12.6.6. Configuring Virtual Routers

enabled

Enable/disable usage of a static route:

• on.

• off.

name

Route name.

description

Route description.

type

Route type:

• unicast: the standard route type. Forwards the traffic destined for the specified address via the specified gateway.

• unreachable: drops the traffic. ICMP message "Host unreachable" (type 3 code 1) is sent to the source.

• prohibit: drops the traffic. ICMP message "Host unreachable" (type 3 code 13) is sent to the source.

• blackhole: drops the traffic without informing the source that the data did not reach the addressee.

destination-ip

IP address of the destination subnet, format: <ip/mask>.

gateway-address

IP address of the gateway through which the specified subnet will be reachable. The IP address must be reachable from the UserGate server.

interface

Interface through which the route is added.

metric

Route metric. The lower the metric, the higher the priority of the route (if there is more than one route to a network).

enabled

Enable/disable an OSPF router:

• on.

• off.

router-id

Router IP address. Must match one of the IP addresses assigned to the UserGate network interfaces that belong to this virtual router.

If the OSPF is disabled (enabled off), the router-id value can be deleted (none).

connected

Redistribute routes to other OSPF routers on networks directly connected to UserGate:

• on.

• off.

kernel

Redistribute routes added by an administrator to other OSPF routers:

• on.

• off.

metric

Redistributed route metric.

default-originate

Notify other routers that this router has a default route configured:

• on.

• off.

interface

Select one of the existing interfaces on which OSPF will run. Only the interfaces belonging to this virtual router are available for selection.

To add an interface or change parameters for an existing interface, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> ospf interface new 

Admin@UGOS# set network virtual-router <virtual-router-name> ospf interface <interface-name>

Next, specify the following parameters:

• enabled <on | off>: enable/disable the interface.

• interface: name of the interface in this virtual router.

• description: interface description.

• cost: interface link cost. This value is reported in the LSA (link-state advertisement) to the neighboring routers which use it to compute the shortest path. Default value: 1.

• priority: an integer from 0 to 255. The higher the value, the higher the probability that this router will become the network's designated router for sending out LSAs. A value of 0 excludes the router from being designated. Default value: 1.

• hello-interval: time between sending hello packets (in seconds). This should be the same for all routers in an autonomous system. The default value is 10 seconds.

• dead-interval: time after which the router is considered offline (in seconds). The time is counted from the moment of receiving the last hello packet from the neighboring router. The default value is 40 seconds.

• retransmit-interval: time before the LSA packet is retransmitted (in seconds). The default value is 5 seconds.

• transmit-delay: approximate time required to deliver link state updates to neighbor routers (in seconds). The default value is 1 second.

• authentication: authentication type. Available values:

  • enabled <on | off>: enable/disable mandatory authentication for each OSPF message received by the router. Authentication is normally used to prevent the injection of a fake route from illegitimate routers.

  • auth-type: select authentication type: plain (transmit the key as plain text to authenticate routers) or digest (use an MD5 hash of the key to authenticate OSPF packets).

  • md5-key-id: key identifier.

  • key: a key. A key can only contain Latin letters, numbers, and the underscore. Maximum length: 16 characters.

area

Configuring the OSPF area.

To add a new area or change parameters for an existing one, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> ospf area new 

Admin@UGOS# set network virtual-router <virtual-router-name> ospf area <area-name>

Next, specify the following parameters:

• enabled <on | off>: enable/disable the area.

• name: area name.

• description: area description.

• cost: cost of the LSAs announced in the stub area.

• area-id: zone identifier (area ID). The ID can be specified in decimal format or IP address record format. However, zone IDs are not IP addresses and can match any assigned IP address.

• auth-type: authentication type. Available values:

  • none: do not require OSPF packet authentication.

  • plain: transmit the key as plain text to authenticate OSPF packets. The key specified in the interface settings is used.

  • digest: use an MD5 hash of the key to authenticate OSPF packets. The key specified in the interface settings is used.

  The interface-level authentication takes precedence over zone-level authentication.

• area-type: OSPF area type. Available types:

  • normal: normal zone, which is created by default. This zone receives link updates, summary routes, and external routes.

  • nssa: Not-So-Stubby Area defines an additional LSA type, which is LSA type 7. A boundary router (ASBR) can be located in the NSSA zone.

  • stub: stub zone, which does not receive any external route information for an autonomous system, but does receive routes from other zones. If routers from a stub area need to send information outside of the autonomous system, they use the default route. An ASBR cannot reside in a stub area.

• no-summary: allow/deny summarized routes to be injected into stub zone area types:

  • on.

  • off.

• interface: select OSPF interfaces on which this zone will be available.

• virtual-links: this is a special type of connection that makes it possible, for example, to interconnect a partitioned area or connect an area to the backbone area via another area. It is configured between two ABRs and allows routers to forward OSPF packets through virtual links by encapsulating them in IP packets. This mechanism is used as a temporary solution or as a backup in case the primary connections fail.

