Ethernet
Ethernet interfaces (e.g., eth0, eth1) represent the host’s physical
or virtual network ports.
They are the most common interface type, serving as the base layer upon which IP addresses, VLANs, and tunnels are configured to carry traffic across both LANs and WANs.
Configuration
Common interface configuration
Configure the interface with one or more IP addresses.
The following options are available:
address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.
dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.
dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.
Note
If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:
/config/scripts/dhcp-client/pre-hooks.d//config/scripts/dhcp-client/post-hooks.d/
Example:
set interfaces ethernet eth0 address 192.0.2.1/24
set interfaces ethernet eth0 address 2001:db8::1/64
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 address dhcpv6
Configure a clear, descriptive alias for the interface.
This alias appears in the show interfaces command and SNMP-based
monitoring tools.
Example:
set interfaces ethernet eth0 description 'This is an interface running on VyOS.'
Disable the interface.
The interface will be set to the administratively down
(A/D) state.
Example:
set interfaces ethernet eth0 disable
Disable Ethernet flow control (IEEE 802.3x pause frames) on the interface.
Ethernet flow control, defined by the IEEE 802.3x standard, temporarily stops data transmission to prevent packet loss during network congestion. For example, when a sender transmits data faster than the receiver can process it.
Disabling Ethernet flow control means the interface will not signal the connected device to pause transmission and will drop packets if overwhelmed.
Example:
set interfaces ethernet eth0 disable-flow-control
Disable physical link-state change detection on the interface, such as when a cable is unplugged.
By default, the interface detects physical link-state changes.
Example:
set interfaces ethernet eth0 disable-link-detect
Configure a custom MAC address on the interface.
Example:
set interfaces ethernet eth0 mac '00:53:01:02:03:04'
Configure the MTU on the interface.
This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.
Example:
set interfaces ethernet eth0 mtu 1600
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.
The default duration is 30 seconds.
An ARP entry remains valid if it receives positive feedback from higher-level protocols.
Example:
set interfaces ethernet eth0 ip arp-cache-timeout 180
Configure ARP filtering on this interface.
Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.
If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.
Example:
set interfaces ethernet eth0 ip disable-arp-filter
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 ip disable-forwarding
Configure whether to forward IP-directed broadcast packets received on this interface.
Default behavior: IP-directed broadcast packets are dropped.
If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.
Example:
set interfaces ethernet eth0 ip enable-directed-broadcast
Configure how to process gratuitous ARPs on this interface.
If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.
Note
If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.
Example:
set interfaces ethernet eth0 ip enable-arp-accept
Configure the source IP selection for ARP requests on this interface.
Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.
If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).
Example:
set interfaces ethernet eth0 ip enable-arp-announce
Configure which ARP requests will be ignored on this interface.
Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.
If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.
Example:
set interfaces ethernet eth0 ip enable-arp-ignore
Configure proxy ARP on this interface.
If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.
Example:
set interfaces ethernet eth0 ip enable-proxy-arp
Configure local proxy ARP on the interface.
If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.
This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.
By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.
Note
This command works independently and does not require enabling the standard proxy ARP on the interface.
Local proxy ARP is also known as:
VLAN aggregation (RFC 3069).
Private VLAN (Cisco, Allied Telesyn).
Source-port filtering or port isolation (Hewlett-Packard).
MAC-Forced Forwarding (Ericsson).
Configure source IP address validation using RPF on this interface, as specified in RFC 3704.
The following options are available:
strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.
loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.
disable: No source IP address validation is performed. All incoming packets are accepted.
RFC 3704 recommends enabling strict mode to prevent IP spoofing, such as DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.
Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.
IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface.
Example:
set interfaces ethernet eth0 ipv6 address autoconf
Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.
Example:
set interfaces ethernet eth0 ipv6 address eui64 2001:db8:beef::/64
Disable the automatic assignment of a link-local IPv6 address to this interface.
Example:
set interfaces ethernet eth0 ipv6 address no-default-link-local
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 ipv6 disable-forwarding
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure IPv6 DAD on the interface.
The following options are available:
0: Disables DAD. No duplicate address detection is performed.
1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.
2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.
Example:
set interfaces ethernet eth0 ipv6 accept-dad 2
Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.
