- Table of Contents
- Configuration overview
- Commands
- Startup commands
- Global parameters
- Virtual interfaces
- IP addresses
- ip route tables
- ip routes
- U32 sets
- Prefix Map
- PBR rules
- ARP
- ICMP
- ping
- VRRP
- SNAT44
- snat create map
- show snat maps
- show snat sessions
- snat delete map
- snat map add in prefix
- snat map del in prefix
- snat map add out range
- snat map del out range
- snat map add out prefix
- snat map del out prefix
- snat map out ip disable
- snat map out ip enable
- snat vif enable
- snat vif disable
- snat add map
- snat del map
- DNAT
- Deterministic SNAT44
- det snat create map
- det snat delete map
- det snat flush sess
- show det snat maps
- det snat vif enable
- det snat vif disable
- det snat add map
- det snat del map
- det snat sh mapping alg in
- det snat sh mapping alg out
- sh det snat timeout
- det snat timeout
- det snat close host sessions
- det snat close host session in
- det snat close host session out
- det snat show session in
- det snat show session out
- det snat show sessions
- det_nat_sess_bucket_size
- det snat map add to prefix map
- det snat map del from prefix map
- enabling debug statistic counters
- sh det snat debug stat
- sh det snat debug stat ipv4
- det snat debug stat clear
- Deterministic DNAT44
- NAT44 1:1
- NAT Policy
- NPF
- npf load
- sh npf conndb size
- sh npf conndb summary
- sh npf conndb summary sip
- sh npf stat
- npf clear stat
- npf connection limit filter add
- npf connection limit filter del
- rcli npf connection limit get
- rcli npf connection limit set
- npf_conn_limit_group_by
- npf_conn_limit_filter_mode
- npf_conn_limit_default_max_conn
- NPF sysctl variables controlling connection tracking state timeouts
- NAT events logging - NEL
- Other commands
- Router statistic commands
- Sysctl interface
- IPv6
- ipv6 enable
- ipv6 disable
- sh ipv6 addr
- ipv6 addr add eui-64
- ipv6 addr add
- ipv6 addr link-local
- ipv6 addr link-local eui-64
- ipv6 addr auto
- ipv6 addr del
- sh ipv6 route
- ipv6 route add
- ipv6 route add
- ipv6 route add
- ipv6 route add
- ipv6 route del
- ipv6 route default auto
- ipv6 route table add
- ipv6 route table del
- ipv6 pbr rule add prefix
- ipv6 pbr rule add set
- ipv6 pbr rule del
- ipv6 nd ra
- sh ipv6 arp
- ipv6 arp add
- ipv6 arp del
- icmp6 error msg
- sh icmp6 error msg
- ipv6 nd ra lifetime
- ipv6 nd ra interval
- ipv6 nd ra reachable
- ipv6 nd ra retrans_timer
- ipv6 nd ra hop_limit
- ipv6 nd ra prefix add|update
- ipv6 nd ra prefix del
- IPv6 sysctl variables
- VRRP version 3 (IPV6)
- vrrp create group
- vrrp group ipv6 add
- vrrp group ipv6 add
- vrrp group ipv6 del
- vrrp group prio
- vrrp group advert_int
- vrrp group accept_mode
- vrrp group preempt_mode
- sh vrrp
- vrrp group del
- vrrp group nd ra enable/disable
- vrrp group nd ra lifetime
- vrrp group nd ra interval
- vrrp group nd ra reachable
- vrrp group nd ra retrans_timer
- vrrp group nd ra hop_limit
- vrrp group nd ra prefix add|update
- vrrp group nd ra prefix del
- Flow accounting IPFIX.
- enabling flow accounting on an interface
- Access control lists (ACL)
- PPPoE subscribers
- sh pppoe subsc
- sh pppoe subsc
- pppoe disconnect
- Enable PPPoE at VIF
- pppoe ac_cookie key
- pppoe ac_name
- pppoe service name
- pppoe blocked subsc add
- pppoe blocked subsc del
- sh pppoe blocked subsc
- ppp dns primary
- ppp dns secondary
- ppp ipcp server ip
- ppp ip pool add
- ppp ip pool del
- pppoe profile create
- pppoe profile destroy
- pppoe profile set
- pppoe profile add service name
- pppoe profile del service name
- pppoe profile add ip pool
- pppoe profile del ip pool
- pppoe profile add vif
- pppoe profile del vif
- pppoe profile add vif range
- pppoe profile del vif range
- sh pppoe profile
- sh pppoe profile <profile_id>
- sh pppoe profile vif <vif_name>
- PPPoE verbose logging
- PPPoE sysctl variables
- pppoe_max_subsc
- pppoe_max_online_subsc
- pppoe_inactive_ttl
- tcp_mss_fix
- ppp_max_terminate
- ppp_max_configure
- ppp_initial_restart_time
- pppoe_sub_uniq_check
- ppp_1session_per_username
- ppp_install_subsc_linux_routes
- lcp_keepalive_interval
- lcp_keepalive_probe_interval
- lcp_keepalive_num_retries
- ppp_username_strip_domain_cli_log
- pppoe_sub_uptime_in_sec
- ppp_auth_max_peer_name_len
- ppp_default_auth_proto
- rad_acct_on_off_pkts
- pppoe_max_nb_delayed_pado
- pppoe_nb_delayed_pado
- ppp_username_trim_trailing_spaces
- ppp_username_to_lower_case
- PPPoE IPv6
- PPP IPv6 sysctl variables
- DHCPv6
- IPv6 Pools
- ipv6 pool add
- ipv6 pool del
- ipv6 pool modify
- IP pools
- IP pools sysct variables
- RADIUS and CoA
- RADIUS Accounting
- Radius sysctl variables
- Radius Accounting sysctl variables
- Radius attributes
- therouter_ingress_cir
- therouter_egress_cir
- therouter_subsc_ttl
- therouter_install_subsc_route
- therouter_subsc_static_arp
- therouter_subsc_proxy_arp
- therouter_subsc_rp_filter
- therouter_shaper_ingress_params
- therouter_shaper_egress_params
- therouter_subsc_addr_prefix_map_id
- therouter_subsc_addr_prefix_map_value
- therouter_pbr
- IPoE subscribers
- ipoe subsc username
- show subscribers
- subsc disconnect
- Default IPoE DHCP pools
- subsc_vif_max
- ipoe_ttl
- install_subsc_linux_routes
- subsc_initiate_by_egress_pkts
- subsc_initiate_by_ingress_pkts
- l2_subsc_initiate_by_dhcp
- subsc_update_expiration_by_ingress_pkts
- subsc_update_expiration_by_egress_pkts
- l2_subsc_arp_security
- install_subsc_routes
- IPoE IPv6 subscribers
- IPv6oE sysctl variables
- DHCP server
- DHCP Relay
- Hierarchical QoS
- Range commands
- VIF range commands
- UDP API
- Captive portal
There are three groups of configuration options and commands:
- command line options
- configuration file commands
- rcli commands
Command line options can be modified by editing the run script /usr/local/sbin/router_run.sh. Most of them are DPDK EAL command line options, therefore you can refer to DPDK documentation EAL Command-line Options for detailed description of them.
Before running TheRouter you must check the following options and use your own values depending on the hardware you use:
Map lcore set to physical cpu set
Set the number of memory channels to use.
Add a PCI device in white list.
Example of the startup script cmd options:
the_router --proc-type=primary --lcores='0@0,1@1,2@2,3@3' --syslog='daemon' -n2 -w 0000:01:00.0 -w 0000:01:00.1 -- -c $1 -d
Note: Lcore 0 is used by the TheRouter's control plane function and can be shared with linux. Other cores are used by TheRouter's data plane functions and should be isolated during the linux starup process by using the linux kernel command line parameter isolcpus. Otherwise, performance of TheRouter's data plane working threads might be very low due the context switching.
This commands are stored a configuration file. To configure TheRouter to use a particular configuration file -c command line option is used.
The configuration file consists of two sections:
- startup
- runtime
Each section contains commands. A section line is considered as a single command. Symbol # is used to comment a whole line.
startup {
startup_command_1
startup_command_2
...
startup_command_n
}
runtime {
runtime_command_1
runtime_command_2
...
runtime_command_n
}
startup {
# total number of mbufs
sysctl set mbuf 32768
port 0 mtu 1500 tpid 0x8100 state enabled
port 1 mtu 1500 tpid 0x8100 state enabled
rx_queue port 0 queue 0 lcore 1
rx_queue port 0 queue 1 lcore 2
rx_queue port 0 queue 2 lcore 3
rx_queue port 1 queue 0 lcore 3
rx_queue port 1 queue 1 lcore 2
rx_queue port 1 queue 2 lcore 1
sysctl set global_packet_counters 1
}
runtime {
vif add name p0 port 0 type untagged
ip addr add 10.0.0.1/24 dev p0
vif add name p1 port 1 type untagged
ip addr add 10.0.1.1/24 dev p1
ip route add 0.0.0.0/0 via 10.0.1.2 src 10.0.1.1
}
alg "icmp"
alg "pptp"
group default {
pass final on p0 all
pass final on p1 all
}
The startup command is a command that is used to initilize TheRouter's susbystems and properties that can't be modified once TheRouter have started. Such commands can only be used in the startup section of a configuration file and can't be used with rcli configuration tool.
port <dpdk_port_number> mtu <mtu_size> tpid <tpid_value> state enabled flags [flag, ...] [bond_slaves <slave>,...]
Flags:
- qinq_enabled
- extend_vlan_offload
Examples:
port 2 mtu 1500 tpid 0x8100 state enabled bond_slaves 0,1
or
port 0 mtu 1500 tpid 0x8100 state enabled flags qinq_enabled,extend_vlan_offload
Creates a new bonding (link aggregation group) port. Note that to complete port configuration the "port" command should be used after the "bond port" command.
bond port mode <mode> bond_slaves <slave_port,...> primary port <port_number> policy <transmit_policy>
mode:
- 2 - Balance
In this mode all packets transmitted will be balanced across the available slaves using one of three available transmit policies - l2, l2+3 or l3+4.
- 4 - LACP (802.3AD)
This mode provides auto negotiation/configuration of peers and well as link status changes monitoring using out of band LACP (link aggregation control protocol) messages. For further details of LACP specification see the IEEE 802.3ad/802.1AX standards. It is also described here https://www.kernel.org/doc/Documentation/networking/bonding.txt.
transmit_policy:
- 0 - BALANCE_XMIT_POLICY_LAYER2
- 1 - BALANCE_XMIT_POLICY_LAYER23
- 2 - BALANCE_XMIT_POLICY_LAYER34
Examples:
bond port mode 4 bond_slaves 0,1 primary port 1 policy 2
port 2 mtu 1500 tpid 0x8100 state enabled bond_slaves 0,1
Note that bonding port start its numeration after the standart ports. For example, if there are total two standart port in the system with numbers 0 and 1, then a bonding port will have number 2.
rx_queue port <dpdk_port_number> queue <queue_number> lcore <lcore>
sysctl set <name> <value>
A string sysctl variable that defines the system name.
Example
sysctl set system_name "tr1"
A string sysctl variable that defines the format of convertion MAC addresses to strings.
Valid values are:
cisco - xxxx.xxxx.xxxx
linux - xx:xx:xx:xx:xx:xx
raw - no delimiters, xxxxxxxxxxxx
Example:
sysctl set mac_addr_format linux
An integer sysctl variable that defines the route proto type of linux routes TheRouter creates for subscribers, etc.
Note: FRR 4.0 bgpd redistribute kernel command doesn't see linux routes with proto STATIC, but it sees BOOT routes.
Valid values are:
2 - RTPROT_KERNEL
3 - RTPROT_BOOT
4 - RTPROT_STATIC
Example:
sysctl set linux_route_proto 3
An integet startup sysctl variable that defines the number of mbufs. 16384 value is a typical number of mbufs that is enough for normal operations.
