diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/interfaces/bonding.rst | 334 | ||||
| -rw-r--r-- | docs/configuration/interfaces/wireguard.rst | 39 | ||||
| -rw-r--r-- | docs/configuration/protocols/pim.rst | 39 | ||||
| -rw-r--r-- | docs/configuration/service/conntrack-sync.rst | 12 | ||||
| -rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 60 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/ipsec_general.rst | 20 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/site2site_ipsec.rst | 24 | ||||
| -rw-r--r-- | docs/configuration/vrf/index.rst | 21 |
8 files changed, 331 insertions, 218 deletions
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 187720a9..7637790c 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -62,20 +62,23 @@ Bond modes :widths: 20 80 * - **Description:** - - IEEE 802.3ad Dynamic Link Aggregation. Groups only member interfaces with - the same speed (e.g., 1 Gbps) and duplex settings. Member interfaces with - different speed and duplex settings are not included in the active bond. - - Provides load balancing and fault tolerance. Uses the :abbr:`LACP (Link - Aggregation Control Protocol)` to negotiate the bond with the switch. + - IEEE 802.3ad Dynamic Link Aggregation. Groups only member + interfaces with the same speed (e.g., 1 Gbps) and duplex + settings. Member interfaces with different speed and duplex + settings are not included in the active bond. + + Provides load balancing and fault tolerance. Uses the + :abbr:`LACP (Link Aggregation Control Protocol)` to + negotiate the bond with the switch. * - **Traffic distribution:** - - Traffic is distributed according to the **transmit hash policy** - (default: XOR). - - The bonding driver applies an XOR operation to specific packet header fields, - generating a hash value that maps to a particular member interface. This - ensures the same network flow is consistently transmitted over the same member - interface. + - Traffic is distributed according to the **transmit hash + policy** (default: XOR). + + The bonding driver applies an XOR operation to specific + packet header fields, generating a hash value that maps to + a particular member interface. This ensures the same network + flow is consistently transmitted over the same member + interface. The transmit hash policy is configured via the ``hash-policy`` option. * - **Failover:** @@ -92,15 +95,16 @@ Bond modes :widths: 20 80 * - **Description:** - - Provides fault tolerance. Only one member interface is active at a time. - Other member interfaces remain in a standby mode. - * - **Traffic distribution:** - - All traffic (incoming and outgoing) is routed via one active member interface. - * - **Failover:** - - If the designated member interface fails, all traffic is routed to - another member interface. The bonding driver sends a Gratuitous ARP - to update the peer's MAC address table, linking the bond's MAC address - to another physical port. + - Provides fault tolerance. Only one member interface is active + at a time. Other member interfaces remain in a standby mode. + * - **Traffic distribution:** + - All traffic (incoming and outgoing) is routed via one active + member interface. + * - **Failover:** + - If the designated member interface fails, all traffic is + routed to another member interface. The bonding driver sends + a Gratuitous ARP to update the peer's MAC address table, + linking the bond's MAC address to another physical port. * ``broadcast`` @@ -109,11 +113,12 @@ Bond modes * - **Description:** - Provides maximum fault tolerance by duplicating traffic. - * - **Traffic distribution:** - - Every packet is duplicated and transmitted on **all** member interfaces. - * - **Failover:** - - Traffic flow is not interrupted as long as at least one member interface - remains active. + * - **Traffic distribution:** + - Every packet is duplicated and transmitted on **all** member + interfaces. + * - **Failover:** + - Traffic flow is not interrupted as long as at least one + member interface remains active. * ``round-robin`` @@ -122,12 +127,13 @@ Bond modes * - **Description:** - Provides load balancing and fault tolerance. - * - **Traffic distribution:** - - Packets are transmitted in sequential order across the member interfaces - (e.g., packet 1 > interface A, packet 2 > interface B, etc.). - * - **Failover:** - - If a member interface fails, the sequence skips the failed interface and - continues with the remaining active members. + * - **Traffic distribution:** + - Packets are transmitted in sequential order across the member + interfaces (e.g., packet 1 > interface A, packet 2 > + interface B, etc.). + * - **Failover:** + - If a member interface fails, the sequence skips the failed + interface and continues with the remaining active members. * ``transmit-load-balance`` @@ -136,14 +142,15 @@ Bond modes * - **Description:** - Provides adaptive transmit load balancing and fault tolerance. - * - **Traffic distribution:** - - **Outgoing:** Distributed across all active member interfaces based on - the current load. + * - **Traffic distribution:** + - **Outgoing:** Distributed across all active member interfaces + based on the current load. - **Incoming:** Received by a designated member interface (active receiver). - * - **Failover:** - - If the active