diff options
| author | LiudmylaNad <l.nadolina@vyos.io> | 2026-02-16 13:13:04 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-02-16 12:13:04 +0000 |
| commit | eb85660173a3a0b0e3dcd63221ec104471948958 (patch) | |
| tree | e9b037a8b561ec8a8bd29152a2307c44fc9bff88 | |
| parent | 986b820aa94093220b58efb413a4b1f9dff00d6b (diff) | |
| download | vyos-documentation-eb85660173a3a0b0e3dcd63221ec104471948958.tar.gz vyos-documentation-eb85660173a3a0b0e3dcd63221ec104471948958.zip | |
DOC: Proofreading ethernet.rst (#1740)
* DOC: Proofreading ethernet.rst
* doc: indentation configuration
* Apply suggestions from code review
Co-authored-by: Daniil Baturin <daniil@baturin.org>
* Remove mentions of Metro Ethernet
---------
Co-authored-by: Daniil Baturin <daniil@baturin.org>
| -rw-r--r-- | docs/_include/interface-eapol.txt | 81 | ||||
| -rw-r--r-- | docs/_include/interface-evpn-uplink.txt | 2 | ||||
| -rw-r--r-- | docs/_include/interface-vlan-8021ad.txt | 55 | ||||
| -rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 243 |
4 files changed, 234 insertions, 147 deletions
diff --git a/docs/_include/interface-eapol.txt b/docs/_include/interface-eapol.txt index 640fc6e3..fc3d9e34 100644 --- a/docs/_include/interface-eapol.txt +++ b/docs/_include/interface-eapol.txt @@ -1,41 +1,82 @@ -:abbr:`EAP (Extensible Authentication Protocol)` over LAN (EAPoL) is a network -port authentication protocol used in IEEE 802.1X (Port Based Network Access -Control) developed to give a generic network sign-on to access network -resources. +**Overview** -EAPoL comes with an identify option. We automatically use the interface MAC -address as identity parameter. +IEEE 802.1X is a security standard that enforces access control at the data link layer. It blocks all traffic on a port until the connecting device proves +its identity. The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` +protocol transports credentials between the client (supplicant) and the network +switch (authenticator). The switch forwards these credentials to a backend +authentication server, typically RADIUS, which verifies them and authorizes +the connection. + +The VyOS router acts as the supplicant, authenticating with upstream network +equipment such as ISP gateways or enterprise switches. Authentication uses +X.509 certificates to validate the identities of both the router and the +authentication server. + +The :abbr:`EAPOL (Extensible Authentication Protocol over LAN)` protocol +requires the supplicant (the router) to provide an identity string to the +authentication server during the initial handshake. If no identity is +configured, VyOS uses the Ethernet interface's MAC address as the identity +string. + +**Configuration** + +Prerequisites: Before configuring 802.1X (:abbr:`EAPOL (Extensible +Authentication Protocol over LAN)`) authentication, upload the required +:abbr:`CA (Certificate Authority)` certificate, client certificate, and +private key to the router and import them into the PKI system. + +.. note:: The client certificate and private key must share the **same** PKI + name. + +.. seealso:: For more information about managing certificates and keys, see + the :ref:`PKI <pki>` section. .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} eapol ca-certificate <name> - Set the name of the SSL :abbr:`CA (Certificate Authority)` PKI entry used for - authentication of the remote side. If an intermediate CA certificate is - specified, then all parent CA certificates that exist in the PKI, such as the - root CA or additional intermediate CAs, will automatically be used during - certificate validation to ensure that the full chain of trust is available. + **Configure the trusted** :abbr:`CA (Certificate Authority)` **certificate for + the interface.** + + The router uses this certificate to validate the authentication server’s + identity. + + ``<name>`` is the :abbr:`CA (Certificate Authority)` certificate name as + defined in the PKI system. + + .. note:: If you specify an intermediate :abbr:`CA (Certificate Authority)` + certificate, ensure the full certificate chain, including the root and all + higher-level intermediate :abbr:`CA (Certificate Authority)` certificates, is + available to the system. Example: .. code-block:: none - set pki ca eapol-server-intermediate-ca <Server intermediate CA contents> - set pki ca eapol-server-root-ca <Server root CA contents> + set pki ca eapol-server-intermediate-ca <server intermediate CA contents> + set pki ca eapol-server-root-ca <server root CA contents> set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol ca-certificate eapol-server-intermediate-ca .