previous] BIRD/FRR: fastDPI intercepts the interaction of BIRD/FRR with neighbors and accordingly fills its ARP cache for nexthops; fastDPI does not update the status of such entries by sending ARP Requests, relying instead on BIRD/FRR to do so. | ||
| - | * [new] NeighborDB: fastDPI itself monitors the validity of entries, sending ARP Requests in a timely manner. **NeighborDB entries have higher priority** than entries from BIRD/FRR. | ||
| - | ===== Multi-path routing (ECMP) ===== | ||
| - | Support for multi-path routing ([[https:// | ||
| - | |||
| - | SSG performs traffic balancing (round-robin) at the flow level for all routes from the multi-path. | ||
| - | Balancing at the flow level means that a specific flow will be assigned to one of the routes from the multi-path, and the selected route will not change until the end of this flow (unless the composition of the multi-path is changed by external events from the routing daemon). | ||
| - | |||
| - | No configuration is required to enable multi-path in SSG. ECMP support is enabled in the configuration parameters of the routing daemon. | ||
| - | For example, in BIRD, ECMP support is enabled by specifying '' | ||
| - | |||
| - | ===== Specifics of addresses announcement ===== | ||
| - | ==== Subscriber announcements and NAT pool ==== | ||
| - | |||
| - | <note important> | ||
| - | NAT is applied to a subscriber if the subscriber is connected to a NAT service and belongs to a VRF in which NAT pools are announced.</ | ||
| - | |||
| - | Announcing subscriber addresses is enabled by a parameter in fastdpi.conf: | ||
| - | <code bash> | ||
| - | # [cold] Subscriber address announcement flags | ||
| - | # Bit mask | ||
| - | # Values: | ||
| - | # | ||
| - | # | ||
| - | # | ||
| - | # | ||
| - | # | ||
| - | # Default value: 0 - not to announce anything | ||
| - | # | ||
| - | |||
| - | # [hot] Metric for subscriber address announcements | ||
| - | # Default value = 32 | ||
| - | # | ||
| - | </ | ||
| - | {{ : | ||
| - | NAT public address subnets are announced only towards the inet when the SSG starts and when adding/ | ||
| - | |||
| - | {{ : | ||
| - | Subscriber addresses can be announced both towards inet and subs side. But if the subscriber' | ||
| - | |||
| - | |||
| - | ====Announcement of L3 subscriber addresses ==== | ||
| - | |||
| - | In SSG 10.2, the following algorithm of announcing IP-addresses of [[en: | ||
| - | * by default, the address announcement is performed for successful authorization (accept) and is NOT performed for unsuccessful authorization (reject) | ||
| - | * fastdpi.conf parameter '' | ||
| - | <code bash> | ||
| - | # [hot] To announce (1) or not (0) the unauthorized (Reject) subscribers | ||
| - | # Default value - 0 (do not announce) | ||
| - | # | ||
| - | </ | ||
| - | * added new Radius-attribute '' | ||
| - | |||
| - | To sum up, when deciding whether to announce the IP-address of the subscriber or not, the following algorithm applies: | ||
| - | * If the '' | ||
| - | * If the '' | ||
| - | * For Access-Accept (successful authorization), | ||
| - | * For Access-Reject (unsuccessful authorization), | ||
| - | |||
| - | < | ||
| - | |||
| - | This algorithm is also used for ARP authorization and GTP authorization, | ||
| - | For other types of L2 authorization (DHCP, PPP, - all where the IP address is explicitly **allocated**), | ||
| - | |||
| - | ===== Root Daemon Configuration (BIRD, FRR, etc.) ===== | ||
| - | The settings of the Root daemon (BIRD, FRR, etc.) and SSG must be consistent: the root daemon must create a kernel route table with the number given by the '' | ||
| - | Supported Routing Daemons: | ||
| - | - [[https:// | ||
| - | - [[http:// | ||
| - | - [[https:// | ||
| - | - [[https:// | ||
| - | |||
