Diffstat (limited to 'docs/configuration/interfaces')
-rw-r--r-- docs/configuration/interfaces/macsec.rst 49
-rw-r--r-- docs/configuration/interfaces/vxlan.rst 32
-rw-r--r-- docs/configuration/interfaces/wireguard.rst 4
-rw-r--r-- docs/configuration/interfaces/wireless.rst 13
4 files changed, 92 insertions, 6 deletions
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 60877d73..0c0c052b 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -44,6 +44,30 @@ MACsec options
A physical interface is required to connect this MACsec instance to. Traffic
leaving this interface will now be authenticated/encrypted.
+Static Keys
+-----------
+Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each
+device wishing to use MACsec. Keys must be set statically on all devices for traffic
+to flow properly. Key rotation is dependent on the administrator updating all keys
+manually across connected devices. Static SAK mode can not be used with MKA.
+
+.. cfgcmd:: set interfaces macsec <interface> security static key <key>
+
+ Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes
+ (GCM-AES-128) or 32-bytes (GCM-AES-256).
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address>
+
+ Set the peer's MAC address
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key>
+
+ Set the peer's key used to receive (RX) traffic
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable
+
+ Disable the peer configuration
+
Key Management
--------------
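Review bot: The ``:abbr:`` in the first sentence of the new Static Keys section expands SAK as "Secure Authentication Key", but in MACsec (IEEE 802.1AE) SAK stands for Secure Association Key, so the expansion should be corrected. In the ``static key`` description, consider giving the length in hex characters as well (32 for GCM-AES-128, 64 for GCM-AES-256), since the value is entered as a hex string and "16-bytes" can be misread as 16 characters. Minor: "can not" should be "cannot", and the descriptions for ``peer <peer> mac``, ``peer <peer> key`` and ``peer <peer> disable`` lack the closing period used elsewhere.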
@@ -188,3 +212,28 @@ the unencrypted but authenticated content.
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(
+**R1 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
+ set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+**R2 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
+ set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
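Review bot: In the R2 Static Key block the peer is still named R2 (``security static peer R2 mac 00:11:22:33:44:01`` and ``security static peer R2 key 'ddd6f4a7...'``), although the MAC address and key belong to R1; rename the peer to R1 so the example reads as R2 describing its neighbour rather than itself. The block is also appended directly after the packet dump with no introductory sentence saying that it is the static-key variant of the example. The file now ends without a trailing newline, which should be added.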
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index 86568686..2cb0b2f1 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -132,6 +132,36 @@ For optimal scalability, Multicast shouldn't be used at all, but instead use BGP
to signal all connected devices between leaves. Unfortunately, VyOS does not yet
support this.
+Single VXLAN device (SVD)
+=========================
+
+FRR supports a new way of configuring VLAN-to-VNI mappings for EVPN-VXLAN, when
+working with the Linux kernel. In this new way, the mapping of a VLAN to a
+:abbr:`VNI (VXLAN Network Identifier (or VXLAN Segment ID))` is configured
+against a container VXLAN interface which is referred to as a
+:abbr:`SVD (Single VXLAN device)`.
+
+Multiple VLAN to VNI mappings can be configured against the same SVD. This
+allows for a significant scaling of the number of VNIs since a separate VXLAN
+interface is no longer required for each VNI.
+
+.. cfgcmd:: set interfaces vxlan <interface> vlan-to-vni <vlan> vni <vni>
+
+ Maps the VNI to the specified VLAN id. The VLAN can then be consumed by
+ a bridge.
+
+ Sample configuration of SVD with VLAN to VNI mappings is shown below.
+
+ .. code-block:: none
+
+ set interfaces bridge br0 member interface vxlan0
+ set interfaces vxlan vxlan0 external
+ set interfaces vxlan vxlan0 source-interface 'dum0'
+ set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
+ set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
+ set interfaces vxlan vxlan0 vlan-to-vni 30 vni '10030'
+ set interfaces vxlan vxlan0 vlan-to-vni 31 vni '10031'
+
Example
-------
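Review bot: The new "Single VXLAN device (SVD)" heading uses the ``=====`` underline and is inserted directly before the existing "Example" heading with ``-------``, so the existing Example section becomes a subsection of SVD instead of staying under the section it belonged to before; either move the SVD section after that Example or place it where it does not re-parent it. In the sample, the text says the VLAN "can then be consumed by a bridge", but only ``set interfaces bridge br0 member interface vxlan0`` is shown and ``dum0`` is used as source-interface without being defined, so the example should show the remaining bridge VLAN configuration or state what is assumed. The sample and its introductory sentence are also indented under the ``cfgcmd`` directive, which makes them part of that command's description; confirm this is intended.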
@@ -252,7 +282,7 @@ advertised.
set interfaces bridge br241 member interface 'eth1.241'
set interfaces bridge br241 member interface 'vxlan241'
-Binds eth1.241 and vxlan241 to each other by making them both member
+Binds eth1.241 and vxlan241 to each other by making them both member
interfaces of the same bridge.
.. code-block:: none
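Review bot: The removed and added "Binds eth1.241 and vxlan241 ..." lines read identically, so this looks like a whitespace-only change unrelated to the rest of the commit; it would be cleaner in a separate cleanup commit, or at least mentioned in the commit message.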
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index 5eb10fe8..d2916d9f 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -183,6 +183,10 @@ traffic.
The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the
public key, which needs to be shared with the peer.
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireguard
+ :var1: wg01
+
**remote side - commands**
.. code-block:: none
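Review bot: The ``cmdinclude`` for ``interface-per-client-thread.txt`` is inserted in the middle of the worked example, between the sentence about sharing the public key and the "remote side - commands" block, which interrupts the local/remote walk-through. It would fit better with the other interface option descriptions, as done in wireless.rst where the same include follows the option list.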
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index f45101b5..e853a1ec 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -122,6 +122,10 @@ Wireless options
* ``station`` - Connects to another access point
* ``monitor`` - Passively monitor all packets on the frequency/channel
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireless
+ :var1: wlan0
+
PPDU
----
@@ -304,6 +308,7 @@ default physical device (``phy0``) is used.
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa passphrase '12345678'
@@ -315,6 +320,7 @@ Resulting in
[...]
wireless wlan0 {
address dhcp
+ country-code de
security {
wpa {
passphrase "12345678"
@@ -350,6 +356,7 @@ The WAP in this example has the following characteristics:
.. code-block:: none
set interfaces wireless wlan0 address '192.168.2.1/24'
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
@@ -367,6 +374,7 @@ Resulting in
[...]
wireless wlan0 {
address 192.168.2.1/24
+ country-code de
channel 1
mode n
security {
@@ -385,11 +393,6 @@ Resulting in
type access-point
}
}
- system {
- [...]
- wifi-regulatory-domain DE
- }
-
VLAN
====
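Review bot: This hunk removes the ``system { wifi-regulatory-domain DE }`` block from the resulting-config listing, while the other wireless.rst hunks add a per-interface ``country-code de``; nothing in this diff adds a ``cfgcmd`` entry describing ``country-code`` or its accepted values, and the case changes from ``DE`` to ``de`` without comment. Please document the option (or confirm it is already documented elsewhere in the file) and add a short note that it replaces the system-level regulatory domain setting, so readers with existing configurations know what changed.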