  You can specify the IDs of the routers available via this zone.

enabled

Enable/disable an BGP router:

• on.

• off.

router-id

Router IP address. Must match one of the IP addresses assigned to the UserGate network interfaces that belong to this virtual router.

If the BGP is disabled (enabled off), the router-id value can be deleted (none).

as-number

An autonomous system is a system of IP networks and routers managed by one or more operators that have a single routing policy. The autonomous system number identifies the router as belonging to that system.

multiple-path

Enable/disable traffic balancing to routes with the same cost:

• on.

• off.

connected

Redistribute routes to other BGP routers on networks directly connected to UserGate:

• on.

• off.

kernel

Redistribute routes added by an administrator to other BGP routers:

• on.

• off.

ospf-redistribute

Distribute routes received via the OSPF protocol to other BGP routers:

• on.

• off.

network-addrs

A list of networks that belong to this autonomous system. Format: <ip/mask>.

routemaps

Routemaps are used to manage routing tables and specify the match conditions under which routes are passed between domains.

To create a routemap or change parameters for an existing routemap, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> bgp routemaps new

Admin@UGOS# set network virtual-router <virtual-router-name> bgp routemaps <routemap-name>

Routemap parameters:

• name: routemap name.

• description: routemap description.

• action: the action:

  • allow: allow data that matches the routemap conditions to pass through.

  • block: deny data that matches the routemap conditions to pass through.

• match-by: match condition to apply a routemap. Match by:

  • ip: IP address.

  • aspath: AS path.

  • community: Community.

• next-hop: set next hop value for filtered routes to the specified IP address.

• weight: set the weight for filtered routes to the specified value.

• metric: set the metric for filtered routes to the specified value.

• preference: set the preference for filtered routes to the specified value.

• as-prepend: set the AS-prepend value, which is a list of autonomous systems being added for this route.

• community: set the BGP community value for filtered routes.

• append-community: append community.

• ip-match: add all required IP addresses when selecting IP address matching.

• as-path-match: add all required autonomous network numbers when selecting AS path matching. POSIX 1003.2 regular expressions are allowed, supplemented by the underscore (_) character that is interpreted as:

  • A space.

  • A comma.

  • Start of line.

  • End of line.

  • AS set delimiter { and }.

  • AS confederation delimiter ( and ).

• community-match: add strings of all BGP communities you need when selecting matching by Community.

filters

Filters allow you to filter routes when redistributing.

To create a filter or change parameters for an existing one, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> bgp filters new 

Admin@UGOS# set network virtual-router <virtual-router-name> bgp filters <filter-name>

Parameters:

• name: the filter name.

• description: the filter description.

• action: the action:

  • allow: allow data that matches the routemap conditions to pass through.

  • block: deny data that matches the routemap conditions to pass through.

• filter-by: conditions on application of the filter. Available values:

  • ip: filter by the IP address.

  • aspath: filter by the AS path.

• ip-filter: add all required IP addresses when selecting IP address filtering. The addresses can be specified in the following formats:

  • 10.0.0.0/8 for the 10.0.0.0/8 subnet only.

  • 10.0.0.0/8:11 for routes where the first octet is 10 and the prefix is from 8 to 11.

  • 10.0.0.0/8:11:13 for routes where the first octet is 10 and the prefix is from 11 to 13.

• as-path-filter: add all required autonomous network numbers when selecting filtering by AS path.

neighbors

BGP neighbors.

To add new neighbors or change data for existing ones, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> bgp neighbors new 

Admin@UGOS# set network virtual-router <virtual-router-name> bgp neighbors <host-ip>

Parameters:

• enabled: enable/disable use of the neighbor:

  • on.

  • off.

• description: BGP neighbor description.

• host: neighbor IP address.

• remote-asn: neighbor's autonomous system number.

• weight: weight of routes received from this neighbor.

• ttl: maximum allowed hop number to this neighbor.

• allowas-in: this function allows to receive and process routes even if the router detects its autonomous system number in the AS Path in the aggregation route.

  • on.

  • off.

• allowas-in-number: how many times the autonomous BGP neighbor's system number can be included in the AS Path. Available values: from 0 to 10 (0 is the origin).

• next-hop-self: if the neighbor is a BGP, replace the next-hop-self value with its own IP address:

  • on.

  • off.

• ebgp-multihop: the connection to this BGP neighbor is not direct (more than one hop):

  • on.

  • off.

• route-reflector-client: determine if a BGP neighbor is a Route reflector client:

  • on.

  • off.

• soft-reconfiguration: use soft reconfiguration (without disconnecting) to update the configuration:

  • on.

  • off.

• default-originate: announce the default route to a neighbor:

  • on.

  • off.

• send-community: redirect the community to BGP neighbors:

  • on.

  • off.

• enable-auth: enable/disable authentication for a neighbor:

  • on.

  • off.

• password: neighbor authentication password.

• filter-in: restrict information about the routes received from neighbors.

• filter-out: restrict routing information announced to neighbors.

• routemap-in: restrict routing information the BGP receives from neighbors.

