Ethernet

This will be the most widely used interface on a router carrying traffic to the real world.

Configuration

Common interface configuration

set interfaces ethernet <interface> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces ethernet eth0 address 192.0.2.1/24
set interfaces ethernet eth0 address 2001:db8::1/64
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 address dhcpv6
set interfaces ethernet <interface> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces ethernet eth0 description 'This is an awesome interface running on VyOS'
set interfaces ethernet <interface> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces ethernet eth0 disable
set interfaces ethernet <interface> disable-flow-control

Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.

The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.

A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up.

Use this command to disable the generation of Ethernet flow control (pause frames).

Example:

set interfaces ethernet eth0 disable-flow-control
set interfaces ethernet <interface> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

Default is to detects physical link state changes.

Example:

set interfaces ethernet eth0 disable-link-detect
set interfaces ethernet <interface> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces ethernet eth0 mac '00:01:02:03:04:05'
set interfaces ethernet <interface> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.

Example:

set interfaces ethernet eth0 mtu 1600
set interfaces ethernet <interface> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry’s validity will be extended if it receives positive feedback from higher level protocols.

This defaults to 30 seconds.

Example:

set interfaces ethernet eth0 ip arp-cache-timeout 180
set interfaces ethernet <interface> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).

In other words it allows control of which cards (usually 1) will respond to an arp request.

Example:

set interfaces ethernet eth0 ip disable-arp-filter
set interfaces ethernet <interface> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces ethernet eth0 ip disable-forwarding
set interfaces ethernet <interface> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces ethernet eth0 ip enable-directed-broadcast
set interfaces ethernet <interface> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create new entries in the ARP table.

Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.

If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off.

set interfaces ethernet eth0 ip enable-arp-accept
set interfaces ethernet <interface> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces ethernet eth0 ip enable-arp-announce
set interfaces ethernet <interface> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces ethernet eth0 ip enable-arp-ignore
set interfaces ethernet <interface> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces ethernet eth0 ip enable-proxy-arp
set interfaces ethernet <interface> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces ethernet <interface> ip source-validation <strict | loose | disable>

Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation

set interfaces ethernet <interface> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet <interface> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.

Example:

set interfaces ethernet eth0 ipv6 address eui64 2001:db8:beef::/64
set interfaces ethernet <interface> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces ethernet eth0 ipv6 address no-default-link-local
set interfaces ethernet <interface> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces ethernet eth0 ipv6 disable-forwarding
set interfaces ethernet <interface> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces ethernet eth0 ipv6 accept-dad 2
set interfaces ethernet <interface> ipv6 dup-addr-detect-transmits <n>

The amount of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 5
set interfaces ethernet <interface> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF, please check this for additional information.

Example:

set interfaces ethernet eth0 vrf red

DHCP(v6)

set interfaces ethernet <interface> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces ethernet eth0 dhcp-options client-id 'foo-bar'
set interfaces ethernet <interface> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.

Example:

set interfaces ethernet eth0 dhcp-options host-name 'VyOS'
set interfaces ethernet <interface> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces ethernet eth0 dhcp-options vendor-class-id 'VyOS'
set interfaces ethernet <interface> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces ethernet eth0 dhcp-options no-default-route
set interfaces ethernet <interface> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces ethernet eth0 dhcp-options default-route-distance 220
set interfaces ethernet <interface> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces ethernet eth0 dhcp-options reject 192.168.100.0/24
set interfaces ethernet <interface> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces ethernet eth0 dhcp-options user-class VyOS
set interfaces ethernet <interface> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces ethernet eth0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
set interfaces ethernet <interface> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces ethernet eth0 dhcpv6-options no-release
set interfaces ethernet <interface> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 dhcpv6-options parameters-only
set interfaces ethernet <interface> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces ethernet eth0 dhcpv6-options rapid-commit
set interfaces ethernet <interface> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces ethernet eth0 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces ethernet <interface> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value corresponds to 64.