receiver fails, another member interface takes over as the new - active receiver. + **Incoming:** Received by a designated member interface + (active receiver). + * - **Failover:** + - If the active receiver fails, another member interface takes + over as the new active receiver. * ``adaptive-load-balance`` @@ -151,75 +158,88 @@ Bond modes :widths: 20 80 * - **Description:** - - Provides adaptive transmit load balancing identical to - ``transmit-load-balance``, receive load balancing for IPv4 traffic, and fault - tolerance for both incoming and outgoing traffic. + - Provides adaptive transmit load balancing identical to + ``transmit-load-balance``, receive load balancing for IPv4 + traffic, and fault tolerance for both incoming and outgoing + traffic. * - **Traffic distribution:** - **Outgoing:** Identical to ``transmit-load-balance``. - **Incoming:** Distributed based on ARP manipulation. For both local and remote - connections, the bonding driver intercepts ARP traffic and changes the source - MAC address to the MAC address of the least loaded member interface. + **Incoming:** Distributed based on ARP manipulation. For + both local and remote connections, the bonding driver + intercepts ARP traffic and changes the source MAC address + to the MAC address of the least loaded member interface. - All traffic from that peer is then routed to the chosen member interface. + All traffic from that peer is then routed to the chosen + member interface. * - **Failover:** - - If a member interface's state changes (fails, recovers, is added, or excluded), - the traffic is redistributed among all active member interfaces. + - If a member interface's state changes (fails, recovers, is + added, or excluded), the traffic is redistributed among all + active member interfaces. - * ``xor-hash``: Provides load balancing and fault tolerance based on a hash formula. - Distributes traffic and handles failover identically to ``802.3ad``, but operates - without the :abbr:`LACP (Link Aggregation Control Protocol)`. + * ``xor-hash``: Provides load balancing and fault tolerance + based on a hash formula. Distributes traffic and handles + failover identically to ``802.3ad``, but operates without + the :abbr:`LACP (Link Aggregation Control Protocol)`. .. cfgcmd:: set interfaces bonding <interface> min-links <0-16> - **Configure how many member interfaces must be active (in the link-up state) to - mark the bonding interface UP (carrier asserted).** + **Configure how many member interfaces must be active (in the + link-up state) to mark the bonding interface UP (carrier + asserted).** - This command applies only when the bonding interface is configured in 802.3ad - mode and functions like the Cisco EtherChannel min-links feature. It ensures - that a bonding interface is marked UP (carrier asserted) only when a specified - number of member interfaces are active (in the link-up state). This helps - guarantee a minimum level of bandwidth for higher-level services (such as - clustering) relying on the bonding interface. + This command applies only when the bonding interface is configured + in 802.3ad mode and functions like the Cisco EtherChannel min-links + feature. It ensures that a bonding interface is marked UP (carrier + asserted) only when a specified number of member interfaces are + active (in the link-up state). This helps guarantee a minimum level + of bandwidth for higher-level services (such as clustering) relying + on the bonding interface. - The default value is 0. This marks the bonding interface UP (carrier asserted) - whenever an active LACP aggregator exists, regardless of the number of member - interfaces in that aggregator. + The default value is 0. This marks the bonding interface UP + (carrier asserted) whenever an active LACP aggregator exists, + regardless of the number of member interfaces in that aggregator. - .. note:: In 802.3ad mode, a bond cannot be active without at least one active - member interface. Therefore, setting min-links to 0 or 1 has the same result: - the bonding interface is marked UP (carrier asserted). + .. note:: In 802.3ad mode, a bond cannot be active without at + least one active member interface. Therefore, setting min-links + to 0 or 1 has the same result: the bonding interface is marked + UP (carrier asserted). .. cfgcmd:: set interfaces bonding <interface> lacp-rate <slow|fast> - **Configure the rate at which the bonding interface requests its link - partner to send** :abbr:`LACPDUs (Link Aggregation Control Protocol Data - Units)` **in 802.3ad mode.** + **Configure the rate at which the bonding interface requests its + link partner to send** + :abbr:`LACPDUs (Link Aggregation Control Protocol Data Units)` + **in 802.3ad mode.** - This command applies only when the bonding interface is configured in - 802.3ad mode. + This command applies only when the bonding interface is configured + in 802.3ad mode. The following options are available: - * **slow (default):** Requests the link partner to transmit LACPDUs every 30 seconds. + * **slow (default):** Requests the link partner to transmit + LACPDUs every 30 seconds. - * **fast:** Requests the link partner to transmit LACPDUs every 1 second. + * **fast:** Requests the link partner to transmit LACPDUs every + 1 second. .. cfgcmd:: set interfaces bonding <interface> system-mac <mac address> **Configure a specific MAC address for the bonding interface.