Example:
sysctl set mbuf linux 16384
Creates a new virtual L3 interface (VIF)
vif add name <name> port <port_num> type <type> [svid <svid>] [cvid <cvid>] [flags <flag1,flag2...>] [MTU <mtu_size>]
The Type parameter can take one of the following values:
- untagged
- dot1q
- qinq
Flags:
- npf_on
- kni
- proxy_arp
- flow_acct
- rpf
- dhcp_rel
- ipv6oe
rpf - reverse path filter
The following flags are enabled by default:
- dhcp_rel
Up/down (enable/disable) a VIF's flag.
vif flags <up|down> name <name> flags <flag1,flag2...>
The name parameter is the name of a VIF.
Example: disable/down the dhcp_rel flag of the VIF v20.
vif flags down name v20 flags dhcp_rel
Deletes a VIF
vif del <name>
Defines ingress/egress bandwidth limit for a VIF. <cir_val> unit is Kbit/s. Zero value is used to delete a limit.
vif car name <name> ingress cir <cir_val> egress cir <cir_value>
Displays all VIFs
sh vif
Displays information about a particular VIF
sh vif <name>
sh vif counters
clear vif counters
ip addr add <net>/<mask> dev <vif_name>
ip addr del <net>/<mask> dev <vif_name>
sh ip addr
Creates a new routing table.
ip route table add <route_table_name>
Deletes a routing table.
ip route table del <route_table_name>
Displays routing tables.
sh ip route tables
Creates a connected route.
ip route add <net>/<mask> dev <vif_name> src <src_ip> [table <table_name>]
Creates a route to a prefix reachable via a gateway. Note that the IP address of the gateway should be reachable via a directly connected route. A directly connected route is created automatically when an ip address is added to an interface, but only for the main routing table. All routes for additional route tables should be created manually.
ip route add <net>/<mask> via <gw_ip> src <src_ip> [table <table_name>]
Creates an unreachable route.
ip route add <net>/<mask> unreachable [table <table_name>]
Deletes a route from a routing table.
ip route del <net/mask> [table <table_name>]
Displays content of a routing table.
sh ip route [table <name>]
Creates a new U32 set.
u32set create <u32set_name> size <size> bucket_size <bucket_size>
Deletes a U32 set.
u32set destroy <u32set_name>
Adds an ip address to a U32 set.
ipset add <u32set_name> <ipv4>
Deletes an ip address from a U32 set.
ipset del <u32set_name> <ipv4>
Tests whether a u32 set containts an ip address or not.
ipset test <u32set_name> <ipv4>
Adds an VIF identifier (port, svid, and cvid) to a u32 set.
l2set add <u32set_name> port <port_number> svid <svid> cvid <cvid>
Delete a VIF identifier (port, svid, and cvid) from a u32 set.
l2set del <u32set_name> port <port_number> svid <svid> cvid <cvid>
Tests whether a u32 set containts a VIF identifier or not.
l2set test <u32set_name> port <port_number> svid <svid> cvid <cvid>
The prefix map is a map containing ipv4 prefixes and integer values associated with them. It can be used to classify a packet and then use the value associated with the prefix the packet belongs to in further packet processing. For example, the prefix map is used by the multi policer which applies different policers depending on the packet's source or destination address. The values associated with the prefix indicates the policer's number in that case.
Creates a new prefix map with the given id.
prefix map create <prefix_map_id>
Destroys the prefix map with the given id.
prefix map destroy <prefix_map_id>
Adds a prefix and associated with it value into the prefix map with the given id.
prefix map add <prefix_map_id> <ipv4_prefix> value <value>
Example:
prefix map add 10 192.168.1.115/32 value 2
Deletes a prefix from the prefix map with the given id.
prefix map del <prefix_map_id> <ipv4_prefix>
Example:
prefix map del 10 192.168.1.115/32
Outputs the content of a prefix map.
sh prefix map <prefix_map_id>
For example:
rcli sh prefix map 10
prefix map id 10, num prefixes 4
192.168.1.116/32 3
192.168.1.117/32 4
10.11.1.10/32 101
192.168.1.115/32 2
Creates a PBR rule to match the traffic originated from one of addresses contained in an ip set.
ip pbr rule add prio <prio_num> u32set <u32set_name> type "ip" table <route_table_name>
Creates a PBR rule to match the traffic originated from one of VIFs contained in a L2 set.
ip pbr rule add prio <prio_num> u32set <u32set_name> type "l2" table <route_table_name>
Creates a PBR rule to match the traffic originated from a given network.
ip pbr rule add prio <prio_num> from <net/mask> table <route_table_name>
Creates a PBR rule to match the traffic originated from a particular network and destined to another network
ip pbr rule add prio <prio_num> from <net/mask> to <net/mask> table <route_table_name>
Deletes a PBR rule with the given priority.
ip pbr rule del prio <prio_num>
Deletes all PBR rules.
ip pbr flush
Displays PBR rules.
sh ip pbr rules
Creates an ARP record.
arp add <ip> <mac> dev <vif_name> [static]
Deletes an ARP record.
arp del <ip> dev <vif_name>
Displays content of the ARP cache.
sh arp cache
An integer startup scope sysctl variable. ICMP error transmission rate in packets per seconds.
An integer startup scope sysctl variable. Max number of ICMP error messages that could be sent at once.
An integer startup scope sysctl variable. Number of ICMP buckets.
rcli ping --help
Usage: ping [-c,--count count] [-i,--interval interval_in_ms] [-s icmp_payload_size]
[-f,--dont_frag] [-a,--source_address ip_source_address] [-w,--nowait]
[-h,--help] destination
Creates a new vrrp group.
vrrp create group <vrrp_id> dev <vif_name>
Example
vrrp create group 10 dev v5
Deletes a vrrp group.
vrrp del group <vrrp_id> dev <vif_name>
Example
vrrp del group 10 dev v5
Adds a primary or secondary IP address to a vrrp group.
vrrp group <vrrp_id> dev <vif_name> ip add <ip_address> [secondary]
Examples
vrrp group 10 dev v5 ip add 10.0.5.10
vrrp group 11 dev v5 ip add 10.0.55.11 secondary
Deletes an IP address from a vrrp group.
vrrp group <vrrp_id> dev <vif_name> ip del <ip_address>
Example
vrrp group 10 dev v5 ip del 10.0.5.10
Changes the priority of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> prio <value>
Example
vrrp group 10 dev v5 prio 100
Changes the advertisement transmission interval (cetiseconds, 100 centiseconds == 1 sec) of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> advert_int <value>
Example
vrrp group 10 dev v5 advert_int 200
Changes the preempt_mode of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> preempt_mode <on|off>
Example
vrrp group 10 dev v5 preempt_mode on
Displays a vrrp group.
sh vrrp
Example
h5 ~ # rcli sh vrrp
vif v5 - group 11
vif v5 - port 0, vid 0.5, type 0
state is backup
virtual mac address is 00:00:5E:00:01:0B
primary ip address is 10.0.55.10
secondary ip address is 10.0.55.11
advertisement interval is 1 sec
preemption is on
priority is 100
master router is 10.0.5.2, priority is 150
master router advertisement interval is 1 sec
master down interval is 3.609 sec
vif v5 - group 10
vif v5 - port 0, vid 0.5, type 0
state is master
virtual mac address is 00:00:5E:00:01:0A
primary ip address is 10.0.5.10
secondary ip address is 10.0.5.11
advertisement interval is 1 sec
preemption is on
priority is 150
master router is 10.0.55.1 (this system), priority is 150
master router advertisement interval is 1 sec
master down interval is 3.414 sec
Creates a map to translate an internal ipv4 address space (in) to a public ipv4 address space (out). Internal ip address space can include a number of internal ip address prefixes. The out address spaces consists from a number of ip address ranges.
snat create map <map-id> [in entries <nb_in_entries>] [sess <nb_sessions>] [port block <port_block_size>] [ratio <ratio>] [ip port block <nb_pb_per_in_ip>]
- nb_in_entries - maximum number of internal ip records;
- nb_sessions - maximum number of NAT sessions;
- port_block_size - port block size;
- ratio between internal and out address. For example, a ratio value 32 would mean that each out (public) address could be used no more than by 32 internal ip addresses at the same time;
- nb_pb_per_in_ip - maximum number of port blocks that an internal ip can use at the same time.
Example:
snat create map 1 ratio 32
or
snat create map 1 in entries 40000 sess 16000000 port block 128 ratio 64 ip port block 4
Output translation maps.
sh snat maps
Example:
# rcli sh snat maps
SNAT map
map id: 1
internal prefixes:
192.168.2.0/24
10.8.0.0/24
out ranges:
10.114.0.0 - 10.114.0.7
active sessions: 0
max internal hosts: 32768
max sessions: 8388608
in/out ratio: 32
port block size: 128
port blocks per out address: 504
port blocks per in address: 4
state counters:
unknown: 0
active: 0
syn_sent: 0
established: 0
fin_wait: 0
close_wait: 0
closing: 0
last_ack: 0
closed: 0
icmp_active: 0
dns: 0
gre: 0
Output NAT sessions
sh snat sessions map 1
Example:
# rcli sh snat sessions map 1
in addr:port out addr:port ext addr:port proto state expire in secs
Deletes a translation map.
snat del map <map-id>
Adds an ip address prefix to the map's internal ip adddress space
snat map <map-id> add in prefix <net/mask>
Example:
snat map 1 add in prefix 10.0.0.0/16
Deletes an ip address prefix from the map's internal ip adddress space
snat map <map-id> del in prefix <net/mask>
Example:
snat map 1 del in prefix 10.0.0.0/16
Adds an ip range to the map's out ip adddress space
snat map <map-id> add out range <ipv4-from> <ipv4-to>
Example:
snat map 1 add out range 1.1.1.10 1.1.1.20
Deletes an ip range from the map's out ip adddress space
snat map <map-id> del out range <ipv4-from> <ipv4-to>
Example:
snat map 1 del out range 1.1.1.10 1.1.1.20
Adds an ipv4 prefix to the map's out ip adddress space
snat map <map-id> add out prefix <net/mask>
Example:
snat map 1 add out prefix 1.1.1.0/24
Deletes an ipv4 prefix from the map's out ip adddress space
snat map <map-id> del out prefix <net/mask>
Example:
snat map 1 del out prefix 1.1.1.0/24
Excludes one of out ip addresses from the map's out ip adddress space
snat map <map-id> out ip <ipv4_address> disable
Example:
snat map 1 out ip 1.1.1.128 disable
Restores one of the previously disabled out ip addresses
snat map <map-id> out ip <ipv4_address> enable
Example:
snat map 1 out ip 1.1.1.128 enable
Enables snat function on a particular interface.
snat vif <vif-name> enable
Example:
snat vif v20 enable
Disables snat function on a particular interface.
snat vif <vif-name> disable
snat vif <vif-name> add map <map-id>
Adds a map to an interface.
Once a map is added to an interface and snat function is enabled the interface will start performing SNAT translations accoriding with the map's parameters.
Example:
snat vif v20 add map 1
Deletes a map from an interface.
snat vif <vif-name> del map <map-id>
Example:
snat vif v20 del map 1
Creates a DNAT rules table for a SNAT map.
rcli snat add dnat map <map-id> size <dnat-map-size>
- map-id - id of already existing SNAT map;
- dnat-map-size - maximum number of DNAT rules that can be stored in a DNAT map;
Deletes the DNAT rules table from a SNAT map.
rcli snat del dnat map <map-id>
- map-id - id of already existing SNAT map;
Adds a new DNAT rule.
rcli snat add dnat rule map <map-id> out <addr:port> in <addr:port> <ip_proto>
- map-id - id of already existing SNAT map;
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Deletes a DNAT rule.
rcli snat del dnat rule map <map-id> out <addr:port> <ip_proto>
- map-id - id of already existing SNAT map;
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
rcli sh dnat rules map <map-id>
Outputs DNAT rules.