To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 dhcpv6-options pd 0 length 56
set interfaces ethernet <interface> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 address 65534
set interfaces ethernet <interface> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 sla-id 1

Ethernet options

set interfaces ethernet <interface> duplex <auto | full | half>

Configure physical interface duplex setting.

  • auto - interface duplex setting is auto-negotiated

  • full - always use full-duplex

  • half - always use half-duplex

VyOS default will be auto.

set interfaces ethernet <interface> speed <auto | 10 | 100 | 1000 | 2500 | 5000 | 10000 | 25000 | 40000 | 50000 | 100000>

Configure physical interface speed setting.

  • auto - interface speed is auto-negotiated

  • 10 - 10 MBit/s

  • 100 - 100 MBit/s

  • 1000 - 1 GBit/s

  • 2500 - 2.5 GBit/s

  • 5000 - 5 GBit/s

  • 10000 - 10 GBit/s

  • 25000 - 25 GBit/s

  • 40000 - 40 GBit/s

  • 50000 - 50 GBit/s

  • 100000 - 100 GBit/s

VyOS default will be auto.

Offloading

set interfaces ethernet <interface> offload <gro | gso | lro | rps | sg | tso>

Enable different types of hardware offloading on the given NIC.

GSO is a pure software offload that is meant to deal with cases where device drivers cannot perform the offloads described above. What occurs in GSO is that a given skbuff will have its data broken out over multiple skbuffs that have been resized to match the MSS provided via skb_shinfo()->gso_size.

Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted.

GRO is the complement to GSO. Ideally any frame assembled by GRO should be segmented to create an identical sequence of frames using GSO, and any sequence of frames segmented by GSO should be able to be reassembled back to the original by GRO. The only exception to this is IPv4 ID in the case that the DF bit is set for a given IP header. If the value of the IPv4 ID is not sequentially incrementing it will be altered so that it is when a frame assembled via GRO is segmented via GSO.

RPS is logically a software implementation of RSS. Being in software, it is necessarily called later in the datapath. Whereas RSS selects the queue and hence CPU that will run the hardware interrupt handler, RPS selects the CPU to perform protocol processing above the interrupt handler. This is accomplished by placing the packet on the desired CPU’s backlog queue and waking up the CPU for processing. RPS has some advantages over RSS:

  • it can be used with any NIC,

  • software filters can easily be added to hash over new protocols,

  • it does not increase hardware device interrupt rate (although it does introduce inter-processor interrupts (IPIs)).

Note

In order to use TSO/LRO with VMXNET3 adaters one must also enable the SG offloading option.

Authentication (EAPoL)

EAP over LAN (EAPoL) is a network port authentication protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic network sign-on to access network resources.

EAPoL comes with an identify option. We automatically use the interface MAC address as identity parameter.

set interfaces ethernet <interface> eapol ca-certificate <name>

Set the name of the SSL CA PKI entry used for authentication of the remote side. If an intermediate CA certificate is specified, then all parent CA certificates that exist in the PKI, such as the root CA or additional intermediate CAs, will automatically be used during certificate validation to ensure that the full chain of trust is available.

Example:

set pki ca eapol-server-intermediate-ca <Server intermediate CA contents>
set pki ca eapol-server-root-ca <Server root CA contents>
set interfaces ethernet eth0 eapol ca-certificate eapol-server-intermediate-ca
set interfaces ethernet <interface> eapol certificate <name>

Set the name of the x509 client keypair used to authenticate against the 802.1x system. All parent CA certificates of the client certificate, such as intermediate and root CAs, will be sent as part of the EAP-TLS handshake.

