Navigating the BIRD/Stormshield Network environment
In factory configuration, the BIRD routing mode is not enabled.
Stormshield Network firewall routing can coexist with BIRD dynamic routing. For example, the internal zone can be managed with a dynamic routing protocol, while the external zone is managed with the firewall's routing features (static routing, gateways, policy-based routing (PBR), or router objects).
Refer to the section Interactions with Stormshield Network routing.
Unlike BIRD v1, which used two separate configuration files, BIRD v2 dynamic routing for IPv4 and IPv6 is configured in a single file: /usr/Firewall/ConfigFiles/Bird/bird.conf.
Starting BIRD v2 routing from the web administration interface
To enable and start BIRD v2 routing:
- Go to Configuration > Network > Dynamic routing > General tab,
- Switch the Enable dynamic routing cursor to ON,
- In the General configuration section, select the BIRD v2 radio button.
Monitoring BIRD v2 dynamic routing in interactive mode
BIRD offers an interactive mode, birdc (BIRD client).
In this interactive mode, you can view BIRD statuses, test the operation of a new configuration with the option of rolling back, and create temporary configurations.
However, this interactive mode does not allow you to make permanent changes to the BIRD configuration file.
From the firewall's console, start this mode by running birdc to monitor dynamic routing.
The first detail that is shown is the BIRD version:
BIRDv2-VMSNSX09I0390A9>birdc
BIRD 2.15.1 ready.
bird>
"Show" commands
The “?” character displays the list of available options:
bird> show ?
show status                                  Show router status
show memory                                  Show memory usage
show protocols [<protocol> | "<pattern>"]    Show routing protocols
show interfaces                              Show network interfaces
show route ...                               Show routing table
show symbols ...                             Show all known symbolic names
show babel ...                               Show information about Babel protocol
show bfd ...                                 Show information about BFD protocol
show ospf ...                                Show information about OSPF protocol
show rip ...                                 Show information about RIP protocol
show static [<name>]                         Show details of static protocol
Example:
Show all routes:
bird> show route
Table master4:
0.0.0.0/0            unicast [kernel1 09:02:35.632] * (254)
	via 172.20.151.254 on em0(out)
172.16.1.125/32      unicast [kernel1 09:02:35.632] * (254)
	dev lo0(loopback)
192.168.220.0/24     unicast [direct1 09:02:35.632] ! (240)
	dev em2(dmz1)
                     unicast [MyOSPF 09:02:35.732] I (150/10) [192.168.97.219]
	dev em2(dmz1)
172.20.151.3/32      unicast [kernel1 09:02:35.632] * (254)
	dev lo0(loopback)
192.168.220.21/32    unicast [kernel1 09:02:35.632] * (254)
	dev lo0(loopback)
Example:
Show routes by protocol instance. The instance in this case is MyOSPF.
bird> show route protocol MyOSPF
Table master4:
192.168.220.0/24     unicast [MyOSPF 09:02:35.732] I (150/10) [192.168.97.219]
	dev em2(dmz1)
bird>
In birdc, most commands are the same across protocols. For example, the routes announced to a BGP neighbor can be viewed with a command that applies the instance's export filter (in this example the filter is named ospfexport):
bird> show route filter ospfexport
Table master4:
0.0.0.0/0            unicast [kernel1 09:02:35.632] * (254)
	via 172.20.151.254 on em0(out)
192.168.220.0/24     unicast [direct1 09:02:35.632] ! (240)
	dev em2(dmz1)
Debug
Show commands provide many details on instances. With these commands, issues can be diagnosed, whether they stem from a configuration error, a network problem or another cause.
bird> show protocol all router1
Name       Proto      Net Type   Table      State  Since         Info
router1    BGP        Undefined  ---        start  14:11:41.925  Active        Socket: Connection closed
  Description:    My 1st BGP uplink
  BGP state:          Active
    Neighbor address: 100.100.100.100
    Neighbor AS:      65001
    Local AS:         65065
    Connect delay:    1.041/5
    Last error:       Socket: Connection closed
  Channel ipv4
    State:          DOWN
    Table:          master4
    Preference:     100
    Input filter:   ACCEPT
    Output filter:  (unnamed)
    IGP IPv4 table: master4
To enable reception of system messages on the console, enter the command "echo all", then "echo off" to stop such logs.
bird> echo all
bird>
>>> router1: Connecting to 100.100.100.100 from local address 200.200.200.200
>>> router1: Socket error: bind: Can't assign requested address
>>> router1: Connection closed
>>> router1: Connect delayed by 5 seconds
Debug events can be viewed globally or, for example, per protocol instance. Debug commands usefully complement the status display commands.
bird> debug ospf_router2_v4 all
bird> echo all
>>> ospf_router2_v4 < added 0.0.0.0/0 via 192.168.97.1 on em0
>>> ospf_router2_v4 < replaced 100.100.100.100/32 via 192.168.97.101 on em0
>>> ospf_router2_v4 > updated 1.1.1.0/24 via 192.168.97.1 on em0
>>> ospf_router2_v4 < rejected by protocol 1.1.1.0/24 via 192.168.97.1 on em0
>>> ospf_router2_v4 > updated [best] 1.1.1.0/24 via 192.168.97.1 on em0
>>> ospf_router2_v4 < replaced 2.2.2.0/24 via 192.168.97.101 on em0
>>> ospf_router2_v4 < replaced 2.2.4.0/24 via 192.168.97.101 on em0
Temporary test of new configurations
Here, we would like to test a new configuration, bird_conf_to_test.conf. To do so, start BIRD with a bird.conf configuration that has already been validated, then run the interactive birdc mode from the firewall's console.
To check the syntax of the file without applying it:
bird> configure check "bird_conf_to_test.conf"
Next, apply this configuration temporarily for 60 seconds by using the command:
bird> configure "bird_conf_to_test.conf" timeout 60
The new configuration is applied. If the firewall can no longer be reached, or if the administrator does not confirm it, the previous configuration is automatically restored after 60 seconds.
If the new configuration is considered valid, it can be confirmed using:
bird> configure confirm
If the new configuration has not been validated, and the firewall is still reachable, you can immediately backtrack by using:
bird> configure undo
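The check / timeout / confirm / undo cycle above can also be driven unattended from the firewall's console. The script below is an added example, not part of the Stormshield documentation or of BIRD itself. It assumes that birdc accepts the command as its arguments (as in "birdc show route") and that the caller supplies a probe command whose exit status 0 means "routing still works"; the probe_default_route helper is one such probe and is also an assumption, not a BIRD feature.

```shell
#!/bin/sh
# Added example; not Stormshield's or BIRD's own tooling.
# Drives the birdc "configure check" / "configure ... timeout" /
# "configure confirm" / "configure undo" cycle without an interactive session.
# Assumptions: birdc accepts a command as its arguments, and the caller
# provides a probe command (exit status 0 = firewall still reachable).

BIRD_TIMEOUT=${BIRD_TIMEOUT:-60}   # seconds before BIRD reverts on its own

# Syntax-check the file $1 without applying it. Returns 0 only when birdc
# answers "Configuration OK"; otherwise the error text is sent to stderr.
bird_check_conf() {
    out=$(birdc configure check "\"$1\"" 2>&1) || true
    case "$out" in
        *"Configuration OK"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Example probe (assumption: a default route still present in master4 means
# the uplink is intact). Any command may be used instead, e.g. a ping to the
# gateway from the firewall console.
probe_default_route() {
    birdc show route 0.0.0.0/0 2>/dev/null | grep -q unicast
}

# Apply the file $1 with BIRD's timeout-based rollback, run the probe $2,
# then confirm or undo. Prints "confirmed", "undone" or "rejected" and
# returns 0 only when the new configuration was confirmed.
bird_try_conf() {
    conf="$1"; probe="$2"
    if ! bird_check_conf "$conf"; then
        echo rejected; return 1
    fi
    if ! birdc configure "\"$conf\"" timeout "$BIRD_TIMEOUT" >/dev/null 2>&1; then
        echo rejected; return 1
    fi
    if "$probe"; then
        # Probe passed: cancel the rollback timer so the new configuration
        # stays active (the file on disk is still bird.conf, as noted above).
        birdc configure confirm >/dev/null 2>&1
        echo confirmed; return 0
    fi
    # Probe failed: roll back immediately instead of waiting for the timer.
    birdc configure undo >/dev/null 2>&1
    echo undone; return 1
}

# Usage from the firewall console:
#   bird_try_conf "bird_conf_to_test.conf" probe_default_route
```

The probe runs while the temporary configuration is active, so a probe that itself loses connectivity simply fails and triggers the undo; if the console session is cut off before the probe returns, BIRD's own 60-second timer still restores the previous configuration.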