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} eapol certificate <name> - Set the name of the x509 client keypair used to authenticate against the - 802.1x system. All parent CA certificates of the client certificate, such as - intermediate and root CAs, will be sent as part of the EAP-TLS handshake. + **Configure the client certificate for the interface.** + + The router uses this certificate to prove its identity to the authentication + server. + + ``<name>`` is the client certificate name as defined in the PKI system. + + During authentication, all parent :abbr:`CA (Certificate Authority)` + certificates of the client certificate, such as intermediate and root :abbr:`CA + (Certificate Authority)` certificates, are automatically sent as part of the + EAP-TLS handshake. Example: .. code-block:: none - set pki ca eapol-client-intermediate-ca <Client intermediate CA contents> - set pki ca eapol-client-root-ca <Client root CA contents> - set pki certificate eapol-client certificate <Client certificate contents> - set pki certificate eapol-client private key <Client private key contents> + set pki ca eapol-client-intermediate-ca <client intermediate CA contents> + set pki ca eapol-client-root-ca <client root CA contents> + set pki certificate eapol-client certificate <client certificate contents> + set pki certificate eapol-client private key <client private key contents> set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} eapol certificate eapol-client diff --git a/docs/_include/interface-evpn-uplink.txt b/docs/_include/interface-evpn-uplink.txt index 84b09727..67bf2abc 100644 --- a/docs/_include/interface-evpn-uplink.txt +++ b/docs/_include/interface-evpn-uplink.txt @@ -6,7 +6,7 @@ to the VXLAN overlay. To prevent traffic blackholing, the PE device forces a protocol shutdown (protodown) of its downstream EVPN-MH interfaces. - The following example configures bond0 as an EVPN-MH uplink interface: + The following example configures {{ var1 }} as an EVPN-MH uplink interface: .. code-block:: none diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt index 0a1722dc..a6413679 100644 --- a/docs/_include/interface-vlan-8021ad.txt +++ b/docs/_include/interface-vlan-8021ad.txt @@ -1,32 +1,31 @@ -.. include:: /_include/need_improvement.txt - -IEEE 802.1ad_ was an Ethernet networking standard informally known as QinQ as -an amendment to IEEE standard 802.1q VLAN interfaces as described above. -802.1ad was incorporated into the base 802.1q_ standard in 2011. The technique -is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. -"Q-in-Q" can for supported devices apply to C-tag stacking on C-tag (Ethernet -Type = 0x8100). - -The original 802.1q_ specification allows a single Virtual Local Area Network -(VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple -VLAN tags to be inserted into a single frame, an essential capability for -implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, -QinQ itself is extended by other Metro Ethernet protocols. - -In a multiple VLAN header context, out of convenience the term "VLAN tag" or -just "tag" for short is often used in place of "802.1q_ VLAN header". QinQ -allows multiple VLAN tags in an Ethernet frame; together these tags constitute -a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a -frame that has 2 VLAN 802.1q_ headers (double-tagged). - -In VyOS the terms ``vif-s`` and ``vif-c`` stand for the ethertype tags that -are used. - -The inner tag is the tag which is closest to the payload portion of the frame. -It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer -tag is the one closer/closest to the Ethernet header, its name is S-TAG -(service tag with Ethernet Type = 0x88a8). +**Overview** +IEEE 802.1ad_, commonly known as QinQ, is an Ethernet standard first published +as an amendment to 802.1q_ in 2005, then officially merged into the base +standard in 2011. + +Unlike the original 802.1q_, which allows a single VLAN header per Ethernet +frame, QinQ allows two VLAN headers per Ethernet frame, for the inner and the outer VLAN tags. +Most often the inner VLAN tag comes from a customer while the outer tag is used by the service +provider to differentiate between traffic of different customers. + + +**Frame structure and ethertypes** + +The IEEE 802.1ad_ (QinQ) frame includes two VLAN tags: + +* **The outer service tag (S-TAG):** The S-TAG is typically added by the provider. +It uses the Ethertype 0x88a8 by default. + +* **The inner customer tag (C-TAG):** The C-TAG is generated by the customer's equipment and + remains unchanged during transit. It uses the Ethertype 0x8100. + +**Implementation in VyOS** + +In VyOS, these tag types are associated with the following CLI options: + +* ``vif-s``: Corresponds to the S-TAG (Ethertype 0x88a8). +* ``vif-c``: Corresponds to the C-TAG (Ethertype 0x8100). .. cmdinclude:: /_include/interface-address-with-dhcp.txt :var0: {{ var0 }} diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 8d31fc70..e6c385e7 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-01-20 +:lastproofread: 2026-01-19 .. _ethernet-interface: @@ -6,8 +6,12 @@ Ethernet ######## -This will be the most widely used interface on a router carrying traffic to the -real world. +Ethernet interfaces (e.g., ``eth0``, ``eth1``) represent the host's physical +or virtual network ports. + +They are the most common interface type, serving as the base layer upon which +IP addresses, VLANs, and tunnels are configured to carry traffic across both +LANs and WANs. ************* Configuration @@ -20,15 +24,16 @@ Common interface configuration :var0: ethernet :var1: eth0 -.. cfgcmd:: set interface ethernet <interface> switchdev +.. cfgcmd:: set interfaces ethernet <interface> switchdev - Switches this interface to `switchdev` mode that allows network interfaces to offload - certain networking functions directly to hardware, like a network switch or a SmartNIC. - This enables higher performance and lower latency for network processing by - bypassing the kernel's network stack for supported operations. + **Enable** ``switchdev`` **mode for the interface.** + + In ``switchdev`` mode, the interface offloads traffic switching between ports + to the hardware, bypassing the host CPU. This increases the interface’s + traffic-handling capacity and reduces its forwarding delay. -.. note:: This is only supported on certain physical network interfaces - and depends on specific models and drivers. +.. note:: ``switchdev`` mode is available only on certain physical network + interfaces and requires a switchdev-compatible driver. Ethernet options @@ -36,40 +41,65 @@ Ethernet options .. cfgcmd:: set interfaces ethernet <interface> duplex <auto | full | half> - Configure physical interface duplex setting. + **Configure duplex mode for the interface.** - * auto - interface duplex setting is auto-negotiated - * full - always use full-duplex - * half - always use half-duplex + The following duplex modes are available: - VyOS default will be `auto`. + * ``auto``: The interface negotiates the duplex mode with the connected device. + * ``full``: The interface sends and receives data simultaneously. The + connected device must also be set to full-duplex to avoid a duplex mismatch. + * ``half``: The interface either sends or receives data, but not both at the + same time. + The default duplex mode is ``auto``. + .. cfgcmd:: set interfaces ethernet <interface> speed <auto | 10 | 100 | 1000 | 2500 | 5000 | 10000 | 25000 | 40000 | 50000 | 100000> - Configure physical interface speed setting. + **Configure the interface's speed, in Mbit/s.** + + The following options are available: + + * ``auto``: The interface negotiates the speed with the connected device. + * ``10, 100, 1000 ...``: The interface operates at the selected speed. The + connected device must be set to the same speed to establish a connection. + + The default option is ``auto``. + +.. cfgcmd:: set interfaces ethernet <interface> ring-buffer rx <value> + + **Configure the receive (RX) ring buffer size for the interface.** + + The RX ring buffer size defines the number of incoming packets the interface + can queue in hardware before the CPU processes them. + + Higher values reduce the risk of drops when the NIC receives network traffic + faster than the CPU can process it, though latency may increase. Lower values + reduce latency but increase the risk of packet drops during incoming traffic + bursts. - * auto - interface speed is auto-negotiated - * 10 - 10 MBit/s - * 100 - 100 MBit/s - * 1000 - 1 GBit/s - * 2500 - 2.5 GBit/s - * 5000 - 5 GBit/s - * 10000 - 10 GBit/s - * 25000 - 25 GBit/s - * 40000 - 40 GBit/s - * 50000 - 50 GBit/s - * 100000 - 100 GBit/s + To view supported values for a specific interface, use: - VyOS default will be `auto`. +.. code-block:: none + + ethtool -g <interface> -.. cfgcmd:: set interface ethernet <interface> ring-buffer rx <value> -.. cfgcmd:: set interface ethernet <interface> ring-buffer tx <value> +.. cfgcmd:: set interfaces ethernet <interface> ring-buffer tx <value> - Configures the ring buffer size of the interface. + **Configure the transmit (TX) ring buffer size.