Example:

set pki ca eapol-client-intermediate-ca <Client intermediate CA contents>
set pki ca eapol-client-root-ca <Client root CA contents>
set pki certificate eapol-client certificate <Client certificate contents>
set pki certificate eapol-client private key <Client private key contents>
set interfaces ethernet eth0 eapol certificate eapol-client

VLAN

Regular VLANs (802.1q)

IEEE 802.1q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames. The standard also contains provisions for a quality-of-service prioritization scheme commonly known as IEEE 802.1p and defines the Generic Attribute Registration Protocol.

Portions of the network which are VLAN-aware (i.e., IEEE 802.1q conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN.

The standard was developed by IEEE 802.1, a working group of the IEEE 802 standards committee, and continues to be actively revised. One of the notable revisions is 802.1Q-2014 which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard.

802.1q VLAN interfaces are represented as virtual sub-interfaces in VyOS. The term used for this is vif.

set interfaces ethernet <interface> vif <vlan-id>

Create a new VLAN interface on interface <interface> using the VLAN number provided via <vlan-id>.

You can create multiple VLAN interfaces on a physical interface. The VLAN ID range is from 0 to 4094.

Note

Only 802.1Q-tagged packets are accepted on Ethernet vifs.

set interfaces ethernet <interface> vif <vlan-id> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces ethernet eth0 vif 10 address 192.0.2.1/24
set interfaces ethernet eth0 vif 10 address 2001:db8::1/64
set interfaces ethernet eth0 vif 10 address dhcp
set interfaces ethernet eth0 vif 10 address dhcpv6
set interfaces ethernet <interface> vif <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces ethernet eth0 vif 10 description 'This is an awesome interface running on VyOS'
set interfaces ethernet <interface> vif <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces ethernet eth0 vif 10 disable
set interfaces ethernet <interface> vif <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

Default is to detects physical link state changes.

Example:

set interfaces ethernet eth0 vif 10 disable-link-detect
set interfaces ethernet <interface> vif <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces ethernet eth0 vif 10 mac '00:01:02:03:04:05'
set interfaces ethernet <interface> vif <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.

Example:

set interfaces ethernet eth0 vif 10 mtu 1600
set interfaces ethernet <interface> vif <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> vif <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry’s validity will be extended if it receives positive feedback from higher level protocols.

This defaults to 30 seconds.

Example:

set interfaces ethernet eth0 vif 10 ip arp-cache-timeout 180
set interfaces ethernet <interface> vif <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).

In other words it allows control of which cards (usually 1) will respond to an arp request.

Example:

set interfaces ethernet eth0 vif 10 ip disable-arp-filter
set interfaces ethernet <interface> vif <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces ethernet eth0 vif 10 ip disable-forwarding
set interfaces ethernet <interface> vif <vlan-id> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces ethernet eth0 vif 10 ip enable-directed-broadcast
set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create new entries in the ARP table.

Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.

If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off.

set interfaces ethernet eth0 vif 10 ip enable-arp-accept
set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces ethernet eth0 vif 10 ip enable-arp-announce
set interfaces ethernet <interface> vif <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces ethernet eth0 vif 10 ip enable-arp-ignore
set interfaces ethernet <interface> vif <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces ethernet eth0 vif 10 ip enable-proxy-arp
set interfaces ethernet <interface> vif <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces ethernet <interface> vif <vlan-id> ip source-validation <strict | loose | disable>

Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation

set interfaces ethernet <interface> vif <vlan-id> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 vif 10 ipv6 address autoconf
set interfaces ethernet <interface> vif <vlan-id> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.

Example:

set interfaces ethernet eth0 vif 10 ipv6 address eui64 2001:db8:beef::/64
set interfaces ethernet <interface> vif <vlan-id> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces ethernet eth0 vif 10 ipv6 address no-default-link-local
set interfaces ethernet <interface> vif <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces ethernet eth0 vif 10 ipv6 disable-forwarding
set interfaces ethernet <interface> vif <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> vif <vlan-id> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces ethernet eth0 vif 10 ipv6 accept-dad 2
set interfaces ethernet <interface> vif <vlan-id> ipv6 dup-addr-detect-transmits <n>

The amount of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces ethernet eth0 vif 10 ipv6 dup-addr-detect-transmits 5
set interfaces ethernet <interface> vif <vlan-id> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF, please check this for additional information.