** - This sets the 802.3ad system MAC address, which is used for :abbr:`LACPDU (Link - Aggregation Control Protocol Data Unit)` exchanges with the link partner. - You can assign a fixed MAC address or generate a random one for these - :abbr:`LACPDU (Link Aggregation Control Protocol Data Unit)` exchanges. + This sets the 802.3ad system MAC address, which is used for + :abbr:`LACPDU (Link Aggregation Control Protocol Data Unit)` + exchanges with the link partner. You can assign a fixed MAC address + or generate a random one for these + :abbr:`LACPDU (Link Aggregation Control Protocol Data Unit)` + exchanges. .. cfgcmd:: set interfaces bonding <interface> hash-policy <policy> - **Configure which transmit hash policy to use for distributing traffic across - member interfaces.** + **Configure which transmit hash policy to use for distributing + traffic across member interfaces.** The following policies are available: @@ -229,10 +249,12 @@ Bond modes :widths: 20 80 * - **Description:** - - Routes all traffic destined for a specific network peer through the same - member interface. The policy is 802.3ad-compliant. + - Routes all traffic destined for a specific network peer + through the same member interface. The policy is + 802.3ad-compliant. * - **Hash inputs:** - - Source MAC address, destination MAC address, and Ethernet packet type ID. + - Source MAC address, destination MAC address, and Ethernet + packet type ID. * - **Formula:** - .. code-block:: none @@ -245,13 +267,16 @@ Bond modes :widths: 20 80 * - **Description:** - - Similar to ``layer2``, routes all traffic destined for a specific network - peer through the same member interface and is IEEE 802.3ad-compliant. Uses - both Layer 2 and Layer 3 information to provide a more balanced traffic distribution. + - Similar to ``layer2``, routes all traffic destined for a + specific network peer through the same member interface + and is IEEE 802.3ad-compliant. Uses both Layer 2 and + Layer 3 information to provide a more balanced traffic + distribution. * - **Hash inputs:** - - * Source MAC address, destination MAC address, and Ethernet packet type ID. - * Source IP address, destination IP address. IPv6 addresses are first hashed - using ``IPv6_addr_hash``. + - * Source MAC address, destination MAC address, and + Ethernet packet type ID. + * Source IP address, destination IP address. IPv6 + addresses are first hashed using ``IPv6_addr_hash``. * - **Formula:** - .. code-block:: none @@ -269,18 +294,21 @@ Bond modes :widths: 20 80 * - **Description:** - - Routes different connections (flows) destined for a specific network peer - through multiple member interfaces, but ensures each individual flow is - routed through only one member interface. - - .. note:: This policy is not fully 802.3ad-compliant. When a single TCP - or UDP flow contains both fragmented and unfragmented packets, the - algorithm may distribute them across different member interfaces. This - may result in out-of-order packet delivery, violating the 802.3ad standard. + - Routes different connections (flows) destined for a + specific network peer through multiple member interfaces, + but ensures each individual flow is routed through only + one member interface. + + .. note:: This policy is not fully 802.3ad-compliant. + When a single TCP or UDP flow contains both fragmented + and unfragmented packets, the algorithm may distribute + them across different member interfaces. This may + result in out-of-order packet delivery, violating the + 802.3ad standard. * - **Hash inputs:** - * Source port, destination port (if available). - * Source IP address, destination IP address. IPv6 addresses are first hashed - using ``IPv6_addr_hash``. + * Source IP address, destination IP address. IPv6 + addresses are first hashed using ``IPv6_addr_hash``. * - **Formula:** - .. code-block:: none @@ -290,8 +318,9 @@ Bond modes hash = hash XOR (hash RSHIFT 8) member interface number = hash modulo member interface count - For fragmented TCP or UDP packets and all other IPv4 and IPv6 traffic, the - source and destination port information is omitted. + For fragmented TCP or UDP packets and all other IPv4 and + IPv6 traffic, the source and destination port information + is omitted. For non-IP traffic, the formula is the same as for ``layer2``. @@ -299,29 +328,33 @@ Bond modes **Configure the primary member interface in the bond.** - The primary member interface remains active as long as it is operational; - alternative member interfaces are used only if it fails. + The primary member interface remains active as long as it is + operational; alternative member interfaces are used only if it + fails. - Use this configuration when a specific member interface is preferred, - such as one with higher throughput. + Use this configuration when a specific member interface is + preferred, such as one with higher throughput. - This command applies only to ``active-backup``, ``transmit-load-balance``, and - ``adaptive-load-balance`` modes. + This command applies only to ``active-backup``, + ``transmit-load-balance``, and ``adaptive-load-balance`` modes. .. cfgcmd:: set interfaces bonding <interface> arp-monitor interval <time> - **Configure the ARP monitoring interval, in seconds, for the bonding interface.