[PATCH pve-docs v3 9/9] sdn: add IPv6 RA / SLAAC section

[Hannes Laimer <h.laimer@proxmox.com>]

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
 pvesdn.adoc | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index a09a443..d8a6a2d 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -409,6 +409,10 @@ xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in
 the VNET across nodes. For example, DROP by default and only allow traffic from
 the IP subnet to the gateway and vice versa.
 
+For VNets in an EVPN zone, IPv6 Router Advertisements can be enabled so guests
+autoconfigure via SLAAC. See
+xref:pvesdn_ipv6_ra[IPv6 Router Advertisements (SLAAC)].
+
 [[pvesdn_config_subnet]]
 Subnets
 -------
@@ -442,6 +446,70 @@ SNAT:: Enable Source NAT which allows VMs from inside a
 DNS Zone Prefix:: Add a prefix to the domain registration, like
   <hostname>.prefix.<domain>  Optional.
 
+On IPv6 subnets of an EVPN VNet with Router Advertisements enabled, additional
+per-prefix options are available. See
+xref:pvesdn_ipv6_ra[IPv6 Router Advertisements (SLAAC)].
+
+
+[[pvesdn_ipv6_ra]]
+IPv6 Router Advertisements (SLAAC)
+----------------------------------
+
+VNets in an xref:pvesdn_zone_plugin_evpn[EVPN zone] can emit IPv6 Router
+Advertisements (RAs) from their anycast gateway. Guests on the VNet then
+autoconfigure their addresses via SLAAC and learn the default gateway, DNS
+servers and other settings directly from the RA.
+
+RAs are enabled per VNet and require the VNet to have at least one IPv6 subnet.
+The configuration follows the protocol's two layers: RA-wide settings live on
+the VNet (the 'IPv6 Router Advertisement' tab), per-prefix settings on each
+IPv6 subnet (the 'IPv6 Prefix Options' tab). The defaults are chosen so that
+enabling RAs on a VNet with a /64 IPv6 subnet already lets guests
+autoconfigure, without setting any of the options below.
+
+Per-VNet options:
+
+Send Router Advertisements:: Emit RAs on this VNet's bridge. Only available for
+  VNets in an EVPN zone that have at least one IPv6 subnet. The remaining
+  options only take effect while this is enabled.
+
+DHCP Managed (M):: Set the managed-address (M) flag, telling hosts to obtain
+  their addresses via DHCPv6 in addition to, or instead of, SLAAC. Optional,
+  off by default.
+
+DHCP Other (O):: Set the other-configuration (O) flag, telling hosts to obtain
+  other information, such as DNS servers, via DHCPv6. Optional, off by default.
+
+RDNSS:: Recursive DNS server IPv6 addresses to advertise, so hosts learn their
+  resolvers from the RA itself. Optional.
+
+Router Lifetime (s):: Seconds for which hosts may use this gateway as a default
+  router, 0 to 9000. A value of 0 advertises the gateway as not being a default
+  router, for example when the RA only distributes a prefix or DNS servers. A
+  non-zero value must be at least the RA interval. Optional.
+
+RA Interval (s):: Maximum number of seconds (4 to 1800) between two unsolicited
+  RAs. Optional, defaults to 600.
+
+Advertised MTU:: Link MTU to advertise to hosts, 1280 to 65535. Optional.
+
+Per-subnet options (IPv6 subnets only):
+
+SLAAC (A):: Set the autonomous (A) flag, advertising the prefix for SLAAC so
+  hosts can derive an address from it. SLAAC requires a /64 prefix, so this
+  defaults to enabled on /64 subnets and is disabled, and cannot be enabled, on
+  others.
+
+On-link (L):: Set the on-link (L) flag, advertising the prefix as reachable
+  directly on the link. Optional, on by default.
+
+Valid Lifetime (s):: Seconds an address derived from this prefix stays valid.
+  Optional, defaults to 2592000 (30 days).
+
+Preferred Lifetime (s):: Seconds an address derived from this prefix stays
+  preferred. Must not exceed the valid lifetime. Optional, defaults to 604800
+  (7 days).
+
 
 [[pvesdn_config_controllers]]
 Controllers
-- 
2.47.3