TheRouter implements the Deterministic SNAT44 algorithm according with rfc7422 https://tools.ietf.org/html/rfc7422
Creates a map to translate one ipv4 address space (in) to another (out) ipv4 address space.
det snat create map <map-id> in <addrs/mask> out <addr/mask> sess <nb_sess_per_host>
- nb_sess_per_host - maximum number of translation sessions per "in" network's host
Example:
det snat create map 1 in 10.11.1.0/24 out 10.114.0.0/29 sess 1024
Deletes a translation map.
det snat del map <map-id>
Deletes all translation sessions from the map.
det snat flush sess map <map-id>
Output translation maps.
sh det snat maps
Example:
h5 ~ # rcli sh det snat maps
SNAT deterministic map
map id: 2
internal net: 10.xx.1.0/24
external net: 10.xx.0.0/29
size: 524288
active sessions: 63
ports per host: 2016
sessions per host: 2048
dnat map: none
state counters:
unknown: 0
active: 0
syn_sent: 0
established: 62
fin_wait: 0
close_wait: 0
closing: 0
last_ack: 0
closed: 0
icmp_active: 0
dns: 1
gre: 0
Enables deterministic snat function on a particular interface.
det snat vif <vif-name> enable
Example:
det snat vif v3 enable
Disables deterministic snat function on a particular interface.
det snat vif <vif-name> disable
det snat vif <vif-name> add map <map-id>
Adds a map to an interface.
Once a map is added to an interface and snat function is enabled the interface will start performing SNAT translations accoriding with the map's parameters.
Example:
det snat vif v3 add map 1
Deletes a map from an interface.
det snat vif <vif-name> del map <map-id>
Example:
det snat vif v3 del map 1
Show mapping ports of a particulat host. According to the Deterministic NAT algorithm all host translations will exclusively use ports from a specific port range.
sh det snat mapping alg map <map-id> in <host>
- host - ipv4 address of host from "in" network
Example:
h5 ~ # rcli sh det snat mapping alg map 1 in 10.11.1.10
in 10.11.1.10 -> out 10.114.0.0 ports 21184 - 23199
Determines a host address from "in" network by address and port from "out" network.
sh det snat mapping alg map <map-id> out <addr:port>
- addr - a translated (out) address
- port - a translated (out) port
Example:
h5 ~ # rcli sh det snat mapping alg map 1 out 10.114.0.0:23199
out 10.114.0.0:23199 -> in 10.11.1.10
Outputs session state's timeout values.
Example:
~ rcli sh det snat timeout
unknown: 30
active: 40
syn_sent: 30
established: 7200
fin_wait: 30
close_wait: 30
closing: 30
last_ack: 30
closed: 30
icmp_active: 30
dns: 4
gre: 7200
Sets timeout for translations with a particular state.
det snat timeout <state-name> <timeout>
- timeout - timeout value in seconds
- state-name - name of the translation session state
List of states:
unknown
active
syn_sent
established
fin_wait
close_wait
closing
last_ack
closed
icmp_active
dns
gre
Example:
det snat timeout established 1200
Closes and deletes all translation sessions of a particular host.
det snat close sess map <map-id> in <addr>
- addr - ipv4 address of host from "in" network
Example:
det snat close sess map 1 in 10.11.1.10
Closes and deletes a translation session of a particular host.
det snat close sess map <map-id> in <addr:port> ext <addr:port> <ip_proto>
- in addr:port - ipv4 address and port of the internal endpoint of the translation
- ext addr:port - ipv4 addres and port of the external endpoint of the translation
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Example:
det snat close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443 tcp
Closes and deletes a translation session of a particular host.
det snat close sess map <map-id> out <addr:port> ext <addr:port> <ip_proto>
- in addr:port - translated (out) ipv4 address and port of the internal endpoint of the translation
- ext addr:port - ipv4 addres and port of the external endpoint of the translation
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Example:
det snat close sess map 1 out 10.114.0.0:21828 ext 13.94.102.123:443 tcp
Outputs a translation session with "in" address.
sh det snat sess map <map-id> in <addr:port> ext <addr:port> <ip_proto>
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Outputs a translation session with "out" address.
sh det snat sess map <map-id> out <addr:port> ext <addr:port> <ip_proto>
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Output translations sessions of a host.
sh det snat sessions map <map-id> in <in-addr>
Example:
h5 ~ # rcli sh det snat sessions map 1 in 10.11.1.10 | head
in addr:port out addr:port ext addr:port state expire in secs
10.11.1.10:62829 10.114.0.0:21517 xx.xx.xx.95:443 tcp_established 1637
10.11.1.10:62862 10.114.0.0:21550 xx.xx.xx.95:443 tcp_established 1652
10.11.1.10:63160 10.114.0.0:21848 xx.xx.xx.95:443 tcp_established 2631
10.11.1.10:63161 10.114.0.0:21849 xx.xx.xx.95:443 tcp_established 2631
10.11.1.10:63222 10.114.0.0:21910 xx.xx.xx.95:443 tcp_established 2657
10.11.1.10:63223 10.114.0.0:21911 xx.xx.xx.95:443 tcp_established 2657
10.11.1.10:63233 10.114.0.0:21921 xx.xx.xx.95:443 tcp_established 2669
10.11.1.10:63234 10.114.0.0:21922 xx.xx.xx.95:443 tcp_established 2669
10.11.1.10:63275 10.114.0.0:21963 xx.xx.xx.95:443 tcp_established 2773
An integer sysctl variable that defines size of the session hashtable's bucket.
To increase the performance of NAT session lookups a subscriber's session array is organized like a hashtable. It means that sessions are stored in the array in a special order which is based on a session's hash value. The hash value is calculated based on the session's external address and external port. All sessions with the same hash value are always stored in the same bucket. Using buckets increase performance, since the lookup operation have to scan only the bucket area (200 slots, for example) instead of on scanning the whole array (2048 slots, for example) in order to find a nat session.
Example
rcli sysctl get det_nat_sess_bucket_size
200
Adds map's internal and external prefixes to a prefix map.
det snat map <nat-map-id> add to prefix map <prefix-map-id>
Deletes map's internal and external prefixes from a prefix map.
det snat map <nat-map-id> del from prefix map <prefix-map-id>
Enables collecting debug statistic for "no-free-ports" and "session-overflow" events.
sysctl set det_snat_debug_stat 1
Outputs debug statistic counters of the deterministic nat module
Example:
# rcli sh det snat debug stat
ip no_free_ports sess_overflows
Outputs debug statistic counters for a particular ip address
Example:
# rcli sh det snat debug stat 1.1.1.1
ip no_free_ports sess_overflows
Clears debug statistic counters.
Creates a DNAT rules table for an SNAT map.
rcli det snat add dnat map <map-id> size <dnat-map-size>
- map-id - id of already existing SNAT map;
- dnat-map-size - maximum number of DNAT rules that can be stored in a DNAT map;
Deletes a DNAT rules table from an SNAT map.
rcli det snat del dnat map <map-id>
- map-id - id of already existing SNAT map;
Adds a new DNAT rule.
rcli det snat add dnat rule map <map-id> out <addr:port> in <addr:port> <ip_proto>
- map-id - id of already existing SNAT map;
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
Note that when creating a DNAT rule you have to use an output port number from a port range reserved for the input ip address used in the rule.
To determine the port range reserved for the input ip address use the command "sh det snat mapping". For example:
# rcli sh det snat mapping alg map 1 in 10.11.1.11
in 10.11.1.11 -> out 10.114.0.0 ports 23200 - 25215
Deletes a DNAT rule.
rcli det snat del dnat rule map <map-id> out <addr:port> <ip_proto>
- map-id - id of already existing SNAT map;
- ip_proto - name of ipv4 protocol: icmp, tcp, udp or gre
rcli sh det dnat rules map <map-id>
Outputs DNAT rules.
Creates a map to translate one set of ipv4 addresses into another using 1:1 relations.
nat11 create map <map-id> in <addrs/mask> size <map_size> sess <nb_sess_per_host>
- in <addrs/mask> - internal ipv4 address space
- nb_sess_per_host - maximum number of translation sessions per internal network host
- map_size - maximum number of 1:1 translation rules
Example:
nat11 create map 1 in 10.11.1.0/24 size 1024 sess 2048
Deletes a translation map.
nat11 del map <map-id>
Enables nat 1:1 function on a particular interface.
nat11 vif <vif-name> enable
Example:
nat11 vif v3 enable
Disables nat 1:1 function on a particular interface.
nat11 vif <vif-name> disable
nat11 vif <vif-name> add map <map-id>
Adds a map to an interface.
Once a map is added to an interface and nat 1:1 function is enabled the interface will start performing NAT 1:1 translations accoriding with the map's parameters.
Example:
nat11 vif v3 add map 1
Deletes a map from an interface.
nat11 vif <vif-name> del map <map-id>
Example:
nat11 vif v3 del map 1
Adds a NAT 1:1 translation rule to the map
nat11 rule add map <map-id> <internal ipv4 address> <translation ipv4 addres>
Example:
nat11 rule add map 1 10.0.0.1 10.114.0.5
Deletes a NAT 1:1 translation rule from the map.
nat11 rule del map <map-id> <internal ipv4 address>
Example:
nat11 rule del map 1 10.0.0.1
Closes and deletes a translation session of a particular host.
nat11 close sess map <map-id> in <addr:port> ext <addr:port>
- in addr:port - ipv4 address and port of the internal endpoint of the translation
- ext addr:port - ipv4 addres and port of the external endpoint of the translation
Example:
nat11 close sess map 1 in 10.11.1.10:63140 ext 13.94.102.123:443
Outputs translation maps.
sh nat11 maps
Outputs translation rules.
sh nat11 rules map <map-id>
Outputs nat11 translation sessions of a particular internal ipv4 host.
sh nat11 sessions map <map-id> in <internal-ipv4-address>
A NAT policy functions enable to apply different NAT maps to traffic based on various ip matching criteria such as prefix, prefix map, ipset.
A NAT policy is a sorted list of policy rules. The policy rule uses one of matching criteria to apply a particular nat map to the packets matching that criterion. The module starts at the rule with the lowerest position and once the rule's match criterion fires the module stops the searching process.
Outputs NAT policy rules.
Example:
# rcli sh nat policy
nat policy id 1:
nat policy rules:
10: from prefix map 1 -> nat map snat44
100: from ipset nat_ipset -> nat map snat1to1:10
Creates a new NAT policy.
nat policy add <policy_id>
Example
nat policy add 1
snat44
snat1to1
Deletes a NAT policy.
nat policy del <policy_id>
Example
nat policy del 1
Adds a prefix rule to the policy. This rule uses a prefix to match ingress packets source ip addresses.
nat policy rule add <policy_id> pos <number> from prefix <ipv4/mask> map <nat_map_type> <nat_map_id>
Example
nat policy rule add 1 pos 10 from prefix 10.0.0.0/24 map snat44 2
Adds a prefix rule to the policy. This rule uses a prefix map to match ingress packets source ip addresses.
nat policy rule add <policy_id> pos <number> from prefix map <prefix_map_id> map <nat_map_type> [<nat_map_id>]
When the nat_map_id value is omited, prefix map's values are used as map's id values to lookup the right NAT map.
Example
nat policy rule add 1 pos 20 from prefix map 1 map snat1to1 10
prefix_map_id is the id of an already created prefix map.
Adds a prefix rule to the policy. This rule uses a ipset to match ingress packets source ip addresses.
nat policy rule add <policy_id> pos <number> from ipset <ipset_name> map <nat_map_type> <nat_map_id>
Example
nat policy rule add 1 pos 100 from ipset nat_ipset map snat1to1 10
ipset_name is the name of an already created ipset.
