Diffstat (limited to 'docs')
 docs/configuration/interfaces/l2tpv3.rst  |  2
 docs/configuration/interfaces/openvpn.rst | 87
 docs/configuration/protocols/ospf.rst     | 89
 3 files changed, 156 insertions, 22 deletions
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 897e38dc..4fa47199 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -24,7 +24,7 @@ not be re-engineered in or on top of L2TPv3 in later products. The protocol overhead of L2TPv3 is also significantly bigger than MPLS. -L2TPv3 is described in :rfc:`3921`. +L2TPv3 is described in :rfc:`3931`. ************* Configuration diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 5850591c..c0019577 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -48,8 +48,8 @@ Site-to-site mode supports x.509 but doesn't require it and can also work with static keys, which is simpler in many cases. In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key. -First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` -command. Once generated, you will need to install this key on the local system, +First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret<configuration/pki/index:pki>` +command. Once generated, you will need to install this key on the local system, then copy and install this key to the remote router. In our example, we used the key name ``openvpn-1`` which we will reference @@ -82,7 +82,7 @@ Local Configuration: Configure mode commands to install OpenVPN key: set pki openvpn shared-secret openvpn-1 key 'generated_key_string' set pki openvpn shared-secret openvpn-1 version '1' - + set interfaces openvpn vtun1 mode site-to-site set interfaces openvpn vtun1 protocol udp set interfaces openvpn vtun1 persistent-tunnel 
@@ -97,13 +97,13 @@ Local Configuration - Annotated: .. code-block:: none - run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. - The generated secret is the output to + run generate pki openvpn shared-secret install openvpn-1 # Locally genearated OpenVPN shared secret. + The generated secret is the output to the console. Configure mode commands to install OpenVPN key: - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to + set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Generated secret displayed in the output to the console. - set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to + set pki openvpn shared-secret openvpn-1 version '1' # Generated secret displayed in the output to the console. set interfaces openvpn vtun1 mode site-to-site @@ -138,7 +138,7 @@ Remote Configuration - Annotated: .. code-block:: none - set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret + set pki openvpn shared-secret openvpn-1 key 'generated_key_string' # Locally genearated OpenVPN shared secret (from the Local Configuration Block). set pki openvpn shared-secret openvpn-1 version '1' @@ -304,8 +304,8 @@ closing on connection resets or daemon reloads. set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol udp -Then we need to generate, add and specify the names of the cryptographic materials. -Each of the install command should be applied to the configuration and commited +Then we need to generate, add and specify the names of the cryptographic materials. +Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration. .. code-block:: none 
@@ -314,18 +314,18 @@ before using under the openvpn interface configuration. Configure mode commands to install: set pki ca ca-1 certificate 'generated_cert_string' set pki ca ca-1 private key 'generated_private_key' - + run generate pki certificate sign ca-1 install srv-1 # Follow the instructions to generate server cert. Configure mode commands to install: set pki certificate srv-1 certificate 'generated_server_cert' set pki certificate srv-1 private key 'generated_private_key' - - run generate pki dh install dh-1 # Follow the instructions to generate set of + + run generate pki dh install dh-1 # Follow the instructions to generate set of Diffie-Hellman parameters. Generating parameters... Configure mode commands to install DH parameters: set pki dh dh-1 parameters 'generated_dh_params_set' - + set interfaces openvpn vtun10 tls ca-certificate ca-1 set interfaces openvpn vtun10 tls certificate srv-1 set interfaces openvpn vtun10 tls dh-params dh-1 
@@ -361,18 +361,18 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static route 10.23.0.0/20 interface vtun10 Additionally, each client needs a copy of ca cert and its own client key and -cert files. The files are plaintext so they may be copied either manually from the CLI. -Client key and cert files should be signed with the proper ca cert and generated on the -server side. +cert files. The files are plaintext so they may be copied either manually from the CLI. +Client key and cert files should be signed with the proper ca cert and generated on the +server side. HQ's router requires the following steps to generate crypto materials for the Branch 1: .. code-block:: none - - run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client + + run generate pki certificate sign ca-1 install branch-1 # Follow the instructions to generate client cert for Branch 1 Configure mode commands to install: - + Branch 1's router might have the following lines: .. code-block:: none @@ -380,7 +380,7 @@ Branch 1's router might have the following lines: set pki ca ca-1 certificate 'generated_cert_string' # CA cert generated on HQ router set pki certificate branch-1 certificate 'generated_branch_cert' # Client cert generated and signed on HQ router set pki certificate branch-1 private key 'generated_private_key' # Client cert key generated on HQ router - + set interfaces openvpn vtun10 tls ca-cert ca-1 set interfaces openvpn vtun10 tls certificate branch-1 @@ -513,6 +513,7 @@ example: } } + ****** Client ****** 
@@ -600,6 +601,50 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes using the ``"`` statement. +********************************** +OpenVPN Data Channel Offload (DCO) +********************************** + +OpenVPN Data Channel Offload (DCO) enables significant performance enhancement +in encrypted OpenVPN data processing. By minimizing context switching for each +packet, DCO effectively reduces overhead. This optimization is achieved by +keeping most data handling tasks within the kernel, avoiding frequent switches +between kernel and user space for encryption and packet handling. + +As a result, the processing of each packet becomes more efficient, potentially +leveraging hardware encryption offloading support available in the kernel. + +.. note:: OpenVPN DCO is not full OpenVPN features supported , is currently + considered experimental. Furthermore, there are certain OpenVPN features and + use cases that remain incompatible with DCO. To get a comprehensive + understanding of the limitations associated with DCO, refer to the list of + known limitations in the documentation. + + https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features + + +Enabling OpenVPN DCO +==================== + +DCO support is a per-tunnel option and it is not automatically enabled by +default for new or upgraded tunnels. Existing tunnels will continue to function +as they have in the past. + +DCO can be enabled for both new and existing tunnels,VyOS adds an option in each +tunnel configuration where we can enable this function .The current best +practice is to create a new tunnel with DCO to minimize the chance of problems +with existing clients. + +.. cfgcmd:: set interfaces openvpn <name> offload dco + + Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel + module. + + Disabled by default - no kernel module loaded. + + .. note:: Enable this feature causes an interface reset. + + Troubleshooting =============== 
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index c46497a1..e360d86a 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -202,6 +202,17 @@ Optional This command will change the hold down value globally for IGP-LDP synchronization during convergence/interface flap events. +.. cfgcmd:: set protocols ospf capability opaque + + ospfd supports Opaque LSA :rfc:`2370` as partial support for MPLS Traffic + Engineering LSAs. The opaque-lsa capability must be enabled in the + configuration. + + An alternate command could be "mpls-te on" (Traffic Engineering) + + .. note:: FRR offers only partial support for some of the routing + protocol extensions that are used with MPLS-TE; it does not + support a complete RSVP-TE solution. Area Configuration ------------------ 
@@ -483,6 +494,45 @@ Route will be originated on-behalf of all matched external LSAs. This command to ensure not advertise the summary lsa for the matched external LSAs. +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospf graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospf graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. cfgcmd:: set protocols ospf graceful-restart helper no-strict-lsa-checking + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospf graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospf graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. + Manual Neighbor Configuration ----------------------------- 
@@ -1156,6 +1206,45 @@ Interface Configuration .. _ospf:v3_redistribution_config: +Graceful Restart +---------------- + +.. cfgcmd:: set protocols ospfv3 graceful-restart [grace-period (1-1800)] + + Configure Graceful Restart :rfc:`3623` restarting support. When enabled, + the default grace period is 120 seconds. + + To perform a graceful shutdown, the FRR ``graceful-restart prepare ip + ospf`` EXEC-level command needs to be issued before restarting the + ospfd daemon. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper enable [router-id A.B.C.D] + + Configure Graceful Restart :rfc:`3623` helper support. By default, helper support + is disabled for all neighbours. This config enables/disables helper support + on this router for all neighbours. + + To enable/disable helper support for a specific neighbour, the router-id + (A.B.C.D) has to be specified. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper lsa-check-disable + + By default `strict-lsa-checking` is configured then the helper will abort + the Graceful Restart when a LSA change occurs which affects the restarting + router. + + This command disables it. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper supported-grace-time + + Supports as HELPER for configured grace period. + +.. cfgcmd:: set protocols ospfv3 graceful-restart helper planned-only + + It helps to support as HELPER only for planned restarts. + + By default, it supports both planned and unplanned outages. + Redistribution Configuration ---------------------------- |
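Review bot: The openvpn.rst hunk at @@ -48 is whitespace-only but rewrites the line "First, one of the systems generate the key using ..."; since that line is being touched anyway, fix the verb agreement to "one of the systems generates the key".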
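Review bot: The openvpn.rst hunks at @@ -97 and @@ -138 only strip trailing whitespace and keep the typo on the touched lines; "# Locally genearated OpenVPN shared secret" (present in both hunks) should read "# Locally generated OpenVPN shared secret" while these lines are being rewritten.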
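Review bot: The openvpn.rst hunk at @@ -304 rewrites "Each of the install command should be applied to the configuration and commited" without fixing it; it should read "Each of the install commands should be applied to the configuration and committed before use under the openvpn interface configuration."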
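Review bot: In the openvpn.rst hunk at @@ -380 the retained context line is `set interfaces openvpn vtun10 tls ca-cert ca-1`, whereas the server-side block in the @@ -314 hunk uses `set interfaces openvpn vtun10 tls ca-certificate ca-1`; the branch example should use the same option name as the server example (ca-certificate), otherwise readers copying the branch block get a command that does not match the rest of the page.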
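Review bot: The note added in the new DCO section of openvpn.rst (@@ -600) is ungrammatical and should be rewritten, e.g. "OpenVPN DCO does not support the full OpenVPN feature set and is currently considered experimental."; the cfgcmd note "Enable this feature causes an interface reset." should read "Enabling this feature causes an interface reset.", and the spacing in "tunnels,VyOS" and "function .The" needs fixing. Since the section sends the reader to an external list of limitations, it should also state what happens when `offload dco` is committed on a tunnel that uses an incompatible feature (commit failure versus the tunnel coming up without offload), because an operator needs that to judge the interface-reset risk on a production tunnel.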
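Review bot: In the ospf.rst hunk at @@ -202, 'An alternate command could be "mpls-te on" (Traffic Engineering)' is ambiguous inside a VyOS cfgcmd entry, because `mpls-te on` is FRR ospfd syntax rather than a `set protocols ospf ...` command; either give the corresponding VyOS command or say explicitly that this is the underlying FRR command and is not typed into the VyOS CLI. "The opaque-lsa capability must be enabled in the configuration." should also say that this is exactly what `set protocols ospf capability opaque` does. Minor: RFC 2370 has been obsoleted by RFC 5250, so consider citing :rfc:`5250` instead.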
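Review bot: In the ospf.rst hunk at @@ -483, `set protocols ospf graceful-restart helper supported-grace-time` is shown without a value although its description refers to a "configured grace period"; the cfgcmd should carry the argument placeholder and its range in the same style as `graceful-restart [grace-period (1-1800)]`. The descriptions "Supports as HELPER for configured grace period." and "It helps to support as HELPER only for planned restarts." should be rewritten as plain sentences (e.g. "Act as helper only for neighbours whose announced grace period does not exceed the configured value." and "Act as helper only for planned restarts; by default both planned and unplanned restarts are supported."). The sentence "By default `strict-lsa-checking` is configured then the helper will abort ..." is a run-on and uses single backticks where the rest of the file uses double.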
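Review bot: The ospf.rst hunk at @@ -1156 is a copy of the OSPFv2 block and still tells the reader to run the FRR `graceful-restart prepare ip ospf` command and restart "the ospfd daemon", which is wrong for an OSPFv3 section; it should reference the ospf6d equivalent (FRR's `graceful-restart prepare ipv6 ospf`, to be verified against the FRR version shipped) and the ospf6d daemon. RFC 3623 specifies graceful restart for OSPFv2; the OSPFv3 variant is RFC 5187, so the :rfc: references in this block should be updated. The option is named `lsa-check-disable` here but `no-strict-lsa-checking` in the OSPFv2 block for the same function; if the CLI really differs, a sentence pointing this out would save readers from guessing, and the `supported-grace-time` entry has the same missing argument as in the OSPFv2 block.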