| I.2. Objects | ||
|---|---|---|
 | Appendix I. Configuration Objects |  |
| I.2. Objects | ||
|---|---|---|
| | Appendix I. Configuration Objects | |
The system settings are the top level attributes of the system which apply globally.
Table I.3. system: Attributes
| Attribute | Type | Default | Description |
| acme-directory | string | https://acme-v02.api.letsencrypt.org/directory | ACME server directory |
| acme-hostname | List of string | - | Public hostname(s) for FireBrick for HTTPS |
| acme-keygen | boolean | true | Automatically obtain private keys as needed |
| acme-renew | positiveInteger | 30 | Renewal before expiry (days) |
| acme-source-ip | IP46Addr | - | Source IP for ACME renewal |
| acme-terms-agreed-email | string | - | Put your email if you agree CA terms |
| auto-backup-url | string | - | URL to http POST after config changed |
| comment | string | - | Comment |
| contact | string | - | Contact name |
| string | - | Contact email | |
| eth-rx-batch | unsignedInt | 20 | Max packets serviced on one port before rechecking other port for idle |
| eth-rx-qsize | unsignedInt | 2000 | Size of eth driver Rx queue |
| eth-tx-qsize | unsignedInt | 2000 | Size of eth driver Tx queue |
| intro | string | - | Home page text |
| lacp-hot-standby | lacp-hot-standby | nosync | Allow LACP to use hot standby |
| location | string | - | Location description |
| log | NMTOKEN | Web/console | Log system events |
| log-acme | NMTOKEN | - | Log ACME |
| log-acme-debug | NMTOKEN | - | Log ACME debug |
| log-acme-error | NMTOKEN | - | Log ACME errors |
| log-config | NMTOKEN | Web/Flash/console | Log config load |
| log-debug | NMTOKEN | Not logging | Log system debug messages |
| log-diagnostic | NMTOKEN | Not logging | Log system diagnostic messages |
| log-error | NMTOKEN | Web/Flash/console | Log system errors |
| log-eth | NMTOKEN | Web/console | Log Ethernet messages |
| log-eth-debug | NMTOKEN | Not logging | Log Ethernet debug |
| log-eth-error | NMTOKEN | Web/Flash/console | Log Ethernet errors |
| log-ppp-dump | ppp-dump | - | PPP dump format |
| log-route-nexthop | NMTOKEN | Not logged | Log next hop changes |
| log-stats | NMTOKEN | Not logging | Log one second stats |
| log-support | NMTOKEN | Web logs | Log support messages (e.g. stack trace) |
| log-tcp-debug | NMTOKEN | Not logging | Log TCP/TLS debug messages |
| login-intro | string | - | Login page text |
| name | string | - | System hostname |
| panic-stack-bytes | unsignedInt | 0 | Stack context for certain panics (bvtes) |
| pre-reboot-url | string | - | URL to GET prior to s/w reboot (typically to warn nagios) |
| source | string | - | Source of data, used in automated config management |
| spoof-mac | (hexBinary) macspoof | - | Spoof MAC base address - use with caution! |
| sw-update | autoloadtype | false | Load new software automatically |
| sw-update-delay | (unsignedByte 0-30) fb-sw-update-delay | 0 | Number of days after release to wait before automatically upgrading |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for system functions (s/w updates, etc) |
| tcp-stealth | boolean | false | Ignore (as opposed to reject) TCP to the FireBrick itself that isn't accepted |
Default source IP for traffic originated by this FireBrick
Table I.6. routing-table: Attributes
| Attribute | Type | Default | Description |
| name | string | - | Name |
| source-ip | IP46Addr | - | Default source IP for services |
| table | (unsignedByte 0-99) routetable | Not optional | Routing table number |
User names, passwords and abilities for admin users
Table I.7. user: Attributes
| Attribute | Type | Default | Description |
| allow | List of IPNameRange | - | Restrict logins to be from specific IP addresses |
