Diffstat (limited to 'docs/_include')
| -rw-r--r-- | docs/_include/interface-common.txt | 7 |
| -rw-r--r-- | docs/_include/interface-ip.txt | 157 |
| -rw-r--r-- | docs/_include/interface-ipv6.txt (renamed from docs/_include/interface-ipv6-address.txt) | 22 |
| -rw-r--r-- | docs/_include/interface-vlan-8021ad.txt | 12 |
| -rw-r--r-- | docs/_include/interface-vlan-8021q.txt | 9 |
5 files changed, 202 insertions, 5 deletions
| diff --git a/docs/_include/interface-common.txt b/docs/_include/interface-common.txt index f9bc640a..cbe32cfb 100644 --- a/docs/_include/interface-common.txt +++ b/docs/_include/interface-common.txt @@ -22,11 +22,14 @@    :var0: {{ var0 }}    :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-ipv6-address.txt +.. cmdinclude:: ../_include/interface-ip.txt    :var0: {{ var0 }}    :var1: {{ var1 }} -.. cmdinclude:: ../_include/interface-vrf.txt +.. cmdinclude:: ../_include/interface-ipv6.txt    :var0: {{ var0 }}    :var1: {{ var1 }} +.. cmdinclude:: ../_include/interface-vrf.txt +  :var0: {{ var0 }} +  :var1: {{ var1 }} diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt new file mode 100644 index 00000000..89937806 --- /dev/null +++ b/docs/_include/interface-ip.txt 
@@ -0,0 +1,157 @@ +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip arp-cache-timeout + +  Once a neighbor has been found, the entry is considered to be valid for at +  least for this specifc time. An entry's validity will be extended if it +  receives positive feedback from higher level protocols. + +  This defaults to 30 seconds. + +  Example: + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip arp-cache-timeout 180 + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip disable-arp-filter + +  If set the kernel can respond to arp requests with addresses from other +  interfaces. This may seem wrong but it usually makes sense, because it +  increases the chance of successful communication. IP addresses are owned by +  the complete host on Linux, not by particular interfaces. Only for more +  complex setups like load-balancing, does this behaviour cause problems. + +  If not set (default) allows you to have multiple network interfaces on the +  same subnet, and have the ARPs for each interface be answered based on whether +  or not the kernel would route a packet from the ARP'd IP out that interface +  (therefore you must use source based routing for this to work). + +  In other words it allows control of which cards (usually 1) will respond to an +  arp request. + +  Example: + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-arp-filter + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip disable-forwarding + +  Configure interface-specific Host/Router behaviour. If set, the interface will +  switch to host mode and IPv6 forwarding will be disabled on this interface. + +  .. 
code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip disable-forwarding + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip enable-arp-accept + +  Define behavior for gratuitous ARP frames who's IP is not already present in +  the ARP table. If configured create new entries in the ARP table. + +  Both replies and requests type gratuitous arp will trigger the ARP table to be +  updated, if this setting is on. + +  If the ARP table already contains the IP address of the gratuitous arp frame, +  the arp table will be updated regardless if this setting is on or off. + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-accept + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip enable-arp-announce + +  Define different restriction levels for announcing the local source IP address +  from IP packets in ARP requests sent on interface. + +  Use any local address, configured on any interface if this is not set. + +  If configured, try to avoid local addresses that are not in the target's +  subnet for this interface. This mode is useful when target hosts reachable via +  this interface require the source IP address in ARP requests to be part of +  their logical network configured on the receiving interface. When we generate +  the request we will check all our subnets that include the target IP and will +  preserve the source address if it is from such subnet. If there is no such +  subnet we select source address according to the rules for level 2. + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-announce + +.. 
cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip enable-arp-ignore + +  Define different modes for sending replies in response to received ARP +  requests that resolve local target IP addresses: + +  If configured, reply only if the target IP address is local address configured +  on the incoming interface. + +  If this option is unset (default), reply for any local target IP address, +  configured on any interface. + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-arp-ignore + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip enable-proxy-arp + +  Use this command to enable proxy Address Resolution Protocol (ARP) on this +  interface. Proxy ARP allows an Ethernet interface to respond with its own +  :abbr:`MAC (Media Access Control)` address to ARP requests for destination IP +  addresses on subnets attached to other interfaces on the system. Subsequent +  packets sent to those destination IP addresses are forwarded appropriately by +  the system. + +  Example: + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ip enable-proxy-arp + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip proxy-arp-pvlan + +  Private VLAN proxy arp. Basically allow proxy arp replies back to the same +  interface (from which the ARP request/solicitation was received). + +  This is done to support (ethernet) switch features, like :rfc:`3069`, where +  the individual ports are NOT allowed to communicate with each other, but they +  are allowed to talk to the upstream router. As described in :rfc:`3069`, it is +  possible to allow these hosts to communicate through the upstream router by +  proxy_arp'ing. + +  .. note:: Don't need to be used together with proxy_arp. 
+ +  This technology is known by different names: + +  - In :rfc:`3069` it is called VLAN Aggregation + +  - Cisco and Allied Telesyn call it Private VLAN + +  - Hewlett-Packard call it Source-Port filtering or port-isolation + +  - Ericsson call it MAC-Forced Forwarding (RFC Draft) + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ip source-validation <strict | loose | disable> + +  Enable policy for source validation by reversed path, as specified in +  :rfc:`3704`. Current recommended practice in :rfc:`3704` is to enable strict +  mode to prevent IP spoofing from DDos attacks. If using asymmetric routing +  or other complicated routing, then loose mode is recommended. + +  - strict: Each incoming packet is tested against the FIB and if the interface +    is not the best reverse path the packet check will fail. By default failed +    packets are discarded. + +  - loose: Each incoming packet's source address is also tested against the FIB +    and if the source address is not reachable via any interface the packet +    check will fail. + +  - disable: No source validation diff --git a/docs/_include/interface-ipv6-address.txt b/docs/_include/interface-ipv6.txt index d57cecde..e03817cf 100644 --- a/docs/_include/interface-ipv6-address.txt +++ b/docs/_include/interface-ipv6.txt @@ -25,6 +25,8 @@    :abbr:`EUI-64 (64-Bit Extended Unique Identifier)` as specified in    :rfc:`4291` allows a host to assign iteslf a unique 64-Bit IPv6 address. +  Example: +    .. code-block:: none      set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address eui64 2001:db8:beef::/64 
@@ -32,4 +34,22 @@  .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}    {{ var5 }} {{ var6 }} ipv6 address no-default-link-local -  Do not assign a link-local IPv6 address to this interface +  Do not assign a link-local IPv6 address to this interface. + +  Example: + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 address no-default-link-local + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} +  {{ var5 }} {{ var6 }} ipv6 disable-forwarding + +  Configure interface-specific Host/Router behaviour. If set, the interface will +  switch to host mode and IPv6 forwarding will be disabled on this interface. + +  Example: + +  .. code-block:: none + +    set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 disable-forwarding diff --git a/docs/_include/interface-vlan-8021ad.txt b/docs/_include/interface-vlan-8021ad.txt index 6ccfbe82..a6ee87d9 100644 --- a/docs/_include/interface-vlan-8021ad.txt +++ b/docs/_include/interface-vlan-8021ad.txt @@ -88,7 +88,17 @@ tag is the one closer/closest to the Ethernet header, its name is S-TAG     :var6: <vlan-id>     :var7: 20 -.. cmdinclude:: ../_include/interface-ipv6-address.txt +.. cmdinclude:: ../_include/interface-ip.txt +   :var0: {{ var0 }} +   :var1: {{ var1 }} +   :var2: vif-s +   :var3: <vlan-id> +   :var4: 1000 +   :var5: vif-c +   :var6: <vlan-id> +   :var7: 20 + +.. cmdinclude:: ../_include/interface-ipv6.txt     :var0: {{ var0 }}     :var1: {{ var1 }}     :var2: vif-s diff --git a/docs/_include/interface-vlan-8021q.txt b/docs/_include/interface-vlan-8021q.txt index 69e8227f..c906feb9 100644 --- a/docs/_include/interface-vlan-8021q.txt +++ b/docs/_include/interface-vlan-8021q.txt 
@@ -71,7 +71,14 @@ term used for this is ``vif``.     :var3: <vlan-id>     :var4: 10 -.. cmdinclude:: ../_include/interface-ipv6-address.txt +.. cmdinclude:: ../_include/interface-ip.txt +   :var0: {{ var0 }} +   :var1: {{ var1 }} +   :var2: vif +   :var3: <vlan-id> +   :var4: 10 + +.. cmdinclude:: ../_include/interface-ipv6.txt     :var0: {{ var0 }}     :var1: {{ var1 }}     :var2: vif | 
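Review bot: in the new docs/_include/interface-ip.txt, the description under `ip disable-forwarding` says "IPv6 forwarding will be disabled on this interface", which is the same sentence this patch adds for `ipv6 disable-forwarding` in interface-ipv6.txt; for the `ip` command it should name IPv4, since an operator relying on this text to decide whether an interface routes will read the wrong address family. In the same hunk, `ip enable-arp-announce` talks about "different restriction levels" and falls back to "the rules for level 2", but the command takes no value and no levels are defined anywhere in this text, so describe the one behaviour the flag enables or drop the level reference. `ip source-validation <strict | loose | disable>` states no default and has no example, which matters because the text recommends strict mode against spoofing. The entries for disable-forwarding, enable-arp-accept, enable-arp-announce and enable-arp-ignore also omit the "Example:" line the other entries carry. Wording to fix while here: "at least for this specifc time" (typo and doubled "for"), "who's IP" (whose), "DDos", and the note "Don't need to be used together with proxy_arp", which uses the sysctl name rather than the `enable-proxy-arp` command documented just above it.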
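Review bot: the diffstat shown is limited to docs/_include, so for the rename of interface-ipv6-address.txt to interface-ipv6.txt it is not visible whether any `cmdinclude` outside that directory still points at the old file name; the three references in interface-common.txt, interface-vlan-8021ad.txt and interface-vlan-8021q.txt are updated here, but a search of the rest of docs/ for "interface-ipv6-address.txt" should be part of this change. Since the first hunk of interface-ipv6.txt already touches the EUI-64 entry, the context line reading "assign iteslf" could be corrected in the same commit.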