The default value is 1.
Example:
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 5
Assign the interface to a specific VRF instance.
See also
For information on configuring a VRF, refer to the VRF section.
Example:
set interfaces ethernet eth0 vrf red
DHCP(v6)
Configure a DHCP client identifier for the interface, as specified in RFC 2131.
The client-id is an identifier that the DHCP client sends to the DHCP
server to uniquely identify itself for IP address assignment. By default,
the client uses its MAC address. The <description> is a user-defined
string that will be sent to the DHCP server as the DHCP client identifier.
Example:
set interfaces ethernet eth0 dhcp-options client-id 'foo-bar'
Configure a specific hostname for the interface.
Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.
Example:
set interfaces ethernet eth0 dhcp-options host-name 'VyOS'
Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.
The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.
Example:
set interfaces ethernet eth0 dhcp-options vendor-class-id 'VyOS'
Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.
Example:
set interfaces ethernet eth0 dhcp-options no-default-route
Configure the distance for the default route obtained from the DHCP server on this interface.
Example:
set interfaces ethernet eth0 dhcp-options default-route-distance 220
Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.
This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).
Example:
set interfaces ethernet eth0 dhcp-options reject 192.168.100.0/24
Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.
The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).
Example:
set interfaces ethernet eth0 dhcp-options user-class VyOS
Configure a specific DUID for the DHCPv6 client on this interface.
The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:
DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.
DUID-EN: Is based on a vendor’s enterprise number and a unique identifier assigned by the vendor.
DUID-LL: Includes only a MAC address.
The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.
Example:
set interfaces ethernet eth0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
Configure the DHCP client not to send a release message when it stops running on this interface.
This helps retain the assigned address or prefix.
Example:
set interfaces ethernet eth0 dhcpv6-options no-release
Enable a stateless DHCPv6 client mode on this interface.
In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.
Example:
set interfaces ethernet eth0 dhcpv6-options parameters-only
Enable DHCPv6 rapid commit on this interface.
When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).
Example:
set interfaces ethernet eth0 dhcpv6-options rapid-commit
Configure the DHCPv6 client to request a temporary IPv6 address on this interface.
When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.
Example:
set interfaces ethernet eth0 dhcpv6-options temporary
DHCPv6 Prefix Delegation (PD)
VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.
Configure a specific prefix length for DHCPv6-PD requests on this interface.
Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.
The default value is 64.
To request a /56 prefix from your ISP, use:
set interfaces ethernet eth0 dhcpv6-options pd 0 length 56
Configure the IPv6 interface identifier (host portion) for the delegatee interface.
The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.
By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).
Example:
If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 address 65534
Configure the SLA ID for the delegatee interface.
The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.
Example:
If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the
resulting subnet prefix for the delegatee interface will be
2001:db8:ffff:1::/64.
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth8 sla-id 1
Enable switchdev mode for the interface.
In switchdev mode, the interface offloads traffic switching between ports
to the hardware, bypassing the host CPU. This increases the interface’s
traffic-handling capacity and reduces its forwarding delay.
Note
switchdev mode is available only on certain physical network
interfaces and requires a switchdev-compatible driver.
Ethernet options
Configure duplex mode for the interface.
The following duplex modes are available:
auto: The interface negotiates the duplex mode with the connected device.full: The interface sends and receives data simultaneously. The connected device must also be set to full-duplex to avoid a duplex mismatch.half: The interface either sends or receives data, but not both at the same time.
The default duplex mode is auto.
Configure the interface’s speed, in Mbit/s.
The following options are available:
auto: The interface negotiates the speed with the connected device.
10, 100, 1000 ...: The interface operates at the selected speed. The connected device must be set to the same speed to establish a connection.The default option is
auto.
Configure the receive (RX) ring buffer size for the interface.
The RX ring buffer size defines the number of incoming packets the interface can queue in hardware before the CPU processes them.
Higher values reduce the risk of drops when the NIC receives network traffic faster than the CPU can process it, though latency may increase. Lower values reduce latency but increase the risk of packet drops during incoming traffic bursts.
To view supported values for a specific interface, use:
ethtool -g <interface>
Configure the transmit (TX) ring buffer size.
