Configure Interfaces

With the configuration data in hand, it is now possible to configure TNSR interfaces for basic IP level connectivity.

From within the TNSR CLI (Entering the TNSR CLI), enter configuration mode and set up the interfaces using this example as a guide:

tnsr# configure terminal
tnsr(config)# interface GigabitEthernet0/14/1
tnsr(config-interface)# description WAN
tnsr(config-interface)# ip address 203.0.113.2/24
tnsr(config-interface)# ipv6 address 2001:db8:0:2::2/64
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# interface GigabitEthernet0/14/2
tnsr(config-interface)# description LAN
tnsr(config-interface)# ip address 10.2.0.1/24
tnsr(config-interface)# ipv6 address 2001:db8:1::1/64
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# exit
tnsr#

In this sample session, both interfaces were configured with an appropriate description for reference purposes, an IP address/subnet mask, and then placed into an enabled state.

If other hosts are present and active on the connected interfaces, it will now be possible to ping between TNSR and hosts on these networks.

Tip

After making changes, don’t forget to save them to ensure they persist for the next startup by issuing the configuration copy running startup command from within config mode. See Saving the Configuration for more information.

Interface Command

The interface command can configure existing interfaces and create new interfaces.

Configure an existing interface:

tnsr(config)# interface <name>
tnsr(config-interface)#

This command enters config-interface mode.

Note

The maximum interface name length is 63 characters.

Create a new interface:

tnsr(config)# interface <type> <options>

The mode entered by this command depends upon the type of interface it creates. For more information on interface types and how to configure them, see Types of Interfaces.

Print a list of available interfaces and types:

tnsr(config)# interface ?

Interface Configuration Options

The following commands are available when configuring an interface (config-interface mode):

access-list (input|output) acl <acl-name> sequence <seq>:

Access Control Lists which apply to packets on this interface in the given direction (Standard ACLs).

access-list macip <macip-name>:

MACIP Access Control Lists which apply to packets on this interface (MACIP ACLs).

bond <id>:

Set this interface as a part of the given bonding group (Bonding Interfaces).

bridge domain <id>:

Set this interface as a member of the given bridge domain (Bridge Interfaces).

description:

Set the interface description.

detailed-stats (enable|disable):

Enable or disable the collection of detailed packet statistics which individually track received and transmitted unicast, multicast, and broadcast packets. Disabled by default. Disabling these counters for an interface will not clear the values; it only stops new data collection.

dhcp client [ipv4]:

Configures this interface to obtain its IPv4 address using Dynamic Host Configuration Protocol.

Warning

If this interface contains an input ACL, it must allow DHCP responses. These responses cannot be passed via reflect on an outbound ACL. The inbound ACL must pass IPv4 UDP from any source address on port 67 to any destination address on port 68.

Tip

The DHCP client runs in the dataplane namespace and can be controlled as a systemd service. See Troubleshooting DHCP Client for details.

dhcp client ipv4 hostname <host-name>:

Sets the hostname sent with DHCP client requests.

disable:

Disable interface administratively.

enable:

Enable interface administratively.

ip address <ip-address>:

Sets the IPv4 address for this interface. May be repeated to add multiple addresses to an interface.

Note

TNSR 19.08 and later support multiple IP addresses in the same prefix. Older versions only allowed a single address per prefix.

ip nat (inside|outside|none):

Configures this interface to be an inside or outside NAT interface for use with dataplane NAT (Network Address Translation). To stop an interface from participating in dataplane NAT, use either no ip nat or ip nat none.

This is not necessary for VPF NAT.

ip reassembly enable:

Enables IP Reassembly for IPv4.

ip reassembly type (full|virtual):

Sets the type of IP Reassembly to perform on this interface for IPv4 fragments.

ipv6 address <ip6-address>:

Sets the IPv6 address for this interface. May be repeated to add multiple addresses to an interface.

Note

TNSR 19.08 and later support multiple IP addresses in the same prefix. Older versions only allowed a single address per prefix.

ipv6 reassembly enable:

Enables IP Reassembly for IPv6.

ipv6 reassembly type (full|virtual):

Sets the type of IP Reassembly to perform on this interface for IPv6 fragments.

ipv6 router-advertisements:

Enters config-interface-ipv6-ra mode to configure IPv6 Router Advertisements. See IPv6 Router Advertisement Configuration for details.

lldp:

LLDP options for this interface (Link Layer Discovery Protocol).

mac-address:

Configures an alternative MAC address for this interface.

Warning

Changing the MAC address on an active interface will result in unpredictable behavior. Packets already in transit addressed to the old MAC will be dropped, and it may take some time for other hosts and equipment on directly connected networks to update their ARP tables with the new MAC address.

The best practice is to set an interface administratively down (disable) before changing the MAC address, and then enable it again afterward.

map:

MAP-E/T options for this interface (MAP (Mapping of Address and Port)).

mtu <size>:

Sets the interface Layer 2 (L2) Maximum Transmission Unit (MTU) size, in bytes. This would reflect the capability of the link or underlying medium and applies to all traffic on the interface.

When configuring interfaces which are encapsulated, such as IPsec ipip interfaces, this MTU must account for the overhead incurred by the protocols involved. See IPsec Interface MTU for IPsec-specific information.

Warning

Any interface that will contain an IPv6 address must have an MTU of 1280 or higher. This includes both the default MTU and MTU values set on interfaces directly.

(ip|ipv6) mtu <size>:

Sets a Layer 3 (L3) MTU specifically for IPv4 or IPv6 packets, which may have different upstream link limitations.

(ip|ipv6) tcp mss <mss-value> (Tx|Rx|TxRx):

Sets the TCP Maximum Segment Size (MSS) value in TCP packets on this interface in the given direction to the specified value. This value informs hosts of the maximum data length (in Bytes) which can be sent or received in a single TCP segment.

This setting can help avoid fragmentation by using an MSS value which is less than the link MTU, after factoring in TCP and IP headers and any other overhead. On typical Ethernet interfaces the maximum MSS for IPv4 is 40 bytes less than the MTU, and for IPv6 the value is 60 bytes less than the MTU.

Tip

The value should be set as close as possible to the link MTU. Setting this value too low will lead to lower performance due to increased overhead from sending a larger volume of packets.

Some interface types, such as IPsec, involve additional encapsulation and will require lower MSS values due to the additional overhead. The exact amount of overhead varies depending on the type of encapsulation, protocols, and settings involved.

Note

For IPsec, the minimum extra overhead is 54 bytes with AES-GCM or 58 bytes with AES-CBC+HMAC-SHA1. Overhead may be higher depending on the presence of NAT-T, padding, and other factors. It is not uncommon to see MSS values of around 1300 for IPv4 IPsec to ensure packets do not get fragmented under any circumstances, as numerous devices have difficulty processing fragmented IPsec packets.

rx-mode (adaptive|interrupt|polling):

Configures the receive mode of the interface as either interrupt mode or polling mode (default). This controls how TNSR will acquire data from interfaces, either by waiting for interfaces to signal that there is new data to process (interrupt mode), or constantly polling them for new data (polling mode). Adaptive mode switches between interrupt and polling modes depending on performance needs at a given point in time.

See also

See Polling Mode vs. Interrupt Mode for more information on the differences between interrupt and polling modes.

Configuring the receive mode on a hardware interface will configure the mode in the dataplane and also in the operating system to match.

Virtual interfaces, such as those for VPN tunnels, can still have their mode configured but it does not affect the dataplane, only the operating system interface components. This is because TNSR processes the packet data when it arrives on the hardware interface, so there is no need to separately handle packets arriving on virtual interfaces.

This option cannot be set on VLAN subinterfaces as they rely on the behavior of the underlying hardware interface.

rx-queue <queue_num> cpu <core-id>:

Pin a specific receive queue for this interface to a specific CPU core. Both the queue number and core ID must be valid and within range for the configured number of queues and cores as set with corelist-workers.

See also

For more information on configuring interface queue sizes, see DPDK Configuration. To configure CPU core usage see CPU Workers and Affinity.

Warning

This option requires that core affinity be enabled by defining the dataplane cpu main-core <n>. Most cases also require a list of cores configured for dataplane use by corelist-workers. RX queue core pinning is incompatible with the workers and skip-list methods of defining CPU cores available for use by the dataplane.

The only exception to this is when no additional workers are configured. In that case, an rx-queue may use the core defined by dataplane cpu main-core <n>.

vlan tag-rewrite disable:

Disable tag rewriting for this interface.

vlan tag-rewrite pop-1:

Remove one level of VLAN tags from packets on this interface.

vlan tag-rewrite pop-2:

Remove two levels of VLAN tags from packets on this interface.

vlan tag-rewrite push-1 (dot1ad|dot1q) <tag 1>:

Add a new layer of VLAN tagging to frames on this interface using the provided VLAN tag.

vlan tag-rewrite push-2 (dot1ad|dot1q) <tag 1> <tag 2>:

Add two new layers of VLAN tagging to frames on this interface using the provided VLAN tags.

vlan tag-rewrite translate-1-1 (dot1ad|dot1q) <tag 1>:

Replace one layer of VLAN tags with a different VLAN ID.

vlan tag-rewrite translate-1-2 (dot1ad|dot1q) <tag 1> <tag 2>:

Replace one layer of VLAN tags with two layers of tagging using the provided VLAN IDs.

vlan tag-rewrite translate-2-1 (dot1ad|dot1q) <tag 1>:

Replace two layers of VLAN tags with one layer of tagging using the provided VLAN ID.

vlan tag-rewrite translate-2-2 (dot1ad|dot1q) <tag 1> <tag 2>:

Replace two layers of VLAN tags with two different layers of tagging using the provided VLAN IDs.

vrf <vrf-name>:

Specifies a Virtual Routing and Forwarding instance used by route lookups for traffic entering this interface. See Virtual Routing and Forwarding for details.

IPv6 Router Advertisement Configuration

When configured to do so, TNSR sends router advertisements which include route information and indicate to network hosts that the router is operational for IPv6. The router sends these unsolicited multicast router advertisements periodically, with a time range defined by minimum and maximum values in seconds.

To change into config-interface-ipv6-ra mode, enter ipv6 router-advertisements from config-interface mode.

The following commands are available in config-interface-ipv6-ra mode:

default-lifetime <seconds>:

The length of time in seconds (relative to the time the packet is sent) that the prefix is valid for the purpose of on-link determination.

The default value is 3x the value of max-rtr-adv-interval, thus by default this is 1800 seconds.

managed-flag (true|false):

Controls the value of the “managed” flag in RA messages. When true, it indicates to systems on this segment that addresses are available from a DHCPv6 server.

max-rtr-adv-interval <seconds>:

The maximum time allowed between sending unsolicited multicast router advertisements in seconds. Allowed range is between 4-65535 seconds. Default value is 600 seconds.

Should be less than or equal to the default-lifetime value.

min-rtr-adv-interval <seconds>:

The length of time in seconds, relative to the time the packet is sent, that the prefix is valid for the purpose of on-link determination. Allowed range is between 3-1350 seconds.

If the value of max-rtr-adv-interval is greater than or equal to 9 seconds, the default value is 1/3 (0.33x) of max-rtr-adv-interval. Otherwise it is 75% of max-rtr-adv-interval.

Value must not be greater than 75% of max-rtr-adv-interval.

other-config-flag (true|false):

Controls the value of the “other stateful configuration” flag in RA messages. When true, it indicates to systems on this segment that other configuration data is available via DHCPv6, such as DNS servers.

prefix <ipv6-prefix>:

Configures router advertisement properties for specific prefixes by entering config-interface-ipv6-ra-prefix mode.

send-advertisements (true|false):

When set to true, the router sends advertisements on this interface and responds to router solicitation messages.

See also

For additional detail on how IPv6 Router Advertisements work, see RFC 4861.

IPv6 Prefix Configuration

Some IPv6 router advertisement messages are specific to individual prefixes, so they can be configured separately for each prefix.

To change into config-interface-ipv6-ra-prefix mode, enter prefix <ipv6-prefix> from config-interface-ipv6-ra mode.

The following commands are available in config-interface-ipv6-ra-prefix mode:

autonomous-flag (true|false):

Controls the value of the “autonomous” flag in RA messages for this prefix. When true, it indicates to systems on this segment that this prefix can be used for stateless address auto-configuration (SLAAC).

no-advertise:

Disables advertisements for this prefix.

on-link-flag (true|false):

Controls the value of the “on-link” flag in RA messages for this prefix. When true, it indicates to systems on this segment that the prefix is local (same layer 2) and can be reached via neighbor discovery. When false, it indicates to systems that the prefix is not local and that traffic for it should be sent via this router.

preferred-lifetime <time-in-seconds>:

Length of time, specified in seconds, that the client addresses generated in this prefix using SLAAC are valid. Default value is 604800 seconds.

valid-lifetime <time-in-seconds>:

Length of time, specified in seconds, that the advertised prefix will be valid. Default value is 2592000 seconds.

Other IPv6 Router Advertisement Properties

There are a few additional properties of IPv6 router advertisements that cannot be directly configured by TNSR. These may be familiar to administrators who work with router advertisements on other platforms.

Link MTU:

TNSR automatically populates the link-mtu flag on router advertisements with the value of the IPv6 MTU configured on the interface. To change the MTU in RA messages, change the IPv6 MTU on the interface itself.

Hop Limit:

The cur-hop-limit value in RA messages from TNSR is static: 64.

Reachable Time, Retransmit Timer:

The values of reachable-time and retrans-timer in RA messages from TNSR are both 0 (“unspecified by this router”).

IPv6 Router Advertisement Example

The following example configures an interface named LAN so that it allows clients to self-assign addresses from the prefix 2001:db8:f3:1::/64 using SLAAC:

tnsr(config)# interface LAN
tnsr(config-interface)# ipv6 address 2001:db8:f3:1::1/64
tnsr(config-interface)# ipv6 router-advertisements
tnsr(config-interface-ipv6-ra)# send-advertisements true
tnsr(config-interface-ipv6-ra)# max-rtr-adv-interval 600
tnsr(config-interface-ipv6-ra)# managed-flag false
tnsr(config-interface-ipv6-ra)# other-config-flag false
tnsr(config-interface-ipv6-ra)# prefix 2001:db8:f3:1::/64
tnsr(config-interface-ipv6-ra-prefix)# valid-lifetime 2592000
tnsr(config-interface-ipv6-ra-prefix)# on-link-flag true
tnsr(config-interface-ipv6-ra-prefix)# preferred-lifetime 604800
tnsr(config-interface-ipv6-ra-prefix)# autonomous-flag true
tnsr(config-interface-ipv6-ra-prefix)# end
tnsr# exit
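A pasted CLI session can be checked offline against the limits this page states for router advertisement timers, for the MTU of IPv6 interfaces, and for the tcp mss ceiling described under the (ip|ipv6) tcp mss option. The following is an added example, not Netgate code and not part of TNSR. The names parse and lint are hypothetical, the session is constructed, and treating (ip|ipv6) mtu as taking precedence over mtu for the MSS check is an assumption.

```python
import re
PROMPT = re.compile(r"^tnsr(?:\(([\w-]+)\))?#\s*(.*)$")

# Constructed session in the style of this page; values chosen to trip checks.
SAMPLE = """\
tnsr(config)# interface LAN
tnsr(config-interface)# mtu 1500
tnsr(config-interface)# ip tcp mss 1480 TxRx
tnsr(config-interface)# ipv6 address 2001:db8:f3:1::1/64
tnsr(config-interface)# ipv6 router-advertisements
tnsr(config-interface-ipv6-ra)# max-rtr-adv-interval 600
tnsr(config-interface-ipv6-ra)# min-rtr-adv-interval 500
tnsr(config-interface-ipv6-ra)# default-lifetime 300
"""

def parse(session):
    """Return {interface: {command words: last argument}} from a pasted session."""
    cfg, cur = {}, None
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        mode, words = (m.group(1) or "", m.group(2).split()) if m else ("", [])
        if words and words[-1] in ("Tx", "Rx", "TxRx"):
            words = words[:-1]                 # drop the "tcp mss" direction
        if mode == "config":                   # top level: select the interface
            named = len(words) == 2 and words[0] == "interface"
            cur = cfg.setdefault(words[1], {}) if named else None
        elif mode.startswith("config-interface") and cur is not None and len(words) >= 2:
            cur[" ".join(words[:-1])] = words[-1]
    return cfg

def lint(cfg):
    """Check each interface against the limits stated on this page."""
    out = []
    for name, c in cfg.items():
        num = lambda key: int(c[key]) if key in c else None
        mtu, mx = num("mtu"), int(c.get("max-rtr-adv-interval", 600))  # page default
        if "ipv6 address" in c and mtu is not None and mtu < 1280:
            out.append((name, "mtu below 1280 with an IPv6 address"))
        for fam, hdr in (("ip", 40), ("ipv6", 60)):       # header bytes from the page
            mss, l3 = num(fam + " tcp mss"), num(fam + " mtu") or mtu
            if mss and l3 and mss > l3 - hdr:
                out.append((name, f"{fam} tcp mss {mss} exceeds {l3 - hdr}"))
        if not 4 <= mx <= 65535:
            out.append((name, "max-rtr-adv-interval outside 4-65535"))
        if (mn := num("min-rtr-adv-interval")) is not None and (not 3 <= mn <= 1350 or mn > 0.75 * mx):
            out.append((name, "min-rtr-adv-interval outside 3-1350 or above 75% of max"))
        if (life := num("default-lifetime")) is not None and mx > life:
            out.append((name, "max-rtr-adv-interval exceeds default-lifetime"))
    return out
```

Calling lint(parse(SAMPLE)) returns three findings for LAN; the MSS check is skipped for interfaces where no MTU appears in the session, and encapsulation overhead such as IPsec is not subtracted.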

Remove Interface Configuration

To remove an interface and all of its configuration settings, use no interface <if-name>.

For example, to remove the ipip2 interface:

tnsr(config)# no interface ipip2

Warning

Static routes utilizing the interface must be removed before an interface can be deleted.

DHCP Client Example

The previous example was for a static IP address deployment.

To configure a TNSR interface to obtain its IP address via DHCP as a client, follow this example instead:

tnsr# configure terminal
tnsr(config)# interface GigabitEthernet3/0/0
tnsr(config-interface)# dhcp client ipv4
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# exit