summaryrefslogtreecommitdiff
path: root/docs/ch05-network-interfaces.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/ch05-network-interfaces.rst')
-rw-r--r--docs/ch05-network-interfaces.rst573
1 files changed, 0 insertions, 573 deletions
diff --git a/docs/ch05-network-interfaces.rst b/docs/ch05-network-interfaces.rst
deleted file mode 100644
index 2e2a9ee5..00000000
--- a/docs/ch05-network-interfaces.rst
+++ /dev/null
@@ -1,573 +0,0 @@
-Network Interfaces
-==================
-
-Configured interfaces on a VyOS system can be displayed using the `show
-interfaces` command.
-
-.. code-block:: sh
-
- vyos@vyos:~$ show interfaces
- Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
- Interface IP Address S/L Description
- --------- ---------- --- -----------
- eth0 172.16.51.129/24 u/u OUTSIDE
- eth1 192.168.0.1/24 u/u INSIDE
- lo 127.0.0.1/8 u/u
- ::1/128
- vyos@vyos:~$
-
-A specific interface can be shown using the `show interfaces <type> <name>`
-command.
-
-.. code-block:: sh
-
- vyos@vyos:~$ show interfaces ethernet eth0
- eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
- link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
- inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
- inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
- valid_lft forever preferred_lft forever
- Description: OUTSIDE
-
- RX: bytes packets errors dropped overrun mcast
- 274397 3064 0 0 0 0
- TX: bytes packets errors dropped carrier collisions
- 257276 1890 0 0 0 0
- vyos@vyos:~$
-
-Different network interfaces provide type-specific configuration. Ethernet
-interfaces, for example, allow the configuration of speed and duplex.
-
-Many services, such as network routing, firewall, and traffic policy also
-maintain interface-specific configuration. These will be covered in their
-respective sections.
-
-Interface Addresses
--------------------
-
-Each interface can be configured with a description and address. Interface
-addresses might be:
-
-* Static IPv4 `address 172.16.51.129/24`
-* Static IPv6 `address 2001:db8:1::ffff/64`
-* DHCP IPv4 `address dhcp`
-* DHCP IPv6 `address dhcpv6`
-
-An interface description is assigned using the following command:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 description 'OUTSIDE'
-
-IPv4
-^^^^
-
-Static Address
-**************
-
-This method is supported on all interfaces, apart from OpenVPN that uses
-different syntax and wireless modems that are always autoconfigured through
-PPP.
-
-The command is `set interfaces $type $name address $address`. Examples:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 address 192.0.2.1/24
- set interfaces tunnel tun0 address 10.0.0.1/30
- set interfaces bridge br0 address 203.0.113.45/26
- set interfaces ethernet eth0 vif 30 address 192.0.30.254/24
-
-DHCP
-****
-
-This method is supported on all physical interfaces, and those that are
-directly connected to a physical interface (ethernet, VLAN, bridge, bond,
-pseudo-ethernet, wireless).
-
-The command is `set interfaces $type $name address dhcp`. Examples:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 vif 90 address dhcp
- set interfaces bridge br0 address dhcp
-
-IPv6
-^^^^
-
-Static Address
-**************
-
-This method is supported on all interfaces, apart from OpenVPN that uses
-different syntax and wireless modems that are always autoconfigured through
-PPP. Static IPv6 addresses are supported on all interfaces except VTI.
-
-The command is `set interfaces $type $name address $address`. Examples:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 address 2001:db8:100::ffff/64
- set interfaces tunnel tun0 address 2001:db8::1/64
- set interfaces bridge br0 address 2001:db8:200::1/64
- set interfaces ethernet eth0 vif 30 address 2001:db8:3::ffff/64
-
-DHCP
-****
-
-This method is supported on all physical interfaces, and those that are
-directly connected to a physical interface (ethernet, VLAN, bridge, bond,
-pseudo-ethernet, wireless).
-
-The command is `set interfaces $type $name address dhcpv6`. Examples:
-
-.. code-block:: sh
-
- set interfaces bonding bond1 address dhcpv6
- set interfaces bridge br0 vif 56 address dhcpv6
-
-Autoconfiguration (SLAAC)
-*************************
-
-SLAAC is specified in RFC4862_. This method is supported on all physical
-interfaces, and those that are directly connected to a physical interface
-(ethernet, VLAN, bridge, bond, pseudo-ethernet, wireless).
-
-The command is `set interfaces $type $name ipv6 address autoconf`. Examples:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 vif 90 ipv6 address autoconf
- set interfaces bridge br0 ipv6 address autoconf
-
-.. note:: This method automatically disables IPv6 traffic forwarding on the
- interface in question.
