Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r-- docs/configuration/interfaces/openvpn.rst | 6
-rw-r--r-- docs/configuration/interfaces/vxlan.rst | 31
-rw-r--r-- docs/configuration/interfaces/wireguard.rst | 4
-rw-r--r-- docs/configuration/interfaces/wireless.rst | 2
4 files changed, 33 insertions, 10 deletions
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 70161e1e..d92ac080 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -71,7 +71,7 @@ In both cases, we will use the following settings: dynamic IP for our remote router. Setting up certificates ------------------------ +======================= Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, @@ -129,7 +129,7 @@ Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote Repeat the procedure on the other router. Setting up OpenVPN ------------------- +================== Local Configuration: @@ -166,7 +166,7 @@ Remote Configuration: on the local router Pre-shared keys ---------------- +=============== Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 2cb0b2f1..af00fdec 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst 
@@ -67,15 +67,36 @@ VXLAN specific options Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. -.. cfgcmd:: set interfaces vxlan <interface> external +.. cfgcmd:: set interfaces vxlan <interface> gpe + + Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only + supported together with the external keyword. + +.. cfgcmd:: set interfaces vxlan <interface> parameters external Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used. -.. cfgcmd:: set interfaces vxlan <interface> gpe +.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only - supported together with the external keyword. + In order to minimize the flooding of ARP and ND messages in the VXLAN network, + EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs + to suppress such messages in case they know the MAC-IP binding and can reply + on behalf of the remote host. + +.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning + + Specifies if unknown source link layer addresses and IP addresses are entered + into the VXLAN device forwarding database. + +.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter + + Specifies whether the VXLAN device is capable of vni filtering. + + Only works with a VXLAN device with external flag set. + + .. note:: The device can only receive packets with VNIs configured in + the VNI filtering table. Unicast ^^^^^^^ @@ -155,7 +176,7 @@ interface is no longer required for each VNI. .. code-block:: none set interfaces bridge br0 member interface vxlan0 - set interfaces vxlan vxlan0 external + set interfaces vxlan vxlan0 parameters external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' 
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 8b829b64..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -222,7 +222,7 @@ firewall exception. set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp set firewall ipv4 name OUTSIDE_LOCAL rule 20 source -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -413,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index e853a1ec..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -562,6 +562,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' + set interfaces wireless wlan0 country-code de Resulting in @@ -572,6 +573,7 @@ Resulting in wireless wlan0 { address 192.168.2.1/24 channel 1 + country-code de mode n security { wpa { |
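Review bot: in docs/configuration/interfaces/openvpn.rst, the three retitled headings ("Setting up certificates", "Setting up OpenVPN", "Pre-shared keys") now use "=" underlines, and reStructuredText assigns section levels by the order in which underline styles first appear in the file, so the result depends on headings these hunks do not show. Please confirm with a local build that all three sections land at the intended level relative to their parent heading and that no other heading in the file changes level as a side effect.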
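Review bot: in docs/configuration/interfaces/vxlan.rst (hunk at -67,15 +67,36), the "gpe" and "parameters vni-filter" descriptions still say "the external keyword" and "external flag", while this same hunk renames the command to "set interfaces vxlan <interface> parameters external"; name the full new path in both places so readers can find it. The "parameters nolearning" text says it "Specifies if" addresses are entered into the forwarding database without saying which way the setting goes; state explicitly what happens when the node is set. "vni filtering" should also be capitalised as "VNI filtering" to match the note directly below it.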
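Review bot: in docs/configuration/interfaces/wireguard.rst (hunk at -222,7), the corrected sentence still calls OUTSIDE_LOCAL a "firewall group", but the context lines define it with "set firewall ipv4 name OUTSIDE_LOCAL rule 20 ...", that is, as a named rule set; since the line is being touched anyway, use the matching term. In the hunk at -413,7, "the client where it will connect to" and "the clients specific IPv4 (/32) or IPv6 (/128) address" remain awkward after the spelling fix; suggest "the IP address or FQDN the client will connect to" and "the client's specific".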
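Review bot: in docs/configuration/interfaces/wireless.rst (hunk at -562,6), "country-code de" is added to the example commands and to the resulting configuration, but the diffstat shows only these two insertions in the file, so the list under "The WAP in this example has the following characteristics:" does not mention the country code; add an entry there so the list and the example agree. The example passphrase '12345678' in the surrounding context lines would also be better as an obvious placeholder while this block is being edited, so that it is not copied into a live configuration.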