** + **Configure the ARP monitoring interval, in seconds, for the + bonding interface.** - ARP monitoring periodically assesses the health of each member interface by - checking whether it has recently sent or received traffic (this criterion - varies depending on the bonding mode and the member interface’s state). ARP - probes are sent to the IP addresses specified with the arp-monitor target option. + ARP monitoring periodically assesses the health of each member + interface by checking whether it has recently sent or received + traffic (this criterion varies depending on the bonding mode and + the member interface’s state). ARP probes are sent to the IP + addresses specified with the arp-monitor target option. - When ARP monitoring is used with EtherChannel-compatible modes (such as - ``round-robin`` or ``xor-hash``), the switch should be configured to distribute - traffic across all member interfaces. If the switch distributes traffic using - an XOR-based policy, all ARP replies will be received on one member interface, - causing other member interfaces to be incorrectly marked as failed. + When ARP monitoring is used with EtherChannel-compatible modes + (such as ``round-robin`` or ``xor-hash``), the switch should be + configured to distribute traffic across all member interfaces. If + the switch distributes traffic using an XOR-based policy, all ARP + replies will be received on one member interface, causing other + member interfaces to be incorrectly marked as failed. Setting this value to 0 disables ARP monitoring. @@ -331,13 +364,13 @@ Bond modes **Configure the IP addresses for ARP monitoring requests.** - The bonding driver sends ARP requests to these IP addresses to check the - state of member interfaces. + The bonding driver sends ARP requests to these IP addresses to + check the state of member interfaces. - To enable ARP monitoring, configure at least one IP address (up to 16 per - bonding interface). + To enable ARP monitoring, configure at least one IP address (up to + 16 per bonding interface). - By default, no IP addresses are configured. + By default, no IP addresses are configured. :abbr:`VLAN (Virtual Local Area Network)` ========================================= @@ -381,40 +414,46 @@ discriminator, or an Ethernet Segment Identifier Name (ESINAME). The following two commands generate a 10-byte Type-3 ESI by combining the system MAC and local discriminator: +.. stop_vyoslinter + .. cfgcmd:: set interfaces bonding <interface> evpn es-id <1-16777215|10-byte ID> .. cfgcmd:: set interfaces bonding <interface> evpn es-sys-mac <xx:xx:xx:xx:xx:xx> - Alternatively, assign an ESINAME directly as a 10-byte Type-0 ESI using the - following format: 00:AA:BB:CC:DD:EE:FF:GG:HH:II. + Alternatively, assign an ESINAME directly as a 10-byte Type-0 ESI + using the following format: 00:AA:BB:CC:DD:EE:FF:GG:HH:II. **BGP-EVPN route usage** - EVPN-MH uses BGP-EVPN route types 1 and 2 for ES discovery and MAC-IP - synchronization: + EVPN-MH uses BGP-EVPN route types 1 and 2 for ES discovery and + MAC-IP synchronization: - * **Type 1 (EAD-per-ES and EAD-per-EVI)** routes advertise the locally - attached ESs and discover remote ESs in the network. - * **Type 2 (MAC-IP advertisement)** routes are advertised with a + * **Type 1 (EAD-per-ES and EAD-per-EVI)** routes advertise the + locally attached ESs and discover remote ESs in the network. + * **Type 2 (MAC-IP advertisement)** routes are advertised with a destination ESI, enabling MAC-IP synchronization between ES peers. +.. stop_vyoslinter + .. cfgcmd:: set interfaces bonding <interface> evpn es-df-pref <1-65535> - **Configure the** :abbr:`DF (Designated Forwarder)` **preference (1-65535) for - the interface. A higher value indicates a higher preference to become the** - :abbr:`DF (Designated Forwarder)`. **The** :abbr:`DF (Designated Forwarder)` + **Configure the** :abbr:`DF (Designated Forwarder)` **preference (1-65535) for + the interface. A higher value indicates a higher preference to become the** + :abbr:`DF (Designated Forwarder)`. **The** :abbr:`DF (Designated Forwarder)` **preference is configured per-ES.** - The DF election process determines which interface in a specific ES forwards - :abbr:`BUM (Broadcast, Unknown Unicast, and Multicast)` traffic from the EVPN - overlay to the connected CE device. EVPN Type-4 (Ethernet Segment) routes are - used to elect the DF, implementing the preference-based election method defined + The DF election process determines which interface in a specific ES forwards + :abbr:`BUM (Broadcast, Unknown Unicast, and Multicast)` traffic from the EVPN + overlay to the connected CE device. EVPN Type-4 (Ethernet Segment) routes are + used to elect the DF, implementing the preference-based election method defined in RFC 9785. - Interfaces not elected as the DF drop any BUM traffic from the EVPN overlay - using non-DF filters. Similarly, traffic received from ES peers via the EVPN - overlay is blocked from forwarding to the CE device to maintain split-horizon + Interfaces not elected as the DF drop any BUM traffic from the EVPN overlay + using non-DF filters. Similarly, traffic received from ES peers via the EVPN + overlay is blocked