proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-07 13:13:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

doc: Expand ACL and multicast boundary documentation

Browse Source 
Add documentation for existing extended access-list functionality and
the new "ip multicast boundary" command leveraging that functionality.

Signed-off-by: Corey Siltala <csiltala@atcorp.com>
This commit is contained in:
Corey Siltala 2024-11-14 13:08:52 -06:00
parent 7c2c70dd2b
commit ff5309ca2d
2 changed files with 65 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
doc/user/filter.rst
View File

@ -9,9 +9,7 @@ defined, it can be applied in any direction.
IP Access List IP Access List
============== ==============
.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK .. clicmd:: access-list NAME [seq (1-4294967295)] <permit|deny> <A.B.C.D/M [exact-match]|any>
.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK
seq seq
seq `number` can be set either automatically or manually. In the seq `number` can be set either automatically or manually. In the
@ -35,6 +33,29 @@ IP Access List
access-list filter permit 10.0.0.0/8 access-list filter permit 10.0.0.0/8
access-list filter seq 13 permit 10.0.0.0/7 access-list filter seq 13 permit 10.0.0.0/7
.. clicmd:: access-list NAME [seq (1-4294967295)] <deny|permit> ip <A.B.C.D A.B.C.D|host A.B.C.D|any> <A.B.C.D A.B.C.D|host A.B.C.D|any>
The extended access-list syntax enables filtering on both source and destination
IP addresses (or source and group, if used for multicast boundaries). The
source address is first in order in the command.
If providing a mask, note that the access-lists use wildcard masks (inverse
matching logic of subnet masks). If specifying ``host``, only the single address
given will be matched.
A basic example is as follows:
.. code-block:: frr
access-list filter seq 5 permit ip host 10.0.20.2 232.1.1.0 0.0.0.128
access-list filter seq 10 deny ip 10.0.20.0 0.0.0.255 232.1.1.0 0.0.0.255
access-list filter seq 15 permit ip any any
.. note ::
If an access-list is specified but no match is found, the default verdict
is deny.
.. clicmd:: show <ip|ipv6> access-list [json] .. clicmd:: show <ip|ipv6> access-list [json]
Display all IPv4 or IPv6 access lists. Display all IPv4 or IPv6 access lists.

46
doc/user/pim.rst
View File

@ -6,9 +6,9 @@ PIM
PIM -- Protocol Independent Multicast PIM -- Protocol Independent Multicast
*pimd* supports pim-sm as well as igmp v2 and v3. pim is *pimd* supports PIM-SM as well as IGMP v2 and v3. PIM is
vrf aware and can work within the context of vrf's in order to VRF aware and can work within the context of VRFs in order to
do S,G mrouting. Additionally PIM can be used in the EVPN underlay do S,G mrouting. Additionally, PIM can be used in the EVPN underlay
network for optimizing forwarding of overlay BUM traffic. network for optimizing forwarding of overlay BUM traffic.
.. note:: .. note::
@ -348,10 +348,46 @@ is in a vrf, enter the interface command with the vrf keyword at the end.
.. clicmd:: ip multicast boundary oil WORD .. clicmd:: ip multicast boundary oil WORD
Set a pim multicast boundary, based upon the WORD prefix-list. If a pim join Set a PIM multicast boundary, based upon the WORD prefix-list. If a PIM join
or IGMP report is received on this interface and the Group is denied by the or IGMP report is received on this interface and the group is denied by the
prefix-list, PIM will ignore the join or report. prefix-list, PIM will ignore the join or report.
.. code-block:: frr
prefix-list multicast-acl seq 5 permit 232.1.1.1/32
prefix-list multicast-acl seq 10 deny 232.1.1.0/24
prefix-list multicast-acl seq 15 permit any
!
interface r1-eth0
ip pim
ip igmp
ip multicast boundary oil multicast-acl
exit
.. clicmd:: ip multicast boundary ACCESS-LIST
Set a PIM multicast boundary, based upon the ACCESS-LIST. If a PIM join
or IGMP report is received on this interface and the (S,G) tuple is denied by the
access-list, PIM will ignore the join or report.
To filter on both source and group, the extended access-list syntax must be used.
If both a prefix-list and access-list are configured for multicast boundaries,
the prefix-list will be evaluated first (and must have a terminating "permit any"
in order to also evaluate against the access-list).
.. code-block:: frr
access-list multicast-acl seq 5 permit ip host 10.0.20.2 host 232.1.1.1
access-list multicast-acl seq 10 deny ip 10.0.20.0 0.0.0.255 232.1.1.0 0.0.0.255
access-list multicast-acl seq 15 permit ip any any
!
interface r1-eth0
ip pim
ip igmp
ip multicast boundary pim-acl
exit
.. clicmd:: ip igmp last-member-query-count (1-255) .. clicmd:: ip igmp last-member-query-count (1-255)
Set the IGMP last member query count. The default value is 2. 'no' form of Set the IGMP last member query count. The default value is 2. 'no' form of