** - The supported values for a specific interface can be obtained - with: `ethtool -g <interface>` + The TX ring buffer size defines the number of outgoing packets the interface + can queue in hardware before they are transmitted onto the network. + + Higher values reduce the risk of drops when the CPU generates traffic faster + than the NIC can handle, though latency may increase. Lower values reduce + latency but increase the risk of packet drops during outgoing traffic bursts. + + To view supported values for a specific interface, use: + +.. code-block:: none + + ethtool -g <interface> Interrupt Coalescing ---------- @@ -180,63 +210,79 @@ the CPU for every packet arrival or transmission. Offloading ---------- -.. cfgcmd:: set interfaces ethernet <interface> offload <gro | gso | lro | rps | - sg | tso> - - Enable different types of hardware offloading on the given NIC. - - :abbr:`LRO (Large Receive Offload)` is a technique designed to boost the - efficiency of how your computer's network interface card (NIC) processes - incoming network traffic. Typically, network data arrives in smaller chunks - called packets. Processing each packet individually consumes CPU (central - processing unit) resources. Lots of small packets can lead to a performance - bottleneck. Instead of handing the CPU each packet as it comes in, LRO - instructs the NIC to combine multiple incoming packets into a single, larger - packet. This larger packet is then passed to the CPU for processing. - - .. note:: Under some circumstances, LRO is known to modify the packet headers - of forwarded traffic, which breaks the end-to-end principle of computer - networking. LRO is also only able to offload TCP segments encapsulated in - IPv4 packets. Due to these limitations, it is recommended to use GRO - (Generic Receive Offload) where possible. More information on the - limitations of LRO can be found here: https://lwn.net/Articles/358910/ - - :abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is - meant to deal with cases where device drivers cannot perform the offloads - described above. What occurs in GSO is that a given skbuff will have its data - broken out over multiple skbuffs that have been resized to match the MSS - provided via skb_shinfo()->gso_size. - - Before enabling any hardware segmentation offload a corresponding software - offload is required in GSO. Otherwise it becomes possible for a frame to be - re-routed between devices and end up being unable to be transmitted. - - :abbr:`GRO (Generic receive offload)` is the complement to GSO. Ideally any - frame assembled by GRO should be segmented to create an identical sequence of - frames using GSO, and any sequence of frames segmented by GSO should be able - to be reassembled back to the original by GRO. The only exception to this is - IPv4 ID in the case that the DF bit is set for a given IP header. If the - value of the IPv4 ID is not sequentially incrementing it will be altered so - that it is when a frame assembled via GRO is segmented via GSO. - - :abbr:`RPS (Receive Packet Steering)` is logically a software implementation - of :abbr:`RSS (Receive Side Scaling)`. Being in software, it is necessarily - called later in the datapath. Whereas RSS selects the queue and hence CPU that - will run the hardware interrupt handler, RPS selects the CPU to perform - protocol processing above the interrupt handler. This is accomplished by - placing the packet on the desired CPU's backlog queue and waking up the CPU - for processing. RPS has some advantages over RSS: - - - it can be used with any NIC - - software filters can easily be added to hash over new protocols - - it does not increase hardware device interrupt rate, although it does - introduce inter-processor interrupts (IPIs) - - .. note:: In order to use TSO/LRO with VMXNET3 adapters, the SG offloading - option must also be enabled. - -Authentication (EAPoL) ----------------------- +.. cfgcmd:: set interfaces ethernet <interface> offload <lro | tso | gso | + gro | rps | sg > + + **Configure the offloading features for the interface.