Diffstat (limited to 'docs/configuration')

-rw-r--r--  docs/configuration/interfaces/vxlan.rst      19
-rw-r--r--  docs/configuration/pki/index.rst              2
-rw-r--r--  docs/configuration/policy/route-map.rst       4
-rw-r--r--  docs/configuration/service/dhcp-server.rst   42
-rw-r--r--  docs/configuration/vrf/index.rst              6

5 files changed, 46 insertions, 27 deletions
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index af00fdec..831870c5 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -31,10 +31,6 @@ If configuring VXLAN in a VyOS virtual machine, ensure that MAC spoofing (Hyper-V) or Forged Transmits (ESX) are permitted, otherwise forwarded frames may be blocked by the hypervisor. -.. note:: As VyOS is based on Linux and there was no official IANA port assigned - for VXLAN, VyOS uses a default port of 8472. You can change the port on a - per VXLAN interface basis to get it working across multiple vendors. - Configuration ============= @@ -58,11 +54,7 @@ VXLAN specific options Configure port number of remote VXLAN endpoint. - .. note:: As VyOS is Linux based the default port used is not using 4789 - as the default IANA-assigned destination UDP port number. Instead VyOS - uses the Linux default port of 8472. - -.. cfgcmd:: set interfaces vxlan <interface> source-address <interface> +.. cfgcmd:: set interfaces vxlan <interface> source-address <IP address> Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. @@ -331,10 +323,9 @@ multicast-address. set interfaces vxlan vxlan241 port 12345 -The destination port used for creating a VXLAN interface in Linux defaults to -its pre-standard value of 8472 to preserve backward compatibility. A -configuration directive to support a user-specified destination port to override -that behavior is available using the above command. +The destination port used for creating a VXLAN interface defaults to +4789. Aconfiguration directive to support a user-specified destination port +to override that behavior is available using the above command. Unicast VXLAN ============= 
@@ -354,5 +345,5 @@ set directly. Let's change the Multicast example from above: # leaf3 set interface vxlan vxlan241 remote 10.1.2.2 -The default port udp is set to 8472. +The default port udp is set to 4789. It can be changed with ``set interface vxlan <vxlanN> port <port>`` diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index 99bd2815..70b89d9f 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -255,6 +255,8 @@ ACME The VyOS PKI subsystem can also be used to automatically retrieve Certificates using the :abbr:`ACME (Automatic Certificate Management Environment)` protocol. +VyOS 1.4.1 does not store the intermediate certificates from ACME. Which makes +this functionality limited. See :vytask:`T7299`. .. cfgcmd:: set pki certificate <name> acme domain-name <name> diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index ccc4cef0..909f7e25 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -179,6 +179,10 @@ Route Map Match RPKI validation result. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match source-vrf <text> + + Source VRF to match. + .. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535> Route tag to match. diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 45555336..a02f60d1 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst 
@@ -170,28 +170,44 @@ Individual Client Subnet Enable DHCP failover configuration for this address pool. -Failover --------- +High Availability +----------------- + +VyOS provides High Availability support for DHCP server. DHCP High +Availability can act in two different modes: + +* **Active-active**: both DHCP servers will respond to DHCP requests. If + ``mode`` is not defined, this is the default behavior. + +* **Active-passive**: only ``primary`` server will respond to DHCP requests. + If this server goes offline, then ``secondary`` server will take place. + +DHCP High Availability must be configured explicitly by the following +statements on both servers: + +.. cfgcmd:: set service dhcp-server high-availability mode [active-active + | active-passive] -VyOS provides support for DHCP failover. DHCP failover must be configured -explicitly by the following statements. + Define operation mode of High Availability feature. Default value if command + is not specified is `active-active` -.. cfgcmd:: set service dhcp-server failover source-address <address> +.. cfgcmd:: set service dhcp-server high-availability source-address <address> - Local IP `<address>` used when communicating to the failover peer. + Local IP `<address>` used when communicating to the HA peer. -.. cfgcmd:: set service dhcp-server failover remote <address> +.. cfgcmd:: set service dhcp-server high-availability remote <address> - Remote peer IP `<address>` of the second DHCP server in this failover + Remote peer IP `<address>` of the second DHCP server in this HA cluster. -.. cfgcmd:: set service dhcp-server failover name <name> +.. cfgcmd:: set service dhcp-server high-availability name <name> A generic `<name>` referencing this sync service. .. note:: `<name>` must be identical on both sides! -.. cfgcmd:: set service dhcp-server failover status <primary | secondary> +.. 
cfgcmd:: set service dhcp-server high-availability status <primary + | secondary> The primary and secondary statements determines whether the server is primary or secondary. @@ -200,12 +216,12 @@ explicitly by the following statements. their lease tables in sync, they must be able to reach each other on TCP port 647. If you have firewall rules in effect, adjust them accordingly. - .. hint:: The dialogue between failover partners is neither encrypted nor + .. hint:: The dialogue between HA partners is neither encrypted nor authenticated. Since most DHCP servers exist within an organisation's own secure Intranet, this would be an unnecessary overhead. However, if you - have DHCP failover peers whose communications traverse insecure networks, + have DHCP HA peers whose communications traverse insecure networks, then we recommend that you consider the use of VPN tunneling between them - to ensure that the failover partnership is immune to disruption + to ensure that the HA partnership is immune to disruption (accidental or otherwise) via third parties. Static mappings diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index 08f489bb..0d44e326 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -505,6 +505,12 @@ address-family. derived and should not be specified explicitly for either the source or destination VRF’s. +.. cfgcmd:: set vrf name <name> protocols bgp address-family + <ipv4-unicast|ipv6-unicast> route-map vrf import + [route-map <name>] + + Specifies an optional route-map to be applied to routes imported from VRFs. + .. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls forwarding |
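Review bot: In the vxlan.rst hunk at @@ -331 the new paragraph after ``set interfaces vxlan vxlan241 port 12345`` has a typo, "Aconfiguration" (missing space: "A configuration"). Since the two notes explaining the old 8472 behaviour were removed earlier in this patch, this paragraph is now the only place the default is stated; suggest saying "defaults to the IANA-assigned UDP port 4789" and keeping one sentence telling operators who peer with an endpoint still running the old Linux default of 8472 that they must set ``port`` explicitly on that interface, otherwise the change in default will silently break existing overlays after an upgrade.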
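Review bot: In the vxlan.rst hunk at @@ -354, "The default port udp is set to 4789." reads awkwardly; suggest "The default UDP port is 4789." The surrounding context lines also use ``set interface vxlan ...`` (singular) while the cfgcmd directives in the same file use ``set interfaces vxlan ...``; worth aligning while this line is being touched.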
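Review bot: In the pki/index.rst hunk, "Which makes this functionality limited." is a sentence fragment. Suggest: "VyOS 1.4.1 does not store the intermediate certificates obtained via ACME, which limits this functionality; see :vytask:`T7299`." It would also help the reader to state the practical consequence: a server that presents only the leaf certificate will fail chain validation on clients that do not fetch missing intermediates themselves, so the limitation is worth checking before relying on ACME-issued certificates for services with such clients.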
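Review bot: In the route-map.rst hunk, "Source VRF to match." does not say what ``<text>`` is; suggest stating that it is a VRF name as configured under ``set vrf name <name>`` (the form used in vrf/index.rst in this same patch), so readers know the value is a configured VRF and not an arbitrary string.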
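Review bot: In the dhcp-server.rst hunk at @@ -170, the unchanged context line at the top of the hunk still reads "Enable DHCP failover configuration for this address pool." while every command and heading below it has been renamed to High Availability; that per-pool description should be updated in the same change so the two terms do not coexist. Smaller points in the new text: "then ``secondary`` server will take place" should be "will take over"; "Default value if command is not specified is `active-active`" reads better as "If ``mode`` is not set, the default is ``active-active``" (and uses double backticks like the rest of the section); and the new ``mode [active-active | active-passive]`` uses square brackets for the alternatives while the ``status <primary | secondary>`` command in the same hunk uses angle brackets, so one style should be chosen.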
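Review bot: In the dhcp-server.rst hunk at @@ -200, the hint now says "HA partners" and "HA peers" but the abbreviation is never introduced; the section heading spells out "High Availability". Suggest using the same ``:abbr:`` role that pki/index.rst in this patch uses for ACME, e.g. ``:abbr:`HA (High Availability)``` on first use, so the rendered page expands it. The hint's substance (TCP 647, unencrypted and unauthenticated, recommend VPN over insecure networks) is unchanged and still correct for the renamed feature.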
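Review bot: In the vrf/index.rst hunk, the cfgcmd ``route-map vrf import [route-map <name>]`` repeats ``route-map``, and the bracketed ``[route-map <name>]`` reads as if the route-map name were optional, which would leave the command with nothing to apply. Either the command should be ``route-map vrf import <name>`` or the description should explain what the bracketed part denotes. The description "Specifies an optional route-map to be applied to routes imported from VRFs." should also state the direction: the route-map is applied to routes imported into this VRF (``<name>`` under ``set vrf name``) from the VRFs selected by the import statements documented above in the same section.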