| comment | string | - | Comment |
| config | config-access | full | Config access level |
| full-name | string | - | Full name |
| level | user-level | ADMIN | Login level |
| local-only | boolean | false | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logged | Log events |
| name | (NMTOKEN) username | Not optional | User name |
| otp-seed | OTP | - | OTP seed (do not edit by hand) |
| password | Password | Not optional | User password |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Restrict login to specific routing table |
| timeout | duration | 5:00 | Login idle timeout (zero to stay logged in, not recommended) |
Identities, passwords and access methods for access controlled with EAP
Table I.8. eap: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| full-name | string | - | Full name |
| methods | Set of eap-method | Not optional | Allowed methods |
| name | string | Not optional | User or account name |
| password | Secret | Not optional | User password |
| source | string | - | Source of data, used in automated config management |
| subsystem | eap-subsystem | Not optional | Access controlled subsystem |
Named logging target
Table I.9. log: Attributes
| Attribute | Type | Default | Description |
| colour | Colour | - | Colour used in web display |
| comment | string | - | Comment |
| console | boolean | - | Log immediately to console |
| flash | boolean | - | Log immediately to slow flash memory (use with care) |
| jtag | boolean | - | Log immediately jtag (development use only) |
| name | NMTOKEN | Not optional | Log target name |
| source | string | - | Source of data, used in automated config management |
| system | boolean | - | Include system logs on web/cli view |
Table I.10. log: Elements
| Element | Type | Instances | Description |
| log-email | Optional, unlimited | Email settings | |
| syslog | log-syslog | Optional, unlimited | Syslog settings |
Logging to a syslog server
Table I.11. log-syslog: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| facility | syslog-facility | LOCAL0 | Facility setting |
| port | unsignedShort | 514 | Server port |
| server | IPNameAddr | Not optional | Syslog server |
| severity | syslog-severity | NOTICE | Severity setting |
| source | string | - | Source of data, used in automated config management |
| source-ip | IPAddr | - | Use specific source IP |
| system-logs | boolean | - | Include generic system log messages as well |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending syslogs |
Logging to email
Table I.12. log-email: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| delay | duration | 1:00 | Delay before sending, since first event to send |
| from | string | One made up using serial number | Source email address |
| hold-off | duration | 1:00:00 | Delay before sending, since last email |
| log | NMTOKEN | Not logging | Log emailing process |
| log-debug | NMTOKEN | Not logging | Log emailing debug |
| log-error | NMTOKEN | Not logging | Log emailing errors |
| port | unsignedShort | 25 | Server port |
| retry | duration | 10:00 | Delay before sending, since failed send |
| server | IPNameAddr | - | Smart host to use rather than MX |
| source | string | - | Source of data, used in automated config management |
| subject | string | From first line being logged | Subject |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending email |
| to | string | Not optional | Target email address |
System services are various generic services that the system provides, and allows access controls and settings for these to be specified. The service is only active if the corresponding element is included in services, otherwise it is disabled.
