From 0130485ced95e2d79ae27b77d8a5591469cfec46 Mon Sep 17 00:00:00 2001 From: Matthew Kobayashi Date: Thu, 18 Apr 2024 16:47:57 +1000 Subject: ethernet: Add details about LRO/GRO --- docs/configuration/interfaces/ethernet.rst | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'docs/configuration/interfaces') diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index bbf52112..a1151fd4 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -61,6 +61,22 @@ Offloading Enable different types of hardware offloading on the given NIC. + :abbr:`LRO (Large Receive Offload)` is a technique designed to boost the + efficiency of how your computer's network interface card (NIC) processes + incoming network traffic. Typically, network data arrives in smaller chunks + called packets. Processing each packet individually consumes CPU (central + processing unit) resources. Lots of small packets can lead to a performance + bottleneck. Instead of handing the CPU each packet as it comes in, LRO + instructs the NIC to combine multiple incoming packets into a single, larger + packet. This larger packet is then passed to the CPU for processing. + + .. note:: Under some circumstances, LRO is known to modify the packet headers + of forwarded traffic, which breaks the end-to-end principle of computer + networking. LRO is also only able to offload TCP segments encapsulated in + IPv4 packets. Due to these limitations, it is recommended to use GRO + (Generic Receive Offload) where possible. More information on the + limitations of LRO can be found here: https://lwn.net/Articles/358910/ + :abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data 
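Review bot: the new LRO paragraph in the ethernet.rst hunk (@@ -61,6 +61,22) never describes GRO, even though the commit subject is "Add details about LRO/GRO" and the note tells readers to prefer it; add a sentence on what GRO does and why it avoids the header-modification problem the note attributes to LRO, plus the command that enables it, so the recommendation is actionable. Because this page documents a router, the note's two caveats (LRO alters headers of forwarded traffic, and only aggregates TCP carried in IPv4) describe the normal case rather than an edge case, and a plain recommendation to leave LRO disabled on interfaces that forward traffic follows directly from them; stating it once would be clearer than leaving it implied. The phrase "your computer's network interface card" reads as desktop copy next to the rest of the section; "the NIC" would do. Finally, the GSO paragraph that follows still says "the offloads described above", which after this insertion also covers LRO; check that this is the intended reading.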
@@ -87,13 +103,13 @@ Offloading placing the packet on the desired CPU's backlog queue and waking up the CPU for processing. RPS has some advantages over RSS: - - it can be used with any NIC, - - software filters can easily be added to hash over new protocols, - - it does not increase hardware device interrupt rate (although it does - introduce inter-processor interrupts (IPIs)). + - it can be used with any NIC + - software filters can easily be added to hash over new protocols + - it does not increase hardware device interrupt rate, although it does + introduce inter-processor interrupts (IPIs) - .. note:: In order to use TSO/LRO with VMXNET3 adaters one must also enable - the SG offloading option. + .. note:: In order to use TSO/LRO with VMXNET3 adapters, the SG offloading + option must also be enabled. Authentication (EAPoL) ---------------------- -- cgit v1.2.3 From 0ac48851041f43656e08988b2d33fe8eb93da28f Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 11 May 2024 14:34:49 +0200 Subject: evpn: T6306: add multihoming documentation --- docs/_include/interface-evpn-uplink.txt | 11 +++++++ docs/configuration/interfaces/bonding.rst | 49 +++++++++++++++++++++++++++++- docs/configuration/interfaces/ethernet.rst | 9 +++++- 3 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 docs/_include/interface-evpn-uplink.txt (limited to 'docs/configuration/interfaces') diff --git a/docs/_include/interface-evpn-uplink.txt b/docs/_include/interface-evpn-uplink.txt new file mode 100644 index 00000000..3495361d --- /dev/null +++ b/docs/_include/interface-evpn-uplink.txt @@ -0,0 +1,11 @@ +.. cfgcmd:: set interfaces {{ var0 }} evpn uplink + + When all the underlay links go down the PE no longer has access + to the VxLAN +overlay. To prevent blackholing of traffic the + server/ES links are protodowned on the PE. + + A link can be setup for uplink tracking via the following example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} evpn uplink 
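Review bot: style point on the RPS list in the @@ -87,13 +103,13 hunk: dropping the trailing commas and the final period leaves the three items as fragments of the lead-in sentence "RPS has some advantages over RSS:" with no terminal punctuation, which is fine only if the other lists on this page use the same bare-item convention; check the earlier lists and apply one style. The "adaters" to "adapters" fix and the rewording of the VMXNET3 note are good; since the new LRO note earlier in the same patch recommends GRO over LRO, consider adding to the VMXNET3 note that enabling LRO there carries the same caveats.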
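Review bot: in the new docs/_include/interface-evpn-uplink.txt hunk the cfgcmd directive reads "set interfaces {{ var0 }} evpn uplink" while the example below it reads "set interfaces {{ var0 }} {{ var1 }} evpn uplink"; the directive is missing the interface-name placeholder and should match the example. The prose also never states which interface the command is meant for: the explanation ("when all the underlay links go down ... the server/ES links are protodowned") implies it is applied to the underlay-facing (core) link rather than to the ES bond, and that should be said explicitly, together with a one-line gloss of "protodowned" (the link is brought down by the protocol rather than by a physical fault, so the server stops sending to this PE). Minor: "setup" should be "set up".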
diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 3c8ebd0d..dfc5fab9 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst 
@@ -286,6 +286,54 @@ Port Mirror (SPAN) :var1: bond1 :var2: eth3 +EVPN Multihoming +---------------- + +All-Active Multihoming is used for redundancy and load sharing. Servers are +attached to two or more PEs and the links are bonded (link-aggregation). +This group of server links is referred to as an :abbr:`ES (Ethernet Segment)`. + +An Ethernet Segment can be configured by specifying a system-MAC and a local +discriminator or a complete ESINAME against the bond interface on the PE. + +.. cfgcmd:: set interfaces bonding evpn es-id <<1-16777215|10-byte ID> +.. cfgcmd:: set interfaces bonding evpn es-sys-mac + + The sys-mac and local discriminator are used for generating a 10-byte, Type-3 + Ethernet Segment ID. ESINAME is a 10-byte, Type-0 Ethernet Segment ID - + "00:AA:BB:CC:DD:EE:FF:GG:HH:II". + + Type-1 (EAD-per-ES and EAD-per-EVI) routes are used to advertise the locally + attached ESs and to learn off remote ESs in the network. Local Type-2/MAC-IP + routes are also advertised with a destination ESI allowing for MAC-IP syncing + between Ethernet Segment peers. Reference: RFC 7432, RFC 8365 + + EVPN-MH is intended as a replacement for MLAG or Anycast VTEPs. In multihoming + each PE has an unique VTEP address which requires the introduction of a new + dataplane construct, MAC-ECMP. Here a MAC/FDB entry can point to a list of + remote PEs/VTEPs. + +.. cfgcmd:: set interfaces bonding evpn es-df-pref <1-65535> + + Type-4 (ESR) routes are used for Designated Forwarder (DF) election. + DFs forward BUM traffic received via the overlay network. This + implementation uses a preference based DF election specified by + draft-ietf-bess-evpn-pref-df. + + The DF preference is configurable per-ES. + + BUM traffic is rxed via the overlay by all PEs attached to a server but + only the DF can forward the de-capsulated traffic to the access port. + To accommodate that non-DF filters are installed in the dataplane to drop + the traffic. 
+ + Similarly traffic received from ES peers via the overlay cannot be forwarded + to the server. This is split-horizon-filtering with local bias. + +.. cmdinclude:: /_include/interface-evpn-uplink.txt + :var0: bonding + :var1: bond0 + ******* Example ******* @@ -590,4 +638,3 @@ Operation Partner Churn State: churned Actor Churned Count: 1 Partner Churned Count: 1 - diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index a1151fd4..dd524035 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -118,6 +118,14 @@ Authentication (EAPoL) :var0: ethernet :var1: eth0 +EVPN Multihoming +---------------- + +Uplink/Core tracking. + +.. cmdinclude:: /_include/interface-evpn-uplink.txt + :var0: ethernet + :var1: eth0 VLAN ==== @@ -289,4 +297,3 @@ Operation Date code : 0506xx .. stop_vyoslinter - -- cgit v1.2.3 From d67ef4144f73f007fe86101344ab6f367f0ef0ca Mon Sep 17 00:00:00 2001 From: fett0 Date: Sat, 11 May 2024 14:38:08 -0300 Subject: Bond: T6303: add system mac documentation --- docs/configuration/interfaces/bonding.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'docs/configuration/interfaces') diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index 3c8ebd0d..a22d3ccb 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -156,6 +156,11 @@ Bond options The default value is slow. +.. cfgcmd:: set interfaces bonding system-mac + + This option allow to specifies the 802.3ad system MAC address.You can set a + random mac-address that can be used for these LACPDU exchanges. + .. cfgcmd:: set interfaces bonding hash-policy * **layer2** - Uses XOR of hardware MAC addresses and packet type ID field -- cgit v1.2.3 From 6a056849d77c9184ba3004251e22946e6bfa3601 Mon Sep 17 00:00:00 2001 
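Review bot: two syntax slips in the cfgcmd lines of the bonding.rst @@ -286,6 +286,54 hunk: "es-id <<1-16777215|10-byte ID>" has a doubled "<", and "set interfaces bonding evpn es-sys-mac" gives no value placeholder even though the text says a sys-MAC is needed to derive the Type-3 ESI; both should show the full form (for example `es-sys-mac <xx:xx:xx:xx:xx:xx>`). The ESINAME example "00:AA:BB:CC:DD:EE:FF:GG:HH:II" contains non-hex octets (GG, HH, II), so it cannot be typed as given; either use a hex value or label it as a pattern. Wording: "has an unique" should be "has a unique", "rxed" should be "received", and "To accommodate that non-DF filters are installed in the dataplane" is ambiguous (it reads as "non-DF filters"); "filters are installed on the non-DF PEs to drop that traffic" is clearer. Since the section explains that BUM traffic is dropped on non-DF PEs and that split-horizon filtering applies to traffic from ES peers, a short configuration example showing es-id, es-sys-mac and es-df-pref on the bond would let readers check they have set all three on each PE of the segment.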
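Review bot: the new "EVPN Multihoming" section in the ethernet.rst @@ -118,6 +118,14 hunk consists of the fragment "Uplink/Core tracking." followed by the include; a reader landing here has no context for what an uplink is being tracked for or why. One sentence pointing to the EVPN Multihoming section of the bonding page for the Ethernet Segment configuration, and stating that on an ethernet interface only the uplink-tracking option applies, would make the section self-contained.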
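Review bot: the description under the new "set interfaces bonding system-mac" cfgcmd in the @@ -156,6 +156,11 hunk has grammar and spacing problems ("This option allow to specifies ... address.You can set") and, like the directive itself, omits the value format; suggest "This option specifies the 802.3ad (LACP) system MAC address used in LACPDU exchanges." and "set interfaces bonding system-mac <xx:xx:xx:xx:xx:xx>". "You can set a random mac-address" also needs to say what the value is matched against: if this option is meant to pair with the "evpn es-sys-mac" setting added in the EVPN multihoming commit above, state whether the two values have to agree, because otherwise the reader cannot tell whether a random value is acceptable in that deployment.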
From: srividya0208 Date: Mon, 20 May 2024 04:05:58 -0400 Subject: OpenVPN: Added information about mfa settings --- docs/configuration/interfaces/openvpn.rst | 82 +++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) (limited to 'docs/configuration/interfaces') diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 8cf579de..f51dfa94 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst 
@@ -652,6 +652,88 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement. +*************************** +Multi-factor Authentication +*************************** + +VyOS supports multi-factor authentication (MFA) or two-factor authentication +using Time-based One-Time Password (TOTP). Compatible with Google Authenticator +software token, other software tokens. + +MFA TOTP options +================ + +.. cfgcmd:: set interfaces openvpn server mfa totp challenge + + If set to enable, openvpn-otp will expect password as result of challenge/ + response protocol. + +.. cfgcmd:: set interfaces openvpn server mfa totp digits <1-65535> + + Configure number of digits to use for totp hash (default: 6) + +.. cfgcmd:: set interfaces openvpn server mfa totp drift <1-65535> + + Configure time drift in seconds (default: 0) + +.. cfgcmd:: set interfaces openvpn server mfa totp slop <1-65535> + + Configure maximum allowed clock slop in seconds (default: 180) + +.. cfgcmd:: set interfaces openvpn server mfa totp step <1-65535> + + Configure step value for totp in seconds (default: 30) + +Example +======= + +.. code-block:: none + + set interfaces openvpn vtun20 encryption cipher 'aes256' + set interfaces openvpn vtun20 hash 'sha512' + set interfaces openvpn vtun20 mode 'server' + set interfaces openvpn vtun20 persistent-tunnel + set interfaces openvpn vtun20 server client user1 + set interfaces openvpn vtun20 server mfa totp challenge 'disable' + set interfaces openvpn vtun20 server subnet '10.10.2.0/24' + set interfaces openvpn vtun20 server topology 'subnet' + set interfaces openvpn vtun20 tls ca-certificate 'openvpn_vtun20' + set interfaces openvpn vtun20 tls certificate 'openvpn_vtun20' + set interfaces openvpn vtun20 tls dh-params 'dh-pem' + +For every client in the openvpn server configuration a totp secret is created. 
+To display the authentication information, use the command: + +.. cfgcmd:: show interfaces openvpn user mfa + +An example: + +.. code-block:: none + + vyos@vyos:~$ sh interfaces openvpn vtun20 user user1 mfa qrcode + █████████████████████████████████████ + █████████████████████████████████████ + ████ ▄▄▄▄▄ █▀▄▀ ▀▀▄▀ ▀▀▄ █ ▄▄▄▄▄ ████ + ████ █ █ █▀▀▄ █▀▀▀█▀██ █ █ █ ████ + ████ █▄▄▄█ █▀█ ▄ █▀▀ █▄▄▄█ █▄▄▄█ ████ + ████▄▄▄▄▄▄▄█▄█ █ █ ▀ █▄▀▄█▄▄▄▄▄▄▄████ + ████▄▄ ▄ █▄▄ ▄▀▄█▄ ▄▀▄█ ▄▄▀ ▀▄█ ▀████ + ████ ▀██▄▄▄█▄ ██ █▄▄▄▄ █▄▀█ █ █▀█████ + ████ ▄█▀▀▄▄ ▄█▀ ▀▄ ▄▄▀▄█▀▀▀ ▄▄▀████ + ████▄█ ▀▄▄▄▀ ▀ ▄█ ▄ █▄█▀ █▀ █▀█████ + ████▀█▀ ▀ ▄█▀▄▀▀█▄██▄█▀▀ ▀ ▀ ▄█▀████ + ████ ██▄▄▀▄▄█ ██ ▀█ ▄█ ▀▄█ █▀██▀████ + ████▄███▄█▄█ ▀█▄ ██▄▄▄█▀ ▄▄▄ █ ▀ ████ + ████ ▄▄▄▄▄ █▄█▀▄ ▀▄ ▀█▀ █▄█ ██▀█████ + ████ █ █ █ ▄█▀█▀▀▄ ▄▀▀▄▄▄▄▄▄ ████ + ████ █▄▄▄█ █ ▄ ▀ █▄▄▄██▄▀█▄▀▄█▄ █████ + ████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄█▄█▄█▄██▄██████ + █████████████████████████████████████ + █████████████████████████████████████ + +Use the QR code to add the user account in Google authenticator application and +on client side, use the OTP number as password. + ********************************** OpenVPN Data Channel Offload (DCO) -- cgit v1.2.3
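Review bot: several of the cfgcmd value ranges in the openvpn.rst @@ -652,6 +652,88 hunk look copied rather than checked: "mfa totp digits <1-65535>" is a count of OTP digits (default 6), so a 1-65535 range cannot be right, and the "drift" and "slop" entries are both described only as "seconds" without saying how the two differ or how they interact with "step"; a sentence on each (what drift compensates for, what slop bounds) would let an operator choose values deliberately, since widening either one enlarges the window during which a captured code remains valid. "show interfaces openvpn user mfa" is an operational command and should use the opcmd directive, and its form does not match the example output, which runs "sh interfaces openvpn vtun20 user user1 mfa qrcode" (interface name, user name and the "qrcode" keyword are all missing from the directive). The QR code encodes the per-user TOTP secret that the text says is created for every client, so the closing paragraph should note that it is to be shown to the user once over a trusted channel and not left in terminal scrollback or screenshots. Prose fixes: "Compatible with Google Authenticator software token, other software tokens." is a fragment ("It is compatible with Google Authenticator and other software tokens."), "Google authenticator" is inconsistently capitalised, and the challenge description should say what the client does in each mode (with challenge enabled the OTP is supplied through the challenge/response prompt; with it disabled, as in the example, the OTP is entered as the password).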