The TX ring buffer size defines the number of outgoing packets the interface can queue in hardware before they are transmitted onto the network.
Higher values reduce the risk of drops when the CPU generates traffic faster than the NIC can handle, though latency may increase. Lower values reduce latency but increase the risk of packet drops during outgoing traffic bursts.
To view supported values for a specific interface, use:
ethtool -g <interface>
Interrupt Coalescing
Interrupt coalescing is a mechanism that reduces CPU interrupt load by bundling multiple packets into a single interrupt event instead of interrupting the CPU for every packet arrival or transmission.
Note
Not all network drivers or virtual interfaces support all
coalescing parameters. Use ethtool --show-coalesce <interface>
to verify which settings are supported by your hardware and driver.
Basic adaptive coalescing
Enable adaptive interrupt coalescing. The NIC automatically tunes RX/TX interrupt pacing based on traffic patterns to reduce CPU utilization during high throughput while preserving latency at low packet rates.
Basic interrupt delay
Set the delay in microseconds before generating an RX/TX interrupt after receiving or transmitting a packet. Lower values reduce latency; higher values reduce CPU load.
Interrupt frame thresholds
Generate an RX/TX interrupt only after the specified number of packets have been received or transmitted.
IRQ-specific coalescing
Control interrupt coalescing parameters while the driver is already servicing an interrupt (IRQ context). These settings allow finer tuning of interrupt behavior under sustained load.
Adaptive rate thresholds
Define packet-rate thresholds (packets per second) used by adaptive coalescing to switch between low-rate and high-rate interrupt coalescing profiles.
Low-rate adaptive parameters
Interrupt coalescing parameters applied when the packet rate is below
pkt-rate-low. Typically optimized for lower latency.
High-rate adaptive parameters
Interrupt coalescing parameters applied when the packet rate exceeds
pkt-rate-high. Typically optimized for maximum throughput and
reduced CPU utilization.
Statistics and sampling
Control how frequently coalescing statistics are updated and how often the NIC samples traffic rates for adaptive coalescing decisions.
Completion queue (CQE) mode
Enable RX/TX Completion Queue Entry (CQE) mode, if supported by the driver. CQE mode can improve performance on high-speed NICs by optimizing completion handling.
Transmit aggregation
Offloading
Configure the offloading features for the interface.
The interface offloading features define whether specific packet-processing tasks are performed by hardware (the NIC) or by software (the kernel). You can enable multiple offloading features for a single interface.
lro(Large Receive Offload): Instructs the NIC to merge multiple incoming packets into one larger packet before sending it to the CPU.Note
LRO hardware support is often limited to TCP/IPv4 packets. For details on LRO limitations, see https://lwn.net/Articles/358910/
Warning
LRO irreversibly alters packet headers during merging. This prevents the merged packet from being correctly split back into the original packets, causing packet drops and forwarding failures on routers and bridges. Use LRO only for end-hosts that do not forward traffic.
tso(TCP Segmentation Offload): Instructs the NIC to split large TCP packets into smaller ones before transmitting them to the network.Important: SG must be enabled for TSO to work. Additionally, GSO should be enabled as a safety fallback; it ensures that if traffic is rerouted to hardware without TSO support, the kernel can still segment the packets, preventing transmission failures.
gso(Generic Segmentation Offload): Instructs the kernel to split large packets into smaller ones before sending them to the NIC.GSO serves as a software fallback for hardware that does not support TSO or for protocols (like UDP) that hardware cannot offload.
Important: SG must be enabled for GSO to work.
gro(Generic Receive Offload): Instructs the kernel to merge multiple incoming packets into one larger packet before passing it to upper protocol layers.Unlike LRO, GRO preserves the necessary packet metadata so the merged packet can be correctly split back into the original packets. This makes GRO safe for use on routers and bridges.
Note
The exception is for IPv4 IDs. If the “Don’t Fragment” (DF) bit is set and IDs are not sequential, GSO alters them to maintain a consistent sequence for GSO compatibility.
rps(Receive Packet Steering): Instructs the kernel to distribute the processing of incoming packets across multiple CPU cores.The kernel calculates a hash from packet headers (IP addresses and ports) to ensure packets from the same flow are processed by the same CPU core.
