Configure Interfaces
With the configuration data in hand, it is now possible to configure TNSR interfaces for basic IP level connectivity.
From within the TNSR CLI (see Entering the TNSR CLI), enter configuration mode and set up the interfaces using this example as a guide:
tnsr# configure terminal
tnsr(config)# interface GigabitEthernet0/14/1
tnsr(config-interface)# description WAN
tnsr(config-interface)# ip address 203.0.113.2/24
tnsr(config-interface)# ipv6 address 2001:db8:0:2::2/64
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# interface GigabitEthernet0/14/2
tnsr(config-interface)# description LAN
tnsr(config-interface)# ip address 10.2.0.1/24
tnsr(config-interface)# ipv6 address 2001:db8:1::1/64
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# exit
tnsr#
In this sample session, both interfaces were configured with an appropriate description for reference purposes, an IP address/subnet mask, and then placed into an enabled state.
If other hosts are present and active on the connected interfaces, it is now possible to ping between TNSR and hosts on these networks.
Tip
After making changes, don’t forget to save them to ensure they persist for the next startup by issuing the configuration copy running startup command from within config mode. See Saving the Configuration for more information.
Interface Command
The interface command can configure existing interfaces and create new interfaces.
Configure an existing interface:
tnsr(config)# interface <name>
tnsr(config-interface)#
This command enters config-interface mode.
Note
The maximum interface name length is 63 characters.
Create a new interface:
tnsr(config)# interface <type> <options>
The mode entered by this command depends upon the type of interface it creates. For more information on interface types and how to configure them, see Types of Interfaces.
Print a list of available interfaces and types:
tnsr(config)# interface ?
Interface Configuration Options
The following commands are available when configuring an interface (config-interface mode):
- access-list (input|output) acl <acl-name> sequence <seq>:
Access Control Lists which apply to packets on this interface in the given direction (Standard ACLs).
- access-list macip <macip-name>:
MACIP Access Control Lists which apply to packets on this interface (MACIP ACLs).
- bond <id>:
Set this interface as a part of the given bonding group (Bonding Interfaces).
- bridge domain <id>:
Set this interface as a member of the given bridge domain (Bridge Interfaces).
- description:
Set the interface description.
- detailed-stats (enable|disable):
Enable or disable the collection of detailed packet statistics which individually track received and transmitted unicast, multicast, and broadcast packets. Disabled by default. Disabling these counters for an interface will not clear the values; it only stops new data collection.
- dhcp client [ipv4]:
Configures this interface to obtain its IPv4 address using Dynamic Host Configuration Protocol.
Warning
If this interface contains an input ACL, it must allow DHCP responses. These responses cannot be passed via reflect on an outbound ACL. The inbound ACL must pass IPv4 UDP from any source address on port 67 to any destination address on port 68.
Tip
The DHCP client runs in the dataplane namespace and can be controlled as a systemd service. See Troubleshooting DHCP Client for details.
- dhcp client ipv4 hostname <host-name>:
Sets the hostname sent with DHCP client requests.
- disable:
Disable interface administratively.
- enable:
Enable interface administratively.
- ip address <ip-address>:
Sets the IPv4 address for this interface. May be repeated to add multiple addresses to an interface.
Note
TNSR 19.08 and later support multiple IP addresses in the same prefix. Older versions only allowed a single address per prefix.
- ip nat (inside|outside|none):
Configures this interface to be an inside or outside NAT interface for use with dataplane NAT (Network Address Translation). To stop an interface from participating in dataplane NAT, use either no ip nat or ip nat none.
This is not necessary for VPF NAT.
- ip reassembly enable:
Enables IP Reassembly for IPv4.
- ip reassembly type (full|virtual):
Sets the type of IP Reassembly to perform on this interface for IPv4 fragments.
- ipv6 address <ip6-address>:
Sets the IPv6 address for this interface. May be repeated to add multiple addresses to an interface.
Note
TNSR 19.08 and later support multiple IP addresses in the same prefix. Older versions only allowed a single address per prefix.
- ipv6 reassembly enable:
Enables IP Reassembly for IPv6.
- ipv6 reassembly type (full|virtual):
Sets the type of IP Reassembly to perform on this interface for IPv6 fragments.
- ipv6 router-advertisements:
Enters config-interface-ipv6-ra mode to configure IPv6 Router Advertisements. See IPv6 Router Advertisement Configuration for details.
- lldp:
LLDP options for this interface (Link Layer Discovery Protocol).
- mac-address:
Configures an alternative MAC address for this interface.
Warning
Changing the MAC address on an active interface will result in unpredictable behavior. Packets already in transit addressed to the old MAC will be dropped, and it may take some time for other hosts and equipment on directly connected networks to update their ARP tables with the new MAC address.
The best practice is to set an interface administratively down (disable) before changing the MAC address, and then enable it again afterward.
- map:
MAP-E/T options for this interface (MAP (Mapping of Address and Port)).
- mtu <size>:
Sets the interface Layer 2 (L2) Maximum Transmission Unit (MTU) size, in bytes. This would reflect the capability of the link or underlying medium and applies to all traffic on the interface.
When configuring interfaces which are encapsulated, such as IPsec ipip interfaces, this MTU must account for the overhead incurred by the protocols involved. See IPsec Interface MTU for IPsec-specific information.
Warning
Any interface that will contain an IPv6 address must have an MTU of 1280 or higher. This includes both the default MTU and MTU values set on interfaces directly.
- (ip|ipv6) mtu <size>:
Sets a Layer 3 (L3) MTU specifically for IPv4 or IPv6 packets, which may have different upstream link limitations.
- (ip|ipv6) tcp mss <mss-value> (Tx|Rx|TxRx):
Sets the TCP Maximum Segment Size (MSS) value in TCP packets on this interface in the given direction to the specified value. This value informs hosts of the maximum data length (in Bytes) which can be sent or received in a single TCP segment.
This setting can help avoid fragmentation by using an MSS value which is less than the link MTU, after factoring in TCP and IP headers and any other overhead. On typical Ethernet interfaces the maximum MSS for IPv4 is 40 bytes less than the MTU, and for IPv6 the value is 60 bytes less than the MTU.
Tip
The value should be set as close as possible to the link MTU. Setting this value too low will lead to lower performance due to increased overhead from sending a larger volume of packets.
Some interface types, such as IPsec, involve additional encapsulation and will require lower MSS values due to the additional overhead. The exact amount of overhead varies depending on the type of encapsulation, protocols, and settings involved.
Note
For IPsec, the minimum extra overhead is 54 bytes with AES-GCM or 58 bytes with AES-CBC+HMAC-SHA1. Overhead may be higher depending on the presence of NAT-T, padding, and other factors. It is not uncommon to see MSS values of around 1300 for IPv4 IPsec to ensure packets do not get fragmented under any circumstances, as numerous devices have difficulty processing fragmented IPsec packets.
- rx-mode (adaptive|interrupt|polling):
Configures the receive mode of the interface as either interrupt mode or polling mode (default). This controls how TNSR will acquire data from interfaces, either by waiting for interfaces to signal that there is new data to process (interrupt mode), or constantly polling them for new data (polling mode). Adaptive mode switches between interrupt and polling modes depending on performance needs at a given point in time.
See also
See Polling Mode vs. Interrupt Mode for more information on the differences between interrupt and polling modes.
Configuring the receive mode on a hardware interface will configure the mode in the dataplane and also in the operating system to match.
Virtual interfaces, such as those for VPN tunnels, can still have their mode configured but it does not affect the dataplane, only the operating system interface components. This is because TNSR processes the packet data when it arrives on the hardware interface, so there is no need to separately handle packets arriving on virtual interfaces.
This option cannot be set on VLAN subinterfaces as they rely on the behavior of the underlying hardware interface.
- rx-queue <queue_num> cpu <core-id>:
Pin a specific receive queue for this interface to a specific CPU core. Both the queue number and core ID must be valid and within range for the configured number of queues and cores as set with corelist-workers.
See also
For more information on configuring interface queue sizes, see DPDK Configuration. To configure CPU core usage see CPU Workers and Affinity.
Warning
This option requires that core affinity be enabled by defining dataplane cpu main-core <n>. Most cases also require a list of cores configured for dataplane use by corelist-workers. RX queue core pinning is incompatible with the workers and skip-list methods of defining CPU cores available for use by the dataplane.
The only exception is that when no additional workers are configured, an rx-queue may use the core defined by dataplane cpu main-core <n>.
- vlan tag-rewrite disable:
Disable tag rewriting for this interface.
- vlan tag-rewrite pop-1:
Remove one level of VLAN tags from packets on this interface.
- vlan tag-rewrite pop-2:
Remove two levels of VLAN tags from packets on this interface.
- vlan tag-rewrite push-1 (dot1ad|dot1q) <tag 1>:
Add a new layer of VLAN tagging to frames on this interface using the provided VLAN tag.
- vlan tag-rewrite push-2 (dot1ad|dot1q) <tag 1> <tag 2>:
Add two new layers of VLAN tagging to frames on this interface using the provided VLAN tags.
- vlan tag-rewrite translate-1-1 (dot1ad|dot1q) <tag 1>:
Replace one layer of VLAN tags with a different VLAN ID.
- vlan tag-rewrite translate-1-2 (dot1ad|dot1q) <tag 1> <tag 2>:
Replace one layer of VLAN tags with two layers of tagging using the provided VLAN IDs.
- vlan tag-rewrite translate-2-1 (dot1ad|dot1q) <tag 1>:
Replace two layers of VLAN tags with one layer of tagging using the provided VLAN ID.
- vlan tag-rewrite translate-2-2 (dot1ad|dot1q) <tag 1> <tag 2>:
Replace two layers of VLAN tags with two different layers of tagging using the provided VLAN IDs.
- vrf <vrf-name>:
Specifies a Virtual Routing and Forwarding instance used by route lookups for traffic entering this interface. See Virtual Routing and Forwarding for details.
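The mtu and tcp mss options above give fixed header and IPsec overhead figures; the following added example (not part of the TNSR documentation or software) turns them into a pre-change check for planned interface settings. The function names and the sample plan are hypothetical, and link_mtu is assumed to be the MTU of the path before any encapsulation.

```python
# Values taken from the text above; the interface plan below is constructed.
HEADER_BYTES = {"ipv4": 40, "ipv6": 60}  # IP + TCP headers below the MTU
IPSEC_MIN_OVERHEAD = {None: 0, "aes-gcm": 54, "aes-cbc-hmac-sha1": 58}
IPV6_MIN_MTU = 1280


def mss_ceiling(link_mtu, family, ipsec=None):
    """Largest MSS that fits in link_mtu without fragmentation.

    For IPsec this is an upper bound only: NAT-T and padding add more overhead.
    """
    return link_mtu - HEADER_BYTES[family] - IPSEC_MIN_OVERHEAD[ipsec]


def review_interface(name, link_mtu, family, mss, ipsec=None):
    """Return a list of findings for one planned interface setting."""
    findings = []
    if family == "ipv6" and link_mtu < IPV6_MIN_MTU:
        findings.append(
            f"{name}: MTU {link_mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    ceiling = mss_ceiling(link_mtu, family, ipsec)
    if mss > ceiling:
        findings.append(
            f"{name}: tcp mss {mss} exceeds {ceiling}; segments may be fragmented")
    return findings


if __name__ == "__main__":
    planned = [  # constructed sample plan: (name, link MTU, family, MSS, IPsec)
        ("WAN", 1500, "ipv4", 1460, None),
        ("ipip0", 1500, "ipv4", 1460, "aes-gcm"),
        ("ipip0", 1500, "ipv4", 1300, "aes-gcm"),
        ("LAN6", 1200, "ipv6", 1140, None),
    ]
    for name, mtu, family, mss, ipsec in planned:
        results = review_interface(name, mtu, family, mss, ipsec)
        for line in results or [f"{name}: ok"]:
            print(line)
```

An empty result only means the value is at or below the ceiling; the ceiling for IPsec uses the minimum overhead, so real tunnels may need a lower MSS.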
IPv6 Router Advertisement Configuration
When configured to do so, TNSR sends router advertisements which include route information and indicate to network hosts that the router is operational for IPv6. The router sends these unsolicited multicast router advertisements periodically, with a time range defined by minimum and maximum values in seconds.
To change into config-interface-ipv6-ra mode, enter ipv6 router-advertisements from config-interface mode.
The following commands are available in config-interface-ipv6-ra mode:
- default-lifetime <seconds>:
The length of time in seconds (relative to the time the packet is sent) that the prefix is valid for the purpose of on-link determination.
The default value is 3x the value of max-rtr-adv-interval, thus by default this is 1800 seconds.
- managed-flag (true|false):
Controls the value of the “managed” flag in RA messages. When true, it indicates to systems on this segment that addresses are available from a DHCPv6 server.
- max-rtr-adv-interval <seconds>:
The maximum time allowed between sending unsolicited multicast router advertisements in seconds. Allowed range is between 4-65535 seconds. Default value is 600 seconds.
Should be less than or equal to the default-lifetime value.
- min-rtr-adv-interval <seconds>:
The length of time in seconds, relative to the time the packet is sent, that the prefix is valid for the purpose of on-link determination. Allowed range is between 3-1350 seconds.
If the value of max-rtr-adv-interval is greater than or equal to 9 seconds, the default value is 1/3 (0.33x) of max-rtr-adv-interval. Otherwise it is 75% of max-rtr-adv-interval.
Value must not be greater than 75% of max-rtr-adv-interval.
- other-config-flag (true|false):
Controls the value of the “other stateful configuration” flag in RA messages. When true, it indicates to systems on this segment that other configuration data is available via DHCPv6, such as DNS servers.
- prefix <ipv6-prefix>:
Configures router advertisement properties for specific prefixes by entering config-interface-ipv6-ra-prefix mode.
- send-advertisements (true|false):
When set to true, the router sends advertisements on this interface and responds to router solicitation messages.
See also
For additional detail on how IPv6 Router Advertisements work, see RFC 4861.
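The timer options above depend on one another, so a planned change can be checked before it is entered. This is an added example, not code from TNSR: resolve_ra_timers is a hypothetical helper that applies the ranges and defaults stated above, rounds derived defaults down (an assumption), and range-checks only values the operator sets explicitly.

```python
MAX_RANGE = (4, 65535)  # max-rtr-adv-interval, seconds
MIN_RANGE = (3, 1350)   # min-rtr-adv-interval, seconds
DEFAULT_MAX = 600       # default max-rtr-adv-interval, seconds


def resolve_ra_timers(max_interval=None, min_interval=None, default_lifetime=None):
    """Return (effective_values, problems) for one interface's RA timers.

    Arguments left as None take the defaults described in the text.
    """
    problems = []

    mx = DEFAULT_MAX if max_interval is None else max_interval
    if not MAX_RANGE[0] <= mx <= MAX_RANGE[1]:
        problems.append(
            f"max-rtr-adv-interval {mx} outside {MAX_RANGE[0]}-{MAX_RANGE[1]}")

    if min_interval is None:
        # Default: 1/3 of max when max >= 9, otherwise 75% of max.
        # Rounding down is an assumption of this example.
        mn = mx // 3 if mx >= 9 else (mx * 3) // 4
    else:
        mn = min_interval
        if not MIN_RANGE[0] <= mn <= MIN_RANGE[1]:
            problems.append(
                f"min-rtr-adv-interval {mn} outside {MIN_RANGE[0]}-{MIN_RANGE[1]}")

    # min must not be greater than 75% of max (integer form of mn > 0.75 * mx)
    if mn * 4 > mx * 3:
        problems.append(
            f"min-rtr-adv-interval {mn} exceeds 75% of max-rtr-adv-interval {mx}")

    life = 3 * mx if default_lifetime is None else default_lifetime
    if mx > life:
        problems.append(
            f"max-rtr-adv-interval {mx} is greater than default-lifetime {life}")

    values = {"max-rtr-adv-interval": mx,
              "min-rtr-adv-interval": mn,
              "default-lifetime": life}
    return values, problems


if __name__ == "__main__":
    # Constructed inputs: defaults, then a min interval that is too large.
    print(resolve_ra_timers())
    print(resolve_ra_timers(max_interval=600, min_interval=500))
```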
IPv6 Prefix Configuration
Some IPv6 router advertisement messages are specific to individual prefixes, so they can be configured separately for each prefix.
To change into config-interface-ipv6-ra-prefix mode, enter prefix <ipv6-prefix> from config-interface-ipv6-ra mode.
The following commands are available in config-interface-ipv6-ra-prefix mode:
- autonomous-flag (true|false):
Controls the value of the “autonomous” flag in RA messages for this prefix. When true, it indicates to systems on this segment that this prefix can be used for stateless address auto-configuration (SLAAC).
- no-advertise:
Disables advertisements for this prefix.
- on-link-flag (true|false):
Controls the value of the “on-link” flag in RA messages for this prefix. When true, it indicates to systems on this segment that the prefix is local (same layer 2) and can be reached via neighbor discovery. When false, indicates to systems that the prefix is not local and should be sent via this router.
- preferred-lifetime <time-in-seconds>:
Length of time, specified in seconds, that the client addresses generated in this prefix using SLAAC are valid. Default value is 604800 seconds.
- valid-lifetime <time-in-seconds>:
Length of time, specified in seconds, that the advertised prefix will be valid. Default value is 2592000 seconds.
Other IPv6 Router Advertisement Properties
There are a few additional properties of IPv6 router advertisements that cannot be directly configured by TNSR. These may be familiar to administrators who work with router advertisements on other platforms.
- Link MTU:
TNSR automatically populates the link-mtu flag on router advertisements with the value of the IPv6 MTU configured on the interface. To change the MTU in RA messages, change the IPv6 MTU on the interface itself.
- Hop Limit:
The cur-hop-limit value in RA messages from TNSR is static: 64.
- Reachable Time, Retransmit Timer:
The values of reachable-time and retrans-timer in RA messages from TNSR are both 0 (“unspecified by this router”).
IPv6 Router Advertisement Example
The following example configures an interface named LAN so that it allows clients to self-assign addresses from the prefix 2001:db8:f3:1::/64 using SLAAC:
tnsr(config)# interface LAN
tnsr(config-interface)# ipv6 address 2001:db8:f3:1::1/64
tnsr(config-interface)# ipv6 router-advertisements
tnsr(config-interface-ipv6-ra)# send-advertisements true
tnsr(config-interface-ipv6-ra)# max-rtr-adv-interval 600
tnsr(config-interface-ipv6-ra)# managed-flag false
tnsr(config-interface-ipv6-ra)# other-config-flag false
tnsr(config-interface-ipv6-ra)# prefix 2001:db8:f3:1::/64
tnsr(config-interface-ipv6-ra-prefix)# valid-lifetime 2592000
tnsr(config-interface-ipv6-ra-prefix)# on-link-flag true
tnsr(config-interface-ipv6-ra-prefix)# preferred-lifetime 604800
tnsr(config-interface-ipv6-ra-prefix)# autonomous-flag true
tnsr(config-interface-ipv6-ra-prefix)# end
tnsr# exit
Remove Interface Configuration
To remove an interface and all of its configuration settings, use no interface <if-name>.
For example, to remove the ipip2 interface:
tnsr(config)# no interface ipip2
Warning
Static routes utilizing the interface must be removed before an interface can be deleted.
DHCP Client Example
The previous example was for a static IP address deployment.
To configure a TNSR interface to obtain its IP address via DHCP as a client, follow this example instead:
tnsr# configure terminal
tnsr(config)# interface GigabitEthernet3/0/0
tnsr(config-interface)# dhcp client ipv4
tnsr(config-interface)# enable
tnsr(config-interface)# exit
tnsr(config)# exit