Diffstat (limited to 'docs/configuration')

 -rw-r--r--  docs/configuration/interfaces/macsec.rst     |  48
 -rw-r--r--  docs/configuration/interfaces/wireless.rst   | 229
 -rw-r--r--  docs/configuration/nat/nat66.rst             |  12
 -rw-r--r--  docs/configuration/protocols/index.rst       |   1
 -rw-r--r--  docs/configuration/protocols/openfabric.rst  | 237
 -rw-r--r--  docs/configuration/system/option.rst         |  24
 -rw-r--r--  docs/configuration/system/syslog.rst         |  22

 7 files changed, 558 insertions, 15 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 0c0c052b..1ab7f361 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -236,4 +236,50 @@ the unencrypted but authenticated content. set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' - set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file + set interfaces macsec macsec1 source-interface 'eth1' + +*************** +MACsec over wan +*************** + +MACsec is an interesting alternative to existing tunneling solutions that +protects layer 2 by performing integrity, origin authentication, and optionally +encryption. The typical use case is to use MACsec between hosts and access +switches, between two hosts, or between two switches. in this example below, +we use VXLAN and MACsec to secure the tunnel. + +**R1 MACsec01** + +.. code-block:: none + + set interfaces macsec macsec1 address '192.0.2.1/24' + set interfaces macsec macsec1 address '2001:db8::1/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:01' + set interfaces vxlan vxlan1 remote '10.1.3.3' + set interfaces vxlan vxlan1 source-address '172.16.100.1' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.3.3/32 next-hop 172.16.100.2 + +**R2 MACsec02** + +.. 
code-block:: none + + set interfaces macsec macsec1 address '192.0.2.2/24' + set interfaces macsec macsec1 address '2001:db8::2/64' + set interfaces macsec macsec1 security cipher 'gcm-aes-128' + set interfaces macsec macsec1 security encrypt + set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' + set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' + set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01' + set interfaces macsec macsec1 source-interface 'vxlan1' + set interfaces vxlan vxlan1 mac '00:11:22:33:44:02' + set interfaces vxlan vxlan1 remote '10.1.2.2' + set interfaces vxlan vxlan1 source-address '172.16.100.2' + set interfaces vxlan vxlan1 vni '10' + set protocols static route 10.1.2.2/32 next-hop 172.16.100.1 diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index 695866a0..e6a29f9a 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -60,8 +60,8 @@ Wireless options .. cfgcmd:: set interfaces wireless <interface> channel <number> - Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from - 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173. + Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n/ax) channels range from + 1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 177. On 6GHz (802.11 ax) channels range from 1 to 233. .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid @@ -116,7 +116,7 @@ Wireless options * ``ac`` - 802.11ac - 1300 Mbits/sec * ``ax`` - 802.11ax - exceeds 1GBit/sec - .. note:: In VyOS, 802.11ax is only implemented for 6GHz as of yet. + .. note:: In VyOS, 802.11ax is only implemented for 2.4GHz and 6GHz. .. cfgcmd:: set interfaces wireless <interface> physical-device <device> 
@@ -164,6 +164,8 @@ PPDU HT (High Throughput) capabilities (802.11n) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Configuring HT mode options is required when using 802.11n or 802.11ax at 2.4GHz. + .. cfgcmd:: set interfaces wireless <interface> capabilities ht 40mhz-incapable Device is incapable of 40 MHz, do not advertise. This sets ``[40-INTOLERANT]`` @@ -378,11 +380,30 @@ HE (High Efficiency) capabilities (802.11ax) <number> must be one of: - * ``131`` - 20 MHz channel width - * ``132`` - 40 MHz channel width - * ``133`` - 80 MHz channel width - * ``134`` - 160 MHz channel width - * ``135`` - 80+80 MHz channel width + * ``81`` - 20 MHz channel width (2.4GHz) + * ``83`` - 40 MHz channel width, secondary 20MHz channel above primary + channel (2.4GHz) + * ``84`` - 40 MHz channel width, secondary 20MHz channel below primary + channel (2.4GHz) + * ``131`` - 20 MHz channel width (6GHz) + * ``132`` - 40 MHz channel width (6GHz) + * ``133`` - 80 MHz channel width (6GHz) + * ``134`` - 160 MHz channel width (6GHz) + * ``135`` - 80+80 MHz channel width (6GHz) + +.. cfgcmd:: set interfaces wireless <interface> + capabilities he coding-scheme <number> + + This setting configures Spacial Stream and Modulation Coding Scheme + settings for HE mode (HE-MCS). It is usually not needed to set this + explicitly, but it might help with some WiFi adapters. + + <number> must be one of: + + * ``0`` - HE-MCS 0-7 + * ``1`` - HE-MCS 0-9 + * ``2`` - HE-MCS 0-11 + * ``3`` - HE-MCS is not supported Wireless options (Station/Client) ================================= 
@@ -693,16 +714,200 @@ Resulting in type access-point } } - system { - [...] - wifi-regulatory-domain DE - } To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system. +WiFi-6(e) - 802.11ax +==================== + +The following examples will show valid configurations for WiFi-6 (2.4GHz) +and WiFi-6e (6GHz) Access-Points with the following characteristics: + +* Network ID (SSID) ``test.ax`` +* WPA passphrase ``super-dooper-secure-passphrase`` +* Use 802.11ax protocol +* Wireless channel ``11`` for 2.4GHz +* Wireless channel ``5`` for 6GHz + + +Example Configuration: WiFi-6 at 2.4GHz +--------------------------------------- + +You may expect real throughputs around 10MBytes/s or higher in crowded areas. + +.. code-block:: none + + set system wireless country-code de + set interfaces wireless wlan0 capabilities he antenna-pattern-fixed + set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer + set interfaces wireless wlan0 capabilities he beamform single-user-beamformee + set interfaces wireless wlan0 capabilities he beamform single-user-beamformer + set interfaces wireless wlan0 capabilities he bss-color 13 + set interfaces wireless wlan0 capabilities he channel-set-width 81 + set interfaces wireless wlan0 capabilities ht 40mhz-incapable + set interfaces wireless wlan0 capabilities ht channel-set-width ht20 + set interfaces wireless wlan0 capabilities ht channel-set-width ht40+ + set interfaces wireless wlan0 capabilities ht channel-set-width ht40- + set interfaces wireless wlan0 capabilities ht short-gi 20 + set interfaces wireless wlan0 capabilities ht short-gi 40 + set interfaces wireless wlan0 capabilities ht stbc rx 2 + set interfaces wireless wlan0 capabilities ht stbc tx + set interfaces wireless wlan0 channel 11 + set interfaces wireless wlan0 
description "802.11ax 2.4GHz" + set interfaces wireless wlan0 mode ax + set interfaces wireless wlan0 security wpa cipher CCMP + set interfaces wireless wlan0 security wpa cipher CCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP + set interfaces wireless wlan0 security wpa mode wpa2 + set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase + set interfaces wireless wlan0 ssid test.ax + set interfaces wireless wlan0 type access-point + commit + +Resulting in + +.. code-block:: none + + system { + wireless { + country-code de + } + } + interfaces { + [...] + wireless wlan0 { + capabilities { + he { + antenna-pattern-fixed + beamform { + multi-user-beamformer + single-user-beamformee + single-user-beamformer + } + bss-color 13 + channel-set-width 81 + } + ht { + 40mhz-incapable + channel-set-width ht20 + channel-set-width ht40+ + channel-set-width ht40- + short-gi 20 + short-gi 40 + stbc { + rx 2 + tx + } + } + } + channel 11 + description "802.11ax 2.4GHz" + hw-id [...] + mode ax + physical-device phy0 + security { + wpa { + cipher CCMP + cipher CCMP-256 + cipher GCMP-256 + cipher GCMP + mode wpa2 + passphrase super-dooper-secure-passphrase + } + } + ssid test.ax + type access-point + } + } + +Example Configuration: WiFi-6e at 6GHz +-------------------------------------- + +You may expect real throughputs around 50MBytes/s to 150MBytes/s, +depending on obstructions by walls, water, metal or other materials +with high electro-magnetic dampening at 6GHz. Best results are achieved +with the AP being in the same room and in line-of-sight. + +.. 
code-block:: none + + set system wireless country-code de + set interfaces wireless wlan0 capabilities he antenna-pattern-fixed + set interfaces wireless wlan0 capabilities he beamform multi-user-beamformer + set interfaces wireless wlan0 capabilities he beamform single-user-beamformee + set interfaces wireless wlan0 capabilities he beamform single-user-beamformer + set interfaces wireless wlan0 capabilities he bss-color 13 + set interfaces wireless wlan0 capabilities he channel-set-width 134 + set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15 + set interfaces wireless wlan0 channel 5 + set interfaces wireless wlan0 description "802.11ax 6GHz" + set interfaces wireless wlan0 mode ax + set interfaces wireless wlan0 security wpa cipher CCMP + set interfaces wireless wlan0 security wpa cipher CCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP-256 + set interfaces wireless wlan0 security wpa cipher GCMP + set interfaces wireless wlan0 security wpa mode wpa3 + set interfaces wireless wlan0 security wpa passphrase super-dooper-secure-passphrase + set interfaces wireless wlan0 mgmt-frame-protection required + set interfaces wireless wlan0 enable-bf-protection + set interfaces wireless wlan0 ssid test.ax + set interfaces wireless wlan0 type access-point + set interfaces wireless wlan0 stationary-ap + commit + +Resulting in + +.. code-block:: none + + system { + wireless { + country-code de + } + } + interfaces { + [...] + wireless wlan0 { + capabilities { + he { + antenna-pattern-fixed + beamform { + multi-user-beamformer + single-user-beamformee + single-user-beamformer + } + bss-color 13 + center-channel-freq { + freq-1 15 + } + channel-set-width 134 + } + } + channel 5 + description "802.11ax 6GHz" + enable-bf-protection + hw-id [...] 
+ mgmt-frame-protection required + mode ax + physical-device phy0 + security { + wpa { + cipher CCMP + cipher CCMP-256 + cipher GCMP-256 + cipher GCMP + mode wpa3 + passphrase super-dooper-secure-passphrase + } + } + ssid test.ax + stationary-ap + type access-point + } + } + .. _wireless-interface-intel-ax200: Intel AX200 diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 9345e708..42f63fc9 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -105,6 +105,18 @@ Example: set nat66 destination rule 1 destination address 'fc00::/64' set nat66 destination rule 1 translation address 'fc01::/64' +For the destination, groups can also be used instead of an address. + +Example: + +.. code-block:: none + + set firewall group ipv6-address-group ADR-INSIDE-v6 address fc00::1 + + set nat66 destination rule 1 inbound-interface name 'eth0' + set nat66 destination rule 1 destination group address-group ADR-INSIDE-v6 + set nat66 destination rule 1 translation address 'fc01::/64' + Configuration Examples ====================== diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index ea217d3c..e7b1b27f 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -14,6 +14,7 @@ Protocols isis mpls segment-routing + openfabric ospf pim pim6 diff --git a/docs/configuration/protocols/openfabric.rst b/docs/configuration/protocols/openfabric.rst new file mode 100644 index 00000000..aecb5181 --- /dev/null +++ b/docs/configuration/protocols/openfabric.rst 
@@ -0,0 +1,237 @@ +.. _openfabric: + +########## +OpenFabric +########## + +OpenFabric, specified in `draft-white-openfabric-06.txt +<https://datatracker.ietf.org/doc/html/draft-white-openfabric-06>`_, is +a routing protocol derived from IS-IS, providing link-state routing with +efficient flooding for topologies like spine-leaf networks. + +OpenFabric a dual stack protocol. +A single OpenFabric instance is able to perform routing for both IPv4 and IPv6. + +******* +General +******* + +Configuration +============= + +Mandatory Settings +------------------ + +For OpenFabric to operate correctly, one must do the equivalent of a Router ID +in Connectionless Network Service (CLNS). This Router ID is called the +:abbr:`NET (Network Entity Title)`. The system identifier must be unique within +the network + +.. cfgcmd:: set protocols openfabric net <network-entity-title> + + This command sets network entity title (NET) provided in ISO format. + + Here is an example :abbr:`NET (Network Entity Title)` value: + + .. code-block:: none + + 49.0001.1921.6800.1002.00 + + The CLNS address consists of the following parts: + + * :abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value + 49 is what OpenFabric uses for private addressing. + + * Area identifier: ``0001`` OpenFabric area number (numerical area ``1``) + + * System identifier: ``1921.6800.1002`` - for system identifiers we recommend + to use IP address or MAC address of the router itself. The way to construct + this is to keep all of the zeroes of the router IP address, and then change + the periods from being every three numbers to every four numbers. The + address that is listed here is ``192.168.1.2``, which if expanded will turn + into ``192.168.001.002``. Then all one has to do is move the dots to have + four numbers instead of three. This gives us ``1921.6800.1002``. + + * :abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This + setting indicates "this system" or "local system." 
+ +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + address-family <ipv4|ipv6> + + This command enables OpenFabric instance with <NAME> on this interface, and + allows for adjacency to occur for address family (IPv4 or IPv6 or both). + +OpenFabric Global Configuration +------------------------------- + +.. cfgcmd:: set protocols openfabric domain-password <plaintext-password|md5> + <password> + + This command configures the authentication password for a routing domain, + as clear text or md5 one. + +.. cfgcmd:: set protocols openfabric domain <name> purge-originator + + This command enables :rfc:`6232` purge originator identification. + +.. cfgcmd:: set protocols openfabric domain <name> set-overload-bit + + This command sets overload bit to avoid any transit traffic through this + router. + +.. cfgcmd:: set protocols openfabric domain <name> log-adjacency-changes + + Log changes in adjacency state. + +.. cfgcmd:: set protocols openfabric domain <name> fabric-tier <number> + + This command sets a static tier number to advertise as location + in the fabric. + + +Interface Configuration +----------------------- + +.. cfgcmd:: set protocols openfabric interface <interface> hello-interval + <seconds> + + This command sets hello interval in seconds on a given interface. + The range is 1 to 600. Hello packets are used to establish and maintain + adjacency between OpenFabric neighbors. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + hello-multiplier <number> + + This command sets multiplier for hello holding time on a given + interface. The range is 2 to 100. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + metric <metric> + + This command sets default metric for circuit. + The metric range is 1 to 16777215. + +.. cfgcmd:: set protocols openfabric interface <interface> passive + + This command enables the passive mode for this interface. + +.. 
cfgcmd:: set protocols openfabric domain <name> interface <interface> + password plaintext-password <text> + + This command sets the authentication password for the interface. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + csnp-interval <seconds> + + This command sets Complete Sequence Number Packets (CSNP) interval in seconds. + The interval range is 1 to 600. + +.. cfgcmd:: set protocols openfabric domain <name> interface <interface> + psnp-interval <number> + + This command sets Partial Sequence Number Packets (PSNP) interval in seconds. + The interval range is 1 to 120. + +Timers +------ + +.. cfgcmd:: set protocols openfabric domain <name> lsp-gen-interval <seconds> + + This command sets minimum interval at which link-state packets (LSPs) are + generated. The interval range is 1 to 120. + +.. cfgcmd:: set protocols openfabric domain <name> lsp-refresh-interval <seconds> + + This command sets LSP refresh interval in seconds. The interval range + is 1 to 65235. + +.. cfgcmd:: set protocols openfabric domain <name> max-lsp-lifetime <seconds> + + This command sets LSP maximum LSP lifetime in seconds. The interval range + is 360 to 65535. LSPs remain in a database for 1200 seconds by default. + If they are not refreshed by that time, they are deleted. You can change + the LSP refresh interval or the LSP lifetime. The LSP refresh interval + should be less than the LSP lifetime or else LSPs will time out before + they are refreshed. + +.. cfgcmd:: set protocols openfabric domain <name> spf-interval <seconds> + + This command sets minimum interval between consecutive shortest path first + (SPF) calculations in seconds.The interval range is 1 to 120. + + +******** +Examples +******** + +Enable OpenFabric +================= + +**Node 1:** + +.. 
code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols openfabric domain VyOS interface eth1 address-family ipv4 + set protocols openfabric domain VyOS interface lo address-family ipv4 + set protocols openfabric net '49.0001.1921.6825.5255.00' + +**Node 2:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols openfabric domain VyOS interface eth1 address-family ipv4 + set protocols openfabric domain VyOS interface lo address-family ipv4 + set protocols openfabric net '49.0001.1921.6825.5254.00' + + + +This gives us the following neighborships: + +.. code-block:: none + + Node-1@vyos:~$ show openfabric neighbor + show openfabric neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 2 Up 27 2020.2020.2020 + + + Node-2@vyos:~$ show openfabric neighbor + show openfabric neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 2 Up 30 2020.2020.2020 + +Here's the IP routes that are populated: + +.. 
code-block:: none + + Node-1@vyos:~$ show ip route openfabric + show ip route openfabric + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + f 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 + f>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1 onlink, weight 1, 00:00:10 + + Node-2@vyos:~$ show ip route openfabric + show ip route openfabric + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + f 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 + f>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1 onlink, weight 1, 00:00:48 diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst index 44c66186..b5ebaaee 100644 --- a/docs/configuration/system/option.rst +++ b/docs/configuration/system/option.rst @@ -43,8 +43,6 @@ Kernel .. cfgcmd:: set system option kernel disable-power-saving - Disable CPU power saving mechanisms also known as C states. - This will add the following two options to the Kernel commandline: * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle 
@@ -52,6 +50,28 @@ Kernel .. note:: Setting will only become active with the next reboot! +.. cfgcmd:: set system option kernel amd-pstate-driver <mode> + + Enables and configures p-state driver for modern AMD Ryzen and Epyc CPUs. + + The available modes are: + + * ``active`` This is the low-level firmware control mode based on the profile + set and the system governor has no effect. + * ``passive`` The driver allows the system governor to manage CPU frequency + while providing available performance states. + * ``guided`` The driver allows to set desired performance levels and the firmware + selects a performance level in this range and fitting to the current workload. + + This will add the following two options to the Kernel commandline: + + * ``initcall_blacklist=acpi_cpufreq_init`` Disable default ACPI CPU frequency scale + * ``amd_pstate={mode}`` Sets the p-state mode + + .. note:: Setting will only become active with the next reboot! + + .. seealso:: https://docs.kernel.org/admin-guide/pm/amd-pstate.html + *********** HTTP client *********** diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst index cc7ac676..44c290f4 100644 --- a/docs/configuration/system/syslog.rst +++ b/docs/configuration/system/syslog.rst 
@@ -17,6 +17,28 @@ Syslog supports logging to multiple targets, those targets could be a plain file on your VyOS installation itself, a serial console or a remote syslog server which is reached via :abbr:`IP (Internet Protocol)` UDP/TCP. +Global +------ + +.. cfgcmd:: system syslog global marker interval <number> + +Interval (in seconds) for sending mark messages to the syslog input to +indicate that the logging system is functioning. + +.. cfgcmd:: system syslog global preserve-fqdn + +If set, the domain part of the hostname is always sent, +even within the same domain as the receiving system. + +.. cfgcmd:: system syslog global local-host-name <fqdn> + +Overwrites the local system host name used in syslogs. + +.. cfgcmd:: system rsyslog global facility <keyword> level <keyword> + +Filter syslog messages based on facility and level. + + Console ------- |
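Review bot: macsec.rst, new "MACsec over wan" section: the VXLAN addressing on the two routers does not line up. R1 sets `source-address '172.16.100.1'` but R2 points `remote '10.1.2.2'` at it, and R2 sets `source-address '172.16.100.2'` while R1 points `remote '10.1.3.3'` at it; the static routes `10.1.3.3/32 next-hop 172.16.100.2` and `10.1.2.2/32 next-hop 172.16.100.1` suggest that 10.1.2.2 and 10.1.3.3 are further addresses on each router, but the text never says so. Either use the same address as VXLAN source on one side and remote on the other, or add a sentence describing the topology (which address is the VTEP, what the 172.16.100.0/24 link is). Because the section is motivated by securing a WAN tunnel, it should also state what the construction protects: MACsec with `security encrypt` protects the Ethernet frames carried inside VXLAN, while the outer IP/UDP/VXLAN headers (including the VNI) remain in cleartext and VXLAN itself adds no authentication. Wording: the heading should read "MACsec over WAN", and "in this example below" needs a capital I.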
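Review bot: wireless.rst, hunk at line 378 (HE capabilities): in the new `capabilities he coding-scheme` entry "Spacial Stream" should be "Spatial Stream". The sentence "It is usually not needed to set this explicitly, but it might help with some WiFi adapters" leaves the reader without a way to decide; if the intended guidance is "set it only when hostapd refuses to start with the adapter's default", say that.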
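Review bot: wireless.rst, hunk at line 693 (WiFi-6 examples): the 6GHz example contains a command that will not commit as written, `set interfaces wireless wlan0 capabilities he capabilities he center-channel-freq freq-1 15` repeats `capabilities he`; the "Resulting in" output below it shows the intended path, so the line should be `set interfaces wireless wlan0 capabilities he center-channel-freq freq-1 15`. The 2.4GHz example is internally contradictory: it sets `capabilities ht 40mhz-incapable` (which the page documents as advertising `[40-INTOLERANT]`) and `capabilities he channel-set-width 81` (20 MHz), yet also configures `capabilities ht channel-set-width ht40+` and `ht40-`; pick either the 20 MHz or the 40 MHz variant so readers do not copy a configuration that declares itself 40 MHz intolerant and then advertises 40 MHz widths. The two examples also differ in security posture without saying why: the 6GHz one uses `security wpa mode wpa3` with `mgmt-frame-protection required` and `enable-bf-protection`, the 2.4GHz one uses `mode wpa2` and no management-frame protection. If WPA2 is kept on 2.4GHz for client compatibility, say so, and consider adding `mgmt-frame-protection` there as well, since the section presents both as the reference WiFi-6 configurations. Minor: "electro-magnetic dampening" should be "attenuation".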
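Review bot: nat66.rst: the new group example needs a sentence on semantics. The address-based example directly above maps the prefix `fc00::/64` to `fc01::/64`, but the group example matches a single host (`ADR-INSIDE-v6` contains only `fc00::1`) and still translates to `'fc01::/64'`; it is not clear whether the result is the prefix rewrite of the earlier example or a mapping of that one host to some address in `fc01::/64`. State what the translated destination is when a group matches, and give the group more than one member so the example shows something the plain `destination address` form cannot. The dangling `Example:` line before the code block could also be folded into the preceding sentence.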
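Review bot: openfabric.rst (new file): the command paths are inconsistent. Most interface settings are documented as `set protocols openfabric domain <name> interface <interface> ...` (address-family, hello-multiplier, metric, password, csnp-interval, psnp-interval), but `hello-interval` and `passive` are shown as `set protocols openfabric interface <interface> ...` without the `domain <name>` node; one of the two forms is wrong and a reader copying the shorter one will get a validation error. Likewise `domain-password` sits directly under `protocols openfabric` while every other domain-level option sits under `domain <name>`; if that is really the schema, say that the password applies to all domains. On the authentication text: `plaintext-password` carries the password in the clear in every hello, LSP and SNP and gives no integrity protection, so the page should recommend `md5` for `domain-password` and note that the interface-level `password` is documented here with `plaintext-password` only. Smaller fixes: "OpenFabric a dual stack protocol" is missing "is"; "one must do the equivalent of a Router ID" reads oddly (the NET is an ISO address, not an IPv4 router ID); `psnp-interval <number>` should be `<seconds>` like its neighbours; "sets LSP maximum LSP lifetime" repeats LSP; "seconds.The interval" needs a space. In the example output each command is echoed twice (`Node-1@vyos:~$ show openfabric neighbor` followed by a bare `show openfabric neighbor`), both nodes use the hostname `vyos` so `System Id` reads `vyos` on both sides and the output does not show who is who, and both sides report the same SNPA `2020.2020.2020`, which is unlikely for two different peer interfaces; give the nodes distinct hostnames and paste the output once.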
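Review bot: option.rst, hunk at line 43: this deletes "Disable CPU power saving mechanisms also known as C states." without replacing it, so `set system option kernel disable-power-saving` is left with no sentence saying what it does; the description now opens with "This will add the following two options to the Kernel commandline". Unless that sentence was moved somewhere not shown in this diff, keep it (or reword it, for example "Disable CPU idle power-saving states (C-states)").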
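Review bot: option.rst, hunk at line 52 (`amd-pstate-driver`): the `active` description says the firmware chooses "based on the profile set" without saying which profile; in `amd_pstate=active` mode the firmware selects frequency from the energy performance preference (EPP) hint, so name that instead of an undefined profile. Also add a clause explaining that `initcall_blacklist=acpi_cpufreq_init` exists only to stop `acpi-cpufreq` from binding to the CPUs before `amd-pstate`. Wording: "Epyc" should be "EPYC", "Disable default ACPI CPU frequency scale" should read "scaling driver".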
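Review bot: syslog.rst: the four new `cfgcmd` directives are inconsistent with the rest of the page and with each other. They omit the leading `set` that every other cfgcmd uses (`system syslog global marker interval <number>` should be `set system syslog global marker interval <number>`), the last one names a different node, `system rsyslog global facility <keyword> level <keyword>`, although the section and the three entries above it are under `system syslog`, and the description paragraphs are not indented under their directive, so they will render as body text rather than as the command's description. Wording: `<number>` for the marker interval should be `<seconds>` to match its description; "Overwrites the local system host name used in syslogs" should read "Overrides the host name written into syslog messages"; "sending mark messages to the syslog input" is unclear, say that a `-- MARK --` message is emitted every <n> seconds so a collector can distinguish a quiet host from a broken log pipeline. For `facility <keyword> level <keyword>` list or link the accepted keywords.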