** + + The interface offloading features define whether specific packet-processing tasks + are performed by hardware (the NIC) or by software (the kernel). You can enable + multiple offloading features for a single interface. + + + * ``lro`` **(Large Receive Offload):** Instructs the NIC to merge multiple + incoming packets into one larger packet before sending it to the CPU. + + .. note:: :abbr:`LRO (Large Receive Offload)` hardware support is often limited + to TCP/IPv4 packets. For details on LRO limitations, see + https://lwn.net/Articles/358910/ + + .. warning:: :abbr:`LRO (Large Receive Offload)` irreversibly alters packet + headers during merging. This prevents the merged packet from being correctly + split back into the original packets, causing packet drops and forwarding + failures on routers and bridges. Use :abbr:`LRO (Large Receive Offload)` only + for end-hosts that do not forward traffic. + + * ``tso`` **(TCP Segmentation Offload):** Instructs the NIC to split large TCP + packets into smaller ones before transmitting them to the network. + + **Important:** :abbr:`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled + for :abbr:`TSO (TCP Segmentation Offload)` to work. Additionally, :abbr:`GSO + (Generic Segmentation Offload)` should be enabled as a safety fallback; it + ensures that if traffic is rerouted to hardware without :abbr:`TSO (TCP + Segmentation Offload)` support, the kernel can still segment the packets, + preventing transmission failures. + + * ``gso`` **(Generic Segmentation Offload):** Instructs the kernel to split + large packets into smaller ones before sending them to the NIC. + + :abbr:`GSO (Generic Segmentation Offload)` serves as a software fallback for + hardware that does not support :abbr:`TSO (TCP Segmentation Offload)` or for + protocols (like UDP) that hardware cannot offload. + + **Important:** :abbr:`SG (Scatter-Gather/Scatter-Gather DMA)` must be enabled + for :abbr:`GSO (Generic Segmentation Offload)` to work. + + * ``gro`` **(Generic Receive Offload):** Instructs the kernel to merge multiple + incoming packets into one larger packet before passing it to upper protocol + layers. + + Unlike LRO, GRO preserves the necessary packet metadata so the merged packet + can be correctly split back into the original packets. This makes GRO safe for + use on routers and bridges. + + .. note:: The exception is for IPv4 IDs. If the "Don't Fragment" (DF) bit is + set and IDs are not sequential, :abbr:`GSO (Generic Segmentation Offload)` + alters them to maintain a consistent sequence for :abbr:`GSO (Generic + Segmentation Offload)` compatibility. + + * ``rps`` **(Receive Packet Steering):** Instructs the kernel to distribute + the processing of incoming packets across multiple CPU cores. + + The kernel calculates a hash from packet headers (IP addresses and ports) to + ensure packets from the same flow are processed by the same CPU core. + + .. note:: :abbr:`RPS (Receive Packet Steering)` is a software version of + :abbr:`RSS (Receive Side Scaling)` and is useful for NICs without hardware + multi-queue support. + + * ``sg`` **(Scatter-Gather/Scatter-Gather DMA):** Instructs the NIC to fetch + data fragments from various RAM locations and transmit them as a single packet + to the network, eliminating the need for the kernel to copy them into a + contiguous block first. + +802.1X (EAPOL) authentication +----------------------------- .. cmdinclude:: /_include/interface-eapol.txt :var0: ethernet @@ -245,7 +291,7 @@ Authentication (EAPoL) EVPN Multihoming ---------------- -Uplink/Core tracking. +Uplink/core tracking. .. cmdinclude:: /_include/interface-evpn-uplink.txt :var0: ethernet @@ -261,15 +307,15 @@ Regular VLANs (802.1q) :var0: ethernet :var1: eth0 -QinQ (802.1ad) +802.1ad (QinQ) -------------- .. cmdinclude:: /_include/interface-vlan-8021ad.txt :var0: ethernet :var1: eth0 -Port Mirror (SPAN) -================== +SPAN port mirroring +=================== .. cmdinclude:: ../../_include/interface-mirror.txt :var0: ethernet :var1: eth1 @@ -295,7 +341,7 @@ Operation .. opcmd:: show interfaces ethernet <interface> - Show detailed information on given `<interface>` + Show detailed interface information. .. code-block:: none @@ -314,7 +360,7 @@ Operation .. opcmd:: show interfaces ethernet <interface> physical - Show information about physical `<interface>` + Show interface hardware-level and driver details. .. code-block:: none @@ -355,7 +401,7 @@ Operation .. opcmd:: show interfaces ethernet <interface> physical offload - Show available offloading functions on given `<interface>` + Show the status of the interface offloading features. .. code-block:: none @@ -387,7 +433,8 @@ Operation .. opcmd:: show interfaces ethernet <interface> transceiver - Show transceiver information from plugin modules, e.g SFP+, QSFP + Show information about the transceiver module plugged into the interface + (e.g., SFP+, QSFP). .. code-block:: none |