Table I.13. services: Elements
| Element | Type | Instances | Description |
| dns | dns-service | Optional | DNS service settings |
| http | http-service | Optional | Web server settings |
| snmp | snmp-service | Optional | SNMP server settings |
| telnet | telnet-service | Optional | Telnet server settings |
| time | time-service | Optional | System time server settings |
Web management pages
Table I.14. http-service: Attributes
| Attribute | Type | Default | Description |
| access-control-allow-origin | string | - | Additional HTTP header |
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| allow-acme | boolean | true | Allow limited port 80 HTTP access for ACME during renewal |
| banner-background | Colour | #bd1220 | Override default colours |
| certlist | List of NMTOKEN | use any suitable | Certificate(s) to be used for HTTPS sessions |
| comment | string | - | Comment |
| config-boxes | Colour | from banner | Config editor colours |
| content-security-policy | string | - | Additional HTTP header |
| css-url | string | - | Additional CSS for web control pages |
| highlight-text | Colour | from banner | Override default colours |
| https-port | unsignedShort | 443 | Service port for HTTPS access |
| js-url | string | - | Additional javascript for web control pages (logged in/trusted-ip) |
| local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logging | Log events |
| log-client | NMTOKEN | Not logging | Log client accesses |
| log-client-debug | NMTOKEN | Not logging | Log client accesses (debug) |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-error | NMTOKEN | Log as event | Log errors |
| mode | http-mode | redirect-to-https-if-acme | Security mode |
| port | unsignedShort | 80 | Service port for HTTP access |
| referrer-policy | string | no-referrer | Additional HTTP header |
| self-sign | boolean | true | Create self signed certificate for HTTPS when necessary |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | All | Routing table number for access to service |
| trusted | List of IPNameRange | - | List of allowed IP ranges from which additional access to certain functions is available |
| x-content-type-options | string | nosniff | Additional HTTP header |
| x-frame-options | string | SAMEORIGIN | Additional HTTP header |
| x-xss-protection | string | 1; mode=block | Additional HTTP header |
DNS forwarding resolver service
Table I.15. dns-service: Attributes
| Attribute | Type | Default | Description |
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| auto-dhcp | boolean | - | Forward and reverse DNS for names in DHCP using this domain |
| auto-dhcp-new | string | - | Name to use for last new DHCP allocation (since last reboot) |
| caching | boolean | true | Cache relayed DNS entries locally |
| comment | string | - | Comment |
| domain | string | - | Our domain |
| fallback | boolean | true | For incoming requests, if no server in required table, relay to any DNS available |
| fallback-table | (unsignedByte 0-99) routetable | Don't fallback | For incoming requests, if no server in requesting table, relay to any DNS available in this table |
| local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logging | Log events |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-error | NMTOKEN | Log as event | Log errors |
| log-interface | List of NMTOKEN | All interfaces | Only do normal log for specific interface(s) |
| resolvers | List of IPAddr | - | Recursive DNS resolvers to use |
| resolvers-table | (unsignedByte 0-99) routetable | as table / 0 | Routing table for specified resolvers |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | All | Routing table number for access to service |
DNS forwarding resolver service
Table I.17. dns-host: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| ip | List of IPAddr | Our IP | IP addresses to serve (or our IP if omitted) |
| name | List of string | Not optional | Host names (can use * as a part of a domain) |
| restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s) |
| restrict-to | List of IPNameRange | - | List of IP ranges to which this is served |
| reverse | boolean | - | Map reverse DNS as well |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | any | Routing table applicable |
| ttl | unsignedInt | 60 | Time to live |
DNS forwarding resolver service
Table I.18. dns-block: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| name | List of string | Not optional | Host names (can use * as a part of a domain) |
| restrict-interface | List of NMTOKEN | - | Only apply on certain interface(s) |
| restrict-to | List of IPNameRange | - | List of IP ranges to which this is served |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | any | Routing table applicable |
| ttl | unsignedInt | 60 | Time to live |
Telnet control interface
Table I.19. telnet-service: Attributes
| Attribute | Type | Default | Description |
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| comment | string | - | Comment |
| local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logging | Log events |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-error | NMTOKEN | Log as event | Log errors |
| port | unsignedShort | 23 | Service port |
| prompt | string | system name | Prompt |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | All | Routing table number for access to service |
The SNMP service has general service settings and also specific attributes for SNMP such as community