Note
RPS is a software version of RSS and is useful for NICs without hardware multi-queue support.
sg(Scatter-Gather/Scatter-Gather DMA): Instructs the NIC to fetch data fragments from various RAM locations and transmit them as a single packet to the network, eliminating the need for the kernel to copy them into a contiguous block first.
802.1X (EAPOL) authentication
Overview
IEEE 802.1X is a security standard that enforces access control at the data link layer. It blocks all traffic on a port until the connecting device proves its identity. The EAPOL protocol transports credentials between the client (supplicant) and the network switch (authenticator). The switch forwards these credentials to a backend authentication server, typically RADIUS, which verifies them and authorizes the connection.
The VyOS router acts as the supplicant, authenticating with upstream network equipment such as ISP gateways or enterprise switches. Authentication uses X.509 certificates to validate the identities of both the router and the authentication server.
The EAPOL protocol requires the supplicant (the router) to provide an identity string to the authentication server during the initial handshake. If no identity is configured, VyOS uses the Ethernet interface’s MAC address as the identity string.
Configuration
Prerequisites: Before configuring 802.1X (EAPOL) authentication, upload the required CA certificate, client certificate, and private key to the router and import them into the PKI system.
Note
The client certificate and private key must share the same PKI name.
See also
For more information about managing certificates and keys, see the PKI section.
Configure the trusted CA certificate for the interface.
The router uses this certificate to validate the authentication server’s identity.
<name> is the CA certificate name as
defined in the PKI system.
Note
If you specify an intermediate CA certificate, ensure the full certificate chain, including the root and all higher-level intermediate CA certificates, is available to the system.
Example:
set pki ca eapol-server-intermediate-ca <server intermediate CA contents>
set pki ca eapol-server-root-ca <server root CA contents>
set interfaces ethernet eth0 eapol ca-certificate eapol-server-intermediate-ca
Configure the client certificate for the interface.
The router uses this certificate to prove its identity to the authentication server.
<name> is the client certificate name as defined in the PKI system.
During authentication, all parent CA certificates of the client certificate, such as intermediate and root CA certificates, are automatically sent as part of the EAP-TLS handshake.
Example:
set pki ca eapol-client-intermediate-ca <client intermediate CA contents>
set pki ca eapol-client-root-ca <client root CA contents>
set pki certificate eapol-client certificate <client certificate contents>
set pki certificate eapol-client private key <client private key contents>
set interfaces ethernet eth0 eapol certificate eapol-client
EVPN Multihoming
Uplink/core tracking.
Configure this interface as an EVPN-MH uplink interface.
If all uplink interfaces on a PE device go down, this PE device loses access to the VXLAN overlay. To prevent traffic blackholing, the PE device forces a protocol shutdown (protodown) of its downstream EVPN-MH interfaces.
The following example configures eth0 as an EVPN-MH uplink interface:
set interfaces ethernet eth0 evpn uplink
VLAN
Regular VLANs (802.1q)
IEEE 802.1q, often referred to as Dot1q, is the industry standard for implementing VLANs on Ethernet networks. It defines VLAN tagging for Ethernet frames and outlines procedures for bridges and switches. The standard also includes quality-of-service prioritization (IEEE 802.1p) and defines the Generic Attribute Registration Protocol.
VLAN-aware network segments (i.e., IEEE 802.1q conformant) use VLAN tags. When a frame enters such a segment, a tag is added to indicate VLAN membership. Each frame can belong to only one VLAN. If a frame arrives without a tag, it is assumed to be part of the native VLAN.
IEEE 802.1, a working group of the IEEE 802 standards committee, has developed the standard and continues to revise it. One notable revision is 802.1Q-2014, which incorporated IEEE 802.1aq (Shortest Path Bridging) and much of the IEEE 802.1d standard.
In VyOS, 802.1q VLAN interfaces are represented as virtual subinterfaces,
referred to as vif.
Configure a VLAN interface with a unique VLAN ID.
VLAN ID identifies a specific VLAN and ranges from 0 to 4094.
You can configure multiple VLAN interfaces on a single physical interface.
Note
Only 802.1Q-tagged packets are accepted on Ethernet vifs.
Configure the interface with one or more IP addresses.
