High-performance Software Router
Industry-leading price-performance, scalability, and solution flexibility for all edge, campus, data center and cloud router and site-to-site VPN needs.
Get to Know TNSR
Pronounced “tensor”, TNSR software is Netgate’s answer for businesses, governments, educational institutions and service providers looking for super-scale routing without the six-figure price tag.
Feature List
Router VPN Interface / Tunneling Protocols Network Services Configuration Mgmt User / Privilege Mgmt Resilience/Reliability Mgmt System Reporting/Monitoring SecurityRouter
-
Bridging joins two or more interfaces to the same layer 2 (broadcast/collision) domain, as if they were joined to the same switch. Bridging is commonly used to connect interfaces across different types of links (such as Ethernet to VXLAN), or to enable filtering between two segments of the same network.
More information can be found in our documentation here.
-
Static routing relies upon manually-configured routing entry rather than information from dynamic routing traffic. Static routes are fixed and do not change if the network is changed or reconfigured. Static routing and dynamic routing are not mutually exclusive.
More information can be found in our documentation here.
-
Dynamic routing enables routers to select paths based upon real-time logical network layout changes. Popular dynamic routing protocols include Border Gateway protocol (BGP), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
More information can be found in our documentation here.
-
Border Gateway Protocol (BGP), the routing protocol used by the global internet, finds the best route path by weighing the latest network conditions based on reachability and routing information.
More information can be found in our documentation here.
-
Open Shortest Path First (OSPF) is an interior gateway protocol that uses a link state routing algorithm to find the best path between a source and destination router. TNSR supports both OSPF v2 (OSPF) and OSPF v3 (OSPF6).
More information can be found in our documentation here.
-
ACL-Based Forwarding (ABF) is a type of routing which makes decisions based on whether or not a packet matches a Standard Access List (ACL). This type of routing is also commonly called Policy-Based Routing (PBR). ABF can make routing decisions based on any property of a packet that an ACL is capable of matching.
-
Service providers around the world face a problem of IPv4 address space exhaustion. This is, of course, driving not only IPv6, but the use of address space mapping technologies that help extend the life of compute and networking equipment that are bound to IPv4 address usage.
Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is an approach to IPv4 network design where end sites, particularly residential networks, are configured with private network addresses that are translated to public IPv4 addresses by network address translator solutions located within the service provider’s network, permitting the sharing of small pools of public addresses among many end sites. This shifts the NAT function from the end customer network to the service provider network.
TNSR supports two technologies useful to CGNAT:
- NAT44 - maps each application flow on the customer side to the public IPv4 address and one of its TCP or UDP ports as identified by the combination of a private IPv4 address and a TCP or UDP port
- Mapping of Address and Port (MAP) - MAP is a carrier-grade IPv6 transition mechanism capable of efficiently transporting high volumes of line-rate IPv4 traffic across IPv6 networks. TNSR supports both MAP-T (which uses translation) and MAP-E (which uses encapsulation). TNSR can currently act as a Border Relay (BR) providing service to Customer Edge (CE) clients.
- Network Address Translation-Traversal (NAT-T) - the standards-based approach for IPsec encapsulation in User Datagram Protocol (UDP) to ensure that data protected by IPsec can pass through NAT without discarding packets - key for IPsec VPN connections that traverse connections where NAT is present, especially for service providers
More information about NAT can be found in our documentation here, and information about MAP can be found here.
-
Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
TNSR supports the following NAT functionality:
- Port Forwards - allows external devices access to computers on private networks by mapping an external port to an internal IP address and port
- 1:1 NAT - maps a single external IPv4 address (usually public) to a single internal IPv4 address (usually private)
- Outbound NAT - (sometimes referred to as Source NAT, Overload NAT or Port Address Translation (PAT)) changes the source address and port of packets exiting a given interface in order to 1) hide the origin of a packet, or 2) allow multiple IPv4 hosts inside a network to share one, or a limited number of, external or outside addresses on a router
- Network Prefix Translation (NPt) works similarly to 1:1 NAT but operates on IPv6 prefixes instead
More information about NAT can be found in our documentation here.
-
Equal-cost multi-path (ECMP) is a dynamic routing protocol where packet forwarding to a single destination can occur over multiple best paths with equal routing priority.
More information can be found in our documentation here.
-
Static Address Resolution Protocol (Static ARP) is used to manually map IP network addresses to the hardware MAC address so they are retained in the router cache on a permanent basis.
More information can be found in our documentation here.
-
Bidirectional Forwarding Detection (BFD) is a protocol that can detect link failures within milliseconds, or even microseconds.
More information can be found in our documentation here.
-
Virtual Routing and Forwarding (VRF) is a component of MPLS which allows a service provider to provide BGP routing to many customer VPNs while also isolating each customer's routing tables from one another.