Deletes a prefix rule from the policy.
nat policy rule del <policy_id> pos <number>
Example
nat policy rule add 1 pos 10
Adds a nat policy to a VIF.
nat policy add vif <vif_name> <policy_id>
Example
nat policy add vif v3 1
Deletes a nat policy from a VIF.
nat policy del vif <vif_name> <policy_id>
Example
nat policy del vif v3 1
Loads NPF configuration file. Note that a path to the file should be double-quoted.
npf load "<path_to_npf_configuration_file>"
sh npf conndb size
sh npf conndb summary
sh npf conndb summary sip
sh npf stat
npf clear stat
Adds a prefix to the NPF connection limit list. NPF uses the connection limit list when decides whether or not to limit the number of connections in a group. See the description of the "npf_conn_limit_group_by" and "npf_conn_limit_filter_mode" sysctl variables for more details.
npf connection limit filter add <net>/<mask>
Example:
rcli npf connection limit filter add 10.11.1.0/24
Deletes a prefix from the NPF connection limit list. NPF uses the connection limit list when decides whether or not to limit the number of connections in a group. See the description of the "npf_conn_limit_group_by" and "npf_conn_limit_filter_mode" sysctl variables for more details.
npf connection limit filter del <net>/<mask>
Example:
rcli npf connection limit filter del 10.11.1.0/24
Outputs the number of connections in the group with the given ip address and the maximum number of connections that can be in the group. See the description of "npf_conn_limit_group_by" sysctl variable to see how connections could be grouped.
rcli npf connection limit get <ip>
Example:
rcli npf connection limit get 10.11.1.10
ip connections max connections
10.11.1.10 114 1024
Sets the maximum number of connections of a group. See the description of "npf_conn_limit_group_by" sysctl variable to see how connections could be grouped.
rcli npf connection limit set <ip> <max_connections>
Example:
rcli npf connection limit set 10.11.1.10 1024
An integer sysctl variable that defines a criteria how to group connections.
sysctl set npf_conn_limit_group_by <mode>
or
sysctl get npf_conn_limit_group_by
Where mode is:
0 - don't group connections and don't limit the number of connections
in a group;
1 - limit the number of connection in a group. group connections
by the source ip address;
2 - limit the number of connection in a group. group connections
by the destination ip address;
An integer sysctl variable that sets up a filtering mode of the NPF connection limit function.
sysctl set npf_conn_limit_filter_mode <mode>
or
sysctl get npf_conn_limit_filter_mode
Where mode is:
0 - turn filtering off, i.e. limit all connections;
1 - turn filtering on and limit only the conections with source ip addresses
that match prefixes in the connection limit list;
2 - turn filtering on and limit only the conections with destination ip addresses
that match prefixes in the connection limit list;
An integer sysctl variable that defines the default maximum number of connections in the group.
* NPF_TCPS_CLOSED
* NPF_TCPS_SYN_SENT
* NPF_TCPS_SIMSYN_SENT
* NPF_TCPS_SYN_RECEIVED
* NPF_TCPS_ESTABLISHED
* NPF_TCPS_FIN_SENT
* NPF_TCPS_FIN_RECEIVED
* NPF_TCPS_CLOSE_WAIT
* NPF_TCPS_FIN_WAIT
* NPF_TCPS_CLOSING
* NPF_TCPS_LAST_ACK
* NPF_TCPS_TIME_WAIT
* NPF_ANY_CONN_CLOSED
* NPF_ANY_CONN_NEW
* NPF_ANY_CONN_ESTABLISHED
Example:
runtime {
...
# any protocol timeouts (UDP)
sysctl set NPF_ANY_CONN_CLOSED 2
sysctl set NPF_ANY_CONN_NEW 30
sysctl set NPF_ANY_CONN_ESTABLISHED 60
# TCP timeouts
sysctl set NPF_TCPS_CLOSED 10
sysctl set NPF_TCPS_SYN_SENT 30
sysctl set NPF_TCPS_SIMSYN_SENT 30
sysctl set NPF_TCPS_SYN_RECEIVED 60
sysctl set NPF_TCPS_ESTABLISHED 600
sysctl set NPF_TCPS_FIN_SENT 240
sysctl set NPF_TCPS_FIN_RECEIVED 240
sysctl set NPF_TCPS_CLOSE_WAIT 45
sysctl set NPF_TCPS_FIN_WAIT 60
sysctl set NPF_TCPS_CLOSING 30
sysctl set NPF_TCPS_LAST_ACK 30
sysctl set NPF_TCPS_TIME_WAIT 120
...
}
sysctl set nat_events 1
nel collector addr <collector ipv4 address> [port <port>] [proto 9 | 10]
Example
nel collector addr 10.0.0.1 port 9995 proto 9
Proto:
- 9 - netflow v9
- 10 - ipfix
shutdown
Displays the version of TheRouter software.
sh ver
Displays the uptime of TheRouter process.
sh uptime
Displays port's packet counters.
Example:
sh port general stat
port 0
pkts rx 2701128
pkts tx 2221199
bytes rx 1586718600
bytes tx 1540072355
errors rx 0
errors tx 0
missed 0
rx_nombuf 0
Displays packet counters grouped by lcores.
Example:
# rcli sh port stat
port send_failed send_ok
lcore 1: 0 0 1556192
lcore 2: 0 0 437540
lcore 3: 0 0 227333
lcore 4: 0 0 0
lcore 5: 0 0 0
lcore 6: 0 0 0
lcore 7: 0 0 0
lcore 8: 0 0 0
lcore 9: 0 0 0
lcore 10: 0 0 0
lcore 11: 0 0 0
lcore 12: 0 0 0
lcore 13: 0 0 0
lcore 14: 0 0 0
lcore 15: 0 0 0
total: 0 0 2221065
Displays port's extended packet counters.
Example:
# rcli sh port xstat
port 0
rx_good_packets 2702535
tx_good_packets 2221993
rx_good_bytes 1586895940
tx_good_bytes 1540186436
rx_q0packets 2702535
rx_q0bytes 1586895940
tx_q0packets 2221993
tx_q0bytes 1540034116
mac_local_errors 3
mac_remote_errors 1
rx_size_64_packets 350936
rx_size_65_to_127_packets 1050314
rx_size_128_to_255_packets 257371
rx_size_256_to_511_packets 47232
rx_size_512_to_1023_packets 32387
rx_size_1024_to_max_packets 964295
rx_broadcast_packets 35939
rx_multicast_packets 98145
rx_total_packets 2702819
rx_total_bytes 1586951636
tx_total_packets 2221993
tx_size_64_packets 18027
tx_size_65_to_127_packets 1035247
tx_size_128_to_255_packets 155297
tx_size_256_to_511_packets 27883
tx_size_512_to_1023_packets 21215
tx_size_1024_to_max_packets 964324
tx_multicast_packets 1016
tx_broadcast_packets 62
rx_l3_l4_xsum_error 8513
out_pkts_untagged 2221993
Displays the mbuf usage.
Example:
# rcli sh mbuf stats
socket 0 mbuf: free 14450, allocated 1934
Displays global statistics counters.
Example:
# rcli sh stat
dropped local 0
dropped unknown_vif 43027
dropped invalid_ipv4 0
dropped dst unreachable 12
dropped blackhole 52084
dropped bad_port 0
dropped dst_mac_is_unknown 4
dropped npf_in 0
dropped npf_out 7003
blocked by npf_in 0
blocked by npf_out 0
dropped other_errs 0
local pkts in 92539
local pkts out 0
local UDP pkts in 5578
local UDP pkts out 0
local pkts dropped 0
fragmentation overflow 0
no ctrl mbuf left 0
no mbuf left 0
no timer left 0
worker-cplane ring overflow 0
invalid ipv6 pkts 0
Clears global statistic counters.
Sets a sysctl variable value.
sysctl set <name> <value>
for string variables:
sysctl set <name> "<value>"
Display a sysctl variable value.
sysctl get <name> <value>
Enables IPv6 protocol on an interface, create link-local address using the eui-64 scheme.
ipv6 enable dev <vif_name>
Disables IPv6 protocol on the interface. Deletes all addresses and routes depending on the interface.
ipv6 disable dev <vif_name>
Displays ipv6 addresses assigned to interfaces.
sh ipv6 addr
Generates an address using the given prefix and the interface id (EUI64 scheme) and assigns the address to the interface.
ipv6 addr add eui-64 <prefix>/<length> eui-64 dev <vif_name>
Assigns an ipv6 address to an interface.
ipv6 addr add <address>/<length> dev <vif_name>
Assigns the given ipv6 link-local address to an interface.
ipv6 addr link-local <address> dev <vif_name>
Generates a link-local address using the eui-64 scheme and assigns it to an interface.
ipv6 addr link-local eui-64 dev <vif_name>
Enables SLAAC client on an interface. Once enabled TheRouter starts assigning dynamic ipv6 addresses on an interface based on the information received in Router Advertisement messages.
ipv6 addr auto dev <vif_name> enable|disable
Deletes an address from an interface.
ipv6 addr del <address or prefix>/<length> dev <vif_name>
Displays content of an ipv6 routing table.
sh ipv6 route [table <rt_table_name>]
Adds a connected route to a prefix into a routing table.
ipv6 route add <prefix/prefix-length> dev <vif_name> [table <ipv6_routing_table>]
Adds a route to a prefix reachable via a gateway into a routing table.
ipv6 route add <prefix/length> dev <vif_name> via <ipv6-address> [table <ipv6_routing_table>]
Adds the default route into a routing table.
ipv6 route add ::/0 via <ipv6-address> [table <ipv6_routing_table>]
Adds an unreachable route into a routing table.
ipv6 route add <prefix/length> unreachable [table <ipv6_routing_table>]
Deletes a route from a routing table.
ipv6 route del <prefix/length> [table <ipv6_routing_table>]
Enables installation of the default route based on the information from Router Advertisement messages. Once enabled TheRouter will create the default route based on the first RA message received on the interface and will associate a timer with that route. The timer will be set to RA.lifetime value. When it expires the default route will be deleted and TheRouter will be ready to install a new default route as soon as it receives another RA message.
ipv6 route default auto dev <vif_name> enable|disable
Adds an new ipv6 route table to the FIB.
ipv6 route table add <route table name>
Deletes an ipv6 route table from the FIB.
ipv6 route table del <route table name>
Adds an ipv6 PBR rule to the rule list at the given position "rule priority number".
ipv6 pbr rule add prio <rule priority number> from <ipv6 prefix/length> table <route table name>
Adds an ipv6 PBR rule to the rule list at the position "rule priority number". Only 'l2' value of the 'set type' parameter is supported so far
ipv6 pbr rule add prio <rule priority number> u32set <set name> <set type> table <route table name>
Deletes an ipv6 PBR rule from the rule list from the position "rule priority number".
ipv6 pbr rule del prio <rule priority number>
Enables or disables Router Advertisements at an interface. If disabled router will not transmit Router Advertisement messages at an interface and will not answer to Router Solicitation messages.
ipv6 nd ra enable|disable dev <vif_name>
Displays ipv6 neighbor cache entries.
sh ipv6 arp
Creates or alters an ipv6 neighbor cache entry.
ipv6 arp add <ipv6-address> <mac-address> dev <vif_name> [static]
Deletes an ipv6 neighbor cache entry.
ipv6 arp del <ipv6-address> dev <vif_name>
Enables or disables generation of ICMP messages with the given type and code.
icmp6 error msg type <number> code <number> enable|disable
Displays the state of an ICMP error message.
sh icmp6 error msg type <number> code <number>
Configures the value of the lifetime field of Router Advertisement messages sent from an interface.
ipv6 nd ra lifetime <number> dev <vif_name>
Configures the MinRtrAdvInterval and MaxRtrAdvInterval values (seconds) See https://tools.ietf.org/html/rfc4861#page-40 6.2.1. Router Configuration Variables.
ipv6 nd ra interval <min_number> <max_number> dev <vif_name>
Configures the value to be placed in the Reachable Time field
in the Router Advertisement messages sent by the router.
The value zero means unspecified (by this router).
MUST be no greater than 3,600,000 milliseconds (1 hour).
ipv6 nd ra reachable <number> dev <vif_name>
Configures the value to be placed in the Retrans Timer field
in the Router Advertisement messages sent by the router.
The value zero means unspecified (by this router).
ipv6 nd ra retrans_timer <number> dev <vif_name>
Configures the default value to be placed in the Cur Hop Limit field in the Router Advertisement messages sent by TheRouter. The value should be set to the current diameter of the Internet. The value zero means unspecified (by this router).
ipv6 nd ra hop_limit <number> dev <vif_name>
Adds or updates a prefix to/in Router Advertisement messages sent from an interface.
ipv6 nd ra prefix add|update <prefix/length> [valid_lt <number>]
[preferred_lt <number>] [flags O,A] dev <vif_name>
Deletes a prefix from Router Advertisement messages sent from an interface.
ipv6 nd ra prefix add <prefix/length> dev <vif_name>
The time in milliseconds between retransmissions of Neighbor Solicitation messages to a neighbor when resolving the address or when probing the reachability of a neighbor.
