VTYSH extensions. Interfaces


Preliminary version.

24.08.2023


Contents

Changelog

Debug / Informational commands

Configuration commands

Overall interface commands

PPP-type interface commands

Bridge related commands

Wireless and cellular interface related commands

IPSEC related commands

Configuration samples

DM VPN spoke, BGP and two L2TP connections secured by IPSec.

Changelog

12.07.2023 — Sample config for DM VPN, L2TP and IPSec profiles is added.

02.08.2023 — Table of contents has been added.

23.08.2023 — SSTP mode for PPP connections has been added.

24.08.2023 — «show wireless interface ...» command has been added.

Debug / Informational commands

** show wireless interface INTERFACE **
Shows the state and mode of the wireless interface given by name. The command is available in enable mode and requires privilege level 10 or higher.

Configuration commands

All commands below are available in interface configuration mode.

Overall interface commands

** use mode <l2tp|pptp|pppoe|sstp|ppp|cellular|qmi|cdc|gre|openvpn|ipsec|vxlan|xfrm|pppoa|pppoeoadsl|wireguard|ap|station|ad-hoc|repeater|monitor> **
Sets the working mode of the interface. Usually required for logical interfaces (PPP sessions, tunnels, VPN and IPSec profiles), or as a helper for hardware interfaces (e.g. «ap», «station», «ad-hoc», «repeater» or «monitor» for a WLAN radio; «cellular», «qmi» or «cdc» for a modem).

** use local WORD [peer <A.B.C.D|X:X::X:X|FQDN>] **
Uses the named interface or device as the underlay of a logical interface (e.g. «use local Wan» in the IPSec profile of the sample below). The remote side (IPv4 address, IPv6 address or FQDN) can optionally be given at the same time.

** use peer <A.B.C.D|X:X::X:X|FQDN> **
Specifies the remote side (IPv4 address, IPv6 address or FQDN) of a logical interface. The sample below also uses «use peer %any» for an IPSec profile that must accept any initiator; combined with a pre-shared key this means every party holding the key may connect, so reserve it for hub-style profiles such as the DM VPN one.

** use login NAME [second] **
Sets the connection username (login) where the mode requires one. The optional keyword «second» applies it to the second data connection through this interface.

** no use login [second] **
Remove previously configured login.

** use key SECRET [second] **
Sets the password, passphrase or key where the mode requires one (PPP password, WLAN passphrase, IPSec pre-shared key). The optional keyword «second» sets it for the second data connection through this interface. Secrets are kept in the running configuration in clear text, as the sample below shows, so treat configuration exports and backups as sensitive.

** no use key [second] **
Removes the password, passphrase or key. The optional keyword «second» removes it for the second data connection through this interface.

** use service-set WORD [second] **
Sets the service set (SSID, APN and so on) for the connection / interface. The optional keyword «second» applies it to the second data connection.

** no use service-set [second] **
Resets the service set. The optional keyword «second» applies to the second data connection.

** use auth-type <none|auto|pap|chap|wep|wpa-psk|wpa2-psk|wpa3-psk|eap|8021x|pubkey> [second] **
Sets the authentication type of the connection:
- «none» - no authentication;
- «auto» - automatic selection;
- «pap» - cleartext passphrase (PAP);
- «chap» - CHAP;
- «wep» - WiFi WEP;
- «wpa-psk» - WiFi WPA-PSK;
- «wpa2-psk» - WiFi WPA2-PSK;
- «wpa3-psk» - WiFi WPA3-PSK;
- «eap» - EAP with RADIUS backend;
- «8021x» - IEEE 802.1X;
- «pubkey» - public key.
The optional keyword «second» applies the setting to the second data connection. WEP and WPA (v1) are broken and should only be enabled for legacy clients; prefer «wpa2-psk» or «wpa3-psk» for PSK networks and «eap» / «8021x» with a RADIUS backend for enterprise ones. PAP sends the password in clear text over the link and is only acceptable inside an already encrypted tunnel (e.g. L2TP over IPSec). In the IPSec profiles of the sample below «pap» together with «use key» selects pre-shared key authentication.

** no use auth-type [second] **
Reset authentication type for connection. Second data connection can be specified.

** no use <mode|local|peer|mtu|transport|policy|pin> **
Resets the given interface setting to its default.

** use mtu (128-65536) **
Setup MTU for interface.

** no use mtu **
Reset fixed MTU size.

** member <bridge|bond> IFNAME **
Makes the interface a member of the named bridge or bond (e.g. «member bridge br0» for an Ethernet or WLAN port, «member bond aeql» for the two L2TP sessions in the sample below).

** no member <bridge|bond|zone> **
Releases the interface from the bridge, bond or firewall zone. Zone membership itself is assigned inside the «zone» configuration block (see the sample below), not with «member».

** ip address <dhcp|auto> [<backup|nodefaultroute|nopeerdns|nopeersettings>] **
Obtains the IPv4 address from DHCP («dhcp»), or in the way appropriate for this class of interface («auto», e.g. the address negotiated by the PPP peer for PPP-type links). The optional keyword selects which settings pushed by the remote side to ignore: the default route («nodefaultroute»), the DNS servers («nopeerdns») or all of them («nopeersettings»).

** no ip address <dhcp|auto> **
Stops obtaining the IPv4 address automatically.

** ip checkpoint A.B.C.D **
Sets a remote IPv4 address that is used to check (track) link connectivity.

** no ip checkpoint **
Clears the tracked IPv4 address.

** ip dhcp pool start A.B.C.D last A.B.C.D **
Enables the DHCP server on this interface and sets its address pool (e.g. «ip dhcp pool start 192.168.1.30 last 192.168.1.245» on br0 in the sample below; lease times are set in the global «dhcp» block).

** no ip dhcp pool **
Disables the DHCP server on this interface and clears the pool settings.

** ipv6 dhcp pool first X:X::X:X last X:X::X:X **
Enables the DHCPv6 server on this interface and sets its address pool.

** no ipv6 dhcp pool **
Disables the DHCPv6 server on this interface and clears the pool settings.

** ipv6 address <dhcp|auto> [<backup|nodefaultroute|nopeerdns|nopeersettings>] **
Obtains the IPv6 address from DHCPv6 («dhcp»), or in the way appropriate for this class of interface («auto», e.g. SLAAC). The optional keyword selects which settings pushed by the remote side to ignore: the default route («nodefaultroute»), the DNS servers («nopeerdns») or all of them («nopeersettings»).

** no ipv6 address <dhcp|auto> **
Stops obtaining the IPv6 address automatically.

** ipv6 checkpoint X:X::X:X **
Sets a remote IPv6 address that is used to check (track) link connectivity.

** no ipv6 checkpoint **
Clears the tracked IPv6 address.

** hw-address WORD **
Sets the MAC address used by the interface (e.g. 00:01:02:03:04:05).

** no hw-address **
Clears a previously configured MAC address.

** proxy-arp on **
Enable ARP proxy.

** no proxy-arp **
Disable ARP proxy.

PPP-type interface commands

** use ppp-options encap <vc|llc> **
Sets the ATM encapsulation for PPP over ATM / ADSL: «vc» (VC-multiplexed) or «llc» (LLC/SNAP).

** use ppp-options <passthrough|sync|nobuff|relay|bcp|nomaclocal|notagged> **
Sets boolean options for PPP-based connections / interfaces. E.g. «bcp» enables the Bridging Control Protocol, i.e. transfer of Ethernet frames through the PPP link.

** use ppp-options <vpi|vci|multilink|segmentid> (0-65535) **
Sets PPP options that take a numeric value. E.g. «vpi» and «vci» set the ATM virtual path / virtual channel identifiers for PPPoA, and «multilink» enables Multilink PPP with the MRRU set to the given value.

** no use ppp-options <passthrough|multilink|sync|nobuff|relay|bcp|nomaclocal|notagged|vpi|vci|segmentid|encap> **
Remove specified PPP options.

Bridge related commands

** bridge <priority|forward-delay|hello-time> (0-2147483647) **
Sets bridge (STP) parameters such as «priority» to values other than the defaults.

** no bridge <priority|forward-delay|hello-time> **
Returns the given bridge parameter to its default.

** bridge stp on **
Enable STP on the bridge.

** no bridge stp **
Disable STP on the bridge.

Wireless and cellular interface related commands

** use network-mode <auto|2g|3g|4g|5g|80211a|80211b|80211g|80211n|80211ac|80211ax> **
Selects the network mode, e.g. «80211ax» for WiFi 6 interfaces or «5g» for a 5G cellular connection. «auto» lets the hardware pick a suitable mode.

** no use network-mode **
Remove / reset selected network mode.

** use cellular-band <gsm|3g|lte|5g> (1-65535) **
Locks the modem to the given cellular band. Meaningful for cellular interfaces only; must not conflict with the «use network-mode» setting.

** no use cellular-band <gsm|3g|lte|5g> (1-65535) **
Clears band locking.

** use wireless <channel|power|gain|distance|sensetivity|tx-antenna|rx-antenna> (1-65535) **
Sets numeric WLAN parameters: the channel, transmit power, antenna gain, link distance, receive sensitivity and the TX / RX antenna selection (see the wlan0 block in the sample below).

** no use wireless <channel|power|gain|distance|sensetivity|tx-antenna|rx-antenna> **
Removes the given configuration value for the WLAN interface.

** use pin (0-999999999999) **
Sets the PIN code for the device / interface / connection (e.g. a SIM PIN).

** hide service-set **
Hides the service set (SSID) in beacons. This is not a security control: the SSID is still sent in probe requests and association frames by clients that know it, and hiding it provides no confidentiality for traffic. It does not replace proper authentication («use auth-type»).

** no hide service-set **
Does not hide the service set in beacons (default behaviour for WLAN).

** use wireless <qos|tkip|wep|isolation|vlans|power-management|hotspot|fast-roaming|force-fast-roaming|hotspot-eap-tls|hotspot-eap-ttls|hotspot-eap-peap|hotspot-eap-sim> **
Enables WLAN options:
- «qos» - QoS (WMM) mode;
- «tkip» - TKIP key management;
- «wep» - WEP;
- «isolation» - isolate clients from each other (AP only);
- «vlans» - assign dynamic VLANs (AP only);
- «power-management» - power management;
- «hotspot» - Hotspot 2.0;
- «fast-roaming» - fast roaming (802.11r);
- «force-fast-roaming» - force key management to FT only;
- «hotspot-eap-tls» - advertise the EAP-TLS method for Hotspot 2.0;
- «hotspot-eap-ttls» - advertise the EAP-TTLS method for Hotspot 2.0;
- «hotspot-eap-peap» - advertise the EAP-PEAP method for Hotspot 2.0;
- «hotspot-eap-sim» - advertise the EAP-SIM method for Hotspot 2.0.
«tkip» and «wep» exist for legacy clients only; both are broken and should stay disabled on an AP (the sample below sets «no use wireless tkip» explicitly). «isolation» is the usual choice for guest networks, as it stops clients from reaching each other through the AP.

** no use wireless <qos|tkip|wep|isolation|vlans|power-management|hotspot|fast-roaming|force-fast-roaming|hotspot-eap-tls|hotspot-eap-ttls|hotspot-eap-peap|hotspot-eap-sim> **
Resets / clears the given WLAN option.

** use wireless connection limit (1-65536) **
Limits the number of stations that may be connected to the AP at the same time.

** no use wireless connection limit **
Clears the limit on simultaneous connections to the AP.

** <permit|deny> hw-address WORD **
Adds a MAC address to the white list («permit») or black list («deny») that controls which stations may connect to the AP. Applies to AP mode. MAC addresses are trivially spoofed, so such a list is an administrative filter, not an authentication mechanism.

** no <permit|deny> hw-address **
Clears the white or black list of MAC addresses.

** use wireless ap hw-address WORD **
Sets the MAC address of the AP to connect to (station mode), e.g. 00:01:02:03:04:05.

** no use wireless ap hw-address **
Clears the MAC address of the AP to connect to.

** use wireless power constraint (1-255) **
Enables the power constraint advertised by the AP (AP mode) and sets the constraint value in dB.

** no use wireless power constraint **
Disables the power constraint for AP mode.

** use wireless channel-width <20mhz|5mhz|10mhz|40mhz|ht-|ht+|80mhz|80+80mhz|160mhz|160+160mhz|320mhz|1_5mhz|2_5mhz> **
Specifies the required channel width. It must be supported by the hardware and by the selected network mode:
- «40mhz», «20mhz», «10mhz», «5mhz» - fixed widths for modes older than WiFi 5 (802.11ac) and for special radio cards;
- «ht-» - 40 MHz with the control channel below the data channel (WiFi 4 (802.11n) mode and above);
- «ht+» - 40 MHz with the control channel above the data channel (WiFi 4 (802.11n) mode and above);
- «80mhz» - WiFi 5 (802.11ac) mode and above;
- «80+80mhz», «160mhz» - WiFi 5 (802.11ac Wave 2) mode and above;
- «160+160mhz» - WiFi 6E (802.11ax) mode and above.

** no use wireless channel-width **
Resets the previously configured WLAN channel width.

** use wireless qos <background|best-effort|video|voice> <interframe|mincw|maxcw|bursting|acms> (0-65535) **
Sets a Wireless Multimedia (WMM) parameter for the given access class: interframe interval, minimum contention window, maximum contention window, bursting time or ACM (admission control) value.

** no use wireless qos <background|best-effort|video|voice> <interframe|mincw|maxcw|bursting|acms> **
Resets the Wireless Multimedia parameter for the given class.

** use wireless <fast-roaming-domain|fast-roaming-key|fast-roaming-mac-list|hotspot-venue-name|hotspot-friendly-name|hotspot-mnc-mcc-list> WORD **
Sets Hotspot 2.0 and fast roaming parameters: the Mobility Domain (four hex digits), the roaming key (32 hex digits), a comma-separated MAC list (e.g. 00:01:02:03:04:05,00:01:02:03:04:06), the Hotspot 2.0 Venue Name, the Hotspot 2.0 Friendly Name (comma-separated list in different languages) and the list of MNC,MCC pairs (e.g. MNC1,MCC1;MNC1,MCC2). The roaming key is a shared secret between the APs of the mobility domain and is stored in clear text in the configuration; treat it like a password.

** no use wireless <fast-roaming-domain|fast-roaming-key|fast-roaming-mac-list|hotspot-venue-name|hotspot-friendly-name|hotspot-mnc-mcc-list> **
Resets / clears the given Hotspot 2.0 or fast roaming setting.

** use wireless hotspot-network-type <private|guest|chargeable|free> **
Specify hotspot 2.0 network type.

** no use wireless hotspot-network-type **
Reset WLAN hotspot 2.0 network type.

IPSEC related commands

** use submode <tunnel|transport> **
Specifies «tunnel» or «transport» mode. The sample below uses transport mode for both profiles, since L2TP and GRE already provide the encapsulation.

** use policy <start|trap> **
Specifies how the tunnel is initiated: immediately («start») or on demand, when matching traffic appears («trap»).

** no use ipsec <aggressive|mobike|multinet|stub|ikev1|ikev2|ikev1+v2> **
Clears / resets the given IPSec parameter.

** use ipsec <aggressive|mobike|multinet|stub> **
Enables IPSec related options:
«aggressive» - enables IKEv1 aggressive mode. With pre-shared keys, aggressive mode sends the identity and a hash derived from the PSK in the clear, so the PSK can be attacked offline; use main mode, or better IKEv2.
«mobike» - enables MOBIKE (IKEv2 mobility and multihoming).
«multinet» - allows every network on the left side to connect to every network on the right side.
«stub» - the IPSec connection will never come up; its traffic is excluded from policy.

** use ipsec <ikev1|ikev2|ikev1+v2> **
Specifies the IKE version to use; «ikev1+v2» accepts both. Prefer «ikev2» wherever the peer supports it, as both profiles in the sample below do.

** use ipsec <inactivity|rekey|reauth> time (60-31536000) **
Sets the inactivity, rekey and reauthentication timeouts in seconds (the sample below uses 28800 for rekey and 86400 for reauth).

** no use ipsec <inactivity|rekey|reauth> time **
Resets the given timeout to its default.

** use ipsec dead-peer <detection|delay> time (60-86400) **
Sets the dead peer detection timeouts in seconds.

** no use ipsec dead-peer <detection|delay> time **
Resets the dead peer detection timeouts to their defaults.

** use ipsec marker <incoming|outgoing> (1-65536) **
Applies the IPSec policy only to traffic carrying the given mark, in the incoming or outgoing direction.

** no use ipsec marker <incoming|outgoing> **
Stops matching marked traffic to IPSec.

** use ipsec reuse id (1-65536) **
Uses the given ID instead of an automatically assigned one.

** no use ipsec reuse id **
Assigns the ID automatically.

** use ipsec <first|second> phase ciphers WORD **
Specifies the cipher suite (cipher/hash/PFS group) for the first (IKE) and second (ESP) phase (e.g. AES128-GCM, or «aes256gcm128» as in the sample below; the sample shows «-» where the default suite is kept). Pin the suites explicitly on both peers rather than relying on defaults, so that a software update or a permissive peer cannot negotiate a weaker proposal.

** no use ipsec <first|second> phase ciphers **
Resets the cipher suite to the default.

** use ipsec <local|remote> side port (1-65536) **
Matches IPSec only for UDP or TCP traffic with the given source (local) or destination (remote) port, e.g. «use ipsec remote side port 1701» for L2TP in the sample below.

** no use ipsec <local|remote> side port **
Resets the port selection.

** use ipsec <local|remote> side <alias|network> WORD **
Sets the local or remote alias (e.g. «use ipsec local side alias 172.16.0.1» in the sample below) or network (e.g. 192.168.25.1).

** no use ipsec <local|remote> side <alias|network> **
Resets / clears the local or remote alias or network to its default.

** use ipsec for protocol <icmp|tcp|udp|gre> **
Matches the given protocol for IPSec. For TCP and UDP the source and/or destination port(s) can additionally be given with «use ipsec <local|remote> side port».

** no use ipsec for protocol **
Resets / clears the protocol setting to its default.

Configuration samples

DM VPN spoke, BGP and two L2TP connections secured by IPSec.

IPSec profiles are ipsec-tun1 and ipsec-dmvpn. The secrets in the sample («use key 1234567890», «use key test», the RADIUS key «testing123») are placeholders and must be replaced before deployment.

frr version 8.1
 frr defaults traditional
 hostname netshe_3171772038
 log syslog
 nhrp nflog-group 1
 !
 time zone GMT0
 time source pool.ntp.org
 wlan country 00
 start timeserver
 start dns relay
 start dhcp server
 start ip firewall
 start ipv6 firewall
 start ssh
 start http
 !
 aaa
  server radius 127.0.0.1 key testing123
 exit
 !
 !
 dns
  searchdomain localdomain
  bind forwarder to zone Lan
 exit
 !
 !
 dhcp
  lease time default 7200
  lease time max 86400
 exit
 !
 !
 ip firewall
  input policy deny
  output policy permit
  forward policy permit
  drop invalid
  syn flood protect rate 25 burst 50
 exit
 !
 !
 ipv6 firewall
  input policy deny
  output policy permit
  forward policy permit
  drop invalid
  syn flood protect rate 25 burst 50
 exit
 !
 !
 zone Lan
  interface br0
  interface aeql
  interface lo1
 !
  ip firewall
   input policy permit
   forward policy permit
   output policy permit
   fix mss output to Wan
   easy napt output to Wan
  exit
 !
 !
  ipv6 firewall
   input policy permit
   forward policy permit
   output policy permit
   fix mss output to Wan
   easy napt output to Wan
  exit
 !
 exit
 !
 !
 zone Wan
  interface eth0
 !
  ip firewall
   input policy deny
   forward policy permit
   output policy permit
   fix mss output to Lan
   rule permit icmp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0
   rule permit tcp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0 port 443
   rule permit tcp source 0.0.0.0 mask 0 destination 0.0.0.0 mask 0 port 444
  exit
 !
 !
  ipv6 firewall
   input policy deny
   forward policy permit
   output policy permit
   fix mss output to Lan
   rule permit icmp source :: mask 0 destination :: mask 0
   rule permit tcp source :: mask 0 destination :: mask 0 port 443
   rule permit tcp source :: mask 0 destination :: mask 0 port 444
  exit
 !
 exit
 !
 !
 zone Dmz
 !
  ip firewall
   input policy deny
   forward policy permit
   output policy permit
  exit
 !
 !
  ipv6 firewall
   input policy deny
   forward policy permit
   output policy permit
  exit
 !
 exit
 !
 !
 debug nhrp common
 !
 interface aeql
  ip address 169.254.255.255/32
 exit
 !
 interface br0
  bridge stp on
  ip dhcp pool start 192.168.1.30 last 192.168.1.245
 exit
 !
 interface eth0
  ip address dhcp
  ipv6 address dhcp
 exit
 !
 interface eth1
  member bridge br0
 exit
 !
 interface ipsec-dmvpn
  use auth-type pap
  use ipsec first phase ciphers -
  use ipsec for protocol gre
  use ipsec ikev2
  use ipsec local side alias 172.16.0.1
  use ipsec reauth time 86400
  use ipsec rekey time 28800
  use ipsec second phase ciphers -
  use key 1234567890
  use mode ipsec
  use peer %any
  use policy trap
  use submode transport
 exit
 !
 interface ipsec-tun1
  use auth-type pap
  use ipsec first phase ciphers -
  use ipsec for protocol udp
  use ipsec ikev2
  use ipsec reauth time 86400
  use ipsec rekey time 28800
  use ipsec remote side port 1701
  use ipsec second phase ciphers aes256gcm128
  use key 1234567890
  use local Wan
  use mode ipsec
  use peer 192.168.26.201
  use policy trap
  use submode transport
 exit
 !
 interface l2tp1
  ip address auto
  member bond aeql
  use key test
  use login test
  use mode l2tp
  use peer 151.106.24.26
 exit
 !
 interface l2tp2
  ip address auto
  member bond aeql
  use key test
  use login test
  use mode l2tp
  use peer 151.106.24.27
 exit
 !
 interface lo1
  ip address 169.254.255.254/32
 exit
 !
 interface wlan0
  hide service-set
  member bridge br0
  no use wireless tkip
  use auth-type wpa3-psk
  use key 1234567890
  use mode ap
  use network-mode 80211n
  use service-set MyNETWORK
  use wireless channel 1
  use wireless channel-width 20mhz
  use wireless connection limit 20
  use wireless distance 900
  use wireless gain 13
  use wireless power 20
  use wireless power constraint 20
  use wireless qos
  use wireless rx-antenna 11
  use wireless tx-antenna 11
 exit
 !
 interface xdmvpn.auto.1
  ip nhrp network-id 1
  ip nhrp redirect
  ip nhrp registration no-unique
  ip nhrp shortcut
  tunnel protection vici profile ipsec-dmvpn
  tunnel source eth0
 exit
 !
 router bgp 65000
  bgp router-id 172.16.0.1
  no bgp ebgp-requires-policy
  bgp deterministic-med
  no bgp network import-check
  timers bgp 20 60
  neighbor spokes-ibgp peer-group
  neighbor spokes-ibgp remote-as 65000
  neighbor spokes-ibgp passive
  neighbor spokes-ibgp disable-connected-check
  neighbor spokes-ibgp advertisement-interval 1
  !
  address-family ipv4 unicast
   network 172.16.0.0/23
   redistribute nhrp
   neighbor spokes-ibgp route-reflector-client
   neighbor spokes-ibgp next-hop-self force
   neighbor spokes-ibgp soft-reconfiguration inbound
  exit-address-family
 exit
 !
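The following Python script is an added example (not code from the router project or from this page) that ties the «use auth-type» / «use wireless» options, the «use ipsec» options and the L2TP-over-IPSec scenario of the configuration sample together: it parses top-level «interface» blocks in the format shown in the sample and reports the settings this page documents as weak or default-dependent (WEP, WPA (v1), TKIP, hidden SSID, short PSK; IKEv1, aggressive mode, unpinned cipher suites, «%any» peers with a pre-shared key; and L2TP sessions whose peer has no matching IPSec profile on udp/1701). Assumptions, marked in the code: the block layout («interface NAME» ... «exit», with zone, firewall and router blocks closed by their own «exit» and «interface» lines inside a zone being membership entries), the severity levels, the 12-character PSK threshold, and the strongSwan-style IKE proposal string in the constructed sample input, which is not the page's own sample.

```python
"""Audit interface blocks of a vtysh-style running configuration (added example)."""
from __future__ import annotations

# Top-level keywords that open a block closed by a later `exit`. Inside a zone an
# `interface X` line only names a member, so `interface` opens a block at depth 0 only.
OPENERS = ("aaa", "dns", "dhcp", "ip firewall", "ipv6 firewall", "zone ", "router ", "address-family ")
MIN_PSK_LEN = 12  # assumed threshold, not a value from the page


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each top-level `interface NAME` block to its stripped command lines."""
    ifaces: dict[str, list[str]] = {}
    depth, current = 0, None
    for line in (l for l in map(str.strip, config.splitlines()) if l and l != "!"):
        if line in ("exit", "exit-address-family"):
            current = None if depth == 1 else current
            depth = max(depth - 1, 0)
        elif current is not None:
            current.append(line)
        elif depth == 0 and line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
            depth += 1
        elif line.startswith(OPENERS):
            depth += 1
    return ifaces


def val(lines: list[str], cmd: str) -> str | None:
    """Argument of the first `cmd ARG` line, or None when the command is absent."""
    return next((l[len(cmd) + 1:] for l in lines if l.startswith(cmd + " ")), None)


def audit_ap(name: str, lines: list[str]) -> list[tuple[str, str, str]]:
    """`use mode ap` checks: open/WEP, WPA1, TKIP, hidden SSID, short PSK."""
    auth = val(lines, "use auth-type") or "none"
    key = val(lines, "use key") or ""
    checks = [
        (auth in ("none", "wep") or "use wireless wep" in lines, "high", f"open or WEP AP (auth-type {auth})"),
        (auth == "wpa-psk", "medium", "WPA (v1) PSK; use wpa2-psk or wpa3-psk"),
        ("use wireless tkip" in lines, "medium", "TKIP enabled; leave CCMP only"),
        ("hide service-set" in lines, "info", "hidden SSID is not a security control"),
        (auth.endswith("-psk") and len(key) < MIN_PSK_LEN, "medium", f"PSK shorter than {MIN_PSK_LEN} chars"),
    ]
    return [(name, sev, msg) for hit, sev, msg in checks if hit]


def audit_ipsec(name: str, lines: list[str]) -> list[tuple[str, str, str]]:
    """`use mode ipsec` checks: IKEv1, aggressive mode, unpinned ciphers, %any peer with PSK."""
    unpinned = [p for p in ("first", "second") if val(lines, f"use ipsec {p} phase ciphers") in (None, "-")]
    checks = [
        ("use ipsec ikev1" in lines or "use ipsec ikev1+v2" in lines, "medium", "IKEv1 accepted; prefer ikev2"),
        ("use ipsec aggressive" in lines, "high", "IKEv1 aggressive mode exposes the PSK hash to offline cracking"),
        (bool(unpinned), "info", f"ciphers left at default in {' and '.join(unpinned)} phase"),
        (val(lines, "use peer") == "%any" and val(lines, "use auth-type") == "pap", "info", "any holder of the shared key may connect"),
    ]
    return [(name, sev, msg) for hit, sev, msg in checks if hit]


def audit(config: str) -> list[tuple[str, str, str]]:
    """Per-interface checks, then: each L2TP session needs an IPSec profile for its peer on udp/1701."""
    ifaces = parse_interfaces(config)
    mode = {n: val(l, "use mode") for n, l in ifaces.items()}
    out: list[tuple[str, str, str]] = []
    for n, l in ifaces.items():
        if mode[n] == "ap":
            out += audit_ap(n, l)
        elif mode[n] == "ipsec":
            out += audit_ipsec(n, l)
    profiles = [l for n, l in ifaces.items() if mode[n] == "ipsec"]
    for n, l in ifaces.items():
        if mode[n] != "l2tp":
            continue
        peer = val(l, "use peer")
        if not any(val(p, "use peer") in (peer, "%any") and val(p, "use ipsec for protocol") == "udp"
                   and val(p, "use ipsec remote side port") == "1701" for p in profiles):
            out.append((n, "high", f"L2TP to {peer} has no IPSec profile for udp/1701"))
    return out


# Constructed input in the page's configuration format (not the page's sample): one hardened
# and one weak AP, one pinned IKEv2 profile and one legacy profile, two L2TP sessions. The IKE
# proposal string follows strongSwan syntax (assumption).
SAMPLE_CONFIG = """\
 interface wlan0
  use auth-type wpa3-psk
  use key correct-horse-battery-staple
  use mode ap
 exit
 interface wlan1
  hide service-set
  use auth-type wpa-psk
  use key 12345678
  use mode ap
  use wireless tkip
 exit
 interface ipsec-tun1
  use ipsec first phase ciphers aes256gcm128-sha256-ecp256
  use ipsec for protocol udp
  use ipsec ikev2
  use ipsec remote side port 1701
  use ipsec second phase ciphers aes256gcm128
  use mode ipsec
  use peer 198.51.100.10
 exit
 interface ipsec-legacy
  use auth-type pap
  use ipsec aggressive
  use ipsec first phase ciphers -
  use ipsec ikev1
  use mode ipsec
  use peer %any
 exit
 interface l2tp1
  use mode l2tp
  use peer 198.51.100.10
 exit
 interface l2tp2
  use mode l2tp
  use peer 198.51.100.11
 exit
"""

if __name__ == "__main__":
    for iface, severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {iface:13} {message}")
```

Run it as a script to print the findings for the constructed input, or pass the text of the running configuration to audit(). The checks are deliberately limited to what the command descriptions on this page let one decide from the configuration alone; whether the default cipher suite is acceptable, or whether a «%any» profile is intended (as for a DM VPN hub), still needs a human decision, which is why those are reported as «info».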