| - | <note tip>The example shows a special case, for more information please refer to the documentation of the specific root daemon. In the context of VRF Lite, BIRD suits better since the SSG runs on the Linux architecture.</ | ||
| - | |||
| - | ==== BIRD configuration example ==== | ||
| - | <code bash> | ||
| - | # Specify additional features to be tested: | ||
| - | |||
| - | # Any public address | ||
| - | function is_public() { | ||
| - | if net !~ [ 10.0.0.0/ | ||
| - | return true; | ||
| - | return false; | ||
| - | } | ||
| - | |||
| - | # Any private address | ||
| - | function is_private() { | ||
| - | if net ~ [ 10.0.0.0/ | ||
| - | return true; | ||
| - | return false; | ||
| - | } | ||
| - | |||
| - | # Default gateway | ||
| - | filter default_gw { | ||
| - | if net ~ [0.0.0.0/0] then | ||
| - | accept; | ||
| - | reject; | ||
| - | } | ||
| - | |||
| - | # Specify the filters: | ||
| - | # Routes that are not acquired from other routing protocols (and the prefix is not /32) | ||
| - | filter exclude_external_routes { | ||
| - | if (source = RTS_INHERIT) && (net.len != 32) then | ||
| - | accept; | ||
| - | reject; | ||
| - | } | ||
| - | |||
| - | # Exclude routes from other routing protocols, public subnets, private subnets — not /32 | ||
| - | filter exclude_ext_1_ip { | ||
| - | if (source = RTS_INHERIT) && (is_public() || (is_private() && (net.len != 32))) then | ||
| - | accept; | ||
| - | reject; | ||
| - | } | ||
| - | |||
| - | |||
| - | log "/ | ||
| - | router id 192.168.123.65; | ||
| - | |||
| - | debug protocols all; | ||
| - | |||
| - | # Describe the tables | ||
| - | ipv4 table grt; | ||
| - | ipv4 table bird00; | ||
| - | ipv4 table bird01; | ||
| - | |||
| - | protocol device { | ||
| - | } | ||
| - | |||
| - | |||
| - | protocol direct { | ||
| - | disabled; | ||
| - | ipv4; # Connection to the default IPv4 table | ||
| - | ipv6; # ... and to the default IPv6 table | ||
| - | } | ||
| - | |||
| - | # Describe kernel " | ||
| - | protocol kernel kernel_grt { | ||
| - | ipv4 { # Connect the protocol to the IPv4 table | ||
| - | table grt; | ||
| - | import all; # Import to table, default is import all | ||
| - | export all; # Export to protocol. Default value - no export | ||
| - | }; | ||
| - | scan time 5; | ||
| - | learn; # Examine incoming routes from the kernel table | ||
| - | kernel table 99; # Kernel table to synchronize with (default: main) | ||
| - | } | ||
| - | protocol kernel kernel_bird00 { | ||
| - | ipv4 { # Connect the protocol to the IPv4 table over the link | ||
| - | table bird00; | ||
| - | import all; # Import to table, default is import all | ||
| - | export all; # Export to protocol. Default value - no export | ||
| - | }; | ||
| - | scan time 5; | ||
| - | learn; # Examine incoming routes from the kernel table | ||
| - | kernel table 100; # Kernel table to synchronize with (default: main) | ||
| - | } | ||
| - | |||
| - | protocol kernel kernel_bird01 { | ||
| - | ipv4 { # Connection of the protocol to the IPv4 table | ||
| - | table bird01; | ||
| - | import all; # Import to table, default is import all | ||
| - | export all; # Export to protocol. Default value - no export | ||
| - | }; | ||
| - | scan time 20; | ||
| - | learn; # Examine incoming routes from the kernel table | ||
| - | kernel table 101; # Kernel table to synchronize with (default: main) | ||
| - | } | ||
| - | |||
| - | # Another instance for IPv6 that skips default settings | ||
| - | protocol kernel { | ||
| - | ipv6 { export all; }; | ||
| - | } | ||
| - | |||
| - | protocol static { | ||
| - | ipv4; # IPv4 channel with default parameters again | ||
| - | |||
| - | } | ||
| - | |||
| - | # OSPF protocols (each instance with its own table) | ||
| - | protocol ospf v2 ospf_grt { | ||
| - | tick 1; | ||