from forwarding to the CE device to maintain split-horizon filtering with local bias. - + +.. start_vyoslinter + .. cmdinclude:: /_include/interface-evpn-uplink.txt :var0: bonding :var1: bond0 @@ -442,13 +481,14 @@ subinterface. set interfaces bonding bond0 member interface eth1 set interfaces bonding bond0 member interface eth2 -.. note:: If you are running this configuration in a virtual environment like - EVE-NG, ensure the e1000 driver is chosen for your VyOS NIC. The default - drivers, such as ``virtio-net-pci`` or ``vmxnet3``, are incompatible with - this configuration. Specifically, ICMP messages will not be processed correctly. +.. note:: If you are running this configuration in a virtual environment like + EVE-NG, ensure the e1000 driver is chosen for your VyOS NIC. The default + drivers, such as ``virtio-net-pci`` or ``vmxnet3``, are incompatible with + this configuration. Specifically, ICMP messages will not be processed + correctly. - To check your NIC driver, use the following command: :opcmd:`show interfaces ethernet - eth0 physical | grep -i driver` + To check your NIC driver, use the following command: + :opcmd:`show interfaces ethernet eth0 physical | grep -i driver` Cisco Catalyst configuration ============================ @@ -486,8 +526,8 @@ such as allowed VLAN interfaces and STP, is applied here. Juniper EX Switch configuration =============================== -Configure a Juniper EX Series switch to integrate with a two-member VyOS bonding -interface. +Configure a Juniper EX Series switch to integrate with a two-member VyOS +bonding interface. .. code-block:: none diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index e66b0fb8..f6da17e3 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -33,8 +33,9 @@ Generate keypair Generate a keypair: a public and a private key. - .. note:: This command only outputs the keys to your console. It neither stores - them in the system nor applies them to the system configuration. + .. note:: This command only outputs the keys to your console. It + neither stores them in the system nor applies them to the system + configuration. .. code-block:: none @@ -58,9 +59,9 @@ Generate keypair Corresponding public-key to use on peer system is: 'UxDsYT6EnpTIOKUzvMlw2p0sNOKQvFxEdSVrnNrX1Ro=' - .. note:: If you invoke this command from configuration mode with the ``run`` - prefix, the generated private key is automatically assigned to the specified - interface. + .. note:: If you invoke this command from configuration mode with + the ``run`` prefix, the generated private key is automatically + assigned to the specified interface. .. code-block:: none @@ -103,10 +104,12 @@ Optional Pre-shared key: OHH2EwZfMNK+1L6BXbYw3bKCtMrfjpR4mCAEeBlFnRs= +.. stop_vyoslinter + .. opcmd:: generate pki wireguard preshared-key install interface <interface> peer <peer> - Generate a pre-shared key and output the key assignment command for the - specified peer. + Generate a pre-shared key and output the key assignment command for + the specified peer. .. code-block:: none @@ -119,8 +122,11 @@ Optional Pre-shared key: +LuaZ8W6DjsDFJFX3jJzoNqrsXHhvq08JztM9z8LHCs= - .. note:: If you invoke this command from configuration mode with the run - prefix, the generated key is automatically assigned to the specified peer. + .. note:: If you invoke this command from configuration mode with + the run prefix, the generated key is automatically assigned to + the specified peer. + +.. start_vyoslinter *********************** @@ -133,7 +139,8 @@ networks you want to tunnel (``allowed-ips``). If your system only initiates connections, specifying the listen port is optional. If your system accepts incoming connections, you must define a port for peers to connect to. Otherwise, WireGuard selects a random port at each -reboot, and that may break your peers' ability to connect if that port is not enabled in your firewall rules. +reboot, and that may break your peers' ability to connect if that port +is not enabled in your firewall rules. To configure a WireGuard tunnel, you also need your peer's public key. @@ -417,13 +424,13 @@ simplify deployment, generate a per-mobile configuration from the VyOS CLI. The public key from the specified interface is automatically included in the configuration file. - The command also generates a configuration snippet that can be copied into the - VyOS CLI. The ``<name>`` you provide will be used as the peer name in the - snippet. + The command also generates a configuration snippet that can be copied + into the VyOS CLI. The ``<name>`` you provide will be used as the peer + name in the snippet. - You must also specify the IP address or FQDN of the server the client connects - to. The address parameter can be used twice to assign both an IPv4 (/32) and - an IPv6 (/128) address to the client. + You must also specify the IP address or FQDN of the server the client + connects to. The address parameter can be used twice to assign both an + IPv4 (/32) and an IPv6 (/128) address to the client. .. figure:: /_static/images/wireguard_qrcode.