diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/protocols/bfd.rst | 7 | ||||
| -rw-r--r-- | docs/configuration/service/dhcp-server.rst | 44 | ||||
| -rw-r--r-- | docs/configuration/service/ipoe-server.rst | 10 | ||||
| -rw-r--r-- | docs/configuration/service/ntp.rst | 31 | ||||
| -rw-r--r-- | docs/configuration/service/pppoe-server.rst | 25 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 12 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 12 | ||||
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 12 |
8 files changed, 108 insertions, 45 deletions
diff --git a/docs/configuration/protocols/bfd.rst b/docs/configuration/protocols/bfd.rst index 496c0cf9..30876efc 100644 --- a/docs/configuration/protocols/bfd.rst +++ b/docs/configuration/protocols/bfd.rst @@ -56,6 +56,13 @@ Configure BFD Disable a BFD peer +.. cfgcmd:: set protocols bfd peer <address> minimum-ttl <1-254> + + For multi hop sessions only. Configure the minimum expected TTL for an + incoming BFD control packet. + + This feature serves the purpose of thightening the packet validation + requirements to avoid receiving BFD control packets from other sessions. Enable BFD in BGP ----------------- diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index c51a0aff..6813d2c0 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -178,12 +178,18 @@ MAC address of the station and your desired IP address. The address must be inside the subnet definition but can be outside of the range statement. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet - <subnet> static-mapping <description> mac-address <address> + <subnet> static-mapping <description> mac <address> Create a new DHCP static mapping named `<description>` which is valid for the host identified by its MAC `<address>`. .. cfgcmd:: set service dhcp-server shared-network-name <name> subnet + <subnet> static-mapping <description> duid <identifier> + + Create a new DHCP static mapping named `<description>` which is valid for + the host identified by its DHCP unique identifier (DUID) `<identifier>`. + +.. cfgcmd:: set service dhcp-server shared-network-name <name> subnet <subnet> static-mapping <description> ip-address <address> Static DHCP IP address assign to host identified by `<description>`. IP @@ -205,7 +211,7 @@ inside the subnet definition but can be outside of the range statement. set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 subnet-id 1 set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 ip-address 192.168.1.100 - set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac-address aa:bb:11:22:33:00 + set service dhcp-server shared-network-name 'NET1' subnet 192.168.1.0/24 static-mapping client1 mac aa:bb:11:22:33:00 The configuration will look as follows: @@ -215,7 +221,7 @@ The configuration will look as follows: subnet 192.168.1.0/24 { static-mapping client1 { ip-address 192.168.1.100 - mac-address aa:bb:11:22:33:00 + mac aa:bb:11:22:33:00 } subnet-id 1 } @@ -528,35 +534,35 @@ Configuration values need to be supplied in seconds. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nis-domain <domain-name> + <prefix> option nis-domain <domain-name> A :abbr:`NIS (Network Information Service)` domain can be set to be used for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nisplus-domain <domain-name> + <prefix> option nisplus-domain <domain-name> The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` domain is similar to the NIS domain one: .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nis-server <address> + <prefix> option nis-server <address> Specify a NIS server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> nisplus-server <address> + <prefix> option nisplus-server <address> Specify a NIS+ server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> sip-server <address | fqdn> + <prefix> option sip-server <address | fqdn> Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address of Fully Qualified Domain Name for all DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name <name> subnet - <prefix> sntp-server-address <address> + <prefix> option sntp-server-address <address> A SNTP server address can be specified for DHCPv6 clients. @@ -594,8 +600,9 @@ server. The following example describes a common scenario. .. code-block:: none - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 address-range start 2001:db8::100 stop 2001:db8::199 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 name-server 2001:db8::ffff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 start 2001:db8::100 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 range 1 stop 2001:db8::199 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 option name-server 2001:db8::ffff set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 subnet-id 1 The configuration will look as follows: @@ -605,12 +612,13 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 { subnet 2001:db8::/64 { - address-range { - start 2001:db8::100 { - stop 2001:db8::199 - } + range 1 { + start 2001:db8::100 + stop 2001:db8::199 + } + option { + name-server 2001:db8::ffff } - name-server 2001:db8::ffff subnet-id 1 } } @@ -639,7 +647,7 @@ be created. The following example explains the process. set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 - set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff The configuration will look as follows: @@ -650,7 +658,7 @@ The configuration will look as follows: show service dhcpv6-server shared-network-name NET1 subnet 2001:db8::/64 { static-mapping client1 { - identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff + duid 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff ipv6-address 2001:db8::101 ipv6-prefix 2001:db8:0:101::/64 } diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index c219a063..ed4ade1a 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -72,8 +72,9 @@ IPv6 DNS addresses are optional. set service ipoe-server authentication interface eth3 mac 08:00:27:2F:D8:06 set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate '2001:db8:1::/48' delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix '2001:db8::/48' mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:1::/48' delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix '2001:db8::/48' mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server name-server '2001:db8::' set service ipoe-server name-server '2001:db8:aaa::' set service ipoe-server name-server '2001:db8:bbb::' @@ -171,8 +172,9 @@ Server configuration set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' set service ipoe-server authentication mode 'local' - set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' - set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server client-ipv6-pool IPv6-POOL delegate 2001:db8:ffff::/48 delegation-prefix '56' + set service