• routemap-out: restrict routing information a BGP sends to neighbors.

enabled

Enable/disable an RIP router:

• on.

• off.

rip-version

RIP protocol version:

• 1.

• 2.

Usually, the 2nd version of the protocol is used.

default-metric

RIP metric. Default value of metric: 1; max value: 15. A value of 16 is considered infinite.

admin-distance

The cost of routes received using the RIP protocol. Default value for RIP protocol: 120. This is used for route selection when routes can be received using multiple methods (OSPF, BGP, static).

default-originate

Sends itself as the router by default.

network-cidr

Specify the network as a CIDR. Format: <ip/mask>.

network-interface

Specify the network interface from which to send route information updates. Provide interfaces that belong to the virtual router.

redistribute

Route redistribution:

• connected: redistribute routes to other RIP routers on networks directly connected to UserGate:

  • <metric>: metric value; available values: from 0 to 16.

  • off.

• static: redistribute static routes to other routers:

  • <metric>: metric value; available values: from 0 to 16.

  • off.

• kernel: redistribute routes added by an administrator to other RIP routers:

  • <metric>: metric value; available values: from 0 to 16.

  • off.

• ospf-redistribute: redistribute routes received via OSPF to other RIP routers:

  • <metric>: metric value; available values: from 0 to 16.

  • off.

• bgp-redistribute: redistribute routes received via BGP to other RIP routers:

  • <metric>: metric value; available values: from 0 to 16.

  • off.

interfaces

Configure interfaces where the RIP protocol is supported. The interfaces should be added to the virtual router.

To add new interfaces or change data for existing ones, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> rip interfaces new 

Admin@UGOS# set network virtual-router <virtual-router-name> rip interfaces <interface-name>

Parameters:

• interface: select the interface.

• send-version: RIP protocol version that the router will send. Available values:

  • 0.

  • 1.

  • 2.

  • 3.

• receive-version: RIP protocol version that the router will receive. Available values:

  • 0.

  • 1.

  • 2.

  • 3.

• password: authentication string that will be sent and received in RIP packets. All routes participating in RIP information exchange must have an identical password.

• split-horizon: routing loop avoidance method in which the router does not redistribute network information through the interface on which the update arrived.

  • on.

  • off.

• poison-reverse: routing loop avoidance method in which the router sets the route cost to 16 and sends it to the neighbor it received it from.

  • on.

  • off.

• passive-mode: interface mode in which the interface receives RIP updates but does not send them.

  • on.

  • off.

enabled

Enable/disable an RIP router:

• on.

• off.

use-ecmp

Enable traffic distribution using Equal Cost Multi Path (ECMP) technology:

• on.

• off.

Requires that several routes exist to the network node of interest. If this option is disabled, all traffic to a specific destination host will be sent through only one of the routers (next hop).

use-ecmp-rebalance

Use ECMP rebalance:

• on: if one of the interfaces through which traffic was sent is disconnected, then all existing flows are redistributed among the remaining routes (next hop).

• off: if one of the interfaces through which traffic was sent is disconnected, only the flows sent through the disconnected interface will be redistributed.

join-prune

Interval for sending messages to PIM neighbors about the multicast groups whose traffic the router wants to receive or no longer wants to receive.

register-suppress

Interval after which the router sends a register suppress message.

keep-alive

Interval after which the router sends keepalive messages to neighbors, and the interval the router waits before considering a neighbor unavailable.

interfaces

Interface to use for multicasting. You can only specify interfaces added to the virtual router.

To add new interfaces or change data for existing ones, use the following commands:

Admin@UGOS# set network virtual-router <virtual-router-name> multicast-router interfaces new 

Admin@UGOS# set network virtual-router <virtual-router-name> multicast-router interfaces <interface-name>

Parameters:

• interface: select an interface for multicast. Only the interfaces belonging to this virtual router are available for selection.

• hello-timeout: interval to send PIM HELLO messages (in seconds). PIM Hello messages are sent periodically from all interfaces for which multicast support is enabled. These messages let the router know about neighbor routers that support multicasting.

• dr-priority: priority for Designated router (DR) selection, which allows the administrator to control the process of DR selection for the LAN.

• enable-igmp: receive IGMP report and IGMP query messages on this interface.

• use-igmpv2: use IGMP v2 (default is IGMP v3).

rendezvous-points

When configuring Rendezvous points, you can specify the following parameters:

• enabled: enable/disable this RP:

  • on.

  • off.

• name: RP name.

• ip: RP unicast IP address.

• asm-allowed-groups: list of allowed group addresses for any source multicast from this RP. Any networks in the range 224.0.0.0/4. If nothing is specified, there are no restrictions.

ssm-allowed-groups

A multicast router setting that defines a list of allowed group addresses for source-specific multicast. You can specify any networks in the range 232.0.0.0/8. If nothing is specified, there are no restrictions.

spt-exclusions

Multicast router setting that defines a list of IPv4 multicast groups excluded from switching to the shortest path tree.