Max number of ipv6 routing tables
Max number of ipv6 route entries
Max number of ipv6 next hop entries
Max number of lpm6 tbl8. See https://doc.dpdk.org/guides/prog_guide/lpm6_lib.html
Max number of solicited node addresses
Size of the ipv6 neighbor cache.
ipv6 neigbour cache entry time to live. Seconds.
Icmpv6 error transmission rate in packets per seconds.
Max number of icmpv6 error messages that could be send at once.
Num icmp6 buckets.
Number of seconds to delay the transmission of router solicitation messages.
Number of attempts for Duplicate address detection algorithm.
Creates a new vrrp group.
vrrp create group <vrrp_id> dev <vif_name> address-family af_ipv6 version 3
Setups or changes ipv6 link-local address of a vrrp3 ipv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 add <link-local ipv6 address>
Adds a secondary ipv6 global address to a vrrp3 ipv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 add <ipv6_address> secondary
Deletes a secondary ipv6 global address from a vrrp3 ipv6 group.
vrrp group <vrrp_id> dev <vif_name> ipv6 del <ipv6_address> secondary
Changes the priority of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> prio <value>
Changes the advertisement transmission interval (cetiseconds, 100 centiseconds == 1 sec) of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> advert_int <value>
Changes the accept_mode of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> accept_mode <on|off>
Changes the preempt_mode of a vrrp group.
vrrp group <vrrp_id> dev <vif_name> preempt_mode <on|off>
Displays a vrrp group.
sh vrrp
Deletes a vrrp group.
vrrp del group <vrrp_id> dev <vif_name>
Enables or disables transmission of ND Router Advertisement messages for a VRRP IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra enable|disable
Configures lifetime field value of Router Advertisement messages sent for a VRRP IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra lifetime <value>
Configures the MinRtrAdvInterval and MaxRtrAdvInterval values (seconds) See https://tools.ietf.org/html/rfc4861#page-40 6.2.1. Router Configuration Variables.
vrrp group <vrrp_id> dev <vif_name> nd ra interval <min_number> <max_number>
Configures the value to be placed in the Reachable Time field
in the Router Advertisement messages sent by TheRouter.
The value zero means unspecified (by this router).
MUST be no greater than 3,600,000 milliseconds (1 hour).
vrrp group <vrrp_id> dev <vif_name> nd ra reachable <number>
Configures the value to be placed in the Retrans Timer field
in the Router Advertisement messages sent by the router.
The value zero means unspecified (by this router).
vrrp group <vrrp_id> dev <vif_name> nd ra retrans_timer <number>
Configures the default value to be placed in the Cur Hop Limit field in the Router Advertisement messages sent by the router. The value should be set to the current diameter of the Internet. The value zero means unspecified (by this router).
vrrp group <vrrp_id> dev <vif_name> nd ra hop_limit <number>
Adds or updates a prefix to/in Router Advertisement messages sent for a VRRP IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra prefix add|update <prefix/length> [valid_lt <number>]
[preferred_lt <number>] [flags O,A]
Deletes a prefix from Router Advertisement messages sent for a VRRP IPV6 group.
vrrp group <vrrp_id> dev <vif_name> nd ra prefix add <prefix/length> dev <vif_name>
Configures flow accounting ipfix collector address and port. Default port value is 4739.
flow ipfix_collector addr <ipv4 address> [port <port-number>]
Configures flow accounting collector address and port. Default port value is 4739. Default proto value is 10. Current supported protocols: 9 - netflow v9, 10 - IPFIX.
flow collector addr <ipv4 address> [port <port-number>] [proto 9|10]
Shows flow accounting statistic counters.
sh flow stat
To enable flow accounting on a particular VIF use the VIF flag "flow_acct". For example:
vif add name v3 port 2 type dot1q cvid 3 flags flow_acct
or use "vif flags" command
vif flags up name v3 flags flow_acct
A boolen sysctl variable that defines the flow accounting state. When enabled flow accouting is generated for forwarded/transit traffic.
0 - disabled
1 - enabled
A boolean sysctl variable that controls whether to generate flow accounting for the input/output traffic or not.
0 - disabled
1 - enabled
A boolean sysctl variable that enables flow accounting of dropped packets.
0 - disabled
1 - enabled
An integer sysctl variable. It defines the idle timeout of traffic flow in seconds. When the idle timeout expires a traffic flow is exported.
An integer sysctl variable that defines the active timeout of traffic flow in seconds. When the active timeout expires a traffic flow is exported.
An integer sysctl variable that defines the maximum number of concurrent ipv4 flows entries.
An integer sysctl variable that defines the maximum number of concurrent ipv6 flows entries.
An integer sysctl variable that defines the maximum number of ipv4 flows entries that a worker lcore can process concurrently.
An integer sysctl variable that defines the maximum number of ipv6 flows entries that a worker lcore can process concurrently.
Access control lists can be used to filter traffic incoming to an interface (ingress) or outging from an interface. Multiple ACL can be applied to the same interface and a single ACL can be applied to many interfaces.
Each interface has two ACL list: ingress and egress. An interface ACL list stores ACL in sorted order. The position of ACL in the list is defined by a priority specified by a user.
An ACL, in turn, consists of rules. The position of a rule in an ACL is also defined by priority.
When a packet comes into an interface it is compared to the rules of ACLs from the ingress list, when a packet is transmitted from an interface it is compared to the rules of ACLs from the egress list. First, a packet is compared to the rules of the ACL with the minimum priority. Then the process goes to the next ACL with greater priority.
When a packet is matched to an ACL rule, the ACL process is stopped and the action defined by the ACL is taken to the packet. It could be a drop or permit action.
If a packet is not matched to any ACL rule the process goes to the next ACL in the list. If there are no more ACL in the list, then the action opposite to the action defined by ACL is taken. For example, if a packet is not matched to any rule of a deny ACL, then the packet is permitted. And when a packet isn't matched to any rule of a permit ACL the packet is dropped. So, the last ACL in the list defines the fate of a packet when no matches are found. Note that empty ACLs are not included into interfaces list of ACL and won't be taken into account when a packet isn't matched to any ACL rules.
Creates a new access control list.
vif acl create aclid <acl_id> type <acl_type> <action>
Parameters:
- acl_id - unique numeric identificator
- acl_type - type. It can be one of the following types:
- ipv4_tuple - define an ACL that can classify packets using combination of following fields: protocol type, ipv4 source address, ipv4 destination address, l4 source port, l4 destination port
- ipv6_tuple - define an ACL that can classify packets using combination of following fields: protocol type, ipv6 source address, ipv6 destination address, l4 source port, l4 destination port
- action: action to take for a packet when a match is found. It can be one of the following
values:
- deny - drop a packet when a match is found
- permit - permit a packet when a match is found
Example:
vif acl create aclid 10 type ipv6_tuple deny
Destroys the ACL with the given ID.
vif acl destroy aclid <acl_id>
Parameters:
- acl_id - unique numeric identificator of a ACL to delete
Example:
vif acl destroy aclid 10
Apply an ACL to an interface. The command adds an ACL to the ingress or egress list of ACLs of an interface at position with number prio.
vif acl add dev <vif_name> dir <direction> aclid <acl_id> prio <prio>
Parameters:
- vif_name - the name of the interface to add the ACL to;
- direction - specifies the interface list of ACLs to add to Can be one the two values: ingress or egress;
- acl_id - the numeric identificator of the ACL to add to the interface;
- prio - position in the interface's ACL list to put the ACL at
Example:
vif acl add dev v5 dir ingress aclid 10 prio 30
Removes an ACL from an interface. The command deletes an ACL from the ingress or egress list of ACLs of an interface.
vif acl del dev <vif_name> dir <direction> aclid <acl_id>
Parameters:
- vif_name - the name of the interface to delete the ACL from;
- direction - specifies the interface list of ACLs to delete from. Can be one the two values: ingress or egress;
- acl_id - the numeric identificator of the ACL to delete
Example:
vif acl del dev v5 dir ingress aclid 10
Changes the position of an ACL in the list of ACLs on an interface
vif acl modify dev <vif_name> dir <direction> aclid <acl_id> prio <prio>
Parameters:
- vif_name - the name of the interface;
- direction - specifies the interface list of ACLs. Can be one the two values: ingress or egress;
- acl_id - the numeric identificator of the ACL to modify;
- prio - a new position of the ACL;
Example:
vif acl modify dev v5 dir ingress aclid 10 prio 40
Deletes all rules from an ACL.
vif acl flush aclid <acl_id>
Parameters:
- acl_id - the numeric identificator of the ACL to delete rules from
Example:
vif acl flush aclid 10
Adds a rule to an ACL.
vif acl rule <ip_version> add aclid <acl_id> prio <prio> [proto <protocol_number>]
[src <src_prefix>] [dst <dst_prefix>] [sport <src_port_range>] [dport <dst_port_range>]
Parameters:
- ip_version - version of the IP protocol. Can be on of two values: ipv4 or ipv6;
- acl_id - the numeric identificator of the ACL to add the rule to;
- prio - position of the rule in the ACL
- proto - ip protocol number
- src_prefix - source ip prefix
- dst_prefix - destination ip prefix
- src_port_range - l4 source port range: for example: 8080 8090
- dst_port_range - l4 destination port range
Examples:
vif acl rule ipv4 add aclid 11 prio 21 proto 6 src 10.1.0.0/24 dst 10.2.0.0/24 sport 10 20 dport 80
or
vif acl rule ipv4 add aclid 11 prio 21 dst 10.1.0.0/24 dport 80
or
vif acl rule ipv6 add aclid 10 prio 20 dst 2a00:1450:400c:c07::8b dport 80
Deletes a rule from an ACL.
vif acl rule <ip_version> del aclid <acl_id> prio <prio>
Parameters:
- ip_version - version of the IP protocol. Can be on of two values: ipv4 or ipv6
- acl_id - numeric identificator of an ACL to add a rule to
- prio - position of a rule in the ACL
Example:
vif acl rule ipv4 del aclid 11 prio 21
Modify a rule in an ACL.
vif acl rule <ip_version> modify aclid <acl_id> prio <prio> [proto <protocol_number>]
[src <src_prefix>] [dst <dst_prefix>] [sport <src_port_range>] [dport <dst_port_range>]
Parameters:
- ip_version - version of the IP protocol. Can be on of two values: ipv4 or ipv6
- acl_id - the numeric identificator of the ACL to add the rule to
- prio - position of the rule in the ACL
- proto - ip protocol number
- src_prefix - source ip prefix
- dst_prefix - destination ip prefix
- src_port_range - l4 source port range: for example: 8080 8090
- dst_port_range - l4 destination port range
Examples:
vif acl rule ipv4 modify aclid 11 prio 21 proto 6 src 10.1.0.0/24 dst 10.2.0.0/24 sport 10 20 dport 80
or
vif acl rule ipv4 modify aclid 11 prio 21 dst 10.1.0.0/24 dport 80
or
vif acl rule ipv6 modify aclid 10 prio 20 dst 2a00:1450:400c:c07::8b dport 80
Outputs ACL rules.
sh vif acl rules aclid <acl_id>
Parameters:
- acl_id - numeric identificator of an ACL to show
Example:
sh vif acl rules aclid 11
acl id 11, type ipv4_tuple, action deny, num rules 1
--
prio 21, proto any, src any, dst 10.1.1.0/24, sport any, dport 81
Outputs interfaces and ACL applied to them
sh vif
Example:
# rcli sh vif
vif v5, id 3
port 0, vlan 0.5, encapsulation dot1q
mac address 00:1B:21:A3:0C:88
NPF index 12
CAR ingress not set
egress not set
ACL ingress prio 30 acl 10, prio 40 acl 11
egress not set
Outputs connected/online pppoe subscribers
sh pppoe subsc
Outputs the particular pppoe subscriber with the given user-name
sh pppoe subsc <user-name>
Example:
sh pppoe subsc alexk
vif_id username mac svid cvid session_id ip addr mtu ingress cir egress cir rx_pkts tx_pkts rx_bytes tx_bytes uptime
5 alexk 84:16:F9:BD:54:F7 0 3 1 10.11.12.30 1492 100000 100000 182057 269266 18608751 328714627 2 hour(s), 58 min(s), 7 sec(s)
Disconnects the pppoe subscriber with id <pppoe_vif_id>
pppoe disconnect <pppoe_vif_id>
Enables PPPoE protocol on the interface. See "vif add" for details.