* :alt: WireGuard Client QR code diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst index 019f1e64..f3f388ba 100644 --- a/docs/configuration/protocols/pim.rst +++ b/docs/configuration/protocols/pim.rst @@ -70,12 +70,17 @@ PIM-SM - PIM Sparse Mode This command is only useful at scale when you can possibly have a large number of PIM control packets flowing. +.. stop_vyoslinter + .. cfgcmd:: set protocols pim register-accept-list <prefix-list> - When PIM receives a register packet the source of the packet will be compared - to the prefix-list specified, and if a permit is received normal processing - continues. If a deny is returned for the source address of the register packet - a register stop message is sent to the source. + When PIM receives a register packet the source of the packet will be + compared to the prefix-list specified, and if a permit is received + normal processing continues. If a deny is returned for the source + address of the register packet a register stop message is sent to + the source. + +.. start_vyoslinter .. cfgcmd:: set protocols pim register-suppress-time <n> @@ -84,9 +89,10 @@ PIM-SM - PIM Sparse Mode .. cfgcmd:: set protocols pim rp <address> group <group> - In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` - for join messages to be sent to. Currently the only methodology to do this is - via static rendezvous point commands. + In order to use PIM, it is necessary to configure a + :abbr:`RP (Rendezvous Point)` for join messages to be sent to. + Currently the only methodology to do this is via static rendezvous + point commands. All routers in the PIM network must agree on these values. @@ -115,14 +121,19 @@ PIM-SM - PIM Sparse Mode nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup if this option is not set (default). +.. stop_vyoslinter + .. cfgcmd:: set protocols pim spt-switchover infinity-and-beyond [prefix-list <list>] - On the last hop router if it is desired to not switch over to the SPT tree - configure this command. + On the last hop router if it is desired to not switch over to the + SPT tree configure this command. - Optional parameter prefix-list can be use to control which groups to switch or - not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover - does not happen for it and if it is DENY, then the SPT switchover happens. + Optional parameter prefix-list can be use to control which groups + to switch or not switch. If a group is PERMIT as per the + prefix-list, then the SPT switchover does not happen for it and if + it is DENY, then the SPT switchover happens. + +.. start_vyoslinter .. cfgcmd:: set protocols pim ssm prefix-list <list> @@ -206,6 +217,8 @@ Interface specific commands not returned in the specified time, it will be assumed the (S,G) or (\*,G) state :rfc:`7761#section-4.1` has timed out. +.. stop_vyoslinter + .. cfgcmd:: set protocols pim interface <interface> igmp version <version-number> Use this command to define in the selected interface whether you @@ -213,6 +226,8 @@ Interface specific commands The default value is 3. +.. start_vyoslinter + Example ------- diff --git a/docs/configuration/service/conntrack-sync.rst b/docs/configuration/service/conntrack-sync.rst index 62e96e0e..2527407e 100644 --- a/docs/configuration/service/conntrack-sync.rst +++ b/docs/configuration/service/conntrack-sync.rst @@ -56,6 +56,8 @@ Configuration Protocol for which expect entries need to be synchronized. +.. stop_vyoslinter + .. cfgcmd:: set service conntrack-sync failover-mechanism vrrp sync-group <group> Failover mechanism to use for conntrack-sync. @@ -64,7 +66,10 @@ Configuration .. cfgcmd:: set service conntrack-sync ignore-address <x.x.x.x> - IP addresses or networks for which local conntrack entries will not be synced + IP addresses or networks for which local conntrack entries will not + be synced + +.. start_vyoslinter .. cfgcmd:: set service conntrack-sync interface <name> @@ -147,8 +152,9 @@ Operation .. note:: If the table is empty and you have a warning message, it means - conntrack is not enabled. To enable conntrack, just create a NAT or a firewall - rule. :cfgcmd:`set firewall state-policy established action accept` + conntrack is not enabled. To enable conntrack, just create a NAT + or a firewall rule. + :cfgcmd:`set firewall state-policy established action accept` .. opcmd:: show conntrack-sync cache external diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index dc796fe8..30398a25 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -64,9 +64,10 @@ To create NBMA GRE tunnel you might use the following: * Please refer to the :ref:`tunnel-interface` documentation for the individual tunnel related options. - .. note:: The IP-address is assigned as host prefix to tunnel interface. - NHRP will automatically create additional host routes pointing to tunnel interface - when a connection with these hosts is established. + .. note:: The IP-address is assigned as host prefix to tunnel + interface. NHRP will automatically create additional host routes + pointing to tunnel interface when a connection with these hosts is + established. The tunnel interface subnet prefix should be announced by routing protocol from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing @@ -112,46 +113,57 @@ NHRP protocol configuration * **network-id** - NHRP network id <1-4294967295> - Enable NHRP on this interface and set the interface’s network ID. The network ID - is used to allow creating multiple nhrp domains on a router when multiple interfaces - are configured on the