The following options are available:
address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.
dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.
dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.
Note
If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:
/config/scripts/dhcp-client/pre-hooks.d//config/scripts/dhcp-client/post-hooks.d/
Example:
set interfaces ethernet eth0 vif 10 address 192.0.2.1/24
set interfaces ethernet eth0 vif 10 address 2001:db8::1/64
set interfaces ethernet eth0 vif 10 address dhcp
set interfaces ethernet eth0 vif 10 address dhcpv6
Configure a clear, descriptive alias for the interface.
This alias appears in the show interfaces command and SNMP-based
monitoring tools.
Example:
set interfaces ethernet eth0 vif 10 description 'This is an interface running on VyOS.'
Disable the interface.
The interface will be set to the administratively down
(A/D) state.
Example:
set interfaces ethernet eth0 vif 10 disable
Disable physical link-state change detection on the interface, such as when a cable is unplugged.
By default, the interface detects physical link-state changes.
Example:
set interfaces ethernet eth0 vif 10 disable-link-detect
Configure a custom MAC address on the interface.
Example:
set interfaces ethernet eth0 vif 10 mac '00:53:01:02:03:04'
Configure the MTU on the interface.
This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.
Example:
set interfaces ethernet eth0 vif 10 mtu 1600
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.
The default duration is 30 seconds.
An ARP entry remains valid if it receives positive feedback from higher-level protocols.
Example:
set interfaces ethernet eth0 vif 10 ip arp-cache-timeout 180
Configure ARP filtering on this interface.
Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.
If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.
Example:
set interfaces ethernet eth0 vif 10 ip disable-arp-filter
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 vif 10 ip disable-forwarding
Configure whether to forward IP-directed broadcast packets received on this interface.
Default behavior: IP-directed broadcast packets are dropped.
If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.
Example:
set interfaces ethernet eth0 vif 10 ip enable-directed-broadcast
Configure how to process gratuitous ARPs on this interface.
If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.
Note
If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.
Example:
set interfaces ethernet eth0 vif 10 ip enable-arp-accept
Configure the source IP selection for ARP requests on this interface.
Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.
If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).
Example:
set interfaces ethernet eth0 vif 10 ip enable-arp-announce
Configure which ARP requests will be ignored on this interface.
Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.
If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.
Example:
set interfaces ethernet eth0 vif 10 ip enable-arp-ignore
Configure proxy ARP on this interface.
If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.
Example:
set interfaces ethernet eth0 vif 10 ip enable-proxy-arp
Configure local proxy ARP on the interface.
If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.
This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.
By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.
Note
This command works independently and does not require enabling the standard proxy ARP on the interface.
Local proxy ARP is also known as:
VLAN aggregation (RFC 3069).
Private VLAN (Cisco, Allied Telesyn).
Source-port filtering or port isolation (Hewlett-Packard).
MAC-Forced Forwarding (Ericsson).
Configure source IP address validation using RPF on this interface, as specified in RFC 3704.
The following options are available:
strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.
loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.
disable: No source IP address validation is performed. All incoming packets are accepted.
RFC 3704 recommends enabling strict mode to prevent IP spoofing, such as DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.
Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.
IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface.
Example:
set interfaces ethernet eth0 vif 10 ipv6 address autoconf
Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.
Example:
set interfaces ethernet eth0 vif 10 ipv6 address eui64 2001:db8:beef::/64
Disable the automatic assignment of a link-local IPv6 address to this interface.
Example:
set interfaces ethernet eth0 vif 10 ipv6 address no-default-link-local
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 vif 10 ipv6 disable-forwarding
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure IPv6 DAD on the interface.
The following options are available:
0: Disables DAD. No duplicate address detection is performed.
1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.
2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.
Example:
set interfaces ethernet eth0 vif 10 ipv6 accept-dad 2
Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.
The default value is 1.
Example:
set interfaces ethernet eth0 vif 10 ipv6 dup-addr-detect-transmits 5
Assign the interface to a specific VRF instance.
See also
For information on configuring a VRF, refer to the VRF section.
Example:
set interfaces ethernet eth0 vif 10 vrf red
DHCP(v6)
Configure a DHCP client identifier for the interface, as specified in RFC 2131.