ipoe-server client-ipv6-pool IPv6-POOL prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server default-ipv6-pool IPv6-POOL set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' set service ipoe-server interface eth1.50 mode 'l2' set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' diff --git a/docs/configuration/service/ntp.rst b/docs/configuration/service/ntp.rst index 08be047c..e7ee392b 100644 --- a/docs/configuration/service/ntp.rst +++ b/docs/configuration/service/ntp.rst @@ -81,4 +81,33 @@ Configuration .. cfgcmd:: set service ntp vrf <name> - Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance. + +.. cfgcmd:: set service ntp leap-second [ignore|smear|system|timezone] + + Define how to handle leaf-seonds. + + * `ignore`: No correction is applied to the clock for the leap second. The + clock will be corrected later in normal operation when new measurements are + made and the estimated offset includes the one second error. + + * `smear`: When smearing a leap second, the leap status is suppressed on the + server and the served time is corrected slowly by slewing instead of + stepping. The clients do not need any special configuration as they do not + know there is any leap second and they follow the server time which + eventually brings them back to UTC. Care must be taken to ensure they use + only NTP servers which smear the leap second in exactly the same way for + synchronisation. + + * `system`: When inserting a leap second, the kernel steps the system clock + backwards by one second when the clock gets to 00:00:00 UTC. When deleting + a leap second, it steps forward by one second when the clock gets to + 23:59:59 UTC. + + * `timezone`: This directive specifies a timezone in the system timezone + database which chronyd can use to determine when will the next leap second + occur and what is the current offset between TAI and UTC. It will + periodically check if 23:59:59 and 23:59:60 are valid times in the + timezone. This normally works with the right/UTC timezone which is the + default + diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst index a230d9fe..56fcb968 100644 --- a/docs/configuration/service/pppoe-server.rst +++ b/docs/configuration/service/pppoe-server.rst @@ -266,11 +266,11 @@ other servers. Last command says that this PPPoE server can serve only IPv6 ---- -IPv6 client's prefix assignment -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +IPv6 client's prefix +^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool prefix <address> - mask <number-of-bits> +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> + prefix <address> mask <number-of-bits> Use this comand to set the IPv6 address pool from which a PPPoE client will get an IPv6 prefix of your defined length (mask) to @@ -281,8 +281,8 @@ IPv6 client's prefix assignment IPv6 Prefix Delegation ^^^^^^^^^^^^^^^^^^^^^^ -.. cfgcmd:: set service pppoe-server client-ipv6-pool delegate <address> - delegation-prefix <number-of-bits> +.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> + delegate <address> delegation-prefix <number-of-bits> Use this command to configure DHCPv6 Prefix Delegation (RFC3633). You will have to set your IPv6 pool and the length of the delegation @@ -291,6 +291,14 @@ IPv6 Prefix Delegation delegation prefix can be set from 32 to 64 bit long. +IPv6 default client's pool assignment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set service pppoe-server default-ipv6-pool <POOL-NAME> + + Use this command to define default IPv6 address pool name. + + Maintenance mode ================ @@ -374,8 +382,9 @@ The example below covers a dual-stack configuration via pppoe-server. set service pppoe-server authentication mode 'local' set service pppoe-server client-ip-pool IP-POOL range '192.168.0.1/24' set service pppoe-server default-pool 'IP-POOL' - set service pppoe-server client-ipv6-pool delegate '2001:db8:8003::/48' delegation-prefix '56' - set service pppoe-server client-ipv6-pool prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' + set service pppoe-server client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64' + set service pppoe-server default-ipv6-pool IPv6-POOL set service pppoe-server ppp-options ipv6 allow set service pppoe-server name-server '10.1.1.1' set service pppoe-server name-server '2001:db8:4860::8888' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index b6ee86af..fad69bc3 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -49,9 +49,9 @@ VyOS IKE group has the next options: * ``none`` set action to none (default); - * ``hold`` set action to hold; + * ``trap`` installs a trap policy for the CHILD_SA; - * ``restart`` set action to restart; + * ``start`` tries to immediately re-create the CHILD_SA; * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty @@ -60,11 +60,13 @@ VyOS IKE group has the next options: * ``action`` keep-alive failure action: - * ``hold`` set action to hold (default) + * ``trap`` installs a trap policy, which will catch matching traffic + and tries to re-negotiate the tunnel on-demand; - * ``clear`` set action to clear; + * ``clear`` closes the CHILD_SA and does not take further action (default); - * ``restart`` set action to restart; + * ``restart`` immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA; * ``interval`` keep-alive interval in seconds <2-86400> (default 30); diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 23df1b76..78cadfb5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -317,7 +317,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -357,7 +357,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -397,18 +397,18 @@ Key Parameters: routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to + values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries + ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take +* ``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index d9bb4353..2c5cef6d 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -132,7 +132,8 @@ Configuration Use this command to define default address pool name. -.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address> + mask <number-of-bits> Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the @@ -140,8 +141,8 @@ Configuration bit long, the default value is 64. -.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix - <number-of-bits> +.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address> + delegation-prefix <number-of-bits> Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the @@ -150,6 +151,11 @@ Configuration delegation prefix can be set from 32 to 64 bit long. +.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME> + + Use this command to define default IPv6 address pool name. + + .. cfgcmd:: set vpn sstp name-server <address> Connected client should use `<address>` as their DNS server. This |