summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/protocols/bgp.rst50
-rw-r--r--docs/configuration/vpn/l2tp.rst2
-rw-r--r--docs/configuration/vpn/sstp.rst71
3 files changed, 104 insertions, 19 deletions
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 8fc69111..3c983aae 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -209,35 +209,35 @@ Defining Peers
.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role
<role> [strict]
- BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
- add route leak prevention, detection and mitigation. The local Role
- value is negotiated with the new BGP Role capability which has a
- built-in check of the corresponding value. In case of a mismatch the
+ BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
+ add route leak prevention, detection and mitigation. The local Role
+ value is negotiated with the new BGP Role capability which has a
+ built-in check of the corresponding value. In case of a mismatch the
new OPEN Roles Mismatch Notification <2, 11> would be sent.
The correct Role pairs are:
-
+
Provider - Customer
Peer - Peer
RS-Server - RS-Client
- If :cfgcmd:`strict` is set the BGP session won’t become established
- until the BGP neighbor sets local Role on its side. This
+ If :cfgcmd:`strict` is set the BGP session won’t become established
+ until the BGP neighbor sets local Role on its side. This
configuration parameter is defined in RFC :rfc:`9234` and is used to
enforce the corresponding configuration at your counter-parts side.
-
- Routes that are sent from provider, rs-server, or the peer local-role
- (or if received by customer, rs-client, or the peer local-role) will
+
+ Routes that are sent from provider, rs-server, or the peer local-role
+ (or if received by customer, rs-client, or the peer local-role) will
be marked with a new Only to Customer (OTC) attribute.
-
+
Routes with this attribute can only be sent to your neighbor if your
local-role is provider or rs-server. Routes with this attribute can
- be received only if your local-role is customer or rs-client.
-
+ be received only if your local-role is customer or rs-client.
+
In case of peer-peer relationship routes can be received only if OTC
value is equal to your neighbor AS number.
-
+
All these rules with OTC will help to detect and mitigate route leaks
and happen automatically if local-role is set.
@@ -584,6 +584,12 @@ General Configuration
Common parameters
^^^^^^^^^^^^^^^^^
+.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop
+
+ When a peer receives a martian nexthop as part of the NLRI for a route
+ permit the nexthop to be used as such, instead of rejecting and resetting
+ the connection.
+
.. cfgcmd:: set protocols bgp parameters router-id <id>
This command specifies the router-ID. If router ID is not specified it will
@@ -598,6 +604,12 @@ Common parameters
Path (both AS number and AS path length), Origin code, MED, IGP
metric. Also, the next hop address for each path must be different.
+.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset
+
+ Do not send Hard Reset CEASE Notification for "Administrative Reset"
+ events. When set and Graceful Restart Notification capability is exchanged
+ between the peers, Graceful Restart procedures apply, and routes will be retained.
+
.. cfgcmd:: set protocols bgp parameters log-neighbor-changes
This command enable logging neighbor up/down changes and reset reason.
@@ -643,6 +655,16 @@ Common parameters
compatibility with older versions of VyOS. With this option one can
enable :rfc:`8212` functionality to operate.
+.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null |
+ ipv4-explicit-null | ipv6-explicit-null>
+
+ By default, locally advertised prefixes use the implicit-null label to
+ encode in the outgoing NLRI.
+
+ The following command uses the explicit-null label value for all the
+ BGP instances.
+
+
Administrative Distance
^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 4a7657e7..ce3b6711 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -98,7 +98,7 @@ Below is an example to configure a LNS:
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access lns shared-secret 'secret'
- set vpn l2tp remote-access ccp-disable
+ set vpn l2tp remote-access ppp-options disable-ccp
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index 2c5cef6d..a9def827 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -179,35 +179,98 @@ SSL Certificates
PPP Settings
------------
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+ Disable Compression Control Protocol (CCP).
+ CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+ Specifies number of interfaces to keep in cache. It means that don’t
+ destroy interface after corresponding session is destroyed, instead
+ place it to cache and use it later for new sessions repeatedly.
+ This should reduce kernel-level interface creation/deletion rate lack.
+ Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+ Specifies IPv4 negotiation preference.
+
+ * **require** - Require IPv4 negotiation
+ * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+ * **allow** - Negotiate IPv4 only if client requests (Default value)
+ * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
+
+ Specifies IPv6 negotiation preference.
+
+ * **require** - Require IPv6 negotiation
+ * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+ * **allow** - Negotiate IPv6 only if client requests
+ * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
+
+ Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+ Specifies fixed or random interface identifier for IPv6.
+ By default is fixed.
+
+ * **random** - Random interface identifier for IPv6
+ * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+ Specifies peer interface identifier for IPv6. By default is fixed.
+
+ * **random** - Random interface identifier for IPv6
+ * **x:x:x:x** - Specify interface identifier for IPv6
+ * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+ * **calling-sid** - Calculate interface identifier from calling-station-id.
+
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
- value `<number>`, the session will be reset.
+ value `<number>`, the session will be reset. Default value is **3**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
send LCP pings of the echo request every `<interval>` seconds.
+ Default value is **30**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
Specifies timeout in seconds to wait for any peer activity. If this option
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
- is not used.
+ is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
+
+ Defines minimum acceptable MTU. If client will try to negotiate less then
+ specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+ Default value is **100**.
.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
- Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+ Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
preference.
* **require** - ask client for mppe, if it rejects drop connection
- * **prefer** - ask client for mppe, if it rejects don't fail
+ * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
* **deny** - deny mppe
Default behavior - don't ask client for mppe, but allow it if client wants.
Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
attribute.
+.. cfgcmd:: set vpn sstp ppp-options mru <number>
+
+ Defines preferred MRU. By default is not defined.
+
RADIUS
------