The client-id is an identifier that the DHCP client sends to the DHCP
server to uniquely identify itself for IP address assignment. By default,
the client uses its MAC address. The <description> is a user-defined
string that will be sent to the DHCP server as the DHCP client identifier.
Example:
set interfaces ethernet eth0 vif 10 dhcp-options client-id 'foo-bar'
Configure a specific hostname for the interface.
Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.
Example:
set interfaces ethernet eth0 vif 10 dhcp-options host-name 'VyOS'
Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.
The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.
Example:
set interfaces ethernet eth0 vif 10 dhcp-options vendor-class-id 'VyOS'
Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.
Example:
set interfaces ethernet eth0 vif 10 dhcp-options no-default-route
Configure the distance for the default route obtained from the DHCP server on this interface.
Example:
set interfaces ethernet eth0 vif 10 dhcp-options default-route-distance 220
Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.
This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).
Example:
set interfaces ethernet eth0 vif 10 dhcp-options reject 192.168.100.0/24
Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.
The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).
Example:
set interfaces ethernet eth0 vif 10 dhcp-options user-class VyOS
Configure a specific DUID for the DHCPv6 client on this interface.
The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:
DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.
DUID-EN: Is based on a vendor’s enterprise number and a unique identifier assigned by the vendor.
DUID-LL: Includes only a MAC address.
The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.
Example:
set interfaces ethernet eth0 vif 10 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
Configure the DHCP client not to send a release message when it stops running on this interface.
This helps retain the assigned address or prefix.
Example:
set interfaces ethernet eth0 vif 10 dhcpv6-options no-release
Enable a stateless DHCPv6 client mode on this interface.
In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.
Example:
set interfaces ethernet eth0 vif 10 dhcpv6-options parameters-only
Enable DHCPv6 rapid commit on this interface.
When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).
Example:
set interfaces ethernet eth0 vif 10 dhcpv6-options rapid-commit
Configure the DHCPv6 client to request a temporary IPv6 address on this interface.
When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.
Example:
set interfaces ethernet eth0 vif 10 dhcpv6-options temporary
DHCPv6 Prefix Delegation (PD)
VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.
Configure a specific prefix length for DHCPv6-PD requests on this interface.
Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.
The default value is 64.
To request a /56 prefix from your ISP, use:
set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 length 56
Configure the IPv6 interface identifier (host portion) for the delegatee interface.
The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.
By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).
Example:
If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.
set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 address 65534
Configure the SLA ID for the delegatee interface.
The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.
Example:
If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the
resulting subnet prefix for the delegatee interface will be
2001:db8:ffff:1::/64.
set interfaces ethernet eth0 vif 10 dhcpv6-options pd 0 interface eth8 sla-id 1
802.1ad (QinQ)
Overview
IEEE 802.1ad, commonly known as QinQ, is an Ethernet standard first published as an amendment to 802.1q in 2005, then officially merged into the base standard in 2011.
Unlike the original 802.1q, which allows a single VLAN header per Ethernet frame, QinQ allows two VLAN headers per Ethernet frame, for the inner and the outer VLAN tags. Most often the inner VLAN tag comes from a customer while the outer tag is used by the service provider to differentiate between traffic of different customers.
Frame structure and ethertypes
The IEEE 802.1ad (QinQ) frame includes two VLAN tags:
The outer service tag (S-TAG): The S-TAG is typically added by the provider.
It uses the Ethertype 0x88a8 by default.
The inner customer tag (C-TAG): The C-TAG is generated by the customer’s equipment and remains unchanged during transit. It uses the Ethertype 0x8100.
Implementation in VyOS
In VyOS, these tag types are associated with the following CLI options:
vif-s: Corresponds to the S-TAG (Ethertype 0x88a8).vif-c: Corresponds to the C-TAG (Ethertype 0x8100).
Configure the interface with one or more IP addresses.
The following options are available:
address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.
dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.
dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.
Note
If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:
/config/scripts/dhcp-client/pre-hooks.d//config/scripts/dhcp-client/post-hooks.d/
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 192.0.2.1/24
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address 2001:db8::1/64
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address dhcp
set interfaces ethernet eth0 vif-s 1000 vif-c 20 address dhcpv6
Configure a clear, descriptive alias for the interface.