Table I.20. snmp-service: Attributes
| Attribute | Type | Default | Description |
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| comment | string | - | Comment |
| community | Secret | public | Community string |
| local-only | boolean | false | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logging | Log events |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-error | NMTOKEN | Log as event | Log errors |
| port | unsignedShort | 161 | Service port |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | All | Routing table number for access to service |
The time settings define which NTP servers to synchronize the system clock from, and provide controls for daylight saving (summer time). The defaults are those that apply to the EU
Table I.21. time-service: Attributes
| Attribute | Type | Default | Description |
| allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which service can be accessed |
| comment | string | - | Comment |
| legacy-timeserver | boolean | false | Serve legacy TIME service on UDP port 37 |
| local-only | boolean | true | Restrict access to locally connected Ethernet subnets only |
| log | NMTOKEN | Not logging | Log events |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-error | NMTOKEN | Log as event | Log errors |
| maxpoll | duration | 1024 | NTP maximum poll rate |
| minpoll | duration | 64 | NTP minimum poll rate |
| ntp-control-allow | List of IPNameRange | Allow from anywhere | List of IP ranges from which control (ntpq) requests can be accessed |
| ntp-control-local-only | boolean | true | Restrict control (ntpq) access to locally connected Ethernet subnets only |
| ntp-control-table | (unsignedByte 0-99) routetable | All | Routing table number for incoming control (ntpq) requests |
| ntp-peer-table | (unsignedByte 0-99) routetable | 0 | Routing table number used for outgoing ntp peer requests |
| ntp-servers | List of IPNameAddr | ntp.firebrick.ltd.uk | List of NTP time servers (IP or hostname) from which time may be synchronized and served by ntp (Null list disables NTP) |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | All | Routing table number for access to service |
| tz1-name | string | GMT | Timezone 1 name |
| tz1-offset | duration | 0 | Timezone 1 offset from UTC |
| tz12-date | (unsignedByte 1-31) datenum | 25 | Timezone 1 to 2 earliest date in month |
| tz12-day | day | Sun | Timezone 1 to 2 day of week of change |
| tz12-month | month | Mar | Timezone 1 to 2 month |
| tz12-time | time | 01:00:00 | Timezone 1 to 2 local time of change |
| tz2-name | string | BST | Timezone 2 name |
| tz2-offset | duration | 1:00:00 | Timezone 2 offset from UTC |
| tz21-date | (unsignedByte 1-31) datenum | 25 | Timezone 2 to 1 earliest date in month |
| tz21-day | day | Sun | Timezone 2 to 1 day of week of change |
| tz21-month | month | Oct | Timezone 2 to 1 month |
| tz21-time | time | 02:00:00 | Timezone 2 to 1 local time of change |
Physical port attributes
Table I.22. ethernet: Attributes
| Attribute | Type | Default | Description |
| autoneg | boolean | true | Perform link auto-negotiation |
| clocking | LinkClock | prefer-slave | Gigabit clock setting |
| crossover | Crossover | auto | Port crossover configuration |
| flow | LinkFlow | none | Flow control setting |
| green | LinkLED-g | Link/Activity | Green LED setting |
| lacp | boolean | Auto | Send LACP packets |
| lldp | boolean | true | Send LLDP packets |
| optimise | boolean | true | enable PHY optimisations |
| port | port | Not optional | Physical port |
| power-saving | LinkPower | full | enable PHY power saving |
| send-fault | LinkFault | - | Send fault status |
| shutdown | boolean | false | Power down this port |
| yellow | LinkLED-y | Tx | Yellow LED setting |
Packet sampling configuration
Table I.23. sampling: Attributes
| Attribute | Type | Default | Description |
| agent-ip | IPAddr | use source-ip | IP address used to identify this agent |
| collector-ip | IPAddr | Not optional | IP address of collector |
| collector-port | unsignedShort | 6343 for sFlow, 4739 for IPFIX | UDP port which collector listens on |
| comment | string | - | Comment |
| mtu | (unsignedShort 576-2000) mtu | 1500 | |
| name | string | - | Name |
| protocol | sampling-protocol | sflow | Protocol used to export sampling data |
| sample-flush | duration | 1 sec for sFlow; 30 for IPFIX | Sample max cache time |
| sample-rate | (unsignedShort 100-10000) sample-rate | 1000 | Sample rate (uniform random prob 1/N) |
| snap-length | unsignedShort | 64 | Packet header snap length |
| source | string | - | Source of data, used in automated config management |
| source-ip | IPAddr | - | Source IP address to use |
| source-port | unsignedShort | Use collector-port | UDP source port |
| stats-interval | duration | 60 | Stats export interval |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for sample data |
| template-refresh | duration | 600 | Template resend interval |
Port grouping and naming
Table I.24. portdef: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| name | NMTOKEN | Not optional | Name |
| ports | Set of port | Not optional | Physical port(s) |
| source | string | - | Source of data, used in automated config management |
| trunk | trunk-mode | l2-hash | Trunk ports |
The interface definition relates to a specific physical port group and VLAN. It includes subnets and VRRP that apply to that interface.