Example:
vif add name v3 port 0 type dot1q cvid 3 flags pppoe_on
pppoe ac_cookie key "key_data"
Sets ac_cookie key value.
Example:
pppoe ac_cookie key "13071232717"
Sets PPPoE AC name.
pppoe ac_name "ac_name"
Example:
pppoe ac_name "trouter1"
Sets PPPoE service name.
pppoe service name "service_name"
Example:
pppoe service name "*"
Adds the subscriber link-layer address to the block list.
pppoe blocked subsc add <lladdr>
Deletes the subscriber link-layer address from the block list.
pppoe blocked subsc del <lladdr>
Outputs the content of the PPPoE subscriber block list
sh pppoe blocked subsc
Sets the ip address of the primary DNS server for ppp subscribers.
ppp dns primary <ip_address>
Example:
ppp dns primary 8.8.8.8
Sets the ip address of the secondary DNS server for ppp subscribers.
ppp dns secondary <ip_address>
Example:
ppp dns primary 8.8.4.4
Sets the ip address of TheRouter side ot PPP p-t-p tunnels
ppp ipcp server ip <ip_address>
Example:
ppp ipcp server ip 10.10.1.1
Configures the PPP stack to use the local ip pool with the given name. The pool will be used if all others ip address sources are failed. For example, the pool will be used if an authorization response doesn't include Framed-ip-address or Framed-pool atributes.
Multiple pools can be added to ppp. In that case they will be used in a round-robin way.
ppp ip pool add <pool_name>
Stops using the local ip pool that was configured with the command "ppp ip pool add"
ppp ip pool del <pool_name>
Creates a new pppoe profile.
pppoe profile create <id>
Destroys a pppoe profile.
pppoe profile destroy <id>
Configures a pppoe profile.
Sets profiles's service name.
pppoe profile set <id> service name "<service_name>"
Sets profiles's PADO delay value in milliseconds.
pppoe profile set <id> pado delay <pado_delay_in_ms>
Sets profiles's PADI accept rate in sessions per second.
pppoe profile set <id> accept rate <sess_per_sec>
Once the incoming PADI rate overflows the limit TR will start silently drop PADI packets.
Sets profiles's radius client id.
pppoe profile set <id> radius_client [radius_client_id]
Sets profiles's MTU.
pppoe profile set <id> mtu <mtu_value>
Adds a pppoe service-name to a pppoe profile.
pppoe profile <id> add service name "<name>"
Deletes a pppoe service-name from a pppoe profile.
pppoe profile <id> del service name "<name>"
Adds an ip pool to a pppoe profile.
pppoe profile <id> add ip pool <name>
Example:
pppoe profile 1 add ip pool p_subs_1
Deletes an ip pool from a pppoe profile.
pppoe profile <id> del ip pool <name>
Example:
pppoe profile 1 del ip pool p_subs_1
Adds an interface into a pppoe profile. As a result the interface will start using PPPoE parameters defined by the profile.
pppoe profile add <id> vif <vif_name>
Deletes an interface from a pppoe profile. As a result the interface will start using globally defined PPPoE parameters (profile 0)
pppoe profile del <id> vif <vif_name>
Adds a range of interfaces into a pppoe profile. As a result the interfaces will start using PPPoE parameters defined by the profile.
pppoe profile add <id> vif range svid <vlan_range> cvid <vlan_range> name <name>
Deletes a range of interfaces from a pppoe profile. As a result the interfaces will start using globally defined PPPoE parameters (profile 0)
pppoe profile del <id> vif range svid <vlan_range> cvid <vlan_range> name <name>
Outputs all pppoe profiles.
Example:
h5 the_router_build # rcli sh pppoe profile
profile id 2
pado delay: 10000 ms
service name: sn1
radius client id: 0
profile id 1
pado delay: 100 ms
service name: *
radius client id: 0
profile id 0
pado delay: 0 ms
service name: *
radius client id: 0
Outputs the pppoe profile with the given id.
Outputs the pppoe profile used by a particular iinterface
h5 ~ # rcli sh pppoe profile vif v3
profile id 1
pado delay: 100 ms
service name: *
PPPoE verbose log feature can be used to output log_level 8 syslog messages only for particular set of PPPoE subscribers. PPPoE subscribers are choosed by their MAC addresses. Once at least one MAC address has been added to a verbose list the router will output syslog log_level 8 messages only for those subscribers. When the verbose list is empty the router outputs log_level 8 messages for all pppoe subscribers. Not that log_level 8 should be enabled by setting sysctl "log_level" variable value to 8.
Adds a pppoe subscriber's MAC address to the verbose list.
pppoe verbose add <MAC>
Deletes a pppoe subscriber's MAC address from the verbose list of subscribers.
pppoe verbose del <MAC>
Deletes all MAC addresses from the verbose list.
pppoe verbose flush
The maximum number of concurrent pppoe subscribers.
This variable can be used only in the startup configuration file section.
Maximum number of online pppoe subscribers. Once the number of online pppoe subscribers reaches this limit TheRouter will stop answering to the pppoe discovery initiation packets (PADI). The difference between this variable and pppoe_max_subsc variable is that pppoe_max_online_subsc variable can be changed at runtime. Use 0 value to turn off the limit.
Time in seconds. A PPPoE subscriber will be disconnected if there are no packets during this period of time.
1 - on, 0 - off. Enables or disables using TCP MSS fix for pppoe traffic.
The maximum number of PPP FSM (LCP or NCP(IPCP)) terminate packets that may be sent.
The maximum number of PPP FSM (LCP or NCP(IPCP)) configure packets that may be sent.
Time is milliseconds to wait before resend a PPP FSM configure request. This time will be multiplied by 1.5 with each attempt to resend a request.
1 - on, 0 - off. Check that each pppoe subscriber has a uniq pair: Host-Uniq TAG and MAC address. If a new pppoe discover request containging already existing pair of the values is received it will be dropped. The pppoe_sub_uniq_check variable can be used only in the startup configuration file section.
1 - on, 0 - off. When enabled the_router will disconnect/prevent from connecting new pppoe subscribers that use a username already being used by another subscriber's session
1 - on, 0 - off. When enabled the_router will add/remove linux kernel /32 routes for ppp subscribers ip addresses. Linux kernel routes are installed to 'lo' interface in the namespace therouter is running in. This option allows to announce subscriber's /32 prefixes by using "redisribute kernel" command in FRR/Quagga bgpd or ospfd daemons.
Interval in seconds beetween keepalive tests. Use 0 to turn off keeplive.
Interval in milliseconds beetween keepalive probes (LCP echo-requests).
Maximum number of keepalive probes that could be send during one keepalive test.
A booean sysctl variable. When enabled instructs TheRouter to strip the domain part of the PPP username before output the username to CLI or log files.
An integer sysctl variable. When enabled TheRouter outputs the PPPoE subscriber uptime in seconds instead of a human-readable time format.
An integers read-only sysctl variable that stores the maximum length of the PPP peers name (usernames) supported by TheRouter.
A string sysctl variable that defines the default PPP auth proto. The default value is "chap".
Valid values:
chap
pap
Example
sysctl set ppp_default_auth_proto "chap"
An boolean startup sysctl variable that enables the use of the radius accounting on/off packets.
An integer variable that defines the maximum number of PPPoE PADO packets that could be delayed. at the same time. Once TR receives and delays that number of PADI/PADO all new PADI packets will be dropped.
An integer read-only sysctl variable which contains the number of currently delayed PADO packets that are waiting to be sent to the wire.
An boolean sysctl variable that instructs the router to trim trailing spaces from pppoe usernames that come from CoA protocol and CHAP/PAP auth protocols.
An boolean sysctl variable that instructs the router to lower pppoe usernames that come from CoA protocol and CHAP/PAP auth protocols.
Outputs connected/online PPPoE IPv6 subscribers
sh pppoe ipv6 subsc
Output the PPPoE subscriber with the given name
sh pppoe ipv6 subsc <name>
Example:
rcli sh pppoe ipv6 subsc alexk
vif_id username mac svid cvid session_id ia_na ia_pd slaac mtu ingress cir egress cir rx_pkts tx_pkts rx_bytes tx_bytes uptime
5 alexk 84:16:F9:BD:54:F7 0 3 1 xxx:237f:ee39:5584:17eb xxx60::/64 xxxaf::/64 1492 100000 100000 182736 26991718793821
Sets the default address pool for PPP IPv6 addresses of a particular type
ppp ipv6 pool <ppp_address_type> <pool_name>
Where <address_type> can take one of the following values:
ia_na
ia_pd
slaac
Example
# default pools
ppp ipv6 pool ia_na ppp6_na_pool
ppp ipv6 pool ia_pd ppp6_pd_pool
ppp ipv6 pool slaac ppp6_slaac_pool
Unsets the default address pool for PPP adresses of a particular type
ppp ipv6 pool <ppp_address_type> disable
Example:
ppp ipv6 pool ia_na disable
ppp ipv6 pool ia_pd disable
ppp ipv6 pool slaac disable
A startup bolean sysctl variable that enables/disables the IPv6 protocol for PPP subscribers
An integer sysctl variables that defines the size of the MTU Router Advertisement option of RA messages sent to PPP interfaces.
A bolean sysctl variable that enables/disables the MSS fix/clumping for IPv6.
An integer sysctl variable that defines the IA_NA option behavior of the PPP DHCPv6 server.
Valid values are:
- 0 - disable, the IA_NA option is not included in DHCPv6 messages;
- 1 - enable, the IA_NA option is included to the DHCPv6 replies, IA_NA value will be allocated from a pool only if the DHCPv6 client asks for that option;
- 2 - allways allocate, the IA_NA option is included in the DHCPv6 replies, IA_NA value will be allocated from a pool immidiately after the PPP subscriber has connected;
Setup the IA_PD for PPP DHCPv6 server.
Valid values are:
- 0 - disable, the IA_PD option is not included in the DHCPv6 messages;
- 1 - enable, the IA_PD option is included in the DHCPv6 reply messages, the IA_PD value will be allocated from a pool only if the DHCPv6 client asks for that option;
- 2 - allways allocate, the IA_PD option is included in the DHCPv6 replies messages, the IA_PD value will be allocated from a pool immidiately after the PPP subscriber has connected;
A boolean sysctl varialbe that enables/disables the use of SLAAC for the PPP interfaces.
0 - disable 1 - enable
A boolen sysctl variable that controls whether or not to include into the radius accounting start messages the Framed-IPv6-Prefix attribute carrying the PPP subscriber's SLAAC prefix.
0 - disable 1 - enable
A boolen sysctl variable that controls whether or not to include into the radius accounting start messages the Framed-IPv6-Address attribute with the PPP subscriber's IA_NA address.
0 - disable 1 - enable
A boolen sysctl variable that controls whether or not to include into the radius accounting start messages the Delegated-IPv6-Prefix attribute carrying the PPP subscriber's IA_PD prefix
0 - disable 1 - enable
Adds a recursive DNS server to the global list of servers. Values on the list will be used in the RA messages sent to PPPoE and IPv6oE subsribers by DHCPv6 server.
dhcpv6 add dns <ipv6_address>
Deletes a recursive DNS server address from the RDNSS list.
dhcpv6 del dns <ipv6_address>
dhcpv6 domain search list <string>
Example
dhcpv6 domain search list i6.therouter.net
An integer sysctl variable that defines the default preferred value for IPv6 addresses. For example, This value will be used for IPv6 addresses received via RADIUS protocol.
An integer sysctl variable that defines the default valid value for IPv6 addresses. For example, this value will be used for IPv6 addresses received via RADIUS protocol.