Example:

set interfaces ethernet eth0 vif 10 vrf red

DHCP(v6)

set interfaces ethernet <interface> vif <vlan-id> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options client-id 'foo-bar'
set interfaces ethernet <interface> vif <vlan-id> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options host-name 'VyOS'
set interfaces ethernet <interface> vif <vlan-id> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options vendor-class-id 'VyOS'
set interfaces ethernet <interface> vif <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options no-default-route
set interfaces ethernet <interface> vif <vlan-id> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options default-route-distance 220
set interfaces ethernet <interface> vif <vlan-id> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces ethernet eth0 vif 10 dhcp-options reject 192.168.100.0/24
set interfaces ethernet <interface> vif <vlan-id> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces ethernet eth0 vif 10 dhcp-options user-class VyOS
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces ethernet eth0 vif 10 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces ethernet eth0 vif 10 dhcpv6-options no-release
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 vif 10 dhcpv6-options parameters-only
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces ethernet eth0 vif 10 dhcpv6-options rapid-commit
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces ethernet eth0 vif 10 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value corresponds to 64.

To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 length 56
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 address 65534
set interfaces ethernet <interface> vif <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1

QinQ (802.1ad)

Call for Contributions

This section needs improvements, examples and explanations.

Please take a look at the Contributing Guide for our Write Documentation.

IEEE 802.1ad was an Ethernet networking standard informally known as QinQ as an amendment to IEEE standard 802.1q VLAN interfaces as described above. 802.1ad was incorporated into the base 802.1q standard in 2011. The technique is also known as provider bridging, Stacked VLANs, or simply QinQ or Q-in-Q. “Q-in-Q” can for supported devices apply to C-tag stacking on C-tag (Ethernet Type = 0x8100).

The original 802.1q specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet protocols.

In a multiple VLAN header context, out of convenience the term “VLAN tag” or just “tag” for short is often used in place of “802.1q VLAN header”. QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1q headers (double-tagged).

In VyOS the terms vif-s and vif-c stand for the ethertype tags that are used.

The inner tag is the tag which is closest to the payload portion of the frame. It is officially called C-TAG (customer tag, with ethertype 0x8100). The outer tag is the one closer/closest to the Ethernet header, its name is S-TAG (service tag with Ethernet Type = 0x88a8).

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> address <address | dhcp | dhcpv6>

Configure interface <interface> with one or more interface addresses.

  • address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64

  • dhcp interface address is received by DHCP from a DHCP server on this segment.

  • dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.

Note

When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:

  • /config/scripts/dhcp-client/pre-hooks.d/

  • /config/scripts/dhcp-client/post-hooks.d/

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 192.0.2.1/24
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address dhcp
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address dhcpv6
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> description <description>

Set a human readable, descriptive alias for this connection. Alias is used by e.g. the show interfaces command or SNMP based monitoring tools.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 description 'This is an awesome interface running on VyOS'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> disable

Disable given <interface>. It will be placed in administratively down (A/D) state.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> disable-link-detect

Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.

Default is to detects physical link state changes.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable-link-detect
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> mac <xx:xx:xx:xx:xx:xx>

Configure user defined MAC address on given <interface>.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 mac '00:01:02:03:04:05'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> mtu <mtu>

Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 mtu 1600
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss <value>

Hint

MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip arp-cache-timeout

Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry’s validity will be extended if it receives positive feedback from higher level protocols.

This defaults to 30 seconds.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-arp-filter

If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.

If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).

In other words it allows control of which cards (usually 1) will respond to an arp request.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-arp-filter
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-forwarding
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-directed-broadcast

Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.