Table I.25. interface: Attributes
| Attribute | Type | Default | Description |
| allow-6in4 | boolean | false | Handle 6in4 (protocol 41) packets |
| comment | string | - | Comment |
| dhcp-relay | IP4Addr | - | Relay any unresolved requests to external server |
| graph | (token) graphname | - | Graph name |
| link | NMTOKEN | - | Interface to which this is linked at layer 2 |
| log | NMTOKEN | Not logging | Log events |
| log-debug | NMTOKEN | Not logging | Log debug |
| log-dhcp | NMTOKEN | Not logging | Log DHCP events not related to a pool |
| log-error | NMTOKEN | Log as event | Log errors |
| mac-suffix | (hexBinary) macsuffix | - | Interface MAC ends with this hex value |
| mtu | (unsignedShort 576-2000) mtu | 1500 | MTU for this interface |
| name | NMTOKEN | - | Name |
| pd | boolean | If not WAN and no ra-subnet-templates and no ra subnets | Available for IPv6 prefix delegation |
| ping | IPAddr | - | Ping address to add loss/latency to graph for interface |
| port | NMTOKEN | Not optional | Port group name |
| restrict-mac | boolean | - | Use only one MAC on this interface |
| sampling | sampling-mode | off | Perform sampling |
| source | string | - | Source of data, used in automated config management |
| source-filter | sfoption | - | Source filter traffic received via this interface |
| source-filter-table | (unsignedByte 0-99) routetable | interface table | Routing table to use for source filtering checks |
| table | (unsignedByte 0-99) routetable | 0 | Routing table applicable |
| vlan | (unsignedShort 0-4095) vlan | 0 | VLAN ID (0=untagged) |
| wan | boolean | - | Do not consider this interface 'local' for 'local-only' checks |
Table I.26. interface: Elements
| Element | Type | Instances | Description |
| dhcp | dhcps | Optional, unlimited | DHCP server settings |
| dhcp6-client | dhcp6-client | Optional | DHCPv6 Client |
| ra-subnet-template | subnet-template | Optional, unlimited | Subnet options for RA client |
| subnet | subnet | Optional, unlimited | IP subnet on the interface |
| vrrp | vrrp | Optional, unlimited | VRRP settings |
Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set.
Table I.27. subnet: Attributes
| Attribute | Type | Default | Description |
| accept-dns | boolean | true | Accept DNS servers specified by DHCP |
| arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND |
| broadcast | boolean | false | If broadcast address allowed |
| comment | string | - | Comment |
| dhcp-class | string | FB-type | DHCP client option 60 (Class) |
| dhcp-client-id | string | MAC | DHCP client option 61 (Client-Identifier) |
| gateway | List of IPAddr | - | One or more gateways to install |
| ip | List of IPSubnet | Automatic by DHCP | One or more IP/len |
| localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins) |
| mac-suffix | (hexBinary) macsuffix | - | Subnet MAC ends with this hex value |
| mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet |
| name | string | - | Name |
| proxy-arp | boolean | false | Answer ARP/ND by proxy if we have routing |
| ra | ramode | false | If to announce IPv6 RA for this subnet |
| ra-autonomous | boolean | If managed not set | RA 'A' (autonomous) flag |
| ra-dns | List of IP6Addr | Our IP | List of recursive DNS servers in route announcements |
| ra-dnssl | List of string | - | List of DNS search domains in route announcements |
| ra-managed | boolean | - | RA 'M' (managed) flag |
| ra-max | (unsignedShort 4-1800) ra-max | 600 | Max RA send interval |
| ra-min | (unsignedShort 3-1350) ra-min | ra-max/3 | Min RA send interval |
| ra-mtu | unsignedShort | As subnet | MTU to use on RA |
| ra-onlink | boolean | true | RA 'L' (onlink) flag |
| ra-other | boolean | - | RA 'O' (other) flag |
| simple-dhcpv6 | boolean | - | Simple DHCPv6 server (fixed addresses) |
| source | string | - | Source of data, used in automated config management |
| test | IPAddr | - | Test link state using ARP/ND for this IP |
| ttl | unsignedByte | 64 | TTL for originating traffic via subnet |