This alias appears in the show interfaces command and SNMP-based
monitoring tools.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 description 'This is an interface running on VyOS.'
Disable the interface.
The interface will be set to the administratively down
(A/D) state.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable
Disable physical link-state change detection on the interface, such as when a cable is unplugged.
By default, the interface detects physical link-state changes.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 disable-link-detect
Configure a custom MAC address on the interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 mac '00:53:01:02:03:04'
Configure the MTU on the interface.
This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 mtu 1600
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.
The default duration is 30 seconds.
An ARP entry remains valid if it receives positive feedback from higher-level protocols.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip arp-cache-timeout 180
Configure ARP filtering on this interface.
Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.
If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-arp-filter
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip disable-forwarding
Configure whether to forward IP-directed broadcast packets received on this interface.
Default behavior: IP-directed broadcast packets are dropped.
If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-directed-broadcast
Configure how to process gratuitous ARPs on this interface.
If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.
Note
If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-accept
Configure the source IP selection for ARP requests on this interface.
Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.
If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-announce
Configure which ARP requests will be ignored on this interface.
Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.
If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-arp-ignore
Configure proxy ARP on this interface.
If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ip enable-proxy-arp
Configure local proxy ARP on the interface.
If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.
This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.
By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.
Note
This command works independently and does not require enabling the standard proxy ARP on the interface.
Local proxy ARP is also known as:
VLAN aggregation (RFC 3069).
Private VLAN (Cisco, Allied Telesyn).
Source-port filtering or port isolation (Hewlett-Packard).
MAC-Forced Forwarding (Ericsson).
Configure source IP address validation using RPF on this interface, as specified in RFC 3704.
The following options are available:
strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.
loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.
disable: No source IP address validation is performed. All incoming packets are accepted.
RFC 3704 recommends enabling strict mode to prevent IP spoofing, such as DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.
Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.
IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address autoconf
Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address eui64 2001:db8:beef::/64
Disable the automatic assignment of a link-local IPv6 address to this interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 address no-default-link-local
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 disable-forwarding
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure IPv6 DAD on the interface.
The following options are available:
0: Disables DAD. No duplicate address detection is performed.
1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.
2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 accept-dad 2
Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.
The default value is 1.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 ipv6 dup-addr-detect-transmits 5
Assign the interface to a specific VRF instance.
See also
For information on configuring a VRF, refer to the VRF section.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 vrf red
DHCP(v6)
Configure a DHCP client identifier for the interface, as specified in RFC 2131.
The client-id is an identifier that the DHCP client sends to the DHCP
server to uniquely identify itself for IP address assignment. By default,
the client uses its MAC address. The <description> is a user-defined
string that will be sent to the DHCP server as the DHCP client identifier.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options client-id 'foo-bar'
Configure a specific hostname for the interface.
Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options host-name 'VyOS'
Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.
The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options vendor-class-id 'VyOS'
Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options no-default-route
Configure the distance for the default route obtained from the DHCP server on this interface.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options default-route-distance 220
Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.
This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options reject 192.168.100.0/24
Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.
The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcp-options user-class VyOS
Configure a specific DUID for the DHCPv6 client on this interface.
The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:
DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.
DUID-EN: Is based on a vendor’s enterprise number and a unique identifier assigned by the vendor.
DUID-LL: Includes only a MAC address.
The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
Configure the DHCP client not to send a release message when it stops running on this interface.
This helps retain the assigned address or prefix.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options no-release
Enable a stateless DHCPv6 client mode on this interface.
In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options parameters-only
Enable DHCPv6 rapid commit on this interface.
When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options rapid-commit
Configure the DHCPv6 client to request a temporary IPv6 address on this interface.
When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.
Example:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options temporary
DHCPv6 Prefix Delegation (PD)
VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.
Configure a specific prefix length for DHCPv6-PD requests on this interface.
Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.
The default value is 64.
To request a /56 prefix from your ISP, use:
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 length 56
Configure the IPv6 interface identifier (host portion) for the delegatee interface.
The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.
By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).
Example:
If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 address 65534
Configure the SLA ID for the delegatee interface.
The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.
