Re: [Vyatta-users] Advises on configuring BGP
Hi,

Thanks! I am a noob in setting up BGP and we have the following info from our upstream provider:

Upstream Router Server IP Address
Customer Primary Interface Address
Upstream Secondary Router Server IP Address
Customer Secondary Interface Address

Plus my ASN number as well as my IP range XX.XX.XX.XX/21

So is all this information enough to configure it? Are there any examples I can follow?

Thanks!

Yongsan

On Dec 11, 2007 11:33 AM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> Well, yes - Vyatta has full BGP support, so you'll be able to peer
> with your provider.
>
> Best,
> Justin
>
> On Dec 10, 2007 7:26 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > New here and to Vyatta and hope to get advice on getting this up. I wish
> > to set up a BGP router for our current setup (we have got our ASN number, IP
> > range) and we will peer with our upstream provider for MLPA.
> >
> > Just some simple BGP routes for testing purposes. So just wondering if
> > Vyatta is able to do that?
> >
> > Thanks!
> >
> > Yongsan

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Advises on configuring BGP
Well, yes - Vyatta has full BGP support, so you'll be able to peer with your provider.

Best,
Justin

On Dec 10, 2007 7:26 PM, Poh Yong Hwang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> New here and to Vyatta and hope to get advice on getting this up. I wish
> to set up a BGP router for our current setup (we have got our ASN number, IP
> range) and we will peer with our upstream provider for MLPA.
>
> Just some simple BGP routes for testing purposes. So just wondering if
> Vyatta is able to do that?
>
> Thanks!
>
> Yongsan
[Vyatta-users] Advises on configuring BGP
Hi,

New here and to Vyatta and hope to get advice on getting this up. I wish to set up a BGP router for our current setup (we have got our ASN number, IP range) and we will peer with our upstream provider for MLPA.

Just some simple BGP routes for testing purposes. So just wondering if Vyatta is able to do that?

Thanks!

Yongsan
Re: [Vyatta-users] Restricting traffic between networks
While obvious, make certain that the computers on the 10.20.0.0/24 have the Vyatta router as their default gateway

-- Justin

On Dec 10, 2007 12:39 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> After reading some of the recent posts and configuring only one
> interface, I have gotten this to work.
>
> With the below configuration, I can remote desktop from the
> 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The
> computers on the 10.20.0.0/24 network cannot get to any other network.
> I may go back and add a firewall rule to the 10.20.0.0/24 interface
> and only allow established communication into the router.
>
> ethernet eth0 {
>     disable: false
>     discard: false
>     description: "Production Network"
>     hw-id: 00:0e:0c:b8:4d:12
>     duplex: "auto"
>     speed: "auto"
>     address 10.10.0.199 {
>         prefix-length: 24
>         disable: false
>     }
>     firewall {
>         in {
>             name: "Prod2Dev"
>         }
>     }
> }
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name Prod2Dev {
>         description: "Production to Development"
>         rule 1 {
>             description: "Remote Desktop"
>             protocol: "tcp"
>             action: "accept"
>             log: "enable"
>             source {
>                 network: "10.10.0.0/24"
>             }
>             destination {
>                 network: "10.20.0.0/24"
>                 port-number 3389
>             }
>         }
>     }
> }
>
> Quoting Justin Fletcher <[EMAIL PROTECTED]>:
>
> > You also need to apply the firewall rules to an interface, as in
> >
> > firewall {
> >     in {
> >         name: "inbound"
> >     }
> >     local {
> >         name: "inbound"
> >     }
> > }
> >
> > In the above case, it's for inbound traffic, and traffic destined for
> > the router itself.
> >
> > Also remember that traffic will flow in both directions, unless you
> > just want to block the inbound traffic from the development network.
> >
> > Your current rule 4 prevents new connections - as well as everything else
> > ;-)
> >
> > Looks like your rules 1-3 should have the matching source and
> > destination networks as rule 4; otherwise, that inbound traffic will
> > only match rule 4, and not match one of the earlier rules for
> > permitted traffic.
> >
> > Best,
> > Justin
> >
> > You can do a "show firewall" to see the rules on the system, as well
> > as enable logging for a rule to see where the traffic is being
> > dropped.
> >
> > Justin
> >
> > On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> >> After reading through the Quick Guide to Configuration Statements, I see:
> >> state {
> >>     established: [enable|disable]
> >>     new: [enable|disable]
> >>     related: [enable|disable]
> >>     invalid: [enable|disable]
> >> }
> >>
> >> How can I add this to my rule 4 to prevent new connections to the work
> >> network from the development network?
> >>
> >> Would it be:
> >>
> >> rule 4 {
> >>     description: "10.10.0.0/24"
> >>     protocol: "all"
> >>     state {
> >>         new: enable
> >>     }
> >>     action: "drop"
> >>     log: "disable"
> >>     source {
> >>         network: "10.20.0.0/24"
> >>     }
> >>     destination {
> >>         network: "10.10.0.0/24"
> >>     }
> >> }
Re: [Vyatta-users] Restricting traffic between networks
After reading some of the recent posts and configuring only one interface, I have gotten this to work.

With the below configuration, I can remote desktop from the 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The computers on the 10.20.0.0/24 network cannot get to any other network. I may go back and add a firewall rule to the 10.20.0.0/24 interface and only allow established communication into the router.

ethernet eth0 {
    disable: false
    discard: false
    description: "Production Network"
    hw-id: 00:0e:0c:b8:4d:12
    duplex: "auto"
    speed: "auto"
    address 10.10.0.199 {
        prefix-length: 24
        disable: false
    }
    firewall {
        in {
            name: "Prod2Dev"
        }
    }
}

firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name Prod2Dev {
        description: "Production to Development"
        rule 1 {
            description: "Remote Desktop"
            protocol: "tcp"
            action: "accept"
            log: "enable"
            source {
                network: "10.10.0.0/24"
            }
            destination {
                network: "10.20.0.0/24"
                port-number 3389
            }
        }
    }
}

Quoting Justin Fletcher <[EMAIL PROTECTED]>:

> You also need to apply the firewall rules to an interface, as in
>
> firewall {
>     in {
>         name: "inbound"
>     }
>     local {
>         name: "inbound"
>     }
> }
>
> In the above case, it's for inbound traffic, and traffic destined for
> the router itself.
>
> Also remember that traffic will flow in both directions, unless you
> just want to block the inbound traffic from the development network.
>
> Your current rule 4 prevents new connections - as well as everything else ;-)
>
> Looks like your rules 1-3 should have the matching source and
> destination networks as rule 4; otherwise, that inbound traffic will
> only match rule 4, and not match one of the earlier rules for
> permitted traffic.
>
> Best,
> Justin
>
> You can do a "show firewall" to see the rules on the system, as well
> as enable logging for a rule to see where the traffic is being
> dropped.
>
> Justin
>
> On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
>> After reading through the Quick Guide to Configuration Statements, I see:
>> state {
>>     established: [enable|disable]
>>     new: [enable|disable]
>>     related: [enable|disable]
>>     invalid: [enable|disable]
>> }
>>
>> How can I add this to my rule 4 to prevent new connections to the work
>> network from the development network?
>>
>> Would it be:
>>
>> rule 4 {
>>     description: "10.10.0.0/24"
>>     protocol: "all"
>>     state {
>>         new: enable
>>     }
>>     action: "drop"
>>     log: "disable"
>>     source {
>>         network: "10.20.0.0/24"
>>     }
>>     destination {
>>         network: "10.10.0.0/24"
>>     }
>> }
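Added example (not part of the thread): a Python model of how the one-rule Prod2Dev set from the message above treats packets arriving on eth0, using first-match evaluation. The implicit drop when no rule matches, the sample host addresses and all function names are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "accept" or "drop"
    proto: str                   # "tcp", "udp" or "all"
    src_net: str
    dst_net: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


# Rule set "Prod2Dev" as posted, applied "in" on eth0 (the 10.10.0.0/24 side).
PROD2DEV = [Rule(1, "accept", "tcp", "10.10.0.0/24", "10.20.0.0/24", 3389)]


def evaluate(rules, packet):
    """First matching rule wins; rule number 0 is the assumed implicit drop."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return rule.action, rule.number
    return "drop", 0


# Constructed packets, all arriving on eth0 from a production host.
SAMPLES = {
    "rdp_to_dev": Packet("10.10.0.25", "10.20.0.7", "tcp", 3389),
    "ssh_to_dev": Packet("10.10.0.25", "10.20.0.7", "tcp", 22),
    # Reply to a connection that a development host opened: the destination
    # port is the dev host's ephemeral port, so rule 1 does not match.
    "reply_to_dev_client": Packet("10.10.0.25", "10.20.0.7", "tcp", 49152),
}


def verdicts(rules=PROD2DEV):
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

In this model the reply case is dropped on eth0 because rule 1 has no state block and matches on addresses and port alone, which is consistent with the observation that the 10.20.0.0/24 hosts cannot reach other networks.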
Re: [Vyatta-users] lacp
> Does Vyatta support LACP/ieee 802.3ad for etherchanneling?
>
> I didn't see it in the vyatta software page.
> http://www.vyatta.com/products/vyatta_software_datasheet.pdf
>
> It's clear that lacp is generally a feature available on
> switches but it could be interesting to have it on the
> Vyatta router. (like the Cisco 3750 switch/router) Typically,
> the VMware servers require link aggregation through lacp.

Not yet. We have talked about using ifenslave to do this. Vote for it on the wiki:

http://www.vyatta.com/twiki/bin/view/Community/TopEnhancements

It's called "Ethernet interface bonding".

-- Dave
Re: [Vyatta-users] VRRP Configuration Problem
Hi Jim,

I'm glad you were able to resolve this by changing the link speed.

The disable-vmac option was just added recently and is available via the community testing repository (sorry...I forgot to mention that). This option sets the vrrpd -n flag. If you'd prefer not to upgrade to latest "testing" packages, starting vrrpd from the command line using the -n flag should also resolve this issue.

EX: /opt/vyatta/sbin/vrrpd -i eth0 -v 20 -p 1 -d 1 10.4.0.200 -n

If you'd like to upgrade to obtain access to this new feature, here are some instructions on how to do this:

http://www.vyatta.com/twiki/bin/view/Community/HowToUpdate

You would set your repository component as follows:

set system package repository community component "testing main"

You're absolutely correct about the documentation. The documents were released prior to the availability of the disable-vmac option. I'll let our technical writer know that this needs to be added. Thank you for noticing this. ;-)

-Robyn

Jim K wrote:
> That definitely seems to be the issue as setting the ports to 100Mb seems to
> solve the problem.
>
> The disable-vmac setting does not seem to work nor is it listed in the
> documentation
>
> set interfaces ethernet eth0 vrrp disable-vmac true
>
> ERROR: path "interfaces ethernet eth0 vrrp disable-vmac" is not valid.
>
> "turning their LAN interfaces on and off as they switch" == link state going
> up and down
>
> Thanks.
>
> ----- Original Message -----
> From: Robyn Orosz <[EMAIL PROTECTED]>
> To: Jim K <[EMAIL PROTECTED]>
> Cc: Vyatta-users@mailman.vyatta.com
> Sent: Friday, December 7, 2007 1:49:20 PM
> Subject: Re: [Vyatta-users] VRRP Configuration Problem
>
> Hi Jim,
>
> I'm not totally sure what you mean by "turning their LAN interfaces on
> and off as they switch" but, it sounds like the following bug:
>
> https://bugzilla.vyatta.com/show_bug.cgi?id=2350 - bug 2350
>
> See comment number 4 which basically tells you to disable the vmac:
>
> set interfaces ethernet eth0 vrrp disable-vmac true
>
> Thank you,
>
> Robyn
>
> Jim K wrote:
>
>> I've been trying to configure a backup router using VRRP, but after retrying
>> all the obvious, I've run out of options.
>>
>> After configuring both the MASTER and SLAVE as below, both switch from
>> MASTER to SLAVE mode, and subsequently are turning their LAN interfaces on
>> and off as they switch from either mode.
>>
>> Neither router seems to detect the other's multicast VRRP broadcast, even
>> though they are both connected to the same VLAN on the same switch (Catalyst
>> 2960).
>>
>> Configuration below
>>
>> -
>>
>> MASTER router
>>
>> }
>> ethernet eth0
>>    hw-id: 00:1c:32:ce:7b:50
>>    address xxx.xxx.204.253
>>    prefix-length:24
>>    }
>>    vrrp {
>>       vrrp-group: 204
>>       virtual-address: xxx.xxx.204.1
>>       priority: 150
>>    }
>> }
>>
>> ethernet eth1
>>    hw-id: 00:1c:32:ce:7b:A1
>>    address xxx.xxx.102.59
>>    prefix-length:24
>>    }
>>    vrrp {
>>       vrrp-group: 102
>>       virtual-address: xxx.xxx.102.2
>>       priority: 150
>>    }
>> }
>>
>> SLAVE router
>>
>> }
>> ethernet eth0
>>    hw-id: 00:1c:32:ce:7b:64
>>    address xxx.xxx.204.254
>>    prefix-length:24
>>    }
>>    vrrp {
>>       vrrp-group: 204
>>       virtual-address: xxx.xxx.204.1
>>       priority: 10
>>    }
>> }
>>
>> ethernet eth1
>>    hw-id: 00:1c:32:ce:7b:77
>>    address xxx.xxx.102.60
>>    prefix-length:24
>>    }
>>    vrrp {
>>       vrrp-group: 102
>>       virtual-address: xxx.xxx.102.2
>>       priority: 10
>>    }
>> }