Table I.28. subnet-template: Attributes
| Attribute | Type | Default | Description |
| accept-dns | boolean | True if not set elsewhere | Accept DNS servers specified by DHCP/SLAAC |
| comment | string | - | Comment |
| gateway-match | List of IPNameRange | Any IP | Apply only to received RAs with a gateway in these IPs |
| match-dhcp6-client | boolean | true | Allow matching RAs to be used for an explicit DHCP6 client |
| name | string | - | Name |
| source | string | - | Source of data, used in automated config management |
Table I.29. dhcp6-client: Attributes
| Attribute | Type | Default | Description |
| accept-dns | boolean | true | |
| arp-timeout | unsignedShort | 60 | Max lifetime on ARP and ND |
| comment | string | - | Comment |
| localpref | unsignedInt | 4294967295 | Localpref for subnet (highest wins) |
| mac-suffix | (hexBinary) macsuffix | - | DHCPC MAC ends with this hex value |
| mtu | (unsignedShort 576-2000) mtu | As interface | MTU for subnet |
| source | string | - | Source of data, used in automated config management |
| ttl | unsignedByte | 64 | TTL for originating traffic via subnet |
VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority.
Table I.30. vrrp: Attributes
| Attribute | Type | Default | Description |
| answer-ping | boolean | true | Whether to answer PING to VRRP IPs when master |
| comment | string | - | Comment |
| delay | unsignedInt | 60 | Delay after routing established before priority returns to normal |
| interval | unsignedShort | 100 | Transit interval (centiseconds) |
| ip | List of IPAddr | Not optional | One or more IP addresses to announce |
| log | NMTOKEN | Not logging | Log events |
| log-error | NMTOKEN | log as event | Log errors |
| low-priority | unsignedByte | 1 | Lower priority applicable until routing established |
| name | NMTOKEN | - | Name |
| preempt | boolean | true | Whether pre-empt allowed |
| priority | unsignedByte | 100 | Normal priority |
| source | string | - | Source of data, used in automated config management |
| use-vmac | boolean | true | Whether to use the special VMAC or use normal MAC |
| version3 | boolean | v2 for IPv4, v3 for IPv6 | Use only version 3 |
| vrid | unsignedByte | 42 | VRID |
Settings for DHCP server
Table I.31. dhcps: Attributes
| Attribute | Type | Default | Description |
| boot | IP4Addr | - | Next/boot server |
| boot-file | string | - | Boot filename |
| broadcast | boolean | - | Broadcast replies even if not requested |
| circuit | string | - | Agent info circuit match |
| class | string | - | Vendor class match |
| client-name | string | - | Client name match |
| comment | string | - | Comment |
| dns | List of IP4Addr | Our IP | DNS resolvers |
| domain | string | From system settings | DNS domain |
| domain-search | string | - | DNS domain search list (list will be truncated to fit one attribute) |
| force | boolean | - | Send all options even if not requested |
| gateway | IP4Subnet | Our IP | Gateway |
| graph-prefix | string | - | Prefix to use for allocation auto graphs |
| ip | List of IP4Range | 0.0.0.0/0 | Address pool |
| lease | duration | 2:00:00 | Lease length |
| log | NMTOKEN | Not logging | Log events |
| log-decline | NMTOKEN | Not logging | Log events (declined) |
| log-move | NMTOKEN | Not logging | Log events (moved) |
| log-new | NMTOKEN | Not logging | Log events (new) |
| log-release | NMTOKEN | Not logging | Log events (released) |
| log-renew | NMTOKEN | Not logging | Log events (renewed) |
| log-reuse | NMTOKEN | Not logging | Log events (reused) |
| mac | List up to 12 (hexBinary) macprefix | - | Partial or full client hardware (MAC) addresses (or client-id MAC if specified) |
| mac-local | boolean | - | Match only local or non local MAC addresses |
| name | string | - | Name |
| ntp | List of IP4Addr | Our IP | NTP server |
| source | string | - | Source of data, used in automated config management |
| syslog | List of IP4Addr | - | Syslog server |
| time | List of IP4Addr | Our IP | Time server |