router. Interfaces configured with the same ID are part of the - same logical NBMA network. The ID is a local only parameter and is not sent to other - NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are - received on an interface they are assigned to the local NHRP domain for that interface. + Enable NHRP on this interface and set the interface’s network ID. + The network ID is used to allow creating multiple nhrp domains on a + router when multiple interfaces are configured on the router. + Interfaces configured with the same ID are part of the same logical + NBMA network. The ID is a local only parameter and is not sent to + other NHRP nodes and so IDs on different nodes do not need to match. + When NHRP packets are received on an interface they are assigned to + the local NHRP domain for that interface. + +.. stop_vyoslinter .. cfgcmd:: set protocols nhrp tunnel <tunnel> nhs tunnel-ip <tunnel-ip> nbma <nbma-ip> * **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic** * **nbma-ip** - NBMA ip address in format **x.x.x.x** - Configure the Next Hop Server address and its NBMA address. If dynamic is specified - then Next Hop Server can have dynamic address which maps to its NBMA address. + Configure the Next Hop Server address and its NBMA address. If + dynamic is specified then Next Hop Server can have dynamic address + which maps to its NBMA address. + +.. start_vyoslinter .. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect - This enable redirect replies on the NHS similar to ICMP redirects except this is - managed by the nhrp protocol. This setting allows spokes to communicate with each - others directly. + This enable redirect replies on the NHS similar to ICMP redirects + except this is managed by the nhrp protocol. This setting allows + spokes to communicate with each others directly. .. cfgcmd:: set protocols nhrp tunnel <tunnel> registration-no-unique - Allow the client to not set the unique flag in the NHRP packets. This is useful when - a station has a dynamic IP address that could change over time. + Allow the client to not set the unique flag in the NHRP packets. + This is useful when a station has a dynamic IP address that could + change over time. .. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut - Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly - after establishing a connection without going through the hub. + Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to + each others directly after establishing a connection without going + through the hub. IPSEC configuration ============================== -* Please refer to the :ref:`ipsec_general` documentation for the individual IPSec - related options. +* Please refer to the :ref:`ipsec_general` documentation for the + individual IPSec related options. -.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' - parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action' - always is set to 'clear'. +.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's + why 'close-action' parameter in IKE configuration always is set to + 'close' and 'dead-peer-detection action' always is set to 'clear'. + +.. stop_vyoslinter .. cfgcmd:: set vpn ipsec profile <profile-name> authentication mode pre-shared-secret @@ -161,6 +173,8 @@ IPSEC configuration Set preshared secret +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec profile <profile-name> bind tunnel <tunnel name> Bind IPSEC profile to the specific tunnel interface. diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst index a9a1eb0f..3d21b81d 100644 --- a/docs/configuration/vpn/ipsec/ipsec_general.rst +++ b/docs/configuration/vpn/ipsec/ipsec_general.rst @@ -143,8 +143,9 @@ You can view the PPK column for information on if PPK is configured, and if it is in use. The output is in the format of ``<configured> / <in use>``. The options for configured are none if not conifugred, opt if configured but optional, and req is configured and required. The in use will show yes -Possible values of the ``configured`` field are ``none`` if not conifgured, ``opt`` if configured -but optional, and ``req`` is configured and required. The in use will show yes +Possible values of the ``configured`` field are ``none`` if not +conifgured, ``opt`` if configured but optional, and ``req`` is +configured and required. The in use will show yes @@ -200,6 +201,8 @@ VyOS IKE group has the next options: * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number> Dh-group. Default value is **2**. @@ -208,6 +211,8 @@ VyOS IKE group has the next options: Encryption algorithm. Default value is **aes128**. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash> Hash algorithm. Default value is **sha1**. @@ -232,10 +237,14 @@ DPD (Dead Peer Detection) Configuration * **restart** - Immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval> Keep-alive interval in seconds <2-86400> (default 30). +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout> Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** @@ -292,10 +301,14 @@ VyOS ESP group has the next options: * **disable** - Disable PFS. * **<dh-group>** - Defines a Diffie-Hellman group for PFS. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption> Encryption algorithm. Default value is **aes128**. