Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/highavailability/index.rst | 47
-rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 15
-rw-r--r-- | docs/configuration/interfaces/l2tpv3.rst | 2
-rw-r--r-- | docs/configuration/interfaces/openvpn.rst | 87
-rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 6
-rw-r--r-- | docs/configuration/loadbalancing/wan.rst | 2
-rw-r--r-- | docs/configuration/nat/nat44.rst | 70
-rw-r--r-- | docs/configuration/protocols/bfd.rst | 3
-rw-r--r-- | docs/configuration/protocols/ospf.rst | 149
-rw-r--r-- | docs/configuration/service/dhcp-relay.rst | 8
-rw-r--r-- | docs/configuration/service/dns.rst | 6
-rw-r--r-- | docs/configuration/service/pppoe-server.rst | 6
-rw-r--r-- | docs/configuration/system/login.rst | 116
13 files changed, 421 insertions, 96 deletions
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index bc8aad99..2f20e783 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -229,8 +229,8 @@ is needed. .. cfgcmd:: set high-availability vrrp global-parameters startup_delay <1-600> -This option specifies a delay in seconds before vrrp instances start up after -keepalived starts. + This option specifies a delay in seconds before vrrp instances start up + after keepalived starts. Gratuitous ARP -------------- @@ -242,20 +242,19 @@ need to configure it. But if necessary, Gratuitous ARP can be configured in .. cfgcmd:: set high-availability vrrp global-parameters garp interval <0.000-1000> -.. cfgcmd:: set high-availability vrrp group <name> garp interval - <0.000-1000> +.. cfgcmd:: set high-availability vrrp group <name> garp interval <0.000-1000> + + Set delay between gratuitous ARP messages sent on an interface. + + 0 if not defined. -Set delay between gratuitous ARP messages sent on an interface. 0 if not -defined. +.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay <1-255> -.. cfgcmd:: set high-availability vrrp global-parameters garp master-delay - <1-255> +.. cfgcmd:: set high-availability vrrp group <name> garp master-delay <1-255> -.. cfgcmd:: set high-availability vrrp group <name> garp master-delay - <1-255> + Set delay for second set of gratuitous ARPs after transition to MASTER. -Set delay for second set of gratuitous ARPs after transition to MASTER. 5 if -not defined. + 5 if not defined. .. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh <1-600> 
@@ -263,8 +262,9 @@ not defined. .. cfgcmd:: set high-availability vrrp group <name> garp master-refresh <1-600> -Set minimum time interval for refreshing gratuitous ARPs while MASTER. 0 if -not defined, which means no refreshing. + Set minimum time interval for refreshing gratuitous ARPs while MASTER. + + 0 if not defined, which means no refreshing. .. cfgcmd:: set high-availability vrrp global-parameters garp master-refresh-repeat <1-600> @@ -272,8 +272,9 @@ not defined, which means no refreshing. .. cfgcmd:: set high-availability vrrp group <name> garp master-refresh-repeat <1-600> -Set number of gratuitous ARP messages to send at a time while MASTER. 1 if not -defined. + Set number of gratuitous ARP messages to send at a time while MASTER. + + 1 if not defined. .. cfgcmd:: set high-availability vrrp global-parameters garp master-repeat <1-600> @@ -281,8 +282,18 @@ defined. .. cfgcmd:: set high-availability vrrp group <name> garp master-repeat <1-600> -Set number of gratuitous ARP messages to send at a time after transition to -MASTER. 5 if not defined. + Set number of gratuitous ARP messages to send at a time after transition to + MASTER. + + 5 if not defined. + +Version +------- + +.. cfgcmd:: set high-availability vrrp global-parameters version 2|3 + + Set the default VRRP version to use. This defaults to 2, but IPv6 instances + will always use version 3. Scripting --------- diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 4eb1b5f4..bbf52112 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst 
@@ -53,21 +53,6 @@ Ethernet options VyOS default will be `auto`. -.. cfgcmd:: set interfaces ethernet <interface> mirror <interface> - - Use this command to mirror the inbound traffic from one Ethernet interface to - another interface. This feature is typically used to provide a copy of traffic - inbound on one interface to a system running a monitoring or IPS application - on another interface. The benefit of mirroring the traffic is that the - application is isolated from the source traffic and so application processing - does not affect the traffic or the system performance. - - Example: - - .. code-block:: none - - set interfaces ethernet eth0 mirror eth1 - Offloading ---------- diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 897e38dc..4fa47199 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -24,7 +24,7 @@ not be re-engineered in or on top of L2TPv3 in later products. The protocol overhead of L2TPv3 is also significantly bigger than MPLS. -L2TPv3 is described in :rfc:`3921`. +L2TPv3 is described in :rfc:`3931`. ************* Configuration diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 5850591c..c0019577 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
@@ -48,8 +48,8 @@ Site-to-site mode supports x.509 but doesn't require it and can also work with static keys, which is simpler in many cases. In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. -First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` -command. Once generated, you will need to install this key on the local system, +First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` +command. Once generated, you will need to install this key on the local system, then copy and install this key to the remote router. In our example, we used the key name ``openvpn-1`` which we will reference @@ -82,7 +82,7 @@ Local Configuration: Configure mode commands to install OpenVPN key: set pki openvpn shared-secret openvpn-1 key 'generated_key_string' set pki openvpn shared-secret openvpn-1 version '1' - + set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel 
@@ -97,13 +97,13 @@ Local Configuration - Annotated: .. code-block:: none - run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. - The generated secret is the output to + run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. + The generated secret is the output to the console. Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to + set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to the console. - set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to + set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to the console. set interfaces openvpn vtun1 mode site-to-site @@ -138,7 +138,7 @@ Remote Configuration - Annotated: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret + set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret (from the Local Configuration Block). set pki openvpn shared-secret openvpn-1 version '1' @@ -304,8 +304,8 @@ closing on connection resets or daemon reloads. set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol udp -Then we need to generate, add and specify the names of the cryptographic materials. -Each of the install command should be applied to the configuration and commited +Then we need to generate, add and specify the names of the cryptographic materials. +Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration. .. code-block:: none 
@@ -314,18 +314,18 @@ before using under the openvpn interface configuration. Configure mode commands to install: set pki ca ca-1 certificate 'generated_cert_string' set pki ca ca-1 private key 'generated_private_key' - + run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert. Configure mode commands to install: set pki certificate srv-1 certificate 'generated_server_cert' set pki certificate srv-1 private key 'generated_private_key' - - run generate pki dh install dh-1 # Follow the instructions to generate set of + + run generate pki dh install dh-1 # Follow the instructions to generate set of Diffie-Hellman parameters. Generating parameters... Configure mode commands to install DH parameters: set pki dh dh-1 parameters 'generated_dh_params_set' - + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate srv-1 set interfaces openvpn vtun10 tls dh-params dh-1 
@@ -361,18 +361,18 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static route 10.23.0.0/20 interface vtun10 Additionally, each client needs a copy of ca cert and its own client key and -cert files. The files are plaintext so they may be copied either manually from the CLI. -Client key and cert files should be signed with the proper ca cert and generated on the -server side. +cert files. The files are plaintext so they may be copied either manually from the CLI. +Client key and cert files should be signed with the proper ca cert and generated on the +server side. HQ's router requires the following steps to generate crypto materials for the Branch 1: .. code-block:: none - - run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client + + run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client cert for Branch 1 Configure mode commands to install: - + Branch 1's router might have the following lines: .. code-block:: none @@ -380,7 +380,7 @@ Branch 1's router might have the following lines: set pki ca ca-1 certificate 'generated_cert_string' # CA cert generated on HQ router set pki certificate branch-1 certificate 'generated_branch_cert' # Client cert generated and signed on HQ router set pki certificate branch-1 private key 'generated_private_key' # Client cert key generated on HQ router - + set interfaces openvpn vtun10 tls ca-cert ca-1 set interfaces openvpn vtun10 tls certificate branch-1 @@ -513,6 +513,7 @@ example: } } + ****** Client ****** 
@@ -600,6 +601,50 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes using the ``"`` statement. +********************************** +OpenVPN Data Channel Offload (DCO) +********************************** + +OpenVPN Data Channel Offload (DCO) enables significant performance enhancement +in encrypted OpenVPN data processing. By minimizing context switching for each +packet, DCO effectively reduces overhead. This optimization is achieved by +keeping most data handling tasks within the kernel, avoiding frequent switches +between kernel and user space for encryption and packet handling. + +As a result, the processing of each packet becomes more efficient, potentially +leveraging hardware encryption offloading support available in the kernel. + +.. note:: OpenVPN DCO is not full OpenVPN features supported , is currently + considered experimental. Furthermore, there are certain OpenVPN features and + use cases that remain incompatible with DCO. To get a comprehensive + understanding of the limitations associated with DCO, refer to the list of + known limitations in the documentation. + + https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features + + +Enabling OpenVPN DCO +==================== + +DCO support is a per-tunnel option and it is not automatically enabled by +default for new or upgraded tunnels. Existing tunnels will continue to function +as they have in the past. + +DCO can be enabled for both new and existing tunnels,VyOS adds an option in each +tunnel configuration where we can enable this function .The current best +practice is to create a new tunnel with DCO to minimize the chance of problems +with existing clients. + +.. cfgcmd:: set interfaces openvpn <name> offload dco + + Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel + module. + + Disabled by default - no kernel module loaded. + + .. note:: Enable this feature causes an interface reset. + + Troubleshooting =============== 
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 24f26af0..04b612f5 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -1,9 +1,8 @@ -.. _load-balancing: - ############# Reverse-proxy ############# + .. include:: /_include/need_improvement.txt VyOS reverse-proxy is balancer and proxy server that provides @@ -65,7 +64,8 @@ perform action accordingly. * ``req-ssl-sni`` SSL Server Name Indication (SNI) request match * ``ssl-fc-sni`` SSL frontend connection Server Name Indication match * ``ssl-fc-sni-end`` SSL frontend match end of connection Server Name - Indication + + Indication .. cfgcmd:: set load-balancing reverse-proxy service <name> rule <rule> url-path <match> <url> diff --git a/docs/configuration/loadbalancing/wan.rst b/docs/configuration/loadbalancing/wan.rst index 18f01347..745cd8c2 100644 --- a/docs/configuration/loadbalancing/wan.rst +++ b/docs/configuration/loadbalancing/wan.rst @@ -1,7 +1,5 @@ :lastproofread: 2023-01-27 -.. _load-balancing: - WAN load balancing ================== diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index b2ba61af..9aeb581e 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst 
@@ -273,6 +273,42 @@ Example: set nat destination rule 10 translation address 192.0.2.10 +Also, in :ref:`destination-nat`, redirection to localhost is supported. +The redirect statement is a special form of dnat which always translates +the destination address to the local host’s one. + +Example of redirection: + +.. code-block:: none + + set nat destination rule 10 translation redirect port 22 + +NAT Load Balance +---------------- + +Advanced configuration can be used in order to apply source or destination NAT, +and within a single rule, be able to define multiple translated addresses, +so NAT balances the translations among them. + +NAT Load Balance uses an algorithm that generates a hash and based on it, then +it applies corresponding translation. This hash can be generated randomly, or +can use data from the ip header: source-address, destination-address, +source-port and/or destination-port. By default, it will generate the hash +randomly. + +When defining the translated address, called ``backends``, a ``weight`` must +be configured. This lets the user define load balance distribution according +to their needs. Them sum of all the weights defined for the backends should +be equal to 100. In oder words, the weight defined for the backend is the +percentage of the connections that will receive such backend. + +.. cfgcmd:: set nat [source | destination] rule <rule> load-balance hash + [source-address | destination-address | source-port | destination-port + | random] +.. cfgcmd:: set nat [source | destination] rule <rule> load-balance backend + <x.x.x.x> weight <1-100> + + Configuration Examples ====================== 
@@ -592,6 +628,40 @@ provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. +Load Balance +------------ +Here we provide two examples on how to apply NAT Load Balance. + +First scenario: apply destination NAT for all HTTP traffic comming through +interface eth0, and user 4 backends. First backend should received 30% of +the request, second backend should get 20%, third 15% and the fourth 35% +We will use source and destination address for hash generation. + +.. code-block:: none + + set nat destination rule 10 inbound-interface eth0 + set nat destination rule 10 protocol tcp + set nat destination rule 10 destination port 80 + set nat destination rule 10 load-balance hash source-address + set nat destination rule 10 load-balance hash destination-address + set nat destination rule 10 laod-balance backend 198.51.100.101 weight 30 + set nat destination rule 10 laod-balance backend 198.51.100.102 weight 20 + set nat destination rule 10 laod-balance backend 198.51.100.103 weight 15 + set nat destination rule 10 laod-balance backend 198.51.100.104 weight 35 + +Second scenario: apply source NAT for all outgoing connections from +LAN 10.0.0.0/8, using 3 public addresses and equal distribution. +We will generate the hash randomly. + +.. code-block:: none + + set nat source rule 10 outbound-interface eth0 + set nat source rule 10 source address 10.0.0.0/8 + set nat source rule 10 load-balance hash random + set nat source rule 10 load-balance backend 192.0.2.251 weight 33 + set nat source rule 10 load-balance backend 192.0.2.252 weight 33 + set nat source rule 10 load-balance backend 192.0.2.253 weight 34 + Example Network ^^^^^^^^^^^^^^^ diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index 260e86fb..496c0cf9 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst 
@@ -168,6 +168,9 @@ Configuration , use source address to indentify the peer when is multi-hop session and the gateway address as BFD peer destination address. + +.. _BFD Operational Commands: + Operational Commands ==================== diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 089f30a1..e360d86a 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -38,12 +38,12 @@ starts when the first ospf enabled interface is configured. specified in decimal notation in the range from 0 to 4294967295. Or it can be specified in dotted decimal notation similar to ip address. - Prefix length in interface must be equal or bigger (i.e. smaller network) + Prefix length in interface must be equal or bigger (i.e. smaller network) than prefix length in network statement. For example statement above doesn't - enable ospf on interface with address 192.168.1.1/23, but it does on + enable ospf on interface with address 192.168.1.1/23, but it does on interface with address 192.168.1.129/25. - In some cases it may be more convenient to enable OSPF on a per + In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface <interface> area <x.x.x.x | x>` 
@@ -196,12 +196,23 @@ Optional requires for LDP to be functional. This is described in :rfc:`5443`. By default all interfaces operational in OSPF are enabled for synchronization. Loopbacks are exempt. - + .. cfgcmd:: set protocols ospf ldp-sync holddown <seconds> This command will change the hold down value globally for IGP-LDP - synchronization during convergence/interface flap events. + synchronization during convergence/interface flap events. + +.. cfgcmd:: set protocols ospf capability opaque + + ospfd supports Opaque LSA :rfc:`2370` as partial support for MPLS Traffic + Engineering LSAs. The opaque-lsa capability must be enabled in the + configuration. + + An alternate command could be "mpls-te on" (Traffic Engineering) + .. note:: FRR offers only partial support for some of the routing + protocol extensions that are used with MPLS-TE; it does not + support a complete RSVP-TE solution. Area Configuration ------------------ @@ -290,15 +301,15 @@ Area Configuration intra area paths from this range are not advertised into other areas. This command makes sense in ABR only. -.. cfgcmd:: set protocols ospf area <number> export-list <acl_number> +.. cfgcmd:: set protocols ospf area <number> export-list <acl_number> - Filter Type-3 summary-LSAs announced to other areas originated from + Filter Type-3 summary-LSAs announced to other areas originated from intra- area paths from specified area. This command makes sense in ABR only. -.. cfgcmd:: set protocols ospf area <number> import-list <acl_number> +.. cfgcmd:: set protocols ospf area <number> import-list <acl_number> - Same as export-list, but it applies to paths announced into specified + Same as export-list, but it applies to paths announced into specified area as Type-3 summary-LSAs. This command makes sense in ABR only. 
@@ -459,6 +470,69 @@ Interface Configuration This command will change the hold down value for IGP-LDP synchronization during convergence/interface flap events, but for this interface only. +External Route Summarisation +---------------------------- + +This feature summarises originated external LSAs (Type-5 and Type-7). Summary +Route will be originated on-behalf of all matched external LSAs. + +.. cfgcmd:: set protocols ospf aggregation timer <seconds> + + Configure aggregation delay timer interval. + + Summarisation starts only after this delay timer expiry. + +.. cfgcmd:: set protocols ospf summary-address x.x.x.x/y [tag (1-4294967295)] + + This command enable/disables summarisation for the configured address range. + + Tag is the optional parameter. If tag configured Summary route will be + originated with the configured tag. + +.. cfgcmd:: set protocols ospf summary-address x.x.x.x/y no-advertise + + This command to ensure not advertise the summary lsa for the matched + external LSAs. + +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospf graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospf graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. 
cfgcmd:: set protocols ospf graceful-restart helper no-strict-lsa-checking + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospf graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospf graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. + Manual Neighbor Configuration ----------------------------- @@ -627,7 +701,7 @@ Operational Mode Commands .. opcmd:: show ip ospf route [detail] This command displays the OSPF routing table, as determined by the most - recent SPF calculation. With the optional :cfgcmd:`detail` argument, + recent SPF calculation. With the optional :cfgcmd:`detail` argument, each route item's advertiser router and network attribute will be shown. .. code-block:: none @@ -903,7 +977,7 @@ a holddown timer of zero seconds: Holddown timer in seconds: 0 State: Sync achieved - + Enable OSPF with Segment Routing (Experimental): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -914,7 +988,7 @@ Enable OSPF with Segment Routing (Experimental): set interfaces loopback lo address 10.1.1.1/32 set interfaces ethernet eth0 address 192.168.0.1/24 - + set protocols ospf area 0 network '192.168.0.0/24' set protocols ospf area 0 network '10.1.1.1/32' set protocols ospf parameters opaque-lsa @@ -930,7 +1004,7 @@ Enable OSPF with Segment Routing (Experimental): set interfaces loopback lo address 10.1.1.2/32 set interfaces ethernet eth0 address 192.168.0.2/24 - + set protocols ospf area 0 network '192.168.0.0/24' set protocols ospf area 0 network '10.1.1.2/32' set protocols ospf parameters opaque-lsa 
@@ -1009,7 +1083,7 @@ General VyOS does not have a special command to start the OSPFv3 process. The OSPFv3 process starts when the first ospf enabled interface is configured. -.. cfgcmd:: set protocols ospfv3 interface <interface> area <number> +.. cfgcmd:: set protocols ospfv3 interface <interface> area <number> This command specifies the OSPFv3 enabled interface. This command is also used to enable the OSPF process. The area number can be specified in @@ -1132,6 +1206,45 @@ Interface Configuration .. _ospf:v3_redistribution_config: +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospfv3 graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper lsa-check-disable + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. + Redistribution Configuration ---------------------------- 
@@ -1206,7 +1319,7 @@ A typical configuration using 2 nodes. .. code-block:: none - set protocols ospfv3 interface eth1 area 0.0.0.0 + set protocols ospfv3 interface eth1 area 0.0.0.0 set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64 set protocols ospfv3 parameters router-id 192.168.1.1 set protocols ospfv3 redistribute connected @@ -1215,7 +1328,7 @@ A typical configuration using 2 nodes. .. code-block:: none - set protocols ospfv3 interface eth1 area 0.0.0.0 + set protocols ospfv3 interface eth1 area 0.0.0.0 set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64 set protocols ospfv3 parameters router-id 192.168.2.1 set protocols ospfv3 redistribute connected @@ -1244,7 +1357,7 @@ Example configuration for WireGuard interfaces: set interfaces wireguard wg01 peer ospf02 pubkey 'ie3...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.1 - set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' area 0.0.0.0 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Node 2** @@ -1259,7 +1372,7 @@ Example configuration for WireGuard interfaces: set interfaces wireguard wg01 peer ospf01 pubkey 'NHI...=' set interfaces wireguard wg01 port '12345' set protocols ospfv3 parameters router-id 192.168.1.2 - set protocols ospfv3 interface 'wg01' area 0.0.0.0 + set protocols ospfv3 interface 'wg01' area 0.0.0.0 set protocols ospfv3 interface 'lo' area 0.0.0.0 **Status** diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index 43abf254..e1fbe1d2 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -45,6 +45,10 @@ Configuration The router should discard DHCP packages already containing relay agent information to ensure that only requests from DHCP clients are forwarded. +.. cfgcmd:: set service dhcp-relay disable + + Disable dhcp-relay service. + Options ------- 
@@ -146,6 +150,10 @@ Configuration .. _dhcp-relay:ipv6_options: +.. cfgcmd:: set service dhcpv6-relay disable + + Disable dhcpv6-relay service. + Options ------- diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst index 92677d86..c96c0ab4 100644 --- a/docs/configuration/service/dns.rst +++ b/docs/configuration/service/dns.rst @@ -251,6 +251,12 @@ Configuration Configure optional TTL value on the given resource record. This defaults to 600 seconds. +.. cfgcmd:: set service dns dynamic timeout <60-3600> + + Specify timeout / update interval to check if IP address changed. + + This defaults to 300 seconds. + .. _dns:dynmaic_example: Example diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index 69e357f3..3a0adee7 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -92,13 +92,13 @@ used, multiple subnets can be setup which are used sequentially. Use this command for every pool of client IP addresses you want to define. The addresses of this pool will be given to PPPoE clients. - You must use CIDR notation and it must be within a /24 subnet. + You must use CIDR notation. .. code-block:: none set service pppoe-server client-ip-pool subnet '10.1.1.0/24' - set service pppoe-server client-ip-pool subnet '10.1.2.0/24' - set service pppoe-server client-ip-pool subnet '10.1.3.0/24' + set service pppoe-server client-ip-pool subnet '10.1.2.0/23' + set service pppoe-server client-ip-pool subnet '10.1.4.0/22' **RADIUS based IP pools (Framed-IP-Address)** diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index d920afe3..bb7bdc86 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst 
@@ -82,8 +82,8 @@ The third part is simply an identifier, and is for your own reference. <identifier> options <options> Set the options for this public key. See the ssh ``authorized_keys`` man - page for details of what you can specify here. To place a ``"`` - character in the options field, use ``"``, for example + page for details of what you can specify here. To place a ``"`` + character in the options field, use ``"``, for example ``from="10.0.0.0/24"`` to restrict where the user may connect from when using this key. @@ -189,7 +189,7 @@ Display OTP key for user To display the configured OTP user key, use the command: -.. cfgcmd:: sh system login authentication user <username> otp +.. cfgcmd:: sh system login authentication user <username> otp <full|key-b32|qrcode|uri> An example: 
@@ -242,35 +242,92 @@ Configuration .. cfgcmd:: set system login radius server <address> key <secret> - Specify the `<address>` of the RADIUS server user with the pre-shared-secret - given in `<secret>`. Multiple servers can be specified. + Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret + given in `<secret>`. + + Multiple servers can be specified. .. cfgcmd:: set system login radius server <address> port <port> Configure the discrete port under which the RADIUS server can be reached. - This defaults to 1812. - -.. cfgcmd:: set system login radius server <address> timeout <timeout> - Setup the `<timeout>` in seconds when querying the RADIUS server. + This defaults to 1812. .. cfgcmd:: set system login radius server <address> disable Temporary disable this RADIUS server. It won't be queried. +.. cfgcmd:: set system login radius server <address> timeout <timeout> + + Setup the `<timeout>` in seconds when querying the RADIUS server. + .. cfgcmd:: set system login radius source-address <address> RADIUS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each RADIUS query can be - configured. If this is not set, incoming connections to the RADIUS server - will use the nearest interface address pointing towards the server - making - it error prone on e.g. OSPF networks when a link fails and a backup route is - taken. + configured. + + If unset, incoming connections to the RADIUS server will use the nearest + interface address pointing towards the server - making it error prone on + e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login radius vrf <name> + + Source all connections to the RADIUS servers from given VRF `<name>`. .. hint:: If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. 
Without the attribute you will only get regular, non privilegued, system users. +TACACS+ +======= + +In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, +:abbr:`TACACS (Terminal Access Controller Access Control System)` can also be +found in large deployments. + +TACACS is defined in :rfc:`8907`. + +.. _TACACS Configuration: + +Configuration +------------- + +.. cfgcmd:: set system login tacas server <address> key <secret> + + Specify the IP `<address>` of the TACACS server user with the pre-shared-secret + given in `<secret>`. + + Multiple servers can be specified. + +.. cfgcmd:: set system login tacas server <address> port <port> + + Configure the discrete port under which the TACACS server can be reached. + + This defaults to 49. + +.. cfgcmd:: set system login tacas server <address> disable + + Temporary disable this TACACS server. It won't be queried. + +.. cfgcmd:: set system login tacas server <address> timeout <timeout> + + Setup the `<timeout>` in seconds when querying the TACACS server. + +.. cfgcmd:: set system login tacas source-address <address> + + TACACS servers could be hardened by only allowing certain IP addresses to + connect. As of this the source address of each TACACS query can be + configured. + + If unset, incoming connections to the TACACS server will use the nearest + interface address pointing towards the server - making it error prone on + e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login tacas vrf <name> + + Source all connections to the TACACS servers from given VRF `<name>`. + Login Banner ============ @@ -299,13 +356,13 @@ Login limits Set a limit on the maximum number of concurrent logged-in users on the system. - This option should be used with ``timeout`` option. + + This option must be used with ``timeout`` option. .. cfgcmd:: set system login timeout <timeout> Configure session timeout after which the user will be logged out. - Example ======= 
@@ -326,3 +383,32 @@ the password. set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2 set system login user vyos authentication plaintext-password vyos + +TACACS Example +-------------- + +We use a vontainer providing the TACACS serve rin this example. + +Load the container image in op-mode. + +.. code-block:: none + + add container image lfkeitel/tacacs_plus:latest + +.. code-block:: none + + set container network tac-test prefix '100.64.0.0/24' + + set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' + set container name tacacs1 network tac-test address '100.64.0.11' + + set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' + set container name tacacs2 network tac-test address '100.64.0.12' + + set system login tacacs server 100.64.0.11 key 'tac_plus_key' + set system login tacacs server 100.64.0.12 key 'tac_plus_key' + + commit + +You can now SSH into your system using admin/admin as a default user supplied +from the ``lfkeitel/tacacs_plus:latest`` container.
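Review bot: In the ``-82,8 +82,8`` hunk the two replaced lines are indistinguishable from the removed ones in the visible text (both read "To place a ``"`` character in the options field, use ``"``"), so the intended fix is not apparent and the sentence still reads as a tautology; reword it to say what the reader should actually type, leaning on the example that is already there (the ``from="10.0.0.0/24"`` form), and confirm the rendered output before merging.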
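Review bot: In the ``-189,7 +189,7`` hunk the new ``<full|key-b32|qrcode|uri>`` argument on ``sh system login authentication user <username> otp`` is added without a word on what each form outputs; add one line per option (which of them print the raw secret, which render it for an authenticator app) and, since the command displays the configured OTP key, a short remark that the output is the shared secret and should be treated as sensitive, not pasted into tickets or logs.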
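Review bot: In the ``-242,35 +242,92`` hunk every new TACACS+ directive uses the path ``set system login tacas ...`` while the example added later in this same patch uses ``set system login tacacs server ...``; one of the two is wrong and a reader copying the directive form will get a rejected command, so use the CLI's real node name (the example suggests ``tacacs``) in all six directives. Smaller points in the same hunk: "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret" (and its TACACS copy) should read "of the RADIUS server, using the pre-shared secret"; "Temporary disable this ... server" should be "Temporarily disable"; "essential to sent" should be "essential to send" and "non privilegued" should be "non-privileged"; and the new TACACS section says nothing about how a user obtains admin rights, whereas the RADIUS text has the ``shell:priv-lvl=15`` hint, so either add the TACACS equivalent or state that only regular users are created.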
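Review bot: In the ``-299,13 +356,13`` hunk changing "This option should be used with ``timeout``" to "must be used with" introduces a hard requirement without saying what happens when ``timeout`` is absent (is the commit rejected, or do idle sessions simply count against the limit until they are closed?); state the consequence, or keep "should" and explain why pairing the two is recommended.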
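Review bot: In the ``-326,3 +383,32`` hunk the second ``code-block`` holds configuration-mode commands but the only lead-in ("Load the container image in op-mode.") refers to the first block; add a sentence introducing the configuration block ("Then, in configuration mode, create the container network, the two containers and the TACACS servers:"). Typos: "vontainer" should be "container", "serve rin" should be "server in". The example also relies on the image's built-in shared secret ``tac_plus_key`` and the ``admin/admin`` account; say explicitly that these are the container's defaults, suitable only for a throwaway lab, and that a real deployment needs its own secret and accounts, otherwise anyone familiar with the image can authenticate to the system.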