Table I.32. dhcps: Elements
| Element | Type | Instances | Description |
| send | dhcp-attr-hex | Optional, unlimited | Additional attributes to send (hex) |
| send-ip | dhcp-attr-ip | Optional, unlimited | Additional attributes to send (IP) |
| send-number | dhcp-attr-number | Optional, unlimited | Additional attributes to send (numeric) |
| send-string | dhcp-attr-string | Optional, unlimited | Additional attributes to send (string) |
Additional DHCP server attributes (numeric)
Table I.35. dhcp-attr-number: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| force | boolean | - | Send even if not requested |
| id | unsignedByte | Not optional | Attribute type code/tag |
| name | string | - | Name |
| value | unsignedInt | Not optional | Value |
| vendor | boolean | - | Add as vendor specific option (under option 43) |
Static routes define prefixes which are permanently in the routing table, and whether these should be announced by routing protocols or not.
Table I.37. route: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| gateway | List of IPAddr | Not optional | One or more target gateway IPs |
| graph | (token) graphname | - | Graph name |
| ip | List of IPPrefix | Not optional | One or more network prefixes |
| localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
| name | string | - | Name |
| source | string | - | Source of data, used in automated config management |
| speed | unsignedInt | - | Egress rate limit (b/s) |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Networks that go nowhere
Table I.38. blackhole: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| ip | List of IPPrefix | Not optional | One or more network prefixes |
| localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
| name | string | - | Name |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Loopback addresses define local IP addresses
Table I.39. loopback: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| ip | List of IPAddr | Not optional | One or more local network addresses |
| localpref | unsignedInt | 4294967295 | Localpref of network (highest wins) |
| name | string | - | Name |
| source | string | - | Source of data, used in automated config management |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number |
Constant quality monitoring (graphs and data) have a number of settings. Most of the graphing settings can be overridden when a graph is collected so these define the defaults in many cases.
Table I.40. cqm: Attributes
| Attribute | Type | Default | Description |
| auto-refresh-list | boolean | true | Auto refresh graph list pages (for trusted IPs) |
| ave | Colour | #08f | Colour for average latency |
| axis | Colour | black | Axis colour |
| background | Colour | white | Background colour |
| bottom | unsignedByte | 11 | Pixels space at bottom of graph |
| dateformat | string | %Y-%m-%d | Date format |
| dayformat | string | %a | Day format |
| fail | Colour | red | Colour for failed (dropped) seconds |
| fail-level | unsignedInt | 1 | Fail level not expected on low usage |
| fail-level1 | unsignedByte | 3 | Loss level 1 |
| fail-level2 | unsignedByte | 50 | Loss level 2 |
| fail-score | unsignedByte | 200 | Score for fail and low usage |
| fail-score1 | unsignedByte | 100 | Score for on/above level 1 |
| fail-score2 | unsignedByte | 200 | Score for on/above level 2 |
| fail-usage | unsignedInt | 128000 | Usage below which fail is not expected |
| fblogo | Colour | #bd1220 | Colour for logo |
| graticule | Colour | grey | Graticule colour |
| heading | string | - | Heading of graph |
| hourformat | string | %H | Hour format |
| key | unsignedByte | 90 | Pixels space for key |
| label-ave | string | Ave | Label for average latency |
| label-fail | string | %Fail | Label for seconds (%) failed |
| label-latency | string | Latency | Label for latency |
| label-max | string | Max | Label for maximum latency |
| label-min | string | Min | Label for minimum latency |
| label-off | string | Off | Label for off line seconds |