More information can be found in our documentation here.
VPN
-
A site-to-site IPsec tunnel interconnects two networks as if they were directly connected by a router. Systems at Site A can reach servers or other systems at Site B, and vice versa. This traffic may also be regulated via firewall rules, as with any other network interface. If more than one client will be connecting to another site from the same controlled location, a site-to-site tunnel will likely be more efficient, not to mention more convenient and easier to support.
With a site-to-site tunnel, the systems on either network need not have any knowledge that a VPN exists. No client software is needed, and all of the tunnel work is handled by the tunnel endpoints.
More information can be found in our documentation here.
-
WireGuard® is a modern VPN Layer 3 protocol designed for speed and simplicity. It is designed for high performance and has only a small number of options in its configuration.
WireGuard® utilizes a private and public key pair for itself and each peer. Communication with a peer is encrypted using its public key, and a peer decrypts the messages using its private key. Peers never need to know the private key of other peers, they only need their own private key.
-
Internet Key Exchange (IKE) is the protocol used to set up a secure, authenticated communications channel between two parties. IKE typically uses X. 509 PKI certificates for authentication and the Diffie–Hellman key exchange protocol to set up a shared session secret. TNSR supports both IKE-v1 (more widely supported) and IKE-v2 (more secure).
More information can be found in our documentation here.
-
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key. TNSR supports DH Groups 1-24, and 31.
More information can be found in our documentation here.
-
A Message Authentication Code (MAC) algorithm is an integrity algorithm - based on a symmetric key cryptographic technique - used to provide message integrity and authentication. TNSR supports aescmac, aesxcbc, md5, sha1, sha256, sha384 and sha512 message integrity algorithms.
More information can be found in our documentation here.
-
Ciphers (algorithms) are used to encrypt and decrypt data as it traverses a VPN connection. Algorithms based on AES are common and secure, and are widely supported by VPN implementations. AES-GCM, or AES Galois/Counter Mode is an efficient and fast authenticated encryption algorithm, which means it provides data privacy as well as integrity validation, without the need for a separate integrity algorithm. Additionally, AES-based algorithms can often be accelerated by AES-NI.
TNSR supports a number of common, secure encryption algorithms including 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-ICV16-GCM-128, AES-ICV16-GCM-192, AES-ICV16-GCM-256, Camellia-128,Camellia-192, Camellia-256 and CHACHA20-POLY1305.
More information can be found in our documentation here.
Interface / Tunneling Protocols
-
IPsec is a group of protocols used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, where it both encrypts IP packets and authenticates the source from where the packets originated.
More information can be found in our documentation here.
-
Switched Port Analyzer (SPAN) enables all packets that come into or out of an interface (SPAN source) to be copied (mirrored) to a local port or CPU (SPAN destination) for monitoring. The original packet is still switched.
More information can be found in our documentation here.
-
Encapsulated Remote SPAN (ERSPAN) enables mirrored packets to be sent to a monitoring node located anywhere across the routed network. The original Layer 2 packet is encapsulated with GRE for IP delivery.
More information can be found in our documentation here.
-
Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments. VxLAN virtually extends a Layer 2 segment across a Layer 3 network infrastructure by encapsulating Layer 2 Ethernet frames inside a VXLAN packet that includes an IP address. VxLAN is similar to VLAN, which also encapsulates Layer 2 frames and segments networks. The main difference is that VXLAN encapsulates the MAC in UDP, and can scale up to 16 million VxLAN segments, where VLAN uses the tag on the Layer 2 frame for encapsulation and can only scale to 4,000 VLANs.
More information can be found in our documentation here.
-
Generic Routing Encapsulation (GRE) wraps (encapsulates) one data packet within another - to create a direct point-to-point connection across a network - to simplify connections between separate networks.
More information can be found in our documentation here.
-
802.1q tunneling enables the use of a single VLAN to support multiple customer VLANs, i.e., service provider switches use a single service provider VLAN to carry all customer VLANs as opposed to directly carrying all customer VLANs independently.
More information can be found in our documentation here.
-
802.1ad VLAN (QinQ) enables VLAN traffic to be carried over Ethernet. Based upon 802.1Q, QinQ allows VLANs to be nested by adding two tags to each frame instead of one, i.e., VLAN stacking or QinQ). QinQ also makes it possible to have more than the 4094 separate VLANs in a 802.1q tunnel.
More information can be found in our documentation here.
-
memif is a high performance, direct memory interface - via a file socket for a control channel to set up shared memory - that can be used between FD.io VPP instances.
More information can be found in our documentation here.
-
Virtual network tap interfaces give daemons and clients in the host operating system access to send and receive network traffic through TNSR to other networks. A tap interface can carry layer 2 and layer 3 frames between the host OS and TNSR, and be a bridge member.
More information can be found in our documentation here.