If configured, incoming IP directed broadcast packets on this interface will be forwarded.

If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-directed-broadcast
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-accept

Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create new entries in the ARP table.

Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.

If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-accept
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-announce

Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.

Use any local address, configured on any interface if this is not set.

If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-announce
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-arp-ignore

Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

If configured, reply only if the target IP address is local address configured on the incoming interface.

If this option is unset (default), reply for any local target IP address, configured on any interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-ignore
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip enable-proxy-arp

Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-proxy-arp
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip proxy-arp-pvlan

Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).

This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.

Note

Does not need to be used together with proxy_arp.

This technology is known by different names:

  • In RFC 3069 it is called VLAN Aggregation

  • Cisco and Allied Telesyn call it Private VLAN

  • Hewlett-Packard call it Source-Port filtering or port-isolation

  • Ericsson call it MAC-Forced Forwarding (RFC Draft)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ip source-validation <strict | loose | disable>

Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.

  • strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

  • loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

  • disable: No source validation

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address autoconf

SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Note

This method automatically disables IPv6 traffic forwarding on the interface in question.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address autoconf
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address eui64 <prefix>

EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address eui64 2001:db8:beef::/64
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 address no-default-link-local

Do not assign a link-local IPv6 address to this interface.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address no-default-link-local
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 disable-forwarding

Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 disable-forwarding
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 adjust-mss <mss | clamp-mss-to-pmtu>

As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.

Note

This command was introduced in VyOS 1.4 - it was previously called: set firewall options interface <name> adjust-mss6 <value>

Hint

MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.

Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 accept-dad <1-3>

Whether to accept DAD (Duplicate Address Detection).

  • 0: Disable DAD

  • 1: Enable DAD (default)

  • 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 accept-dad 2
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> ipv6 dup-addr-detect-transmits <n>

The amount of Duplicate Address Detection probes to send.

Default: 1

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 dup-addr-detect-transmits 5
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> vrf <vrf>

Place interface in given VRF instance.

See also

There is an entire chapter about how to configure a VRF, please check this for additional information.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 vrf red

DHCP(v6)

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options client-id <description>

RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options host-name <hostname>

Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options vendor-class-id <vendor-id>

This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.

The vendor-class-id option can be used to request a specific class of vendor options from the server.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id 'VyOS'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options no-default-route

Only request an address from the DHCP server but do not request a default gateway.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options no-default-route
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options default-route-distance <distance>

Set the distance for the default gateway sent by the DHCP server.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options default-route-distance 220
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options reject <address>

Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.

  • address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options reject 192.168.100.0/24
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcp-options user-class <string>

This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.

Example:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options user-class VyOS
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options duid <duid>

The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options no-release

When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options no-release
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options parameters-only

This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options rapid-commit

When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options temporary

Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options temporary

DHCPv6 Prefix Delegation (PD)

VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.

set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> length <length>

Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation.

The default value corresponds to 64.

To request a /56 prefix from your ISP use:

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> address <address>

Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.

It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.

Example: Delegate a /64 prefix to interface eth8 which will use a local address on this router of <prefix>::ffff, as the address 65534 will correspond to ffff in hexadecimal notation.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 address 65534
set interfaces ethernet <interface> vif-s <vlan-id> vif-c <vlan-id> dhcpv6-options pd <id> interface <delegatee> sla-id <id>

Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below).

Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.

set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 sla-id 1

Port Mirror (SPAN)

SPAN port mirroring can copy the inbound/outbound traffic of the interface to the specified interface, usually the interface can be connected to some special equipment, such as behavior control system, intrusion detection system and traffic collector, and can copy all related traffic from this port. The benefit of mirroring the traffic is that the application is isolated from the source traffic and so application processing does not affect the traffic or the system performance.