| label-period | string | Period | Label for period |
| label-poll | string | Polls | Label for polls |
| label-rej | string | %Reject | Label for rejected seconds |
| label-rx | string | Rx | Label for Rx traffic level |
| label-score | string | Score | Label for score |
| label-sent | string | Sent | Label for seconds polled |
| label-time | string | Time | Label for time |
| label-traffic | string | Traffic (bit/s) | Label for traffic level |
| label-tx | string | Tx | Label for Tx traffic level |
| latency-level | unsignedInt | 100000000 | Latency level not expected on low usage |
| latency-level1 | unsignedInt | 100000000 | Latency level 1 (ns) |
| latency-level2 | unsignedInt | 500000000 | Latency level 2 (ns) |
| latency-score | unsignedByte | 200 | Score for high latency and low usage |
| latency-score1 | unsignedByte | 10 | Score for on/above level 1 |
| latency-score2 | unsignedByte | 20 | Score for on/above level 2 |
| latency-usage | unsignedInt | 128000 | Usage below which latency is not expected |
| left | unsignedByte | 0 | Pixels space left of main graph |
| log | NMTOKEN | Not logging | Log events |
| marker-width | string | - | Stroke width for marker (+) on tx/rx (e.g. 4) |
| max | Colour | green | Colour for maximum latency |
| min | Colour | #008 | Colour for minimum latency |
| ms-max | positiveInteger | 500 | ms max height |
| off | Colour | #c8f | Colour for off line seconds |
| outside | Colour | transparent | Colour for outer border |
| ping-list-source-ip | IP46Addr | - | Source address to use when fetching the ping list |
| ping-update | duration | 1:00:00 | Interval for periodic updates |
| ping-url | string | - | URL for ping list |
| rej | Colour | #f8c | Colour for off line seconds |
| right | unsignedByte | 50 | Pixels space right of main graph |
| rx | Colour | #800 | Colour for Rx traffic level |
| secret | Secret | - | Secret for SHA1 coded URLs |
| sent | Colour | #ff8 | Colour for polled seconds |
| stroke-width | string | 4 if no marker | Stroke line for tx/rx |
| subheading | string | - | Subheading of graph |
| svg-css | string | - | URL for SVG CSS instead of local style settings |
| svg-title | boolean | - | Include mouseover title text on svg |
| text | Colour | black | Colour for text |
| text1 | string | - | Text line 1 |
| text2 | string | - | Text line 2 |
| text3 | string | - | Text line 3 |
| text4 | string | - | Text line 4 |
| timeformat | string | %Y-%m-%d %H:%M:%S | Time format |
| top | unsignedByte | 4 | Pixels space at top of graph |
| tx | Colour | #080 | Colour for Tx traffic level |
Base ping config - additional ping targets set via web API or other means
Table I.41. ping: Attributes
| Attribute | Type | Default | Description |
| comment | string | - | Comment |
| gateway | IP46Addr | - | IP of gateway |
| graph | (token) graphname | Not optional | Graph name |
| ip | IPNameAddr | Not optional | Far end IP |
| name | string | - | Name |
| size | (unsignedInt 0-60000) ping-size | 0 | Payload size |
| slow | boolean | Auto | Slow polling |
| source | string | - | Source of data, used in automated config management |
| source-ip | IP46Addr | - | Source IP |
| table | (unsignedByte 0-99) routetable | 0 | Routing table number for sending pings |
Settings for DHCP server for relayed connections
Table I.43. dhcp-relay: Attributes
| Attribute | Type | Default | Description |
| allocation-table | (unsignedByte 0-99) routetable | Allocate same as request table | Routing table for allocations - suggest using separate tables for remote DHCP |
| allow | List of IPNameRange | Allow from anywhere | IPs allowed (e.g. allocated IPs for renewal) |
| relay | List of IPNameRange | Any relay | Relay server IP(s) |
| table | (unsignedByte 0-99) routetable | Allow any | Routing table applicable |
Table I.44. dhcp-relay: Elements
| Element | Type | Instances | Description |
| dhcp | dhcps | Optional, unlimited | DHCP server settings |
| |  | |
| Appendix I. Configuration Objects |  | I.3. Data types |