-
A loopback interface routes a data stream back to its source without modification. It is a core utility for testing communications infrastructure.
More information can be found in our documentation here.
-
A bridge interface joins two or more interfaces to the same layer 2 (broadcast/collision) domain, as if they were joined to the same switch. Bridging is commonly used to connect interfaces across different types of links (such as Ethernet to VXLAN), or to enable filtering between two segments of the same network.
More information can be found in our documentation here.
-
Host interfaces are interfaces which have not been allocated to the dataplane, and are used primarily for host OS management.
More information can be found in our documentation here.
-
Link Aggregation Control Protocol (LACP) is a bonding interface used to aggregate one or more physical ethernet interfaces to form a logical point-to-point link, referred to as a Link Aggregation Group (LAG), virtual link, or bundle.
More information can be found in our documentation here.
-
Link Aggregation Group (LAG) allows a router to treat multiple physical links as a single logical link.
More information can be found in our documentation here.
Network Services
-
A Dynamic Host Configuration Protocol (DHCP) Server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices. TNSR can be configured as a client or server.
More information can be found in our documentation here.
-
A Domain Name Server (DNS) resolver receives and resolves DNS (URL to IP address) queries from web browsers and other applications.
More information can be found in our documentation here.
-
Network timing protocol (NTP) is an internet protocol used to synchronise clocks on network devices to within a few milliseconds of universal coordinated time (UTC). The NTP service on TNSR synchronizes the host clock with reference sources (typically remote servers), and also acts as an NTP server for clients.
More information can be found in our documentation here.
Configuration Management
-
TNSR has a comprehensive Command Line Interface (CLI) that is analogous to CLI of other routers or networking equipment. All aspects of system and application configuration, status information, and diagnostics are able to be discovered, configured, and monitored by networking engineers through the CLI.
More information can be found in our documentation here.
-
TNSR can be controlled via a RESTCONF API. RESTCONF is an HTTP-based protocol that provides a programmatic interface for accessing data defined in Yet Another Next Generation (YANG). YANG is a data modeling language for the definition of data sent over RESTCONF for both configuration and state data of network elements.
More information can be found in our documentation here.
User / Privilege Management
-
TNSR administrators can create additional users where each user may save and load configurations.
More information can be found in our documentation here.
-
TNSR supports two methods for authenticating users: passwords and user keys.
More information can be found in our documentation here.
-
TNSR supports authenticating users using a Remote Authentication Dial-In User Service (RADIUS) server.
-
TNSR utilizes NETCONF Access Control Model (NACM) to provide role-based access control (RBAC).
More information can be found in our documentation here.
Resilience/Reliability Management
-
The Virtual Router Redundancy Protocol (VRRP) enables hosts on a LAN to make use of redundant routing platforms on that LAN without requiring more than the static configuration of a single default route on the hosts. This increases the availability and reliability of routing paths via automatic default gateway selections - via an election protocol - on an IP subnetwork. The advantage of VRRP is high availability without requiring configuration of dynamic routing or router discovery protocols on every end-host.
More information can be found in our documentation here.
System Reporting and Monitoring
-
The Simple Network Management Protocol (SNMP) service on TNSR enables the router to be monitored by a Network Monitoring System (NMS) or other software which supports SNMP. View-based Access Control Model (VACM) is used to manage access to SNMP information.
More information can be found in our documentation here.
-
Each TNSR interface has associated counters - which enable traffic volume and error monitoring - accessible either through the CLI or RESTCONF API.
More information can be found in our documentation here.
-
TNSR includes a Prometheus exporter which supports statistical data from the dataplane (VPP) only. Collected data is typically fed into Grafana, an open source analytics and interactive visualization web application.
More information can be found in our documentation here.
-
TNSR status information can be viewed using the show command from either basic or configuration mode.
More information can be found in our documentation here.
-
The Link Layer Discovery Protocol (LLDP) service provides a method for discovering which routers are connected to a LAN segment, and offers a way to discover the topology of a network.
More information can be found in our documentation here.
-
Internet Protocol Flow Information Export (IPFIX) allows network engineers and administrators to collect traffic flow information from routers and any other network devices (that support the protocol), and then analyze it through a network/netflow analyzer. TNSR can send UDP IPFIX data to an external flow collector for tracking and analyzing connections between hosts routing through TNSR.
More information can be found in our documentation here.
-
The TNSR CLI supports a number of utilities for testing connectivity including diagnostic routing behavior, Ping and Traceroute.
More information can be found in our documentation here.
Security
-
Access Control Lists (ACLs) are a collection of permit and deny rules that provide security by blocking unauthorized users and allowing authorized users to access specific resources.
TNSR software supports L2 MACIP ACLs, L3 ACLs (IPv4 and v6), L4 ACLs, and Host ACLs.
More information can be found in our documentation here.