Example:
If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the
resulting subnet prefix for the delegatee interface will be
2001:db8:ffff:1::/64.
set interfaces ethernet eth0 vif-s 1000 vif-c 20 dhcpv6-options pd 0 interface eth8 sla-id 1
SPAN port mirroring
SPAN port mirroring copies inbound and outbound traffic from one interface to another specified interface.
The destination interface is usually connected to specialized equipment, such as a behavior control system, an intrusion detection system, or a traffic collector, and copies all related traffic from this port. The benefit of mirroring traffic is that the application is isolated from the source traffic, so application processing does not affect the traffic or system performance.
To configure SPAN port mirroring, VyOS uses
the mirror parameter. You can mirror ingress traffic (traffic entering the
router) and egress traffic (traffic leaving the router) separately. Both
directions can be mirrored to the same destination interface or split to
different ones.
Mirror ingress traffic from a bonding interface to the specified monitoring interface.
Example: Mirror the ingress traffic from eth1 to eth3.
set interfaces ethernet eth1 mirror ingress eth3
Operation
Show brief interface information.
vyos@vyos:~$ show interfaces ethernet
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.18.201.10/24 u/u LAN
eth1 172.18.202.11/24 u/u WAN
eth2 - u/D
Show detailed interface information.
vyos@vyos:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:44:00:f5:c9 brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:44ff:fe00:f5c9/64 scope link
valid_lft forever preferred_lft forever
RX: bytes packets errors dropped overrun mcast
56735451 179841 0 0 0 142380
TX: bytes packets errors dropped carrier collisions
5601460 62595 0 0 0 0
Show interface hardware-level and driver details.
vyos@vyos:~$ show interfaces ethernet eth0 physical
Settings for eth0:
Supported ports: [ TP ]
Supported link modes: 1000baseT/Full
10000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: No
Supported FEC modes: Not reported
Advertised link modes: Not reported
Advertised pause frame use: No
Advertised auto-negotiation: No
Advertised FEC modes: Not reported
Speed: 10000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: off
MDI-X: Unknown
Supports Wake-on: uag
Wake-on: d
Link detected: yes
driver: vmxnet3
version: 1.4.16.0-k-NAPI
firmware-version:
expansion-rom-version:
bus-info: 0000:0b:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
Show the status of the interface offloading features.
vyos@vyos:~$ show interfaces ethernet eth0 physical offload
rx-checksumming on
tx-checksumming on
tx-checksum-ip-generic on
scatter-gather off
tx-scatter-gather off
tcp-segmentation-offload off
tx-tcp-segmentation off
tx-tcp-mangleid-segmentation off
tx-tcp6-segmentation off
udp-fragmentation-offload off
generic-segmentation-offload off
generic-receive-offload off
large-receive-offload off
rx-vlan-offload on
tx-vlan-offload on
ntuple-filters off
receive-hashing on
tx-gre-segmentation on
tx-gre-csum-segmentation on
tx-udp_tnl-segmentation on
tx-udp_tnl-csum-segmentation on
tx-gso-partial on
tx-nocache-copy off
rx-all off
Show information about the transceiver module plugged into the interface (e.g., SFP+, QSFP).
vyos@vyos:~$ show interfaces ethernet eth5 transceiver
Identifier : 0x03 (SFP)
Extended identifier : 0x04 (GBIC/SFP defined by 2-wire interface ID)
Connector : 0x07 (LC)
Transceiver codes : 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00
Transceiver type : Ethernet: 1000BASE-SX
Encoding : 0x01 (8B/10B)
BR, Nominal : 1300MBd
Rate identifier : 0x00 (unspecified)
Length (SMF,km) : 0km
Length (SMF) : 0m
Length (50um) : 550m
Length (62.5um) : 270m
Length (Copper) : 0m
Length (OM3) : 0m
Laser wavelength : 850nm
Vendor name : CISCO-FINISAR
Vendor OUI : 00:90:65
Vendor PN : FTRJ-8519-7D-CS4
Vendor rev : A
Option values : 0x00 0x1a
Option : RX_LOS implemented
Option : TX_FAULT implemented
Option : TX_DISABLE implemented
BR margin, max : 0%
BR margin, min : 0%
Vendor SN : FNS092xxxxx
Date code : 0506xx