-
-EUI-64
-******
-
-EUI-64 (64-Bit Extended Unique Identifier) as specified in RFC4291_. IPv6
-addresses in /64 networks can be automatically generated from the prefix and
-MAC address, if you specify the prefix.
-
-The command is `set interfaces $type $name ipv6 address eui64 $prefix`. Examples:
-
-.. code-block:: sh
-
- set interfaces bridge br0 ipv6 address eui64 2001:db8:beef::/64
- set interfaces pseudo-ethernet peth0 ipv6 address eui64 2001:db8:aa::/64
-
-Ethernet Interfaces
--------------------
-
-Ethernet interfaces allow for the configuration of speed, duplex, and hw-id
-(MAC address). Below is an example configuration:
-
-.. code-block:: sh
-
- set interfaces ethernet eth1 address '192.168.0.1/24'
- set interfaces ethernet eth1 address '2001:db8:1::ffff/64'
- set interfaces ethernet eth1 description 'INSIDE'
- set interfaces ethernet eth1 duplex 'auto'
- set interfaces ethernet eth1 speed 'auto'
-
-Resulting in:
-
-.. code-block:: sh
-
- ethernet eth1 {
- address 192.168.0.1/24
- address 2001:db8:1::ffff/64
- description INSIDE
- duplex auto
- hw-id 00:0c:29:44:3b:19
- smp_affinity auto
- speed auto
- }
-
-In addition, Ethernet interfaces provide the extended operational commands
-`show interfaces ethernet <name> physical` and `show interfaces ethernet <name>
-statistics`. Statistics available are driver dependent.
-
-.. code-block:: sh
-
- vyos@vyos:~$ show interfaces ethernet eth0 physical
- Settings for eth0:
- Supported ports: [ TP ]
- Supported link modes: 10baseT/Half 10baseT/Full
- 100baseT/Half 100baseT/Full
- 1000baseT/Full
- Supports auto-negotiation: Yes
- Advertised link modes: 10baseT/Half 10baseT/Full
- 100baseT/Half 100baseT/Full
- 1000baseT/Full
- Advertised pause frame use: No
- Advertised auto-negotiation: Yes
- Speed: 1000Mb/s
- Duplex: Full
- Port: Twisted Pair
- PHYAD: 0
- Transceiver: internal
- Auto-negotiation: on
- MDI-X: Unknown
- Supports Wake-on: d
- Wake-on: d
- Current message level: 0x00000007 (7)
- Link detected: yes
- driver: e1000
- version: 7.3.21-k8-NAPI
- firmware-version:
- bus-info: 0000:02:01.0
-
- vyos@vyos:~$ show interfaces ethernet eth0 statistics
- NIC statistics:
- rx_packets: 3530
- tx_packets: 2179
- [...]
-
-VLAN Sub-Interfaces (802.1Q)
-----------------------------
-
-802.1Q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The
-term used for this is `vif`. Configuration of a tagged sub-interface is
-accomplished using the configuration command `set interfaces ethernet <name>
-vif <vlan-id>`.
-
-.. code-block:: sh
-
- set interfaces ethernet eth1 vif 100 description 'VLAN 100'
- set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'
- set interfaces ethernet eth1 vif 100 address '2001:db8:100::1/64'
-
-Resulting in:
-
-.. code-block:: sh
-
- ethernet eth1 {
- address 192.168.100.1/24
- address 2001:db8:100::1/64
- description INSIDE
- duplex auto
- hw-id 00:0c:29:44:3b:19
- smp_affinity auto
- speed auto
- vif 100 {
- address 192.168.100.1/24
- description "VLAN 100"
- }
- }
-
-VLAN interfaces are shown as `<name>.<vlan-id>`, e.g. `eth1.100`:
-
-.. code-block:: sh
-
- vyos@vyos:~$ show interfaces
- Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
- Interface IP Address S/L Description
- --------- ---------- --- -----------
- eth0 172.16.51.129/24 u/u OUTSIDE
- eth1 192.168.0.1/24 u/u INSIDE
- eth1.100 192.168.100.1/24 u/u VLAN 100
- lo 127.0.0.1/8 u/u
- ::1/128
-
-Bridging
---------
-
-Interfaces in VyOS can be bridged together to provide software switching of
-Layer-2 traffic.
-
-A bridge is created when a bridge interface is defined. In the example below
-we will be creating a bridge for VLAN 100 and assigning a VIF to the bridge.
