What is the purpose of creating dummy interface? What advantages I would get so

Hi Team,

I was looking at the configuration and found that a dummy interface is used for BGP peering. I am not sure what benefits it would give me by doing so. I have a 4-peer hub-spoke setup and then found this. Can someone please explain?

set interfaces dummy dum1 address '10.80.80.1/32'
set protocols bgp neighbor 10.80.80.191 update-source '10.80.80.1'
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast route-map export 'OUT'
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 10.80.80.192 remote-as '65500'
set protocols bgp neighbor 10.80.80.192 update-source '10.80.80.1'

It’s considered best practice for multipathed peers - the loopback/dummy will remain visible over other paths even if the main interface goes down and loses its IP.

We use it to present a single peer IP that may be facing multiple interfaces and peers or direct interface addresses that might change in future. It’s commonly paired with OSPF or (rarely) static routes to the dummy /32 on downstream peers. We’ll usually also set the router-id to the IP of the loopback so that everything is consistent for diagnostics.

It’s not an appropriate configuration for all use cases - you often want to predict your physical pathing, don’t just dump a bunch of peers into a mixed bag of L2 links and hope OSPF figures it all out - but it is a good best practice, very convenient for intercap interior routers, RR clusters and BGP sessions with multiple L2 paths between peers.

It will also regularly simplify peer-group configs and allow downstream peer configs to be copy-pasted, even across routers facing different direct interfaces.

The loopback interface (as the “dummy interface” is called in other NOS - “dummy” comes from the Linux lingo, which unfortunately is broken in other parts too when it comes to NOS lingo, such as VRF with Linux (and VyOS) not being the level of isolation you would expect, where you also need NETNS to get the same level of isolation etc.) is /32 with IPv4 and /128 with IPv6.

Sometimes you can configure a larger netmask, but effectively it's a single IP address.

Except that this IP will be reachable through all interfaces that are part of the same VRF as this loopback interface, this interface will also be “always on”. Even if you nowadays can set a VLAN-interface to become always on (through “autostate on”), the difference is that if you use the loopback (well, dummy interface) as source-interface for your routing protocol such as BGP, then just because a physical interface goes down, this event won't trigger all the BGP route entries to be dropped from the RIB.

Since this interface is always-on and reachable through all interfaces that are part of the same VRF, this also means that you can have multiple physical paths between this box and whoever needs to reach it (for example for BGP purposes, or mgmt purposes etc).

So to wrap it up:

  • Dummy interface in Linux/VyOS is the same as Loopback interface with other NOS.
  • The dummy interface is always-on.
  • The dummy interface is reachable through all physical routed interfaces (and VLAN-interfaces) that are part of the same VRF as the dummy interface.
  • Due to the above, the dummy interface can be reached multipath between this device and other devices, such as to exchange BGP information.
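
The points made in the replies above can be checked mechanically. The following is an added example, not part of the original posts or of VyOS: it audits `set` lines for BGP neighbors that do not source from a dummy interface address, neighbors with no `remote-as`, and a router-id that is not pinned to the dummy address. The function name `audit` and the finding texts are assumptions, and the router-id path is assumed to follow the same command style as the config quoted in the question.

```python
# Added example: audit VyOS-style "set" lines for loopback-sourced BGP peering.
# SAMPLE is the configuration quoted in the question, reproduced unchanged.
SAMPLE = """\
set interfaces dummy dum1 address '10.80.80.1/32'
set protocols bgp neighbor 10.80.80.191 update-source '10.80.80.1'
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast route-map export 'OUT'
set protocols bgp neighbor 10.80.80.192 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 10.80.80.192 remote-as '65500'
set protocols bgp neighbor 10.80.80.192 update-source '10.80.80.1'
"""


def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    dummies, router_id, peers = set(), None, {}
    for line in config.splitlines():
        tok = [t.strip("'\"") for t in line.split()]
        if tok[:3] == ["set", "interfaces", "dummy"] and tok[4:5] == ["address"] and len(tok) == 6:
            dummies.update({tok[3], tok[5].split("/")[0]})  # interface name and bare IP
        elif tok[:5] == ["set", "protocols", "bgp", "parameters", "router-id"] and len(tok) == 6:
            router_id = tok[5]
        elif tok[:4] == ["set", "protocols", "bgp", "neighbor"] and len(tok) >= 6:
            peer = peers.setdefault(tok[4], {})
            if tok[5] in ("remote-as", "update-source") and len(tok) == 7:
                peer[tok[5]] = tok[6]
    findings = []
    for addr, peer in peers.items():
        src = peer.get("update-source")
        if src is None:
            findings.append(f"{addr}: no update-source; session is tied to the egress interface")
        elif src not in dummies:
            findings.append(f"{addr}: update-source {src} is not on a dummy interface")
        if "remote-as" not in peer:
            # Assumption: no peer-group supplies it; the snippet may be partial.
            findings.append(f"{addr}: no remote-as in this snippet")
    if router_id is None:
        findings.append("router-id not set explicitly")
    elif router_id not in dummies:
        findings.append(f"router-id {router_id} is not a dummy interface address")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
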

Does that mean if I have, let's say, 4 routers and each one has dual ISP and I have configured WireGuard tunnels with all those, in that case I would set only one dummy interface on each router and then set the BGP neighborship with dummy interfaces?

Is that the right thing? Will that work with IPSec/VTI as well?

Does that mean if I have, let's say, 4 routers and each one has dual ISP and I have configured WireGuard tunnels with all those, in that case I would set only one dummy interface on each router and then set the BGP neighborship with dummy interfaces?

That’s the rough idea, yes. I am assuming that the BGP in question is just running across the VPN mesh and not interacting with the ISPs.

Will that work with IPSec/VTI as well?

Yes, if you’re just running BGP “over the top”. It will need to be a routable tunnel.

Otherwise, if you mean using a dummy interface as a source for the VPN traffic, it very much depends and gets complicated, but you usually do not want to.

Do you have a configuration where you’re multihoming portable ranges at each site as well (and thus have BGP sessions with the ISPs), or is it just to manage dynamic routing over the VPN mesh?