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash> Hash algorithm. Default value is **sha1**. @@ -351,7 +364,8 @@ Options IKEv2 Retransmission ==================== -If the peer does not respond on DPD packet, the router starts retransmission procedure. +If the peer does not respond on DPD packet, the router starts the +retransmission procedure. The following formula is used to calculate the timeout: diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst index 628b8e9d..9f8231e7 100644 --- a/docs/configuration/vpn/ipsec/site2site_ipsec.rst +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst @@ -78,7 +78,8 @@ Tunnel information: * If Route based VPN is used * IP of the VTI interface is 10.0.0.1/30 -.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. +.. note:: We do not recommend using policy-based vpn and route-based + vpn configurations to the same peer. **1. Configure ike-group (IKE Phase 1)** @@ -108,7 +109,8 @@ Tunnel information: set vpn ipsec interface eth0 -**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** +**4. Configure PSK keys and authentication ids for this key if +authentication type is PSK** .. code-block:: none @@ -146,14 +148,16 @@ To set base64 secret encode plaintext password to base64 and set secret-type **6. Depends to vpn type (route-based vpn or policy-based vpn).** - **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** + **6.1 For Policy-based VPN configure SAs using tunnel command + specifying remote and local networks.** .. code-block:: none set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' - **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** + **6.2 For Route-based VPN create VTI interface, set IP address to + this interface and bind this interface to the vpn peer.** .. code-block:: none @@ -243,6 +247,8 @@ Peer Authentication Commands address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key> Name of PKI key-pair with local private key. @@ -270,6 +276,8 @@ Peer Authentication Commands Name of certificate in PKI configuration, which will be used for authenticating local router on remote peer. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase> Private key passphrase, if needed. @@ -370,6 +378,8 @@ Policy-Based CHILD SAs Configuration Commands Every configured tunnel under peer configuration is a new CHILD SA. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable Disable this tunnel. @@ -406,6 +416,8 @@ Every configured tunnel under peer configuration is a new CHILD SA. Remote port number. Have effect only when used together with ``prefix``. +.. start_vyoslinter + Route-Based CHILD SAs Configuration Commands """"""""""""""""""""""""""""""""""""""""""""" @@ -435,6 +447,8 @@ for each remote network. Traffic-selectors parameters for traffic that should pass via vti interface. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network> Local prefix for interesting traffic. @@ -443,6 +457,8 @@ interface. Remote prefix for interesting traffic. +.. start_vyoslinter + IPsec Op-mode Commands ====================== diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index d8b81bac..5965f857 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -20,8 +20,8 @@ then enslaved to a VRF device. .. cfgcmd:: set vrf name <name> table <id> - Create a new VRF instance with `<name>` and `<id>`. The name is used when placing - individual interfaces into the VRF. + Create a new VRF instance with `<name>` and `<id>`. The name is + used when placing individual interfaces into the VRF. .. note:: A routing table ID can not be modified once it is assigned. It can only be changed by deleting and re-adding the VRF instance. @@ -66,9 +66,10 @@ can be used to filter which routes zebra will install in the kernel. Nexthop Tracking ---------------- -Nexthop tracking resolve nexthops via the default route by default. This is enabled -by default for a traditional profile of FRR which we use. It and can be disabled if -you do not want to e.g. allow BGP to peer across the default route. +Nexthop tracking resolve nexthops via the default route by default. +This is enabled by default for a traditional profile of FRR which we +use. It and can be disabled if you do not want to e.g. allow BGP to +peer across the default route. .. cfgcmd:: set vrf name <name> ip nht no-resolve-via-default @@ -230,8 +231,8 @@ For VRF maintenance the following operational commands are in place. the round-trip time of these packets is used in calculating the minimum/ average/maximum round-trip time numbers. - .. note:: Ping command can be interrupted at any given time using ``<Ctrl>+c``. - A brief statistic is shown afterwards. + .. note:: Ping command can be interrupted at any given time using + ``<Ctrl>+c``. A brief statistic is shown afterwards. .. code-block:: none @@ -535,9 +536,9 @@ address-family. .. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls forwarding - It is possible to permit BGP install VPN prefixes without transport labels. - This configuration will install VPN prefixes originated from an e-bgp session, - and with the next-hop directly connected. + It is possible to permit BGP install VPN prefixes without transport + labels. This configuration will install VPN prefixes originated + from an e-bgp session, and with the next-hop directly connected. .. _l3vpn-vrf example operation: |