| - | rfc1583compat no; | ||
| - | stub router no; | ||
| - | ecmp yes limit 16; | ||
| - | ipv4 { | ||
| - | table grt; | ||
| - | import all; | ||
| - | export all; | ||
| - | }; | ||
| - | area 0.0.0.0 { | ||
| - | networks { | ||
| - | 192.168.123.64/ | ||
| - | }; | ||
| - | interface " | ||
| - | cost 1; | ||
| - | rx buffer large; | ||
| - | type broadcast; | ||
| - | authentication none; | ||
| - | }; | ||
| - | }; | ||
| - | }; | ||
| - | protocol ospf v2 ospf_bird01 { | ||
| - | tick 1; | ||
| - | rfc1583compat no; | ||
| - | ecmp yes limit 16; | ||
| - | ipv4 { | ||
| - | table bird01; | ||
| - | import all; | ||
| - | export all; | ||
| - | #export filter exclude_ext_1_ip; | ||
| - | }; | ||
| - | area 0.0.0.0 { | ||
| - | networks { | ||
| - | 192.168.123.68/ | ||
| - | }; | ||
| - | interface " | ||
| - | cost 1; | ||
| - | rx buffer large; | ||
| - | type broadcast; | ||
| - | authentication none; | ||
| - | }; | ||
| - | }; | ||
| - | } | ||
| - | |||
| - | # Describe routing " | ||
| - | protocol pipe grt_bird00 { | ||
| - | table grt; | ||
| - | peer table bird00; | ||
| - | import all; | ||
| - | export filter default_gw; | ||
| - | } | ||
| - | protocol pipe grt_bird01 { | ||
| - | table grt; | ||
| - | peer table bird01; | ||
| - | import all; # filter exclude_ext_1_ip; | ||
| - | export all; #filter default_gw; | ||
| - | } | ||
| - | </ | ||
| - | |||
| - | ===== Router Troubleshooting | ||
| - | SSG Router for debugging purposes can record traffic from BIRD to pcap: | ||
| - | <code bash> | ||
| - | # [hot] Recording pcap from the router' | ||
| - | # Note: You can also record traffic with the tcpdump utility (specify the TAP interface name). | ||
| - | # But the problem is that tcpdump does not work with interfaces in DOWN mode, | ||
| - | # hat is, tcpdump cannot record traffic | ||
| - | # when the interface goes from DOWN to UP. | ||
| - | # AP interface names with ';' | ||
| - | # For each TAP interface, a separate pcap file named tap_< | ||
| - | # in the directory specified by the ajb_udpi_path parameter (by default / | ||
| - | # | ||
| - | |||
| - | # [hot] Direction of packets for pcap recording from TAP interfaces | ||
| - | # Values: | ||
| - | # 1 - TAP -> inward (packets from the TAP interface) | ||
| - | # 2 - outward -> TAP (packets towards the TAP interface) | ||
| - | # 0 or 3 - all directions | ||
| - | # | ||
| - | |||
| - | # [hot] TAP pcap rotation interval, seconds | ||
| - | # 0 - is taken from the ajb_udpi_ftimeout parameter (ajb_udpi_ftimeout is set in minutes) | ||
| - | # | ||
| - | </ | ||
| - | |||
| - | You can also enable recording to pcap the data exchange with the kernel (rtnetlink): | ||
| - | <code bash> | ||
| - | # [hot] To record rtnetlink messages в pcap or not | ||
| - | # 0 - recording disabled | ||
| - | # 1 - recording enabled | ||
| - | # Prefix of pcap files = " | ||
| - | # | ||
| - | </ | ||
| - | |||
| - | Moreover, if packets are recorded to pcap by address mask ('' | ||
| - | |||
| - | ====Tracing==== | ||
| - | <code bash> | ||
| - | # [hot] Trace flags of different parts of the router | ||
| - | # 0x0001 | ||
| - | # 0x0002 | ||
| - | # 0x0004 | ||
| - | # 0x0010 | ||
| - | # 0x0020 | ||
| - | # 0x0040 | ||
| - | # 0x0080 | ||
| - | # 0x0100 | ||
| - | # 0x0200 | ||
| - | # 0x0400 | ||
| - | # | ||
| - | </ | ||
| - | ===== CLI commands ===== | ||
| - | Stingray has a set of CLI commands to view the current router status. For a complete list of commands see: | ||
| - | <code bash> | ||
| - | fdpi_cli help router | ||
| - | </ | ||
| - | |||
| - | < | ||
| - | |||
| - | Also keep in mind that the routing table for BGP, OSPF, etc. is built by BIRD, which has its own command line utility '' | ||
| - | |||
| - | In addition, the standard Linux '' | ||