Outputs details about IPv6 pools
Example:
rcli sh ipv6 pools
---
name ppp6_pd_pool
address space xxxe::/48
address/prefix length 64
preferred lifetime 3600
valid lifetime 7200
free 65536
used 0
---
name ppp6_na_pool
address space xxx1::/64
address/prefix length 128
preferred lifetime 3600
valid lifetime 7200
free 4294967294
used 1
---
name ppp6_slaac_pool
address space xxx0b::/48
address/prefix length 64
preferred lifetime 3600
valid lifetime 7200
free 65535
used 1
Create a new IPv6 address pool.
ipv6 pool add <pool_name> <prefix> length <len> [preferred_lt <integer>] [valid_lt <integer>] [flags <flag,...>]
Parameters:
- prefix - the pool's address space;
- len - length of prefixes allocated from the pool;
- preferred_lt - the length of time in seconds that a valid address is preferred (i.e., the time until deprecation). When the preferred lifetime expires, the address becomes deprecated. Default value is 604800 seconds (7 days);
- valid_lt - the length of time in seconds an address remains in the valid state (i.e., the time until invalidation). The valid lifetime must be greater then or equal to the preferred lifetime. When the valid lifetime expires, the address becomes invalid. Default value is 2592000 seconds (30 days);
Flags:
- rand - allocate random values;
- cache - an address/prefix is reserved for a valid_lt seconds for the user allocated the value; During this time the subscriber will be given the same address/prefix if it reconnects. After the valid_lt seconds has ellapsed and the address/prefix is not in use it will be returned back to the pool;
Example:
ipv6 pool add ppp6_slaac_pool xxx::/48 length 64 preferred_lt 3600 valid_lt 7200 flags rand,cache
Deletes the ipv6 pool with the given name.
ipv6 pool del <pool_name>
Modifies an existing ipv6 pool lifetime values.
ipv6 pool modify <pool_name> valid_lt <integer> preferred_lt <integer>
Adds a new ip pool with the given name. Maximum pool name length is 16.
ip pool add <ip_pool_name>
Deletes ip pool with the given name. Maximum pool name length is 16.
ip pool del <ip_pool_name>
Adds ip address range to the pool. Maximum pool name length is 16.
ip pool add range <ip_pool_name> <ip from> - <ip to>
Deletes ip address range from the pool. Maximum pool name length is 16.
ip pool del range <ip_pool_name> <ip from> - <ip to>
Outputs ip pool details
sh ip pool
Size of the ip pool's glabal pool cache. Default value is 4096.
Time to live of the ip pool cache entry, seconds. Default value is 60 seconds.
Creates a new radius client with the given id. Note that radius client with id 0 is created by default, it's the default radius client.
radius_client create [id]
Example:
radius_client create 1
Adds RADIUS server to the list of servers. RADIUS requests will be sent to servers in the round-robin way. Maximum numbers of servers in the list is 8. Default port number is 1812.
radius_client [id] add server <ip address> [port <port number>]
id value might be omitted, in this case default radius client id 0 is used.
Example:
radius_client add server 192.168.5.2 port 1612
Deletes RADIUS server from the list of servers.
radius_client [id] del server <ip address> [port <port number>]
id value might be omitted, in this case default radius client id 0 is used.
Example:
radius_client del server 192.168.5.2 port 1612
Adds an ip address to the list of source ip addresses that will be used by the TheRouter RADIUS client to send RADIUS requests. A source ip address must be assigned to a VIF.
radius_client [id] add src ip <ip address>
id value might be omitted, in this case default radius client id 0 is used.
Example:
radius_client add src ip 192.168.5.111
Sets the RADIUS client secret.
radius_client [id] set secret "secret"
id value might be omitted, in this case default radius client id 0 is used.
Example:
radius_client set secret "1234abcd"
Sets the RADIUS CoA server secret.
coa server set secret "secret"
Example:
coa server set secret "abcd1234"
Outputs radius clients settings
Sets the RADIUS accounting client secret.
radius_client set accounting secret "secret"
Example:
radius_client set accounting secret "1234abcd"
Adds a new RADIUS accounting server to the list of servers. RADIUS requests will be sent to servers in the round-robin way. Maximum numbers of servers in the list is 8. Default port number is 1813.
radius_client add accounting server <ip address> [port <port number>]
Example:
radius_client add accounting server 192.168.5.2 port 1813
A integer sysctl variable that defines the initial radius restransmit timeout in milliseconds.
A integer sysctl variable that defines the number of radius restransmit.
A boolean sysctl variable that globally enables or disables the radius accounting
Note that the "vif_stat" sysctl variable should be set to 1, otherwise accounting request's packets and bytes counters will contain zero values.
A boolean sysctl variable that enables or disables sending radius accounting interim requests.
A integer sysctl variable that defines how often to send interim requests, seconds.
TheRouter VAS:
VENDOR TheRouter 12345
BEGIN-VENDOR TheRouter
ATTRIBUTE therouter_ingress_cir 1 integer
ATTRIBUTE therouter_engress_cir 2 integer
ATTRIBUTE therouter_ipv4_addr 3 integer
ATTRIBUTE therouter_ipv4_mask 4 integer
ATTRIBUTE therouter_outer_vid 5 integer
ATTRIBUTE therouter_inner_vid 6 integer
ATTRIBUTE therouter_ip_unnumbered 7 integer
ATTRIBUTE therouter_port_id 8 integer
ATTRIBUTE therouter_ipv4_gw 9 integer
ATTRIBUTE therouter_pbr 10 integer
ATTRIBUTE therouter_install_subsc_route 17 integer
ATTRIBUTE therouter_subsc_ttl 18 integer
ATTRIBUTE therouter_subsc_static_arp 19 integer
ATTRIBUTE therouter_subsc_proxy_arp 20 integer
ATTRIBUTE therouter_subsc_rp_filter 21 integer
ATTRIBUTE therouter_shaper_ingress_params 23 string
ATTRIBUTE therouter_shaper_egress_params 24 string
ATTRIBUTE therouter_subsc_addr_prefix_map_id 25 integer
ATTRIBUTE therouter_subsc_addr_prefix_map_value 26 integer
END-VENDOR TheRouter
Ingress CIR (commited information rate) - kbit/s It's used to limit the bandwith availabe for any type of subscriber. Ingress direction means the direction from the subscriber to TheRouter interface.
Egress CIR (commited information rate) - kbit/s It's used to limit the bandwith availabe for any type of subscriber. Egress direction means the direction from the TheRouter to the subscriber.
Subscriber's session time to live in seconds.
Value 1 of this attribute instructs TheRouter to intstall subscriber ipv4 address /32 prefix into the main routing table.
Value 1 of this attribute instructs TheRouter to intstall the static arp record for L2 subscriber.
The attribute with value 1 instructs TheRouter to enable the Proxy ARP on dynamic VIFs (vlan per subscriber).
Note that to enable the Proxy ARP for L2 subscribers the Proxy ARP flag should be used in the VIF configuration command when the L2 subscriber parent interface is created.
The attribute with value 1 instructs TheRouter to enable the Reverse Path Filter on dynamic VIFs (vlan per subscriber)
Note that to enable the Reverse Path Filter for L2 subscribers the 'rpf' flag should be used in the VIF configuration command when the L2 subscriber's parent interface is created.
This attributes carry a string containing parameters for subscriber's ingress/egress qos discipline. The string format depends on a qos discipline but should always starts with an integer number indicating qos type.
QoS types:
- 1 - policer
- 2 - multi policer
- 4 - qos scheduler
This attribute carries a string containing parameters for subscriber's egress shaper. A string format depends on a shaper type. see therouter_shaper_type for the details.
-
1 - a general policer. This is the default qos type, no need to use therouter_shaper_ingress_params or therouter_shaper_egress_params for this type. General policers should be configured using therouter_ingress_cir and therouter_egress_cir attributes.
-
2 - a multi policer. The multi policer applies different bandwidth limits depending on the packet src/dst ip address.
QoS of this type are configured using therouter_shaper_ingress_params and therouter_shaper_egress_params attributes. Format of therouter_shaper_ingress_params/therouter_shaper_egress_params attribute values for the multi policer is
<2/nb_policers/limit1/limit2/../prefix_map_id/prefix_map_mode>
Where
- nb_policers - number of policers;
- limit1 - bandwidth limit of policer 1;
- ...
- limitN - bandwidth limit of policer N;
- prefix_map_id - id of a prefix map to classify a packet
and to decide which policer apply;
- prefix_map_mode - prefix map's mode of operation:
0 - use packet's src ip address to find a match;
1 - use packet's dst ip address to find a match;
- 4 - DPDK QoS Scheduler
DPDK based QoS discipline. Format of therouter_shaper_ingress_params/therouter_shaper_egress_params attribute values for this qos is
<4/nb_ports/port1,profile1/port2,profile2/../prefix_map_id/prefix_map_mode>
Where
- nb_ports - number of qos scheduler ports/pipes that will be allocated for the subscriber;
- port1 - qos scheduler port number for traffic direction #1
- profile1 - profile id for port1
- ...
- prefix_map_id - id of a prefix map to classify a packet
and to decide which traffic direction (qos port/pipe) should be used for the packet;
- prefix_map_mode - prefix map's mode of operation:
0 - use packet's src ip address to find a match;
1 - use packet's dst ip address to find a match;
This attribute instructs TheRouter to add subscriber's ipv4 address to the prefix map with the given id upon subscriber connection and to delete subscriber's ipv4 address from the prefix map after the subscriber has been disconnected.
Defines a value associated with the subscriber's ipv4 address added to a prefix map. See the description of the therouter_subsc_addr_prefix_map_id attribute.
Description is available here
Configures IPoE subscriber's username. The username will be used in RADIUS packets. The command can only be used in the startup section of a configuration file.
ipoe subsc username format "<field>[:<field>]..." [delimiter ":"]
A list of fields that can be used to compose the username includes:
port
svid
cvid
ipv4
mac
remote_id
subscriber_id
example:
ipoe subsc username format "mac"
or
ipoe subsc username format "ipv4:mac" delimiter ":"
Note that remote_id and subscriber_id field values are defined only when DHCP subscriber's session is initiated by DHCP or DHCPv6 packets. Those values correspond to DHCP option82 values or DHCPv6 option 18/ option 37 values.
Outputs IPoE subscriber online sessions.
rcli sh subsc
Example:
# rcli sh subsc
vif_id port vlan ip mac sess-id circuit-id remote-id ingress_car egress_car rx_pkts tx_pkts rx_bytes tx_bytes pbr ttl expire_in uptime
8 2 0.931 10.x.x.x xx:16:xx:xx:xx:xx 1641657854-8 250M 250M 7841 7606 1356631 3446740 0 600 291 0 day(s), 2 hour(s), 17 min(s), 19 sec(s)
Disconnects an IPoE subscriber
subsc disconnect <vif-id>
Example:
rcli subsc disconnect 8
Default IPoE DHCP pools are used by IPoE subscribers when no other pools specified in the radius access-reply message.
Adds an ip pool to the list of default IPoE subscriber ip pools
ipoe ip pool add <pool-name>
Deletes an ip pools from the list of default IPoE subscriber ip pools
ipoe ip pool del <pool-name>
Example:
# global ipoe pools
ipoe ip pool add ppp_pool_1
ipoe ip pool add ppp_pool_2
A startup integer sysctl variable that defines the maximum number of concurrent IPoE subscribers. The variable can be used only in the startup configuration file section.
An integer sysctl variable that defines IPoE subscriber's Time-To-Live parameter value in seconds.
A boolean sysctl variable. When enabled TheRouter will add/remove linux kernel /32 routes for ipoe subscriber's ip addresses. Linux kernel routes are installed to the linux 'lo' interface in the namespace therouter is running in. This option allows to announce subscriber's /32 prefixes by using the "redisribute kernel" command of FRR/Quagga bgpd or ospfd daemons.
A boolean sysctl variable that instructs TheRouter to initiate a new L2 connected subscriber sessions if an unclassified egress packet is received.
A boolean sysctl variable that instructs TheRouter to initiate a new L2 connected subscriber sessions if an unclassified ingress packets is received.
A boolean sysctl variable that instructs TheRouter to initiate a new L2 connected subscriber sessions when the DHCP ACK message goes through TheRouter's DHCP Relay subsystem.