-
-.. code-block:: sh
-
- set interfaces bridge 'br100'
- set interfaces ethernet eth1 vif 100 bridge-group bridge br100
-
-Interfaces assigned to a bridge-group do not have address configuration. An IP
-address can be assigned to the bridge interface itself, however, like any
-normal interface.
-
-.. code-block:: sh
-
- set interfaces bridge br100 address '192.168.100.1/24'
- set interfaces bridge br100 address '2001:db8:100::1/64'
-
-Example Result:
-
-.. code-block:: sh
-
- bridge br100 {
- address 192.168.100.1/24
- address 2001:db8:100::1/64
- }
- [...]
- ethernet eth1 {
- [...]
- vif 100 {
- bridge-group {
- bridge br100
- }
- }
- }
-
-In addition to normal IP interface configuration, bridge interfaces support
-Spanning-Tree Protocol. STP is disabled by default.
-
-.. note:: Please use caution when introducing spanning-tree protocol on a
- network as it may result in topology changes.
-
-To enable spanning-tree use the `set interfaces bridge <name> stp true` command:
-
-.. code-block:: sh
-
- set interfaces bridge br100 stp true
-
-STP `priority`, `forwarding-delay`, `hello-time`, and `max-age` can be
-configured for the bridge-group. The MAC aging time can also be configured
-using the `aging` directive.
-
-For member interfaces, the bridge-group `priority` and `cost` can be configured.
-
-The `show bridge` operational command can be used to display configured bridges:
-
-.. code-block:: sh
-
- vyos@vyos:~$ show bridge
- bridge name bridge id STP enabled interfaces
- br100 0000.000c29443b19 yes eth1.100
-
-If spanning-tree is enabled, the `show bridge <name> spanning-tree` command
-can be used to show STP configuration:
-
-.. code-block:: sh
-
- vyos@vyos:~$ show bridge br100 spanning-tree
- br100
- bridge id 0000.000c29443b19
- designated root 0000.000c29443b19
- root port 0 path cost 0
- max age 20.00 bridge max age 20.00
- hello time 2.00 bridge hello time 2.00
- forward delay 15.00 bridge forward delay 15.00
- ageing time 300.00
- hello timer 0.47 tcn timer 0.00
- topology change timer 0.00 gc timer 64.63
- flags
-
- eth1.100 (1)
- port id 8001 state forwarding
- designated root 0000.000c29443b19 path cost 4
- designated bridge 0000.000c29443b19 message age timer 0.00
- designated port 8001 forward delay timer 0.00
- designated cost 0 hold timer 0.00
- flags
-
-The MAC address-table for a bridge can be displayed using the `show bridge
-<name> macs` command:
-
-.. code-block:: sh
-
- vyos@vyos:~$ show bridge br100 macs
- port no mac addr is local? ageing timer
- 1 00:0c:29:44:3b:19 yes 0.00
-
-Bonding
--------
-
-You can combine (aggregate) 2 or more physical interfaces into a single
-logical one. It's called bonding, or LAG, or ether-channel, or port-channel.
-
-Create interface bondX, where X is just a number:
-
-.. code-block:: sh
-
- set interfaces bonding bond0 description 'my-sw1 int 23 and 24'
-
-You are able to choose a hash policy:
-
-.. code-block:: sh
-
- vyos@vyos# set interfaces bonding bond0 hash-policy
- Possible completions:
- layer2 use MAC addresses to generate the hash (802.3ad)
- layer2+3 combine MAC address and IP address to make hash
- layer3+4 combine IP address and port to make hash
-
-For example:
-
-.. code-block:: sh
-
- set interfaces bonding bond0 hash-policy 'layer2'
-
-You may want to set IEEE 802.3ad Dynamic link aggregation (802.3ad) AKA LACP
-(don't forget to setup it on the other end of these links):
-
-.. code-block:: sh
-
- set interfaces bonding bond0 mode '802.3ad'
-
-or some other modes:
-
-.. code-block:: sh
-
- vyos@vyos# set interfaces bonding bond0 mode
- Possible completions:
- 802.3ad IEEE 802.3ad Dynamic link aggregation (Default)
- active-backup
- Fault tolerant: only one slave in the bond is active
- broadcast Fault tolerant: transmits everything on all slave interfaces
- round-robin Load balance: transmit packets in sequential order
- transmit-load-balance
- Load balance: adapts based on transmit load and speed
- adaptive-load-balance
- Load balance: adapts based on transmit and receive plus ARP
- xor-hash Load balance: distribute based on MAC address
-
-Now bond some physical interfaces into bond0:
-
-.. code-block:: sh
-
- set interfaces ethernet eth0 bond-group 'bond0'
- set interfaces ethernet eth0 description 'member of bond0'
- set interfaces ethernet eth1 bond-group 'bond0'
- set interfaces ethernet eth1 description 'member of bond0'
-
-After a commit you may treat bond0 as almost a physical interface (you can't
-change its` duplex, for example) and assign IPs or VIFs on it.