VyOS uses the mirror option to configure port mirroring. The configuration is divided into 2 different directions. Destination ports should be configured for different traffic directions.

set interfaces ethernet <interface> mirror ingress <monitor-interface>

Configure port mirroring for interface inbound traffic and copy the traffic to monitor-interface

Example: Mirror the inbound traffic of eth1 port to eth3

set interfaces ethernet eth1 mirror ingress eth3
set interfaces ethernet <interface> mirror egress <monitor-interface>

Configure port mirroring for interface outbound traffic and copy the traffic to monitor-interface

Example: Mirror the outbound traffic of eth1 port to eth3

set interfaces ethernet eth1 mirror egress eth3

Operation

show interfaces ethernet

Show brief interface information.

vyos@vyos:~$ show interfaces ethernet
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.18.201.10/24                  u/u  LAN
eth1             172.18.202.11/24                  u/u  WAN
eth2             -                                 u/D
show interfaces ethernet <interface>

Show detailed information on given <interface>

vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:44:00:f5:c9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:44ff:fe00:f5c9/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
      56735451     179841          0          0          0     142380
    TX:  bytes    packets     errors    dropped    carrier collisions
       5601460      62595          0          0          0          0
show interfaces ethernet <interface> physical

Show information about physical <interface>

vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   1000baseT/Full
                                10000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: No
        Supported FEC modes: Not reported
        Advertised link modes:  Not reported
        Advertised pause frame use: No
        Advertised auto-negotiation: No
        Advertised FEC modes: Not reported
        Speed: 10000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: off
        MDI-X: Unknown
        Supports Wake-on: uag
        Wake-on: d
        Link detected: yes
driver: vmxnet3
version: 1.4.16.0-k-NAPI
firmware-version:
expansion-rom-version:
bus-info: 0000:0b:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
show interfaces ethernet <interface> physical offload

Show available offloading functions on given <interface>

vyos@vyos:~$ show interfaces ethernet eth0 physical offload
rx-checksumming               on
tx-checksumming               on
tx-checksum-ip-generic        on
scatter-gather                off
tx-scatter-gather             off
tcp-segmentation-offload      off
tx-tcp-segmentation           off
tx-tcp-mangleid-segmentation  off
tx-tcp6-segmentation          off
udp-fragmentation-offload     off
generic-segmentation-offload  off
generic-receive-offload       off
large-receive-offload         off
rx-vlan-offload               on
tx-vlan-offload               on
ntuple-filters                off
receive-hashing               on
tx-gre-segmentation           on
tx-gre-csum-segmentation      on
tx-udp_tnl-segmentation       on
tx-udp_tnl-csum-segmentation  on
tx-gso-partial                on
tx-nocache-copy               off
rx-all                        off
show interfaces ethernet <interface> transceiver

Show transceiver information from plugin modules, e.g SFP+, QSFP

vyos@vyos:~$ show interfaces ethernet eth5 transceiver
   Identifier              : 0x03 (SFP)
   Extended identifier     : 0x04 (GBIC/SFP defined by 2-wire interface ID)
   Connector               : 0x07 (LC)
   Transceiver codes       : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00
   Transceiver type        : Ethernet: 1000BASE-SX
   Encoding                : 0x01 (8B/10B)
   BR, Nominal             : 1300MBd
   Rate identifier         : 0x00 (unspecified)
   Length (SMF,km)         : 0km
   Length (SMF)            : 0m
   Length (50um)           : 550m
   Length (62.5um)         : 270m
   Length (Copper)         : 0m
   Length (OM3)            : 0m
   Laser wavelength        : 850nm
   Vendor name             : CISCO-FINISAR
   Vendor OUI              : 00:90:65
   Vendor PN               : FTRJ-8519-7D-CS4
   Vendor rev              : A
   Option values           : 0x00 0x1a
   Option                  : RX_LOS implemented
   Option                  : TX_FAULT implemented
   Option                  : TX_DISABLE implemented
   BR margin, max          : 0%
   BR margin, min          : 0%
   Vendor SN               : FNS092xxxxx
   Date code               : 0506xx