A boolean sysctl variable that instructs TheRouter to update the expiration/TTL time of L2 subscribers when an ingress packet is received. Default value is true (1).
A boolean sysctl variable that instructs TheRouter to update the expiration/TTL time of L2 subscribers when an egress packet is received. Default value is true (1).
A boolean sysctl variable. When enabled TheRouter will filter ARP requests on VIFs with flag 'l2_subsc' and will reply only to requests received from authorized L2 subscribers. TheRouter will be trying to find a match of the ARP source IP and the ARP source hardware address in a request to the IP and the MAC address pair of one of online L2 subscribers and if no match is found, the request will be ignored. Also it will check that the ARP request has been received from the VIF the matching subscriber is connected to.
A boolean sysctl variable. When enabled TheRouter will install a /32 route for each IPoE L2/L3 subscriber's ip address. Default value is false (0).
"ipoe_ipv6" is a startup only boolean sysctl variable that enables IPv6 protocol for IPoE subscribers.
Example
startup {
..
sysctl set ipoe_ipv6 1
..
}
Outputs connected/online IPv6oE subscribers
sh subsc ipv6
Example:
# rcli sh subsc ipv6
vif_id vlan port mac remote_id subsc_id IA_NA IA_PD ingress_qdisc egress_qdisc rx_pkts tx_pkts rx_bytes tx_bytes ttl expire_in uptime
8 0.820 2 xx:xx:xx:xx:xx:xx xx01:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:c9c3 2000:xxxx:xxxx:xxxx::/64 250M 250M 7852 7609 1359513 3446878 600 416 0 day(s), 2 hour(s), 21 min(s), 14 sec(s)
Sets the default address pool for IPv6oE addresses of a particular type
ipoe ipv6 pool <ipv6oe_address_type> <pool_name>
<ipv6oe_address_type> can take one of the following values:
ia_na
ia_pd
slaac
Example
# default pools
ipoe ipv6 pool ia_na ipv6_na_pool_1
ipoe ipv6 pool ia_pd ipv6_pd_pool_1
ipoe ipv6 pool slaac ipv6_slaac_pool_1
Unsets the default address pool for IPv6oE adresses of a particular type
ipoe ipv6 pool <ipv6oe_address_type> disable
Example:
ipoe ipv6 pool ia_na disable
ipoe ipv6 pool ia_pd disable
ipoe ipv6 pool slaac disable
An integer sysctl variable that controls IA_NA option's behavior of the DHCPv6 server for IPv6oE subscribers.
Valid values are:
- 0 - disable, the IA_NA option is not included in DHCPv6 messages;
- 1 - enable, the IA_NA option is included to the DHCPv6 replies, IA_NA value will be allocated from pool only if the DHCPv6 client asks for that option;
- 2 - allways allocate, the IA_NA option is included in the DHCPv6 replies, IA_NA value will be allocated from pool immidiately after the IPv6oE subscriber has connected;
An integer sysctl variable that controls IA_PD option's behavior of the DHCPv6 server for IPv6oE subscribers.
Valid values are:
- 0 - disable, the IA_PD option is not included in the DHCPv6 messages;
- 1 - enable, the IA_PD option is included in the DHCPv6 reply messages, the IA_PD value will be allocated from pool only if the DHCPv6 client asks for that option;
- 2 - allways allocate, the IA_PD option is included in the DHCPv6 replies messages, the IA_PD value will be allocated from pool immidiately after the IPv6oE subscriber has connected;
Globally enables the DHCP server function.
sysctl set dhcp_server 1
Note that before configuring DHCP parameters of an ip pool it should be created by using command
ip pool add <pool-name>
See IP pools
Setups the DHCP parameters of an ip pool
ip pool set <pool-name> router <ipv4-address> mask <network-mask> lease time <time>
Adds a DNS server to the list of ip pool DNS servers:
ip pool add <pool-name> dns <ip-address>
Deletes a DNS server from the list of ip pool DNS servers:
ip pool del <pool-name> dns <ip-address>
Adds a NTP server to the list of ip pool NTP servers:
ip pool add <pool-name> ntp <ip-address>
Deletes a NTP server from the list of ip pool NTP servers:
ip pool del <pool-name> ntp <ip-address>
Adds a NBNS (NetBios Name Server) server to the list of ip pool NBNS servers:
ip pool add <pool-name> nbns <ip-address>
Deletes a NBNS server from the list of ip pool NBNS servers:
ip pool del <pool-name> nbns <ip-address>
Example:
# create pool with name "pool_1"
ip pool add pool_1
ip pool add range pool_1 10.11.1.10 - 10.11.200.255
# setup pool's DHCP parameters
ip pool set pool_1 router 10.0.0.1 mask 24 lease time 600
ip pool add pool_1 dns 8.8.8.8
ip pool add pool_1 dns 8.8.4.4
ip pool add pool_1 ntp 192.36.143.130
ip pool add pool_1 nbns 1.1.1.1
ip pool add pool_1 nbns 1.1.1.3
Globally enables the DHCP relay function.
sysctl set dhcp_relay_enabled 1
Setups the address of DHCP server to relay requests to
dhcp_relay <ipv4_address>
dhcp_relay opt82 mode <mode>
the mode is one of the following values:
- rewrite_off - turn off option82 rewrite/insert function;
- rewrite_if_doesnt_exist - insert remote_id and circuit_id suboptions only if the request doesn't already contain dhcp option82;
- rewrite - rewrite or insert both remote_id and circuit_id DHCP option82 suboptions;
- rewrite_circuit_id - rewrite or insert only the circuit_id DHCP option82 suboption;
- rewrite_remote_id - rewrite or insert only the remote_id DHCP option82 suboption;
Sets the global DHCP relay giaddr address. When defined TheRouter will use this address instead of choosing an ip address with minimum value from the interface the DHCP request was received at.
dhcp_relay giaddr <ipv4>
dhcp_relay opt82 remote_id "tr_h4"
TheRouter writes 6 bytes of data into the circuit_id option. This data include the following properties of the interface the DHCP request was received on:
- 2 bytes - port_id
- 2 bytes - svlan_id
- 2 bytes - cvlan_id
A boolean sysctl variable that instruct TheRouter to use a plain text format for the circuit_id suboption.
TheRouter's HQoS implementation is based on the DPDK QoS Scheduler framework. http://doc.dpdk.org/guides-18.11/prog_guide/qos_framework.html#hierarchical-scheduler
HQoS hierarchy includes 5 levels: port, subport, pipe, traffic class and queue.
In TR each subport represents a predefined group of subscribers. A pipe represents a particular subsriber.
Traffic classes (TC) represent 4 classes of traffic. A packet is classified to a particular TC based on the IPv4 ToS value.
Each TC consists of 4 queues with id of 1 to 4. A packet goes to a particular queue based on the content of it's L3 header:
(ip src + ip dst) % 3
Traffic shaping is performed on subport and pipe levels using the Token Bucket Algorithm.
TCs of the same pipe handled in strict priority order. Queues of the same TC are serviced using Weighted Round Robin (WRR) algorithm according to predefined weights.
Creates a hqos profile. The profile defines the Token Bucket Algorithm paramers of a pipe.
hqos add profile <profile-id> rate <rate> size <size> tc period <tc-period>
- rate is a traffic limit rate in bit/s. The rate value can include suffixes K, M or G
- size is the bucket size, i.e. upper limit for the tb_credits
- tc-period is time period that should elapse since the last credit update in order for the bucket to be awarded credits
Example:
hqos add profile 1 rate 15 M size 1000000 tc period 40
Sets traffic class's parameters of the profile.
hqos set profile <profile-id> tc <tc-number> rate <rate> wrr weights <weights>
- rate is a traffic limit rate in bit/s. The rate value can include suffixes K, M or G
- tc-number is a number of the traffic class. Valid values are 1 - 4
- weights - traffic class's weights used by the WRR algorithm
By default all TC rates are equal to the profile's rate. Default values for WRR weights are 1 1 1 1.
Example:
hqos set profile 1 tc 1 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 2 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 3 rate 15 M wrr weights 1 1 1 1
hqos set profile 1 tc 4 rate 15 M wrr weights 1 1 1 1
Creates a hqos port.
hqos add port <port-number> rate <rate> mtu <mtu> frame overhead <frame-overhead> queue sizes <queue sizes>
- port-number is number or id of a new hqos port. Valid values are 0 - 15.
- rate is a rate of an egress ethernet port. Typical value is 10 G.
- mtu is packet's MTU. Typical value is 1522.
- frame overhead is packet's frame overhead that takes into account Start of Frame Delimiter, Frame Check Sequence and other packet's fields. Typical value is 24.
- queue sizes - list of TC's queue sizes. Each traffic class has 4 queues of the same size.
Example:
hqos add port 0 rate 10 G mtu 1522 frame overhead 24 queue sizes 64 64 64 64
Creates a subport for the hqos port. Currently only one subport per port is supported.
hqos add port <port-number> subport <subport-number> rate <rate> size <size> tc period <tc-period>
- port-number is number of an already created hqos port.
- subpor-number is number of a new subport.
- rate is traffic shaping rate of subport. It's the upper limit for traffic going through subport's pipes.
- size - is the subport's bucket size. Typical value is 1000000.
- tc-period - is time period that should elapse since the last credit update in order for the subport's bucket to be awarded credits. typical values is 40.
Example:
hqos add port 0 subport 0 rate 150 M size 1000000 tc period 10
Sets traffic classes parameters of the subport. By default all subport's TC rates are equal to the subport's rate.
hqos set port <port-number> subport <subport-number> tc <tc-number> rate <rate>
Example:
hqos set port 0 subport 0 tc 1 rate 150 M
hqos set port 0 subport 0 tc 2 rate 100 M
hqos set port 0 subport 0 tc 3 rate 50 M
hqos set port 0 subport 0 tc 4 rate 50 M
Creates a number of pipes of a particular profile for a port's subport.
hqos add port <port-number> subport <subport-number> pipes <number-of-pipes> profile <profile-id>
Example:
hqos add port 1 subport 0 pipes 40000 profile 1
Radius attributes therouter_shaper_ingress_params and therouter_shaper_egress_params should be used to apply hqos to a subscriber. See the description of those attributes for details.
Some commands could be applied to a set of interfaces or create a set of interfaces. Those type of commands are called 'range' commands.
Syntax of a range command is similar to the syntax of corresponing command that operates on a single VIF.
The main purpuse of the range commands is to create multiple interfaces with the same parameters but different vlan numbers.
vif add name <name> port <port_num> type <type> range svid <vlan_range> cvid <vlan_range> [flags <flag1,flag2...>] [mtu <mtu>]
Where 'vlan_range' is a vlan number, or a vlan range, for example
svid 4 cvid 100 200
would create 101 VIFs with vlan numbers from 4.100 to 4.200
svid 4 5 cvid 100 200
would create 202 VIFs with vlan numbers from 4.100 to 5.200. The rest of parameters is the same as for the simple 'vif add' command.
Example:
vif add name vlanr port 0 type qinq range svid 2079 cvid 2500 2800 flags l2_subs
vif del range svid <vlan_range> cvid <vlan_range> name <name>
ip addr add range svid <vlan_range> cvid <vlan_range> <net>/<mask> name <name>
ip addr del range svid <vlan_range> cvid <vlan_range> <net>/<mask> name <name>
vif acl add range svid <vlan_range> cvid <vlan_range> name <name> dir <direction> aclid <acl_id> prio <prio>
vif acl del range svid <vlan_range> cvid <vlan_range> name <name> dir <direction> aclid <acl_id>
vif acl modify range svid <vlan_range> cvid <vlan_range> name <name> dir <direction> aclid <acl_id> prio <prio>
Configures UDP API secret.
udp_api secret "<secret>"
example
udp_api secret "123"
Configures captive portal redirect URL format.
ipoe captive portal redirect url format "format_string"
The format string can include the following place holders {}:
mac
ipv4
svid
cvid
nas_ip_addr
sess_id
example:
ipoe captive portal redirect url format "http://captive.portal.com/?mac={mac}&subsc_ip={ipv4}&svid={svid}&cvid={cvid}&nas_ip_addr={nas_ip_addr}&sess_id={sess_id}"