-
-You may check the result:
-
-.. code-block:: sh
-
- vyos@vyos# run sh interfaces bonding
- Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
- Interface IP Address S/L Description
- --------- ---------- --- -----------
- bond0 - u/u my-sw1 int 23 and 24
- bond0.10 192.168.0.1/24 u/u office-net
- bond0.100 10.10.10.1/24 u/u management-net
-
-Tunnel Interfaces
------------------
-
-Set Virtual Tunnel interface
-
-.. code-block:: sh
-
- set interfaces vti vti0 address 192.168.2.249/30
- set interfaces vti vti0 address 2001:db8:2::249/64
-
-Results in:
-
-.. code-block:: sh
-
- vyos@vyos# show interfaces vti
- vti vti0 {
- address 192.168.2.249/30
- address 2001:db8:2::249/64
- description "Description"
- }
-
-WireGuard VPN Interface
------------------------
-
-WireGuard_ is an extremely simple yet fast and modern VPN that utilizes
-state-of-the-art cryptography. See https://www.wireguard.com for more
-information.
-
-Configuration
-^^^^^^^^^^^^^
-
-Generate the keypair, which creates a public and private part and stores it
-within VyOS.
-
-.. code-block:: sh
-
- wg01:~$ configure
- wg01# run generate wireguard keypair
-
-The public key is being shared with your peer(s), your peer will encrypt all
-traffic to your system using this public key.
-
-.. code-block:: sh
-
- wg01# run show wireguard pubkey
- u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk=
-
-The next step is to configure your local side as well as the policy based
-trusted destination addresses. If you only initiate a connection, the listen
-port and endpoint is optional, if you however act as a server and endpoints
-initiate the connections to your system, you need to define a port your clients
-can connect to, otherwise it's randomly chosen and may make it difficult with
-firewall rules, since the port may be a different one when you reboot your
-system.
-
-You will also need the public key of your peer as well as the network(s) you
-want to tunnel (allowed-ips) to configure a wireguard tunnel. The public key
-below is always the public key from your peer, not your local one.
-
-**local side**
-
-.. code-block:: sh
-
- set interfaces wireguard wg01 address '10.1.0.1/24'
- set interfaces wireguard wg01 description 'VPN-to-wg02'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.2.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.142:12345'
- set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
- set interfaces wireguard wg01 port '12345'
- set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
-
-The last step is to define an interface route for 10.2.0.0/24 to get through
-the wireguard interface `wg01`. Multiple IPs or networks can be defined and
-routed, the last check is allowed-ips which either prevents or allows the
-traffic.
-
-**remote side**
-
-.. code-block:: sh
-
- set interfaces wireguard wg01 address '10.2.0.1/24'
- set interfaces wireguard wg01 description 'VPN-to-wg01'
- set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.1.0.0/24'
- set interfaces wireguard wg01 peer to-wg02 endpoint '192.168.0.124:12345'
- set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
- set interfaces wireguard wg01 port '12345'
- set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
-
-Assure that your firewall rules allow the traffic, in which case you have a
-working VPN using wireguard.
-
-.. code-block:: sh
-
- wg01# ping 10.2.0.1
- PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
- 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=1.16 ms
- 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.77 ms
-
- wg02# ping 10.1.0.1
- PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
- 64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=4.40 ms
- 64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.02 ms
-
-An additional layer of symmetric-key crypto can be used on top of the
-asymmetric crypto, which is optional.
-
-.. code-block:: sh
-
- wg01# run generate wireguard preshared-key
- rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc=
-
-Copy the key, it is not stored on the local file system. Make sure you
-distribute that key in a safe manner, it's a symmatric key, so only you and
-your peer should have knowledge if its content.
-
-.. code-block:: sh
-
- wg01# set interfaces wireguard wg01 peer to-wg02 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
- wg02# set interfaces wireguard wg01 peer to-wg01 preshared-key 'rvVDOoc2IYEnV+k5p7TNAmHBMEGTHbPU8Qqg8c/sUqc='
-
-.. _RFC4862: https://tools.ietf.org/html/rfc4862
-.. _RFC4291: http://tools.ietf.org/html/rfc4291#section-2.5.1
-.. _WireGuard: https://www.wireguard.com